From 3537dd319dfbcc403a5165d8c19c4834e8e64730 Mon Sep 17 00:00:00 2001 
From: Tim Condon <0xTim@users.noreply.github.com> Date: Sun, 15 May 2022 18:25:09 +0200 Subject: [PATCH] Update supported Swift Versions and BoringSSL (#72) * Update vending scripts * Start migrating script to Python 3 * Start migrating script to Python 3 * Start migrating script to Python 3 * Start migrating script to Python 3 * Start migrating script to Python 3 * Update BoringSSL to ce2a353d0147bac03ef883d91dcd9c405ab527fa * Remove test discovery flags * Update tools version to 5.4 * Update CI * Fix CI --- .github/workflows/test.yml | 49 +- Package.swift | 2 +- .../CJWTKitBoringSSL/crypto/asn1/a_bitstr.c | 30 +- Sources/CJWTKitBoringSSL/crypto/asn1/a_bool.c | 43 +- Sources/CJWTKitBoringSSL/crypto/asn1/a_enum.c | 195 - Sources/CJWTKitBoringSSL/crypto/asn1/a_int.c | 544 +- .../CJWTKitBoringSSL/crypto/asn1/a_mbstr.c | 32 +- .../CJWTKitBoringSSL/crypto/asn1/a_object.c | 91 +- .../CJWTKitBoringSSL/crypto/asn1/a_print.c | 48 +- .../CJWTKitBoringSSL/crypto/asn1/a_strex.c | 236 +- .../CJWTKitBoringSSL/crypto/asn1/a_strnid.c | 218 +- Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c | 2 +- .../CJWTKitBoringSSL/crypto/asn1/asn1_lib.c | 191 +- .../CJWTKitBoringSSL/crypto/asn1/asn_pack.c | 52 +- Sources/CJWTKitBoringSSL/crypto/asn1/f_enum.c | 93 - Sources/CJWTKitBoringSSL/crypto/asn1/f_int.c | 5 + .../CJWTKitBoringSSL/crypto/asn1/internal.h | 66 + .../CJWTKitBoringSSL/crypto/asn1/tasn_dec.c | 453 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_enc.c | 456 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_fre.c | 16 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_new.c | 16 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_typ.c | 14 +- .../CJWTKitBoringSSL/crypto/asn1/tasn_utl.c | 11 +- .../CJWTKitBoringSSL/crypto/base64/base64.c | 32 +- Sources/CJWTKitBoringSSL/crypto/bio/file.c | 6 + Sources/CJWTKitBoringSSL/crypto/bio/printf.c | 12 - .../CJWTKitBoringSSL/crypto/blake2/blake2.c | 10 +- .../CJWTKitBoringSSL/crypto/bytestring/ber.c | 42 +- .../CJWTKitBoringSSL/crypto/bytestring/cbb.c | 9 + 
.../CJWTKitBoringSSL/crypto/bytestring/cbs.c | 32 +- .../crypto/chacha/chacha-armv8.ios.aarch64.S | 18 +- .../chacha/chacha-armv8.linux.aarch64.S | 18 +- .../crypto/chacha/chacha-x86.linux.x86.S | 4 +- .../crypto/chacha/chacha-x86.windows.x86.S | 4 +- .../chacha/chacha-x86_64.linux.x86_64.S | 4 +- .../crypto/chacha/chacha-x86_64.mac.x86_64.S | 4 +- .../CJWTKitBoringSSL/crypto/chacha/chacha.c | 87 +- .../aes128gcmsiv-x86_64.linux.x86_64.S | 4 +- .../aes128gcmsiv-x86_64.mac.x86_64.S | 4 +- .../chacha20_poly1305_armv8.ios.aarch64.S | 3024 +++++++++ .../chacha20_poly1305_armv8.linux.aarch64.S | 3027 +++++++++ .../chacha20_poly1305_x86_64.linux.x86_64.S | 4 +- .../chacha20_poly1305_x86_64.mac.x86_64.S | 4 +- .../crypto/cipher_extra/cipher_extra.c | 110 +- .../crypto/cipher_extra/e_aesccm.c | 1 - .../crypto/cipher_extra/e_aesgcmsiv.c | 13 +- .../cipher => cipher_extra}/e_des.c | 177 +- .../crypto/cipher_extra/internal.h | 15 +- .../crypto/cpu_aarch64_apple.c | 72 + ...arch64-fuchsia.c => cpu_aarch64_fuchsia.c} | 15 +- ...pu-aarch64-linux.c => cpu_aarch64_linux.c} | 10 +- .../{cpu-aarch64-win.c => cpu_aarch64_win.c} | 8 +- .../crypto/{cpu-arm.c => cpu_arm.c} | 2 +- .../{cpu-arm-linux.c => cpu_arm_linux.c} | 9 +- .../{cpu-arm-linux.h => cpu_arm_linux.h} | 0 .../crypto/{cpu-intel.c => cpu_intel.c} | 3 +- .../crypto/{cpu-ppc64le.c => cpu_ppc64le.c} | 2 +- Sources/CJWTKitBoringSSL/crypto/crypto.c | 25 +- .../crypto/curve25519/curve25519.c | 25 +- .../crypto/{fipsmodule => }/des/des.c | 21 +- .../crypto/{fipsmodule => }/des/internal.h | 6 +- .../crypto/digest_extra/digest_extra.c | 1 + Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c | 21 + Sources/CJWTKitBoringSSL/crypto/err/err.c | 16 + .../CJWTKitBoringSSL/crypto/err/err_data.c | 1370 ++-- .../CJWTKitBoringSSL/crypto/evp/evp_asn1.c | 4 +- Sources/CJWTKitBoringSSL/crypto/evp/print.c | 4 +- Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c | 66 +- .../crypto/fipsmodule/aes/aes.c | 2 - .../crypto/fipsmodule/aes/internal.h | 10 +- 
.../aesni-gcm-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/aesni-gcm-x86_64.mac.x86_64.S | 4 +- .../crypto/fipsmodule/aesni-x86.linux.x86.S | 4 +- .../crypto/fipsmodule/aesni-x86.windows.x86.S | 4 +- .../fipsmodule/aesni-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/aesni-x86_64.mac.x86_64.S | 4 +- .../fipsmodule/aesv8-armx64.ios.aarch64.S | 2 +- .../fipsmodule/aesv8-armx64.linux.aarch64.S | 2 +- .../crypto/fipsmodule/bn-586.linux.x86.S | 4 +- .../crypto/fipsmodule/bn-586.windows.x86.S | 4 +- .../crypto/fipsmodule/bn/bytes.c | 136 +- .../crypto/fipsmodule/bn/div.c | 24 +- .../crypto/fipsmodule/bn/exponentiation.c | 1 - .../crypto/fipsmodule/bn/gcd_extra.c | 5 +- .../crypto/fipsmodule/bn/internal.h | 26 +- .../crypto/fipsmodule/bn/prime.c | 12 + .../crypto/fipsmodule/bn/rsaz_exp.h | 15 +- .../crypto/fipsmodule/bn/sqrt.c | 56 +- .../crypto/fipsmodule/cipher/aead.c | 3 + .../crypto/fipsmodule/cipher/cipher.c | 12 + .../crypto/fipsmodule/cipher/e_aes.c | 11 +- .../crypto/fipsmodule/co-586.linux.x86.S | 4 +- .../crypto/fipsmodule/co-586.windows.x86.S | 4 +- .../crypto/fipsmodule/dh/dh.c | 14 +- .../crypto/fipsmodule/dh/internal.h | 36 + .../crypto/fipsmodule/digest/digest.c | 5 + .../crypto/fipsmodule/ec/ec.c | 43 +- .../crypto/fipsmodule/ec/ec_key.c | 11 +- .../crypto/fipsmodule/ec/internal.h | 15 +- .../crypto/fipsmodule/ec/p224-64.c | 104 +- ...p256-x86_64-table.h => p256-nistz-table.h} | 2 +- .../ec/{p256-x86_64.c => p256-nistz.c} | 24 +- .../ec/{p256-x86_64.h => p256-nistz.h} | 8 +- .../crypto/fipsmodule/ec/p256.c | 81 +- .../crypto/fipsmodule/ec/scalar.c | 10 +- .../crypto/fipsmodule/ec/simple.c | 9 +- .../crypto/fipsmodule/ecdh/ecdh.c | 3 + .../crypto/fipsmodule/ecdsa/ecdsa.c | 23 +- .../crypto/fipsmodule/ecdsa/internal.h | 6 + .../fipsmodule/ghash-ssse3-x86.linux.x86.S | 4 +- .../fipsmodule/ghash-ssse3-x86.windows.x86.S | 4 +- .../ghash-ssse3-x86_64.linux.x86_64.S | 4 +- .../ghash-ssse3-x86_64.mac.x86_64.S | 4 +- .../crypto/fipsmodule/ghash-x86.linux.x86.S | 4 +- 
.../crypto/fipsmodule/ghash-x86.windows.x86.S | 4 +- .../fipsmodule/ghash-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/ghash-x86_64.mac.x86_64.S | 4 +- .../fipsmodule/ghashv8-armx64.ios.aarch64.S | 26 +- .../fipsmodule/ghashv8-armx64.linux.aarch64.S | 26 +- .../crypto/fipsmodule/hmac/hmac.c | 7 + .../crypto/fipsmodule/md4/md4.c | 11 +- .../crypto/fipsmodule/md5-586.linux.x86.S | 4 +- .../crypto/fipsmodule/md5-586.windows.x86.S | 4 +- .../fipsmodule/md5-x86_64.linux.x86_64.S | 4 +- .../crypto/fipsmodule/md5-x86_64.mac.x86_64.S | 4 +- .../crypto/fipsmodule/md5/md5.c | 11 +- .../crypto/fipsmodule/modes/gcm.c | 11 +- .../crypto/fipsmodule/modes/gcm_nohw.c | 2 +- .../crypto/fipsmodule/modes/internal.h | 5 - .../fipsmodule/p256-armv8-asm.ios.aarch64.S | 1769 ++++++ .../fipsmodule/p256-armv8-asm.linux.aarch64.S | 1772 ++++++ .../fipsmodule/p256-x86_64-asm.linux.x86_64.S | 4 +- .../fipsmodule/p256-x86_64-asm.mac.x86_64.S | 4 +- .../p256_beeu-armv8-asm.ios.aarch64.S | 324 + .../p256_beeu-armv8-asm.linux.aarch64.S | 327 + .../p256_beeu-x86_64-asm.linux.x86_64.S | 4 +- .../p256_beeu-x86_64-asm.mac.x86_64.S | 4 +- .../crypto/fipsmodule/rand/internal.h | 6 +- .../crypto/fipsmodule/rand/rand.c | 13 +- .../crypto/fipsmodule/rand/urandom.c | 2 +- .../fipsmodule/rdrand-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/rdrand-x86_64.mac.x86_64.S | 4 +- .../crypto/fipsmodule/rsa/internal.h | 22 + .../crypto/fipsmodule/rsa/rsa.c | 91 +- .../crypto/fipsmodule/rsa/rsa_impl.c | 25 +- .../fipsmodule/rsaz-avx2.linux.x86_64.S | 4 +- .../crypto/fipsmodule/rsaz-avx2.mac.x86_64.S | 4 +- .../crypto/fipsmodule/self_check/fips.c | 41 + .../crypto/fipsmodule/self_check/self_check.c | 934 +-- .../crypto/fipsmodule/sha/sha1.c | 70 +- .../crypto/fipsmodule/sha/sha256.c | 22 +- .../crypto/fipsmodule/sha/sha512.c | 47 +- .../crypto/fipsmodule/sha1-586.linux.x86.S | 4 +- .../crypto/fipsmodule/sha1-586.windows.x86.S | 4 +- .../fipsmodule/sha1-armv8.ios.aarch64.S | 16 +- .../fipsmodule/sha1-armv8.linux.aarch64.S 
| 16 +- .../fipsmodule/sha1-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/sha1-x86_64.mac.x86_64.S | 4 +- .../crypto/fipsmodule/sha256-586.linux.x86.S | 4 +- .../fipsmodule/sha256-586.windows.x86.S | 4 +- .../fipsmodule/sha256-armv8.ios.aarch64.S | 37 +- .../fipsmodule/sha256-armv8.linux.aarch64.S | 37 +- .../fipsmodule/sha256-x86_64.linux.x86_64.S | 215 +- .../fipsmodule/sha256-x86_64.mac.x86_64.S | 215 +- .../crypto/fipsmodule/sha512-586.linux.x86.S | 4 +- .../fipsmodule/sha512-586.windows.x86.S | 4 +- .../fipsmodule/sha512-armv8.ios.aarch64.S | 569 +- .../fipsmodule/sha512-armv8.linux.aarch64.S | 569 +- .../fipsmodule/sha512-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/sha512-x86_64.mac.x86_64.S | 4 +- .../fipsmodule/vpaes-armv8.ios.aarch64.S | 2 +- .../fipsmodule/vpaes-armv8.linux.aarch64.S | 2 +- .../crypto/fipsmodule/vpaes-x86.linux.x86.S | 4 +- .../crypto/fipsmodule/vpaes-x86.windows.x86.S | 4 +- .../fipsmodule/vpaes-x86_64.linux.x86_64.S | 4 +- .../fipsmodule/vpaes-x86_64.mac.x86_64.S | 4 +- .../crypto/fipsmodule/x86-mont.linux.x86.S | 4 +- .../crypto/fipsmodule/x86-mont.windows.x86.S | 4 +- .../fipsmodule/x86_64-mont.linux.x86_64.S | 4 +- .../fipsmodule/x86_64-mont.mac.x86_64.S | 4 +- .../fipsmodule/x86_64-mont5.linux.x86_64.S | 4 +- .../fipsmodule/x86_64-mont5.mac.x86_64.S | 4 +- Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c | 4 +- Sources/CJWTKitBoringSSL/crypto/hrss/hrss.c | 67 +- Sources/CJWTKitBoringSSL/crypto/internal.h | 366 +- Sources/CJWTKitBoringSSL/crypto/mem.c | 69 +- Sources/CJWTKitBoringSSL/crypto/pem/pem_all.c | 8 +- .../CJWTKitBoringSSL/crypto/pem/pem_pkey.c | 36 - .../CJWTKitBoringSSL/crypto/pkcs7/internal.h | 23 +- Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7.c | 42 +- .../crypto/pkcs7/pkcs7_x509.c | 163 +- .../CJWTKitBoringSSL/crypto/pkcs8/internal.h | 1 - Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c | 2 +- .../crypto/pkcs8/pkcs8_x509.c | 34 +- .../crypto/poly1305/poly1305.c | 7 +- .../CJWTKitBoringSSL/crypto/pool/internal.h | 7 +- 
Sources/CJWTKitBoringSSL/crypto/pool/pool.c | 91 +- .../CJWTKitBoringSSL/crypto/siphash/siphash.c | 12 +- .../CJWTKitBoringSSL/crypto/x509/asn1_gen.c | 20 +- Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c | 7 + .../CJWTKitBoringSSL/crypto/x509/by_file.c | 31 +- .../CJWTKitBoringSSL/crypto/x509/internal.h | 213 +- .../CJWTKitBoringSSL/crypto/x509/name_print.c | 4 +- .../CJWTKitBoringSSL/crypto/x509/rsa_pss.c | 13 +- Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c | 102 +- Sources/CJWTKitBoringSSL/crypto/x509/t_req.c | 6 +- Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c | 52 +- .../CJWTKitBoringSSL/crypto/x509/t_x509a.c | 6 +- .../CJWTKitBoringSSL/crypto/x509/x509_cmp.c | 17 +- .../CJWTKitBoringSSL/crypto/x509/x509_lu.c | 81 +- .../CJWTKitBoringSSL/crypto/x509/x509_obj.c | 1 + .../CJWTKitBoringSSL/crypto/x509/x509_set.c | 2 +- .../CJWTKitBoringSSL/crypto/x509/x509_trs.c | 11 +- .../CJWTKitBoringSSL/crypto/x509/x509_vfy.c | 85 +- .../CJWTKitBoringSSL/crypto/x509/x509_vpm.c | 2 +- .../CJWTKitBoringSSL/crypto/x509/x509cset.c | 13 +- .../CJWTKitBoringSSL/crypto/x509/x509name.c | 6 +- .../CJWTKitBoringSSL/crypto/x509/x509rset.c | 2 + Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c | 7 +- Sources/CJWTKitBoringSSL/crypto/x509/x_name.c | 40 +- Sources/CJWTKitBoringSSL/crypto/x509/x_req.c | 3 + Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c | 19 +- .../CJWTKitBoringSSL/crypto/x509/x_x509a.c | 31 +- .../CJWTKitBoringSSL/crypto/x509v3/internal.h | 248 +- .../crypto/x509v3/pcy_cache.c | 3 +- .../CJWTKitBoringSSL/crypto/x509v3/pcy_data.c | 4 +- .../CJWTKitBoringSSL/crypto/x509v3/pcy_int.h | 217 - .../CJWTKitBoringSSL/crypto/x509v3/pcy_lib.c | 2 +- .../CJWTKitBoringSSL/crypto/x509v3/pcy_map.c | 3 +- .../CJWTKitBoringSSL/crypto/x509v3/pcy_node.c | 2 +- .../CJWTKitBoringSSL/crypto/x509v3/pcy_tree.c | 9 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_akey.c | 32 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_alt.c | 34 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c | 13 +- 
.../CJWTKitBoringSSL/crypto/x509v3/v3_crld.c | 1 + .../CJWTKitBoringSSL/crypto/x509v3/v3_lib.c | 25 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c | 170 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_pci.c | 3 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_purp.c | 4 +- .../CJWTKitBoringSSL/crypto/x509v3/v3_utl.c | 199 +- Sources/CJWTKitBoringSSL/hash.txt | 2 +- .../include/CJWTKitBoringSSL.h | 7 +- .../include/CJWTKitBoringSSL_aead.h | 8 +- .../include/CJWTKitBoringSSL_arm_arch.h | 78 +- .../include/CJWTKitBoringSSL_asn1.h | 1357 +++- .../include/CJWTKitBoringSSL_asn1t.h | 30 +- .../include/CJWTKitBoringSSL_base.h | 19 +- .../include/CJWTKitBoringSSL_base64.h | 8 + .../include/CJWTKitBoringSSL_bio.h | 19 + .../include/CJWTKitBoringSSL_bn.h | 30 +- ...JWTKitBoringSSL_boringssl_prefix_symbols.h | 278 +- ...itBoringSSL_boringssl_prefix_symbols_asm.h | 57 +- .../include/CJWTKitBoringSSL_bytestring.h | 21 +- .../include/CJWTKitBoringSSL_cipher.h | 24 +- .../include/CJWTKitBoringSSL_cpu.h | 216 +- .../include/CJWTKitBoringSSL_crypto.h | 32 + .../include/CJWTKitBoringSSL_dh.h | 16 +- .../include/CJWTKitBoringSSL_digest.h | 7 + .../include/CJWTKitBoringSSL_dsa.h | 68 +- .../include/CJWTKitBoringSSL_ec.h | 10 +- .../include/CJWTKitBoringSSL_ec_key.h | 48 +- .../include/CJWTKitBoringSSL_ecdsa.h | 18 +- .../include/CJWTKitBoringSSL_err.h | 21 +- .../include/CJWTKitBoringSSL_evp.h | 84 +- .../include/CJWTKitBoringSSL_hkdf.h | 4 + .../include/CJWTKitBoringSSL_hmac.h | 4 + .../include/CJWTKitBoringSSL_hpke.h | 2 +- .../include/CJWTKitBoringSSL_mem.h | 12 +- .../include/CJWTKitBoringSSL_pkcs7.h | 42 +- .../include/CJWTKitBoringSSL_pkcs8.h | 15 +- .../include/CJWTKitBoringSSL_pool.h | 8 +- .../include/CJWTKitBoringSSL_rsa.h | 60 +- .../include/CJWTKitBoringSSL_span.h | 21 +- .../include/CJWTKitBoringSSL_stack.h | 17 +- .../include/CJWTKitBoringSSL_thread.h | 11 +- .../include/CJWTKitBoringSSL_type_check.h | 7 +- .../include/CJWTKitBoringSSL_x509.h | 732 ++- 
.../include/CJWTKitBoringSSL_x509_vfy.h | 707 +-- .../include/CJWTKitBoringSSL_x509v3.h | 80 +- .../include/boringssl_prefix_symbols_nasm.inc | 114 +- .../CJWTKitBoringSSL/include/module.modulemap | 4 + .../third_party/fiat/curve25519_32.h | 1898 ++++-- .../third_party/fiat/curve25519_64.h | 1149 ++-- .../third_party/fiat/p256_32.h | 5489 +++++++++++------ .../third_party/fiat/p256_64.h | 1759 ++++-- scripts/build-asm.py | 11 +- scripts/patch-1-inttypes.patch | 4 +- scripts/patch-2-arm-arch.patch | 17 - scripts/vendor-boringssl.sh | 28 +- 289 files changed, 26640 insertions(+), 10049 deletions(-) delete mode 100644 Sources/CJWTKitBoringSSL/crypto/asn1/a_enum.c delete mode 100644 Sources/CJWTKitBoringSSL/crypto/asn1/f_enum.c create mode 100644 Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.ios.aarch64.S create mode 100644 Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.linux.aarch64.S rename Sources/CJWTKitBoringSSL/crypto/{fipsmodule/cipher => cipher_extra}/e_des.c (64%) create mode 100644 Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c rename Sources/CJWTKitBoringSSL/crypto/{cpu-aarch64-fuchsia.c => cpu_aarch64_fuchsia.c} (81%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-aarch64-linux.c => cpu_aarch64_linux.c} (90%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-aarch64-win.c => cpu_aarch64_win.c} (88%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-arm.c => cpu_arm.c} (97%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-arm-linux.c => cpu_arm_linux.c} (96%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-arm-linux.h => cpu_arm_linux.h} (100%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-intel.c => cpu_intel.c} (99%) rename Sources/CJWTKitBoringSSL/crypto/{cpu-ppc64le.c => cpu_ppc64le.c} (97%) rename Sources/CJWTKitBoringSSL/crypto/{fipsmodule => }/des/des.c (98%) rename Sources/CJWTKitBoringSSL/crypto/{fipsmodule => }/des/internal.h (98%) create mode 100644 Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h rename 
Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/{p256-x86_64-table.h => p256-nistz-table.h} (99%) rename Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/{p256-x86_64.c => p256-nistz.c} (97%) rename Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/{p256-x86_64.h => p256-nistz.h} (95%) create mode 100644 Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.ios.aarch64.S create mode 100644 Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.linux.aarch64.S create mode 100644 Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.ios.aarch64.S create mode 100644 Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.linux.aarch64.S delete mode 100644 Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_int.h create mode 100644 Sources/CJWTKitBoringSSL/include/module.modulemap delete mode 100644 scripts/patch-2-arm-arch.patch diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6f1a092e..c8564074 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -12,7 +12,7 @@ jobs: matrix: dependent: - jwt - container: swift:5.2-focal + container: swift:5.6-focal steps: - name: Check out JWTKit uses: actions/checkout@v2 
@@ -29,45 +29,8 @@ jobs: - name: Run tests with Thread Sanitizer run: swift test --enable-test-discovery --sanitize=thread working-directory: dependent - linux: - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - image: - # 5.2 Stable - - swift:5.2-xenial - - swift:5.2-bionic - - swift:5.2-focal - - swift:5.2-centos8 - - swift:5.2-amazonlinux2 - # 5.2 Unstable - - swiftlang/swift:nightly-5.2-xenial - - swiftlang/swift:nightly-5.2-bionic - # 5.3 Unstable - - swiftlang/swift:nightly-5.3-xenial - - swiftlang/swift:nightly-5.3-bionic - # Master Unstable - - swiftlang/swift:nightly-master-xenial - - swiftlang/swift:nightly-master-bionic - - swiftlang/swift:nightly-master-focal - - swiftlang/swift:nightly-master-centos8 - - swiftlang/swift:nightly-master-amazonlinux2 - container: ${{ matrix.image }} - steps: - - name: Check out code - uses: actions/checkout@v2 - - name: Run tests with Thread Sanitizer - timeout-minutes: 10 - run: swift test --enable-test-discovery --sanitize=thread - macOS: - runs-on: macos-latest - steps: - - name: Select latest available Xcode - uses: maxim-lobanov/setup-xcode@v1.2.1 - with: - xcode-version: latest - - name: Check out code - uses: actions/checkout@v2 - - name: Run tests with Thread Sanitizer - run: swift test --enable-test-discovery --sanitize=thread + unit-tests: + uses: vapor/ci/.github/workflows/run-unit-tests.yml@reusable-workflows + with: + with_coverage: false + with_tsan: true diff --git a/Package.swift b/Package.swift index 09923f46..3cf1f033 100644 --- a/Package.swift +++ b/Package.swift @@ -1,4 +1,4 @@ -// swift-tools-version:5.2 +// swift-tools-version:5.4 import PackageDescription let package = Package( diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_bitstr.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_bitstr.c index ebccfe25..89f3573b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_bitstr.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_bitstr.c 
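Review bot: The new `unit-tests` job references `vapor/ci/.github/workflows/run-unit-tests.yml@reusable-workflows`, a branch name rather than a tag or commit, so the workflow that runs here (and every third-party action it in turn pulls in) can change on any future run without a change to this repository, which makes CI non-reproducible and moves the review of that dependency out of this repo. Pinning to a full commit SHA keeps the reusable workflow immutable and lets an upstream update arrive as a reviewable diff: `uses: vapor/ci/.github/workflows/run-unit-tests.yml@<pinned-commit-sha>` (placeholder; use the vapor/ci commit this was tested against, and refresh it deliberately). The `with_coverage`/`with_tsan` inputs are only meaningful if the reusable workflow at that ref declares them, which this hunk cannot show. The surviving `dependent` job, visible only as context at the top of this hunk, still passes `--enable-test-discovery` although the commit description says those flags were removed; on the 5.6 image it appears redundant but harmless.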
@@ -63,6 +63,7 @@ #include #include "../internal.h" +#include "internal.h" int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, const unsigned char *d, int len) @@ -70,8 +71,8 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, const unsigned char *d, int len) return ASN1_STRING_set(x, d, len); } -static int asn1_bit_string_length(const ASN1_BIT_STRING *str, - uint8_t *out_padding_bits) { +int asn1_bit_string_length(const ASN1_BIT_STRING *str, + uint8_t *out_padding_bits) { int len = str->length; if (str->flags & ASN1_STRING_FLAG_BITS_LEFT) { // If the string is already empty, it cannot have padding bits. @@ -79,8 +80,8 @@ static int asn1_bit_string_length(const ASN1_BIT_STRING *str, return len; } - // TODO(davidben): If we move this logic to |ASN1_BIT_STRING_set_bit|, can - // we remove this representation? + // TODO(https://crbug.com/boringssl/447): If we move this logic to + // |ASN1_BIT_STRING_set_bit|, can we remove this representation? while (len > 0 && str->data[len - 1] == 0) { len--; } @@ -158,11 +159,20 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, p = *pp; padding = *(p++); + len--; if (padding > 7) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); goto err; } + /* Unused bits in a BIT STRING must be zero. */ + uint8_t padding_mask = (1 << padding) - 1; + if (padding != 0 && + (len < 1 || (p[len - 1] & padding_mask) != 0)) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BIT_STRING_PADDING); + goto err; + } + /* * We do this to preserve the settings. If we modify the settings, via * the _set_bit function, we will recalculate on output 
@@ -170,21 +180,19 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear */ ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | padding); /* set */ - if (len-- > 1) { /* using one because of the bits left byte */ - s = (unsigned char *)OPENSSL_malloc((int)len); + if (len > 0) { + s = OPENSSL_memdup(p, len); if (s == NULL) { OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); goto err; } - OPENSSL_memcpy(s, p, (int)len); - s[len - 1] &= (0xff << padding); p += len; - } else + } else { s = NULL; + } ret->length = (int)len; - if (ret->data != NULL) - OPENSSL_free(ret->data); + OPENSSL_free(ret->data); ret->data = s; ret->type = V_ASN1_BIT_STRING; if (a != NULL) diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_bool.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_bool.c index 77bb44e2..54d9472c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_bool.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_bool.c @@ -59,7 +59,7 @@ #include #include -int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) +int i2d_ASN1_BOOLEAN(ASN1_BOOLEAN a, unsigned char **pp) { int r; unsigned char *p, *allocated = NULL; @@ -71,7 +71,7 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) if (*pp == NULL) { if ((p = allocated = OPENSSL_malloc(r)) == NULL) { OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; + return -1; } } else { p = *pp; 
@@ -88,36 +88,35 @@ int i2d_ASN1_BOOLEAN(int a, unsigned char **pp) return r; } -int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length) -{ - int ret = -1; - const unsigned char *p; +ASN1_BOOLEAN d2i_ASN1_BOOLEAN(ASN1_BOOLEAN *a, const unsigned char **pp, + long length) { + const unsigned char *p = *pp; long len; int inf, tag, xclass; - int i = 0; - - p = *pp; inf = ASN1_get_object(&p, &len, &tag, &xclass, length); if (inf & 0x80) { - i = ASN1_R_BAD_OBJECT_HEADER; - goto err; + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER); + return -1; } - if (tag != V_ASN1_BOOLEAN) { - i = ASN1_R_EXPECTING_A_BOOLEAN; - goto err; + if (inf & V_ASN1_CONSTRUCTED) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE); + return -1; + } + + if (tag != V_ASN1_BOOLEAN || xclass != V_ASN1_UNIVERSAL) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPECTING_A_BOOLEAN); + return -1; } if (len != 1) { - i = ASN1_R_BOOLEAN_IS_WRONG_LENGTH; - goto err; + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH); + return -1; } - ret = (int)*(p++); - if (a != NULL) + ASN1_BOOLEAN ret = (ASN1_BOOLEAN)*(p++); + if (a != NULL) { (*a) = ret; + } *pp = p; - return (ret); - err: - OPENSSL_PUT_ERROR(ASN1, i); - return (ret); + return ret; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_enum.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_enum.c deleted file mode 100644 index fd9ccfc3..00000000 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_enum.c +++ /dev/null 
@@ -1,195 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] */ - -#include - -#include -#include - -#include -#include - -#include "../internal.h" - - -/* - * Code for ENUMERATED type: identical to INTEGER apart from a different tag. 
- * for comments on encoding see a_int.c - */ - -int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) -{ - int j, k; - unsigned int i; - unsigned char buf[sizeof(long) + 1]; - long d; - - a->type = V_ASN1_ENUMERATED; - if (a->length < (int)(sizeof(long) + 1)) { - if (a->data != NULL) - OPENSSL_free(a->data); - if ((a->data = - (unsigned char *)OPENSSL_malloc(sizeof(long) + 1)) != NULL) - OPENSSL_memset((char *)a->data, 0, sizeof(long) + 1); - } - if (a->data == NULL) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return (0); - } - d = v; - if (d < 0) { - d = -d; - a->type = V_ASN1_NEG_ENUMERATED; - } - - for (i = 0; i < sizeof(long); i++) { - if (d == 0) - break; - buf[i] = (int)d & 0xff; - d >>= 8; - } - j = 0; - for (k = i - 1; k >= 0; k--) - a->data[j++] = buf[k]; - a->length = j; - return (1); -} - -long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) -{ - int neg = 0, i; - - if (a == NULL) - return (0L); - i = a->type; - if (i == V_ASN1_NEG_ENUMERATED) - neg = 1; - else if (i != V_ASN1_ENUMERATED) - return -1; - - OPENSSL_STATIC_ASSERT(sizeof(uint64_t) >= sizeof(long), - "long larger than uint64_t"); - - if (a->length > (int)sizeof(uint64_t)) { - /* hmm... a bit ugly */ - return -1; - } - - uint64_t r64 = 0; - if (a->data != NULL) { - for (i = 0; i < a->length; i++) { - r64 <<= 8; - r64 |= (unsigned char)a->data[i]; - } - - if (r64 > LONG_MAX) { - return -1; - } - } - - long r = (long) r64; - if (neg) - r = -r; - - return r; -} - -ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) -{ - ASN1_ENUMERATED *ret; - int len, j; - - if (ai == NULL) - ret = ASN1_ENUMERATED_new(); - else - ret = ai; - if (ret == NULL) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); - goto err; - } - if (BN_is_negative(bn)) - ret->type = V_ASN1_NEG_ENUMERATED; - else - ret->type = V_ASN1_ENUMERATED; - j = BN_num_bits(bn); - len = ((j == 0) ? 
0 : ((j / 8) + 1)); - if (ret->length < len + 4) { - unsigned char *new_data = OPENSSL_realloc(ret->data, len + 4); - if (!new_data) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - goto err; - } - ret->data = new_data; - } - - ret->length = BN_bn2bin(bn, ret->data); - return (ret); - err: - if (ret != ai) - ASN1_ENUMERATED_free(ret); - return (NULL); -} - -BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) -{ - BIGNUM *ret; - - if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) - OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB); - else if (ai->type == V_ASN1_NEG_ENUMERATED) - BN_set_negative(ret, 1); - return (ret); -} diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_int.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_int.c index fa560e8d..aabc0c4a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_int.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_int.c @@ -59,8 +59,10 @@ #include #include +#include #include #include +#include #include "../internal.h" 
@@ -72,129 +74,110 @@ ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x) int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) { - int neg, ret; - /* Compare signs */ - neg = x->type & V_ASN1_NEG; + /* Compare signs. */ + int neg = x->type & V_ASN1_NEG; if (neg != (y->type & V_ASN1_NEG)) { - if (neg) - return -1; - else + return neg ? -1 : 1; + } + + int ret = ASN1_STRING_cmp(x, y); + if (neg) { + /* This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from + * returning |INT_MIN|. */ + if (ret < 0) { return 1; + } else if (ret > 0) { + return -1; + } else { + return 0; + } } - ret = ASN1_STRING_cmp(x, y); + return ret; +} - if (neg) - return -ret; - else - return ret; +/* negate_twos_complement negates |len| bytes from |buf| in-place, interpreted + * as a signed, big-endian two's complement value. */ +static void negate_twos_complement(uint8_t *buf, size_t len) +{ + uint8_t borrow = 0; + for (size_t i = len - 1; i < len; i--) { + uint8_t t = buf[i]; + buf[i] = 0u - borrow - t; + borrow |= t != 0; + } } -/* - * This converts an ASN1 INTEGER into its content encoding. - * The internal representation is an ASN1_STRING whose data is a big endian - * representation of the value, ignoring the sign. The sign is determined by - * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative. - * - * Positive integers are no problem: they are almost the same as the DER - * encoding, except if the first byte is >= 0x80 we need to add a zero pad. - * - * Negative integers are a bit trickier... - * The DER representation of negative integers is in 2s complement form. - * The internal form is converted by complementing each octet and finally - * adding one to the result. This can be done less messily with a little trick. - * If the internal form has trailing zeroes then they will become FF by the - * complement and 0 by the add one (due to carry) so just copy as many trailing - * zeros to the destination as there are in the source. 
The carry will add one - * to the last none zero octet: so complement this octet and add one and finally - * complement any left over until you get to the start of the string. - * - * Padding is a little trickier too. If the first bytes is > 0x80 then we pad - * with 0xff. However if the first byte is 0x80 and one of the following bytes - * is non-zero we pad with 0xff. The reason for this distinction is that 0x80 - * followed by optional zeros isn't padded. - */ +static int is_all_zeros(const uint8_t *in, size_t len) { + for (size_t i = 0; i < len; i++) { + if (in[i] != 0) { + return 0; + } + } + return 1; +} -int i2c_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **pp) +int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, unsigned char **outp) { - int pad = 0, ret, i, neg; - unsigned char *p, *n, pb = 0; - - if (a == NULL) - return (0); - neg = a->type & V_ASN1_NEG; - if (a->length == 0) - ret = 1; - else { - ret = a->length; - i = a->data[0]; - if (ret == 1 && i == 0) - neg = 0; - if (!neg && (i > 127)) { - pad = 1; - pb = 0; - } else if (neg) { - if (i > 128) { - pad = 1; - pb = 0xFF; - } else if (i == 128) { - /* - * Special case: if any other bytes non zero we pad: - * otherwise we don't. 
- */ - for (i = 1; i < a->length; i++) - if (a->data[i]) { - pad = 1; - pb = 0xFF; - break; - } - } - } - ret += pad; - } - if (pp == NULL) - return (ret); - p = *pp; - - if (pad) - *(p++) = pb; - if (a->length == 0) - *(p++) = 0; - else if (!neg) - OPENSSL_memcpy(p, a->data, (unsigned int)a->length); - else { - /* Begin at the end of the encoding */ - n = a->data + a->length - 1; - p += a->length - 1; - i = a->length; - /* Copy zeros to destination as long as source is zero */ - while (!*n && i > 1) { - *(p--) = 0; - n--; - i--; - } - /* Complement and increment next octet */ - *(p--) = ((*(n--)) ^ 0xff) + 1; - i--; - /* Complement any octets left */ - for (; i > 0; i--) - *(p--) = *(n--) ^ 0xff; + if (in == NULL) { + return 0; } - *pp += ret; - return (ret); -} + /* |ASN1_INTEGER|s should be represented minimally, but it is possible to + * construct invalid ones. Skip leading zeros so this does not produce an + * invalid encoding or break invariants. */ + int start = 0; + while (start < in->length && in->data[start] == 0) { + start++; + } + + int is_negative = (in->type & V_ASN1_NEG) != 0; + int pad; + if (start >= in->length) { + /* Zero is represented as a single byte. */ + is_negative = 0; + pad = 1; + } else if (is_negative) { + /* 0x80...01 through 0xff...ff have a two's complement of 0x7f...ff + * through 0x00...01 and need an extra byte to be negative. + * 0x01...00 through 0x80...00 have a two's complement of 0xfe...ff + * through 0x80...00 and can be negated as-is. */ + pad = in->data[start] > 0x80 || + (in->data[start] == 0x80 && + !is_all_zeros(in->data + start + 1, in->length - start - 1)); + } else { + /* If the high bit is set, the signed representation needs an extra + * byte to be positive. 
*/ + pad = (in->data[start] & 0x80) != 0; + } -/* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */ + if (in->length - start > INT_MAX - pad) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW); + return 0; + } + int len = pad + in->length - start; + assert(len > 0); + if (outp == NULL) { + return len; + } -ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, + if (pad) { + (*outp)[0] = 0; + } + OPENSSL_memcpy(*outp + pad, in->data + start, in->length - start); + if (is_negative) { + negate_twos_complement(*outp, len); + assert((*outp)[0] >= 0x80); + } else { + assert((*outp)[0] < 0x80); + } + *outp += len; + return len; +} + +ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **out, const unsigned char **inp, long len) { - ASN1_INTEGER *ret = NULL; - const unsigned char *p, *pend; - unsigned char *to, *s; - int i; - /* * This function can handle lengths up to INT_MAX - 1, but the rest of the * legacy ASN.1 code mixes integer types, so avoid exposing it to 
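Review bot: `is_all_zeros` is the one new helper in this hunk without a header comment, unlike `negate_twos_complement` directly above it; suggest `/* is_all_zeros returns one if |in| consists entirely of zero bytes (including when |len| is zero), and zero otherwise. */`. The loop `for (size_t i = len - 1; i < len; i--)` in `negate_twos_complement` relies on unsigned wraparound both to terminate and to skip the body when |len| is zero, which deserves a one-line comment such as `/* Walk from the last byte down; |i| wraps past zero, which ends the loop. */`. The `assert` calls at the end of `i2c_ASN1_INTEGER` are compiled out under NDEBUG, so they document the sign invariant rather than enforce it in release builds. `c2i_ASN1_INTEGER` begins at the end of this hunk and continues outside it.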
@@ -205,85 +188,69 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, return NULL; } - if ((a == NULL) || ((*a) == NULL)) { - if ((ret = ASN1_INTEGER_new()) == NULL) - return (NULL); - ret->type = V_ASN1_INTEGER; - } else - ret = (*a); + CBS cbs; + CBS_init(&cbs, *inp, (size_t)len); + int is_negative; + if (!CBS_is_valid_asn1_integer(&cbs, &is_negative)) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER); + return NULL; + } - p = *pp; - pend = p + len; + ASN1_INTEGER *ret = NULL; + if (out == NULL || *out == NULL) { + ret = ASN1_INTEGER_new(); + if (ret == NULL) { + return NULL; + } + } else { + ret = *out; + } - /* - * We must OPENSSL_malloc stuff, even for 0 bytes otherwise it signifies - * a missing NULL parameter. - */ - s = (unsigned char *)OPENSSL_malloc((int)len + 1); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; + /* Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First, + * determine the size needed for a minimal result. */ + if (is_negative) { + /* 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff + * through 0x000100...001 and need one leading zero removed. 0x8000...00 + * through 0xff00...00 have a two's complement of 0x8000...00 through + * 0x0100...00 and will be minimally-encoded as-is. */ + if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0xff && + !is_all_zeros(CBS_data(&cbs) + 1, CBS_len(&cbs) - 1)) { + CBS_skip(&cbs, 1); + } + } else { + /* Remove the leading zero byte, if any. */ + if (CBS_len(&cbs) > 0 && CBS_data(&cbs)[0] == 0x00) { + CBS_skip(&cbs, 1); + } + } + + if (!ASN1_STRING_set(ret, CBS_data(&cbs), CBS_len(&cbs))) { goto err; } - to = s; - if (!len) { - /* - * Strictly speaking this is an illegal INTEGER but we tolerate it. 
- */ - ret->type = V_ASN1_INTEGER; - } else if (*p & 0x80) { /* a negative number */ + + if (is_negative) { ret->type = V_ASN1_NEG_INTEGER; - if ((*p == 0xff) && (len != 1)) { - p++; - len--; - } - i = len; - p += i - 1; - to += i - 1; - while ((!*p) && i) { - *(to--) = 0; - i--; - p--; - } - /* - * Special case: if all zeros then the number will be of the form FF - * followed by n zero bytes: this corresponds to 1 followed by n zero - * bytes. We've already written n zeros so we just append an extra - * one and set the first byte to a 1. This is treated separately - * because it is the only case where the number of bytes is larger - * than len. - */ - if (!i) { - *s = 1; - s[len] = 0; - len++; - } else { - *(to--) = (*(p--) ^ 0xff) + 1; - i--; - for (; i > 0; i--) - *(to--) = *(p--) ^ 0xff; - } + negate_twos_complement(ret->data, ret->length); } else { ret->type = V_ASN1_INTEGER; - if ((*p == 0) && (len != 1)) { - p++; - len--; - } - OPENSSL_memcpy(s, p, (int)len); } - if (ret->data != NULL) - OPENSSL_free(ret->data); - ret->data = s; - ret->length = (int)len; - if (a != NULL) - (*a) = ret; - *pp = pend; - return (ret); + /* The value should be minimally-encoded. */ + assert(ret->length == 0 || ret->data[0] != 0); + /* Zero is not negative. */ + assert(!is_negative || ret->length > 0); + + *inp += len; + if (out != NULL) { + *out = ret; + } + return ret; + err: - OPENSSL_PUT_ERROR(ASN1, i); - if ((ret != NULL) && ((a == NULL) || (*a != ret))) + if (ret != NULL && (out == NULL || *out != ret)) { ASN1_INTEGER_free(ret); - return (NULL); + } + return NULL; } int ASN1_INTEGER_set(ASN1_INTEGER *a, long v) 
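Review bot: the sign-byte stripping after `CBS_is_valid_asn1_integer` removes at most one byte, so the later `assert(ret->length == 0 || ret->data[0] != 0)` holds only because that validator presumably rejects non-minimal DER; a comment recording the dependency keeps a future relaxation of the validator from silently breaking the invariant, e.g. `/* |CBS_is_valid_asn1_integer| rejects non-minimal encodings, so at most one sign byte needs stripping below. */`. Both `assert`s are debug-only, so nothing enforces minimality at runtime in release builds, which is fine as long as the comment makes the reliance explicit. When the caller supplies `*out` and `ASN1_STRING_set` fails, the caller's object is returned to them untouched but `ret->type` has not been updated, which matches the old code and is worth a word in a header comment. The enclosing `c2i_ASN1_INTEGER` starts in the previous hunk.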
@@ -300,121 +267,196 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v) return 1; } -int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v) +int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) { - uint8_t *const newdata = OPENSSL_malloc(sizeof(uint64_t)); - if (newdata == NULL) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; + if (v >= 0) { + return ASN1_ENUMERATED_set_uint64(a, (uint64_t) v); } - OPENSSL_free(out->data); - out->data = newdata; - v = CRYPTO_bswap8(v); - memcpy(out->data, &v, sizeof(v)); + if (!ASN1_ENUMERATED_set_uint64(a, 0 - (uint64_t) v)) { + return 0; + } - out->type = V_ASN1_INTEGER; + a->type = V_ASN1_NEG_ENUMERATED; + return 1; +} +static int asn1_string_set_uint64(ASN1_STRING *out, uint64_t v, int type) +{ + uint8_t buf[sizeof(uint64_t)]; + CRYPTO_store_u64_be(buf, v); size_t leading_zeros; - for (leading_zeros = 0; leading_zeros < sizeof(uint64_t) - 1; - leading_zeros++) { - if (out->data[leading_zeros] != 0) { - break; - } + for (leading_zeros = 0; leading_zeros < sizeof(buf); leading_zeros++) { + if (buf[leading_zeros] != 0) { + break; + } } - out->length = sizeof(uint64_t) - leading_zeros; - OPENSSL_memmove(out->data, out->data + leading_zeros, out->length); + if (!ASN1_STRING_set(out, buf + leading_zeros, + sizeof(buf) - leading_zeros)) { + return 0; + } + out->type = type; + return 1; +} + +int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v) +{ + return asn1_string_set_uint64(out, v, V_ASN1_INTEGER); +} +int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v) +{ + return asn1_string_set_uint64(out, v, V_ASN1_ENUMERATED); +} + +static int asn1_string_get_abs_uint64(uint64_t *out, const ASN1_STRING *a, + int type) +{ + if ((a->type & ~V_ASN1_NEG) != type) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE); + return 0; + } + uint8_t buf[sizeof(uint64_t)] = {0}; + if (a->length > (int)sizeof(buf)) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER); + return 0; + } + OPENSSL_memcpy(buf + sizeof(buf) - 
a->length, a->data, a->length); + *out = CRYPTO_load_u64_be(buf); return 1; } -long ASN1_INTEGER_get(const ASN1_INTEGER *a) +static int asn1_string_get_uint64(uint64_t *out, const ASN1_STRING *a, int type) { - int neg = 0, i; + if (!asn1_string_get_abs_uint64(out, a, type)) { + return 0; + } + if (a->type & V_ASN1_NEG) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_INTEGER); + return 0; + } + return 1; +} - if (a == NULL) - return (0L); - i = a->type; - if (i == V_ASN1_NEG_INTEGER) - neg = 1; - else if (i != V_ASN1_INTEGER) - return -1; +int ASN1_INTEGER_get_uint64(uint64_t *out, const ASN1_INTEGER *a) +{ + return asn1_string_get_uint64(out, a, V_ASN1_INTEGER); +} - OPENSSL_STATIC_ASSERT(sizeof(uint64_t) >= sizeof(long), - "long larger than uint64_t"); +int ASN1_ENUMERATED_get_uint64(uint64_t *out, const ASN1_ENUMERATED *a) +{ + return asn1_string_get_uint64(out, a, V_ASN1_ENUMERATED); +} - if (a->length > (int)sizeof(uint64_t)) { - /* hmm... a bit ugly, return all ones */ - return -1; +static long asn1_string_get_long(const ASN1_STRING *a, int type) +{ + if (a == NULL) { + return 0; } - uint64_t r64 = 0; - if (a->data != NULL) { - for (i = 0; i < a->length; i++) { - r64 <<= 8; - r64 |= (unsigned char)a->data[i]; - } + uint64_t v; + if (!asn1_string_get_abs_uint64(&v, a, type)) { + goto err; + } - if (r64 > LONG_MAX) { - return -1; - } + int64_t i64; + int fits_in_i64; + /* Check |v != 0| to handle manually-constructed negative zeros. */ + if ((a->type & V_ASN1_NEG) && v != 0) { + i64 = (int64_t)(0u - v); + fits_in_i64 = i64 < 0; + } else { + i64 = (int64_t)v; + fits_in_i64 = i64 >= 0; } + OPENSSL_STATIC_ASSERT(sizeof(long) <= sizeof(int64_t), "long is too big"); - long r = (long) r64; - if (neg) - r = -r; + if (fits_in_i64 && LONG_MIN <= i64 && i64 <= LONG_MAX) { + return (long)i64; + } - return r; +err: + /* This function's return value does not distinguish overflow from -1. 
*/ + ERR_clear_error(); + return -1; } -ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) +long ASN1_INTEGER_get(const ASN1_INTEGER *a) { - ASN1_INTEGER *ret; - int len, j; + return asn1_string_get_long(a, V_ASN1_INTEGER); +} - if (ai == NULL) - ret = ASN1_INTEGER_new(); - else +long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) +{ + return asn1_string_get_long(a, V_ASN1_ENUMERATED); +} + +static ASN1_STRING *bn_to_asn1_string(const BIGNUM *bn, ASN1_STRING *ai, + int type) +{ + ASN1_INTEGER *ret; + if (ai == NULL) { + ret = ASN1_STRING_type_new(type); + } else { ret = ai; + } if (ret == NULL) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); goto err; } - if (BN_is_negative(bn) && !BN_is_zero(bn)) - ret->type = V_ASN1_NEG_INTEGER; - else - ret->type = V_ASN1_INTEGER; - j = BN_num_bits(bn); - len = ((j == 0) ? 0 : ((j / 8) + 1)); - if (ret->length < len + 4) { - unsigned char *new_data = OPENSSL_realloc(ret->data, len + 4); - if (!new_data) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - goto err; - } - ret->data = new_data; + + if (BN_is_negative(bn) && !BN_is_zero(bn)) { + ret->type = type | V_ASN1_NEG; + } else { + ret->type = type; } - ret->length = BN_bn2bin(bn, ret->data); - /* Correct zero case */ - if (!ret->length) { - ret->data[0] = 0; - ret->length = 1; + + int len = BN_num_bytes(bn); + if (!ASN1_STRING_set(ret, NULL, len) || + !BN_bn2bin_padded(ret->data, len, bn)) { + goto err; } - return (ret); + return ret; + err: - if (ret != ai) - ASN1_INTEGER_free(ret); - return (NULL); + if (ret != ai) { + ASN1_STRING_free(ret); + } + return NULL; } -BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) +ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) { - BIGNUM *ret; + return bn_to_asn1_string(bn, ai, V_ASN1_INTEGER); +} + +ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) +{ + return bn_to_asn1_string(bn, ai, V_ASN1_ENUMERATED); +} + +static BIGNUM *asn1_string_to_bn(const 
ASN1_STRING *ai, BIGNUM *bn, int type) +{ + if ((ai->type & ~V_ASN1_NEG) != type) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_INTEGER_TYPE); + return NULL; + } + BIGNUM *ret; if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) OPENSSL_PUT_ERROR(ASN1, ASN1_R_BN_LIB); - else if (ai->type == V_ASN1_NEG_INTEGER) + else if (ai->type & V_ASN1_NEG) BN_set_negative(ret, 1); return (ret); } + +BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) +{ + return asn1_string_to_bn(ai, bn, V_ASN1_INTEGER); +} + +BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) +{ + return asn1_string_to_bn(ai, bn, V_ASN1_ENUMERATED); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c index 8463c008..5ed70cb2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_mbstr.c @@ -66,8 +66,6 @@ #include "internal.h" #include "../bytestring/internal.h" -static int is_printable(uint32_t value); - /* * These functions take a string in UTF8, ASCII or multibyte form and a mask * of permissible ASN1 string types. It then works out the minimal type @@ -153,7 +151,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, } /* Update which output formats are still possible. */ - if ((mask & B_ASN1_PRINTABLESTRING) && !is_printable(c)) { + if ((mask & B_ASN1_PRINTABLESTRING) && !asn1_is_printable(c)) { mask &= ~B_ASN1_PRINTABLESTRING; } if ((mask & B_ASN1_IA5STRING) && (c > 127)) { 
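Review bot: `bn_to_asn1_string` declares its result as `ASN1_INTEGER *ret` although it takes and returns `ASN1_STRING *` and now serves ENUMERATED values too; `ASN1_STRING *ret;` matches the helper's interface and the `ASN1_STRING_free(ret)` in its error path. In `asn1_string_get_long`, `i64 = (int64_t)(0u - v)` converts an out-of-range unsigned value to a signed type, which is implementation-defined before C23, and the following `fits_in_i64 = i64 < 0` test assumes two's-complement wraparound; a comment stating that assumption would make the overflow check reviewable. `asn1_string_to_bn` keeps the brace-less `if`/`else if` chain from the old code while every other new function in the hunk uses braces. The upper-bound check in `asn1_string_get_abs_uint64` assumes `a->length` is non-negative before it is passed to `OPENSSL_memcpy`, which is the usual `ASN1_STRING` invariant but is not stated anywhere here.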
@@ -285,24 +283,16 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len, return -1; } -/* Return 1 if the character is permitted in a PrintableString */ -static int is_printable(uint32_t value) +int asn1_is_printable(uint32_t value) { - int ch; - if (value > 0x7f) + if (value > 0x7f) { return 0; - ch = (int)value; - /* - * Note: we can't use 'isalnum' because certain accented characters may - * count as alphanumeric in some environments. - */ - if ((ch >= 'a') && (ch <= 'z')) - return 1; - if ((ch >= 'A') && (ch <= 'Z')) - return 1; - if ((ch >= '0') && (ch <= '9')) - return 1; - if ((ch == ' ') || strchr("'()+,-./:=?", ch)) - return 1; - return 0; + } + /* Note we cannot use |isalnum| because it is locale-dependent. */ + return ('a' <= value && value <= 'z') || // + ('A' <= value && value <= 'Z') || // + ('0' <= value && value <= '9') || // + value == ' ' || value == '\'' || value == '(' || value == ')' || + value == '+' || value == ',' || value == '-' || value == '.' || + value == '/' || value == ':' || value == '=' || value == '?'; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_object.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_object.c index 635c9ce4..81966af8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_object.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_object.c 
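Review bot: `asn1_is_printable` loses the `/* Return 1 if the character is permitted in a PrintableString */` comment when it is made non-static, and nothing in this hunk documents the function; unless the prototype in `internal.h` carries it, add `/* asn1_is_printable returns one if |value| is a valid character in a PrintableString, and zero otherwise. */` above the definition. The trailing `// ` markers on the first three lines of the return expression appear to be formatter hints to pin the line breaks, which is worth a short note since the rest of the file uses block comments.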
@@ -69,20 +69,26 @@ int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) { - unsigned char *p, *allocated = NULL; - int objsize; + if (a == NULL) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } - if ((a == NULL) || (a->data == NULL)) - return (0); + if (a->length == 0) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT); + return -1; + } - objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT); - if (pp == NULL || objsize == -1) + int objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT); + if (pp == NULL || objsize == -1) { return objsize; + } + unsigned char *p, *allocated = NULL; if (*pp == NULL) { if ((p = allocated = OPENSSL_malloc(objsize)) == NULL) { OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; + return -1; } } else { p = *pp; 
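Review bot: `i2d_ASN1_OBJECT` now returns -1 where it used to return 0 for a NULL object, an empty object and allocation failure, and -1 is truthy, so any caller in this tree written as `if (!i2d_ASN1_OBJECT(...))` would take the failure path as success; it is worth checking the callers before relying on the new contract. The `a->data == NULL` guard is replaced by `a->length == 0`, which is fine as long as an object with a positive length always carries non-NULL data — presumably the `ASN1_OBJECT` invariant, but a one-line comment there would record the assumption. The function's body continues beyond the end of the hunk.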
@@ -104,54 +110,65 @@ int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a) return OBJ_obj2txt(buf, buf_len, a, 0); } +static int write_str(BIO *bp, const char *str) +{ + int len = strlen(str); + return BIO_write(bp, str, len) == len ? len : -1; +} + int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a) { - char buf[80], *p = buf; - int i; + if (a == NULL || a->data == NULL) { + return write_str(bp, "NULL"); + } - if ((a == NULL) || (a->data == NULL)) - return (BIO_write(bp, "NULL", 4)); - i = i2t_ASN1_OBJECT(buf, sizeof buf, a); - if (i > (int)(sizeof(buf) - 1)) { - p = OPENSSL_malloc(i + 1); - if (!p) + char buf[80], *allocated = NULL; + const char *str = buf; + int len = i2t_ASN1_OBJECT(buf, sizeof(buf), a); + if (len > (int)sizeof(buf) - 1) { + /* The input was truncated. Allocate a buffer that fits. */ + allocated = OPENSSL_malloc(len + 1); + if (allocated == NULL) { return -1; - i2t_ASN1_OBJECT(p, i + 1, a); + } + len = i2t_ASN1_OBJECT(allocated, len + 1, a); + str = allocated; + } + if (len <= 0) { + str = ""; } - if (i <= 0) - return BIO_write(bp, "", 9); - BIO_write(bp, p, i); - if (p != buf) - OPENSSL_free(p); - return (i); + + int ret = write_str(bp, str); + OPENSSL_free(allocated); + return ret; } ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long length) { - const unsigned char *p; long len; int tag, xclass; - int inf, i; - ASN1_OBJECT *ret = NULL; - p = *pp; - inf = ASN1_get_object(&p, &len, &tag, &xclass, length); + const unsigned char *p = *pp; + int inf = ASN1_get_object(&p, &len, &tag, &xclass, length); if (inf & 0x80) { - i = ASN1_R_BAD_OBJECT_HEADER; - goto err; + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER); + return NULL; } - if (tag != V_ASN1_OBJECT) { - i = ASN1_R_EXPECTING_AN_OBJECT; - goto err; + if (inf & V_ASN1_CONSTRUCTED) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE); + return NULL; } - ret = c2i_ASN1_OBJECT(a, &p, len); - if (ret) + + if (tag != V_ASN1_OBJECT || xclass != 
V_ASN1_UNIVERSAL) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPECTING_AN_OBJECT); + return NULL; + } + ASN1_OBJECT *ret = c2i_ASN1_OBJECT(a, &p, len); + if (ret) { *pp = p; + } return ret; - err: - OPENSSL_PUT_ERROR(ASN1, i); - return (NULL); } ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_print.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_print.c index 6b83b965..e6a4594e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_print.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_print.c @@ -56,38 +56,28 @@ #include -#include -#include +#include + +#include "internal.h" + int ASN1_PRINTABLE_type(const unsigned char *s, int len) { - int c; - int ia5 = 0; - int t61 = 0; - - if (len <= 0) - len = -1; - if (s == NULL) - return (V_ASN1_PRINTABLESTRING); + if (len < 0) { + len = strlen((const char *)s); + } - while ((*s) && (len-- != 0)) { - c = *(s++); - if (!(((c >= 'a') && (c <= 'z')) || - ((c >= 'A') && (c <= 'Z')) || - (c == ' ') || - ((c >= '0') && (c <= '9')) || - (c == ' ') || (c == '\'') || - (c == '(') || (c == ')') || - (c == '+') || (c == ',') || - (c == '-') || (c == '.') || - (c == '/') || (c == ':') || (c == '=') || (c == '?'))) - ia5 = 1; - if (c & 0x80) - t61 = 1; + int printable = 1; + for (int i = 0; i < len; i++) { + unsigned char c = s[i]; + if (c & 0x80) { + /* No need to continue iterating. */ + return V_ASN1_T61STRING; + } + if (!asn1_is_printable(c)) { + printable = 0; + } } - if (t61) - return (V_ASN1_T61STRING); - if (ia5) - return (V_ASN1_IA5STRING); - return (V_ASN1_PRINTABLESTRING); + + return printable ? V_ASN1_PRINTABLESTRING : V_ASN1_IA5STRING; } diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c index 0ac06d18..2cbf45cc 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strex.c @@ -56,6 +56,7 @@ #include +#include #include #include #include 
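Review bot: `write_str` narrows `strlen(str)` into `int len` without a bound, and `i2a_ASN1_OBJECT` hands it both the stack buffer and the heap buffer filled by the second `i2t_ASN1_OBJECT` call; the lengths produced here are already int-sized, but `size_t len = strlen(str); if (len > INT_MAX) { return -1; }` followed by `return BIO_write(bp, str, (int)len) == (int)len ? (int)len : -1;` closes the gap at no cost (assuming `<limits.h>` is included above this hunk). The fallback `str = "";` on the `len <= 0` path appears in this rendering as an empty literal while the old code wrote 9 bytes for the same case, which looks like the page lost the literal's contents; confirm the actual string in the tree. The added rejection of constructed and non-universal encodings in `d2i_ASN1_OBJECT` is a good tightening; a comment naming the two conditions would help readers.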
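Review bot: `ASN1_PRINTABLE_type` drops the old `s == NULL` early return and changes the meaning of `len == 0`: the old code treated any `len <= 0` as NUL-terminated, while the new code only does so for negative lengths and treats zero as an empty string, so a caller passing `(s, 0)` for a NUL-terminated string now always gets `V_ASN1_PRINTABLESTRING`, and a NULL `s` reaches `strlen` or `s[i]`. If every caller passes a real buffer with an explicit length or -1 this is fine, but a header comment should state the contract: `/* |len| is the length of |s|, or -1 if |s| is NUL-terminated; |s| must not be NULL. */`. The function ends inside this hunk.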
@@ -155,100 +156,98 @@ static int do_esc_char(uint32_t c, unsigned char flags, char *do_quotes, return 1; } -#define BUF_TYPE_WIDTH_MASK 0x7 -#define BUF_TYPE_CONVUTF8 0x8 - /* * This function sends each character in a buffer to do_esc_char(). It * interprets the content formats and converts to or from UTF8 as * appropriate. */ -static int do_buf(unsigned char *buf, int buflen, - int type, unsigned char flags, char *quotes, BIO *out) +static int do_buf(const unsigned char *buf, int buflen, int encoding, + int utf8_convert, unsigned char flags, char *quotes, BIO *out) { - int i, outlen, len, charwidth; - unsigned char orflags, *p, *q; - uint32_t c; - p = buf; - q = buf + buflen; - outlen = 0; - charwidth = type & BUF_TYPE_WIDTH_MASK; - - switch (charwidth) { - case 4: + /* Reject invalid UCS-4 and UCS-2 lengths without parsing. */ + switch (encoding) { + case MBSTRING_UNIV: if (buflen & 3) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING); return -1; } break; - case 2: + case MBSTRING_BMP: if (buflen & 1) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING); return -1; } break; - default: - break; } + const unsigned char *p = buf; + const unsigned char *q = buf + buflen; + int outlen = 0; while (p != q) { - if (p == buf && flags & ASN1_STRFLGS_ESC_2253) + unsigned char orflags = 0; + if (p == buf && flags & ASN1_STRFLGS_ESC_2253) { orflags = CHARTYPE_FIRST_ESC_2253; - else - orflags = 0; + } /* TODO(davidben): Replace this with |cbs_get_ucs2_be|, etc., to check - * for invalid codepoints. */ - switch (charwidth) { - case 4: + * for invalid codepoints. Before doing that, enforce it in the parser, + * https://crbug.com/boringssl/427, so these error cases are not + * reachable from parsed objects. 
*/ + uint32_t c; + switch (encoding) { + case MBSTRING_UNIV: c = ((uint32_t)*p++) << 24; c |= ((uint32_t)*p++) << 16; c |= ((uint32_t)*p++) << 8; c |= *p++; break; - case 2: + case MBSTRING_BMP: c = ((uint32_t)*p++) << 8; c |= *p++; break; - case 1: + case MBSTRING_ASC: c = *p++; break; - case 0: - i = UTF8_getc(p, buflen, &c); - if (i < 0) + case MBSTRING_UTF8: { + int consumed = UTF8_getc(p, buflen, &c); + if (consumed < 0) return -1; /* Invalid UTF8String */ - buflen -= i; - p += i; + buflen -= consumed; + p += consumed; break; + } + default: - return -1; /* invalid width */ + assert(0); + return -1; } if (p == q && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_LAST_ESC_2253; - if (type & BUF_TYPE_CONVUTF8) { + if (utf8_convert) { unsigned char utfbuf[6]; int utflen; utflen = UTF8_putc(utfbuf, sizeof utfbuf, c); - for (i = 0; i < utflen; i++) { + for (int i = 0; i < utflen; i++) { /* * We don't need to worry about setting orflags correctly * because if utflen==1 its value will be correct anyway * otherwise each character will be > 0x7f and so the * character will never be escaped on first and last. */ - len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags), - quotes, out); - if (len < 0) + int len = do_esc_char(utfbuf[i], flags | orflags, quotes, out); + if (len < 0) { return -1; + } outlen += len; } } else { - len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, out); - if (len < 0) + int len = do_esc_char(c, flags | orflags, quotes, out); + if (len < 0) { return -1; + } outlen += len; } } @@ -279,7 +278,7 @@ static int do_hex_dump(BIO *out, unsigned char *buf, int buflen) /* * "dump" a string. This is done when the type is unknown, or the flags * request it. We can either dump the content octets or the entire DER - * encoding. This uses the RFC2253 #01234 format. + * encoding. This uses the RFC 2253 #01234 format. */ static int do_dump(unsigned long lflags, BIO *out, const ASN1_STRING *str) 
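Review bot: in the `utf8_convert` branch of `do_buf`, `utflen = UTF8_putc(utfbuf, sizeof utfbuf, c);` is never checked for failure, so a code point that cannot be encoded (possible from the UCS-4 and UCS-2 paths, which the TODO above says are not yet validated) makes the loop run zero times and the character is silently dropped from both the measured length and the written output. Adding `if (utflen < 0) { return -1; }` right after the call would report it the way the UTF-8 input path already does, assuming `UTF8_putc` signals errors with a negative return. The `if (consumed < 0) return -1;` in the `MBSTRING_UTF8` case is the one brace-less `if` left in the rewritten body.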
@@ -331,22 +330,31 @@ static int do_dump(unsigned long lflags, BIO *out, const ASN1_STRING *str) return outlen + 1; } -/* - * Lookup table to convert tags to character widths, 0 = UTF8 encoded, -1 is - * used for non string types otherwise it is the number of bytes per - * character - */ - -static const signed char tag2nbyte[] = { - -1, -1, -1, -1, -1, /* 0-4 */ - -1, -1, -1, -1, -1, /* 5-9 */ - -1, -1, 0, -1, /* 10-13 */ - -1, -1, -1, -1, /* 15-17 */ - 1, 1, 1, /* 18-20 */ - -1, 1, 1, 1, /* 21-24 */ - -1, 1, -1, /* 25-27 */ - 4, -1, 2 /* 28-30 */ -}; +/* string_type_to_encoding returns the |MBSTRING_*| constant for the encoding + * used by the |ASN1_STRING| type |type|, or -1 if |tag| is not a string + * type. */ +static int string_type_to_encoding(int type) { + /* This function is sometimes passed ASN.1 universal types and sometimes + * passed |ASN1_STRING| type values */ + switch (type) { + case V_ASN1_UTF8STRING: + return MBSTRING_UTF8; + case V_ASN1_NUMERICSTRING: + case V_ASN1_PRINTABLESTRING: + case V_ASN1_T61STRING: + case V_ASN1_IA5STRING: + case V_ASN1_UTCTIME: + case V_ASN1_GENERALIZEDTIME: + case V_ASN1_ISO64STRING: + /* |MBSTRING_ASC| refers to Latin-1, not ASCII. */ + return MBSTRING_ASC; + case V_ASN1_UNIVERSALSTRING: + return MBSTRING_UNIV; + case V_ASN1_BMPSTRING: + return MBSTRING_BMP; + } + return -1; +} /* * This is the main function, print out an ASN1_STRING taking note of various 
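Review bot: the new header comment on `string_type_to_encoding` refers to `|tag|`, but the parameter is `type`; `* used by the |ASN1_STRING| type |type|, or -1 if |type| is not a string type. */` keeps the comment consistent with the signature. The -1 return doubles as the "dump the raw contents" sentinel in `ASN1_STRING_print_ex`, so naming that in the comment would tell readers why the value matters beyond being an error.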
@@ -356,79 +364,77 @@ static const signed char tag2nbyte[] = { int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long lflags) { - int outlen, len; - int type; - char quotes; - unsigned char flags; - quotes = 0; /* Keep a copy of escape flags */ - flags = (unsigned char)(lflags & ESC_FLAGS); - - type = str->type; - - outlen = 0; - + unsigned char flags = (unsigned char)(lflags & ESC_FLAGS); + int type = str->type; + int outlen = 0; if (lflags & ASN1_STRFLGS_SHOW_TYPE) { - const char *tagname; - tagname = ASN1_tag2str(type); + const char *tagname = ASN1_tag2str(type); outlen += strlen(tagname); if (!maybe_write(out, tagname, outlen) || !maybe_write(out, ":", 1)) return -1; outlen++; } - /* Decide what to do with type, either dump content or display it */ - - /* Dump everything */ - if (lflags & ASN1_STRFLGS_DUMP_ALL) - type = -1; - /* Ignore the string type */ - else if (lflags & ASN1_STRFLGS_IGNORE_TYPE) - type = 1; - else { - /* Else determine width based on type */ - if ((type > 0) && (type < 31)) - type = tag2nbyte[type]; - else - type = -1; - if ((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN)) - type = 1; + /* Decide what to do with |str|, either dump the contents or display it. */ + int encoding; + if (lflags & ASN1_STRFLGS_DUMP_ALL) { + /* Dump everything. */ + encoding = -1; + } else if (lflags & ASN1_STRFLGS_IGNORE_TYPE) { + /* Ignore the string type and interpret the contents as Latin-1. 
*/ + encoding = MBSTRING_ASC; + } else { + encoding = string_type_to_encoding(type); + if (encoding == -1 && (lflags & ASN1_STRFLGS_DUMP_UNKNOWN) == 0) { + encoding = MBSTRING_ASC; + } } - if (type == -1) { - len = do_dump(lflags, out, str); + if (encoding == -1) { + int len = do_dump(lflags, out, str); if (len < 0) return -1; outlen += len; return outlen; } + int utf8_convert = 0; if (lflags & ASN1_STRFLGS_UTF8_CONVERT) { - /* - * Note: if string is UTF8 and we want to convert to UTF8 then we - * just interpret it as 1 byte per character to avoid converting - * twice. - */ - if (!type) - type = 1; - else - type |= BUF_TYPE_CONVUTF8; + /* If the string is UTF-8, skip decoding and just interpret it as 1 byte + * per character to avoid converting twice. + * + * TODO(davidben): This is not quite a valid optimization if the input + * was invalid UTF-8. */ + if (encoding == MBSTRING_UTF8) { + encoding = MBSTRING_ASC; + } else { + utf8_convert = 1; + } } - len = do_buf(str->data, str->length, type, flags, "es, NULL); - if (len < 0) + /* Measure the length. */ + char quotes = 0; + int len = do_buf(str->data, str->length, encoding, utf8_convert, flags, + "es, NULL); + if (len < 0) { return -1; + } outlen += len; - if (quotes) + if (quotes) { outlen += 2; - if (!out) + } + if (!out) { return outlen; - if (quotes && !maybe_write(out, "\"", 1)) - return -1; - if (do_buf(str->data, str->length, type, flags, NULL, out) < 0) - return -1; - if (quotes && !maybe_write(out, "\"", 1)) + } + + /* Encode the value. */ + if ((quotes && !maybe_write(out, "\"", 1)) || + do_buf(str->data, str->length, encoding, utf8_convert, flags, NULL, + out) < 0 || + (quotes && !maybe_write(out, "\"", 1))) { return -1; + } return outlen; } 
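Review bot: `int encoding;` in `ASN1_STRING_print_ex` uses -1 as an in-band sentinel meaning "dump instead of decode", and that is only visible from the `if (encoding == -1)` test several lines later; a comment at the declaration, `/* -1 means the contents are dumped rather than decoded as characters. */`, would make the three branches easier to follow. The `ASN1_STRFLGS_UTF8_CONVERT` shortcut that relabels UTF-8 input as `MBSTRING_ASC` passes invalid UTF-8 through byte-for-byte with no validation, as the TODO notes; a follow-up could validate in the measuring pass, but that is beyond this hunk. The `outlen += strlen(tagname); ... maybe_write(out, tagname, outlen)` pair in the retained context is correct only because `outlen` is still zero there, so a dedicated `tagname_len` local would be clearer.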
@@ -451,22 +457,19 @@ int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) { - ASN1_STRING stmp, *str = &stmp; - int mbflag, type, ret; if (!in) return -1; - type = in->type; - if ((type < 0) || (type > 30)) - return -1; - mbflag = tag2nbyte[type]; - if (mbflag == -1) + int mbflag = string_type_to_encoding(in->type); + if (mbflag == -1) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNKNOWN_TAG); return -1; - mbflag |= MBSTRING_FLAG; + } + ASN1_STRING stmp, *str = &stmp; stmp.data = NULL; stmp.length = 0; stmp.flags = 0; - ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, - B_ASN1_UTF8STRING); + int ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, + B_ASN1_UTF8STRING); if (ret < 0) return ret; *out = stmp.data; @@ -574,7 +577,8 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm) // their value, updates |v| and |len|, and returns one. Otherwise, returns // zero. static int consume_two_digits(int* out, const char **v, int *len) { - if (*len < 2|| !isdigit((*v)[0]) || !isdigit((*v)[1])) { + if (*len < 2 || !isdigit((unsigned char)((*v)[0])) || + !isdigit((unsigned char)((*v)[1]))) { return 0; } *out = ((*v)[0] - '0') * 10 + ((*v)[1] - '0'); diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c index 6ba7840f..18d58c91 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_strnid.c 
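Review bot: `ASN1_STRING_to_UTF8` now mixes brace styles within one body — the new `if (mbflag == -1) { ... }` uses braces while the retained `if (!in) return -1;` and `if (ret < 0) return ret;` do not; since the function is being rewritten anyway, giving the two remaining single-line `if`s braces keeps the file's new convention uniform. Dropping the explicit `mbflag |= MBSTRING_FLAG;` is correct only if the `MBSTRING_*` constants returned by `string_type_to_encoding` already carry that flag, which I believe they do but which a short comment at the call could confirm. The `(unsigned char)` casts before `isdigit` in `consume_two_digits` are the right fix for negative `char` values.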
@@ -56,18 +56,23 @@ #include -#include /* For bsearch */ +#include +#include #include #include #include #include -#include -DEFINE_STACK_OF(ASN1_STRING_TABLE) +#include "../internal.h" +#include "../lhash/internal.h" +#include "internal.h" -static STACK_OF(ASN1_STRING_TABLE) *stable = NULL; -static void st_free(ASN1_STRING_TABLE *tbl); + +DEFINE_LHASH_OF(ASN1_STRING_TABLE) + +static LHASH_OF(ASN1_STRING_TABLE) *string_tables = NULL; +static struct CRYPTO_STATIC_MUTEX string_tables_lock = CRYPTO_STATIC_MUTEX_INIT; void ASN1_STRING_set_default_mask(unsigned long mask) { @@ -83,34 +88,36 @@ int ASN1_STRING_set_default_mask_asc(const char *p) return 1; } +static const ASN1_STRING_TABLE *asn1_string_table_get(int nid); + /* * The following function generates an ASN1_STRING based on limits in a * table. Frequently the types and length of an ASN1_STRING are restricted by * a corresponding OID. For example certificates and certificate requests. */ -ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, - const unsigned char *in, int inlen, - int inform, int nid) +ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, + int len, int inform, int nid) { - ASN1_STRING_TABLE *tbl; ASN1_STRING *str = NULL; - unsigned long mask; int ret; - if (!out) + if (!out) { out = &str; - tbl = ASN1_STRING_TABLE_get(nid); - if (tbl) { - mask = tbl->mask; - if (!(tbl->flags & STABLE_NO_MASK)) + } + const ASN1_STRING_TABLE *tbl = asn1_string_table_get(nid); + if (tbl != NULL) { + unsigned long mask = tbl->mask; + if (!(tbl->flags & STABLE_NO_MASK)) { mask &= B_ASN1_UTF8STRING; - ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask, - tbl->minsize, tbl->maxsize); + } + ret = ASN1_mbstring_ncopy(out, in, len, inform, mask, tbl->minsize, + tbl->maxsize); } else { - ret = ASN1_mbstring_copy(out, in, inlen, inform, B_ASN1_UTF8STRING); + ret = ASN1_mbstring_copy(out, in, len, inform, B_ASN1_UTF8STRING); } - if (ret <= 0) + if (ret <= 0) { return NULL; + } return *out; } 
@@ -118,15 +125,13 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out,
 * Now the tables and helper functions for the string table: */
-/* size limits: this stuff is taken straight from RFC3280 */
-
+/* See RFC 5280. */
 #define ub_name 32768
 #define ub_common_name 64
 #define ub_locality_name 128
 #define ub_state_name 128
 #define ub_organization_name 64
 #define ub_organization_unit_name 64
-#define ub_title 64
 #define ub_email_address 128
 #define ub_serial_number 64
@@ -157,120 +162,105 @@ static const ASN1_STRING_TABLE tbl_standard[] = { {NID_ms_csp_name, -1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK} }; -static int sk_table_cmp(const ASN1_STRING_TABLE **a, - const ASN1_STRING_TABLE **b) +static int table_cmp(const ASN1_STRING_TABLE *a, const ASN1_STRING_TABLE *b) { - return (*a)->nid - (*b)->nid; + if (a->nid < b->nid) { + return -1; + } + if (a->nid > b->nid) { + return 1; + } + return 0; } -static int table_cmp(const void *in_a, const void *in_b) +static int table_cmp_void(const void *a, const void *b) { - const ASN1_STRING_TABLE *a = in_a; - const ASN1_STRING_TABLE *b = in_b; - return a->nid - b->nid; + return table_cmp(a, b); } -ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid) +static uint32_t table_hash(const ASN1_STRING_TABLE *tbl) { - int found; - size_t idx; - ASN1_STRING_TABLE *ttmp; - ASN1_STRING_TABLE fnd; - fnd.nid = nid; - - ttmp = - bsearch(&fnd, tbl_standard, - sizeof(tbl_standard) / sizeof(ASN1_STRING_TABLE), - sizeof(ASN1_STRING_TABLE), table_cmp); - if (ttmp) - return ttmp; - if (!stable) - return NULL; - sk_ASN1_STRING_TABLE_sort(stable); - found = sk_ASN1_STRING_TABLE_find(stable, &idx, &fnd); - if (!found) - return NULL; - return sk_ASN1_STRING_TABLE_value(stable, idx); + return OPENSSL_hash32(&tbl->nid, sizeof(tbl->nid)); } -int ASN1_STRING_TABLE_add(int nid, - long minsize, long maxsize, unsigned long mask, - unsigned long flags) +static const ASN1_STRING_TABLE *asn1_string_table_get(int nid) { - ASN1_STRING_TABLE *tmp; - char new_nid = 0; - flags &= ~STABLE_FLAGS_MALLOC; - if (!stable) - stable = sk_ASN1_STRING_TABLE_new(sk_table_cmp); - if (!stable) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; + ASN1_STRING_TABLE key; + key.nid = nid; + const ASN1_STRING_TABLE *tbl = + bsearch(&key, tbl_standard, OPENSSL_ARRAY_SIZE(tbl_standard), + sizeof(ASN1_STRING_TABLE), table_cmp_void); + if (tbl != NULL) { + return tbl; } - if (!(tmp = ASN1_STRING_TABLE_get(nid))) { - tmp = 
OPENSSL_malloc(sizeof(ASN1_STRING_TABLE)); - if (!tmp) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; - } - tmp->flags = flags | STABLE_FLAGS_MALLOC; - tmp->nid = nid; - tmp->minsize = tmp->maxsize = -1; - new_nid = 1; - } else - tmp->flags = (tmp->flags & STABLE_FLAGS_MALLOC) | flags; - if (minsize != -1) - tmp->minsize = minsize; - if (maxsize != -1) - tmp->maxsize = maxsize; - tmp->mask = mask; - if (new_nid) - sk_ASN1_STRING_TABLE_push(stable, tmp); - return 1; -} -void ASN1_STRING_TABLE_cleanup(void) -{ - STACK_OF(ASN1_STRING_TABLE) *tmp; - tmp = stable; - if (!tmp) - return; - stable = NULL; - sk_ASN1_STRING_TABLE_pop_free(tmp, st_free); + CRYPTO_STATIC_MUTEX_lock_read(&string_tables_lock); + if (string_tables != NULL) { + tbl = lh_ASN1_STRING_TABLE_retrieve(string_tables, &key); + } + CRYPTO_STATIC_MUTEX_unlock_read(&string_tables_lock); + /* Note returning |tbl| without the lock is only safe because + * |ASN1_STRING_TABLE_add| cannot modify or delete existing entries. If we + * wish to support that, this function must copy the result under a lock. */ + return tbl; } -static void st_free(ASN1_STRING_TABLE *tbl) +int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, + unsigned long mask, unsigned long flags) { - if (tbl->flags & STABLE_FLAGS_MALLOC) - OPENSSL_free(tbl); -} - -#ifdef STRING_TABLE_TEST + /* Existing entries cannot be overwritten. 
*/ + if (asn1_string_table_get(nid) != NULL) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } -int main(void) -{ - ASN1_STRING_TABLE *tmp; - int i, last_nid = -1; + int ret = 0; + CRYPTO_STATIC_MUTEX_lock_write(&string_tables_lock); - for (tmp = tbl_standard, i = 0; - i < sizeof(tbl_standard) / sizeof(ASN1_STRING_TABLE); i++, tmp++) { - if (tmp->nid < last_nid) { - last_nid = 0; - break; + if (string_tables == NULL) { + string_tables = lh_ASN1_STRING_TABLE_new(table_hash, table_cmp); + if (string_tables == NULL) { + goto err; + } + } else { + /* Check again for an existing entry. One may have been added while + * unlocked. */ + ASN1_STRING_TABLE key; + key.nid = nid; + if (lh_ASN1_STRING_TABLE_retrieve(string_tables, &key) != NULL) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + goto err; } - last_nid = tmp->nid; } - if (last_nid != 0) { - printf("Table order OK\n"); - exit(0); + ASN1_STRING_TABLE *tbl = OPENSSL_malloc(sizeof(ASN1_STRING_TABLE)); + if (tbl == NULL) { + goto err; + } + tbl->nid = nid; + tbl->flags = flags; + tbl->minsize = minsize; + tbl->maxsize = maxsize; + tbl->mask = mask; + ASN1_STRING_TABLE *old_tbl; + if (!lh_ASN1_STRING_TABLE_insert(string_tables, &old_tbl, tbl)) { + OPENSSL_free(tbl); + goto err; } + assert(old_tbl == NULL); + ret = 1; - for (tmp = tbl_standard, i = 0; - i < sizeof(tbl_standard) / sizeof(ASN1_STRING_TABLE); i++, tmp++) - printf("Index %d, NID %d, Name=%s\n", i, tmp->nid, - OBJ_nid2ln(tmp->nid)); +err: + CRYPTO_STATIC_MUTEX_unlock_write(&string_tables_lock); + return ret; +} - return 0; +void ASN1_STRING_TABLE_cleanup(void) +{ } -#endif +void asn1_get_string_table_for_testing(const ASN1_STRING_TABLE **out_ptr, + size_t *out_len) { + *out_ptr = tbl_standard; + *out_len = OPENSSL_ARRAY_SIZE(tbl_standard); +} diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c b/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c index 49336f76..c151a3a8 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/a_time.c
@@ -73,7 +73,7 @@ IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_TIME)
+IMPLEMENT_ASN1_FUNCTIONS_const(ASN1_TIME)
 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t) {
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c b/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c
index 93bec4f5..a131a1f5 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/asn1_lib.c
@@ -59,11 +59,12 @@
 #include
 #include
-#include
+#include
 #include
 #include
 #include "../internal.h"
+#include "internal.h"
 /* Cross-module errors from crypto/x509/i2d_pr.c. */
@@ -103,117 +104,54 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE) -static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, - long max); static void asn1_put_length(unsigned char **pp, int length); -int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, - int *pclass, long omax) +int ASN1_get_object(const unsigned char **inp, long *out_len, int *out_tag, + int *out_class, long in_len) { - int i, ret; - long l; - const unsigned char *p = *pp; - int tag, xclass, inf; - long max = omax; - - if (!max) - goto err; - ret = (*p & V_ASN1_CONSTRUCTED); - xclass = (*p & V_ASN1_PRIVATE); - i = *p & V_ASN1_PRIMITIVE_TAG; - if (i == V_ASN1_PRIMITIVE_TAG) { /* high-tag */ - p++; - if (--max == 0) - goto err; - l = 0; - while (*p & 0x80) { - l <<= 7L; - l |= *(p++) & 0x7f; - if (--max == 0) - goto err; - if (l > (INT_MAX >> 7L)) - goto err; - } - l <<= 7L; - l |= *(p++) & 0x7f; - tag = (int)l; - if (--max == 0) - goto err; - } else { - tag = i; - p++; - if (--max == 0) - goto err; + if (in_len < 0) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); + return 0x80; } - /* To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags. 
*/ - if (xclass == V_ASN1_UNIVERSAL && tag > V_ASN1_MAX_UNIVERSAL) - goto err; - - *ptag = tag; - *pclass = xclass; - if (!asn1_get_length(&p, &inf, plength, max)) - goto err; - - if (inf && !(ret & V_ASN1_CONSTRUCTED)) - goto err; - -#if 0 - fprintf(stderr, "p=%d + *plength=%ld > omax=%ld + *pp=%d (%d > %d)\n", - (int)p, *plength, omax, (int)*pp, (int)(p + *plength), - (int)(omax + *pp)); - -#endif - if (*plength > (omax - (p - *pp))) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); - /* - * Set this so that even if things are not long enough the values are - * set correctly - */ - ret |= 0x80; + /* TODO(https://crbug.com/boringssl/354): This should use |CBS_get_asn1| to + * reject non-minimal lengths, which are only allowed in BER. However, + * Android sometimes needs allow a non-minimal length in certificate + * signature fields (see b/18228011). Make this only apply to that field, + * while requiring DER elsewhere. Better yet, it should be limited to an + * preprocessing step in that part of Android. */ + unsigned tag; + size_t header_len; + int indefinite; + CBS cbs, body; + CBS_init(&cbs, *inp, (size_t)in_len); + if (!CBS_get_any_ber_asn1_element(&cbs, &body, &tag, &header_len, + /*out_ber_found=*/NULL, &indefinite) || + indefinite || + !CBS_skip(&body, header_len) || + /* Bound the length to comfortably fit in an int. Lengths in this + * module often switch between int and long without overflow checks. */ + CBS_len(&body) > INT_MAX / 2) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); + return 0x80; } - *pp = p; - return (ret | inf); - err: - OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); - return (0x80); -} -static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, - long max) -{ - const unsigned char *p = *pp; - unsigned long ret = 0; - unsigned long i; + /* Convert between tag representations. 
*/ + int tag_class = (tag & CBS_ASN1_CLASS_MASK) >> CBS_ASN1_TAG_SHIFT; + int constructed = (tag & CBS_ASN1_CONSTRUCTED) >> CBS_ASN1_TAG_SHIFT; + int tag_number = tag & CBS_ASN1_TAG_NUMBER_MASK; - if (max-- < 1) - return 0; - if (*p == 0x80) { - *inf = 1; - ret = 0; - p++; - } else { - *inf = 0; - i = *p & 0x7f; - if (*(p++) & 0x80) { - if (i > sizeof(ret) || max < (long)i) - return 0; - while (i-- > 0) { - ret <<= 8L; - ret |= *(p++); - } - } else - ret = i; + /* To avoid ambiguity with V_ASN1_NEG, impose a limit on universal tags. */ + if (tag_class == V_ASN1_UNIVERSAL && tag_number > V_ASN1_MAX_UNIVERSAL) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); + return 0x80; } - /* - * Bound the length to comfortably fit in an int. Lengths in this module - * often switch between int and long without overflow checks. - */ - if (ret > INT_MAX / 2) - return 0; - *pp = p; - *rl = (long)ret; - return 1; + + *inp = CBS_data(&body); + *out_len = CBS_len(&body); + *out_tag = tag_number; + *out_class = tag_class; + return constructed; } /* 
@@ -406,17 +344,44 @@ void ASN1_STRING_free(ASN1_STRING *str) int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b) { - int i; + /* Capture padding bits and implicit truncation in BIT STRINGs. */ + int a_length = a->length, b_length = b->length; + uint8_t a_padding = 0, b_padding = 0; + if (a->type == V_ASN1_BIT_STRING) { + a_length = asn1_bit_string_length(a, &a_padding); + } + if (b->type == V_ASN1_BIT_STRING) { + b_length = asn1_bit_string_length(b, &b_padding); + } - i = (a->length - b->length); - if (i == 0) { - i = OPENSSL_memcmp(a->data, b->data, a->length); - if (i == 0) - return (a->type - b->type); - else - return (i); - } else - return (i); + if (a_length < b_length) { + return -1; + } + if (a_length > b_length) { + return 1; + } + /* In a BIT STRING, the number of bits is 8 * length - padding. Invert this + * comparison so we compare by lengths. */ + if (a_padding > b_padding) { + return -1; + } + if (a_padding < b_padding) { + return 1; + } + + int ret = OPENSSL_memcmp(a->data, b->data, a_length); + if (ret != 0) { + return ret; + } + + /* Comparing the type first is more natural, but this matches OpenSSL. */ + if (a->type < b->type) { + return -1; + } + if (a->type > b->type) { + return 1; + } + return 0; } int ASN1_STRING_length(const ASN1_STRING *str) diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/asn_pack.c b/Sources/CJWTKitBoringSSL/crypto/asn1/asn_pack.c index 96977108..bc3a5f03 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/asn_pack.c +++ b/Sources/CJWTKitBoringSSL/crypto/asn1/asn_pack.c 
@@ -59,47 +59,43 @@
 #include
 #include
-/* ASN1_ITEM versions of the above */
-ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
+ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **out)
 {
- ASN1_STRING *octmp;
+ uint8_t *new_data = NULL;
+ int len = ASN1_item_i2d(obj, &new_data, it);
+ if (len <= 0) {
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_ENCODE_ERROR);
+ return NULL;
+ }
- if (!oct || !*oct) {
- if (!(octmp = ASN1_STRING_new())) {
+ ASN1_STRING *ret = NULL;
+ if (out == NULL || *out == NULL) {
+ ret = ASN1_STRING_new();
+ if (ret == NULL) {
 OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
+ OPENSSL_free(new_data);
 return NULL;
 }
- if (oct)
- *oct = octmp;
- } else
- octmp = *oct;
-
- if (octmp->data) {
- OPENSSL_free(octmp->data);
- octmp->data = NULL;
+ } else {
+ ret = *out;
 }
- if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
- OPENSSL_PUT_ERROR(ASN1, ASN1_R_ENCODE_ERROR);
- return NULL;
+ ASN1_STRING_set0(ret, new_data, len);
+ if (out != NULL) {
+ *out = ret;
 }
- if (!octmp->data) {
- OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
- return octmp;
+ return ret;
 }
-/* Extract an ASN1 object from an ASN1_STRING */
-
 void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it)
 {
- const unsigned char *p;
- void *ret;
-
- p = oct->data;
- if (!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
+ const unsigned char *p = oct->data;
+ void *ret = ASN1_item_d2i(NULL, &p, oct->length, it);
+ if (ret == NULL || p != oct->data + oct->length) {
 OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR);
+ ASN1_item_free(ret, it);
+ return NULL;
+ }
 return ret;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/f_enum.c b/Sources/CJWTKitBoringSSL/crypto/asn1/f_enum.c
deleted file mode 100644
index d8230582..00000000
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/f_enum.c
+++ /dev/null
@@ -1,93 +0,0 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. 
If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] */ - -#include - -#include - -/* Based on a_int.c: equivalent ENUMERATED functions */ - -int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a) -{ - int i, n = 0; - static const char *h = "0123456789ABCDEF"; - char buf[2]; - - if (a == NULL) - return (0); - - if (a->length == 0) { - if (BIO_write(bp, "00", 2) != 2) - goto err; - n = 2; - } else { - for (i = 0; i < a->length; i++) { - if ((i != 0) && (i % 35 == 0)) { - if (BIO_write(bp, "\\\n", 2) != 2) - goto err; - n += 2; - } - buf[0] = h[((unsigned char)a->data[i] >> 4) & 0x0f]; - buf[1] = h[((unsigned char)a->data[i]) & 0x0f]; - if (BIO_write(bp, buf, 2) != 2) - goto err; - n += 2; - } - } - return (n); - err: - return (-1); -} 
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/f_int.c b/Sources/CJWTKitBoringSSL/crypto/asn1/f_int.c
index c49c2a35..7f86ad70 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/f_int.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/f_int.c
@@ -95,3 +95,8 @@ int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a)
 err:
 return (-1);
 }
+
+int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a)
+{
+ return i2a_ASN1_INTEGER(bp, a);
+}
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h b/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h
index 2b6d1535..07030f58 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/internal.h
@@ -62,6 +62,7 @@
 #include
 #include
+#include
 #if defined(__cplusplus)
 extern "C" {
@@ -106,6 +107,25 @@ struct asn1_object_st {
 int flags; /* Should we free this one */
 };
+ASN1_OBJECT *ASN1_OBJECT_new(void);
+
+// ASN1_ENCODING structure: this is used to save the received
+// encoding of an ASN1 type. This is useful to get round
+// problems with invalid encodings which can break signatures.
+typedef struct ASN1_ENCODING_st {
+ unsigned char *enc; // DER encoding
+ long len; // Length of encoding
+ int modified; // set to 1 if 'enc' is invalid
+ // alias_only is zero if |enc| owns the buffer that it points to
+ // (although |enc| may still be NULL). If one, |enc| points into a
+ // buffer that is owned elsewhere.
+ unsigned alias_only : 1;
+ // alias_only_on_next_parse is one iff the next parsing operation
+ // should avoid taking a copy of the input and rather set
+ // |alias_only|.
+ unsigned alias_only_on_next_parse : 1;
+} ASN1_ENCODING;
+
 int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
 int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
@@ -123,15 +143,31 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); +/* ASN1_item_ex_i2d encodes |*pval| as a value of type |it| to |out| under the + * i2d output convention. It returns a non-zero length on success and -1 on + * error. If |tag| is -1. the tag and class come from |it|. Otherwise, the tag + * number is |tag| and the class is |aclass|. This is used for implicit tagging. + * This function treats a missing value as an error, not an optional field. */ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); + void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it); +/* asn1_get_choice_selector returns the CHOICE selector value for |*pval|, which + * must of type |it|. */ int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it); + int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it); +/* asn1_get_field_ptr returns a pointer to the field in |*pval| corresponding to + * |tt|. */ ASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); +/* asn1_do_adb returns the |ASN1_TEMPLATE| for the ANY DEFINED BY field |tt|, + * based on the selector INTEGER or OID in |*pval|. If |tt| is not an ADB field, + * it returns |tt|. If the selector does not match any value, it returns NULL. + * If |nullerr| is non-zero, it will additionally push an error to the error + * queue when there is no match. */ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr); 
@@ -140,8 +176,13 @@ int asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it); + +/* asn1_enc_restore, if |*pval| has a saved encoding, writes it to |out| under + * the i2d output convention, sets |*len| to the length, and returns one. If it + * has no saved encoding, it returns zero. */ int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it); + int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, const ASN1_ITEM *it); @@ -150,6 +191,31 @@ int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, * a pointer. */ const void *asn1_type_value_as_pointer(const ASN1_TYPE *a); +/* asn1_is_printable returns one if |value| is a valid Unicode codepoint for an + * ASN.1 PrintableString, and zero otherwise. */ +int asn1_is_printable(uint32_t value); + +/* asn1_bit_string_length returns the number of bytes in |str| and sets + * |*out_padding_bits| to the number of padding bits. + * + * This function should be used instead of |ASN1_STRING_length| to correctly + * handle the non-|ASN1_STRING_FLAG_BITS_LEFT| case. */ +int asn1_bit_string_length(const ASN1_BIT_STRING *str, + uint8_t *out_padding_bits); + +typedef struct { + int nid; + long minsize; + long maxsize; + unsigned long mask; + unsigned long flags; +} ASN1_STRING_TABLE; + +/* asn1_get_string_table_for_testing sets |*out_ptr| and |*out_len| to the table + * of built-in |ASN1_STRING_TABLE| values. It is exported for testing. */ +OPENSSL_EXPORT void asn1_get_string_table_for_testing( + const ASN1_STRING_TABLE **out_ptr, size_t *out_len); + #if defined(__cplusplus) } /* extern C */ diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c index 9e3eb870..a24c657c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_dec.c @@ -60,7 +60,6 @@ #include #include -#include #include #include @@ -75,34 +74,27 @@ */ #define ASN1_MAX_CONSTRUCTED_NEST 30 -static int asn1_check_eoc(const unsigned char **in, long len); -static int asn1_find_end(const unsigned char **in, long len, char inf); - -static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass, int depth); - -static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); - static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, - char *inf, char *cst, - const unsigned char **in, long len, - int exptag, int expclass, char opt, ASN1_TLC *ctx); + char *cst, const unsigned char **in, long len, + int exptag, int expclass, char opt); static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx, int depth); + int depth); static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx, int depth); + int depth); static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, - int utype, char *free_cont, const ASN1_ITEM *it); + int utype, const ASN1_ITEM *it); static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, - int tag, int aclass, char opt, - ASN1_TLC *ctx); + int tag, int aclass, char opt); +static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, + long len, const ASN1_ITEM *it, int tag, int aclass, + char opt, int depth); /* Table to convert tags to bit values, used for MSTRING type */ static const unsigned long tag2bit[32] = { 
@@ -134,10 +126,6 @@ unsigned long ASN1_tag2bit(int tag) /* Macro to initialize and invalidate the cache */ -#define asn1_tlc_clear(c) if (c) (c)->valid = 0 -/* Version to avoid compiler warning about 'c' always non-NULL */ -#define asn1_tlc_clear_nc(c) (c)->valid = 0 - /* * Decode an ASN1 item, this currently behaves just like a standard 'd2i' * function. 'in' points to a buffer to read the data from, in future we @@ -149,12 +137,11 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it) { - ASN1_TLC c; ASN1_VALUE *ptmpval = NULL; if (!pval) pval = &ptmpval; - asn1_tlc_clear_nc(&c); - if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) + + if (asn1_item_ex_d2i(pval, in, len, it, -1, 0, 0, 0) > 0) return *pval; return NULL; } @@ -166,15 +153,13 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, - char opt, ASN1_TLC *ctx, int depth) + char opt, int depth) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_EXTERN_FUNCS *ef; - const ASN1_AUX *aux = it->funcs; - ASN1_aux_cb *asn1_cb; const unsigned char *p = NULL, *q; unsigned char oclass; - char seq_eoc, seq_nolen, cst, isopt; + char cst, isopt; int i; int otag; int ret = 0; @@ -183,10 +168,6 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; - if (aux && aux->asn1_cb) - asn1_cb = aux->asn1_cb; - else - asn1_cb = 0; /* * Bound |len| to comfortably fit in an int. Lengths in this module often @@ -216,10 +197,10 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, goto err; } return asn1_template_ex_d2i(pval, in, len, - it->templates, opt, ctx, depth); + it->templates, opt, depth); } return asn1_d2i_ex_primitive(pval, in, len, it, - tag, aclass, opt, ctx); + tag, aclass, opt); break; case ASN1_ITYPE_MSTRING: 
@@ -234,8 +215,8 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, p = *in; /* Just read in tag and class */ - ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, - &p, len, -1, 0, 1, ctx); + ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, + &p, len, -1, 0, 1); if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); goto err; @@ -257,14 +238,14 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, OPENSSL_PUT_ERROR(ASN1, ASN1_R_MSTRING_WRONG_TAG); goto err; } - return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0, ctx); + return asn1_d2i_ex_primitive(pval, in, len, it, otag, 0, 0); case ASN1_ITYPE_EXTERN: /* Use new style d2i */ ef = it->funcs; - return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx); + return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, NULL); - case ASN1_ITYPE_CHOICE: + case ASN1_ITYPE_CHOICE: { /* * It never makes sense for CHOICE types to have implicit tagging, so if * tag != -1, then this looks like an error in the template. @@ -274,6 +255,8 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, goto err; } + const ASN1_AUX *aux = it->funcs; + ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL; if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; @@ -297,7 +280,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, /* * We mark field as OPTIONAL so its absence can be recognised. */ - ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, depth); + ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, depth); /* If field not present, try the next one */ if (ret == -1) continue; @@ -327,8 +310,9 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, goto auxerr; *in = p; return 1; + } - case ASN1_ITYPE_SEQUENCE: + case ASN1_ITYPE_SEQUENCE: { p = *in; /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ 
@@ -337,15 +321,13 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, aclass = V_ASN1_UNIVERSAL; } /* Get SEQUENCE length and update len, p */ - ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, - &p, len, tag, aclass, opt, ctx); + ret = asn1_check_tlen(&len, NULL, NULL, &cst, + &p, len, tag, aclass, opt); if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); goto err; } else if (ret == -1) return -1; - /* If indefinite we don't do a length check */ - seq_nolen = seq_eoc; if (!cst) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_NOT_CONSTRUCTED); goto err; @@ -356,6 +338,8 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, goto err; } + const ASN1_AUX *aux = it->funcs; + ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL; if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) goto auxerr; @@ -384,16 +368,6 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, if (!len) break; q = p; - if (asn1_check_eoc(&p, len)) { - if (!seq_eoc) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); - goto err; - } - len -= p - q; - seq_eoc = 0; - q = p; - break; - } /* * This determines the OPTIONAL flag value. The field cannot be * omitted if it is the last of a SEQUENCE and there is still @@ -408,8 +382,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, * attempt to read in field, allowing each to be OPTIONAL */ - ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, ctx, - depth); + ret = asn1_template_ex_d2i(pseqval, &p, len, seqtt, isopt, depth); if (!ret) { errtt = seqtt; goto err; 
@@ -424,13 +397,8 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, len -= p - q; } - /* Check for EOC if expecting one */ - if (seq_eoc && !asn1_check_eoc(&p, len)) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); - goto err; - } /* Check all data read */ - if (!seq_nolen && len) { + if (len) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_SEQUENCE_LENGTH_MISMATCH); goto err; } @@ -462,6 +430,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, goto auxerr; *in = p; return 1; + } default: return 0; @@ -483,7 +452,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) { - return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); + return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, 0); } /* @@ -494,13 +463,12 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, static int asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx, int depth) + int depth) { int flags, aclass; int ret; long len; const unsigned char *p, *q; - char exp_eoc; if (!val) return 0; flags = tt->flags; @@ -515,8 +483,8 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, * Need to work out amount of data available to the inner content and * where it starts: so read in EXPLICIT header to get the info. */ - ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, - &p, inlen, tt->tag, aclass, opt, ctx); + ret = asn1_check_tlen(&len, NULL, NULL, &cst, + &p, inlen, tt->tag, aclass, opt); q = p; if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); 
@@ -528,30 +496,20 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, return 0; } /* We've found the field so it can't be OPTIONAL now */ - ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); + ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, depth); if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); return 0; } /* We read the field in OK so update length */ len -= p - q; - if (exp_eoc) { - /* If NDEF we must have an EOC here */ - if (!asn1_check_eoc(&p, len)) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); - goto err; - } - } else { - /* - * Otherwise we must hit the EXPLICIT tag end or its an error - */ - if (len) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH); - goto err; - } + /* Check for trailing data. */ + if (len) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_EXPLICIT_LENGTH_MISMATCH); + goto err; } } else - return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, depth); + return asn1_template_noexp_d2i(val, in, inlen, tt, opt, depth); *in = p; return 1; @@ -564,7 +522,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_TEMPLATE *tt, char opt, - ASN1_TLC *ctx, int depth) + int depth) { int flags, aclass; int ret; @@ -579,7 +537,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, if (flags & ASN1_TFLG_SK_MASK) { /* SET OF, SEQUENCE OF */ int sktag, skaclass; - char sk_eoc; /* First work out expected inner tag value */ if (flags & ASN1_TFLG_IMPTAG) { sktag = tt->tag; @@ -592,8 +549,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, sktag = V_ASN1_SEQUENCE; } /* Get the tag */ - ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, - &p, len, sktag, skaclass, opt, ctx); + ret = asn1_check_tlen(&len, NULL, NULL, NULL, + &p, len, sktag, skaclass, opt); if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); return 0; 
@@ -622,19 +579,9 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, while (len > 0) { ASN1_VALUE *skfield; const unsigned char *q = p; - /* See if EOC found */ - if (asn1_check_eoc(&p, len)) { - if (!sk_eoc) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); - goto err; - } - len -= p - q; - sk_eoc = 0; - break; - } skfield = NULL; if (!asn1_item_ex_d2i(&skfield, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, 0, ctx, depth)) { + -1, 0, 0, depth)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); goto err; } @@ -645,14 +592,10 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, goto err; } } - if (sk_eoc) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); - goto err; - } } else if (flags & ASN1_TFLG_IMPTAG) { /* IMPLICIT tagging */ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), tt->tag, - aclass, opt, ctx, depth); + aclass, opt, depth); if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); goto err; @@ -661,7 +604,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, } else { /* Nothing special */ ret = asn1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, + -1, tt->flags & ASN1_TFLG_COMBINE, opt, depth); if (!ret) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); @@ -681,13 +624,12 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen, const ASN1_ITEM *it, - int tag, int aclass, char opt, ASN1_TLC *ctx) + int tag, int aclass, char opt) { int ret = 0, utype; long plen; - char cst, inf, free_cont = 0; + char cst; const unsigned char *p; - BUF_MEM buf = {0, NULL, 0 }; const unsigned char *cont = NULL; long len; if (!pval) { 
@@ -713,8 +655,8 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 return 0;
 }
 p = *in;
- ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL,
- &p, inlen, -1, 0, 0, ctx);
+ ret = asn1_check_tlen(NULL, &utype, &oclass, NULL,
+ &p, inlen, -1, 0, 0);
 if (!ret) {
 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 return 0;
@@ -728,8 +670,8 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 }
 p = *in;
 /* Check header */
- ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst,
- &p, inlen, tag, aclass, opt, ctx);
+ ret = asn1_check_tlen(&plen, NULL, NULL, &cst,
+ &p, inlen, tag, aclass, opt);
 if (!ret) {
 OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR);
 return 0;
@@ -739,57 +681,21 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, /* SEQUENCE, SET and "OTHER" are left in encoded form */ if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) { - /* - * Clear context cache for type OTHER because the auto clear when we - * have a exact match wont work - */ - if (utype == V_ASN1_OTHER) { - asn1_tlc_clear(ctx); - } /* SEQUENCE and SET must be constructed */ - else if (!cst) { + if (utype != V_ASN1_OTHER && !cst) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_CONSTRUCTED); return 0; } cont = *in; - /* If indefinite length constructed find the real end */ - if (inf) { - if (!asn1_find_end(&p, plen, inf)) - goto err; - len = p - cont; - } else { - len = p - cont + plen; - p += plen; - } + len = p - cont + plen; + p += plen; } else if (cst) { - if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN - || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER - || utype == V_ASN1_ENUMERATED) { - /* These types only have primitive encodings. */ - OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE); - return 0; - } - - /* Free any returned 'buf' content */ - free_cont = 1; - /* - * Should really check the internal tags are correct but some things - * may get this wrong. The relevant specs say that constructed string - * types should be OCTET STRINGs internally irrespective of the type. - * So instead just check for UNIVERSAL class and ignore the tag. - */ - if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { - goto err; - } - len = buf.length; - /* Append a final null to string */ - if (!BUF_MEM_grow_clean(&buf, len + 1)) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - goto err; - } - buf.data[len] = 0; - cont = (const unsigned char *)buf.data; + /* This parser historically supported BER constructed strings. We no + * longer do and will gradually tighten this parser into a DER + * parser. BER types should use |CBS_asn1_ber_to_der|. 
*/ + OPENSSL_PUT_ERROR(ASN1, ASN1_R_TYPE_NOT_PRIMITIVE); + return 0; } else { cont = p; len = plen; @@ -797,22 +703,19 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, } /* We now have content length and type: translate into a structure */ - /* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */ - if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it)) + if (!asn1_ex_c2i(pval, cont, len, utype, it)) goto err; *in = p; ret = 1; err: - if (free_cont && buf.data) - OPENSSL_free(buf.data); return ret; } /* Translate ASN1 content octets into a structure */ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, - int utype, char *free_cont, const ASN1_ITEM *it) + int utype, const ASN1_ITEM *it) { ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; @@ -916,20 +819,11 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, stmp = (ASN1_STRING *)*pval; stmp->type = utype; } - /* If we've already allocated a buffer use it */ - if (*free_cont) { - if (stmp->data) - OPENSSL_free(stmp->data); - stmp->data = (unsigned char *)cont; /* UGLY CAST! RL */ - stmp->length = len; - *free_cont = 0; - } else { - if (!ASN1_STRING_set(stmp, cont, len)) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - ASN1_STRING_free(stmp); - *pval = NULL; - goto err; - } + if (!ASN1_STRING_set(stmp, cont, len)) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(stmp); + *pval = NULL; + goto err; } break; } 
@@ -948,208 +842,23 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, } /* - * This function finds the end of an ASN1 structure when passed its maximum - * length, whether it is indefinite length and a pointer to the content. This - * is more efficient than calling asn1_collect because it does not recurse on - * each indefinite length header. - */ - -static int asn1_find_end(const unsigned char **in, long len, char inf) -{ - int expected_eoc; - long plen; - const unsigned char *p = *in, *q; - /* If not indefinite length constructed just add length */ - if (inf == 0) { - *in += len; - return 1; - } - expected_eoc = 1; - /* - * Indefinite length constructed form. Find the end when enough EOCs are - * found. If more indefinite length constructed headers are encountered - * increment the expected eoc count otherwise just skip to the end of the - * data. - */ - while (len > 0) { - if (asn1_check_eoc(&p, len)) { - expected_eoc--; - if (expected_eoc == 0) - break; - len -= 2; - continue; - } - q = p; - /* Just read in a header: only care about the length */ - if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, - -1, 0, 0, NULL)) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); - return 0; - } - if (inf) - expected_eoc++; - else - p += plen; - len -= p - q; - } - if (expected_eoc) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); - return 0; - } - *in = p; - return 1; -} - -/* - * This function collects the asn1 data from a constructred string type into - * a buffer. The values of 'in' and 'len' should refer to the contents of the - * constructed type and 'inf' should be set if it is indefinite length. - */ - -/* - * This determines how many levels of recursion are permitted in ASN1 string - * types. If it is not limited stack overflows can occur. If set to zero no - * recursion is allowed at all. Although zero should be adequate examples - * exist that require a value of 1. So 5 should be more than enough. 
- */ -#define ASN1_MAX_STRING_NEST 5 - -static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass, int depth) -{ - const unsigned char *p, *q; - long plen; - char cst, ininf; - p = *in; - inf &= 1; - /* - * If no buffer and not indefinite length constructed just pass over the - * encoded data - */ - if (!buf && !inf) { - *in += len; - return 1; - } - while (len > 0) { - q = p; - /* Check for EOC */ - if (asn1_check_eoc(&p, len)) { - /* - * EOC is illegal outside indefinite length constructed form - */ - if (!inf) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_UNEXPECTED_EOC); - return 0; - } - inf = 0; - break; - } - - if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, - len, tag, aclass, 0, NULL)) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_ERROR); - return 0; - } - - /* If indefinite length constructed update max length */ - if (cst) { - if (depth >= ASN1_MAX_STRING_NEST) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_NESTED_ASN1_STRING); - return 0; - } - if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, depth + 1)) - return 0; - } else if (plen && !collect_data(buf, &p, plen)) - return 0; - len -= p - q; - } - if (inf) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_EOC); - return 0; - } - *in = p; - return 1; -} - -static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen) -{ - int len; - if (buf) { - len = buf->length; - if (!BUF_MEM_grow_clean(buf, len + plen)) { - OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); - return 0; - } - OPENSSL_memcpy(buf->data + len, *p, plen); - } - *p += plen; - return 1; -} - -/* Check for ASN1 EOC and swallow it if found */ - -static int asn1_check_eoc(const unsigned char **in, long len) -{ - const unsigned char *p; - if (len < 2) - return 0; - p = *in; - if (!p[0] && !p[1]) { - *in += 2; - return 1; - } - return 0; -} - -/* - * Check an ASN1 tag and length: a bit like ASN1_get_object but it sets the - * length for indefinite length constructed form, we don't know the exact - * 
length but we can set an upper bound to the amount of data available minus - * the header length just read. + * Check an ASN1 tag and length: a bit like ASN1_get_object but it + * checks the expected tag. */ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, - char *inf, char *cst, - const unsigned char **in, long len, - int exptag, int expclass, char opt, ASN1_TLC *ctx) + char *cst, const unsigned char **in, long len, + int exptag, int expclass, char opt) { int i; int ptag, pclass; long plen; - const unsigned char *p, *q; + const unsigned char *p; p = *in; - q = p; - - if (ctx && ctx->valid) { - i = ctx->ret; - plen = ctx->plen; - pclass = ctx->pclass; - ptag = ctx->ptag; - p += ctx->hdrlen; - } else { - i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); - if (ctx) { - ctx->ret = i; - ctx->plen = plen; - ctx->pclass = pclass; - ctx->ptag = ptag; - ctx->hdrlen = p - q; - ctx->valid = 1; - /* - * If definite length, and no error, length + header can't exceed - * total amount of data available. - */ - if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) { - OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); - asn1_tlc_clear(ctx); - return 0; - } - } - } + i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); if (i & 0x80) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_OBJECT_HEADER); - asn1_tlc_clear(ctx); return 0; } if (exptag >= 0) { @@ -1159,23 +868,11 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, */ if (opt) return -1; - asn1_tlc_clear(ctx); OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TAG); return 0; } - /* - * We have a tag and class match: assume we are going to do something - * with it - */ - asn1_tlc_clear(ctx); } - if (i & 1) - plen = len - (p - q); - - if (inf) - *inf = i & 1; - if (cst) *cst = i & V_ASN1_CONSTRUCTED; diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c index 82e6e73b..d7ee5bd8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c 
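Review bot: The rewritten asn1_check_tlen no longer verifies that the parsed length fits in the remaining input: the old `if (!(i & 0x81) && ((plen + ctx->hdrlen) > len))` → ASN1_R_TOO_LONG check is gone, and the @@ -1159 hunk also drops the `if (i & 1) plen = len - (p - q);` bound for indefinite-length headers, so `*olen` is now whatever ASN1_get_object reports. Callers then trust that value: asn1_d2i_ex_primitive does `p += plen` and asn1_item_ex_d2i walks the SEQUENCE body with the returned `len`. This is only safe if ASN1_get_object (asn1_lib.c, touched by this commit but outside this hunk) itself rejects indefinite-length encodings and lengths that exceed `len`; confirm that, and record the reliance in the header comment, e.g. `* Relies on ASN1_get_object rejecting indefinite-length encodings and lengths that exceed |len|, so |*olen| always lies within the input.`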
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_enc.c
@@ -56,6 +56,7 @@
 #include
+#include
 #include
 #include
@@ -66,53 +67,47 @@ #include "internal.h" +static int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out, + const ASN1_ITEM *it, int tag, int aclass, + int optional); static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, - const ASN1_ITEM *it, int tag, int aclass); -static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, - const ASN1_ITEM *it); + const ASN1_ITEM *it, int tag, int aclass, + int optional); +static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cont, int *out_omit, + int *putype, const ASN1_ITEM *it); static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, - int skcontlen, const ASN1_ITEM *item, - int do_sort, int iclass); + int skcontlen, const ASN1_ITEM *item, int do_sort); static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int aclass); -static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, - const ASN1_ITEM *it, int flags); /* * Top level i2d equivalents */ int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it) -{ - return asn1_item_flags_i2d(val, out, it, 0); -} - -/* - * Encode an ASN1 item, this is use by the standard 'i2d' function. 'out' - * points to a buffer to output the data to. The new i2d has one additional - * feature. If the output buffer is NULL (i.e. *out == NULL) then a buffer is - * allocated and populated with the encoding. 
- */ - -static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, - const ASN1_ITEM *it, int flags) { if (out && !*out) { unsigned char *p, *buf; - int len; - len = ASN1_item_ex_i2d(&val, NULL, it, -1, flags); - if (len <= 0) + int len = ASN1_item_ex_i2d(&val, NULL, it, /*tag=*/-1, /*aclass=*/0); + if (len <= 0) { return len; + } buf = OPENSSL_malloc(len); - if (!buf) + if (!buf) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); return -1; + } p = buf; - ASN1_item_ex_i2d(&val, &p, it, -1, flags); + int len2 = ASN1_item_ex_i2d(&val, &p, it, /*tag=*/-1, /*aclass=*/0); + if (len2 <= 0) { + return len2; + } + assert(len == len2); *out = buf; return len; } - return ASN1_item_ex_i2d(&val, out, it, -1, flags); + return ASN1_item_ex_i2d(&val, out, it, /*tag=*/-1, /*aclass=*/0); } /* 
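Review bot: `buf` leaks when the second encoding pass fails: after `buf = OPENSSL_malloc(len)` the new `if (len2 <= 0) { return len2; }` returns without releasing it, and `*out` was never assigned so the caller cannot free it either. Add `OPENSSL_free(buf);` before that `return len2;`. The first pass succeeded with the same arguments, so the path should be rare, but it is reachable on any failure inside a nested encoder during the second pass.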
@@ -122,27 +117,48 @@ static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) +{ + int ret = asn1_item_ex_i2d_opt(pval, out, it, tag, aclass, /*optional=*/0); + assert(ret != 0); + return ret; +} + +/* asn1_item_ex_i2d_opt behaves like |ASN1_item_ex_i2d| but, if |optional| is + * non-zero and |*pval| is omitted, it returns zero and writes no bytes. */ +int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out, + const ASN1_ITEM *it, int tag, int aclass, + int optional) { const ASN1_TEMPLATE *tt = NULL; int i, seqcontlen, seqlen; - const ASN1_EXTERN_FUNCS *ef; - const ASN1_AUX *aux = it->funcs; - ASN1_aux_cb *asn1_cb = 0; - if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) - return 0; + /* Historically, |aclass| was repurposed to pass additional flags into the + * encoding process. */ + assert((aclass & ASN1_TFLG_TAG_CLASS) == aclass); + /* If not overridding the tag, |aclass| is ignored and should be zero. */ + assert(tag != -1 || aclass == 0); - if (aux && aux->asn1_cb) - asn1_cb = aux->asn1_cb; + /* All fields are pointers, except for boolean |ASN1_ITYPE_PRIMITIVE|s. + * Optional primitives are handled later. */ + if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) { + if (optional) { + return 0; + } + OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE); + return -1; + } switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: - if (it->templates) - return asn1_template_ex_i2d(pval, out, it->templates, - tag, aclass); - return asn1_i2d_ex_primitive(pval, out, it, tag, aclass); - break; + if (it->templates) { + if (it->templates->flags & ASN1_TFLG_OPTIONAL) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); + return -1; + } + return asn1_template_ex_i2d(pval, out, it->templates, tag, aclass); + } + return asn1_i2d_ex_primitive(pval, out, it, tag, aclass, optional); case ASN1_ITYPE_MSTRING: /* 
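Review bot: asn1_item_ex_i2d_opt is forward-declared `static` at the top of the file but defined here as `int asn1_item_ex_i2d_opt(...)` without `static`; C gives the definition internal linkage from the prior declaration, but the mismatch reads as an accidental export and some compilers warn on it, so the definition should be `static int asn1_item_ex_i2d_opt(...)`. The new precondition checks on `aclass` are `assert`s only, so in NDEBUG builds a caller passing stray flag bits is silently accepted rather than rejected; the function comment should state that callers must pass a bare tag class. The comment typo `overridding` (here, and again in asn1_template_ex_i2d) should read `overriding`.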
@@ -153,9 +169,9 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); return -1; } - return asn1_i2d_ex_primitive(pval, out, it, -1, aclass); + return asn1_i2d_ex_primitive(pval, out, it, -1, 0, optional); - case ASN1_ITYPE_CHOICE: + case ASN1_ITYPE_CHOICE: { /* * It never makes sense for CHOICE types to have implicit tagging, so if * tag != -1, then this looks like an error in the template. 
@@ -164,31 +180,39 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); return -1; } - if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) - return 0; i = asn1_get_choice_selector(pval, it); - if ((i >= 0) && (i < it->tcount)) { - ASN1_VALUE **pchval; - const ASN1_TEMPLATE *chtt; - chtt = it->templates + i; - pchval = asn1_get_field_ptr(pval, chtt); - return asn1_template_ex_i2d(pchval, out, chtt, -1, aclass); - } - /* Fixme: error condition if selector out of range */ - if (asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it, NULL)) - return 0; - break; + if (i < 0 || i >= it->tcount) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_NO_MATCHING_CHOICE_TYPE); + return -1; + } + const ASN1_TEMPLATE *chtt = it->templates + i; + if (chtt->flags & ASN1_TFLG_OPTIONAL) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); + return -1; + } + ASN1_VALUE **pchval = asn1_get_field_ptr(pval, chtt); + return asn1_template_ex_i2d(pchval, out, chtt, -1, 0); + } - case ASN1_ITYPE_EXTERN: + case ASN1_ITYPE_EXTERN: { /* If new style i2d it does all the work */ - ef = it->funcs; - return ef->asn1_ex_i2d(pval, out, it, tag, aclass); + const ASN1_EXTERN_FUNCS *ef = it->funcs; + int ret = ef->asn1_ex_i2d(pval, out, it, tag, aclass); + if (ret == 0) { + /* |asn1_ex_i2d| should never return zero. We have already checked + * for optional values generically, and |ASN1_ITYPE_EXTERN| fields + * must be pointers. */ + OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR); + return -1; + } + return ret; + } - case ASN1_ITYPE_SEQUENCE: + case ASN1_ITYPE_SEQUENCE: { i = asn1_enc_restore(&seqcontlen, out, pval, it); /* An error occurred */ if (i < 0) - return 0; + return -1; /* We have a valid cached encoding... */ if (i > 0) return seqcontlen; 
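Review bot: The CHOICE case no longer invokes the `ASN1_OP_I2D_PRE`/`ASN1_OP_I2D_POST` aux callbacks that the removed lines called, and the SEQUENCE case in the following hunk drops the same calls; any `ASN1_AUX.asn1_cb` in this tree that adjusts a value before encoding would now be skipped silently. The decoder in tasn_dec.c still calls `ASN1_OP_D2I_PRE`, so the asymmetry is presumably intended, but it is a behaviour change worth a comment near the switch, e.g. `/* I2D_PRE/I2D_POST aux callbacks are not invoked; encoding must not depend on them. */`. I cannot see the templates' callbacks from this diff, so this is flagged for confirmation rather than asserted as a defect.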
@@ -197,12 +221,8 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ if (tag == -1) { tag = V_ASN1_SEQUENCE; - /* Retain any other flags in aclass */ - aclass = (aclass & ~ASN1_TFLG_TAG_CLASS) - | V_ASN1_UNIVERSAL; + aclass = V_ASN1_UNIVERSAL; } - if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL)) - return 0; /* First work out sequence content length */ for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; @@ -210,9 +230,9 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, int tmplen; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) - return 0; + return -1; pseqval = asn1_get_field_ptr(pval, seqtt); - tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass); + tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, 0); if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen)) return -1; seqcontlen += tmplen; 
@@ -228,40 +248,49 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, ASN1_VALUE **pseqval; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) - return 0; + return -1; pseqval = asn1_get_field_ptr(pval, seqtt); - /* FIXME: check for errors in enhanced version */ - asn1_template_ex_i2d(pseqval, out, seqtt, -1, aclass); + if (asn1_template_ex_i2d(pseqval, out, seqtt, -1, 0) < 0) { + return -1; + } } - if (asn1_cb && !asn1_cb(ASN1_OP_I2D_POST, pval, it, NULL)) - return 0; return seqlen; + } default: - return 0; - + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); + return -1; } - return 0; } +/* asn1_template_ex_i2d behaves like |asn1_item_ex_i2d_opt| but uses an + * |ASN1_TEMPLATE| instead of an |ASN1_ITEM|. An |ASN1_TEMPLATE| wraps an + * |ASN1_ITEM| with modifiers such as tagging, SEQUENCE or SET, etc. Instead of + * taking an |optional| parameter, it uses the |ASN1_TFLG_OPTIONAL| flag. */ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass) { int i, ret, flags, ttag, tclass; size_t j; flags = tt->flags; + + /* Historically, |iclass| was repurposed to pass additional flags into the + * encoding process. */ + assert((iclass & ASN1_TFLG_TAG_CLASS) == iclass); + /* If not overridding the tag, |iclass| is ignored and should be zero. */ + assert(tag != -1 || iclass == 0); + /* * Work out tag and class to use: tagging may come either from the * template or the arguments, not both because this would create - * ambiguity. Additionally the iclass argument may contain some - * additional flags which should be noted and passed down to other - * levels. + * ambiguity. */ if (flags & ASN1_TFLG_TAG_MASK) { /* Error if argument and template tagging */ - if (tag != -1) - /* FIXME: error code here */ + if (tag != -1) { + OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); return -1; + } /* Get tagging from template */ ttag = tt->tag; tclass = flags & ASN1_TFLG_TAG_CLASS; 
@@ -273,14 +302,12 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, ttag = -1; tclass = 0; } - /* - * Remove any class mask from iflag. - */ - iclass &= ~ASN1_TFLG_TAG_CLASS; + + const int optional = (flags & ASN1_TFLG_OPTIONAL) != 0; /* - * At this point 'ttag' contains the outer tag to use, 'tclass' is the - * class and iclass is any flags passed to this function. + * At this point 'ttag' contains the outer tag to use, and 'tclass' is the + * class. */ if (flags & ASN1_TFLG_SK_MASK) { @@ -290,8 +317,13 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, int skcontlen, sklen; ASN1_VALUE *skitem; - if (!*pval) - return 0; + if (!*pval) { + if (optional) { + return 0; + } + OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE); + return -1; + } if (flags & ASN1_TFLG_SET_OF) { isset = 1; @@ -323,7 +355,7 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, int tmplen; skitem = sk_ASN1_VALUE_value(sk, j); tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), - -1, iclass); + -1, 0); if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) return -1; skcontlen += tmplen; 
@@ -347,30 +379,36 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, /* SET or SEQUENCE and IMPLICIT tag */ ASN1_put_object(out, /*constructed=*/1, skcontlen, sktag, skaclass); /* And the stuff itself */ - asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), - isset, iclass); + if (!asn1_set_seq_out(sk, out, skcontlen, ASN1_ITEM_ptr(tt->item), + isset)) { + return -1; + } return ret; } if (flags & ASN1_TFLG_EXPTAG) { /* EXPLICIT tagging */ /* Find length of tagged item */ - i = ASN1_item_ex_i2d(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, iclass); - if (!i) - return 0; + i = asn1_item_ex_i2d_opt(pval, NULL, ASN1_ITEM_ptr(tt->item), -1, 0, + optional); + if (i <= 0) + return i; /* Find length of EXPLICIT tag */ ret = ASN1_object_size(/*constructed=*/1, i, ttag); if (out && ret != -1) { /* Output tag and item */ ASN1_put_object(out, /*constructed=*/1, i, ttag, tclass); - ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass); + if (ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, + 0) < 0) { + return -1; + } } return ret; } - /* Either normal or IMPLICIT tagging: combine class and flags */ - return ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), - ttag, tclass | iclass); + /* Either normal or IMPLICIT tagging */ + return asn1_item_ex_i2d_opt(pval, out, ASN1_ITEM_ptr(tt->item), + ttag, tclass, optional); } 
@@ -392,93 +430,96 @@ static int der_cmp(const void *a, const void *b) return d1->length - d2->length; } -/* Output the content octets of SET OF or SEQUENCE OF */ - +/* asn1_set_seq_out writes |sk| to |out| under the i2d output convention, + * excluding the tag and length. It returns one on success and zero on error. + * |skcontlen| must be the total encoded size. If |do_sort| is non-zero, the + * elements are sorted for a SET OF type. Each element of |sk| has type + * |item|. */ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, - int skcontlen, const ASN1_ITEM *item, - int do_sort, int iclass) + int skcontlen, const ASN1_ITEM *item, int do_sort) { - size_t i; - ASN1_VALUE *skitem; - unsigned char *tmpdat = NULL, *p = NULL; - DER_ENC *derlst = NULL, *tder; - if (do_sort) { - /* Don't need to sort less than 2 items */ - if (sk_ASN1_VALUE_num(sk) < 2) - do_sort = 0; - else { - derlst = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) - * sizeof(*derlst)); - if (!derlst) - return 0; - tmpdat = OPENSSL_malloc(skcontlen); - if (!tmpdat) { - OPENSSL_free(derlst); + /* No need to sort if there are fewer than two items. 
*/ + if (!do_sort || sk_ASN1_VALUE_num(sk) < 2) { + for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) { + ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i); + if (ASN1_item_ex_i2d(&skitem, out, item, -1, 0) < 0) { return 0; } } - } - /* If not sorting just output each item */ - if (!do_sort) { - for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { - skitem = sk_ASN1_VALUE_value(sk, i); - ASN1_item_ex_i2d(&skitem, out, item, -1, iclass); - } return 1; } - p = tmpdat; - /* Doing sort: build up a list of each member's DER encoding */ - for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) { - skitem = sk_ASN1_VALUE_value(sk, i); - tder->data = p; - tder->length = ASN1_item_ex_i2d(&skitem, &p, item, -1, iclass); + if (sk_ASN1_VALUE_num(sk) > ((size_t)-1) / sizeof(DER_ENC)) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW); + return 0; + } + + int ret = 0; + unsigned char *const buf = OPENSSL_malloc(skcontlen); + DER_ENC *encoded = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*encoded)); + if (encoded == NULL || buf == NULL) { + OPENSSL_PUT_ERROR(ASN1, ERR_R_MALLOC_FAILURE); + goto err; } - /* Now sort them */ - qsort(derlst, sk_ASN1_VALUE_num(sk), sizeof(*derlst), der_cmp); - /* Output sorted DER encoding */ + /* Encode all the elements into |buf| and populate |encoded|. */ + unsigned char *p = buf; + for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) { + ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i); + encoded[i].data = p; + encoded[i].length = ASN1_item_ex_i2d(&skitem, &p, item, -1, 0); + if (encoded[i].length < 0) { + goto err; + } + assert(p - buf <= skcontlen); + } + + qsort(encoded, sk_ASN1_VALUE_num(sk), sizeof(*encoded), der_cmp); + + /* Output the elements in sorted order. 
*/ p = *out; - for (i = 0, tder = derlst; i < sk_ASN1_VALUE_num(sk); i++, tder++) { - OPENSSL_memcpy(p, tder->data, tder->length); - p += tder->length; + for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) { + OPENSSL_memcpy(p, encoded[i].data, encoded[i].length); + p += encoded[i].length; } *out = p; - OPENSSL_free(derlst); - OPENSSL_free(tmpdat); - return 1; + + ret = 1; + +err: + OPENSSL_free(encoded); + OPENSSL_free(buf); + return ret; } +/* asn1_i2d_ex_primitive behaves like |ASN1_item_ex_i2d| but |item| must be a + * a PRIMITIVE or MSTRING type that is not an |ASN1_ITEM_TEMPLATE|. */ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, - const ASN1_ITEM *it, int tag, int aclass) + const ASN1_ITEM *it, int tag, int aclass, + int optional) { - int len; - int utype; - int usetag; - - utype = it->utype; - - /* - * Get length of content octets and maybe find out the underlying type. - */ - - len = asn1_ex_i2c(pval, NULL, &utype, it); + /* Get length of content octets and maybe find out the underlying type. */ + int omit; + int utype = it->utype; + int len = asn1_ex_i2c(pval, NULL, &omit, &utype, it); + if (len < 0) { + return -1; + } + if (omit) { + if (optional) { + return 0; + } + OPENSSL_PUT_ERROR(ASN1, ASN1_R_MISSING_VALUE); + return -1; + } /* * If SEQUENCE, SET or OTHER then header is included in pseudo content * octets so don't include tag+length. We need to check here because the * call to asn1_ex_i2c() could change utype. */ - if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || - (utype == V_ASN1_OTHER)) - usetag = 0; - else - usetag = 1; - - /* -1 means omit type */ - - if (len == -1) - return 0; + int usetag = utype != V_ASN1_SEQUENCE && utype != V_ASN1_SET && + utype != V_ASN1_OTHER; /* If not implicitly tagged get tag from underlying type */ if (tag == -1) 
@@ -486,21 +527,42 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
 /* Output tag+length followed by content octets */
 if (out) {
- if (usetag)
+ if (usetag) {
 ASN1_put_object(out, /*constructed=*/0, len, tag, aclass);
- asn1_ex_i2c(pval, *out, &utype, it);
+ }
+ int len2 = asn1_ex_i2c(pval, *out, &omit, &utype, it);
+ if (len2 < 0) {
+ return -1;
+ }
+ assert(len == len2);
+ assert(!omit);
 *out += len;
 }
- if (usetag)
+ if (usetag) {
 return ASN1_object_size(/*constructed=*/0, len, tag);
+ }
 return len;
 }
-/* Produce content octets from a structure */
-
-static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
- const ASN1_ITEM *it)
+/* asn1_ex_i2c writes the |*pval| to |cout| under the i2d output convention,
+ * excluding the tag and length. It returns the number of bytes written,
+ * possibly zero, on success or -1 on error. If |*pval| should be omitted, it
+ * returns zero and sets |*out_omit| to true.
+ *
+ * If |it| is an MSTRING or ANY type, it gets the underlying type from |*pval|,
+ * which must be an |ASN1_STRING| or |ASN1_TYPE|, respectively. It then updates
+ * |*putype| with the tag number of type used, or |V_ASN1_OTHER| if it was not a
+ * universal type. If |*putype| is set to |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or
+ * |V_ASN1_OTHER|, it additionally outputs the tag and length, so the caller
+ * must not do so.
+ *
+ * Otherwise, |*putype| must contain |it->utype|.
+ *
+ * WARNING: Unlike most functions in this file, |asn1_ex_i2c| can return zero
+ * without omitting the element. ASN.1 values may have empty contents. */
+static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit,
+ int *putype, const ASN1_ITEM *it)
 {
 ASN1_BOOLEAN *tbool = NULL;
 ASN1_STRING *strtmp;
@@ -514,17 +576,26 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
 * |ASN1_PRIMITIVE_FUNCS| table of callbacks. */
 assert(it->funcs == NULL);
+ *out_omit = 0;
+
 /* Should type be omitted? */
 if ((it->itype != ASN1_ITYPE_PRIMITIVE) || (it->utype != V_ASN1_BOOLEAN)) {
- if (!*pval)
- return -1;
+ if (!*pval) {
+ *out_omit = 1;
+ return 0;
+ }
 }
 if (it->itype == ASN1_ITYPE_MSTRING) {
 /* If MSTRING type set the underlying type */
 strtmp = (ASN1_STRING *)*pval;
 utype = strtmp->type;
+ if (utype < 0 && utype != V_ASN1_OTHER) {
+ /* MSTRINGs can have type -1 when default-constructed. */
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);
+ return -1;
+ }
 /* Negative INTEGER and ENUMERATED values use |ASN1_STRING| type values
 * that do not match their corresponding utype values. INTEGERs cannot
 * participate in MSTRING types, but ENUMERATEDs can.
@@ -545,6 +616,11 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
 ASN1_TYPE *typ;
 typ = (ASN1_TYPE *)*pval;
 utype = typ->type;
+ if (utype < 0 && utype != V_ASN1_OTHER) {
+ /* |ASN1_TYPE|s can have type -1 when default-constructed. */
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE);
+ return -1;
+ }
 *putype = utype;
 pval = &typ->value.asn1_value;
 } else
@@ -555,8 +631,11 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
 otmp = (ASN1_OBJECT *)*pval;
 cont = otmp->data;
 len = otmp->length;
- if (cont == NULL || len == 0)
+ if (len == 0) {
+ /* Some |ASN1_OBJECT|s do not have OIDs and cannot be serialized. */
+ OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT);
 return -1;
+ }
 break;
 case V_ASN1_NULL:
@@ -566,34 +645,39 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
 case V_ASN1_BOOLEAN:
 tbool = (ASN1_BOOLEAN *)pval;
- if (*tbool == -1)
- return -1;
+ if (*tbool == -1) {
+ *out_omit = 1;
+ return 0;
+ }
 if (it->utype != V_ASN1_ANY) {
 /*
 * Default handling if value == size field then omit
 */
- if (*tbool && (it->size > 0))
- return -1;
- if (!*tbool && !it->size)
- return -1;
+ if ((*tbool && (it->size > 0)) ||
+ (!*tbool && !it->size)) {
+ *out_omit = 1;
+ return 0;
+ }
 }
 c = *tbool ? 0xff : 0x00;
 cont = &c;
 len = 1;
 break;
- case V_ASN1_BIT_STRING:
- return i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval,
- cout ? &cout : NULL);
- break;
+ case V_ASN1_BIT_STRING: {
+ int ret = i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval,
+ cout ? &cout : NULL);
+ /* |i2c_ASN1_BIT_STRING| returns zero on error instead of -1. */
+ return ret <= 0 ? -1 : ret;
+ }
 case V_ASN1_INTEGER:
- case V_ASN1_ENUMERATED:
- /*
- * These are all have the same content format as ASN1_INTEGER
- */
- return i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
- break;
+ case V_ASN1_ENUMERATED: {
+ /* |i2c_ASN1_INTEGER| also handles ENUMERATED. */
+ int ret = i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : NULL);
+ /* |i2c_ASN1_INTEGER| returns zero on error instead of -1. */
+ return ret <= 0 ? -1 : ret;
+ }
 case V_ASN1_OCTET_STRING:
 case V_ASN1_NUMERICSTRING:
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_fre.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_fre.c
index ebe23df8..ee081436 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_fre.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_fre.c
@@ -79,17 +79,11 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 {
 const ASN1_TEMPLATE *tt = NULL, *seqtt;
 const ASN1_EXTERN_FUNCS *ef;
- const ASN1_AUX *aux = it->funcs;
- ASN1_aux_cb *asn1_cb;
 int i;
 if (!pval)
 return;
 if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval)
 return;
- if (aux && aux->asn1_cb)
- asn1_cb = aux->asn1_cb;
- else
- asn1_cb = 0;
 switch (it->itype) {
@@ -104,7 +98,9 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 ASN1_primitive_free(pval, it);
 break;
- case ASN1_ITYPE_CHOICE:
+ case ASN1_ITYPE_CHOICE: {
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
 if (asn1_cb) {
 i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
 if (i == 2)
@@ -124,6 +120,7 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 *pval = NULL;
 }
 break;
+ }
 case ASN1_ITYPE_EXTERN:
 ef = it->funcs;
@@ -131,9 +128,11 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 ef->asn1_ex_free(pval, it);
 break;
- case ASN1_ITYPE_SEQUENCE:
+ case ASN1_ITYPE_SEQUENCE: {
 if (!asn1_refcount_dec_and_test_zero(pval, it))
 return;
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
 if (asn1_cb) {
 i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
 if (i == 2)
@@ -162,6 +161,7 @@ void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 }
 break;
 }
+ }
 }
 void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt)
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c
index 788398b5..688c6a98 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_new.c
@@ -95,14 +95,8 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 {
 const ASN1_TEMPLATE *tt = NULL;
 const ASN1_EXTERN_FUNCS *ef;
- const ASN1_AUX *aux = it->funcs;
- ASN1_aux_cb *asn1_cb;
 ASN1_VALUE **pseqval;
 int i;
- if (aux && aux->asn1_cb)
- asn1_cb = aux->asn1_cb;
- else
- asn1_cb = 0;
 switch (it->itype) {
@@ -127,7 +121,9 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 goto memerr;
 break;
- case ASN1_ITYPE_CHOICE:
+ case ASN1_ITYPE_CHOICE: {
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
 if (asn1_cb) {
 i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
 if (!i)
@@ -146,8 +142,11 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL))
 goto auxerr2;
 break;
+ }
- case ASN1_ITYPE_SEQUENCE:
+ case ASN1_ITYPE_SEQUENCE: {
+ const ASN1_AUX *aux = it->funcs;
+ ASN1_aux_cb *asn1_cb = aux != NULL ? aux->asn1_cb : NULL;
 if (asn1_cb) {
 i = asn1_cb(ASN1_OP_NEW_PRE, pval, it, NULL);
 if (!i)
@@ -173,6 +172,7 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 goto auxerr2;
 break;
 }
+ }
 return 1;
 memerr2:
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_typ.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_typ.c
index 346e5dc8..2cab7b19 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_typ.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_typ.c
@@ -62,7 +62,7 @@
 #define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \
 IMPLEMENT_ASN1_TYPE(sname) \
- IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(sname, sname, sname) \
+ IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(sname, sname, sname) \
 sname *sname##_new(void) \
 { \
 return ASN1_STRING_type_new(V_##sname); \
@@ -88,7 +88,7 @@ IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_UNIVERSALSTRING)
 IMPLEMENT_ASN1_STRING_FUNCTIONS(ASN1_BMPSTRING)
 IMPLEMENT_ASN1_TYPE(ASN1_NULL)
-IMPLEMENT_ASN1_FUNCTIONS(ASN1_NULL)
+IMPLEMENT_ASN1_FUNCTIONS_const(ASN1_NULL)
 IMPLEMENT_ASN1_TYPE(ASN1_OBJECT)
@@ -97,18 +97,20 @@ IMPLEMENT_ASN1_TYPE(ASN1_ANY)
 /* Just swallow an ASN1_SEQUENCE in an ASN1_STRING */
 IMPLEMENT_ASN1_TYPE(ASN1_SEQUENCE)
-IMPLEMENT_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
+IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
 /* Multistring types */
 IMPLEMENT_ASN1_MSTRING(ASN1_PRINTABLE, B_ASN1_PRINTABLE)
-IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE)
+IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, ASN1_PRINTABLE,
+ ASN1_PRINTABLE)
 IMPLEMENT_ASN1_MSTRING(DISPLAYTEXT, B_ASN1_DISPLAYTEXT)
-IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT)
+IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, DISPLAYTEXT, DISPLAYTEXT)
 IMPLEMENT_ASN1_MSTRING(DIRECTORYSTRING, B_ASN1_DIRECTORYSTRING)
-IMPLEMENT_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING)
+IMPLEMENT_ASN1_FUNCTIONS_const_fname(ASN1_STRING, DIRECTORYSTRING,
+ DIRECTORYSTRING)
 /* Three separate BOOLEAN type: normal, DEFAULT TRUE and DEFAULT FALSE */
 IMPLEMENT_ASN1_TYPE_ex(ASN1_BOOLEAN, ASN1_BOOLEAN, -1)
diff --git a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_utl.c b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_utl.c
index 31c598b9..5699253b 100644
--- a/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_utl.c
+++ b/Sources/CJWTKitBoringSSL/crypto/asn1/tasn_utl.c
@@ -118,6 +118,7 @@ int asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it) {
 }
 static ASN1_ENCODING *asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it) {
+ assert(it->itype == ASN1_ITYPE_SEQUENCE);
 const ASN1_AUX *aux;
 if (!pval || !*pval) {
 return NULL;
@@ -222,7 +223,6 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
 int nullerr) {
 const ASN1_ADB *adb;
 const ASN1_ADB_TABLE *atbl;
- long selector;
 ASN1_VALUE **sfld;
 int i;
 if (!(tt->flags & ASN1_TFLG_ADB_MASK)) {
@@ -243,14 +243,11 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt,
 return adb->null_tt;
 }
- /* Convert type to a long:
+ /* Convert type to a NID:
 * NB: don't check for NID_undef here because it
 * might be a legitimate value in the table */
- if (tt->flags & ASN1_TFLG_ADB_OID) {
- selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
- } else {
- selector = ASN1_INTEGER_get((ASN1_INTEGER *)*sfld);
- }
+ assert(tt->flags & ASN1_TFLG_ADB_OID);
+ int selector = OBJ_obj2nid((ASN1_OBJECT *)*sfld);
 /* Try to find matching entry in table Maybe should check application types
 * first to allow application override? Might also be useful to have a flag
diff --git a/Sources/CJWTKitBoringSSL/crypto/base64/base64.c b/Sources/CJWTKitBoringSSL/crypto/base64/base64.c
index 3285529d..940c8c00 100644
--- a/Sources/CJWTKitBoringSSL/crypto/base64/base64.c
+++ b/Sources/CJWTKitBoringSSL/crypto/base64/base64.c
@@ -122,6 +122,19 @@ int EVP_EncodedLength(size_t *out_len, size_t len) {
 return 1;
 }
+EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) {
+ EVP_ENCODE_CTX *ret = OPENSSL_malloc(sizeof(EVP_ENCODE_CTX));
+ if (ret == NULL) {
+ return NULL;
+ }
+ OPENSSL_memset(ret, 0, sizeof(EVP_ENCODE_CTX));
+ return ret;
+}
+
+void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) {
+ OPENSSL_free(ctx);
+}
+
 void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) {
 OPENSSL_memset(ctx, 0, sizeof(EVP_ENCODE_CTX));
 }
@@ -265,14 +278,17 @@ static uint8_t base64_ascii_to_bin(uint8_t a) {
 const uint8_t is_slash = constant_time_eq_8(a, '/');
 const uint8_t is_equals = constant_time_eq_8(a, '=');
- uint8_t ret = 0xff; // 0xff signals invalid.
- ret = constant_time_select_8(is_upper, a - 'A', ret); // [0,26)
- ret = constant_time_select_8(is_lower, a - 'a' + 26, ret); // [26,52)
- ret = constant_time_select_8(is_digit, a - '0' + 52, ret); // [52,62)
- ret = constant_time_select_8(is_plus, 62, ret);
- ret = constant_time_select_8(is_slash, 63, ret);
- // Padding maps to zero, to be further handled by the caller.
- ret = constant_time_select_8(is_equals, 0, ret);
+ uint8_t ret = 0;
+ ret |= is_upper & (a - 'A'); // [0,26)
+ ret |= is_lower & (a - 'a' + 26); // [26,52)
+ ret |= is_digit & (a - '0' + 52); // [52,62)
+ ret |= is_plus & 62;
+ ret |= is_slash & 63;
+ // Invalid inputs, 'A', and '=' have all been mapped to zero. Map invalid
+ // inputs to 0xff. Note '=' is padding and handled separately by the caller.
+ const uint8_t is_valid =
+ is_upper | is_lower | is_digit | is_plus | is_slash | is_equals;
+ ret |= ~is_valid;
 return ret;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/file.c b/Sources/CJWTKitBoringSSL/crypto/bio/file.c
index 6e22c33e..e01a1cf8 100644
--- a/Sources/CJWTKitBoringSSL/crypto/bio/file.c
+++ b/Sources/CJWTKitBoringSSL/crypto/bio/file.c
@@ -308,4 +308,10 @@ int BIO_rw_filename(BIO *bio, const char *filename) {
 BIO_CLOSE | BIO_FP_READ | BIO_FP_WRITE, (char *)filename);
 }
+long BIO_tell(BIO *bio) { return BIO_ctrl(bio, BIO_C_FILE_TELL, 0, NULL); }
+
+long BIO_seek(BIO *bio, long offset) {
+ return BIO_ctrl(bio, BIO_C_FILE_SEEK, offset, NULL);
+}
+
 #endif // OPENSSL_TRUSTY
diff --git a/Sources/CJWTKitBoringSSL/crypto/bio/printf.c b/Sources/CJWTKitBoringSSL/crypto/bio/printf.c
index 63c72bba..ca5b0dbf 100644
--- a/Sources/CJWTKitBoringSSL/crypto/bio/printf.c
+++ b/Sources/CJWTKitBoringSSL/crypto/bio/printf.c
@@ -71,18 +71,6 @@ int BIO_printf(BIO *bio, const char *format, ...) {
 va_start(args, format);
 out_len = vsnprintf(buf, sizeof(buf), format, args);
 va_end(args);
-
-#if defined(OPENSSL_WINDOWS)
- // On Windows, vsnprintf returns -1 rather than the requested length on
- // truncation
- if (out_len < 0) {
- va_start(args, format);
- out_len = _vscprintf(format, args);
- va_end(args);
- assert(out_len >= (int)sizeof(buf));
- }
-#endif
-
 if (out_len < 0) {
 return -1;
 }
diff --git a/Sources/CJWTKitBoringSSL/crypto/blake2/blake2.c b/Sources/CJWTKitBoringSSL/crypto/blake2/blake2.c
index aca97f20..e945e639 100644
--- a/Sources/CJWTKitBoringSSL/crypto/blake2/blake2.c
+++ b/Sources/CJWTKitBoringSSL/crypto/blake2/blake2.c
@@ -42,19 +42,17 @@ static const uint8_t kSigma[10 * 16] = {
 // clang-format on
 };
-#define RIGHT_ROTATE(v, n) (((v) >> (n)) | ((v) << (64 - (n))))
-
 // https://tools.ietf.org/html/rfc7693#section-3.1
 static void blake2b_mix(uint64_t v[16], int a, int b, int c, int d, uint64_t x,
 uint64_t y) {
 v[a] = v[a] + v[b] + x;
- v[d] = RIGHT_ROTATE(v[d] ^ v[a], 32);
+ v[d] = CRYPTO_rotr_u64(v[d] ^ v[a], 32);
 v[c] = v[c] + v[d];
- v[b] = RIGHT_ROTATE(v[b] ^ v[c], 24);
+ v[b] = CRYPTO_rotr_u64(v[b] ^ v[c], 24);
 v[a] = v[a] + v[b] + y;
- v[d] = RIGHT_ROTATE(v[d] ^ v[a], 16);
+ v[d] = CRYPTO_rotr_u64(v[d] ^ v[a], 16);
 v[c] = v[c] + v[d];
- v[b] = RIGHT_ROTATE(v[b] ^ v[c], 63);
+ v[b] = CRYPTO_rotr_u64(v[b] ^ v[c], 63);
 }
 static void blake2b_transform(
diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c
index d79e216a..761dac1c 100644
--- a/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c
+++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/ber.c
@@ -29,8 +29,10 @@ static const unsigned kMaxDepth = 2048;
 // is_string_type returns one if |tag| is a string type and zero otherwise. It
 // ignores the constructed bit.
 static int is_string_type(unsigned tag) {
+ // While BER supports constructed BIT STRINGS, OpenSSL misparses them. To
+ // avoid acting on an ambiguous input, we do not support constructed BIT
+ // STRINGS. See https://github.com/openssl/openssl/issues/12810.
 switch (tag & ~CBS_ASN1_CONSTRUCTED) {
- case CBS_ASN1_BITSTRING:
 case CBS_ASN1_OCTETSTRING:
 case CBS_ASN1_UTF8STRING:
 case CBS_ASN1_NUMERICSTRING:
@@ -67,9 +69,9 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, unsigned depth) {
 CBS contents;
 unsigned tag;
 size_t header_len;
-
+ int indefinite;
 if (!CBS_get_any_ber_asn1_element(&in, &contents, &tag, &header_len,
- ber_found)) {
+ ber_found, &indefinite)) {
 return 0;
 }
 if (*ber_found) {
@@ -91,11 +93,14 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, unsigned depth) {
 return 1;
 }
-// is_eoc returns true if |header_len| and |contents|, as returned by
-// |CBS_get_any_ber_asn1_element|, indicate an "end of contents" (EOC) value.
-static char is_eoc(size_t header_len, CBS *contents) {
- return header_len == 2 && CBS_len(contents) == 2 &&
- OPENSSL_memcmp(CBS_data(contents), "\x00\x00", 2) == 0;
+// cbs_get_eoc returns one if |cbs| begins with an "end of contents" (EOC) value
+// and zero otherwise. If an EOC was found, it advances |cbs| past it.
+static int cbs_get_eoc(CBS *cbs) {
+ if (CBS_len(cbs) >= 2 &&
+ CBS_data(cbs)[0] == 0 && CBS_data(cbs)[1] == 0) {
+ return CBS_skip(cbs, 2);
+ }
+ return 0;
 }
 // cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If
@@ -114,21 +119,20 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
 }
 while (CBS_len(in) > 0) {
+ if (looking_for_eoc && cbs_get_eoc(in)) {
+ return 1;
+ }
+
 CBS contents;
 unsigned tag, child_string_tag = string_tag;
 size_t header_len;
- int ber_found;
+ int indefinite;
 CBB *out_contents, out_contents_storage;
-
 if (!CBS_get_any_ber_asn1_element(in, &contents, &tag, &header_len,
- &ber_found)) {
+ /*out_ber_found=*/NULL, &indefinite)) {
 return 0;
 }
- if (is_eoc(header_len, &contents)) {
- return looking_for_eoc;
- }
-
 if (string_tag != 0) {
 // This is part of a constructed string. All elements must match
 // |string_tag| up to the constructed bit and get appended to |out|
@@ -151,11 +155,9 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
 out_contents = &out_contents_storage;
 }
- if (CBS_len(&contents) == header_len && header_len > 0 &&
- CBS_data(&contents)[header_len - 1] == 0x80) {
- // This is an indefinite length element.
+ if (indefinite) {
 if (!cbs_convert_ber(in, out_contents, child_string_tag,
- 1 /* looking for eoc */, depth + 1) ||
+ /*looking_for_eoc=*/1, depth + 1) ||
 !CBB_flush(out)) {
 return 0;
 }
@@ -169,7 +171,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, unsigned string_tag,
 if (tag & CBS_ASN1_CONSTRUCTED) {
 // Recurse into children.
 if (!cbs_convert_ber(&contents, out_contents, child_string_tag,
- 0 /* not looking for eoc */, depth + 1)) {
+ /*looking_for_eoc=*/0, depth + 1)) {
 return 0;
 }
 } else {
diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c
index ab131def..821013c2 100644
--- a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c
+++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbb.c
@@ -404,6 +404,15 @@ int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len) {
 return 1;
 }
+int CBB_add_zeros(CBB *cbb, size_t len) {
+ uint8_t *out;
+ if (!CBB_add_space(cbb, &out, len)) {
+ return 0;
+ }
+ OPENSSL_memset(out, 0, len);
+ return 1;
+}
+
 int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len) {
 if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, out_data, len)) {
diff --git a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c
index 027abe8f..8b646f7c 100644
--- a/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c
+++ b/Sources/CJWTKitBoringSSL/crypto/bytestring/cbs.c
@@ -216,6 +216,14 @@ int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out) {
 return cbs_get_length_prefixed(cbs, out, 3);
 }
+int CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c) {
+ const uint8_t *split = OPENSSL_memchr(CBS_data(cbs), c, CBS_len(cbs));
+ if (split == NULL) {
+ return 0;
+ }
+ return CBS_get_bytes(cbs, out, split - CBS_data(cbs));
+}
+
 // parse_base128_integer reads a big-endian base-128 integer from |cbs| and sets
 // |*out| to the result. This is the encoding used in DER for both high tag
 // number form and OID components.
@@ -271,13 +279,20 @@ static int parse_asn1_tag(CBS *cbs, unsigned *out) {
 tag |= tag_number;
+ // Tag [UNIVERSAL 0] is reserved for use by the encoding. Reject it here to
+ // avoid some ambiguity around ANY values and BER indefinite-length EOCs. See
+ // https://crbug.com/boringssl/455.
+ if ((tag & ~CBS_ASN1_CONSTRUCTED) == 0) {
+ return 0;
+ }
+
 *out = tag;
 return 1;
 }
 static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag,
 size_t *out_header_len, int *out_ber_found,
- int ber_ok) {
+ int *out_indefinite, int ber_ok) {
 CBS header = *cbs;
 CBS throwaway;
@@ -286,6 +301,10 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, } if (ber_ok) { *out_ber_found = 0; + *out_indefinite = 0; + } else { + assert(out_ber_found == NULL); + assert(out_indefinite == NULL); } unsigned tag; @@ -325,6 +344,7 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, *out_header_len = header_len; } *out_ber_found = 1; + *out_indefinite = 1; return CBS_get_bytes(cbs, out, header_len); } @@ -387,16 +407,18 @@ int CBS_get_any_asn1(CBS *cbs, CBS *out, unsigned *out_tag) { int CBS_get_any_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, size_t *out_header_len) { - return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len, - NULL, 0 /* DER only */); + return cbs_get_any_asn1_element(cbs, out, out_tag, out_header_len, NULL, NULL, + /*ber_ok=*/0); } int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, - size_t *out_header_len, int *out_ber_found) { + size_t *out_header_len, int *out_ber_found, + int *out_indefinite) { int ber_found_temp; return cbs_get_any_asn1_element( cbs, out, out_tag, out_header_len, - out_ber_found ? out_ber_found : &ber_found_temp, 1 /* BER allowed */); + out_ber_found ? out_ber_found : &ber_found_temp, out_indefinite, + /*ber_ok=*/1); } static int cbs_get_asn1(CBS *cbs, CBS *out, unsigned tag_value, diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.ios.aarch64.S index 1b5986d8..dc4eba73 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.ios.aarch64.S @@ -67,7 +67,7 @@ Lshort: ldp x24,x25,[x3] // load key ldp x26,x27,[x3,#16] ldp x28,x30,[x4] // load counter -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x24,x24,#32 ror x25,x25,#32 ror x26,x26,#32 
@@ -228,7 +228,7 @@ Loop: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -285,7 +285,7 @@ Less_than_64: add x15,x15,x16,lsl#32 add x17,x17,x19,lsl#32 add x20,x20,x21,lsl#32 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -351,7 +351,7 @@ ChaCha20_neon: ldp x28,x30,[x4] // load counter ld1 {v27.4s},[x4] ld1 {v31.4s},[x5] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev64 v24.4s,v24.4s ror x24,x24,#32 ror x25,x25,#32 @@ -649,7 +649,7 @@ Loop_neon: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -729,7 +729,7 @@ Ltail_neon: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -847,7 +847,7 @@ L512_or_more_neon: ldp x28,x30,[x4] // load counter ld1 {v27.4s},[x4] ld1 {v31.4s},[x5] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev64 v24.4s,v24.4s ror x24,x24,#32 ror x25,x25,#32 @@ -1360,7 +1360,7 @@ Loop_upper_neon: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -1874,7 +1874,7 @@ Loop_lower_neon: add x1,x1,#64 add v21.4s,v21.4s,v25.4s -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.linux.aarch64.S index d960166a..463bc76f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-armv8.linux.aarch64.S @@ -68,7 +68,7 @@ ChaCha20_ctr32: ldp x24,x25,[x3] // load key ldp x26,x27,[x3,#16] ldp x28,x30,[x4] // load counter -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x24,x24,#32 ror x25,x25,#32 ror x26,x26,#32 
@@ -229,7 +229,7 @@ ChaCha20_ctr32: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -286,7 +286,7 @@ ChaCha20_ctr32: add x15,x15,x16,lsl#32 add x17,x17,x19,lsl#32 add x20,x20,x21,lsl#32 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -352,7 +352,7 @@ ChaCha20_neon: ldp x28,x30,[x4] // load counter ld1 {v27.4s},[x4] ld1 {v31.4s},[x5] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev64 v24.4s,v24.4s ror x24,x24,#32 ror x25,x25,#32 @@ -650,7 +650,7 @@ ChaCha20_neon: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -730,7 +730,7 @@ ChaCha20_neon: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -848,7 +848,7 @@ ChaCha20_512_neon: ldp x28,x30,[x4] // load counter ld1 {v27.4s},[x4] ld1 {v31.4s},[x5] -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev64 v24.4s,v24.4s ror x24,x24,#32 ror x25,x25,#32 @@ -1361,7 +1361,7 @@ ChaCha20_512_neon: add x20,x20,x21,lsl#32 ldp x19,x21,[x1,#48] add x1,x1,#64 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 @@ -1875,7 +1875,7 @@ ChaCha20_512_neon: add x1,x1,#64 add v21.4s,v21.4s,v25.4s -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ rev x5,x5 rev x7,x7 rev x9,x9 diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.linux.x86.S index e5425d08..9a2a349a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.linux.x86.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.windows.x86.S index a07eb5cd..45236662 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.linux.x86_64.S index a0c91b57..b6c2aba5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.mac.x86_64.S index 0e2bcf00..5b0b3c9c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c index fb6b4826..54359688 100644 --- a/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c +++ b/Sources/CJWTKitBoringSSL/crypto/chacha/chacha.c 
@@ -19,28 +19,24 @@
 #include
 #include
-#include
-
 #include "../internal.h"
 #include "internal.h"
-#define U8TO32_LITTLE(p) \
- (((uint32_t)((p)[0])) | ((uint32_t)((p)[1]) << 8) | \
- ((uint32_t)((p)[2]) << 16) | ((uint32_t)((p)[3]) << 24))
-
 // sigma contains the ChaCha constants, which happen to be an ASCII string.
 static const uint8_t sigma[16] = { 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3',
 '2', '-', 'b', 'y', 't', 'e', ' ', 'k' };
-#define ROTATE(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
-
 // QUARTERROUND updates a, b, c, d with a ChaCha "quarter" round.
-#define QUARTERROUND(a, b, c, d) \
- x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 16); \
- x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 12); \
- x[a] += x[b]; x[d] = ROTATE(x[d] ^ x[a], 8); \
- x[c] += x[d]; x[b] = ROTATE(x[b] ^ x[c], 7);
+#define QUARTERROUND(a, b, c, d) \
+ x[a] += x[b]; \
+ x[d] = CRYPTO_rotl_u32(x[d] ^ x[a], 16); \
+ x[c] += x[d]; \
+ x[b] = CRYPTO_rotl_u32(x[b] ^ x[c], 12); \
+ x[a] += x[b]; \
+ x[d] = CRYPTO_rotl_u32(x[d] ^ x[a], 8); \
+ x[c] += x[d]; \
+ x[b] = CRYPTO_rotl_u32(x[b] ^ x[c], 7);
 void CRYPTO_hchacha20(uint8_t out[32], const uint8_t key[32],
 const uint8_t nonce[16]) {
@@ -71,24 +67,25 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
 uint32_t counter) {
 assert(!buffers_alias(out, in_len, in, in_len) || in == out);
- uint32_t counter_nonce[4]; counter_nonce[0] = counter;
- counter_nonce[1] = U8TO32_LITTLE(nonce + 0);
- counter_nonce[2] = U8TO32_LITTLE(nonce + 4);
- counter_nonce[3] = U8TO32_LITTLE(nonce + 8);
+ uint32_t counter_nonce[4];
+ counter_nonce[0] = counter;
+ counter_nonce[1] = CRYPTO_load_u32_le(nonce + 0);
+ counter_nonce[2] = CRYPTO_load_u32_le(nonce + 4);
+ counter_nonce[3] = CRYPTO_load_u32_le(nonce + 8);
 const uint32_t *key_ptr = (const uint32_t *)key;
 #if !defined(OPENSSL_X86) && !defined(OPENSSL_X86_64)
 // The assembly expects the key to be four-byte aligned.
 uint32_t key_u32[8];
 if ((((uintptr_t)key) & 3) != 0) {
- key_u32[0] = U8TO32_LITTLE(key + 0);
- key_u32[1] = U8TO32_LITTLE(key + 4);
- key_u32[2] = U8TO32_LITTLE(key + 8);
- key_u32[3] = U8TO32_LITTLE(key + 12);
- key_u32[4] = U8TO32_LITTLE(key + 16);
- key_u32[5] = U8TO32_LITTLE(key + 20);
- key_u32[6] = U8TO32_LITTLE(key + 24);
- key_u32[7] = U8TO32_LITTLE(key + 28);
+ key_u32[0] = CRYPTO_load_u32_le(key + 0);
+ key_u32[1] = CRYPTO_load_u32_le(key + 4);
+ key_u32[2] = CRYPTO_load_u32_le(key + 8);
+ key_u32[3] = CRYPTO_load_u32_le(key + 12);
+ key_u32[4] = CRYPTO_load_u32_le(key + 16);
+ key_u32[5] = CRYPTO_load_u32_le(key + 20);
+ key_u32[6] = CRYPTO_load_u32_le(key + 24);
+ key_u32[7] = CRYPTO_load_u32_le(key + 28);
 key_ptr = key_u32;
 }
@@ -99,14 +96,6 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len,
 #else
-#define U32TO8_LITTLE(p, v) \
- { \
- (p)[0] = (v >> 0) & 0xff; \
- (p)[1] = (v >> 8) & 0xff; \
- (p)[2] = (v >> 16) & 0xff; \
- (p)[3] = (v >> 24) & 0xff; \
- }
-
 // chacha_core performs 20 rounds of ChaCha on the input words in
 // |input| and writes the 64 output bytes to |output|.
 static void chacha_core(uint8_t output[64], const uint32_t input[16]) {
@@ -129,7 +118,7 @@ static void chacha_core(uint8_t output[64], const uint32_t input[16]) { x[i] += input[i]; } for (i = 0; i < 16; ++i) { - U32TO8_LITTLE(output + 4 * i, x[i]); + CRYPTO_store_u32_le(output + 4 * i, x[i]); } } @@ -142,25 +131,25 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len, uint8_t buf[64]; size_t todo, i; - input[0] = U8TO32_LITTLE(sigma + 0); - input[1] = U8TO32_LITTLE(sigma + 4); - input[2] = U8TO32_LITTLE(sigma + 8); - input[3] = U8TO32_LITTLE(sigma + 12); + input[0] = CRYPTO_load_u32_le(sigma + 0); + input[1] = CRYPTO_load_u32_le(sigma + 4); + input[2] = CRYPTO_load_u32_le(sigma + 8); + input[3] = CRYPTO_load_u32_le(sigma + 12); - input[4] = U8TO32_LITTLE(key + 0); - input[5] = U8TO32_LITTLE(key + 4); - input[6] = U8TO32_LITTLE(key + 8); - input[7] = U8TO32_LITTLE(key + 12); + input[4] = CRYPTO_load_u32_le(key + 0); + input[5] = CRYPTO_load_u32_le(key + 4); + input[6] = CRYPTO_load_u32_le(key + 8); + input[7] = CRYPTO_load_u32_le(key + 12); - input[8] = U8TO32_LITTLE(key + 16); - input[9] = U8TO32_LITTLE(key + 20); - input[10] = U8TO32_LITTLE(key + 24); - input[11] = U8TO32_LITTLE(key + 28); + input[8] = CRYPTO_load_u32_le(key + 16); + input[9] = CRYPTO_load_u32_le(key + 20); + input[10] = CRYPTO_load_u32_le(key + 24); + input[11] = CRYPTO_load_u32_le(key + 28); input[12] = counter; - input[13] = U8TO32_LITTLE(nonce + 0); - input[14] = U8TO32_LITTLE(nonce + 4); - input[15] = U8TO32_LITTLE(nonce + 8); + input[13] = CRYPTO_load_u32_le(nonce + 0); + input[14] = CRYPTO_load_u32_le(nonce + 4); + input[15] = CRYPTO_load_u32_le(nonce + 8); while (in_len > 0) { todo = sizeof(buf); diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.linux.x86_64.S index 71e14ce5..c70ff68a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.linux.x86_64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.mac.x86_64.S index 27e3d64d..29a06032 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/aes128gcmsiv-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.ios.aarch64.S new file mode 100644 index 00000000..fc419c33 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.ios.aarch64.S 
@@ -0,0 +1,3024 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#if defined(__aarch64__) && defined(__APPLE__) +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif +#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif + +#if !defined(OPENSSL_NO_ASM) +#if defined(BORINGSSL_PREFIX) +#include +#endif +#include +.section __TEXT,__const + +.align 7 +Lchacha20_consts: +.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' +Linc: +.long 1,2,3,4 +Lrol8: +.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14 +Lclamp: +.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC + +.text + + +.align 6 +Lpoly_hash_ad_internal: +.cfi_startproc + cbnz x4, Lpoly_hash_intro + ret + +Lpoly_hash_intro: + cmp x4, #16 + b.lt Lpoly_hash_ad_tail + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #16 + b Lpoly_hash_ad_internal + +Lpoly_hash_ad_tail: + cbz x4, Lpoly_hash_ad_ret + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the AAD + sub x4, x4, #1 + +Lpoly_hash_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, 
x4] + mov v20.b[0], w11 + subs x4, x4, #1 + b.ge Lpoly_hash_tail_16_compose + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +Lpoly_hash_ad_ret: + ret +.cfi_endproc + + +///////////////////////////////// +// +// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data); +// +.globl _chacha20_poly1305_seal +.private_extern _chacha20_poly1305_seal + +.align 6 +_chacha20_poly1305_seal: + AARCH64_SIGN_LINK_REGISTER +.cfi_startproc + stp x29, x30, [sp, #-80]! +.cfi_def_cfa_offset 80 +.cfi_offset w30, -72 +.cfi_offset w29, -80 + mov x29, sp +# We probably could do .cfi_def_cfa w29, 80 at this point, but since +# we don't actually use the frame pointer like that, it's probably not +# worth bothering. 
+ stp d8, d9, [sp, #16] + stp d10, d11, [sp, #32] + stp d12, d13, [sp, #48] + stp d14, d15, [sp, #64] +.cfi_offset b15, -8 +.cfi_offset b14, -16 +.cfi_offset b13, -24 +.cfi_offset b12, -32 +.cfi_offset b11, -40 +.cfi_offset b10, -48 +.cfi_offset b9, -56 +.cfi_offset b8, -64 + + adrp x11, Lchacha20_consts@PAGE + add x11, x11, Lchacha20_consts@PAGEOFF + + ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values + ld1 {v28.16b - v30.16b}, [x5] + + mov x15, #1 // Prepare the Poly1305 state + mov x8, #0 + mov x9, #0 + mov x10, #0 + + ldr x12, [x5, #56] // The total cipher text length includes extra_in_len + add x12, x12, x2 + mov v31.d[0], x4 // Store the input and aad lengths + mov v31.d[1], x12 + + cmp x2, #128 + b.le Lseal_128 // Optimization for smaller buffers + + // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext, + // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically, + // the fifth block (A4-D4) horizontally. 
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + sub x5, x5, #32 + + mov x6, #10 + +.align 5 +Lseal_init_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor 
v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + 
+ eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x6, x6, #1 + b.hi Lseal_init_rounds + + add v15.4s, v15.4s, v25.4s + mov x11, #4 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + and v4.16b, v4.16b, v27.16b + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add 
v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + mov x16, v4.d[0] // Move the R key to GPRs + mov x17, v4.d[1] + mov v27.16b, v9.16b // Store the S key + + bl Lpoly_hash_ad_internal + + mov x3, x0 + cmp x2, #256 + b.le Lseal_tail + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #256 + + mov x6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds + mov x7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256 + +Lseal_main_loop: + adrp x11, Lchacha20_consts@PAGE + add x11, x11, Lchacha20_consts@PAGEOFF + + ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + sub x5, x5, #32 
+.align 5 +Lseal_main_loop_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + 
ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, 
v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x6, x6, #1 + b.ge Lseal_main_loop_rounds + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + subs x7, x7, #1 + b.gt Lseal_main_loop_rounds + + eor v20.16b, v20.16b, v20.16b //zero + not 
v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + add v15.4s, v15.4s, v25.4s + mov x11, #5 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + add v14.4s, v14.4s, v29.4s + add v19.4s, v19.4s, v30.4s + + cmp x2, #320 + b.le Lseal_tail + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - 
v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v4.16b + eor v21.16b, v21.16b, v9.16b + eor v22.16b, v22.16b, v14.16b + eor v23.16b, v23.16b, v19.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #320 + + mov x6, #0 + mov x7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration + + b Lseal_main_loop + +Lseal_tail: + // This part of the function handles the storage and authentication of the last [0,320) bytes + // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data. 
+ cmp x2, #64 + b.lt Lseal_tail_64 + + // Store and authenticate 64B blocks per iteration + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v22.d[0] + mov x12, 
v22.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v23.d[0] + mov x12, v23.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + st1 {v20.16b - v23.16b}, [x0], #64 + sub x2, x2, #64 + + // Shift the state left by 64 bytes for the next iteration of the loop + mov v0.16b, v1.16b + mov v5.16b, v6.16b + mov v10.16b, v11.16b + mov v15.16b, v16.16b + + mov v1.16b, v2.16b + mov v6.16b, v7.16b + mov v11.16b, v12.16b + mov v16.16b, v17.16b + + mov 
v2.16b, v3.16b + mov v7.16b, v8.16b + mov v12.16b, v13.16b + mov v17.16b, v18.16b + + mov v3.16b, v4.16b + mov v8.16b, v9.16b + mov v13.16b, v14.16b + mov v18.16b, v19.16b + + b Lseal_tail + +Lseal_tail_64: + ldp x3, x4, [x5, #48] // extra_in_len and extra_in_ptr + + // Here we handle the last [0,64) bytes of plaintext + cmp x2, #16 + b.lt Lseal_tail_16 + // Each iteration encrypt and authenticate a 16B block + ld1 {v20.16b}, [x1], #16 + eor v20.16b, v20.16b, v0.16b + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + st1 {v20.16b}, [x0], #16 + + sub x2, x2, #16 + + // Shift the state left by 16 bytes for the next iteration of the loop + mov v0.16b, v5.16b + mov v5.16b, v10.16b + mov v10.16b, v15.16b + + b Lseal_tail_64 + +Lseal_tail_16: + // Here we handle the last [0,16) bytes of ciphertext that require a padded block + cbz x2, Lseal_hash_extra + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in + eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes + not v22.16b, v20.16b + + mov x6, x2 + add x1, x1, x2 + + cbz x4, Lseal_tail_16_compose // No extra data to pad with, zero padding + + mov x7, #16 // We 
need to load some extra_in first for padding + sub x7, x7, x2 + cmp x4, x7 + csel x7, x4, x7, lt // Load the minimum of extra_in_len and the amount needed to fill the register + mov x12, x7 + add x3, x3, x7 + sub x4, x4, x7 + +Lseal_tail16_compose_extra_in: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, #-1]! + mov v20.b[0], w11 + subs x7, x7, #1 + b.gt Lseal_tail16_compose_extra_in + + add x3, x3, x12 + +Lseal_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x1, #-1]! + mov v20.b[0], w11 + ext v21.16b, v22.16b, v21.16b, #15 + subs x2, x2, #1 + b.gt Lseal_tail_16_compose + + and v0.16b, v0.16b, v21.16b + eor v20.16b, v20.16b, v0.16b + mov v21.16b, v20.16b + +Lseal_tail_16_store: + umov w11, v20.b[0] + strb w11, [x0], #1 + ext v20.16b, v20.16b, v20.16b, #1 + subs x6, x6, #1 + b.gt Lseal_tail_16_store + + // Hash in the final ct block concatenated with extra_in + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +Lseal_hash_extra: + cbz x4, Lseal_finalize + +Lseal_hash_extra_loop: + cmp x4, #16 + b.lt Lseal_hash_extra_tail + ld1 {v20.16b}, [x3], #16 + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul 
x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #16 + b Lseal_hash_extra_loop + +Lseal_hash_extra_tail: + cbz x4, Lseal_finalize + eor v20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext + add x3, x3, x4 + +Lseal_hash_extra_load: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, #-1]! 
+ mov v20.b[0], w11 + subs x4, x4, #1 + b.gt Lseal_hash_extra_load + + // Hash in the final padded extra_in blcok + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +Lseal_finalize: + mov x11, v31.d[0] + mov x12, v31.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + # Final reduction step + sub x12, xzr, x15 + orr x13, xzr, #3 + subs x11, x8, #-5 + sbcs x12, x9, x12 + sbcs x13, x10, x13 + csel x8, x11, x8, cs + csel 
x9, x12, x9, cs + csel x10, x13, x10, cs + mov x11, v27.d[0] + mov x12, v27.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + + stp x8, x9, [x5] + + ldp d8, d9, [sp, #16] + ldp d10, d11, [sp, #32] + ldp d12, d13, [sp, #48] + ldp d14, d15, [sp, #64] +.cfi_restore b15 +.cfi_restore b14 +.cfi_restore b13 +.cfi_restore b12 +.cfi_restore b11 +.cfi_restore b10 +.cfi_restore b9 +.cfi_restore b8 + ldp x29, x30, [sp], 80 +.cfi_restore w29 +.cfi_restore w30 +.cfi_def_cfa_offset 0 + AARCH64_VALIDATE_LINK_REGISTER + ret + +Lseal_128: + // On some architectures preparing 5 blocks for small buffers is wasteful + eor v25.16b, v25.16b, v25.16b + mov x11, #1 + mov v25.s[0], w11 + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v17.16b, v30.16b + add v15.4s, v17.4s, v25.4s + add v16.4s, v15.4s, v25.4s + + mov x6, #10 + +Lseal_128_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b 
+ eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + 
subs x6, x6, #1 + b.hi Lseal_128_rounds + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + + // Only the first 32 bytes of the third block (counter = 0) are needed, + // so skip updating v12 and v17. + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + + add v30.4s, v30.4s, v25.4s + add v15.4s, v15.4s, v30.4s + add v30.4s, v30.4s, v25.4s + add v16.4s, v16.4s, v30.4s + + and v2.16b, v2.16b, v27.16b + mov x16, v2.d[0] // Move the R key to GPRs + mov x17, v2.d[1] + mov v27.16b, v7.16b // Store the S key + + bl Lpoly_hash_ad_internal + b Lseal_tail +.cfi_endproc + + +///////////////////////////////// +// +// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data); +// +.globl _chacha20_poly1305_open +.private_extern _chacha20_poly1305_open + +.align 6 +_chacha20_poly1305_open: + AARCH64_SIGN_LINK_REGISTER +.cfi_startproc + stp x29, x30, [sp, #-80]! +.cfi_def_cfa_offset 80 +.cfi_offset w30, -72 +.cfi_offset w29, -80 + mov x29, sp +# We probably could do .cfi_def_cfa w29, 80 at this point, but since +# we don't actually use the frame pointer like that, it's probably not +# worth bothering. 
+ stp d8, d9, [sp, #16] + stp d10, d11, [sp, #32] + stp d12, d13, [sp, #48] + stp d14, d15, [sp, #64] +.cfi_offset b15, -8 +.cfi_offset b14, -16 +.cfi_offset b13, -24 +.cfi_offset b12, -32 +.cfi_offset b11, -40 +.cfi_offset b10, -48 +.cfi_offset b9, -56 +.cfi_offset b8, -64 + + adrp x11, Lchacha20_consts@PAGE + add x11, x11, Lchacha20_consts@PAGEOFF + + ld1 {v24.16b - v27.16b}, [x11] // Load the CONSTS, INC, ROL8 and CLAMP values + ld1 {v28.16b - v30.16b}, [x5] + + mov x15, #1 // Prepare the Poly1305 state + mov x8, #0 + mov x9, #0 + mov x10, #0 + + mov v31.d[0], x4 // Store the input and aad lengths + mov v31.d[1], x2 + + cmp x2, #128 + b.le Lopen_128 // Optimization for smaller buffers + + // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys + mov v0.16b, v24.16b + mov v5.16b, v28.16b + mov v10.16b, v29.16b + mov v15.16b, v30.16b + + mov x6, #10 + +.align 5 +Lopen_init_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + subs x6, x6, #1 + b.hi Lopen_init_rounds + + add v0.4s, v0.4s, v24.4s + 
add v5.4s, v5.4s, v28.4s + + and v0.16b, v0.16b, v27.16b + mov x16, v0.d[0] // Move the R key to GPRs + mov x17, v0.d[1] + mov v27.16b, v5.16b // Store the S key + + bl Lpoly_hash_ad_internal + +Lopen_ad_done: + mov x3, x1 + +// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes +Lopen_main_loop: + + cmp x2, #192 + b.lt Lopen_tail + + adrp x11, Lchacha20_consts@PAGE + add x11, x11, Lchacha20_consts@PAGEOFF + + ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + sub x5, x5, #32 + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + lsr x4, x2, #4 // How many whole blocks we have to hash, will always be at least 12 + sub x4, x4, #10 + + mov x7, #10 + subs x6, x7, x4 + subs x6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash + csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full + + cbz x7, Lopen_main_loop_rounds_short + +.align 5 +Lopen_main_loop_rounds: + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, 
x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most +Lopen_main_loop_rounds_short: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, 
#7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 
+ ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x7, x7, #1 + b.gt Lopen_main_loop_rounds + subs x6, x6, #1 + b.ge Lopen_main_loop_rounds_short + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + add v15.4s, v15.4s, v25.4s + mov x11, #5 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 
v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + add v14.4s, v14.4s, v29.4s + add v19.4s, v19.4s, v30.4s + + // We can always safely store 192 bytes + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #192 + + mov v0.16b, v3.16b + mov v5.16b, v8.16b + mov v10.16b, v13.16b + mov v15.16b, v18.16b + + cmp x2, #64 + b.lt Lopen_tail_64_store + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, 
v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + + mov v0.16b, v4.16b + mov v5.16b, v9.16b + mov v10.16b, v14.16b + mov v15.16b, v19.16b + + cmp x2, #64 + b.lt Lopen_tail_64_store + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v4.16b + eor v21.16b, v21.16b, v9.16b + eor v22.16b, v22.16b, v14.16b + eor v23.16b, v23.16b, v19.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + b Lopen_main_loop + +Lopen_tail: + + cbz x2, Lopen_finalize + + lsr x4, x2, #4 // How many whole blocks we have to hash + + cmp x2, #64 + b.le Lopen_tail_64 + cmp x2, #128 + b.le Lopen_tail_128 + +Lopen_tail_192: + // We need three more blocks + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v15.16b, v30.16b + mov v16.16b, v30.16b + mov v17.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + eor v21.16b, v21.16b, v21.16b + ins v23.s[0], v25.s[0] + ins v21.d[0], x15 + + add v22.4s, v23.4s, v21.4s + add v21.4s, v22.4s, v21.4s + + add v15.4s, v15.4s, v21.4s + add v16.4s, v16.4s, v23.4s + add v17.4s, v17.4s, v22.4s + + mov x7, #10 + subs x6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash + csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing + sub x4, x4, x7 + + cbz x7, Lopen_tail_192_rounds_no_hash + +Lopen_tail_192_rounds: + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs 
x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most +Lopen_tail_192_rounds_no_hash: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, 
v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + subs x7, x7, #1 + b.gt Lopen_tail_192_rounds + subs x6, x6, #1 + b.ge Lopen_tail_192_rounds_no_hash + + // We hashed 160 bytes at most, may still have 32 bytes left +Lopen_tail_192_hash: + cbz x4, Lopen_tail_192_hash_done + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] 
+ umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #1 + b Lopen_tail_192_hash + +Lopen_tail_192_hash_done: + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + add v12.4s, v12.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v16.4s, v16.4s, v30.4s + add v17.4s, v17.4s, v30.4s + + add v15.4s, v15.4s, v21.4s + add v16.4s, v16.4s, v23.4s + add v17.4s, v17.4s, v22.4s + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #128 + b Lopen_tail_64_store + +Lopen_tail_128: + // We need two more blocks + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v15.16b, v30.16b + mov v16.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + eor v22.16b, v22.16b, v22.16b + ins v23.s[0], v25.s[0] + ins v22.d[0], x15 + add v22.4s, v22.4s, v23.4s + + add v15.4s, v15.4s, v22.4s + add v16.4s, v16.4s, v23.4s + + mov x6, #10 + sub x6, x6, x4 + +Lopen_tail_128_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, 
v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v1.4s, v1.4s, v6.4s + eor v16.16b, v16.16b, v1.16b + rev32 v16.8h, v16.8h + + add v11.4s, v11.4s, v16.4s + eor v6.16b, v6.16b, v11.16b + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + add v1.4s, v1.4s, v20.4s + eor v16.16b, v16.16b, v1.16b + tbl v16.16b, {v16.16b}, v26.16b + + add v11.4s, v11.4s, v16.4s + eor v20.16b, v20.16b, v11.16b + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + ext v6.16b, v6.16b, v6.16b, #4 + ext v11.16b, v11.16b, v11.16b, #8 + ext v16.16b, v16.16b, v16.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + add v1.4s, v1.4s, v6.4s + eor v16.16b, v16.16b, v1.16b + rev32 v16.8h, v16.8h + + add v11.4s, v11.4s, v16.4s + eor v6.16b, v6.16b, v11.16b + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + add v1.4s, v1.4s, v20.4s + eor v16.16b, v16.16b, v1.16b + tbl v16.16b, {v16.16b}, v26.16b + + add v11.4s, v11.4s, v16.4s + eor v20.16b, v20.16b, v11.16b + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + ext v6.16b, v6.16b, v6.16b, #12 + ext v11.16b, v11.16b, v11.16b, #8 + ext v16.16b, v16.16b, v16.16b, #4 + subs x6, x6, #1 + b.gt 
Lopen_tail_128_rounds + cbz x4, Lopen_tail_128_rounds_done + subs x4, x4, #1 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + b Lopen_tail_128_rounds + +Lopen_tail_128_rounds_done: + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v16.4s, v16.4s, v30.4s + add v15.4s, v15.4s, v22.4s + add v16.4s, v16.4s, v23.4s + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + sub x2, x2, #64 + + b Lopen_tail_64_store + +Lopen_tail_64: + // We just need a single block + mov v0.16b, v24.16b + mov v5.16b, v28.16b + mov v10.16b, v29.16b + mov v15.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + ins v23.s[0], v25.s[0] + add v15.4s, v15.4s, v23.4s + + mov x6, #10 + sub x6, x6, x4 + +Lopen_tail_64_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, 
v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + subs x6, x6, #1 + b.gt Lopen_tail_64_rounds + cbz x4, Lopen_tail_64_rounds_done + subs x4, x4, #1 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + b Lopen_tail_64_rounds + +Lopen_tail_64_rounds_done: + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v15.4s, v15.4s, v23.4s + +Lopen_tail_64_store: + cmp x2, #16 + b.lt Lopen_tail_16 + 
+ ld1 {v20.16b}, [x1], #16 + eor v20.16b, v20.16b, v0.16b + st1 {v20.16b}, [x0], #16 + mov v0.16b, v5.16b + mov v5.16b, v10.16b + mov v10.16b, v15.16b + sub x2, x2, #16 + b Lopen_tail_64_store + +Lopen_tail_16: + // Here we handle the last [0,16) bytes that require a padded block + cbz x2, Lopen_finalize + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext + eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask + not v22.16b, v20.16b + + add x7, x1, x2 + mov x6, x2 + +Lopen_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x7, #-1]! + mov v20.b[0], w11 + ext v21.16b, v22.16b, v21.16b, #15 + subs x2, x2, #1 + b.gt Lopen_tail_16_compose + + and v20.16b, v20.16b, v21.16b + // Hash in the final padded block + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + eor v20.16b, v20.16b, v0.16b + +Lopen_tail_16_store: + umov w11, v20.b[0] + strb w11, [x0], #1 + ext v20.16b, v20.16b, v20.16b, #1 + subs x6, x6, #1 + b.gt Lopen_tail_16_store + +Lopen_finalize: + mov x11, v31.d[0] + mov x12, v31.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, 
x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + # Final reduction step + sub x12, xzr, x15 + orr x13, xzr, #3 + subs x11, x8, #-5 + sbcs x12, x9, x12 + sbcs x13, x10, x13 + csel x8, x11, x8, cs + csel x9, x12, x9, cs + csel x10, x13, x10, cs + mov x11, v27.d[0] + mov x12, v27.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + + stp x8, x9, [x5] + + ldp d8, d9, [sp, #16] + ldp d10, d11, [sp, #32] + ldp d12, d13, [sp, #48] + ldp d14, d15, [sp, #64] +.cfi_restore b15 +.cfi_restore b14 +.cfi_restore b13 +.cfi_restore b12 +.cfi_restore b11 +.cfi_restore b10 +.cfi_restore b9 +.cfi_restore b8 + ldp x29, x30, [sp], 80 +.cfi_restore w29 +.cfi_restore w30 +.cfi_def_cfa_offset 0 + AARCH64_VALIDATE_LINK_REGISTER + ret + +Lopen_128: + // On some architectures preparing 5 blocks for small buffers is wasteful + eor v25.16b, v25.16b, v25.16b + mov x11, #1 + mov v25.s[0], w11 + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v17.16b, v30.16b + add v15.4s, v17.4s, v25.4s + add v16.4s, v15.4s, v25.4s + + mov x6, #10 + +Lopen_128_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + 
rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, 
v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + subs x6, x6, #1 + b.hi Lopen_128_rounds + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + + add v30.4s, v30.4s, v25.4s + add v15.4s, v15.4s, v30.4s + add v30.4s, v30.4s, v25.4s + add v16.4s, v16.4s, v30.4s + + and v2.16b, v2.16b, v27.16b + mov x16, v2.d[0] // Move the R key to GPRs + mov x17, v2.d[1] + mov v27.16b, v7.16b // Store the S key + + bl Lpoly_hash_ad_internal + +Lopen_128_store: + cmp x2, #64 + b.lt Lopen_128_store_64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + 
and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v22.d[0] + mov x12, v22.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // 
At this point acc2 has the value of 4 at most + mov x11, v23.d[0] + mov x12, v23.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + + mov v0.16b, v1.16b + mov v5.16b, v6.16b + mov v10.16b, v11.16b + mov v15.16b, v16.16b + +Lopen_128_store_64: + + lsr x4, x2, #4 + mov x3, x1 + +Lopen_128_hash_64: + cbz x4, Lopen_tail_64_store + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 
bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #1 + b Lopen_128_hash_64 +.cfi_endproc + +#endif // !OPENSSL_NO_ASM +#endif // defined(__aarch64__) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.linux.aarch64.S new file mode 100644 index 00000000..3fe8bdea --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_armv8.linux.aarch64.S 
@@ -0,0 +1,3027 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#if defined(__aarch64__) && defined(__linux__) +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif +#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif + +#if !defined(OPENSSL_NO_ASM) +#if defined(__aarch64__) +#if defined(BORINGSSL_PREFIX) +#include +#endif +#include +.section .rodata + +.align 7 +.Lchacha20_consts: +.byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' +.Linc: +.long 1,2,3,4 +.Lrol8: +.byte 3,0,1,2, 7,4,5,6, 11,8,9,10, 15,12,13,14 +.Lclamp: +.quad 0x0FFFFFFC0FFFFFFF, 0x0FFFFFFC0FFFFFFC + +.text + +.type .Lpoly_hash_ad_internal,%function +.align 6 +.Lpoly_hash_ad_internal: +.cfi_startproc + cbnz x4, .Lpoly_hash_intro + ret + +.Lpoly_hash_intro: + cmp x4, #16 + b.lt .Lpoly_hash_ad_tail + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #16 + b .Lpoly_hash_ad_internal + +.Lpoly_hash_ad_tail: + cbz x4, .Lpoly_hash_ad_ret + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the AAD + sub x4, x4, #1 + 
+.Lpoly_hash_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, x4] + mov v20.b[0], w11 + subs x4, x4, #1 + b.ge .Lpoly_hash_tail_16_compose + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +.Lpoly_hash_ad_ret: + ret +.cfi_endproc +.size .Lpoly_hash_ad_internal, .-.Lpoly_hash_ad_internal + +///////////////////////////////// +// +// void chacha20_poly1305_seal(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *seal_data); +// +.globl chacha20_poly1305_seal +.hidden chacha20_poly1305_seal +.type chacha20_poly1305_seal,%function +.align 6 +chacha20_poly1305_seal: + AARCH64_SIGN_LINK_REGISTER +.cfi_startproc + stp x29, x30, [sp, #-80]! +.cfi_def_cfa_offset 80 +.cfi_offset w30, -72 +.cfi_offset w29, -80 + mov x29, sp +# We probably could do .cfi_def_cfa w29, 80 at this point, but since +# we don't actually use the frame pointer like that, it's probably not +# worth bothering. 
+ stp d8, d9, [sp, #16] + stp d10, d11, [sp, #32] + stp d12, d13, [sp, #48] + stp d14, d15, [sp, #64] +.cfi_offset b15, -8 +.cfi_offset b14, -16 +.cfi_offset b13, -24 +.cfi_offset b12, -32 +.cfi_offset b11, -40 +.cfi_offset b10, -48 +.cfi_offset b9, -56 +.cfi_offset b8, -64 + + adrp x11, .Lchacha20_consts + add x11, x11, :lo12:.Lchacha20_consts + + ld1 {v24.16b - v27.16b}, [x11] // .Load the CONSTS, INC, ROL8 and CLAMP values + ld1 {v28.16b - v30.16b}, [x5] + + mov x15, #1 // Prepare the Poly1305 state + mov x8, #0 + mov x9, #0 + mov x10, #0 + + ldr x12, [x5, #56] // The total cipher text length includes extra_in_len + add x12, x12, x2 + mov v31.d[0], x4 // Store the input and aad lengths + mov v31.d[1], x12 + + cmp x2, #128 + b.le .Lseal_128 // Optimization for smaller buffers + + // Initially we prepare 5 ChaCha20 blocks. Four to encrypt up to 4 blocks (256 bytes) of plaintext, + // and one for the Poly1305 R and S keys. The first four blocks (A0-A3..D0-D3) are computed vertically, + // the fifth block (A4-D4) horizontally. 
+ ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + sub x5, x5, #32 + + mov x6, #10 + +.align 5 +.Lseal_init_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor 
v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + 
+ eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x6, x6, #1 + b.hi .Lseal_init_rounds + + add v15.4s, v15.4s, v25.4s + mov x11, #4 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + and v4.16b, v4.16b, v27.16b + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add 
v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + mov x16, v4.d[0] // Move the R key to GPRs + mov x17, v4.d[1] + mov v27.16b, v9.16b // Store the S key + + bl .Lpoly_hash_ad_internal + + mov x3, x0 + cmp x2, #256 + b.le .Lseal_tail + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #256 + + mov x6, #4 // In the first run of the loop we need to hash 256 bytes, therefore we hash one block for the first 4 rounds + mov x7, #6 // and two blocks for the remaining 6, for a total of (1 * 4 + 2 * 6) * 16 = 256 + +.Lseal_main_loop: + adrp x11, .Lchacha20_consts + add x11, x11, :lo12:.Lchacha20_consts + + ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + sub x5, x5, #32 
+.align 5 +.Lseal_main_loop_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + 
ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, 
v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x6, x6, #1 + b.ge .Lseal_main_loop_rounds + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + subs x7, x7, #1 + b.gt .Lseal_main_loop_rounds + + eor v20.16b, v20.16b, v20.16b //zero + not 
v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + add v15.4s, v15.4s, v25.4s + mov x11, #5 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + add v14.4s, v14.4s, v29.4s + add v19.4s, v19.4s, v30.4s + + cmp x2, #320 + b.le .Lseal_tail + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - 
v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v4.16b + eor v21.16b, v21.16b, v9.16b + eor v22.16b, v22.16b, v14.16b + eor v23.16b, v23.16b, v19.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #320 + + mov x6, #0 + mov x7, #10 // For the remainder of the loop we always hash and encrypt 320 bytes per iteration + + b .Lseal_main_loop + +.Lseal_tail: + // This part of the function handles the storage and authentication of the last [0,320) bytes + // We assume A0-A4 ... D0-D4 hold at least inl (320 max) bytes of the stream data. 
+ cmp x2, #64 + b.lt .Lseal_tail_64 + + // Store and authenticate 64B blocks per iteration + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v22.d[0] + mov x12, 
v22.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v23.d[0] + mov x12, v23.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + st1 {v20.16b - v23.16b}, [x0], #64 + sub x2, x2, #64 + + // Shift the state left by 64 bytes for the next iteration of the loop + mov v0.16b, v1.16b + mov v5.16b, v6.16b + mov v10.16b, v11.16b + mov v15.16b, v16.16b + + mov v1.16b, v2.16b + mov v6.16b, v7.16b + mov v11.16b, v12.16b + mov v16.16b, v17.16b + + mov 
v2.16b, v3.16b + mov v7.16b, v8.16b + mov v12.16b, v13.16b + mov v17.16b, v18.16b + + mov v3.16b, v4.16b + mov v8.16b, v9.16b + mov v13.16b, v14.16b + mov v18.16b, v19.16b + + b .Lseal_tail + +.Lseal_tail_64: + ldp x3, x4, [x5, #48] // extra_in_len and extra_in_ptr + + // Here we handle the last [0,64) bytes of plaintext + cmp x2, #16 + b.lt .Lseal_tail_16 + // Each iteration encrypt and authenticate a 16B block + ld1 {v20.16b}, [x1], #16 + eor v20.16b, v20.16b, v0.16b + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + st1 {v20.16b}, [x0], #16 + + sub x2, x2, #16 + + // Shift the state left by 16 bytes for the next iteration of the loop + mov v0.16b, v5.16b + mov v5.16b, v10.16b + mov v10.16b, v15.16b + + b .Lseal_tail_64 + +.Lseal_tail_16: + // Here we handle the last [0,16) bytes of ciphertext that require a padded block + cbz x2, .Lseal_hash_extra + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the plaintext/extra in + eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask that will only mask the ciphertext bytes + not v22.16b, v20.16b + + mov x6, x2 + add x1, x1, x2 + + cbz x4, .Lseal_tail_16_compose // No extra data to pad with, zero padding + + mov x7, 
#16 // We need to load some extra_in first for padding + sub x7, x7, x2 + cmp x4, x7 + csel x7, x4, x7, lt // .Load the minimum of extra_in_len and the amount needed to fill the register + mov x12, x7 + add x3, x3, x7 + sub x4, x4, x7 + +.Lseal_tail16_compose_extra_in: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, #-1]! + mov v20.b[0], w11 + subs x7, x7, #1 + b.gt .Lseal_tail16_compose_extra_in + + add x3, x3, x12 + +.Lseal_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x1, #-1]! + mov v20.b[0], w11 + ext v21.16b, v22.16b, v21.16b, #15 + subs x2, x2, #1 + b.gt .Lseal_tail_16_compose + + and v0.16b, v0.16b, v21.16b + eor v20.16b, v20.16b, v0.16b + mov v21.16b, v20.16b + +.Lseal_tail_16_store: + umov w11, v20.b[0] + strb w11, [x0], #1 + ext v20.16b, v20.16b, v20.16b, #1 + subs x6, x6, #1 + b.gt .Lseal_tail_16_store + + // Hash in the final ct block concatenated with extra_in + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +.Lseal_hash_extra: + cbz x4, .Lseal_finalize + +.Lseal_hash_extra_loop: + cmp x4, #16 + b.lt .Lseal_hash_extra_tail + ld1 {v20.16b}, [x3], #16 + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc 
x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #16 + b .Lseal_hash_extra_loop + +.Lseal_hash_extra_tail: + cbz x4, .Lseal_finalize + eor v20.16b, v20.16b, v20.16b // Use T0 to load the remaining extra ciphertext + add x3, x3, x4 + +.Lseal_hash_extra_load: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x3, #-1]! 
+ mov v20.b[0], w11 + subs x4, x4, #1 + b.gt .Lseal_hash_extra_load + + // Hash in the final padded extra_in blcok + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + +.Lseal_finalize: + mov x11, v31.d[0] + mov x12, v31.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + # Final reduction step + sub x12, xzr, x15 + orr x13, xzr, #3 + subs x11, x8, #-5 + sbcs x12, x9, x12 + sbcs x13, x10, x13 + csel x8, x11, x8, cs + 
csel x9, x12, x9, cs + csel x10, x13, x10, cs + mov x11, v27.d[0] + mov x12, v27.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + + stp x8, x9, [x5] + + ldp d8, d9, [sp, #16] + ldp d10, d11, [sp, #32] + ldp d12, d13, [sp, #48] + ldp d14, d15, [sp, #64] +.cfi_restore b15 +.cfi_restore b14 +.cfi_restore b13 +.cfi_restore b12 +.cfi_restore b11 +.cfi_restore b10 +.cfi_restore b9 +.cfi_restore b8 + ldp x29, x30, [sp], 80 +.cfi_restore w29 +.cfi_restore w30 +.cfi_def_cfa_offset 0 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.Lseal_128: + // On some architectures preparing 5 blocks for small buffers is wasteful + eor v25.16b, v25.16b, v25.16b + mov x11, #1 + mov v25.s[0], w11 + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v17.16b, v30.16b + add v15.4s, v17.4s, v25.4s + add v16.4s, v15.4s, v25.4s + + mov x6, #10 + +.Lseal_128_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, 
v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, 
#4 + subs x6, x6, #1 + b.hi .Lseal_128_rounds + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + + // Only the first 32 bytes of the third block (counter = 0) are needed, + // so skip updating v12 and v17. + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + + add v30.4s, v30.4s, v25.4s + add v15.4s, v15.4s, v30.4s + add v30.4s, v30.4s, v25.4s + add v16.4s, v16.4s, v30.4s + + and v2.16b, v2.16b, v27.16b + mov x16, v2.d[0] // Move the R key to GPRs + mov x17, v2.d[1] + mov v27.16b, v7.16b // Store the S key + + bl .Lpoly_hash_ad_internal + b .Lseal_tail +.cfi_endproc +.size chacha20_poly1305_seal,.-chacha20_poly1305_seal + +///////////////////////////////// +// +// void chacha20_poly1305_open(uint8_t *pt, uint8_t *ct, size_t len_in, uint8_t *ad, size_t len_ad, union open_data *aead_data); +// +.globl chacha20_poly1305_open +.hidden chacha20_poly1305_open +.type chacha20_poly1305_open,%function +.align 6 +chacha20_poly1305_open: + AARCH64_SIGN_LINK_REGISTER +.cfi_startproc + stp x29, x30, [sp, #-80]! +.cfi_def_cfa_offset 80 +.cfi_offset w30, -72 +.cfi_offset w29, -80 + mov x29, sp +# We probably could do .cfi_def_cfa w29, 80 at this point, but since +# we don't actually use the frame pointer like that, it's probably not +# worth bothering. 
+ stp d8, d9, [sp, #16] + stp d10, d11, [sp, #32] + stp d12, d13, [sp, #48] + stp d14, d15, [sp, #64] +.cfi_offset b15, -8 +.cfi_offset b14, -16 +.cfi_offset b13, -24 +.cfi_offset b12, -32 +.cfi_offset b11, -40 +.cfi_offset b10, -48 +.cfi_offset b9, -56 +.cfi_offset b8, -64 + + adrp x11, .Lchacha20_consts + add x11, x11, :lo12:.Lchacha20_consts + + ld1 {v24.16b - v27.16b}, [x11] // .Load the CONSTS, INC, ROL8 and CLAMP values + ld1 {v28.16b - v30.16b}, [x5] + + mov x15, #1 // Prepare the Poly1305 state + mov x8, #0 + mov x9, #0 + mov x10, #0 + + mov v31.d[0], x4 // Store the input and aad lengths + mov v31.d[1], x2 + + cmp x2, #128 + b.le .Lopen_128 // Optimization for smaller buffers + + // Initially we prepare a single ChaCha20 block for the Poly1305 R and S keys + mov v0.16b, v24.16b + mov v5.16b, v28.16b + mov v10.16b, v29.16b + mov v15.16b, v30.16b + + mov x6, #10 + +.align 5 +.Lopen_init_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + subs x6, x6, #1 + b.hi .Lopen_init_rounds + + add v0.4s, v0.4s, v24.4s + add 
v5.4s, v5.4s, v28.4s + + and v0.16b, v0.16b, v27.16b + mov x16, v0.d[0] // Move the R key to GPRs + mov x17, v0.d[1] + mov v27.16b, v5.16b // Store the S key + + bl .Lpoly_hash_ad_internal + +.Lopen_ad_done: + mov x3, x1 + +// Each iteration of the loop hash 320 bytes, and prepare stream for 320 bytes +.Lopen_main_loop: + + cmp x2, #192 + b.lt .Lopen_tail + + adrp x11, .Lchacha20_consts + add x11, x11, :lo12:.Lchacha20_consts + + ld4r {v0.4s,v1.4s,v2.4s,v3.4s}, [x11] + mov v4.16b, v24.16b + + ld4r {v5.4s,v6.4s,v7.4s,v8.4s}, [x5], #16 + mov v9.16b, v28.16b + + ld4r {v10.4s,v11.4s,v12.4s,v13.4s}, [x5], #16 + mov v14.16b, v29.16b + + ld4r {v15.4s,v16.4s,v17.4s,v18.4s}, [x5] + sub x5, x5, #32 + add v15.4s, v15.4s, v25.4s + mov v19.16b, v30.16b + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + lsr x4, x2, #4 // How many whole blocks we have to hash, will always be at least 12 + sub x4, x4, #10 + + mov x7, #10 + subs x6, x7, x4 + subs x6, x7, x4 // itr1 can be negative if we have more than 320 bytes to hash + csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are full + + cbz x7, .Lopen_main_loop_rounds_short + +.align 5 +.Lopen_main_loop_rounds: + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, 
x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most +.Lopen_main_loop_rounds_short: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v9.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v18.8h, v18.8h + rev32 v19.8h, v19.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + eor v8.16b, v8.16b, v13.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, v8.4s, #12 + ushr v8.4s, v9.4s, #20 + sli v8.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + add v3.4s, v3.4s, v7.4s + add v4.4s, v4.4s, v8.4s + + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + eor v18.16b, v18.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v18.16b, {v18.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + add v13.4s, v13.4s, v18.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v14.16b + + ushr v9.4s, v8.4s, #25 + sli v9.4s, 
v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #4 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #12 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + add v0.4s, v0.4s, v6.4s + add v1.4s, v1.4s, v7.4s + add v2.4s, v2.4s, v8.4s + add v3.4s, v3.4s, v5.4s + add v4.4s, v4.4s, v9.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + rev32 v18.8h, v18.8h + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + rev32 v19.8h, v19.8h + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v6.16b, v6.16b, v12.16b + eor v7.16b, v7.16b, v13.16b + eor v8.16b, v8.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v9.16b, v9.16b, v14.16b + + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + ushr v7.4s, v8.4s, #20 + sli v7.4s, 
v8.4s, #12 + ushr v8.4s, v5.4s, #20 + sli v8.4s, v5.4s, #12 + ushr v5.4s, v9.4s, #20 + sli v5.4s, v9.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + add v3.4s, v3.4s, v8.4s + add v4.4s, v4.4s, v5.4s + + eor v18.16b, v18.16b, v0.16b + eor v15.16b, v15.16b, v1.16b + eor v16.16b, v16.16b, v2.16b + eor v17.16b, v17.16b, v3.16b + eor v19.16b, v19.16b, v4.16b + + tbl v18.16b, {v18.16b}, v26.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + tbl v19.16b, {v19.16b}, v26.16b + + add v12.4s, v12.4s, v18.4s + add v13.4s, v13.4s, v15.4s + add v10.4s, v10.4s, v16.4s + add v11.4s, v11.4s, v17.4s + add v14.4s, v14.4s, v19.4s + + eor v20.16b, v20.16b, v12.16b + eor v6.16b, v6.16b, v13.16b + eor v7.16b, v7.16b, v10.16b + eor v8.16b, v8.16b, v11.16b + eor v5.16b, v5.16b, v14.16b + + ushr v9.4s, v5.4s, #25 + sli v9.4s, v5.4s, #7 + ushr v5.4s, v8.4s, #25 + sli v5.4s, v8.4s, #7 + ushr v8.4s, v7.4s, #25 + sli v8.4s, v7.4s, #7 + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + + ext v9.16b, v9.16b, v9.16b, #12 + ext v14.16b, v14.16b, v14.16b, #8 + ext v19.16b, v19.16b, v19.16b, #4 + subs x7, x7, #1 + b.gt .Lopen_main_loop_rounds + subs x6, x6, #1 + b.ge .Lopen_main_loop_rounds_short + + eor v20.16b, v20.16b, v20.16b //zero + not v21.16b, v20.16b // -1 + sub v21.4s, v25.4s, v21.4s // Add +1 + ext v20.16b, v21.16b, v20.16b, #12 // Get the last element (counter) + add v19.4s, v19.4s, v20.4s + + add v15.4s, v15.4s, v25.4s + mov x11, #5 + dup v20.4s, w11 + add v25.4s, v25.4s, v20.4s + + zip1 v20.4s, v0.4s, v1.4s + zip2 v21.4s, v0.4s, v1.4s + zip1 v22.4s, v2.4s, v3.4s + zip2 v23.4s, v2.4s, v3.4s + + zip1 v0.2d, v20.2d, v22.2d + zip2 v1.2d, v20.2d, v22.2d + zip1 v2.2d, v21.2d, v23.2d + zip2 v3.2d, v21.2d, v23.2d + + zip1 v20.4s, v5.4s, v6.4s + zip2 v21.4s, v5.4s, v6.4s + zip1 v22.4s, v7.4s, v8.4s + zip2 v23.4s, v7.4s, v8.4s + + zip1 v5.2d, v20.2d, 
v22.2d + zip2 v6.2d, v20.2d, v22.2d + zip1 v7.2d, v21.2d, v23.2d + zip2 v8.2d, v21.2d, v23.2d + + zip1 v20.4s, v10.4s, v11.4s + zip2 v21.4s, v10.4s, v11.4s + zip1 v22.4s, v12.4s, v13.4s + zip2 v23.4s, v12.4s, v13.4s + + zip1 v10.2d, v20.2d, v22.2d + zip2 v11.2d, v20.2d, v22.2d + zip1 v12.2d, v21.2d, v23.2d + zip2 v13.2d, v21.2d, v23.2d + + zip1 v20.4s, v15.4s, v16.4s + zip2 v21.4s, v15.4s, v16.4s + zip1 v22.4s, v17.4s, v18.4s + zip2 v23.4s, v17.4s, v18.4s + + zip1 v15.2d, v20.2d, v22.2d + zip2 v16.2d, v20.2d, v22.2d + zip1 v17.2d, v21.2d, v23.2d + zip2 v18.2d, v21.2d, v23.2d + + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + + add v1.4s, v1.4s, v24.4s + add v6.4s, v6.4s, v28.4s + add v11.4s, v11.4s, v29.4s + add v16.4s, v16.4s, v30.4s + + add v2.4s, v2.4s, v24.4s + add v7.4s, v7.4s, v28.4s + add v12.4s, v12.4s, v29.4s + add v17.4s, v17.4s, v30.4s + + add v3.4s, v3.4s, v24.4s + add v8.4s, v8.4s, v28.4s + add v13.4s, v13.4s, v29.4s + add v18.4s, v18.4s, v30.4s + + add v4.4s, v4.4s, v24.4s + add v9.4s, v9.4s, v28.4s + add v14.4s, v14.4s, v29.4s + add v19.4s, v19.4s, v30.4s + + // We can always safely store 192 bytes + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #192 + + mov v0.16b, v3.16b + mov v5.16b, v8.16b + mov v10.16b, v13.16b + mov v15.16b, v18.16b + + cmp x2, #64 + b.lt .Lopen_tail_64_store + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor 
v20.16b, v20.16b, v3.16b + eor v21.16b, v21.16b, v8.16b + eor v22.16b, v22.16b, v13.16b + eor v23.16b, v23.16b, v18.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + + mov v0.16b, v4.16b + mov v5.16b, v9.16b + mov v10.16b, v14.16b + mov v15.16b, v19.16b + + cmp x2, #64 + b.lt .Lopen_tail_64_store + + ld1 {v20.16b - v23.16b}, [x1], #64 + eor v20.16b, v20.16b, v4.16b + eor v21.16b, v21.16b, v9.16b + eor v22.16b, v22.16b, v14.16b + eor v23.16b, v23.16b, v19.16b + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + b .Lopen_main_loop + +.Lopen_tail: + + cbz x2, .Lopen_finalize + + lsr x4, x2, #4 // How many whole blocks we have to hash + + cmp x2, #64 + b.le .Lopen_tail_64 + cmp x2, #128 + b.le .Lopen_tail_128 + +.Lopen_tail_192: + // We need three more blocks + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v15.16b, v30.16b + mov v16.16b, v30.16b + mov v17.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + eor v21.16b, v21.16b, v21.16b + ins v23.s[0], v25.s[0] + ins v21.d[0], x15 + + add v22.4s, v23.4s, v21.4s + add v21.4s, v22.4s, v21.4s + + add v15.4s, v15.4s, v21.4s + add v16.4s, v16.4s, v23.4s + add v17.4s, v17.4s, v22.4s + + mov x7, #10 + subs x6, x7, x4 // itr1 can be negative if we have more than 160 bytes to hash + csel x7, x7, x4, le // if itr1 is zero or less, itr2 should be 10 to indicate all 10 rounds are hashing + sub x4, x4, x7 + + cbz x7, .Lopen_tail_192_rounds_no_hash + +.Lopen_tail_192_rounds: + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh 
x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most +.Lopen_tail_192_rounds_no_hash: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s 
+ add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + subs x7, x7, #1 + b.gt .Lopen_tail_192_rounds + subs x6, x6, #1 + b.ge .Lopen_tail_192_rounds_no_hash + + // We hashed 160 bytes at most, may still have 32 bytes left +.Lopen_tail_192_hash: + cbz x4, .Lopen_tail_192_hash_done + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = 
[acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #1 + b .Lopen_tail_192_hash + +.Lopen_tail_192_hash_done: + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + add v12.4s, v12.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v16.4s, v16.4s, v30.4s + add v17.4s, v17.4s, v30.4s + + add v15.4s, v15.4s, v21.4s + add v16.4s, v16.4s, v23.4s + add v17.4s, v17.4s, v22.4s + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v2.16b + eor v21.16b, v21.16b, v7.16b + eor v22.16b, v22.16b, v12.16b + eor v23.16b, v23.16b, v17.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #128 + b .Lopen_tail_64_store + +.Lopen_tail_128: + // We need two more blocks + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v15.16b, v30.16b + mov v16.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + eor v22.16b, v22.16b, v22.16b + ins v23.s[0], v25.s[0] + ins v22.d[0], x15 + add v22.4s, v22.4s, v23.4s + + add v15.4s, v15.4s, v22.4s + add v16.4s, v16.4s, v23.4s + + mov x6, #10 + sub x6, x6, x4 + +.Lopen_tail_128_rounds: + add v0.4s, 
v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v1.4s, v1.4s, v6.4s + eor v16.16b, v16.16b, v1.16b + rev32 v16.8h, v16.8h + + add v11.4s, v11.4s, v16.4s + eor v6.16b, v6.16b, v11.16b + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + add v1.4s, v1.4s, v20.4s + eor v16.16b, v16.16b, v1.16b + tbl v16.16b, {v16.16b}, v26.16b + + add v11.4s, v11.4s, v16.4s + eor v20.16b, v20.16b, v11.16b + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + ext v6.16b, v6.16b, v6.16b, #4 + ext v11.16b, v11.16b, v11.16b, #8 + ext v16.16b, v16.16b, v16.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + add v1.4s, v1.4s, v6.4s + eor v16.16b, v16.16b, v1.16b + rev32 v16.8h, v16.8h + + add v11.4s, v11.4s, v16.4s + eor v6.16b, v6.16b, v11.16b + ushr v20.4s, v6.4s, #20 + sli v20.4s, v6.4s, #12 + add v1.4s, v1.4s, v20.4s + eor v16.16b, v16.16b, v1.16b + tbl v16.16b, {v16.16b}, v26.16b + + add v11.4s, v11.4s, v16.4s + eor v20.16b, v20.16b, v11.16b + ushr v6.4s, v20.4s, #25 + sli v6.4s, v20.4s, #7 + ext v6.16b, v6.16b, v6.16b, #12 + ext v11.16b, v11.16b, v11.16b, #8 + ext v16.16b, v16.16b, v16.16b, #4 
+ subs x6, x6, #1 + b.gt .Lopen_tail_128_rounds + cbz x4, .Lopen_tail_128_rounds_done + subs x4, x4, #1 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + b .Lopen_tail_128_rounds + +.Lopen_tail_128_rounds_done: + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v16.4s, v16.4s, v30.4s + add v15.4s, v15.4s, v22.4s + add v16.4s, v16.4s, v23.4s + + ld1 {v20.16b - v23.16b}, [x1], #64 + + eor v20.16b, v20.16b, v1.16b + eor v21.16b, v21.16b, v6.16b + eor v22.16b, v22.16b, v11.16b + eor v23.16b, v23.16b, v16.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + sub x2, x2, #64 + + b .Lopen_tail_64_store + +.Lopen_tail_64: + // We just need a single block + mov v0.16b, v24.16b + mov v5.16b, v28.16b + mov v10.16b, v29.16b + mov v15.16b, v30.16b + eor v23.16b, v23.16b, v23.16b + ins v23.s[0], v25.s[0] + add v15.4s, v15.4s, v23.4s + + mov x6, #10 + sub x6, x6, x4 + +.Lopen_tail_64_rounds: + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli 
v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #4 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #12 + add v0.4s, v0.4s, v5.4s + eor v15.16b, v15.16b, v0.16b + rev32 v15.8h, v15.8h + + add v10.4s, v10.4s, v15.4s + eor v5.16b, v5.16b, v10.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + add v0.4s, v0.4s, v20.4s + eor v15.16b, v15.16b, v0.16b + tbl v15.16b, {v15.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + eor v20.16b, v20.16b, v10.16b + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + ext v5.16b, v5.16b, v5.16b, #12 + ext v10.16b, v10.16b, v10.16b, #8 + ext v15.16b, v15.16b, v15.16b, #4 + subs x6, x6, #1 + b.gt .Lopen_tail_64_rounds + cbz x4, .Lopen_tail_64_rounds_done + subs x4, x4, #1 + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + b .Lopen_tail_64_rounds + +.Lopen_tail_64_rounds_done: + add v0.4s, v0.4s, v24.4s + add v5.4s, v5.4s, v28.4s + add v10.4s, v10.4s, v29.4s + add v15.4s, v15.4s, v30.4s + add v15.4s, v15.4s, v23.4s + +.Lopen_tail_64_store: 
+ cmp x2, #16 + b.lt .Lopen_tail_16 + + ld1 {v20.16b}, [x1], #16 + eor v20.16b, v20.16b, v0.16b + st1 {v20.16b}, [x0], #16 + mov v0.16b, v5.16b + mov v5.16b, v10.16b + mov v10.16b, v15.16b + sub x2, x2, #16 + b .Lopen_tail_64_store + +.Lopen_tail_16: + // Here we handle the last [0,16) bytes that require a padded block + cbz x2, .Lopen_finalize + + eor v20.16b, v20.16b, v20.16b // Use T0 to load the ciphertext + eor v21.16b, v21.16b, v21.16b // Use T1 to generate an AND mask + not v22.16b, v20.16b + + add x7, x1, x2 + mov x6, x2 + +.Lopen_tail_16_compose: + ext v20.16b, v20.16b, v20.16b, #15 + ldrb w11, [x7, #-1]! + mov v20.b[0], w11 + ext v21.16b, v22.16b, v21.16b, #15 + subs x2, x2, #1 + b.gt .Lopen_tail_16_compose + + and v20.16b, v20.16b, v21.16b + // Hash in the final padded block + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + eor v20.16b, v20.16b, v0.16b + +.Lopen_tail_16_store: + umov w11, v20.b[0] + strb w11, [x0], #1 + ext v20.16b, v20.16b, v20.16b, #1 + subs x6, x6, #1 + b.gt .Lopen_tail_16_store + +.Lopen_finalize: + mov x11, v31.d[0] + mov x12, v31.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = 
[acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + # Final reduction step + sub x12, xzr, x15 + orr x13, xzr, #3 + subs x11, x8, #-5 + sbcs x12, x9, x12 + sbcs x13, x10, x13 + csel x8, x11, x8, cs + csel x9, x12, x9, cs + csel x10, x13, x10, cs + mov x11, v27.d[0] + mov x12, v27.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + + stp x8, x9, [x5] + + ldp d8, d9, [sp, #16] + ldp d10, d11, [sp, #32] + ldp d12, d13, [sp, #48] + ldp d14, d15, [sp, #64] +.cfi_restore b15 +.cfi_restore b14 +.cfi_restore b13 +.cfi_restore b12 +.cfi_restore b11 +.cfi_restore b10 +.cfi_restore b9 +.cfi_restore b8 + ldp x29, x30, [sp], 80 +.cfi_restore w29 +.cfi_restore w30 +.cfi_def_cfa_offset 0 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.Lopen_128: + // On some architectures preparing 5 blocks for small buffers is wasteful + eor v25.16b, v25.16b, v25.16b + mov x11, #1 + mov v25.s[0], w11 + mov v0.16b, v24.16b + mov v1.16b, v24.16b + mov v2.16b, v24.16b + mov v5.16b, v28.16b + mov v6.16b, v28.16b + mov v7.16b, v28.16b + mov v10.16b, v29.16b + mov v11.16b, v29.16b + mov v12.16b, v29.16b + mov v17.16b, v30.16b + add v15.4s, v17.4s, v25.4s + add v16.4s, v15.4s, v25.4s + + mov x6, #10 + +.Lopen_128_rounds: + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor 
v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #4 + ext v6.16b, v6.16b, v6.16b, #4 + ext v7.16b, v7.16b, v7.16b, #4 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #12 + ext v16.16b, v16.16b, v16.16b, #12 + ext v17.16b, v17.16b, v17.16b, #12 + add v0.4s, v0.4s, v5.4s + add v1.4s, v1.4s, v6.4s + add v2.4s, v2.4s, v7.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + rev32 v15.8h, v15.8h + rev32 v16.8h, v16.8h + rev32 v17.8h, v17.8h + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v5.16b, v5.16b, v10.16b + eor v6.16b, v6.16b, v11.16b + eor v7.16b, v7.16b, v12.16b + ushr v20.4s, v5.4s, #20 + sli v20.4s, v5.4s, #12 + ushr v5.4s, v6.4s, #20 + sli v5.4s, v6.4s, #12 + ushr v6.4s, v7.4s, #20 + sli v6.4s, v7.4s, #12 + + add v0.4s, v0.4s, v20.4s + add v1.4s, v1.4s, 
v5.4s + add v2.4s, v2.4s, v6.4s + eor v15.16b, v15.16b, v0.16b + eor v16.16b, v16.16b, v1.16b + eor v17.16b, v17.16b, v2.16b + tbl v15.16b, {v15.16b}, v26.16b + tbl v16.16b, {v16.16b}, v26.16b + tbl v17.16b, {v17.16b}, v26.16b + + add v10.4s, v10.4s, v15.4s + add v11.4s, v11.4s, v16.4s + add v12.4s, v12.4s, v17.4s + eor v20.16b, v20.16b, v10.16b + eor v5.16b, v5.16b, v11.16b + eor v6.16b, v6.16b, v12.16b + ushr v7.4s, v6.4s, #25 + sli v7.4s, v6.4s, #7 + ushr v6.4s, v5.4s, #25 + sli v6.4s, v5.4s, #7 + ushr v5.4s, v20.4s, #25 + sli v5.4s, v20.4s, #7 + + ext v5.16b, v5.16b, v5.16b, #12 + ext v6.16b, v6.16b, v6.16b, #12 + ext v7.16b, v7.16b, v7.16b, #12 + + ext v10.16b, v10.16b, v10.16b, #8 + ext v11.16b, v11.16b, v11.16b, #8 + ext v12.16b, v12.16b, v12.16b, #8 + + ext v15.16b, v15.16b, v15.16b, #4 + ext v16.16b, v16.16b, v16.16b, #4 + ext v17.16b, v17.16b, v17.16b, #4 + subs x6, x6, #1 + b.hi .Lopen_128_rounds + + add v0.4s, v0.4s, v24.4s + add v1.4s, v1.4s, v24.4s + add v2.4s, v2.4s, v24.4s + + add v5.4s, v5.4s, v28.4s + add v6.4s, v6.4s, v28.4s + add v7.4s, v7.4s, v28.4s + + add v10.4s, v10.4s, v29.4s + add v11.4s, v11.4s, v29.4s + + add v30.4s, v30.4s, v25.4s + add v15.4s, v15.4s, v30.4s + add v30.4s, v30.4s, v25.4s + add v16.4s, v16.4s, v30.4s + + and v2.16b, v2.16b, v27.16b + mov x16, v2.d[0] // Move the R key to GPRs + mov x17, v2.d[1] + mov v27.16b, v7.16b // Store the S key + + bl .Lpoly_hash_ad_internal + +.Lopen_128_store: + cmp x2, #64 + b.lt .Lopen_128_store_64 + + ld1 {v20.16b - v23.16b}, [x1], #64 + + mov x11, v20.d[0] + mov x12, v20.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + 
adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v21.d[0] + mov x12, v21.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v22.d[0] + mov x12, v22.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + 
adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + mov x11, v23.d[0] + mov x12, v23.d[1] + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + + eor v20.16b, v20.16b, v0.16b + eor v21.16b, v21.16b, v5.16b + eor v22.16b, v22.16b, v10.16b + eor v23.16b, v23.16b, v15.16b + + st1 {v20.16b - v23.16b}, [x0], #64 + + sub x2, x2, #64 + + mov v0.16b, v1.16b + mov v5.16b, v6.16b + mov v10.16b, v11.16b + mov v15.16b, v16.16b + +.Lopen_128_store_64: + + lsr x4, x2, #4 + mov x3, x1 + +.Lopen_128_hash_64: + cbz x4, .Lopen_tail_64_store + ldp x11, x12, [x3], 16 + adds x8, x8, x11 + adcs x9, x9, x12 + adc x10, x10, x15 + mul x11, x8, x16 // [t2:t1:t0] = [acc2:acc1:acc0] * r0 + umulh x12, x8, x16 + mul x13, x9, x16 + umulh x14, x9, x16 + adds x12, x12, x13 + mul x13, x10, x16 + adc x13, x13, x14 + mul x14, x8, x17 // [t3:t2:t1:t0] = [acc2:acc1:acc0] * [r1:r0] + umulh x8, x8, x17 + adds x12, x12, x14 + mul x14, x9, x17 + umulh x9, x9, x17 + adcs x14, x14, x8 + mul x10, x10, x17 + adc x10, x10, x9 + adds x13, x13, x14 + adc x14, x10, xzr + and x10, x13, #3 // At this point acc2 is 2 bits at most (value of 3) + and x8, x13, #-4 + extr x13, x14, x13, #2 + adds x8, x8, x11 + lsr 
x11, x14, #2 + adc x9, x14, x11 // No carry out since t0 is 61 bits and t3 is 63 bits + adds x8, x8, x13 + adcs x9, x9, x12 + adc x10, x10, xzr // At this point acc2 has the value of 4 at most + sub x4, x4, #1 + b .Lopen_128_hash_64 +.cfi_endproc +.size chacha20_poly1305_open,.-chacha20_poly1305_open +#endif +#endif // !OPENSSL_NO_ASM +.section .note.GNU-stack,"",%progbits +#endif // defined(__aarch64__) && defined(__linux__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.linux.x86_64.S index 2d1b5160..728a9f71 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.mac.x86_64.S index 14e99269..15ba0bc5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/chacha20_poly1305_x86_64.mac.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/cipher_extra.c b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/cipher_extra.c index fdb4ad37..6248ef6b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/cipher_extra.c +++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/cipher_extra.c 
@@ -67,25 +67,42 @@
 #include "../internal.h"
+static const struct {
+  int nid;
+  const char *name;
+  const EVP_CIPHER *(*func)(void);
+} kCiphers[] = {
+    {NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc},
+    {NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr},
+    {NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb},
+    {NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm},
+    {NID_aes_128_ofb128, "aes-128-ofb", EVP_aes_128_ofb},
+    {NID_aes_192_cbc, "aes-192-cbc", EVP_aes_192_cbc},
+    {NID_aes_192_ctr, "aes-192-ctr", EVP_aes_192_ctr},
+    {NID_aes_192_ecb, "aes-192-ecb", EVP_aes_192_ecb},
+    {NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm},
+    {NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb},
+    {NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc},
+    {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
+    {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
+    {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
+    {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb},
+    {NID_des_cbc, "des-cbc", EVP_des_cbc},
+    {NID_des_ecb, "des-ecb", EVP_des_ecb},
+    {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc},
+    {NID_des_ede_ecb, "des-ede", EVP_des_ede},
+    {NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc},
+    {NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc},
+    {NID_rc4, "rc4", EVP_rc4},
+};
+
 const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
-  switch (nid) {
-    case NID_rc2_cbc:
-      return EVP_rc2_cbc();
-    case NID_rc2_40_cbc:
-      return EVP_rc2_40_cbc();
-    case NID_des_ede3_cbc:
-      return EVP_des_ede3_cbc();
-    case NID_des_ede_cbc:
-      return EVP_des_cbc();
-    case NID_aes_128_cbc:
-      return EVP_aes_128_cbc();
-    case NID_aes_192_cbc:
-      return EVP_aes_192_cbc();
-    case NID_aes_256_cbc:
-      return EVP_aes_256_cbc();
-    default:
-      return NULL;
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) {
+    if (kCiphers[i].nid == nid) {
+      return kCiphers[i].func();
+    }
   }
+  return NULL;
 }
 const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
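Review bot: The kCiphers table has no entry for NID_rc2_40_cbc, which the removed switch in EVP_get_cipherbynid resolved to EVP_rc2_40_cbc(), so that NID now returns NULL; 40-bit RC2 is the cipher legacy PKCS#12 files typically use for certificate bags, so callers that feed the pbe NID through this function will presumably lose decoding of those files. If EVP_rc2_40_cbc() is still exported (this hunk does not show whether it was kept), add `{NID_rc2_40_cbc, "rc2-40-cbc", EVP_rc2_40_cbc},` beside the rc2-cbc entry, which also makes it reachable from the by-name lookup that iterates the same table; if the drop is deliberate, say so in a comment above the table so the next reader does not treat it as an omission. The new NID_des_ede_cbc → EVP_des_ede_cbc mapping fixes the old switch, which returned the single-DES cipher for that NID, and should stay.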
@@ -93,54 +110,17 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) {
     return NULL;
   }
-  if (OPENSSL_strcasecmp(name, "rc4") == 0) {
-    return EVP_rc4();
-  } else if (OPENSSL_strcasecmp(name, "des-cbc") == 0) {
-    return EVP_des_cbc();
-  } else if (OPENSSL_strcasecmp(name, "des-ede3-cbc") == 0 ||
-             // This is not a name used by OpenSSL, but tcpdump registers it
-             // with |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a
-             // no-op, so we support the name here.
-             OPENSSL_strcasecmp(name, "3des") == 0) {
-    return EVP_des_ede3_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-cbc") == 0) {
-    return EVP_aes_128_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-cbc") == 0) {
-    return EVP_aes_192_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-cbc") == 0) {
-    return EVP_aes_256_cbc();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-ctr") == 0) {
-    return EVP_aes_128_ctr();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-ctr") == 0) {
-    return EVP_aes_192_ctr();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-ctr") == 0) {
-    return EVP_aes_256_ctr();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-ecb") == 0) {
-    return EVP_aes_128_ecb();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-ecb") == 0) {
-    return EVP_aes_192_ecb();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-ecb") == 0) {
-    return EVP_aes_256_ecb();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-gcm") == 0) {
-    return EVP_aes_128_gcm();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-gcm") == 0) {
-    return EVP_aes_192_gcm();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-gcm") == 0) {
-    return EVP_aes_256_gcm();
-  } else if (OPENSSL_strcasecmp(name, "aes-128-ofb") == 0) {
-    return EVP_aes_128_ofb();
-  } else if (OPENSSL_strcasecmp(name, "aes-192-ofb") == 0) {
-    return EVP_aes_192_ofb();
-  } else if (OPENSSL_strcasecmp(name, "aes-256-ofb") == 0) {
-    return EVP_aes_256_ofb();
-  } else if (OPENSSL_strcasecmp(name, "des-ecb") == 0) {
-    return EVP_des_ecb();
-  } else if (OPENSSL_strcasecmp(name, "des-ede") == 0) {
-    return EVP_des_ede();
-  } else if (OPENSSL_strcasecmp(name, "des-ede-cbc") == 0) {
-    return EVP_des_ede_cbc();
-  } else if (OPENSSL_strcasecmp(name, "rc2-cbc") == 0) {
-    return EVP_rc2_cbc();
+  // This is not a name used by OpenSSL, but tcpdump registers it with
+  // |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a no-op, so we
+  // support the name here.
+  if (OPENSSL_strcasecmp(name, "3des") == 0) {
+    name = "des-ede3-cbc";
+  }
+
+  for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kCiphers); i++) {
+    if (OPENSSL_strcasecmp(kCiphers[i].name, name) == 0) {
+      return kCiphers[i].func();
+    }
   }
   return NULL;
diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesccm.c b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesccm.c
index b83dc509..61347529 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesccm.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesccm.c
@@ -50,7 +50,6 @@
 #include
-#include
 #include
 #include
diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c
index 6baf3f80..9971fcd4 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_aesgcmsiv.c
@@ -17,11 +17,11 @@
 #include
 #include
-#include
 #include
 #include
 #include "../fipsmodule/cipher/internal.h"
+#include "../internal.h"
 #define EVP_AEAD_AES_GCM_SIV_NONCE_LEN 12
@@ -857,22 +857,15 @@ static const EVP_AEAD aead_aes_256_gcm_siv = {
 #if defined(AES_GCM_SIV_ASM)
-static char avx_aesni_capable(void) {
-  const uint32_t ecx = OPENSSL_ia32cap_P[1];
-
-  return (ecx & (1 << (57 - 32))) != 0 /* AESNI */ &&
-         (ecx & (1 << 28)) != 0 /* AVX */;
-}
-
 const EVP_AEAD *EVP_aead_aes_128_gcm_siv(void) {
-  if (avx_aesni_capable()) {
+  if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) {
     return &aead_aes_128_gcm_siv_asm;
   }
   return &aead_aes_128_gcm_siv;
 }
 const EVP_AEAD *EVP_aead_aes_256_gcm_siv(void) {
-  if (avx_aesni_capable()) {
+  if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) {
     return &aead_aes_256_gcm_siv_asm;
   }
   return &aead_aes_256_gcm_siv;
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_des.c b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c
similarity index 64%
rename from Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_des.c
rename to Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c
index e84c7b17..256a8a95 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_des.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/e_des.c
@@ -59,7 +59,6 @@
 #include
 #include "internal.h"
-#include "../delocate.h"
 typedef struct {
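Review bot: The CPU-feature condition is now written out twice, once in EVP_aead_aes_128_gcm_siv and once in EVP_aead_aes_256_gcm_siv, whereas the removed avx_aesni_capable() kept it in one place; keeping a single predicate, `static int avx_aesni_capable(void) { return CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable(); }`, called from both, prevents the two AEADs from drifting apart if the asm path ever gains another requirement. The removed helper also recorded exactly which CPUID bits it consulted (ECX bit 25 for AES-NI via `1 << (57 - 32)`, ECX bit 28 for AVX); the replacement delegates to CRYPTO_is_*_capable() from ../internal.h, and this hunk cannot show whether those helpers also fold in the OSXSAVE/XCR0 state that AVX use needs, so a one-line comment stating the feature set the assembly path requires would make the dispatch auditable. If the assembly also relies on PCLMULQDQ, neither the old nor the new check covers it, which is worth confirming against the .pl source.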
@@ -88,17 +87,21 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 return 1;
 }
-DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_des_cbc) {
- memset(out, 0, sizeof(EVP_CIPHER));
- out->nid = NID_des_cbc;
- out->block_size = 8;
- out->key_len = 8;
- out->iv_len = 8;
- out->ctx_size = sizeof(EVP_DES_KEY);
- out->flags = EVP_CIPH_CBC_MODE;
- out->init = des_init_key;
- out->cipher = des_cbc_cipher;
-}
+static const EVP_CIPHER evp_des_cbc = {
+ /* nid = */ NID_des_cbc,
+ /* block_size = */ 8,
+ /* key_len = */ 8,
+ /* iv_len = */ 8,
+ /* ctx_size = */ sizeof(EVP_DES_KEY),
+ /* flags = */ EVP_CIPH_CBC_MODE,
+ /* app_data = */ NULL,
+ /* init = */ des_init_key,
+ /* cipher = */ des_cbc_cipher,
+ /* cleanup = */ NULL,
+ /* ctrl = */ NULL,
+};
+
+const EVP_CIPHER *EVP_des_cbc(void) { return &evp_des_cbc; }
 static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 size_t in_len) {
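Review bot: The new `evp_des_cbc` initializer is positional, so it depends on the member order of `EVP_CIPHER` in its header; the `/* nid = */` style comments document the intent but nothing checks them, and inserting a member in the middle of the struct would silently shift every value after it. The old DEFINE_METHOD_FUNCTION body zeroed the struct with memset and then assigned members by name, which did not have that failure mode. If the project's C baseline permits designated initializers, `.nid = NID_des_cbc, .block_size = 8, ...` yields the same static const table with the member names checked by the compiler. The same applies to the evp_des_ecb, evp_des_ede3_cbc, evp_des_ede_cbc, evp_des_ede and evp_des_ede3 initializers in the following hunks of this file.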
@@ -107,25 +110,29 @@ static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in,
 }
 in_len -= ctx->cipher->block_size;
- EVP_DES_KEY *dat = (EVP_DES_KEY *) ctx->cipher_data;
+ EVP_DES_KEY *dat = (EVP_DES_KEY *)ctx->cipher_data;
 for (size_t i = 0; i <= in_len; i += ctx->cipher->block_size) {
- DES_ecb_encrypt((DES_cblock *) (in + i), (DES_cblock *) (out + i),
+ DES_ecb_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i),
 &dat->ks.ks, ctx->encrypt);
 }
 return 1;
 }
-DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_des_ecb) {
- memset(out, 0, sizeof(EVP_CIPHER));
- out->nid = NID_des_ecb;
- out->block_size = 8;
- out->key_len = 8;
- out->iv_len = 0;
- out->ctx_size = sizeof(EVP_DES_KEY);
- out->flags = EVP_CIPH_ECB_MODE;
- out->init = des_init_key;
- out->cipher = des_ecb_cipher;
-}
+static const EVP_CIPHER evp_des_ecb = {
+ /* nid = */ NID_des_ecb,
+ /* block_size = */ 8,
+ /* key_len = */ 8,
+ /* iv_len = */ 0,
+ /* ctx_size = */ sizeof(EVP_DES_KEY),
+ /* flags = */ EVP_CIPH_ECB_MODE,
+ /* app_data = */ NULL,
+ /* init = */ des_init_key,
+ /* cipher = */ des_ecb_cipher,
+ /* cleanup = */ NULL,
+ /* ctrl = */ NULL,
+};
+
+const EVP_CIPHER *EVP_des_ecb(void) { return &evp_des_ecb; }
 typedef struct {
 union {
@@ -137,7 +144,7 @@ typedef struct {
 static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 const uint8_t *iv, int enc) {
 DES_cblock *deskey = (DES_cblock *)key;
- DES_EDE_KEY *dat = (DES_EDE_KEY*) ctx->cipher_data;
+ DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
 DES_set_key(&deskey[0], &dat->ks.ks[0]);
 DES_set_key(&deskey[1], &dat->ks.ks[1]);
@@ -147,8 +154,8 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 }
 static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
- const uint8_t *in, size_t in_len) {
- DES_EDE_KEY *dat = (DES_EDE_KEY*) ctx->cipher_data;
+ const uint8_t *in, size_t in_len) {
+ DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
 DES_ede3_cbc_encrypt(in, out, in_len, &dat->ks.ks[0], &dat->ks.ks[1],
 &dat->ks.ks[2], (DES_cblock *)ctx->iv, ctx->encrypt);
@@ -156,22 +163,26 @@ static int des_ede3_cbc_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 return 1;
 }
-DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_des_ede3_cbc) {
- memset(out, 0, sizeof(EVP_CIPHER));
- out->nid = NID_des_ede3_cbc;
- out->block_size = 8;
- out->key_len = 24;
- out->iv_len = 8;
- out->ctx_size = sizeof(DES_EDE_KEY);
- out->flags = EVP_CIPH_CBC_MODE;
- out->init = des_ede3_init_key;
- out->cipher = des_ede3_cbc_cipher;
-}
+static const EVP_CIPHER evp_des_ede3_cbc = {
+ /* nid = */ NID_des_ede3_cbc,
+ /* block_size = */ 8,
+ /* key_len = */ 24,
+ /* iv_len = */ 8,
+ /* ctx_size = */ sizeof(DES_EDE_KEY),
+ /* flags = */ EVP_CIPH_CBC_MODE,
+ /* app_data = */ NULL,
+ /* init = */ des_ede3_init_key,
+ /* cipher = */ des_ede3_cbc_cipher,
+ /* cleanup = */ NULL,
+ /* ctrl = */ NULL,
+};
+
+const EVP_CIPHER *EVP_des_ede3_cbc(void) { return &evp_des_ede3_cbc; }
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
- const uint8_t *iv, int enc) {
- DES_cblock *deskey = (DES_cblock *) key;
- DES_EDE_KEY *dat = (DES_EDE_KEY *) ctx->cipher_data;
+ const uint8_t *iv, int enc) {
+ DES_cblock *deskey = (DES_cblock *)key;
+ DES_EDE_KEY *dat = (DES_EDE_KEY *)ctx->cipher_data;
 DES_set_key(&deskey[0], &dat->ks.ks[0]);
 DES_set_key(&deskey[1], &dat->ks.ks[1]);
@@ -180,17 +191,21 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key,
 return 1;
 }
-DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_des_ede_cbc) {
- memset(out, 0, sizeof(EVP_CIPHER));
- out->nid = NID_des_ede_cbc;
- out->block_size = 8;
- out->key_len = 16;
- out->iv_len = 8;
- out->ctx_size = sizeof(DES_EDE_KEY);
- out->flags = EVP_CIPH_CBC_MODE;
- out->init = des_ede_init_key;
- out->cipher = des_ede3_cbc_cipher;
-}
+static const EVP_CIPHER evp_des_ede_cbc = {
+ /* nid = */ NID_des_ede_cbc,
+ /* block_size = */ 8,
+ /* key_len = */ 16,
+ /* iv_len = */ 8,
+ /* ctx_size = */ sizeof(DES_EDE_KEY),
+ /* flags = */ EVP_CIPH_CBC_MODE,
+ /* app_data = */ NULL,
+ /* init = */ des_ede_init_key,
+ /* cipher = */ des_ede3_cbc_cipher,
+ /* cleanup = */ NULL,
+ /* ctrl = */ NULL,
+};
+
+const EVP_CIPHER *EVP_des_ede_cbc(void) { return &evp_des_ede_cbc; }
 static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 const uint8_t *in, size_t in_len) {
@@ -208,30 +223,36 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, uint8_t *out,
 return 1;
 }
-DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_des_ede) {
- memset(out, 0, sizeof(EVP_CIPHER));
- out->nid = NID_des_ede_ecb;
- out->block_size = 8;
- out->key_len = 16;
- out->iv_len = 0;
- out->ctx_size = sizeof(DES_EDE_KEY);
- out->flags = EVP_CIPH_ECB_MODE;
- out->init = des_ede_init_key;
- out->cipher = des_ede_ecb_cipher;
-}
+static const EVP_CIPHER evp_des_ede = {
+ /* nid = */ NID_des_ede_ecb,
+ /* block_size = */ 8,
+ /* key_len = */ 16,
+ /* iv_len = */ 0,
+ /* ctx_size = */ sizeof(DES_EDE_KEY),
+ /* flags = */ EVP_CIPH_ECB_MODE,
+ /* app_data = */ NULL,
+ /* init = */ des_ede_init_key,
+ /* cipher = */ des_ede_ecb_cipher,
+ /* cleanup = */ NULL,
+ /* ctrl = */ NULL,
+};
-DEFINE_METHOD_FUNCTION(EVP_CIPHER, EVP_des_ede3) {
- memset(out, 0, sizeof(EVP_CIPHER));
- out->nid = NID_des_ede3_ecb;
- out->block_size = 8;
- out->key_len = 24;
- out->iv_len = 0;
- out->ctx_size = sizeof(DES_EDE_KEY);
- out->flags = EVP_CIPH_ECB_MODE;
- out->init = des_ede3_init_key;
- out->cipher = des_ede_ecb_cipher;
-}
+const EVP_CIPHER *EVP_des_ede(void) { return &evp_des_ede; }
-const EVP_CIPHER* EVP_des_ede3_ecb(void) {
- return EVP_des_ede3();
-}
+static const EVP_CIPHER evp_des_ede3 = {
+ /* nid = */ NID_des_ede3_ecb,
+ /* block_size = */ 8,
+ /* key_len = */ 24,
+ /* iv_len = */ 0,
+ /* ctx_size = */ sizeof(DES_EDE_KEY),
+ /* flags = */ EVP_CIPH_ECB_MODE,
+ /* app_data = */ NULL,
+ /* init = */ des_ede3_init_key,
+ /* cipher = */ des_ede_ecb_cipher,
+ /* cleanup = */ NULL,
+ /* ctrl = */ NULL,
+};
+
+const EVP_CIPHER *EVP_des_ede3(void) { return &evp_des_ede3; }
+
+const EVP_CIPHER *EVP_des_ede3_ecb(void) { return EVP_des_ede3(); }
diff --git a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/internal.h b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/internal.h
index 7ab1c17b..f99ef0f6 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cipher_extra/internal.h
+++ b/Sources/CJWTKitBoringSSL/crypto/cipher_extra/internal.h
@@ -60,7 +60,6 @@
 #include
 #include
-#include
 #include
 #include "../internal.h"
@@ -164,7 +163,8 @@ union chacha20_poly1305_seal_data {
 } out;
 };
-#if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM)
+#if (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \
+ !defined(OPENSSL_NO_ASM)
 OPENSSL_STATIC_ASSERT(sizeof(union chacha20_poly1305_open_data) == 48,
 "wrong chacha20_poly1305_open_data size");
@@ -172,11 +172,14 @@ OPENSSL_STATIC_ASSERT(sizeof(union chacha20_poly1305_seal_data) == 48 + 8 + 8,
 "wrong chacha20_poly1305_seal_data size");
 OPENSSL_INLINE int chacha20_poly1305_asm_capable(void) {
- const int sse41_capable = (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0;
- return sse41_capable;
+#if defined(OPENSSL_X86_64)
+ return CRYPTO_is_SSE4_1_capable();
+#elif defined(OPENSSL_AARCH64)
+ return CRYPTO_is_NEON_capable();
+#endif
 }
-// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It decrypts
+// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts
 // |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|.
 // Additional input parameters are passed in |aead_data->in|. On exit, it will
 // write calculated tag value to |aead_data->out.tag|, which the caller must
@@ -187,7 +190,7 @@ extern void chacha20_poly1305_open(uint8_t *out_plaintext,
 size_t ad_len,
 union chacha20_poly1305_open_data *data);
-// chacha20_poly1305_open is defined in chacha20_poly1305_x86_64.pl. It encrypts
+// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts
 // |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|.
 // Additional input parameters are passed in |aead_data->in|. The calculated tag
 // value is over the computed ciphertext concatenated with |extra_ciphertext|
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c
new file mode 100644
index 00000000..d1ace02f
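Review bot: The comment rewritten in the last hunk still names the wrong routine: it reads `// chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts`, but the text that follows (encrypts |plaintext|, writes |out_ciphertext|, tag over the ciphertext plus |extra_ciphertext|) describes the seal routine, so it should read `// chacha20_poly1305_seal is defined in chacha20_poly1305_*.pl. It encrypts`. The declaration that comment belongs to lies outside the hunk. Separately, chacha20_poly1305_asm_capable now ends without a return when neither OPENSSL_X86_64 nor OPENSSL_AARCH64 is defined; that is presumably unreachable under the enclosing guard widened two hunks earlier, but a trailing `#else` with `return 0;` would keep the function self-contained and avoid a missing-return warning if that guard is ever changed.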
--- /dev/null
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_apple.c
@@ -0,0 +1,72 @@
+/* Copyright (c) 2021, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include "internal.h"
+
+#if defined(OPENSSL_AARCH64) && defined(OPENSSL_APPLE) && \
+ !defined(OPENSSL_STATIC_ARMCAP)
+
+#include
+#include
+
+#include
+
+
+extern uint32_t OPENSSL_armcap_P;
+
+static int has_hw_feature(const char *name) {
+ int value;
+ size_t len = sizeof(value);
+ if (sysctlbyname(name, &value, &len, NULL, 0) != 0) {
+ return 0;
+ }
+ if (len != sizeof(int)) {
+ // This should not happen. All the values queried should be integer-valued.
+ assert(0);
+ return 0;
+ }
+
+ // Per sys/sysctl.h:
+ //
+ // Selectors that return errors are not support on the system. Supported
+ // features will return 1 if they are recommended or 0 if they are supported
+ // but are not expected to help performance. Future versions of these
+ // selectors may return larger values as necessary so it is best to test for
+ // non zero.
+ return value != 0;
+}
+
+void OPENSSL_cpuid_setup(void) {
+ // Apple ARM64 platforms have NEON and cryptography extensions available
+ // statically, so we do not need to query them. In particular, there sometimes
+ // are no sysctls corresponding to such features. See below.
+#if !defined(__ARM_NEON) || !defined(__ARM_FEATURE_AES) || \
+ !defined(__ARM_FEATURE_SHA2)
+#error "NEON and crypto extensions should be statically available."
+#endif
+ OPENSSL_armcap_P =
+ ARMV7_NEON | ARMV8_AES | ARMV8_PMULL | ARMV8_SHA1 | ARMV8_SHA256;
+
+ // macOS has sysctls named both like "hw.optional.arm.FEAT_SHA512" and like
+ // "hw.optional.armv8_2_sha512". There does not appear to be documentation on
+ // which to use. The "armv8_2_sha512" style omits statically-available
+ // features, while the "FEAT_SHA512" style includes them. However, the
+ // "FEAT_SHA512" style was added in macOS 12, so we use the older style for
+ // better compatibility and handle static features above.
+ if (has_hw_feature("hw.optional.armv8_2_sha512")) {
+ OPENSSL_armcap_P |= ARMV8_SHA512;
+ }
+}
+
+#endif // OPENSSL_AARCH64 && OPENSSL_APPLE && !OPENSSL_STATIC_ARMCAP
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-fuchsia.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c
similarity index 81%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-fuchsia.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c
index 8908f2e8..1f3b31a3 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-fuchsia.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_fuchsia.c
@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_FUCHSIA) && \
 !defined(OPENSSL_STATIC_ARMCAP)
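Review bot: has_hw_feature has no header comment, and its contract is easy to misread because the sysctl's three states (selector absent, present but zero, non-zero) are folded into one int; suggest `// has_hw_feature returns one if the |hw.optional.*| sysctl |name| exists and reports a non-zero value, and zero otherwise, including when the selector is unknown to this OS version.` above the definition. It is also worth saying next to `assert(0)` that in release builds the length mismatch degrades to a plain `return 0`, i.e. the feature is treated as absent rather than aborting, which is the conservative choice for a capability probe. The static ARMV7_NEON|ARMV8_AES|... assignment in OPENSSL_cpuid_setup is justified by the preceding `#error` guard, which is the right place for that reasoning.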
@@ -23,16 +23,14 @@
 #include
-#include "internal.h"
-
 extern uint32_t OPENSSL_armcap_P;
 void OPENSSL_cpuid_setup(void) {
 uint32_t hwcap;
 zx_status_t rc = zx_system_get_features(ZX_FEATURE_KIND_CPU, &hwcap);
 if (rc != ZX_OK || (hwcap & ZX_ARM64_FEATURE_ISA_ASIMD) == 0) {
- // Matching OpenSSL, if NEON/ASIMD is missing, don't report other features
- // either.
+ // If NEON/ASIMD is missing, don't report other features either. This
+ // matches OpenSSL, and the other features depend on SIMD registers.
 return;
 }
@@ -47,9 +45,12 @@ void OPENSSL_cpuid_setup(void) {
 if (hwcap & ZX_ARM64_FEATURE_ISA_SHA1) {
 OPENSSL_armcap_P |= ARMV8_SHA1;
 }
- if (hwcap & ZX_ARM64_FEATURE_ISA_SHA2) {
+ if (hwcap & ZX_ARM64_FEATURE_ISA_SHA256) {
 OPENSSL_armcap_P |= ARMV8_SHA256;
 }
+ if (hwcap & ZX_ARM64_FEATURE_ISA_SHA512) {
+ OPENSSL_armcap_P |= ARMV8_SHA512;
+ }
 }
-#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP
+#endif // OPENSSL_AARCH64 && OPENSSL_FUCHSIA && !OPENSSL_STATIC_ARMCAP
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-linux.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c
similarity index 90%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-linux.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c
index a3508656..9389d8c2 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-linux.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_linux.c
@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_LINUX) && \
 !defined(OPENSSL_STATIC_ARMCAP)
@@ -21,8 +21,6 @@
 #include
-#include "internal.h"
-
 extern uint32_t OPENSSL_armcap_P;
@@ -36,6 +34,7 @@ void OPENSSL_cpuid_setup(void) {
 static const unsigned long kPMULL = 1 << 4;
 static const unsigned long kSHA1 = 1 << 5;
 static const unsigned long kSHA256 = 1 << 6;
+ static const unsigned long kSHA512 = 1 << 21;
 if ((hwcap & kNEON) == 0) {
 // Matching OpenSSL, if NEON is missing, don't report other features
@@ -57,6 +56,9 @@ void OPENSSL_cpuid_setup(void) {
 if (hwcap & kSHA256) {
 OPENSSL_armcap_P |= ARMV8_SHA256;
 }
+ if (hwcap & kSHA512) {
+ OPENSSL_armcap_P |= ARMV8_SHA512;
+ }
 }
-#endif // OPENSSL_AARCH64 && !OPENSSL_STATIC_ARMCAP
+#endif // OPENSSL_AARCH64 && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-win.c b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c
similarity index 88%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-win.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c
index 5b1ad5e4..a67ff364 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-aarch64-win.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_aarch64_win.c
@@ -13,7 +13,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include "internal.h"
 #if defined(OPENSSL_AARCH64) && defined(OPENSSL_WINDOWS) && \
 !defined(OPENSSL_STATIC_ARMCAP)
@@ -22,8 +22,6 @@
 #include
-#include "internal.h"
-
 extern uint32_t OPENSSL_armcap_P;
 void OPENSSL_cpuid_setup(void) {
 // We do not need to check for the presence of NEON, as Armv8-A always has it
@@ -36,6 +34,8 @@ void OPENSSL_cpuid_setup(void) {
 OPENSSL_armcap_P |= ARMV8_SHA1;
 OPENSSL_armcap_P |= ARMV8_SHA256;
 }
+ // As of writing, Windows does not have a |PF_*| value for ARMv8.2 SHA-512
+ // extensions. When it does, add it here.
 }
-#endif
+#endif // OPENSSL_AARCH64 && OPENSSL_WINDOWS && !OPENSSL_STATIC_ARMCAP
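Review bot: `static const unsigned long kSHA512 = 1 << 21;` in the first Linux hunk is a bare bit position like its siblings, and nothing in the hunk says where 21 comes from; unless the comment above the constant block (outside the hunk) already maps these to the kernel's `HWCAP_*` names, a trailing `// HWCAP_SHA512 in asm/hwcap.h` on the new line lets a reader verify the bit without recomputing it. The new `if (hwcap & kSHA512)` block in the second hunk follows the pattern of the SHA1/SHA256 branches and, like them, is presumably only reached after the NEON early-out, so it stays consistent with the Fuchsia and Apple variants in this commit.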
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-arm.c b/Sources/CJWTKitBoringSSL/crypto/cpu_arm.c
similarity index 97%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-arm.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_arm.c
index 0336ad0f..1d1b5867 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-arm.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_arm.c
@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include "internal.h"
 #if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \
 !defined(OPENSSL_STATIC_ARMCAP)
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-arm-linux.c b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c
similarity index 96%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-arm-linux.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c
index a1ffd352..cc497a2c 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-arm-linux.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.c
@@ -12,9 +12,10 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include "internal.h"
-#if defined(OPENSSL_ARM) && !defined(OPENSSL_STATIC_ARMCAP)
+#if defined(OPENSSL_ARM) && defined(OPENSSL_LINUX) && \
+ !defined(OPENSSL_STATIC_ARMCAP)
 #include
 #include
 #include
@@ -23,7 +24,7 @@
 #include
 #include
-#include "cpu-arm-linux.h"
+#include "cpu_arm_linux.h"
 #define AT_HWCAP 16
 #define AT_HWCAP2 26
@@ -226,4 +227,4 @@ int CRYPTO_has_broken_NEON(void) { return g_has_broken_neon; }
 int CRYPTO_needs_hwcap2_workaround(void) { return g_needs_hwcap2_workaround; }
-#endif // OPENSSL_ARM && !OPENSSL_STATIC_ARMCAP
+#endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-arm-linux.h b/Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.h
similarity index 100%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-arm-linux.h
rename to Sources/CJWTKitBoringSSL/crypto/cpu_arm_linux.h
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-intel.c b/Sources/CJWTKitBoringSSL/crypto/cpu_intel.c
similarity index 99%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-intel.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_intel.c
index fa745530..c061e57e 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-intel.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_intel.c
@@ -54,8 +54,7 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.] */
-#include
-
+#include
 #if !defined(OPENSSL_NO_ASM) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64))
diff --git a/Sources/CJWTKitBoringSSL/crypto/cpu-ppc64le.c b/Sources/CJWTKitBoringSSL/crypto/cpu_ppc64le.c
similarity index 97%
rename from Sources/CJWTKitBoringSSL/crypto/cpu-ppc64le.c
rename to Sources/CJWTKitBoringSSL/crypto/cpu_ppc64le.c
index 21b2ba49..9df9f5c5 100644
--- a/Sources/CJWTKitBoringSSL/crypto/cpu-ppc64le.c
+++ b/Sources/CJWTKitBoringSSL/crypto/cpu_ppc64le.c
@@ -12,7 +12,7 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
-#include
+#include
 #if defined(OPENSSL_PPC64LE)
diff --git a/Sources/CJWTKitBoringSSL/crypto/crypto.c b/Sources/CJWTKitBoringSSL/crypto/crypto.c
index 852772d4..0edf2051 100644
--- a/Sources/CJWTKitBoringSSL/crypto/crypto.c
+++ b/Sources/CJWTKitBoringSSL/crypto/crypto.c
@@ -14,8 +14,6 @@
 #include
-#include
-
 #include "fipsmodule/rand/fork_detect.h"
 #include "fipsmodule/rand/internal.h"
 #include "internal.h"
@@ -88,22 +86,31 @@ HIDDEN unsigned long OPENSSL_ppc64le_hwcap2 = 0;
 #if defined(OPENSSL_STATIC_ARMCAP)
+// See ARM ACLE for the definitions of these macros. Note |__ARM_FEATURE_AES|
+// covers both AES and PMULL and |__ARM_FEATURE_SHA2| covers SHA-1 and SHA-256.
+// https://developer.arm.com/architectures/system-architectures/software-standards/acle
+// https://github.com/ARM-software/acle/issues/152
+//
+// TODO(davidben): Do we still need |OPENSSL_STATIC_ARMCAP_*| or are the
+// standard flags and -march sufficient?
 HIDDEN uint32_t OPENSSL_armcap_P =
-#if defined(OPENSSL_STATIC_ARMCAP_NEON) || \
- (defined(__ARM_NEON__) || defined(__ARM_NEON))
+#if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON)
 ARMV7_NEON |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_CRYPTO)
+#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_AES)
 ARMV8_AES |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_CRYPTO)
+#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_AES)
+ ARMV8_PMULL |
+#endif
+#if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2)
 ARMV8_SHA1 |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_CRYPTO)
+#if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2)
 ARMV8_SHA256 |
 #endif
-#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_CRYPTO)
- ARMV8_PMULL |
+#if defined(__ARM_FEATURE_SHA512)
+ ARMV8_SHA512 |
 #endif
 0;
diff --git a/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c
index 8ef5dd47..273bc22f 100644
--- a/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c
+++ b/Sources/CJWTKitBoringSSL/crypto/curve25519/curve25519.c
@@ -24,7 +24,6 @@
 #include
 #include
-#include
 #include
 #include
 #include
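Review bot: The new SHA-512 entry is gated only on `__ARM_FEATURE_SHA512`, with no `OPENSSL_STATIC_ARMCAP_SHA512` alternative, while every other feature in this initializer accepts either the compiler macro or an `OPENSSL_STATIC_ARMCAP_*` define; a build that relies on the explicit defines rather than `-march` therefore cannot advertise ARMV8_SHA512 statically, even though the runtime-detection files in this commit do set it. Either make the condition symmetric, `#if defined(OPENSSL_STATIC_ARMCAP_SHA512) || defined(__ARM_FEATURE_SHA512)`, or state in the new comment block that SHA-512 is intentionally compiler-macro only until the TODO about retiring the `OPENSSL_STATIC_ARMCAP_*` flags is resolved. The comment's note that `__ARM_FEATURE_AES` covers PMULL and `__ARM_FEATURE_SHA2` covers SHA-1 is what justifies the reordered PMULL block, so it is worth keeping next to the initializer.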
@@ -37,6 +36,10 @@
 // Various pre-computed constants.
 #include "./curve25519_tables.h"
+#if defined(OPENSSL_NO_ASM)
+#define FIAT_25519_NO_ASM
+#endif
+
 #if defined(BORINGSSL_CURVE25519_64BIT)
 #include "../../third_party/fiat/curve25519_64.h"
 #else
@@ -503,27 +506,21 @@ static void ge_p3_tobytes(uint8_t s[32], const ge_p3 *h) {
 int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t s[32]) {
 fe u;
 fe_loose v;
- fe v3;
+ fe w;
 fe vxx;
 fe_loose check;
 fe_frombytes(&h->Y, s);
 fe_1(&h->Z);
- fe_sq_tt(&v3, &h->Y);
- fe_mul_ttt(&vxx, &v3, &d);
- fe_sub(&v, &v3, &h->Z); // u = y^2-1
+ fe_sq_tt(&w, &h->Y);
+ fe_mul_ttt(&vxx, &w, &d);
+ fe_sub(&v, &w, &h->Z); // u = y^2-1
 fe_carry(&u, &v);
 fe_add(&v, &vxx, &h->Z); // v = dy^2+1
- fe_sq_tl(&v3, &v);
- fe_mul_ttl(&v3, &v3, &v); // v3 = v^3
- fe_sq_tt(&h->X, &v3);
- fe_mul_ttl(&h->X, &h->X, &v);
- fe_mul_ttt(&h->X, &h->X, &u); // x = uv^7
-
- fe_pow22523(&h->X, &h->X); // x = (uv^7)^((q-5)/8)
- fe_mul_ttt(&h->X, &h->X, &v3);
- fe_mul_ttt(&h->X, &h->X, &u); // x = uv^3(uv^7)^((q-5)/8)
+ fe_mul_ttl(&w, &u, &v); // w = u*v
+ fe_pow22523(&h->X, &w); // x = w^((q-5)/8)
+ fe_mul_ttt(&h->X, &h->X, &u); // x = u*w^((q-5)/8)
 fe_sq_tt(&vxx, &h->X);
 fe_mul_ttl(&vxx, &vxx, &v);
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/des/des.c b/Sources/CJWTKitBoringSSL/crypto/des/des.c
similarity index 98%
rename from Sources/CJWTKitBoringSSL/crypto/fipsmodule/des/des.c
rename to Sources/CJWTKitBoringSSL/crypto/des/des.c
index e759078a..8ba98c60 100644
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/des/des.c
+++ b/Sources/CJWTKitBoringSSL/crypto/des/des.c
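Review bot: The rewritten decoding in x25519_ge_frombytes_vartime replaces the ref10-style derivation comments (`x = uv^7`, `x = uv^3(uv^7)^((q-5)/8)`) with `w = u*v` and `x = u*w^((q-5)/8)`, but no longer says why this x is a square-root candidate for u/v, which is the property the `vxx = x^2 * v` computation at the end of the hunk exists to check. A short comment above the `fe_mul_ttl(&w, &u, &v)` line, stating that with q = 5 mod 8 this x satisfies x^2 * v = u * (uv)^((q-1)/4), i.e. u times a fourth root of unity, so the comparisons that follow can accept x, accept x * sqrt(-1), or reject, would preserve what the old comments conveyed. Those comparisons and the rest of the function are outside the hunk, so I have not verified them here.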
@@ -342,10 +342,10 @@ void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule) {
 // table contained 0213 4657
 t2 = ((t << 16L) | (s & 0x0000ffffL)) & 0xffffffffL;
- schedule->subkeys[i][0] = ROTATE(t2, 30) & 0xffffffffL;
+ schedule->subkeys[i][0] = CRYPTO_rotr_u32(t2, 30);
 t2 = ((s >> 16L) | (t & 0xffff0000L));
- schedule->subkeys[i][1] = ROTATE(t2, 26) & 0xffffffffL;
+ schedule->subkeys[i][1] = CRYPTO_rotr_u32(t2, 26);
 }
 }
@@ -392,8 +392,8 @@ static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) {
 // <71755.204@CompuServe.COM> for pointing this out.
 // clear the top bits on machines with 8byte longs
 // shift left by 2
- r = ROTATE(r, 29) & 0xffffffffL;
- l = ROTATE(l, 29) & 0xffffffffL;
+ r = CRYPTO_rotr_u32(r, 29);
+ l = CRYPTO_rotr_u32(l, 29);
 // I don't know if it is worth the effort of loop unrolling the
 // inner loop
@@ -434,8 +434,8 @@ static void DES_encrypt1(uint32_t *data, const DES_key_schedule *ks, int enc) {
 }
 // rotate and clear the top bits on machines with 8byte longs
- l = ROTATE(l, 3) & 0xffffffffL;
- r = ROTATE(r, 3) & 0xffffffffL;
+ l = CRYPTO_rotr_u32(l, 3);
+ r = CRYPTO_rotr_u32(r, 3);
 FP(r, l);
 data[0] = l;
@@ -454,8 +454,8 @@ static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) {
 // sparc2. Thanks to Richard Outerbridge <71755.204@CompuServe.COM> for
 // pointing this out.
 // clear the top bits on machines with 8byte longs
- r = ROTATE(r, 29) & 0xffffffffL;
- l = ROTATE(l, 29) & 0xffffffffL;
+ r = CRYPTO_rotr_u32(r, 29);
+ l = CRYPTO_rotr_u32(l, 29);
 // I don't know if it is worth the effort of loop unrolling the
 // inner loop
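Review bot: The replaced lines drop the `& 0xffffffffL` masks but leave the comments `// clear the top bits on machines with 8byte longs` and `// rotate and clear the top bits on machines with 8byte longs` in place, so they now describe work the code no longer does; CRYPTO_rotr_u32 operates on uint32_t, which is why the mask is redundant, and the comments should be dropped or changed to something like `// 32-bit rotate right; no masking needed for uint32_t`. The declarations of `t2`, `l` and `r` are outside these hunks: if any of them is wider than 32 bits, the implicit conversion in the CRYPTO_rotr_u32 call truncates where the old mask did so explicitly, so confirm they are uint32_t (DES_encrypt1 and DES_encrypt2 take `uint32_t *data`, which suggests they are). The same stale comment precedes the `data[0]`/`data[1]` rotates in the -495 hunk of this file.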
@@ -495,8 +495,8 @@ static void DES_encrypt2(uint32_t *data, const DES_key_schedule *ks, int enc) { D_ENCRYPT(ks, r, l, 0); } // rotate and clear the top bits on machines with 8byte longs - data[0] = ROTATE(l, 3) & 0xffffffffL; - data[1] = ROTATE(r, 3) & 0xffffffffL; + data[0] = CRYPTO_rotr_u32(l, 3); + data[1] = CRYPTO_rotr_u32(r, 3); } void DES_encrypt3(uint32_t *data, const DES_key_schedule *ks1, @@ -782,4 +782,3 @@ void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule) { #undef D_ENCRYPT #undef ITERATIONS #undef HALF_ITERATIONS -#undef ROTATE diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/des/internal.h b/Sources/CJWTKitBoringSSL/crypto/des/internal.h similarity index 98% rename from Sources/CJWTKitBoringSSL/crypto/fipsmodule/des/internal.h rename to Sources/CJWTKitBoringSSL/crypto/des/internal.h index 4c7a3d2e..4de2b259 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/des/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/des/internal.h @@ -59,7 +59,7 @@ #include -#include "../../internal.h" +#include "../internal.h" #if defined(__cplusplus) extern "C" { @@ -218,7 +218,7 @@ how to use xors :-) I got it to its final state. #define D_ENCRYPT(ks, LL, R, S) \ do { \ LOAD_DATA(ks, R, S, u, t, E0, E1); \ - t = ROTATE(t, 4); \ + t = CRYPTO_rotr_u32(t, 4); \ (LL) ^= \ DES_SPtrans[0][(u >> 2L) & 0x3f] ^ DES_SPtrans[2][(u >> 10L) & 0x3f] ^ \ DES_SPtrans[4][(u >> 18L) & 0x3f] ^ \ @@ -230,8 +230,6 @@ how to use xors :-) I got it to its final state. #define ITERATIONS 16 #define HALF_ITERATIONS 8 -#define ROTATE(a, n) (((a) >> (n)) + ((a) << (32 - (n)))) - #if defined(__cplusplus) } // extern C diff --git a/Sources/CJWTKitBoringSSL/crypto/digest_extra/digest_extra.c b/Sources/CJWTKitBoringSSL/crypto/digest_extra/digest_extra.c index 305630e8..9c3942b1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/digest_extra/digest_extra.c +++ b/Sources/CJWTKitBoringSSL/crypto/digest_extra/digest_extra.c 
@@ -83,6 +83,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = {
 {NID_sha256, EVP_sha256, SN_sha256, LN_sha256},
 {NID_sha384, EVP_sha384, SN_sha384, LN_sha384},
 {NID_sha512, EVP_sha512, SN_sha512, LN_sha512},
+ {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256},
 {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1},
 // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding
 // hash function when given a signature OID. To avoid unintended lax parsing
diff --git a/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c b/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c
index 94c15d25..025c2aed 100644
--- a/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c
+++ b/Sources/CJWTKitBoringSSL/crypto/dsa/dsa.c
@@ -550,6 +550,27 @@ void DSA_SIG_free(DSA_SIG *sig) {
 OPENSSL_free(sig);
 }
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r,
+ const BIGNUM **out_s) {
+ if (out_r != NULL) {
+ *out_r = sig->r;
+ }
+ if (out_s != NULL) {
+ *out_s = sig->s;
+ }
+}
+
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
+ if (r == NULL || s == NULL) {
+ return 0;
+ }
+ BN_free(sig->r);
+ BN_free(sig->s);
+ sig->r = r;
+ sig->s = s;
+ return 1;
+}
+
 // mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and
 // |b| as secret. This function internally uses Montgomery reduction, but
 // neither inputs nor outputs are in Montgomery form.
diff --git a/Sources/CJWTKitBoringSSL/crypto/err/err.c b/Sources/CJWTKitBoringSSL/crypto/err/err.c
index 4517021f..d7157228 100644
--- a/Sources/CJWTKitBoringSSL/crypto/err/err.c
+++ b/Sources/CJWTKitBoringSSL/crypto/err/err.c
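Review bot: DSA_SIG_set0 takes ownership of `r` and `s` and frees the previous values only on the success path; when either argument is NULL it returns 0 without touching `sig` and without freeing the non-NULL argument, and DSA_SIG_get0 hands out pointers that remain owned by `sig`. Neither ownership rule is written down in this hunk; if the public header (outside this diff) does not spell them out, add above DSA_SIG_set0 a comment such as `// DSA_SIG_set0 sets |sig|'s |r| and |s| to the given values, freeing the old ones and taking ownership of the new ones. It returns one on success and zero if either is NULL, in which case it takes ownership of neither.` and a matching one-liner on DSA_SIG_get0 noting the returned pointers are borrowed. Callers that pass a freshly allocated BIGNUM and ignore a zero return would otherwise leak it.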
@@ -745,6 +745,22 @@ void ERR_add_error_dataf(const char *format, ...) {
 err_set_error_data(buf);
 }
+void ERR_set_error_data(char *data, int flags) {
+ if (!(flags & ERR_FLAG_STRING)) {
+ // We do not support non-string error data.
+ assert(0);
+ return;
+ }
+ if (flags & ERR_FLAG_MALLOCED) {
+ err_set_error_data(data);
+ } else {
+ char *copy = OPENSSL_strdup(data);
+ if (copy != NULL) {
+ err_set_error_data(copy);
+ }
+ }
+}
+
 int ERR_set_mark(void) {
 ERR_STATE *const state = err_get_state();
diff --git a/Sources/CJWTKitBoringSSL/crypto/err/err_data.c b/Sources/CJWTKitBoringSSL/crypto/err/err_data.c
index 83f009c6..517c720d 100644
--- a/Sources/CJWTKitBoringSSL/crypto/err/err_data.c
+++ b/Sources/CJWTKitBoringSSL/crypto/err/err_data.c
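Review bot: ERR_set_error_data leaks `data` when `ERR_FLAG_MALLOCED` is set but `ERR_FLAG_STRING` is not: the early return after `assert(0)` is a no-op in release builds, and the buffer whose ownership the caller handed over is never freed. Either release it on that path, `if (flags & ERR_FLAG_MALLOCED) { OPENSSL_free(data); }` before the `return;`, or document above the function that ownership transfers only when both flags are present. In the non-malloced branch an OPENSSL_strdup failure silently drops the error data; that is a reasonable choice for a void API, but a comment such as `// Best effort: on allocation failure the error stays set without its data.` would make it clearly intentional.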
@@ -55,185 +55,188 @@ OPENSSL_STATIC_ASSERT(ERR_LIB_USER == 33, "library value changed"); OPENSSL_STATIC_ASSERT(ERR_NUM_LIBS == 34, "number of libraries changed"); const uint32_t kOpenSSLReasonValues[] = { - 0xc320847, - 0xc328861, - 0xc330870, - 0xc338880, - 0xc34088f, - 0xc3488a8, - 0xc3508b4, - 0xc3588d1, - 0xc3608f1, - 0xc3688ff, - 0xc37090f, - 0xc37891c, - 0xc38092c, - 0xc388937, - 0xc39094d, - 0xc39895c, - 0xc3a0970, - 0xc3a8854, + 0xc320885, + 0xc32889f, + 0xc3308ae, + 0xc3388be, + 0xc3408cd, + 0xc3488e6, + 0xc3508f2, + 0xc35890f, + 0xc36092f, + 0xc36893d, + 0xc37094d, + 0xc37895a, + 0xc38096a, + 0xc388975, + 0xc39098b, + 0xc39899a, + 0xc3a09ae, + 0xc3a8892, 0xc3b00f7, - 0xc3b88e3, - 0x10320854, - 0x103295ca, - 0x103315d6, - 0x103395ef, - 0x10341602, - 0x10348f34, - 0x10350c6d, - 0x10359615, - 0x1036163f, - 0x10369652, - 0x10371671, - 0x1037968a, - 0x1038169f, - 0x103896bd, - 0x103916cc, - 0x103996e8, - 0x103a1703, - 0x103a9712, - 0x103b172e, - 0x103b9749, - 0x103c176f, + 0xc3b8921, + 0x10320892, + 0x10329620, + 0x1033162c, + 0x10339645, + 0x10341658, + 0x10348f72, + 0x10350cab, + 0x1035966b, + 0x10361695, + 0x103696a8, + 0x103716c7, + 0x103796e0, + 0x103816f5, + 0x10389713, + 0x10391722, + 0x1039973e, + 0x103a1759, + 0x103a9768, + 0x103b1784, + 0x103b979f, + 0x103c17c5, 0x103c80f7, - 0x103d1780, - 0x103d9794, - 0x103e17b3, - 0x103e97c2, - 0x103f17d9, - 0x103f97ec, - 0x10400c31, - 0x104097ff, - 0x1041181d, - 0x10419830, - 0x1042184a, - 0x1042985a, - 0x1043186e, - 0x10439884, - 0x1044189c, - 0x104498b1, - 0x104518c5, - 0x104598d7, - 0x1046060a, - 0x1046895c, - 0x104718ec, - 0x10479903, - 0x10481918, - 0x10489926, - 0x10490e80, - 0x10499760, - 0x104a162a, - 0x14320c14, - 0x14328c22, - 0x14330c31, - 0x14338c43, + 0x103d17d6, + 0x103d97ea, + 0x103e1809, + 0x103e9818, + 0x103f182f, + 0x103f9842, + 0x10400c6f, + 0x10409855, + 0x10411873, + 0x10419886, + 0x104218a0, + 0x104298b0, + 0x104318c4, + 0x104398da, + 0x104418f2, + 0x10449907, + 0x1045191b, + 0x1045992d, + 
0x10460635, + 0x1046899a, + 0x10471942, + 0x10479959, + 0x1048196e, + 0x1048997c, + 0x10490ebe, + 0x104997b6, + 0x104a1680, + 0x14320c52, + 0x14328c60, + 0x14330c6f, + 0x14338c81, 0x143400b9, 0x143480f7, 0x18320090, - 0x18328f8a, + 0x18328fc8, 0x183300b9, - 0x18338fa0, - 0x18340fb4, + 0x18338fde, + 0x18340ff2, 0x183480f7, - 0x18350fd3, - 0x18358feb, - 0x18361000, - 0x18369014, - 0x1837104c, - 0x18379062, - 0x18381076, - 0x18389086, - 0x18390a82, - 0x18399096, - 0x183a10bc, - 0x183a90e2, - 0x183b0c8c, - 0x183b9131, - 0x183c1143, - 0x183c914e, - 0x183d115e, - 0x183d916f, - 0x183e1180, - 0x183e9192, - 0x183f11bb, - 0x183f91d4, - 0x184011ec, - 0x184086e2, - 0x18411105, - 0x184190d0, - 0x184210ef, - 0x18428c79, - 0x184310ab, - 0x18439117, - 0x18440fc9, - 0x18449038, - 0x20321226, - 0x20329213, - 0x24321232, - 0x243289a2, - 0x24331244, - 0x24339251, - 0x2434125e, - 0x24349270, - 0x2435127f, - 0x2435929c, - 0x243612a9, - 0x243692b7, - 0x243712c5, - 0x243792d3, - 0x243812dc, - 0x243892e9, - 0x243912fc, - 0x28320c61, - 0x28328c8c, - 0x28330c31, - 0x28338c9f, - 0x28340c6d, + 0x18351011, + 0x18359029, + 0x1836103e, + 0x18369052, + 0x1837108a, + 0x183790a0, + 0x183810b4, + 0x183890c4, + 0x18390ac0, + 0x183990d4, + 0x183a10fa, + 0x183a9120, + 0x183b0cca, + 0x183b916f, + 0x183c1181, + 0x183c918c, + 0x183d119c, + 0x183d91ad, + 0x183e11be, + 0x183e91d0, + 0x183f11f9, + 0x183f9212, + 0x1840122a, + 0x1840870d, + 0x18411143, + 0x1841910e, + 0x1842112d, + 0x18428cb7, + 0x184310e9, + 0x18439155, + 0x18441007, + 0x18449076, + 0x20321264, + 0x20329251, + 0x24321270, + 0x243289e0, + 0x24331282, + 0x2433928f, + 0x2434129c, + 0x243492ae, + 0x243512bd, + 0x243592da, + 0x243612e7, + 0x243692f5, + 0x24371303, + 0x24379311, + 0x2438131a, + 0x24389327, + 0x2439133a, + 0x28320c9f, + 0x28328cca, + 0x28330c6f, + 0x28338cdd, + 0x28340cab, 0x283480b9, 0x283500f7, - 0x28358c79, - 0x2c323234, - 0x2c329313, - 0x2c333242, - 0x2c33b254, - 0x2c343268, - 0x2c34b27a, - 0x2c353295, - 0x2c35b2a7, - 0x2c3632d7, 
+ 0x28358cb7, + 0x2c3232bf, + 0x2c329351, + 0x2c3332cd, + 0x2c33b2df, + 0x2c3432f3, + 0x2c34b305, + 0x2c353320, + 0x2c35b332, + 0x2c363362, 0x2c36833a, - 0x2c3732e4, - 0x2c37b310, - 0x2c383335, - 0x2c38b34c, - 0x2c39336a, - 0x2c39b37a, - 0x2c3a338c, - 0x2c3ab3a0, - 0x2c3b33b1, - 0x2c3bb3d0, - 0x2c3c1325, - 0x2c3c933b, - 0x2c3d33e4, - 0x2c3d9354, - 0x2c3e3401, - 0x2c3eb40f, - 0x2c3f3427, - 0x2c3fb43f, - 0x2c403469, - 0x2c409226, - 0x2c41347a, - 0x2c41b48d, - 0x2c4211ec, - 0x2c42b49e, - 0x2c43072f, - 0x2c43b3c2, - 0x2c443323, - 0x2c44b44c, - 0x2c4532ba, - 0x2c45b2f6, - 0x2c46335a, + 0x2c37336f, + 0x2c37b39b, + 0x2c3833c0, + 0x2c38b3d7, + 0x2c3933f5, + 0x2c39b405, + 0x2c3a3417, + 0x2c3ab42b, + 0x2c3b343c, + 0x2c3bb45b, + 0x2c3c1363, + 0x2c3c9379, + 0x2c3d34a0, + 0x2c3d9392, + 0x2c3e34ca, + 0x2c3eb4d8, + 0x2c3f34f0, + 0x2c3fb508, + 0x2c403532, + 0x2c409264, + 0x2c413543, + 0x2c41b556, + 0x2c42122a, + 0x2c42b567, + 0x2c43076d, + 0x2c43b44d, + 0x2c4433ae, + 0x2c44b515, + 0x2c453345, + 0x2c45b381, + 0x2c4633e5, + 0x2c46b46f, + 0x2c473484, + 0x2c47b4bd, 0x30320000, 0x30328015, 0x3033001f, 
@@ -276,525 +279,533 @@ const uint32_t kOpenSSLReasonValues[] = { 0x30458306, 0x3046031f, 0x3046833a, - 0x30470357, - 0x30478369, - 0x30480377, - 0x30488388, - 0x30490397, - 0x304983af, - 0x304a03c1, - 0x304a83d5, - 0x304b03ed, - 0x304b8400, - 0x304c040b, - 0x304c841c, - 0x304d0428, - 0x304d843e, - 0x304e044c, - 0x304e8462, - 0x304f0474, - 0x304f8486, - 0x305004a9, - 0x305084bc, - 0x305104cd, - 0x305184dd, - 0x305204f5, - 0x3052850a, - 0x30530522, - 0x30538536, - 0x3054054e, - 0x30548567, - 0x30550580, - 0x3055859d, - 0x305605a8, - 0x305685c0, - 0x305705d0, - 0x305785e1, - 0x305805f4, - 0x3058860a, - 0x30590613, - 0x30598628, - 0x305a063b, - 0x305a864a, - 0x305b066a, - 0x305b8679, - 0x305c069a, - 0x305c86b6, - 0x305d06c2, - 0x305d86e2, - 0x305e06fe, - 0x305e870f, - 0x305f0725, - 0x305f872f, - 0x30600499, + 0x30470372, + 0x30478384, + 0x304803a2, + 0x304883b3, + 0x304903c2, + 0x304983da, + 0x304a03ec, + 0x304a8400, + 0x304b0418, + 0x304b842b, + 0x304c0436, + 0x304c8447, + 0x304d0453, + 0x304d8469, + 0x304e0477, + 0x304e848d, + 0x304f049f, + 0x304f84b1, + 0x305004d4, + 0x305084e7, + 0x305104f8, + 0x30518508, + 0x30520520, + 0x30528535, + 0x3053054d, + 0x30538561, + 0x30540579, + 0x30548592, + 0x305505ab, + 0x305585c8, + 0x305605d3, + 0x305685eb, + 0x305705fb, + 0x3057860c, + 0x3058061f, + 0x30588635, + 0x3059063e, + 0x30598653, + 0x305a0666, + 0x305a8675, + 0x305b0695, + 0x305b86a4, + 0x305c06c5, + 0x305c86e1, + 0x305d06ed, + 0x305d870d, + 0x305e0729, + 0x305e874d, + 0x305f0763, + 0x305f876d, + 0x306004c4, 0x3060804a, - 0x34320b72, - 0x34328b86, - 0x34330ba3, - 0x34338bb6, - 0x34340bc5, - 0x34348bfe, - 0x34350be2, + 0x30610357, + 0x3061873a, + 0x30620392, + 0x34320bb0, + 0x34328bc4, + 0x34330be1, + 0x34338bf4, + 0x34340c03, + 0x34348c3c, + 0x34350c20, 0x3c320090, - 0x3c328cc9, - 0x3c330ce2, - 0x3c338cfd, - 0x3c340d1a, - 0x3c348d44, - 0x3c350d5f, - 0x3c358d85, - 0x3c360d9e, - 0x3c368db6, - 0x3c370dc7, - 0x3c378dd5, - 0x3c380de2, - 0x3c388df6, - 0x3c390c8c, - 
0x3c398e19, - 0x3c3a0e2d, - 0x3c3a891c, - 0x3c3b0e3d, - 0x3c3b8e58, - 0x3c3c0e6a, - 0x3c3c8e9d, - 0x3c3d0ea7, - 0x3c3d8ebb, - 0x3c3e0ec9, - 0x3c3e8eee, - 0x3c3f0cb5, - 0x3c3f8ed7, + 0x3c328d07, + 0x3c330d20, + 0x3c338d3b, + 0x3c340d58, + 0x3c348d82, + 0x3c350d9d, + 0x3c358dc3, + 0x3c360ddc, + 0x3c368df4, + 0x3c370e05, + 0x3c378e13, + 0x3c380e20, + 0x3c388e34, + 0x3c390cca, + 0x3c398e57, + 0x3c3a0e6b, + 0x3c3a895a, + 0x3c3b0e7b, + 0x3c3b8e96, + 0x3c3c0ea8, + 0x3c3c8edb, + 0x3c3d0ee5, + 0x3c3d8ef9, + 0x3c3e0f07, + 0x3c3e8f2c, + 0x3c3f0cf3, + 0x3c3f8f15, 0x3c4000b9, 0x3c4080f7, - 0x3c410d35, - 0x3c418d74, - 0x3c420e80, - 0x3c428e0a, - 0x403219b8, - 0x403299ce, - 0x403319fc, - 0x40339a06, - 0x40341a1d, - 0x40349a3b, - 0x40351a4b, - 0x40359a5d, - 0x40361a6a, - 0x40369a76, - 0x40371a8b, - 0x40379a9d, - 0x40381aa8, - 0x40389aba, - 0x40390f34, - 0x40399aca, - 0x403a1add, - 0x403a9afe, - 0x403b1b0f, - 0x403b9b1f, + 0x3c410d73, + 0x3c418db2, + 0x3c420ebe, + 0x3c428e48, + 0x40321a0e, + 0x40329a24, + 0x40331a52, + 0x40339a5c, + 0x40341a73, + 0x40349a91, + 0x40351aa1, + 0x40359ab3, + 0x40361ac0, + 0x40369acc, + 0x40371ae1, + 0x40379af3, + 0x40381afe, + 0x40389b10, + 0x40390f72, + 0x40399b20, + 0x403a1b33, + 0x403a9b54, + 0x403b1b65, + 0x403b9b75, 0x403c0071, 0x403c8090, - 0x403d1b80, - 0x403d9b96, - 0x403e1ba5, - 0x403e9bdd, - 0x403f1bf7, - 0x403f9c1f, - 0x40401c34, - 0x40409c48, - 0x40411c83, - 0x40419c9e, - 0x40421cb7, - 0x40429cca, - 0x40431cde, - 0x40439d0c, - 0x40441d23, + 0x403d1bd6, + 0x403d9bec, + 0x403e1bfb, + 0x403e9c33, + 0x403f1c4d, + 0x403f9c75, + 0x40401c8a, + 0x40409c9e, + 0x40411cd9, + 0x40419cf4, + 0x40421d0d, + 0x40429d20, + 0x40431d34, + 0x40439d62, + 0x40441d79, 0x404480b9, - 0x40451d38, - 0x40459d4a, - 0x40461d6e, - 0x40469d8e, - 0x40471d9c, - 0x40479dc3, - 0x40481e34, - 0x40489eee, - 0x40491f05, - 0x40499f1f, - 0x404a1f36, - 0x404a9f54, - 0x404b1f6c, - 0x404b9f99, - 0x404c1faf, - 0x404c9fc1, - 0x404d1fe2, - 0x404da01b, - 0x404e202f, - 0x404ea03c, - 
0x404f20b9, - 0x404fa12f, - 0x40502186, - 0x4050a19a, - 0x405121cd, - 0x405221dd, - 0x4052a201, - 0x40532219, - 0x4053a22c, - 0x40542241, - 0x4054a264, - 0x4055228f, - 0x4055a2cc, - 0x405622f1, - 0x4056a30a, - 0x40572322, - 0x4057a335, - 0x4058234a, - 0x4058a371, - 0x405923a0, - 0x4059a3cd, - 0x405a23e1, - 0x405aa3f1, - 0x405b2409, - 0x405ba41a, - 0x405c242d, - 0x405ca46c, - 0x405d2479, - 0x405da49e, - 0x405e24dc, - 0x405e8ac0, - 0x405f24fd, - 0x405fa50a, - 0x40602518, - 0x4060a53a, - 0x4061259b, - 0x4061a5d3, - 0x406225ea, - 0x4062a5fb, - 0x40632648, - 0x4063a65d, - 0x40642674, - 0x4064a6a0, - 0x406526bb, - 0x4065a6d2, - 0x406626ea, - 0x4066a714, - 0x4067273f, - 0x4067a784, - 0x406827cc, - 0x4068a7ed, - 0x4069281f, - 0x4069a84d, - 0x406a286e, - 0x406aa88e, - 0x406b2a16, - 0x406baa39, - 0x406c2a4f, - 0x406cad59, - 0x406d2d88, - 0x406dadb0, - 0x406e2dde, - 0x406eae2b, - 0x406f2e84, - 0x406faebc, - 0x40702ecf, - 0x4070aeec, - 0x4071080f, - 0x4071aefe, - 0x40722f11, - 0x4072af47, - 0x40732f5f, - 0x40739525, - 0x40742f73, - 0x4074af8d, - 0x40752f9e, - 0x4075afb2, - 0x40762fc0, - 0x407692e9, - 0x40772fe5, - 0x4077b025, - 0x40783040, - 0x4078b079, - 0x40793090, - 0x4079b0a6, - 0x407a30d2, - 0x407ab0e5, - 0x407b30fa, - 0x407bb10c, - 0x407c313d, - 0x407cb146, - 0x407d2808, - 0x407da13f, - 0x407e3055, - 0x407ea381, - 0x407f1db0, - 0x407f9f83, - 0x408020c9, - 0x40809dd8, - 0x408121ef, - 0x4081a06d, - 0x40822dc9, - 0x40829b2b, - 0x4083235c, - 0x4083a685, - 0x40841dec, - 0x4084a3b9, - 0x4085243e, - 0x4085a562, - 0x408624be, - 0x4086a159, - 0x40872e0f, - 0x4087a5b0, - 0x40881b69, - 0x4088a797, - 0x40891bb8, - 0x40899b45, - 0x408a2a87, - 0x408a993d, - 0x408b3121, - 0x408bae99, - 0x408c244e, - 0x408c9975, - 0x408d1ed4, - 0x408d9e1e, - 0x408e2004, - 0x408ea2ac, - 0x408f27ab, - 0x408fa57e, - 0x40902760, - 0x4090a490, - 0x40912a6f, - 0x4091999b, - 0x40921c05, - 0x4092ae4a, - 0x40932f2a, - 0x4093a16a, - 0x40941e00, - 0x4094aaa0, - 0x4095260c, - 0x4095b0b2, - 0x40962df6, - 0x4096a0e2, 
- 0x409721b5, - 0x4097a053, - 0x40981c65, - 0x4098a620, - 0x40992e66, - 0x4099a2d9, - 0x409a2272, - 0x409a9959, - 0x409b1e5a, - 0x409b9e85, - 0x409c3007, - 0x409c9ead, - 0x409d209e, - 0x409da083, - 0x409e1cf6, - 0x409ea117, - 0x409f20ff, - 0x409f9e4d, - 0x41f42941, - 0x41f929d3, - 0x41fe28c6, - 0x41feab7c, - 0x41ff2caa, - 0x4203295a, - 0x4208297c, - 0x4208a9b8, - 0x420928aa, - 0x4209a9f2, - 0x420a2901, - 0x420aa8e1, - 0x420b2921, - 0x420ba99a, - 0x420c2cc6, - 0x420caab0, - 0x420d2b63, - 0x420dab9a, - 0x42122bcd, - 0x42172c8d, - 0x4217ac0f, - 0x421c2c31, - 0x421f2bec, - 0x42212d3e, - 0x42262c70, - 0x422b2d1c, - 0x422bab3e, - 0x422c2cfe, - 0x422caaf1, - 0x422d2aca, - 0x422dacdd, - 0x422e2b1d, - 0x42302c4c, - 0x4230abb4, - 0x4432073a, - 0x44328749, - 0x44330755, - 0x44338763, - 0x44340776, - 0x44348787, - 0x4435078e, - 0x44358798, - 0x443607ab, - 0x443687c1, - 0x443707d3, - 0x443787e0, - 0x443807ef, - 0x443887f7, - 0x4439080f, - 0x4439881d, - 0x443a0830, - 0x48321313, - 0x48329325, - 0x4833133b, - 0x48339354, - 0x4c321379, - 0x4c329389, - 0x4c33139c, - 0x4c3393bc, + 0x40451d8e, + 0x40459da0, + 0x40461dc4, + 0x40469de4, + 0x40471df2, + 0x40479e19, + 0x40481e8a, + 0x40489f44, + 0x40491f5b, + 0x40499f75, + 0x404a1f8c, + 0x404a9faa, + 0x404b1fc2, + 0x404b9fef, + 0x404c2005, + 0x404ca017, + 0x404d2038, + 0x404da071, + 0x404e2085, + 0x404ea092, + 0x404f212c, + 0x404fa1a2, + 0x40502211, + 0x4050a225, + 0x40512258, + 0x40522268, + 0x4052a28c, + 0x405322a4, + 0x4053a2b7, + 0x405422cc, + 0x4054a2ef, + 0x4055231a, + 0x4055a357, + 0x4056237c, + 0x4056a395, + 0x405723ad, + 0x4057a3c0, + 0x405823d5, + 0x4058a3fc, + 0x4059242b, + 0x4059a458, + 0x405a246c, + 0x405aa47c, + 0x405b2494, + 0x405ba4a5, + 0x405c24b8, + 0x405ca4f7, + 0x405d2504, + 0x405da529, + 0x405e2567, + 0x405e8afe, + 0x405f2588, + 0x405fa595, + 0x406025a3, + 0x4060a5c5, + 0x40612626, + 0x4061a65e, + 0x40622675, + 0x4062a686, + 0x406326d3, + 0x4063a6e8, + 0x406426ff, + 0x4064a72b, + 0x40652746, + 0x4065a75d, + 
0x40662775, + 0x4066a79f, + 0x406727ca, + 0x4067a80f, + 0x40682857, + 0x4068a878, + 0x406928aa, + 0x4069a8d8, + 0x406a28f9, + 0x406aa919, + 0x406b2aa1, + 0x406baac4, + 0x406c2ada, + 0x406cade4, + 0x406d2e13, + 0x406dae3b, + 0x406e2e69, + 0x406eaeb6, + 0x406f2f0f, + 0x406faf47, + 0x40702f5a, + 0x4070af77, + 0x4071084d, + 0x4071af89, + 0x40722f9c, + 0x4072afd2, + 0x40732fea, + 0x4073957b, + 0x40742ffe, + 0x4074b018, + 0x40753029, + 0x4075b03d, + 0x4076304b, + 0x40769327, + 0x40773070, + 0x4077b0b0, + 0x407830cb, + 0x4078b104, + 0x4079311b, + 0x4079b131, + 0x407a315d, + 0x407ab170, + 0x407b3185, + 0x407bb197, + 0x407c31c8, + 0x407cb1d1, + 0x407d2893, + 0x407da1ca, + 0x407e30e0, + 0x407ea40c, + 0x407f1e06, + 0x407f9fd9, + 0x4080213c, + 0x40809e2e, + 0x4081227a, + 0x4081a0e0, + 0x40822e54, + 0x40829b81, + 0x408323e7, + 0x4083a710, + 0x40841e42, + 0x4084a444, + 0x408524c9, + 0x4085a5ed, + 0x40862549, + 0x4086a1e4, + 0x40872e9a, + 0x4087a63b, + 0x40881bbf, + 0x4088a822, + 0x40891c0e, + 0x40899b9b, + 0x408a2b12, + 0x408a9993, + 0x408b31ac, + 0x408baf24, + 0x408c24d9, + 0x408c99cb, + 0x408d1f2a, + 0x408d9e74, + 0x408e205a, + 0x408ea337, + 0x408f2836, + 0x408fa609, + 0x409027eb, + 0x4090a51b, + 0x40912afa, + 0x409199f1, + 0x40921c5b, + 0x4092aed5, + 0x40932fb5, + 0x4093a1f5, + 0x40941e56, + 0x4094ab2b, + 0x40952697, + 0x4095b13d, + 0x40962e81, + 0x4096a155, + 0x40972240, + 0x4097a0a9, + 0x40981cbb, + 0x4098a6ab, + 0x40992ef1, + 0x4099a364, + 0x409a22fd, + 0x409a99af, + 0x409b1eb0, + 0x409b9edb, + 0x409c3092, + 0x409c9f03, + 0x409d2111, + 0x409da0f6, + 0x409e1d4c, + 0x409ea18a, + 0x409f2172, + 0x409f9ea3, + 0x40a021b2, + 0x40a0a0c3, + 0x41f429cc, + 0x41f92a5e, + 0x41fe2951, + 0x41feac07, + 0x41ff2d35, + 0x420329e5, + 0x42082a07, + 0x4208aa43, + 0x42092935, + 0x4209aa7d, + 0x420a298c, + 0x420aa96c, + 0x420b29ac, + 0x420baa25, + 0x420c2d51, + 0x420cab3b, + 0x420d2bee, + 0x420dac25, + 0x42122c58, + 0x42172d18, + 0x4217ac9a, + 0x421c2cbc, + 0x421f2c77, + 0x42212dc9, + 0x42262cfb, 
+ 0x422b2da7, + 0x422babc9, + 0x422c2d89, + 0x422cab7c, + 0x422d2b55, + 0x422dad68, + 0x422e2ba8, + 0x42302cd7, + 0x4230ac3f, + 0x44320778, + 0x44328787, + 0x44330793, + 0x443387a1, + 0x443407b4, + 0x443487c5, + 0x443507cc, + 0x443587d6, + 0x443607e9, + 0x443687ff, + 0x44370811, + 0x4437881e, + 0x4438082d, + 0x44388835, + 0x4439084d, + 0x4439885b, + 0x443a086e, + 0x48321351, + 0x48329363, + 0x48331379, + 0x48339392, + 0x4c3213cf, + 0x4c3293df, + 0x4c3313f2, + 0x4c339412, 0x4c3400b9, 0x4c3480f7, - 0x4c3513c8, - 0x4c3593d6, - 0x4c3613f2, - 0x4c369418, - 0x4c371427, - 0x4c379435, - 0x4c38144a, - 0x4c389456, - 0x4c391476, - 0x4c3994a0, - 0x4c3a14b9, - 0x4c3a94d2, - 0x4c3b060a, - 0x4c3b94eb, - 0x4c3c14fd, - 0x4c3c950c, - 0x4c3d1525, - 0x4c3d8c54, - 0x4c3e1592, - 0x4c3e9534, - 0x4c3f15b4, - 0x4c3f92e9, - 0x4c40154a, - 0x4c409365, - 0x4c411582, - 0x4c419405, - 0x4c42156e, - 0x503234b0, - 0x5032b4bf, - 0x503334ca, - 0x5033b4da, - 0x503434f3, - 0x5034b50d, - 0x5035351b, - 0x5035b531, - 0x50363543, - 0x5036b559, - 0x50373572, - 0x5037b585, - 0x5038359d, - 0x5038b5ae, - 0x503935c3, - 0x5039b5d7, - 0x503a35f7, - 0x503ab60d, - 0x503b3625, - 0x503bb637, - 0x503c3653, - 0x503cb66a, - 0x503d3683, - 0x503db699, - 0x503e36a6, - 0x503eb6bc, - 0x503f36ce, - 0x503f8388, - 0x504036e1, - 0x5040b6f1, - 0x5041370b, - 0x5041b71a, - 0x50423734, - 0x5042b751, - 0x50433761, - 0x5043b771, - 0x50443780, - 0x5044843e, - 0x50453794, - 0x5045b7b2, - 0x504637c5, - 0x5046b7db, - 0x504737ed, - 0x5047b802, - 0x50483828, - 0x5048b836, - 0x50493849, - 0x5049b85e, - 0x504a3874, - 0x504ab884, - 0x504b38a4, - 0x504bb8b7, - 0x504c38da, - 0x504cb908, - 0x504d391a, - 0x504db937, - 0x504e3952, - 0x504eb96e, - 0x504f3980, - 0x504fb997, - 0x505039a6, - 0x505086fe, - 0x505139b9, - 0x58320f72, - 0x68320f34, - 0x68328c8c, - 0x68330c9f, - 0x68338f42, - 0x68340f52, + 0x4c35141e, + 0x4c35942c, + 0x4c361448, + 0x4c36946e, + 0x4c37147d, + 0x4c37948b, + 0x4c3814a0, + 0x4c3894ac, + 0x4c3914cc, + 0x4c3994f6, + 0x4c3a150f, + 
0x4c3a9528, + 0x4c3b0635, + 0x4c3b9541, + 0x4c3c1553, + 0x4c3c9562, + 0x4c3d157b, + 0x4c3d8c92, + 0x4c3e15e8, + 0x4c3e958a, + 0x4c3f160a, + 0x4c3f9327, + 0x4c4015a0, + 0x4c4093bb, + 0x4c4115d8, + 0x4c41945b, + 0x4c4215c4, + 0x4c4293a3, + 0x50323579, + 0x5032b588, + 0x50333593, + 0x5033b5a3, + 0x503435bc, + 0x5034b5d6, + 0x503535e4, + 0x5035b5fa, + 0x5036360c, + 0x5036b622, + 0x5037363b, + 0x5037b64e, + 0x50383666, + 0x5038b677, + 0x5039368c, + 0x5039b6a0, + 0x503a36c0, + 0x503ab6d6, + 0x503b36ee, + 0x503bb700, + 0x503c371c, + 0x503cb733, + 0x503d374c, + 0x503db762, + 0x503e376f, + 0x503eb785, + 0x503f3797, + 0x503f83b3, + 0x504037aa, + 0x5040b7ba, + 0x504137d4, + 0x5041b7e3, + 0x504237fd, + 0x5042b81a, + 0x5043382a, + 0x5043b83a, + 0x50443857, + 0x50448469, + 0x5045386b, + 0x5045b889, + 0x5046389c, + 0x5046b8b2, + 0x504738c4, + 0x5047b8d9, + 0x504838ff, + 0x5048b90d, + 0x50493920, + 0x5049b935, + 0x504a394b, + 0x504ab95b, + 0x504b397b, + 0x504bb98e, + 0x504c39b1, + 0x504cb9df, + 0x504d3a0c, + 0x504dba29, + 0x504e3a44, + 0x504eba60, + 0x504f3a72, + 0x504fba89, + 0x50503a98, + 0x50508729, + 0x50513aab, + 0x5051b849, + 0x505239f1, + 0x58320fb0, + 0x68320f72, + 0x68328cca, + 0x68330cdd, + 0x68338f80, + 0x68340f90, 0x683480f7, - 0x6c320efa, - 0x6c328c43, - 0x6c330f05, - 0x6c338f1e, - 0x74320a28, + 0x6c320f38, + 0x6c328c81, + 0x6c330f43, + 0x6c338f5c, + 0x74320a66, 0x743280b9, - 0x74330c54, - 0x7832098d, - 0x783289a2, - 0x783309ae, + 0x74330c92, + 0x783209cb, + 0x783289e0, + 0x783309ec, 0x78338090, - 0x783409bd, - 0x783489d2, - 0x783509f1, - 0x78358a13, - 0x78360a28, - 0x78368a3e, - 0x78370a4e, - 0x78378a6f, - 0x78380a82, - 0x78388a94, - 0x78390aa1, - 0x78398ac0, - 0x783a0ad5, - 0x783a8ae3, - 0x783b0aed, - 0x783b8b01, - 0x783c0b18, - 0x783c8b2d, - 0x783d0b44, - 0x783d8b59, - 0x783e0aaf, - 0x783e8a61, - 0x7c321202, - 0x80321418, + 0x783409fb, + 0x78348a10, + 0x78350a2f, + 0x78358a51, + 0x78360a66, + 0x78368a7c, + 0x78370a8c, + 0x78378aad, + 0x78380ac0, + 0x78388ad2, + 
0x78390adf, + 0x78398afe, + 0x783a0b13, + 0x783a8b21, + 0x783b0b2b, + 0x783b8b3f, + 0x783c0b56, + 0x783c8b6b, + 0x783d0b82, + 0x783d8b97, + 0x783e0aed, + 0x783e8a9f, + 0x7c321240, + 0x8032146e, 0x80328090, - 0x80333203, + 0x8033328e, 0x803380b9, - 0x80343212, - 0x8034b17a, - 0x80353198, - 0x8035b226, - 0x803631da, - 0x8036b189, - 0x803731cc, - 0x8037b167, - 0x803831ed, - 0x8038b1a9, - 0x803931be, + 0x8034329d, + 0x8034b205, + 0x80353223, + 0x8035b2b1, + 0x80363265, + 0x8036b214, + 0x80373257, + 0x8037b1f2, + 0x80383278, + 0x8038b234, + 0x80393249, }; const size_t kOpenSSLReasonValuesLen = sizeof(kOpenSSLReasonValues) / sizeof(kOpenSSLReasonValues[0]); @@ -843,8 +854,10 @@ const char kOpenSSLReasonStringData[] = "INTEGER_NOT_ASCII_FORMAT\0" "INTEGER_TOO_LARGE_FOR_LONG\0" "INVALID_BIT_STRING_BITS_LEFT\0" + "INVALID_BIT_STRING_PADDING\0" "INVALID_BMPSTRING\0" "INVALID_DIGIT\0" + "INVALID_INTEGER\0" "INVALID_MODIFIER\0" "INVALID_NUMBER\0" "INVALID_OBJECT_ENCODING\0" @@ -891,6 +904,7 @@ const char kOpenSSLReasonStringData[] = "UNSUPPORTED_ANY_DEFINED_BY_TYPE\0" "UNSUPPORTED_PUBLIC_KEY_TYPE\0" "UNSUPPORTED_TYPE\0" + "WRONG_INTEGER_TYPE\0" "WRONG_PUBLIC_KEY_TYPE\0" "WRONG_TAG\0" "WRONG_TYPE\0" @@ -1060,6 +1074,7 @@ const char kOpenSSLReasonStringData[] = "NOT_PKCS7_SIGNED_DATA\0" "NO_CERTIFICATES_INCLUDED\0" "NO_CRLS_INCLUDED\0" + "AMBIGUOUS_FRIENDLY_NAME\0" "BAD_ITERATION_COUNT\0" "BAD_PKCS12_DATA\0" "BAD_PKCS12_VERSION\0" @@ -1207,6 +1222,7 @@ const char kOpenSSLReasonStringData[] = "HTTP_REQUEST\0" "INAPPROPRIATE_FALLBACK\0" "INCONSISTENT_CLIENT_HELLO\0" + "INCONSISTENT_ECH_NEGOTIATION\0" "INVALID_ALPN_PROTOCOL\0" "INVALID_ALPN_PROTOCOL_LIST\0" "INVALID_CLIENT_HELLO_INNER\0" @@ -1216,6 +1232,7 @@ const char kOpenSSLReasonStringData[] = "INVALID_ECH_CONFIG_LIST\0" "INVALID_ECH_PUBLIC_NAME\0" "INVALID_MESSAGE\0" + "INVALID_OUTER_EXTENSION\0" "INVALID_OUTER_RECORD_TYPE\0" "INVALID_SCT_LIST\0" "INVALID_SIGNATURE_ALGORITHM\0" 
@@ -1409,7 +1426,10 @@ const char kOpenSSLReasonStringData[] = "LOADING_DEFAULTS\0" "NAME_TOO_LONG\0" "NEWER_CRL_NOT_NEWER\0" + "NO_CERTIFICATE_FOUND\0" + "NO_CERTIFICATE_OR_CRL_FOUND\0" "NO_CERT_SET_FOR_US_TO_VERIFY\0" + "NO_CRL_FOUND\0" "NO_CRL_NUMBER\0" "PUBLIC_KEY_DECODE_ERROR\0" "PUBLIC_KEY_ENCODE_ERROR\0" @@ -1454,6 +1474,7 @@ const char kOpenSSLReasonStringData[] = "INVALID_PURPOSE\0" "INVALID_SECTION\0" "INVALID_SYNTAX\0" + "INVALID_VALUE\0" "ISSUER_DECODE_ERROR\0" "NEED_ORGANIZATION_AND_NUMBERS\0" "NO_CONFIG_DATABASE\0" @@ -1471,6 +1492,7 @@ const char kOpenSSLReasonStringData[] = "POLICY_PATH_LENGTH_ALREADY_DEFINED\0" "POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY\0" "SECTION_NOT_FOUND\0" + "TRAILING_DATA_IN_EXTENSION\0" "UNABLE_TO_GET_ISSUER_DETAILS\0" "UNABLE_TO_GET_ISSUER_KEYID\0" "UNKNOWN_BIT_STRING_ARGUMENT\0" diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/evp_asn1.c b/Sources/CJWTKitBoringSSL/crypto/evp/evp_asn1.c index be9b5955..4b4aaba8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/evp/evp_asn1.c +++ b/Sources/CJWTKitBoringSSL/crypto/evp/evp_asn1.c @@ -369,8 +369,8 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out, const uint8_t **inp, // Unlike OpenSSL, we do not support EC keys with this API. The raw EC // public key serialization requires knowing the group. In OpenSSL, calling // this function with |EVP_PKEY_EC| and setting |out| to NULL does not work. - // It requires |*out| to include a partially-initiazed |EVP_PKEY| to extract - // the group. + // It requires |*out| to include a partially-initialized |EVP_PKEY| to + // extract the group. default: OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE); goto err; diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/print.c b/Sources/CJWTKitBoringSSL/crypto/evp/print.c index dae75e3c..043d4e45 100644 --- a/Sources/CJWTKitBoringSSL/crypto/evp/print.c +++ b/Sources/CJWTKitBoringSSL/crypto/evp/print.c 
@@ -253,7 +253,7 @@ static int do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) { if (priv_key) { if (!BIO_indent(bp, off, 128) || - BIO_printf(bp, "%s: (%d bit)\n", ktype, BN_num_bits(x->p)) <= 0) { + BIO_printf(bp, "%s: (%u bit)\n", ktype, BN_num_bits(x->p)) <= 0) { goto err; } } @@ -368,7 +368,7 @@ static int do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype) { } order = BN_new(); if (order == NULL || !EC_GROUP_get_order(group, order, NULL) || - BIO_printf(bp, "%s: (%d bit)\n", ecstr, BN_num_bits(order)) <= 0) { + BIO_printf(bp, "%s: (%u bit)\n", ecstr, BN_num_bits(order)) <= 0) { goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c b/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c index 48712b38..8c0c131b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c +++ b/Sources/CJWTKitBoringSSL/crypto/evp/scrypt.c @@ -32,8 +32,6 @@ typedef struct { uint32_t words[16]; } block_t; OPENSSL_STATIC_ASSERT(sizeof(block_t) == 64, "block_t has padding"); -#define R(a, b) (((a) << (b)) | ((a) >> (32 - (b)))) - // salsa208_word_specification implements the Salsa20/8 core function, also // described in RFC 7914, section 3. It modifies the block at |inout| // in-place. 
@@ -42,38 +40,38 @@ static void salsa208_word_specification(block_t *inout) { OPENSSL_memcpy(&x, inout, sizeof(x)); for (int i = 8; i > 0; i -= 2) { - x.words[4] ^= R(x.words[0] + x.words[12], 7); - x.words[8] ^= R(x.words[4] + x.words[0], 9); - x.words[12] ^= R(x.words[8] + x.words[4], 13); - x.words[0] ^= R(x.words[12] + x.words[8], 18); - x.words[9] ^= R(x.words[5] + x.words[1], 7); - x.words[13] ^= R(x.words[9] + x.words[5], 9); - x.words[1] ^= R(x.words[13] + x.words[9], 13); - x.words[5] ^= R(x.words[1] + x.words[13], 18); - x.words[14] ^= R(x.words[10] + x.words[6], 7); - x.words[2] ^= R(x.words[14] + x.words[10], 9); - x.words[6] ^= R(x.words[2] + x.words[14], 13); - x.words[10] ^= R(x.words[6] + x.words[2], 18); - x.words[3] ^= R(x.words[15] + x.words[11], 7); - x.words[7] ^= R(x.words[3] + x.words[15], 9); - x.words[11] ^= R(x.words[7] + x.words[3], 13); - x.words[15] ^= R(x.words[11] + x.words[7], 18); - x.words[1] ^= R(x.words[0] + x.words[3], 7); - x.words[2] ^= R(x.words[1] + x.words[0], 9); - x.words[3] ^= R(x.words[2] + x.words[1], 13); - x.words[0] ^= R(x.words[3] + x.words[2], 18); - x.words[6] ^= R(x.words[5] + x.words[4], 7); - x.words[7] ^= R(x.words[6] + x.words[5], 9); - x.words[4] ^= R(x.words[7] + x.words[6], 13); - x.words[5] ^= R(x.words[4] + x.words[7], 18); - x.words[11] ^= R(x.words[10] + x.words[9], 7); - x.words[8] ^= R(x.words[11] + x.words[10], 9); - x.words[9] ^= R(x.words[8] + x.words[11], 13); - x.words[10] ^= R(x.words[9] + x.words[8], 18); - x.words[12] ^= R(x.words[15] + x.words[14], 7); - x.words[13] ^= R(x.words[12] + x.words[15], 9); - x.words[14] ^= R(x.words[13] + x.words[12], 13); - x.words[15] ^= R(x.words[14] + x.words[13], 18); + x.words[4] ^= CRYPTO_rotl_u32(x.words[0] + x.words[12], 7); + x.words[8] ^= CRYPTO_rotl_u32(x.words[4] + x.words[0], 9); + x.words[12] ^= CRYPTO_rotl_u32(x.words[8] + x.words[4], 13); + x.words[0] ^= CRYPTO_rotl_u32(x.words[12] + x.words[8], 18); + x.words[9] ^= CRYPTO_rotl_u32(x.words[5] + 
x.words[1], 7); + x.words[13] ^= CRYPTO_rotl_u32(x.words[9] + x.words[5], 9); + x.words[1] ^= CRYPTO_rotl_u32(x.words[13] + x.words[9], 13); + x.words[5] ^= CRYPTO_rotl_u32(x.words[1] + x.words[13], 18); + x.words[14] ^= CRYPTO_rotl_u32(x.words[10] + x.words[6], 7); + x.words[2] ^= CRYPTO_rotl_u32(x.words[14] + x.words[10], 9); + x.words[6] ^= CRYPTO_rotl_u32(x.words[2] + x.words[14], 13); + x.words[10] ^= CRYPTO_rotl_u32(x.words[6] + x.words[2], 18); + x.words[3] ^= CRYPTO_rotl_u32(x.words[15] + x.words[11], 7); + x.words[7] ^= CRYPTO_rotl_u32(x.words[3] + x.words[15], 9); + x.words[11] ^= CRYPTO_rotl_u32(x.words[7] + x.words[3], 13); + x.words[15] ^= CRYPTO_rotl_u32(x.words[11] + x.words[7], 18); + x.words[1] ^= CRYPTO_rotl_u32(x.words[0] + x.words[3], 7); + x.words[2] ^= CRYPTO_rotl_u32(x.words[1] + x.words[0], 9); + x.words[3] ^= CRYPTO_rotl_u32(x.words[2] + x.words[1], 13); + x.words[0] ^= CRYPTO_rotl_u32(x.words[3] + x.words[2], 18); + x.words[6] ^= CRYPTO_rotl_u32(x.words[5] + x.words[4], 7); + x.words[7] ^= CRYPTO_rotl_u32(x.words[6] + x.words[5], 9); + x.words[4] ^= CRYPTO_rotl_u32(x.words[7] + x.words[6], 13); + x.words[5] ^= CRYPTO_rotl_u32(x.words[4] + x.words[7], 18); + x.words[11] ^= CRYPTO_rotl_u32(x.words[10] + x.words[9], 7); + x.words[8] ^= CRYPTO_rotl_u32(x.words[11] + x.words[10], 9); + x.words[9] ^= CRYPTO_rotl_u32(x.words[8] + x.words[11], 13); + x.words[10] ^= CRYPTO_rotl_u32(x.words[9] + x.words[8], 18); + x.words[12] ^= CRYPTO_rotl_u32(x.words[15] + x.words[14], 7); + x.words[13] ^= CRYPTO_rotl_u32(x.words[12] + x.words[15], 9); + x.words[14] ^= CRYPTO_rotl_u32(x.words[13] + x.words[12], 13); + x.words[15] ^= CRYPTO_rotl_u32(x.words[14] + x.words[13], 18); } for (int i = 0; i < 16; ++i) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/aes.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/aes.c index feb2537c..d2fa5401 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/aes.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/aes.c @@ -50,8 +50,6 @@ #include -#include - #include "internal.h" #include "../modes/internal.h" diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/internal.h index fe2f81a8..0685bc41 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aes/internal.h @@ -17,7 +17,7 @@ #include -#include +#include "../../internal.h" #if defined(__cplusplus) extern "C" { @@ -30,18 +30,14 @@ extern "C" { #define HWAES #define HWAES_ECB -OPENSSL_INLINE int hwaes_capable(void) { - return (OPENSSL_ia32cap_get()[1] & (1 << (57 - 32))) != 0; -} +OPENSSL_INLINE int hwaes_capable(void) { return CRYPTO_is_AESNI_capable(); } #define VPAES #if defined(OPENSSL_X86_64) #define VPAES_CTR32 #endif #define VPAES_CBC -OPENSSL_INLINE int vpaes_capable(void) { - return (OPENSSL_ia32cap_get()[1] & (1 << (41 - 32))) != 0; -} +OPENSSL_INLINE int vpaes_capable(void) { return CRYPTO_is_SSSE3_capable(); } #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) #define HWAES diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.linux.x86_64.S index 3b6b4d50..b6045661 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.mac.x86_64.S index 372ccb6e..d2daf1f5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-gcm-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.linux.x86.S index 8b455011..143f9be9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.windows.x86.S index 488b4c62..29820d27 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86.windows.x86.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.linux.x86_64.S index cfd7879f..4d14130c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.mac.x86_64.S index 50614972..8a19e7b6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesni-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.ios.aarch64.S index 62ebf9a9..41bd9629 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.ios.aarch64.S @@ -636,7 +636,7 @@ _aes_hw_ctr32_encrypt_blocks: // // [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice // [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w8, w8 #endif add w10, w8, #1 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.linux.aarch64.S index 90c009fd..876ab7d6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/aesv8-armx64.linux.aarch64.S @@ -637,7 +637,7 @@ aes_hw_ctr32_encrypt_blocks: // // [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice // [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w8, w8 #endif add w10, w8, #1 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.linux.x86.S index 3430021e..7d79400c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.windows.x86.S index 97f4e57f..4daa486e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn-586.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c index c7d52885..2ebd8897 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/bytes.c 
@@ -61,19 +61,38 @@ #include "internal.h" +void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, + size_t in_len) { + for (size_t i = 0; i < out_len; i++) { + if (in_len < sizeof(BN_ULONG)) { + // Load the last partial word. + BN_ULONG word = 0; + for (size_t j = 0; j < in_len; j++) { + word = (word << 8) | in[j]; + } + in_len = 0; + out[i] = word; + // Fill the remainder with zeros. + OPENSSL_memset(out + i + 1, 0, (out_len - i - 1) * sizeof(BN_ULONG)); + break; + } -BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { - size_t num_words; - unsigned m; - BN_ULONG word = 0; - BIGNUM *bn = NULL; - - if (ret == NULL) { - ret = bn = BN_new(); + in_len -= sizeof(BN_ULONG); + out[i] = CRYPTO_load_word_be(in + in_len); } + // The caller should have sized the output to avoid truncation. + assert(in_len == 0); +} + +BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { + BIGNUM *bn = NULL; if (ret == NULL) { - return NULL; + bn = BN_new(); + if (bn == NULL) { + return NULL; + } + ret = bn; } if (len == 0) { @@ -81,12 +100,9 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } - num_words = ((len - 1) / BN_BYTES) + 1; - m = (len - 1) % BN_BYTES; + size_t num_words = ((len - 1) / BN_BYTES) + 1; if (!bn_wexpand(ret, num_words)) { - if (bn) { - BN_free(bn); - } + BN_free(bn); return NULL; } @@ -96,15 +112,7 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { ret->width = (int)num_words; ret->neg = 0; - while (len--) { - word = (word << 8) | *(in++); - if (m-- == 0) { - ret->d[--num_words] = word; - word = 0; - m = BN_BYTES - 1; - } - } - + bn_big_endian_to_words(ret->d, ret->width, in, len); return ret; } @@ -112,13 +120,12 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { BIGNUM *bn = NULL; if (ret == NULL) { bn = BN_new(); + if (bn == NULL) { + return NULL; + } ret = bn; } - if (ret == NULL) { - return NULL; - } - if (len == 0) { ret->width = 0; ret->neg = 0; 
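Review bot: `bn_big_endian_to_words` enforces its sizing contract only through `assert(in_len == 0)`, so in an NDEBUG build a caller that passes too few output words has the most significant input bytes silently dropped instead of getting an error; the same pattern appears in the `@@ -142,38 +149,58 @@` hunk, where `bn_words_to_big_endian` relies on `assert(fits_in_bytes(in, in_len, out_len))` and otherwise clamps and truncates. The public entry points visible here (`BN_bin2bn`, `BN_bn2bin`, `BN_bn2bin_padded`, `BN_bn2le_padded`) size or check their buffers before calling the helpers, so this is a documentation point on the internal helpers rather than a defect in the change. The new definition carries no comment in this hunk; unless the contract is already stated at its declaration in the `"internal.h"` included above it, add: `// bn_big_endian_to_words decodes the |in_len| big-endian bytes at |in| into |out_len| little-endian words at |out|, zero-filling unused high words. |out_len| must be large enough to hold the input; truncation is only caught by an assert.`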
@@ -142,38 +149,58 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } -size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) { - size_t n, i; - BN_ULONG l; - - n = i = BN_num_bytes(in); - while (i--) { - l = in->d[i / BN_BYTES]; - *(out++) = (unsigned char)(l >> (8 * (i % BN_BYTES))) & 0xff; - } - return n; -} - -static int fits_in_bytes(const uint8_t *bytes, size_t num_bytes, size_t len) { +// fits_in_bytes returns one if the |num_words| words in |words| can be +// represented in |num_bytes| bytes. +static int fits_in_bytes(const BN_ULONG *words, size_t num_words, + size_t num_bytes) { + const uint8_t *bytes = (const uint8_t *)words; + size_t tot_bytes = num_words * sizeof(BN_ULONG); uint8_t mask = 0; - for (size_t i = len; i < num_bytes; i++) { + for (size_t i = num_bytes; i < tot_bytes; i++) { mask |= bytes[i]; } return mask == 0; } +void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, + size_t in_len) { + // The caller should have selected an output length without truncation. + assert(fits_in_bytes(in, in_len, out_len)); + + // We only support little-endian platforms, so the internal representation is + // also little-endian as bytes. We can simply copy it in reverse. + const uint8_t *bytes = (const uint8_t *)in; + size_t num_bytes = in_len * sizeof(BN_ULONG); + if (out_len < num_bytes) { + num_bytes = out_len; + } + + for (size_t i = 0; i < num_bytes; i++) { + out[out_len - i - 1] = bytes[i]; + } + // Pad out the rest of the buffer with zeroes. + OPENSSL_memset(out, 0, out_len - num_bytes); +} + +size_t BN_bn2bin(const BIGNUM *in, uint8_t *out) { + size_t n = BN_num_bytes(in); + bn_words_to_big_endian(out, n, in->d, in->width); + return n; +} + int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) { + if (!fits_in_bytes(in->d, in->width, len)) { + return 0; + } + + // We only support little-endian platforms, so we can simply memcpy into the + // internal representation. 
const uint8_t *bytes = (const uint8_t *)in->d; size_t num_bytes = in->width * BN_BYTES; if (len < num_bytes) { - if (!fits_in_bytes(bytes, num_bytes, len)) { - return 0; - } num_bytes = len; } - // We only support little-endian platforms, so we can simply memcpy into the - // internal representation. OPENSSL_memcpy(out, bytes, num_bytes); // Pad out the rest of the buffer with zeroes. OPENSSL_memset(out + num_bytes, 0, len - num_bytes); @@ -181,22 +208,11 @@ int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in) { } int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in) { - const uint8_t *bytes = (const uint8_t *)in->d; - size_t num_bytes = in->width * BN_BYTES; - if (len < num_bytes) { - if (!fits_in_bytes(bytes, num_bytes, len)) { - return 0; - } - num_bytes = len; + if (!fits_in_bytes(in->d, in->width, len)) { + return 0; } - // We only support little-endian platforms, so we can simply write the buffer - // in reverse. - for (size_t i = 0; i < num_bytes; i++) { - out[len - i - 1] = bytes[i]; - } - // Pad out the rest of the buffer with zeroes. - OPENSSL_memset(out, 0, len - num_bytes); + bn_words_to_big_endian(out, len, in->d, in->width); return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c index dcaa74e7..ebf8a617 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/div.c @@ -456,7 +456,7 @@ void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, const BIGNUM *divisor, - BN_CTX *ctx) { + unsigned divisor_min_bits, BN_CTX *ctx) { if (BN_is_negative(numerator) || BN_is_negative(divisor)) { OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); return 0; 
@@ -496,8 +496,26 @@ int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, r->neg = 0; // Incorporate |numerator| into |r|, one bit at a time, reducing after each - // step. At the start of each loop iteration, |r| < |divisor| - for (int i = numerator->width - 1; i >= 0; i--) { + // step. We maintain the invariant that |0 <= r < divisor| and + // |q * divisor + r = n| where |n| is the portion of |numerator| incorporated + // so far. + // + // First, we short-circuit the loop: if we know |divisor| has at least + // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated + // without reductions. This significantly speeds up |RSA_check_key|. For + // simplicity, we round down to a whole number of words. + assert(divisor_min_bits <= BN_num_bits(divisor)); + int initial_words = 0; + if (divisor_min_bits > 0) { + initial_words = (divisor_min_bits - 1) / BN_BITS2; + if (initial_words > numerator->width) { + initial_words = numerator->width; + } + OPENSSL_memcpy(r->d, numerator->d + numerator->width - initial_words, + initial_words * sizeof(BN_ULONG)); + } + + for (int i = numerator->width - initial_words - 1; i >= 0; i--) { for (int bit = BN_BITS2 - 1; bit >= 0; bit--) { // Incorporate the next bit of the numerator, by computing // r = 2*r or 2*r + 1. Note the result fits in one more word. We store the diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c index 56418e8c..74a820ee 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/exponentiation.c @@ -112,7 +112,6 @@ #include #include -#include #include #include diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd_extra.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd_extra.c index ce12510a..28a8c897 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd_extra.c 
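Review bot: The new `assert(divisor_min_bits <= BN_num_bits(divisor))` evaluates `BN_num_bits` on `divisor`, which the contract in the internal.h hunk at L232 says is secret including its magnitude; `BN_num_bits` is not constant-time, so the check is only acceptable because asserts vanish in release builds. A comment would keep someone from later promoting it to a runtime check: `// Debug-only: BN_num_bits is not constant-time and must not run on a secret divisor in release builds.` The `OPENSSL_memcpy` into `r->d` also presumes `r` was expanded to at least `numerator->width` words earlier in the function; that allocation is outside the hunk, so I could not confirm it. The enclosing function starts before and ends after this hunk.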
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/gcd_extra.c @@ -157,10 +157,11 @@ int bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { BN_CTX_start(ctx); unsigned shift; BIGNUM *gcd = BN_CTX_get(ctx); - int ret = gcd != NULL && + int ret = gcd != NULL && // bn_mul_consttime(r, a, b, ctx) && bn_gcd_consttime(gcd, &shift, a, b, ctx) && - bn_div_consttime(r, NULL, r, gcd, ctx) && + // |gcd| has a secret bit width. + bn_div_consttime(r, NULL, r, gcd, /*divisor_min_bits=*/0, ctx) && bn_rshift_secret_shift(r, r, shift, ctx); BN_CTX_end(ctx); return ret; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h index 4e33dcd1..b690fc92 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/internal.h @@ -552,12 +552,15 @@ int bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); // bn_div_consttime behaves like |BN_div|, but it rejects negative inputs and // treats both inputs, including their magnitudes, as secret. It is, as a // result, much slower than |BN_div| and should only be used for rare operations -// where Montgomery reduction is not available. +// where Montgomery reduction is not available. |divisor_min_bits| is a +// public lower bound for |BN_num_bits(divisor)|. When |divisor|'s bit width is +// public, this can speed up the operation. // // Note that |quotient->width| will be set pessimally to |numerator->width|. OPENSSL_EXPORT int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, - const BIGNUM *divisor, BN_CTX *ctx); + const BIGNUM *divisor, + unsigned divisor_min_bits, BN_CTX *ctx); // bn_is_relatively_prime checks whether GCD(|x|, |y|) is one. On success, it // returns one and sets |*out_relatively_prime| to one if the GCD was one and 
@@ -705,6 +708,25 @@ void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, const BN_MONT_CTX *mont); +// Word-based byte conversion functions. + +// bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian, +// unsigned integer and writes the result to |out_len| words in |out|. |out_len| +// must be large enough to represent any |in_len|-byte value. That is, |out_len| +// must be at least |BN_BYTES * in_len|. +void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, + size_t in_len); + +// bn_words_to_big_endian represents |in_len| words from |in| as a big-endian, +// unsigned integer in |out_len| bytes. It writes the result to |out|. |out_len| +// must be large enough to represent |in| without truncation. +// +// Note |out_len| may be less than |BN_BYTES * in_len| if |in| is known to have +// leading zeros. +void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, + size_t in_len); + + #if defined(__cplusplus) } // extern C #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c index 896cfdef..d144fa59 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/prime.c @@ -359,6 +359,18 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); +BN_GENCB *BN_GENCB_new(void) { + BN_GENCB *callback = OPENSSL_malloc(sizeof(BN_GENCB)); + if (callback == NULL) { + OPENSSL_PUT_ERROR(BN, ERR_R_MALLOC_FAILURE); + return NULL; + } + OPENSSL_memset(callback, 0, sizeof(BN_GENCB)); + return callback; +} + +void BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); } + void BN_GENCB_set(BN_GENCB *callback, int (*f)(int event, int n, struct bn_gencb_st *), void *arg) { 
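Review bot: The new comment on `bn_big_endian_to_words` states the sizing rule backwards: `|out_len| must be at least |BN_BYTES * in_len|` multiplies where it should divide, which would demand a vastly larger buffer than the function needs. For an `in_len`-byte input the requirement is a word count, `out_len >= (in_len + BN_BYTES - 1) / BN_BYTES`, which is exactly what `BN_bin2bn` computes as `num_words` in the bytes.c hunk at L228. Suggested wording: `// must be at least |(in_len + BN_BYTES - 1) / BN_BYTES|.`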
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.h index 15c3b89b..c2fcc919 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/rsaz_exp.h @@ -16,9 +16,9 @@ #define OPENSSL_HEADER_BN_RSAZ_EXP_H #include -#include #include "internal.h" +#include "../../internal.h" #if defined(__cplusplus) extern "C" { @@ -41,18 +41,17 @@ void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16], BN_ULONG storage_words[MOD_EXP_CTIME_STORAGE_LEN]); OPENSSL_INLINE int rsaz_avx2_capable(void) { - const uint32_t *cap = OPENSSL_ia32cap_get(); - return (cap[2] & (1 << 5)) != 0; // AVX2 + return CRYPTO_is_AVX2_capable(); } OPENSSL_INLINE int rsaz_avx2_preferred(void) { - const uint32_t *cap = OPENSSL_ia32cap_get(); - static const uint32_t kBMI2AndADX = (1 << 8) | (1 << 19); - if ((cap[2] & kBMI2AndADX) == kBMI2AndADX) { - // If BMI2 and ADX are available, x86_64-mont5.pl is faster. + if (CRYPTO_is_BMI1_capable() && CRYPTO_is_BMI2_capable() && + CRYPTO_is_ADX_capable()) { + // If BMI1, BMI2, and ADX are available, x86_64-mont5.pl is faster. See the + // .Lmulx4x_enter and .Lpowerx5_enter branches. return 0; } - return (cap[2] & (1 << 5)) != 0; // AVX2 + return CRYPTO_is_AVX2_capable(); } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/sqrt.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/sqrt.c index ea371bf1..c50762b2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/sqrt.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/bn/sqrt.c @@ -75,10 +75,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { if (ret == NULL) { ret = BN_new(); } - if (ret == NULL) { - goto end; - } - if (!BN_set_word(ret, BN_is_bit_set(a, 0))) { + if (ret == NULL || + !BN_set_word(ret, BN_is_bit_set(a, 0))) { if (ret != in) { BN_free(ret); } 
@@ -88,17 +86,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { } OPENSSL_PUT_ERROR(BN, BN_R_P_IS_NOT_PRIME); - return (NULL); + return NULL; } if (BN_is_zero(a) || BN_is_one(a)) { if (ret == NULL) { ret = BN_new(); } - if (ret == NULL) { - goto end; - } - if (!BN_set_word(ret, BN_is_one(a))) { + if (ret == NULL || + !BN_set_word(ret, BN_is_one(a))) { if (ret != in) { BN_free(ret); } @@ -310,8 +306,7 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { } // x := a^((q-1)/2) - if (BN_is_zero(t)) // special case: p = 2^e + 1 - { + if (BN_is_zero(t)) { // special case: p = 2^e + 1 if (!BN_nnmod(t, A, p, ctx)) { goto end; } @@ -354,7 +349,6 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { // We have a*b = x^2, // y^2^(e-1) = -1, // b^2^(e-1) = 1. - if (BN_is_one(b)) { if (!BN_copy(ret, x)) { goto end; @@ -363,23 +357,26 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { goto vrfy; } - - // find smallest i such that b^(2^i) = 1 - i = 1; - if (!BN_mod_sqr(t, b, p, ctx)) { - goto end; - } - while (!BN_is_one(t)) { - i++; - if (i == e) { - OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE); - goto end; + // Find the smallest i, 0 < i < e, such that b^(2^i) = 1 + for (i = 1; i < e; i++) { + if (i == 1) { + if (!BN_mod_sqr(t, b, p, ctx)) { + goto end; + } + } else { + if (!BN_mod_mul(t, t, t, p, ctx)) { + goto end; + } } - if (!BN_mod_mul(t, t, t, p, ctx)) { - goto end; + if (BN_is_one(t)) { + break; } } - + // If not found, a is not a square or p is not a prime. + if (i >= e) { + OPENSSL_PUT_ERROR(BN, BN_R_NOT_A_SQUARE); + goto end; + } // t := y^2^(e - i - 1) if (!BN_copy(t, y)) { 
@@ -395,14 +392,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { !BN_mod_mul(b, b, y, p, ctx)) { goto end; } + + // e decreases each iteration, so this loop will terminate. + assert(i < e); e = i; } vrfy: if (!err) { - // verify the result -- the input might have been not a square - // (test added in 0.9.8) - + // Verify the result. The input might have been not a square. if (!BN_mod_sqr(x, ret, p, ctx)) { err = 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/aead.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/aead.c index 8e2d7804..0a8bc729 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/aead.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/aead.c @@ -51,6 +51,9 @@ EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead, const uint8_t *key, } void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx) { + if (ctx == NULL) { + return; + } EVP_AEAD_CTX_cleanup(ctx); OPENSSL_free(ctx); } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c index ff0c66f4..c1f03a5b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/cipher.c @@ -629,6 +629,18 @@ int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit(ctx, cipher, key, iv, 0); } +int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { + return EVP_CipherFinal_ex(ctx, out, out_len); +} + +int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { + return EVP_EncryptFinal_ex(ctx, out, out_len); +} + +int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len) { + return EVP_DecryptFinal_ex(ctx, out, out_len); +} + int EVP_add_cipher_alias(const char *a, const char *b) { return 1; } 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c index e8f2798a..046376a7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/cipher/e_aes.c @@ -52,7 +52,6 @@ #include #include #include -#include #include #include #include @@ -911,6 +910,16 @@ static int aead_aes_gcm_init_impl(struct aead_aes_gcm_ctx *gcm_ctx, size_t key_len, size_t tag_len) { const size_t key_bits = key_len * 8; + switch (key_bits) { + case 128: + boringssl_fips_inc_counter(fips_counter_evp_aes_128_gcm); + break; + + case 256: + boringssl_fips_inc_counter(fips_counter_evp_aes_256_gcm); + break; + } + if (key_bits != 128 && key_bits != 192 && key_bits != 256) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); return 0; // EVP_AEAD_CTX_init should catch this. diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.linux.x86.S index d8028b0f..421ac695 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.windows.x86.S index f39650f2..73e34b8e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/co-586.windows.x86.S 
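Review bot: The new switch in `aead_aes_gcm_init_impl` references `boringssl_fips_inc_counter` and the `fips_counter_evp_aes_128_gcm` / `fips_counter_evp_aes_256_gcm` enumerators, and the dh.c (L238), ec.c (L241) and ec_key.c (L242–L243) hunks add calls to `boringssl_ensure_ffdh_self_test`, `boringssl_ensure_ecc_self_test` and `boringssl_fips_break_test`; none of their definitions appear in this chunk. Since this PR re-vendors BoringSSL through the updated scripts, please confirm the scripts also copied the upstream sources that define these symbols (in a non-FIPS build upstream supplies no-op stubs, but they still have to be present for the package to link). The counter is incremented before the key-length validation that follows; that is harmless because the switch has no default, but a one-line comment such as `// Counted before validation; invalid lengths are rejected below.` would make the ordering deliberate.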
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c index fb8795e7..21143ec3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/dh.c @@ -64,6 +64,7 @@ #include #include +#include "internal.h" #include "../../internal.h" #include "../bn/internal.h" @@ -186,6 +187,8 @@ int DH_set_length(DH *dh, unsigned priv_length) { } int DH_generate_key(DH *dh) { + boringssl_ensure_ffdh_self_test(); + int ok = 0; int generate_new_key = 0; BN_CTX *ctx = NULL; @@ -322,7 +325,8 @@ static int dh_compute_key(DH *dh, BIGNUM *out_shared_key, return ret; } -int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) { +int dh_compute_key_padded_no_self_test(unsigned char *out, + const BIGNUM *peers_key, DH *dh) { BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { return -1; @@ -343,7 +347,15 @@ int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) { return ret; } +int DH_compute_key_padded(unsigned char *out, const BIGNUM *peers_key, DH *dh) { + boringssl_ensure_ffdh_self_test(); + + return dh_compute_key_padded_no_self_test(out, peers_key, dh); +} + int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) { + boringssl_ensure_ffdh_self_test(); + BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { return -1; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h new file mode 100644 index 00000000..1ae06c62 --- /dev/null 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/dh/internal.h @@ -0,0 +1,36 @@ +/* Copyright (c) 2022, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H +#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H + +#include + +#if defined(__cplusplus) +extern "C" { +#endif + + +// dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|, +// but doesn't try to run the self-test first. This is for use in the self tests +// themselves, to prevent an infinite loop. +int dh_compute_key_padded_no_self_test(unsigned char *out, + const BIGNUM *peers_key, DH *dh); + + +#if defined(__cplusplus) +} +#endif + +#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_DH_INTERNAL_H diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c index 16bf3895..87dd36b8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/digest/digest.c 
@@ -106,6 +106,11 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) { return 1; } +void EVP_MD_CTX_cleanse(EVP_MD_CTX *ctx) { + OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); + EVP_MD_CTX_cleanup(ctx); +} + void EVP_MD_CTX_free(EVP_MD_CTX *ctx) { if (!ctx) { return; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c index 840902ed..f472e8b4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec.c @@ -246,7 +246,8 @@ DEFINE_METHOD_FUNCTION(struct built_in_curves, OPENSSL_built_in_curves) { out->curves[2].param_len = 32; out->curves[2].params = kP256Params; out->curves[2].method = -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) EC_GFp_nistz256_method(); #else @@ -943,8 +944,9 @@ static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, return ok; } -int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, - const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { +int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *g_scalar, const EC_POINT *p, + const BIGNUM *p_scalar, BN_CTX *ctx) { // Previously, this function set |r| to the point at infinity if there was // nothing to multiply. But, nobody should be calling this function with // nothing to multiply in the first place. 
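Review bot: `EVP_MD_CTX_cleanse` dereferences `ctx->digest->ctx_size` unconditionally, so a context that has been initialised but never had a digest configured, or one that has already been cleaned up (which presumably resets `ctx->digest`, though that is outside the hunk), crashes rather than behaving as a no-op like the neighbouring `EVP_MD_CTX_cleanup`. Either document that precondition above the function or guard the wipe: `if (ctx->digest != NULL) { OPENSSL_cleanse(ctx->md_data, ctx->digest->ctx_size); }` and let `EVP_MD_CTX_cleanup` run either way.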
@@ -1010,6 +1012,13 @@ int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, return ret; } +int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, + const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { + boringssl_ensure_ecc_self_test(); + + return ec_point_mul_no_self_test(group, r, g_scalar, p, p_scalar, ctx); +} + int ec_point_mul_scalar_public(const EC_GROUP *group, EC_RAW_POINT *r, const EC_SCALAR *g_scalar, const EC_RAW_POINT *p, const EC_SCALAR *p_scalar) { @@ -1166,15 +1175,12 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, return 0; } - // For simplicity, in case of width mismatches between |group->field| and - // |group->order|, zero any untouched words in |out|. - OPENSSL_memset(out, 0, sizeof(EC_SCALAR)); - for (size_t i = 0; i < len; i++) { - out->bytes[len - i - 1] = bytes[i]; - } - - // We must have p < 2×order, assuming p is not tiny (p >= 17). Thus rather we - // can reduce by performing at most one subtraction. + // The x-coordinate is bounded by p, but we need a scalar, bounded by the + // order. These may not have the same size. However, we must have p < 2×order, + // assuming p is not tiny (p >= 17). + // + // Thus |bytes| will fit in |order.width + 1| words, and we can reduce by + // performing at most one subtraction. // // Proof: We only work with prime order curves, so the number of points on // the curve is the order. Thus Hasse's theorem gives: 
@@ -1188,14 +1194,11 @@ int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, // // Additionally, one can manually check this property for built-in curves. It // is enforced for legacy custom curves in |EC_GROUP_set_generator|. - - // The above does not guarantee |group->field| is not one word larger than - // |group->order|, so read one extra carry word. - BN_ULONG tmp[EC_MAX_WORDS]; - BN_ULONG carry = - group->order.width < EC_MAX_WORDS ? out->words[group->order.width] : 0; - bn_reduce_once_in_place(out->words, carry, group->order.d, tmp, - group->order.width); + const BIGNUM *order = &group->order; + BN_ULONG words[EC_MAX_WORDS + 1]; + bn_big_endian_to_words(words, order->width + 1, bytes, len); + bn_reduce_once(out->words, words, /*carry=*/words[order->width], order->d, + order->width); return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c index 47b4ac9d..a67e74ad 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/ec_key.c @@ -308,6 +308,9 @@ int EC_KEY_check_key(const EC_KEY *eckey) { } // Check the public and private keys match. + // + // NOTE: this is a FIPS pair-wise consistency check for the ECDH case. See SP + // 800-56Ar3, page 36. if (eckey->priv_key != NULL) { EC_RAW_POINT point; if (!ec_point_mul_scalar_base(eckey->group, &point, @@ -339,9 +342,9 @@ int EC_KEY_check_fips(const EC_KEY *key) { if (key->priv_key) { uint8_t data[16] = {0}; ECDSA_SIG *sig = ECDSA_do_sign(data, sizeof(data), key); -#if defined(BORINGSSL_FIPS_BREAK_ECDSA_PWCT) - data[0] = ~data[0]; -#endif + if (boringssl_fips_break_test("ECDSA_PWCT")) { + data[0] = ~data[0]; + } int ok = sig != NULL && ECDSA_do_verify(data, sizeof(data), sig, key); ECDSA_SIG_free(sig); 
@@ -439,6 +442,8 @@ int EC_KEY_generate_key(EC_KEY *key) { } int EC_KEY_generate_key_fips(EC_KEY *eckey) { + boringssl_ensure_ecc_self_test(); + if (EC_KEY_generate_key(eckey) && EC_KEY_check_fips(eckey)) { return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h index 08a5feb0..8064df04 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/internal.h @@ -100,9 +100,7 @@ OPENSSL_STATIC_ASSERT(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, // An EC_SCALAR is an integer fully reduced modulo the order. Only the first // |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP| // and must not be mixed between groups. -typedef union { - // bytes is the representation of the scalar in little-endian order. - uint8_t bytes[EC_MAX_BYTES]; +typedef struct { BN_ULONG words[EC_MAX_WORDS]; } EC_SCALAR; @@ -192,9 +190,7 @@ void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, // are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed // between groups. Additionally, the representation (whether or not elements are // represented in Montgomery-form) may vary between |EC_METHOD|s. -typedef union { - // bytes is the representation of the field element in little-endian order. - uint8_t bytes[EC_MAX_BYTES]; +typedef struct { BN_ULONG words[EC_MAX_WORDS]; } EC_FELEM; 
@@ -301,6 +297,13 @@ int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, const EC_FELEM *x, const EC_FELEM *y); +// ec_point_mul_no_self_test does the same as |EC_POINT_mul|, but doesn't try to +// run the self-test first. This is for use in the self tests themselves, to +// prevent an infinite loop. +int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *g_scalar, const EC_POINT *p, + const BIGNUM *p_scalar, BN_CTX *ctx); + // ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered // secret. int ec_point_mul_scalar(const EC_GROUP *group, EC_RAW_POINT *r, diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c index c9643d64..d0104f46 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p224-64.c @@ -52,11 +52,6 @@ typedef uint128_t p224_widelimb; typedef p224_limb p224_felem[4]; typedef p224_widelimb p224_widefelem[7]; -// Field element represented as a byte arrary. 28*8 = 224 bits is also the -// group order size for the elliptic curve, and we also use this type for -// scalars for point multiplication. -typedef uint8_t p224_felem_bytearray[28]; - // Precomputed multiples of the standard generator // Points are given in coordinates (X, Y, Z) where Z normally is 1 // (0 for the point at infinity). 
@@ -180,31 +175,16 @@ static const p224_felem g_p224_pre_comp[2][16][3] = { {0x32477c61b6e8c6, 0xb46a97570f018b, 0x91176d0a7e95d1, 0x3df90fbc4c7d0e}, {1, 0, 0, 0}}}}; -static uint64_t p224_load_u64(const uint8_t in[8]) { - uint64_t ret; - OPENSSL_memcpy(&ret, in, sizeof(ret)); - return ret; -} // Helper functions to convert field elements to/from internal representation -static void p224_bin28_to_felem(p224_felem out, const uint8_t in[28]) { - out[0] = p224_load_u64(in) & 0x00ffffffffffffff; - out[1] = p224_load_u64(in + 7) & 0x00ffffffffffffff; - out[2] = p224_load_u64(in + 14) & 0x00ffffffffffffff; - out[3] = p224_load_u64(in + 20) >> 8; -} - -static void p224_felem_to_bin28(uint8_t out[28], const p224_felem in) { - for (size_t i = 0; i < 7; ++i) { - out[i] = in[0] >> (8 * i); - out[i + 7] = in[1] >> (8 * i); - out[i + 14] = in[2] >> (8 * i); - out[i + 21] = in[3] >> (8 * i); - } -} static void p224_generic_to_felem(p224_felem out, const EC_FELEM *in) { - p224_bin28_to_felem(out, in->bytes); + // |p224_felem|'s minimal representation uses four 56-bit words. |EC_FELEM| + // uses four 64-bit words. (The top-most word only has 32 bits.) + out[0] = in->words[0] & 0x00ffffffffffffff; + out[1] = ((in->words[0] >> 56) | (in->words[1] << 8)) & 0x00ffffffffffffff; + out[2] = ((in->words[1] >> 48) | (in->words[2] << 16)) & 0x00ffffffffffffff; + out[3] = ((in->words[2] >> 40) | (in->words[3] << 24)) & 0x00ffffffffffffff; } // Requires 0 <= in < 2*p (always call p224_felem_reduce first) 
@@ -256,9 +236,12 @@ static void p224_felem_to_generic(EC_FELEM *out, const p224_felem in) { tmp2[2] = tmp[2]; tmp2[3] = tmp[3]; - p224_felem_to_bin28(out->bytes, tmp2); - // 224 is not a multiple of 64, so zero the remaining bytes. - OPENSSL_memset(out->bytes + 28, 0, 32 - 28); + // |p224_felem|'s minimal representation uses four 56-bit words. |EC_FELEM| + // uses four 64-bit words. (The top-most word only has 32 bits.) + out->words[0] = tmp2[0] | (tmp2[1] << 56); + out->words[1] = (tmp2[1] >> 8) | (tmp2[2] << 48); + out->words[2] = (tmp2[2] >> 16) | (tmp2[3] << 40); + out->words[3] = tmp2[3] >> 24; } @@ -865,12 +848,13 @@ static void p224_select_point(const uint64_t idx, size_t size, } } -// p224_get_bit returns the |i|th bit in |in| -static crypto_word_t p224_get_bit(const p224_felem_bytearray in, size_t i) { +// p224_get_bit returns the |i|th bit in |in|. +static crypto_word_t p224_get_bit(const EC_SCALAR *in, size_t i) { if (i >= 224) { return 0; } - return (in[i >> 3] >> (i & 7)) & 1; + static_assert(sizeof(in->words[0]) == 8, "BN_ULONG is not 64-bit"); + return (in->words[i >> 6] >> (i & 63)) & 1; } // Takes the Jacobian coordinates (X, Y, Z) of a point and returns @@ -977,12 +961,12 @@ static void ec_GFp_nistp224_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, // Add every 5 doublings. if (i % 5 == 0) { - crypto_word_t bits = p224_get_bit(scalar->bytes, i + 4) << 5; - bits |= p224_get_bit(scalar->bytes, i + 3) << 4; - bits |= p224_get_bit(scalar->bytes, i + 2) << 3; - bits |= p224_get_bit(scalar->bytes, i + 1) << 2; - bits |= p224_get_bit(scalar->bytes, i) << 1; - bits |= p224_get_bit(scalar->bytes, i - 1); + crypto_word_t bits = p224_get_bit(scalar, i + 4) << 5; + bits |= p224_get_bit(scalar, i + 3) << 4; + bits |= p224_get_bit(scalar, i + 2) << 3; + bits |= p224_get_bit(scalar, i + 1) << 2; + bits |= p224_get_bit(scalar, i) << 1; + bits |= p224_get_bit(scalar, i - 1); crypto_word_t sign, digit; ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); 
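Review bot: `p224_get_bit` now relies on `static_assert`, which in C is the C11 `<assert.h>` macro (or whatever compatibility definition BoringSSL's internal headers provide); it is the only such use visible in this chunk, so if the Swift package compiles this target under an older C standard this is where the build would fail. Package.swift is modified by this PR but not visible here, so please confirm the C settings and CI matrix cover it. On the indexing itself, `in->words[i >> 6]` for `i < 224` touches words 0–3, which matches the four-word layout that `p224_felem_to_generic` writes and the `EC_SCALAR` struct introduced in the ec/internal.h hunk at L243, assuming `EC_MAX_WORDS` is at least four.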
@@ -1022,10 +1006,10 @@ static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group, } // First, look 28 bits upwards. - crypto_word_t bits = p224_get_bit(scalar->bytes, i + 196) << 3; - bits |= p224_get_bit(scalar->bytes, i + 140) << 2; - bits |= p224_get_bit(scalar->bytes, i + 84) << 1; - bits |= p224_get_bit(scalar->bytes, i + 28); + crypto_word_t bits = p224_get_bit(scalar, i + 196) << 3; + bits |= p224_get_bit(scalar, i + 140) << 2; + bits |= p224_get_bit(scalar, i + 84) << 1; + bits |= p224_get_bit(scalar, i + 28); // Select the point to add, in constant time. p224_select_point(bits, 16, g_p224_pre_comp[1], tmp); @@ -1038,10 +1022,10 @@ static void ec_GFp_nistp224_point_mul_base(const EC_GROUP *group, } // Second, look at the current position/ - bits = p224_get_bit(scalar->bytes, i + 168) << 3; - bits |= p224_get_bit(scalar->bytes, i + 112) << 2; - bits |= p224_get_bit(scalar->bytes, i + 56) << 1; - bits |= p224_get_bit(scalar->bytes, i); + bits = p224_get_bit(scalar, i + 168) << 3; + bits |= p224_get_bit(scalar, i + 112) << 2; + bits |= p224_get_bit(scalar, i + 56) << 1; + bits |= p224_get_bit(scalar, i); // Select the point to add, in constant time. p224_select_point(bits, 16, g_p224_pre_comp[0], tmp); p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */, 
@@ -1080,10 +1064,10 @@ static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group, // Add multiples of the generator. if (i <= 27) { // First, look 28 bits upwards. - crypto_word_t bits = p224_get_bit(g_scalar->bytes, i + 196) << 3; - bits |= p224_get_bit(g_scalar->bytes, i + 140) << 2; - bits |= p224_get_bit(g_scalar->bytes, i + 84) << 1; - bits |= p224_get_bit(g_scalar->bytes, i + 28); + crypto_word_t bits = p224_get_bit(g_scalar, i + 196) << 3; + bits |= p224_get_bit(g_scalar, i + 140) << 2; + bits |= p224_get_bit(g_scalar, i + 84) << 1; + bits |= p224_get_bit(g_scalar, i + 28); size_t index = (size_t)bits; p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */, @@ -1092,10 +1076,10 @@ static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group, assert(!skip); // Second, look at the current position. - bits = p224_get_bit(g_scalar->bytes, i + 168) << 3; - bits |= p224_get_bit(g_scalar->bytes, i + 112) << 2; - bits |= p224_get_bit(g_scalar->bytes, i + 56) << 1; - bits |= p224_get_bit(g_scalar->bytes, i); + bits = p224_get_bit(g_scalar, i + 168) << 3; + bits |= p224_get_bit(g_scalar, i + 112) << 2; + bits |= p224_get_bit(g_scalar, i + 56) << 1; + bits |= p224_get_bit(g_scalar, i); index = (size_t)bits; p224_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], 1 /* mixed */, g_p224_pre_comp[0][index][0], g_p224_pre_comp[0][index][1], 
@@ -1104,12 +1088,12 @@ static void ec_GFp_nistp224_point_mul_public(const EC_GROUP *group, // Incorporate |p_scalar| every 5 doublings. if (i % 5 == 0) { - crypto_word_t bits = p224_get_bit(p_scalar->bytes, i + 4) << 5; - bits |= p224_get_bit(p_scalar->bytes, i + 3) << 4; - bits |= p224_get_bit(p_scalar->bytes, i + 2) << 3; - bits |= p224_get_bit(p_scalar->bytes, i + 1) << 2; - bits |= p224_get_bit(p_scalar->bytes, i) << 1; - bits |= p224_get_bit(p_scalar->bytes, i - 1); + crypto_word_t bits = p224_get_bit(p_scalar, i + 4) << 5; + bits |= p224_get_bit(p_scalar, i + 3) << 4; + bits |= p224_get_bit(p_scalar, i + 2) << 3; + bits |= p224_get_bit(p_scalar, i + 1) << 2; + bits |= p224_get_bit(p_scalar, i) << 1; + bits |= p224_get_bit(p_scalar, i - 1); crypto_word_t sign, digit; ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64-table.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz-table.h similarity index 99% rename from Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64-table.h rename to Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz-table.h index 3af0b016..b81480bd 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64-table.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz-table.h @@ -9,7 +9,7 @@ */ // This is the precomputed constant time access table for the code in -// p256-x86_64.c, for the default generator. The table consists of 37 +// p256-nistz.c, for the default generator. The table consists of 37 // subtables, each subtable contains 64 affine points. The affine points are // encoded as eight uint64's, four for the x coordinate and four for the y. // Both values are in little-endian order. There are 37 tables because a 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c similarity index 97% rename from Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64.c rename to Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c index 34dc23d5..fd771373 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.c @@ -23,20 +23,17 @@ #include #include -#include #include #include -#include - #include "../bn/internal.h" #include "../delocate.h" #include "../../internal.h" #include "internal.h" -#include "p256-x86_64.h" - +#include "p256-nistz.h" -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) typedef P256_POINT_AFFINE PRECOMP256_ROW[64]; @@ -48,7 +45,7 @@ static const BN_ULONG ONE[P256_LIMBS] = { }; // Precomputed tables for the default generator -#include "p256-x86_64-table.h" +#include "p256-nistz-table.h" // Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in // util.c for details @@ -204,7 +201,7 @@ static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, // ~1599 ((96 * 16) + 63) bytes of stack space. alignas(64) P256_POINT table[16]; uint8_t p_str[33]; - OPENSSL_memcpy(p_str, p_scalar->bytes, 32); + OPENSSL_memcpy(p_str, p_scalar->words, 32); p_str[32] = 0; // table[0] is implicitly (0,0,0) (the point at infinity), therefore it is @@ -324,7 +321,7 @@ static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_RAW_POINT *r, alignas(32) p256_point_union_t t, p; uint8_t p_str[33]; - OPENSSL_memcpy(p_str, scalar->bytes, 32); + OPENSSL_memcpy(p_str, scalar->words, 32); p_str[32] = 0; // First window 
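Review bot: `OPENSSL_memcpy(p_str, p_scalar->words, 32);` in ecp_nistz256_windowed_mul (and the matching copies from `scalar->words` in ecp_nistz256_point_mul_base here and from `g_scalar->words` in ecp_nistz256_points_mul_public in the next hunk) feeds the assembly's byte-oriented scalar straight from the `BN_ULONG words[]` storage, so it only reproduces the old `bytes` field when limbs are stored little-endian. This commit also widens the build gate to AArch64 and elsewhere guards the ghash assembly on `__AARCH64EB__`, so the layout assumption deserves to be written down next to the copy, e.g. `// |words| is little-endian on every target this file builds for, so its bytes are the little-endian scalar the assembly expects.` I am inferring that assumption rather than reading it off the hunk; please confirm it against the build gates before relying on the comment. Each of these functions starts before and ends after its hunk.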
@@ -369,7 +366,7 @@ static void ecp_nistz256_points_mul_public(const EC_GROUP *group, alignas(32) p256_point_union_t t, p; uint8_t p_str[33]; - OPENSSL_memcpy(p_str, g_scalar->bytes, 32); + OPENSSL_memcpy(p_str, g_scalar->words, 32); p_str[32] = 0; // First window @@ -557,10 +554,12 @@ static void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out, static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *out, const EC_SCALAR *in) { - if ((OPENSSL_ia32cap_get()[1] & (1 << 28)) == 0) { +#if defined(OPENSSL_X86_64) + if (!CRYPTO_is_AVX_capable()) { // No AVX support; fallback to generic code. return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in); } +#endif assert(group->order.width == P256_LIMBS); if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.d)) { @@ -631,5 +630,6 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) { out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate; } -#endif /* !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ +#endif /* !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) */ diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.h similarity index 95% rename from Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64.h rename to Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.h index 5af98a13..693a7218 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-x86_64.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256-nistz.h @@ -30,7 +30,8 @@ extern "C" { #endif -#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_SMALL) // P-256 field operations. 
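Review bot: With the AVX check now wrapped in `#if defined(OPENSSL_X86_64)`, ecp_nistz256_scalar_to_montgomery_inv_vartime calls `beeu_mod_inverse_vartime` unconditionally on AArch64, yet the surviving comment `// No AVX support; fallback to generic code.` still reads as if the fallback applied to every target. Making the per-architecture contract explicit above the `#if` would avoid that misreading: `// The x86_64 |beeu_mod_inverse_vartime| requires AVX; other targets are assumed to provide it without a runtime feature check.` I am inferring from the widened build gate in this file's header hunk that an AArch64 implementation exists; please confirm, since a missing symbol would only surface at link time on that target. The function continues past the hunk.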
@@ -142,8 +143,9 @@ void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a, void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a, const P256_POINT_AFFINE *b); -#endif /* !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && \ - !defined(OPENSSL_SMALL) */ +#endif /* !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ + !defined(OPENSSL_SMALL) */ #if defined(__cplusplus) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c index fedd981e..1b3efd3b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/p256.c @@ -31,8 +31,10 @@ #include "../delocate.h" #include "./internal.h" +#if defined(OPENSSL_NO_ASM) +#define FIAT_P256_NO_ASM +#endif -// MSVC does not implement uint128_t, and crashes with intrinsics #if defined(BORINGSSL_HAS_UINT128) #define BORINGSSL_NISTP256_64BIT 1 #include "../../../third_party/fiat/p256_64.h" 
@@ -79,17 +81,22 @@ static void fiat_p256_cmovznz(fiat_p256_limb_t out[FIAT_P256_NLIMBS], fiat_p256_selectznz(out, !!t, z, nz); } +static void fiat_p256_from_words(fiat_p256_felem out, + const BN_ULONG in[32 / sizeof(BN_ULONG)]) { + // Typically, |BN_ULONG| and |fiat_p256_limb_t| will be the same type, but on + // 64-bit platforms without |uint128_t|, they are different. However, on + // little-endian systems, |uint64_t[4]| and |uint32_t[8]| have the same + // layout. + OPENSSL_memcpy(out, in, 32); +} + static void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) { - fiat_p256_from_bytes(out, in->bytes); + fiat_p256_from_words(out, in->words); } static void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) { - // This works because 256 is a multiple of 64, so there are no excess bytes to - // zero when rounding up to |BN_ULONG|s. - OPENSSL_STATIC_ASSERT( - 256 / 8 == sizeof(BN_ULONG) * ((256 + BN_BITS2 - 1) / BN_BITS2), - "fiat_p256_to_bytes leaves bytes uninitialized"); - fiat_p256_to_bytes(out->bytes, in); + // See |fiat_p256_from_words|. + OPENSSL_memcpy(out->words, in, 32); } // fiat_p256_inv_square calculates |out| = |in|^{-2} @@ -392,12 +399,18 @@ static void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size, } } -// fiat_p256_get_bit returns the |i|th bit in |in| -static crypto_word_t fiat_p256_get_bit(const uint8_t *in, int i) { +// fiat_p256_get_bit returns the |i|th bit in |in|. +static crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) { if (i < 0 || i >= 256) { return 0; } - return (in[i >> 3] >> (i & 7)) & 1; +#if defined(OPENSSL_64_BIT) + static_assert(sizeof(BN_ULONG) == 8, "BN_ULONG was not 64-bit"); + return (in->words[i >> 6] >> (i & 63)) & 1; +#else + static_assert(sizeof(BN_ULONG) == 4, "BN_ULONG was not 32-bit"); + return (in->words[i >> 5] >> (i & 31)) & 1; +#endif } // OPENSSL EC_METHOD FUNCTIONS 
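Review bot: fiat_p256_from_words and fiat_p256_to_generic depend on `sizeof(fiat_p256_felem)` being exactly 32 bytes for `OPENSSL_memcpy(..., 32)` to neither truncate nor over-read, but the new comment carries that argument only in prose. The file already uses `static_assert` (see the fiat_p256_get_bit hunk below), so the size half of the assumption can be checked at compile time with `static_assert(sizeof(fiat_p256_felem) == 32, "fiat_p256_felem is not 32 bytes");` at the top of fiat_p256_from_words. The little-endian half cannot be asserted from anything visible in this hunk; a sentence in the comment stating that a big-endian build would need a real limb conversion would at least keep it from being silently violated.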
@@ -498,12 +511,12 @@ static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_RAW_POINT *r, // do other additions every 5 doublings if (i % 5 == 0) { - crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 4) << 5; - bits |= fiat_p256_get_bit(scalar->bytes, i + 3) << 4; - bits |= fiat_p256_get_bit(scalar->bytes, i + 2) << 3; - bits |= fiat_p256_get_bit(scalar->bytes, i + 1) << 2; - bits |= fiat_p256_get_bit(scalar->bytes, i) << 1; - bits |= fiat_p256_get_bit(scalar->bytes, i - 1); + crypto_word_t bits = fiat_p256_get_bit(scalar, i + 4) << 5; + bits |= fiat_p256_get_bit(scalar, i + 3) << 4; + bits |= fiat_p256_get_bit(scalar, i + 2) << 3; + bits |= fiat_p256_get_bit(scalar, i + 1) << 2; + bits |= fiat_p256_get_bit(scalar, i) << 1; + bits |= fiat_p256_get_bit(scalar, i - 1); crypto_word_t sign, digit; ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); @@ -543,10 +556,10 @@ static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group, } // First, look 32 bits upwards. - crypto_word_t bits = fiat_p256_get_bit(scalar->bytes, i + 224) << 3; - bits |= fiat_p256_get_bit(scalar->bytes, i + 160) << 2; - bits |= fiat_p256_get_bit(scalar->bytes, i + 96) << 1; - bits |= fiat_p256_get_bit(scalar->bytes, i + 32); + crypto_word_t bits = fiat_p256_get_bit(scalar, i + 224) << 3; + bits |= fiat_p256_get_bit(scalar, i + 160) << 2; + bits |= fiat_p256_get_bit(scalar, i + 96) << 1; + bits |= fiat_p256_get_bit(scalar, i + 32); // Select the point to add, in constant time. fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15, fiat_p256_g_pre_comp[1], tmp); 
@@ -562,10 +575,10 @@ static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group, } // Second, look at the current position. - bits = fiat_p256_get_bit(scalar->bytes, i + 192) << 3; - bits |= fiat_p256_get_bit(scalar->bytes, i + 128) << 2; - bits |= fiat_p256_get_bit(scalar->bytes, i + 64) << 1; - bits |= fiat_p256_get_bit(scalar->bytes, i); + bits = fiat_p256_get_bit(scalar, i + 192) << 3; + bits |= fiat_p256_get_bit(scalar, i + 128) << 2; + bits |= fiat_p256_get_bit(scalar, i + 64) << 1; + bits |= fiat_p256_get_bit(scalar, i); // Select the point to add, in constant time. fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15, fiat_p256_g_pre_comp[0], tmp); @@ -615,10 +628,10 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group, // constant-time lookup. if (i <= 31) { // First, look 32 bits upwards. - crypto_word_t bits = fiat_p256_get_bit(g_scalar->bytes, i + 224) << 3; - bits |= fiat_p256_get_bit(g_scalar->bytes, i + 160) << 2; - bits |= fiat_p256_get_bit(g_scalar->bytes, i + 96) << 1; - bits |= fiat_p256_get_bit(g_scalar->bytes, i + 32); + crypto_word_t bits = fiat_p256_get_bit(g_scalar, i + 224) << 3; + bits |= fiat_p256_get_bit(g_scalar, i + 160) << 2; + bits |= fiat_p256_get_bit(g_scalar, i + 96) << 1; + bits |= fiat_p256_get_bit(g_scalar, i + 32); if (bits != 0) { size_t index = (size_t)(bits - 1); fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2], 
@@ -629,10 +642,10 @@ static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group, } // Second, look at the current position. - bits = fiat_p256_get_bit(g_scalar->bytes, i + 192) << 3; - bits |= fiat_p256_get_bit(g_scalar->bytes, i + 128) << 2; - bits |= fiat_p256_get_bit(g_scalar->bytes, i + 64) << 1; - bits |= fiat_p256_get_bit(g_scalar->bytes, i); + bits = fiat_p256_get_bit(g_scalar, i + 192) << 3; + bits |= fiat_p256_get_bit(g_scalar, i + 128) << 2; + bits |= fiat_p256_get_bit(g_scalar, i + 64) << 1; + bits |= fiat_p256_get_bit(g_scalar, i); if (bits != 0) { size_t index = (size_t)(bits - 1); fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2], @@ -685,7 +698,7 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, fiat_p256_mul(Z2_mont, Z2_mont, Z2_mont); fiat_p256_felem r_Z2; - fiat_p256_from_bytes(r_Z2, r->bytes); // r < order < p, so this is valid. + fiat_p256_from_words(r_Z2, r->words); // r < order < p, so this is valid. fiat_p256_mul(r_Z2, r_Z2, Z2_mont); fiat_p256_felem X; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c index 1c40c37a..71c801b8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/scalar.c @@ -54,9 +54,7 @@ int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, const EC_SCALAR *in) { size_t len = BN_num_bytes(&group->order); - for (size_t i = 0; i < len; i++) { - out[len - i - 1] = in->bytes[i]; - } + bn_words_to_big_endian(out, len, in->words, group->order.width); *out_len = len; } 
@@ -67,11 +65,7 @@ int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, return 0; } - OPENSSL_memset(out, 0, sizeof(EC_SCALAR)); - - for (size_t i = 0; i < len; i++) { - out->bytes[i] = in[len - i - 1]; - } + bn_big_endian_to_words(out->words, group->order.width, in, len); if (!bn_less_than_words(out->words, group->order.d, group->order.width)) { OPENSSL_PUT_ERROR(EC, EC_R_INVALID_SCALAR); diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c index 6956175e..66a6b88c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ec/simple.c @@ -330,9 +330,7 @@ int ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_RAW_POINT *p, void ec_GFp_simple_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, const EC_FELEM *in) { size_t len = BN_num_bytes(&group->field); - for (size_t i = 0; i < len; i++) { - out[i] = in->bytes[len - 1 - i]; - } + bn_words_to_big_endian(out, len, in->words, group->field.width); *out_len = len; } @@ -343,10 +341,7 @@ int ec_GFp_simple_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, return 0; } - OPENSSL_memset(out, 0, sizeof(EC_FELEM)); - for (size_t i = 0; i < len; i++) { - out->bytes[i] = in[len - 1 - i]; - } + bn_big_endian_to_words(out->words, group->field.width, in, len); if (!bn_less_than_words(out->words, group->field.d, group->field.width)) { OPENSSL_PUT_ERROR(EC, EC_R_DECODE_ERROR); diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdh/ecdh.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdh/ecdh.c index 96644422..4d8556fe 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdh/ecdh.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdh/ecdh.c 
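Review bot: Dropping `OPENSSL_memset(out, 0, sizeof(EC_SCALAR));` in ec_scalar_from_bytes means words of `out` beyond `group->order.width` are no longer written, whereas the old code zeroed the whole struct; any consumer that reads, compares or copies the full `words` array of a stack-allocated `EC_SCALAR` would now see uninitialised memory. Whether this is safe rests on `bn_big_endian_to_words` writing all `width` words (including zero-padding when `len` is shorter) and on every consumer confining itself to `width` words; neither is visible in this hunk, so please confirm both. The same memset removal appears in ec_GFp_simple_felem_from_bytes (the simple.c hunk on this line) and in digest_to_scalar in ecdsa.c. All three functions start before their hunks.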
@@ -75,10 +75,13 @@ #include #include "../ec/internal.h" +#include "../../internal.h" int ECDH_compute_key_fips(uint8_t *out, size_t out_len, const EC_POINT *pub_key, const EC_KEY *priv_key) { + boringssl_ensure_ecc_self_test(); + if (priv_key->priv_key == NULL) { OPENSSL_PUT_ERROR(ECDH, ECDH_R_NO_PRIVATE_VALUE); return 0; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c index 889891dc..d61b9882 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/ecdsa.c @@ -68,8 +68,7 @@ // digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for -// ECDSA. Note this value is not fully reduced modulo the order, only the -// correct number of bits. +// ECDSA. static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const uint8_t *digest, size_t digest_len) { const BIGNUM *order = &group->order; @@ -79,10 +78,7 @@ static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out, if (digest_len > num_bytes) { digest_len = num_bytes; } - OPENSSL_memset(out, 0, sizeof(EC_SCALAR)); - for (size_t i = 0; i < digest_len; i++) { - out->bytes[i] = digest[digest_len - 1 - i]; - } + bn_big_endian_to_words(out->words, order->width, digest, digest_len); // If it is still too long, truncate remaining bits with a shift. if (8 * digest_len > num_bits) { @@ -152,8 +148,8 @@ int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) { return 1; } -int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, - const ECDSA_SIG *sig, const EC_KEY *eckey) { +int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len, + const ECDSA_SIG *sig, const EC_KEY *eckey) { const EC_GROUP *group = EC_KEY_get0_group(eckey); const EC_POINT *pub_key = EC_KEY_get0_public_key(eckey); if (group == NULL || pub_key == NULL || sig == NULL) { 
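Review bot: The rewritten comment on digest_to_scalar drops the caveat that the result is not fully reduced modulo the order, but nothing in this hunk adds a reduction; the shift that follows (`// If it is still too long, truncate remaining bits with a shift.`) only bounds the value to the order's bit width, which still admits values in [order, 2^num_bits). If a reduction step exists further down the function, outside the hunk, the new wording is fine; otherwise the old sentence should be restored, since a caller that assumes a reduced scalar would be misled. The function's body continues past the hunk.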
@@ -199,6 +195,13 @@ int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, return 1; } +int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, + const ECDSA_SIG *sig, const EC_KEY *eckey) { + boringssl_ensure_ecc_self_test(); + + return ecdsa_do_verify_no_self_test(digest, digest_len, sig, eckey); +} + static ECDSA_SIG *ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, const EC_SCALAR *priv_key, const EC_SCALAR *k, const uint8_t *digest, size_t digest_len) { @@ -293,12 +296,16 @@ ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest, ECDSA_SIG *ECDSA_sign_with_nonce_and_leak_private_key_for_testing( const uint8_t *digest, size_t digest_len, const EC_KEY *eckey, const uint8_t *nonce, size_t nonce_len) { + boringssl_ensure_ecc_self_test(); + return ecdsa_sign_with_nonce_for_known_answer_test(digest, digest_len, eckey, nonce, nonce_len); } ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len, const EC_KEY *eckey) { + boringssl_ensure_ecc_self_test(); + if (eckey->ecdsa_meth && eckey->ecdsa_meth->sign) { OPENSSL_PUT_ERROR(ECDSA, ECDSA_R_NOT_IMPLEMENTED); return NULL; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/internal.h index 95c9067c..a5cb953b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ecdsa/internal.h @@ -31,6 +31,12 @@ ECDSA_SIG *ecdsa_sign_with_nonce_for_known_answer_test(const uint8_t *digest, const uint8_t *nonce, size_t nonce_len); +// ecdsa_do_verify_no_self_test does the same as |ECDSA_do_verify|, but doesn't +// try to run the self-test first. This is for use in the self tests themselves, +// to prevent an infinite loop. +int ecdsa_do_verify_no_self_test(const uint8_t *digest, size_t digest_len, + const ECDSA_SIG *sig, const EC_KEY *eckey); + #if defined(__cplusplus) } 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.linux.x86.S index 231f00ab..e1a06721 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.windows.x86.S index c4996839..596038c5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.linux.x86_64.S index c8f55a8b..49338446 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.linux.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.mac.x86_64.S index 7d4ad20e..758e2120 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-ssse3-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.linux.x86.S index 20a1a01c..5268d7ab 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.windows.x86.S index c5dd8beb..1436ba42 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.linux.x86_64.S index dad7a86e..ac236d6e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.mac.x86_64.S index a8eda109..c4a57a8e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghash-x86_64.mac.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.ios.aarch64.S index 23c949a1..5457e152 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.ios.aarch64.S @@ -121,7 +121,7 @@ _gcm_gmult_v8: movi v19.16b,#0xe1 ld1 {v20.2d,v21.2d},[x1] //load twisted H, ... shl v19.2d,v19.2d,#57 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v17.16b,v17.16b #endif ext v3.16b,v17.16b,v17.16b,#8 @@ -146,7 +146,7 @@ _gcm_gmult_v8: eor v18.16b,v18.16b,v2.16b eor v0.16b,v0.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b #endif ext v0.16b,v0.16b,v0.16b,#8 @@ -185,14 +185,14 @@ _gcm_ghash_v8: ext v0.16b,v0.16b,v0.16b,#8 //rotate Xi ld1 {v16.2d},[x2],#16 //load [rotated] I[0] shl v19.2d,v19.2d,#57 //compose 0xc2.0 constant -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v16.16b,v16.16b rev64 v0.16b,v0.16b #endif ext v3.16b,v16.16b,v16.16b,#8 //rotate I[0] b.lo Lodd_tail_v8 //x3 was less than 32 ld1 {v17.2d},[x2],x12 //load [rotated] I[1] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v17.16b,v17.16b #endif ext v7.16b,v17.16b,v17.16b,#8 
@@ -224,13 +224,13 @@ Loop_mod2x_v8: eor v18.16b,v0.16b,v2.16b eor v1.16b,v1.16b,v17.16b ld1 {v17.2d},[x2],x12 //load [rotated] I[i+3] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v16.16b,v16.16b #endif eor v1.16b,v1.16b,v18.16b pmull v18.1q,v0.1d,v19.1d //1st phase of reduction -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v17.16b,v17.16b #endif ins v2.d[0],v1.d[1] @@ -280,7 +280,7 @@ Lodd_tail_v8: eor v0.16b,v0.16b,v18.16b Ldone_v8: -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b #endif ext v0.16b,v0.16b,v0.16b,#8 @@ -299,7 +299,7 @@ Lgcm_ghash_v8_4x: shl v19.2d,v19.2d,#57 //compose 0xc2.0 constant ld1 {v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b rev64 v5.16b,v5.16b rev64 v6.16b,v6.16b @@ -343,7 +343,7 @@ Loop4x: eor v16.16b,v4.16b,v0.16b ld1 {v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64 ext v3.16b,v16.16b,v16.16b,#8 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v5.16b,v5.16b rev64 v6.16b,v6.16b rev64 v7.16b,v7.16b @@ -426,7 +426,7 @@ Lthree: eor v1.16b,v1.16b,v17.16b ld1 {v4.2d,v5.2d,v6.2d},[x2] eor v1.16b,v1.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v5.16b,v5.16b rev64 v6.16b,v6.16b rev64 v4.16b,v4.16b @@ -478,7 +478,7 @@ Ltwo: eor v1.16b,v1.16b,v17.16b ld1 {v4.2d,v5.2d},[x2] eor v1.16b,v1.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v5.16b,v5.16b rev64 v4.16b,v4.16b #endif @@ -521,7 +521,7 @@ Lone: eor v1.16b,v1.16b,v17.16b ld1 {v4.2d},[x2] eor v1.16b,v1.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v4.16b,v4.16b #endif @@ -561,7 +561,7 @@ Ldone4x: eor v0.16b,v0.16b,v18.16b ext v0.16b,v0.16b,v0.16b,#8 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b #endif st1 {v0.2d},[x0] //write out Xi diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.linux.aarch64.S index bc1343e7..4e3fa61f 100644 
--- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/ghashv8-armx64.linux.aarch64.S @@ -122,7 +122,7 @@ gcm_gmult_v8: movi v19.16b,#0xe1 ld1 {v20.2d,v21.2d},[x1] //load twisted H, ... shl v19.2d,v19.2d,#57 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v17.16b,v17.16b #endif ext v3.16b,v17.16b,v17.16b,#8 @@ -147,7 +147,7 @@ gcm_gmult_v8: eor v18.16b,v18.16b,v2.16b eor v0.16b,v0.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b #endif ext v0.16b,v0.16b,v0.16b,#8 @@ -186,14 +186,14 @@ gcm_ghash_v8: ext v0.16b,v0.16b,v0.16b,#8 //rotate Xi ld1 {v16.2d},[x2],#16 //load [rotated] I[0] shl v19.2d,v19.2d,#57 //compose 0xc2.0 constant -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v16.16b,v16.16b rev64 v0.16b,v0.16b #endif ext v3.16b,v16.16b,v16.16b,#8 //rotate I[0] b.lo .Lodd_tail_v8 //x3 was less than 32 ld1 {v17.2d},[x2],x12 //load [rotated] I[1] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v17.16b,v17.16b #endif ext v7.16b,v17.16b,v17.16b,#8 @@ -225,13 +225,13 @@ gcm_ghash_v8: eor v18.16b,v0.16b,v2.16b eor v1.16b,v1.16b,v17.16b ld1 {v17.2d},[x2],x12 //load [rotated] I[i+3] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v16.16b,v16.16b #endif eor v1.16b,v1.16b,v18.16b pmull v18.1q,v0.1d,v19.1d //1st phase of reduction -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v17.16b,v17.16b #endif ins v2.d[0],v1.d[1] @@ -281,7 +281,7 @@ gcm_ghash_v8: eor v0.16b,v0.16b,v18.16b .Ldone_v8: -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b #endif ext v0.16b,v0.16b,v0.16b,#8 @@ -300,7 +300,7 @@ gcm_ghash_v8_4x: shl v19.2d,v19.2d,#57 //compose 0xc2.0 constant ld1 {v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b rev64 v5.16b,v5.16b rev64 v6.16b,v6.16b 
@@ -344,7 +344,7 @@ gcm_ghash_v8_4x: eor v16.16b,v4.16b,v0.16b ld1 {v4.2d,v5.2d,v6.2d,v7.2d},[x2],#64 ext v3.16b,v16.16b,v16.16b,#8 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v5.16b,v5.16b rev64 v6.16b,v6.16b rev64 v7.16b,v7.16b @@ -427,7 +427,7 @@ gcm_ghash_v8_4x: eor v1.16b,v1.16b,v17.16b ld1 {v4.2d,v5.2d,v6.2d},[x2] eor v1.16b,v1.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v5.16b,v5.16b rev64 v6.16b,v6.16b rev64 v4.16b,v4.16b @@ -479,7 +479,7 @@ gcm_ghash_v8_4x: eor v1.16b,v1.16b,v17.16b ld1 {v4.2d,v5.2d},[x2] eor v1.16b,v1.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v5.16b,v5.16b rev64 v4.16b,v4.16b #endif @@ -522,7 +522,7 @@ gcm_ghash_v8_4x: eor v1.16b,v1.16b,v17.16b ld1 {v4.2d},[x2] eor v1.16b,v1.16b,v18.16b -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v4.16b,v4.16b #endif @@ -562,7 +562,7 @@ gcm_ghash_v8_4x: eor v0.16b,v0.16b,v18.16b ext v0.16b,v0.16b,v0.16b,#8 -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev64 v0.16b,v0.16b #endif st1 {v0.2d},[x0] //write out Xi diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/hmac/hmac.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/hmac/hmac.c index 5956200a..cac981f5 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/hmac/hmac.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/hmac/hmac.c @@ -102,6 +102,13 @@ void HMAC_CTX_cleanup(HMAC_CTX *ctx) { OPENSSL_cleanse(ctx, sizeof(HMAC_CTX)); } +void HMAC_CTX_cleanse(HMAC_CTX *ctx) { + EVP_MD_CTX_cleanse(&ctx->i_ctx); + EVP_MD_CTX_cleanse(&ctx->o_ctx); + EVP_MD_CTX_cleanse(&ctx->md_ctx); + OPENSSL_cleanse(ctx, sizeof(HMAC_CTX)); +} + void HMAC_CTX_free(HMAC_CTX *ctx) { if (ctx == NULL) { return; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md4/md4.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md4/md4.c index 19ac8fc8..f5ea9a33 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md4/md4.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md4/md4.c 
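Review bot: The new HMAC_CTX_cleanse has no comment separating it from HMAC_CTX_cleanup directly above, whose body is mostly outside the hunk but ends with the same `OPENSSL_cleanse(ctx, sizeof(HMAC_CTX));`. A one-line comment would tell a maintainer which to call: `// Like |HMAC_CTX_cleanup|, but zeroes the state of the three inner digest contexts via |EVP_MD_CTX_cleanse| before releasing them.` That wording assumes EVP_MD_CTX_cleanse zeroes the digest state and then performs the cleanup; its definition is not in this hunk, so check it against the header comment. The final OPENSSL_cleanse only covers the HMAC_CTX struct itself, which is why the per-context calls must come first.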
@@ -72,7 +72,7 @@ uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]) { return out; } -// Implemented from RFC1186 The MD4 Message-Digest Algorithm. +// Implemented from RFC 1186 The MD4 Message-Digest Algorithm. int MD4_Init(MD4_CTX *md4) { OPENSSL_memset(md4, 0, sizeof(MD4_CTX)); @@ -113,24 +113,22 @@ int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *c) { #define G(b, c, d) (((b) & (c)) | ((b) & (d)) | ((c) & (d))) #define H(b, c, d) ((b) ^ (c) ^ (d)) -#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) - #define R0(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + F((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ } while (0) #define R1(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + G((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ } while (0) #define R2(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + H((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ } while (0) void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) { @@ -237,7 +235,6 @@ void md4_block_data_order(uint32_t *state, const uint8_t *data, size_t num) { #undef F #undef G #undef H -#undef ROTATE #undef R0 #undef R1 #undef R2 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.linux.x86.S index a562f4e8..dc2e2c10 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) 
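Review bot: In the `R0`/`R1`/`R2` macros the new `(a) = CRYPTO_rotl_u32(a, s);` passes `a` and `s` bare while the same macro bodies parenthesize every other argument (`F((b), (c), (d))`, `(a) += ((k) + (t) ...)`), which is inconsistent in style; `(a) = CRYPTO_rotl_u32((a), (s));` would match the rest of the macro. Since `CRYPTO_rotl_u32` is a function rather than a macro this is presumably harmless for correctness, but the mixed convention invites a future edit to add an expression argument without parentheses. The same pattern appears in the four `R0`..`R3` macros of the md5.c hunk further down this page.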
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.windows.x86.S index ca4df072..cad8f621 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-586.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.linux.x86_64.S index 74f8c470..c70d5498 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.mac.x86_64.S index fe31ccf7..19808324 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5-x86_64.mac.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5/md5.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5/md5.c index 5c5f3ff1..604a4db7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5/md5.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/md5/md5.c @@ -119,33 +119,31 @@ int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *c) { #define H(b, c, d) ((b) ^ (c) ^ (d)) #define I(b, c, d) (((~(d)) | (b)) ^ (c)) -#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) - #define R0(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + F((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ (a) += (b); \ } while (0) #define R1(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + G((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ (a) += (b); \ } while (0) #define R2(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + H((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ (a) += (b); \ } while (0) #define R3(a, b, c, d, k, s, t) \ do { \ (a) += ((k) + (t) + I((b), (c), (d))); \ - (a) = ROTATE(a, s); \ + (a) = CRYPTO_rotl_u32(a, s); \ (a) += (b); \ } while (0) @@ -280,7 +278,6 @@ static void md5_block_data_order(uint32_t *state, const uint8_t *data, #undef G #undef H #undef I -#undef ROTATE #undef R0 #undef R1 #undef R2 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm.c index d98f71ac..03d62e3e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm.c @@ -52,7 +52,6 @@ #include #include -#include #include "internal.h" #include "../../internal.h" @@ -153,7 +152,7 @@ void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, #if defined(GHASH_ASM_X86_64) if (crypto_gcm_clmul_enabled()) { - if (((OPENSSL_ia32cap_get()[1] >> 22) & 0x41) == 0x41) { // AVX+MOVBE + if (CRYPTO_is_AVX_capable() && CRYPTO_is_MOVBE_capable()) { gcm_init_avx(out_table, H.u); *out_mult = gcm_gmult_avx; *out_hash = gcm_ghash_avx; @@ -165,7 +164,7 @@ void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, *out_hash = gcm_ghash_clmul; return; } - if (gcm_ssse3_capable()) { + if (CRYPTO_is_SSSE3_capable()) { gcm_init_ssse3(out_table, H.u); *out_mult = gcm_gmult_ssse3; *out_hash = gcm_ghash_ssse3; @@ -178,7 +177,7 @@ void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, *out_hash = gcm_ghash_clmul; return; } - if (gcm_ssse3_capable()) { + if (CRYPTO_is_SSSE3_capable()) { gcm_init_ssse3(out_table, H.u); *out_mult = gcm_gmult_ssse3; *out_hash = gcm_ghash_ssse3; @@ -723,9 +722,7 @@ void CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len) { #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) int crypto_gcm_clmul_enabled(void) { #if defined(GHASH_ASM_X86) || defined(GHASH_ASM_X86_64) - const uint32_t *ia32cap = OPENSSL_ia32cap_get(); - return (ia32cap[0] & (1 << 24)) && // check FXSR bit - (ia32cap[1] & (1 << 1)); // check PCLMULQDQ bit + return CRYPTO_is_FXSR_capable() && CRYPTO_is_PCLMUL_capable(); #else return 0; #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c index a368dbef..e77e304f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/gcm_nohw.c 
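Review bot: In `crypto_gcm_clmul_enabled` the replacement `return CRYPTO_is_FXSR_capable() && CRYPTO_is_PCLMUL_capable();` drops the only comments that named the two CPUID bits, and neither the old nor the new code says why FXSR is required alongside PCLMULQDQ for the CLMUL GHASH path. A one-line why-comment would keep that intent readable, e.g. `// FXSR is required as well as PCLMULQDQ, presumably because the CLMUL assembly depends on SSE register state — confirm against gcm_*_clmul.` The same consideration applies to the `CRYPTO_is_AVX_capable() && CRYPTO_is_MOVBE_capable()` line in `CRYPTO_ghash_init`, where the removed `// AVX+MOVBE` tag at least named the combination; the enclosing function starts outside the hunk.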
@@ -193,7 +193,7 @@ static void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a, #endif // BORINGSSL_HAS_UINT128 void gcm_init_nohw(u128 Htable[16], const uint64_t Xi[2]) { - // We implement GHASH in terms of POLYVAL, as described in RFC8452. This + // We implement GHASH in terms of POLYVAL, as described in RFC 8452. This // avoids a shift by 1 in the multiplication, needed to account for bit // reversal losing a bit after multiplication, that is, // rev128(X) * rev128(Y) = rev255(X*Y). diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/internal.h index 55bbcc8c..097e70df 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/modes/internal.h @@ -52,7 +52,6 @@ #include #include -#include #include #include @@ -254,10 +253,6 @@ void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]); void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp, size_t len); -OPENSSL_INLINE char gcm_ssse3_capable(void) { - return (OPENSSL_ia32cap_get()[1] & (1 << (41 - 32))) != 0; -} - // |gcm_gmult_ssse3| and |gcm_ghash_ssse3| require |Htable| to be // 16-byte-aligned, but |gcm_init_ssse3| does not. void gcm_init_ssse3(u128 Htable[16], const uint64_t Xi[2]); diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.ios.aarch64.S new file mode 100644 index 00000000..4546285d --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.ios.aarch64.S 
@@ -0,0 +1,1769 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#if defined(__aarch64__) && defined(__APPLE__) +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif +#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif + +#if !defined(OPENSSL_NO_ASM) +#if defined(BORINGSSL_PREFIX) +#include +#endif +#include "CJWTKitBoringSSL_arm_arch.h" + +.text +.align 5 +Lpoly: +.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 +LRR: // 2^512 mod P precomputed for NIST P256 polynomial +.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd +Lone_mont: +.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe +Lone: +.quad 1,0,0,0 +Lord: +.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 +LordK: +.quad 0xccd1c8aaee00bc4f +.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 + +// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_to_mont +.private_extern _ecp_nistz256_to_mont + +.align 6 +_ecp_nistz256_to_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr x3,LRR // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + adr x2,LRR // &bp[0] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_from_mont +.private_extern _ecp_nistz256_from_mont + +.align 4 +_ecp_nistz256_from_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + + mov x3,#1 // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + adr x2,Lone // &bp[0] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl _ecp_nistz256_mul_mont +.private_extern _ecp_nistz256_mul_mont + +.align 4 +_ecp_nistz256_mul_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr x3,[x2] // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_sqr_mont +.private_extern _ecp_nistz256_sqr_mont + +.align 4 +_ecp_nistz256_sqr_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + + bl __ecp_nistz256_sqr_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_div_by_2 +.private_extern _ecp_nistz256_div_by_2 + +.align 4 +_ecp_nistz256_div_by_2: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + + bl __ecp_nistz256_div_by_2 + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_mul_by_2 +.private_extern _ecp_nistz256_mul_by_2 + +.align 4 +_ecp_nistz256_mul_by_2: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + + bl __ecp_nistz256_add_to // ret = a+a // 2*a + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_mul_by_3 +.private_extern _ecp_nistz256_mul_by_3 + +.align 4 +_ecp_nistz256_mul_by_3: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + mov x4,x14 + mov x5,x15 + mov x6,x16 + mov x7,x17 + + bl __ecp_nistz256_add_to // ret = a+a // 2*a + + mov x8,x4 + mov x9,x5 + mov x10,x6 + mov x11,x7 + + bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl _ecp_nistz256_sub +.private_extern _ecp_nistz256_sub + +.align 4 +_ecp_nistz256_sub: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl _ecp_nistz256_neg +.private_extern _ecp_nistz256_neg + +.align 4 +_ecp_nistz256_neg: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + mov x2,x1 + mov x14,xzr // a = 0 + mov x15,xzr + mov x16,xzr + mov x17,xzr + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret + + +// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded +// to x4-x7 and b[0] - to x3 + +.align 4 +__ecp_nistz256_mul_mont: + mul x14,x4,x3 // a[0]*b[0] + umulh x8,x4,x3 + + mul x15,x5,x3 // a[1]*b[0] + umulh x9,x5,x3 + + mul x16,x6,x3 // a[2]*b[0] + umulh x10,x6,x3 + + mul x17,x7,x3 // a[3]*b[0] + umulh x11,x7,x3 + ldr x3,[x2,#8] // b[1] + + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adc x19,xzr,x11 + mov x20,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + ldr x3,[x2,#8*(1+1)] // b[1+1] + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 
+ umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + ldr x3,[x2,#8*(2+1)] // b[2+1] + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + // last reduction + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + adcs x17,x19,x11 + adc x19,x20,xzr + + adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x19,xzr // did it borrow? + + csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret + + +// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded +// to x4-x7 + +.align 4 +__ecp_nistz256_sqr_mont: + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul x15,x5,x4 // a[1]*a[0] + umulh x9,x5,x4 + mul x16,x6,x4 // a[2]*a[0] + umulh x10,x6,x4 + mul x17,x7,x4 // a[3]*a[0] + umulh x19,x7,x4 + + adds x16,x16,x9 // accumulate high parts of multiplication + mul x8,x6,x5 // a[2]*a[1] + umulh x9,x6,x5 + adcs x17,x17,x10 + mul x10,x7,x5 // a[3]*a[1] + umulh x11,x7,x5 + adc x19,x19,xzr // can't overflow + + mul x20,x7,x6 // a[3]*a[2] + umulh x1,x7,x6 + + adds x9,x9,x10 // accumulate high parts of multiplication + mul x14,x4,x4 // a[0]*a[0] + adc x10,x11,xzr // can't overflow + + adds x17,x17,x8 // accumulate low parts of multiplication + umulh x4,x4,x4 + adcs x19,x19,x9 + mul x9,x5,x5 // a[1]*a[1] + adcs x20,x20,x10 + umulh x5,x5,x5 + adc x1,x1,xzr // can't overflow + + adds x15,x15,x15 // acc[1-6]*=2 + mul x10,x6,x6 // a[2]*a[2] + adcs x16,x16,x16 + umulh x6,x6,x6 + adcs x17,x17,x17 + mul x11,x7,x7 // a[3]*a[3] + adcs x19,x19,x19 + umulh x7,x7,x7 + adcs x20,x20,x20 + adcs x1,x1,x1 + adc x2,xzr,xzr + + adds x15,x15,x4 // +a[i]*a[i] + adcs x16,x16,x9 + adcs x17,x17,x5 + adcs x19,x19,x10 + adcs x20,x20,x6 + lsl x8,x14,#32 + adcs x1,x1,x11 + lsr x9,x14,#32 + adc x2,x2,x7 + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + 
lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + adc x17,x11,xzr // can't overflow + + adds x14,x14,x19 // accumulate upper half + adcs x15,x15,x20 + adcs x16,x16,x1 + adcs x17,x17,x2 + adc x19,xzr,xzr + + adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x19,xzr // did it borrow? + + csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret + + +// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to +// x4-x7 and x8-x11. This is done because it's used in multiple +// contexts, e.g. in multiplication by 2 and 3... + +.align 4 +__ecp_nistz256_add_to: + adds x14,x14,x8 // ret = a+b + adcs x15,x15,x9 + adcs x16,x16,x10 + adcs x17,x17,x11 + adc x1,xzr,xzr // zap x1 + + adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x1,xzr // did subtraction borrow? + + csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret + + + +.align 4 +__ecp_nistz256_sub_from: + ldp x8,x9,[x2] + ldp x10,x11,[x2,#16] + subs x14,x14,x8 // ret = a-b + sbcs x15,x15,x9 + sbcs x16,x16,x10 + sbcs x17,x17,x11 + sbc x1,xzr,xzr // zap x1 + + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adc x11,x17,x13 + cmp x1,xzr // did subtraction borrow? + + csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret + csel x15,x15,x9,eq + csel x16,x16,x10,eq + stp x14,x15,[x0] + csel x17,x17,x11,eq + stp x16,x17,[x0,#16] + + ret + + + +.align 4 +__ecp_nistz256_sub_morf: + ldp x8,x9,[x2] + ldp x10,x11,[x2,#16] + subs x14,x8,x14 // ret = b-a + sbcs x15,x9,x15 + sbcs x16,x10,x16 + sbcs x17,x11,x17 + sbc x1,xzr,xzr // zap x1 + + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adc x11,x17,x13 + cmp x1,xzr // did subtraction borrow? + + csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret + csel x15,x15,x9,eq + csel x16,x16,x10,eq + stp x14,x15,[x0] + csel x17,x17,x11,eq + stp x16,x17,[x0,#16] + + ret + + + +.align 4 +__ecp_nistz256_div_by_2: + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adcs x11,x17,x13 + adc x1,xzr,xzr // zap x1 + tst x14,#1 // is a even? + + csel x14,x14,x8,eq // ret = even ? a : a+modulus + csel x15,x15,x9,eq + csel x16,x16,x10,eq + csel x17,x17,x11,eq + csel x1,xzr,x1,eq + + lsr x14,x14,#1 // ret >>= 1 + orr x14,x14,x15,lsl#63 + lsr x15,x15,#1 + orr x15,x15,x16,lsl#63 + lsr x16,x16,#1 + orr x16,x16,x17,lsl#63 + lsr x17,x17,#1 + stp x14,x15,[x0] + orr x17,x17,x1,lsl#63 + stp x16,x17,[x0,#16] + + ret + +.globl _ecp_nistz256_point_double +.private_extern _ecp_nistz256_point_double + +.align 5 +_ecp_nistz256_point_double: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + sub sp,sp,#32*4 + +Ldouble_shortcut: + ldp x14,x15,[x1,#32] + mov x21,x0 + ldp x16,x17,[x1,#48] + mov x22,x1 + ldr x12,Lpoly+8 + mov x8,x14 + ldr x13,Lpoly+24 + mov x9,x15 + ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[x22,#64+16] + add x0,sp,#0 + bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y); + + add x0,sp,#64 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); + + ldp x8,x9,[x22] + ldp x10,x11,[x22,#16] + mov x4,x14 // put Zsqr aside for p256_sub + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x0,sp,#32 + bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x); + + add x2,x22,#0 + mov x14,x4 // restore Zsqr + mov x15,x5 + ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont + mov x16,x6 + mov x17,x7 + ldp x6,x7,[sp,#0+16] + add x0,sp,#64 + bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); + + add x0,sp,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); + + ldr x3,[x22,#32] + ldp x4,x5,[x22,#64] + ldp x6,x7,[x22,#64+16] + add x2,x22,#32 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); + + mov x8,x14 + mov x9,x15 + ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[sp,#0+16] + add x0,x21,#64 + bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0); + + add x0,sp,#96 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S); + + ldr x3,[sp,#64] // forward load for p256_mul_mont + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x0,x21,#32 + bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); + + add x2,sp,#64 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); + + mov x8,x14 // duplicate M + mov x9,x15 + mov x10,x16 + mov x11,x17 + mov x4,x14 // put M aside + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x0,sp,#32 + bl __ecp_nistz256_add_to + mov x8,x4 // restore M + mov x9,x5 + ldr x3,[x22] // forward load for p256_mul_mont + mov x10,x6 + 
ldp x4,x5,[sp,#0] + mov x11,x7 + ldp x6,x7,[sp,#0+16] + bl __ecp_nistz256_add_to // p256_mul_by_3(M, M); + + add x2,x22,#0 + add x0,sp,#0 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); + + mov x8,x14 + mov x9,x15 + ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[sp,#32+16] + add x0,sp,#96 + bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S); + + add x0,x21,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); + + add x2,sp,#96 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); + + add x2,sp,#0 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); + + ldr x3,[sp,#32] + mov x4,x14 // copy S + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x2,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); + + add x2,x21,#32 + add x0,x21,#32 + bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl _ecp_nistz256_point_add +.private_extern _ecp_nistz256_point_add + +.align 5 +_ecp_nistz256_point_add: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + sub sp,sp,#32*12 + + ldp x4,x5,[x2,#64] // in2_z + ldp x6,x7,[x2,#64+16] + mov x21,x0 + mov x22,x1 + mov x23,x2 + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + orr x8,x4,x5 + orr x10,x6,x7 + orr x25,x8,x10 + cmp x25,#0 + csetm x25,ne // ~in2infty + add x0,sp,#192 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); + + ldp x4,x5,[x22,#64] // in1_z + ldp x6,x7,[x22,#64+16] + orr x8,x4,x5 + orr x10,x6,x7 + orr x24,x8,x10 + cmp x24,#0 + csetm x24,ne // ~in1infty + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + ldr x3,[x23,#64] + ldp x4,x5,[sp,#192] + ldp x6,x7,[sp,#192+16] + add x2,x23,#64 + add x0,sp,#320 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,x22,#64 + add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr x3,[x22,#32] + ldp x4,x5,[sp,#320] + ldp x6,x7,[sp,#320+16] + add x2,x22,#32 + add x0,sp,#320 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); + + ldr x3,[x23,#32] + ldp x4,x5,[sp,#352] + ldp x6,x7,[sp,#352+16] + add x2,x23,#32 + add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add x2,sp,#320 + ldr x3,[sp,#192] // forward load for p256_mul_mont + ldp x4,x5,[x22] + ldp x6,x7,[x22,#16] + add x0,sp,#160 + bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); + + orr x14,x14,x15 // see if result is zero + orr x16,x16,x17 + orr x26,x14,x16 // ~is_equal(S1,S2) + + add x2,sp,#192 + add x0,sp,#256 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); + + ldr x3,[sp,#128] + ldp x4,x5,[x23] + ldp x6,x7,[x23,#16] + add x2,sp,#128 + add x0,sp,#288 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); + + add x2,sp,#256 + ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont + ldp x6,x7,[sp,#160+16] + add x0,sp,#96 + 
bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); + + orr x14,x14,x15 // see if result is zero + orr x16,x16,x17 + orr x14,x14,x16 // ~is_equal(U1,U2) + + mvn x27,x24 // -1/0 -> 0/-1 + mvn x28,x25 // -1/0 -> 0/-1 + orr x14,x14,x27 + orr x14,x14,x28 + orr x14,x14,x26 + cbnz x14,Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) + +Ladd_double: + mov x1,x22 + mov x0,x21 + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames + b Ldouble_shortcut + +.align 4 +Ladd_proceed: + add x0,sp,#192 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#96] + ldp x6,x7,[sp,#96+16] + add x2,x22,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldp x4,x5,[sp,#96] + ldp x6,x7,[sp,#96+16] + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldr x3,[x23,#64] + ldp x4,x5,[sp,#64] + ldp x6,x7,[sp,#64+16] + add x2,x23,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); + + ldr x3,[sp,#96] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,sp,#96 + add x0,sp,#224 + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr x3,[sp,#128] + ldp x4,x5,[sp,#256] + ldp x6,x7,[sp,#256+16] + add x2,sp,#128 + add x0,sp,#288 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); + + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + add x0,sp,#128 + bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); + + add x2,sp,#192 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add x2,sp,#224 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add x2,sp,#288 + ldr x3,[sp,#224] // forward load for p256_mul_mont + ldp x4,x5,[sp,#320] + ldp x6,x7,[sp,#320+16] + add x0,sp,#32 + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add x2,sp,#224 + add x0,sp,#352 + bl 
__ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); + + ldr x3,[sp,#160] + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x2,sp,#160 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add x2,sp,#352 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp x4,x5,[sp,#0] // res + ldp x6,x7,[sp,#0+16] + ldp x8,x9,[x23] // in2 + ldp x10,x11,[x23,#16] + ldp x14,x15,[x22,#0] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#0+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+0+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+0+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#0+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#0+48] + stp x14,x15,[x21,#0] + stp x16,x17,[x21,#0+16] + ldp x14,x15,[x22,#32] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#32+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+32+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+32+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#32+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#32+48] + stp x14,x15,[x21,#32] + stp x16,x17,[x21,#32+16] + ldp x14,x15,[x22,#64] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#64+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? 
+ csel x14,x8,x14,ne + csel x15,x9,x15,ne + csel x16,x10,x16,ne + csel x17,x11,x17,ne + stp x14,x15,[x21,#64] + stp x16,x17,[x21,#64+16] + +Ladd_done: + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret + +.globl _ecp_nistz256_point_add_affine +.private_extern _ecp_nistz256_point_add_affine + +.align 5 +_ecp_nistz256_point_add_affine: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + sub sp,sp,#32*10 + + mov x21,x0 + mov x22,x1 + mov x23,x2 + ldr x12,Lpoly+8 + ldr x13,Lpoly+24 + + ldp x4,x5,[x1,#64] // in1_z + ldp x6,x7,[x1,#64+16] + orr x8,x4,x5 + orr x10,x6,x7 + orr x24,x8,x10 + cmp x24,#0 + csetm x24,ne // ~in1infty + + ldp x14,x15,[x2] // in2_x + ldp x16,x17,[x2,#16] + ldp x8,x9,[x2,#32] // in2_y + ldp x10,x11,[x2,#48] + orr x14,x14,x15 + orr x16,x16,x17 + orr x8,x8,x9 + orr x10,x10,x11 + orr x14,x14,x16 + orr x8,x8,x10 + orr x25,x14,x8 + cmp x25,#0 + csetm x25,ne // ~in2infty + + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + mov x4,x14 + mov x5,x15 + mov x6,x16 + mov x7,x17 + ldr x3,[x23] + add x2,x23,#0 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); + + add x2,x22,#0 + ldr x3,[x22,#64] // forward load for p256_mul_mont + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x0,sp,#160 + bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); + + add x2,x22,#64 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#160] + ldp x6,x7,[sp,#160+16] + add x2,x22,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldr x3,[x23,#32] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,x23,#32 + add x0,sp,#128 + bl 
__ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add x2,x22,#32 + ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont + ldp x6,x7,[sp,#160+16] + add x0,sp,#192 + bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); + + add x0,sp,#224 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldp x4,x5,[sp,#192] + ldp x6,x7,[sp,#192+16] + add x0,sp,#288 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr x3,[sp,#160] + ldp x4,x5,[sp,#224] + ldp x6,x7,[sp,#224+16] + add x2,sp,#160 + add x0,sp,#256 + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr x3,[x22] + ldp x4,x5,[sp,#224] + ldp x6,x7,[sp,#224+16] + add x2,x22,#0 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); + + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + add x0,sp,#224 + bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); + + add x2,sp,#288 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add x2,sp,#256 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add x2,sp,#96 + ldr x3,[x22,#32] // forward load for p256_mul_mont + ldp x4,x5,[sp,#256] + ldp x6,x7,[sp,#256+16] + add x0,sp,#32 + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add x2,x22,#32 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); + + ldr x3,[sp,#192] + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x2,sp,#192 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add x2,sp,#128 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp x4,x5,[sp,#0] // res + ldp x6,x7,[sp,#0+16] + ldp x8,x9,[x23] // in2 + ldp x10,x11,[x23,#16] + ldp x14,x15,[x22,#0] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#0+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+0+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? 
+ ldp x6,x7,[sp,#0+0+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#0+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#0+48] + stp x14,x15,[x21,#0] + stp x16,x17,[x21,#0+16] + adr x23,Lone_mont-64 + ldp x14,x15,[x22,#32] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#32+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+32+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+32+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#32+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#32+48] + stp x14,x15,[x21,#32] + stp x16,x17,[x21,#32+16] + ldp x14,x15,[x22,#64] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#64+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + csel x14,x8,x14,ne + csel x15,x9,x15,ne + csel x16,x10,x16,ne + csel x17,x11,x17,ne + stp x14,x15,[x21,#64] + stp x16,x17,[x21,#64+16] + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x29,x30,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER + ret + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4], +// uint64_t b[4]); +.globl _ecp_nistz256_ord_mul_mont +.private_extern _ecp_nistz256_ord_mul_mont + +.align 4 +_ecp_nistz256_ord_mul_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + adr x23,Lord + ldr x3,[x2] // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + + ldp x12,x13,[x23,#0] + ldp x21,x22,[x23,#16] + ldr x23,[x23,#32] + + mul x14,x4,x3 // a[0]*b[0] + umulh x8,x4,x3 + + mul x15,x5,x3 // a[1]*b[0] + umulh x9,x5,x3 + + mul x16,x6,x3 // a[2]*b[0] + umulh x10,x6,x3 + + mul x17,x7,x3 // a[3]*b[0] + umulh x19,x7,x3 + + mul x24,x14,x23 + + adds x15,x15,x8 // accumulate high parts of multiplication + adcs x16,x16,x9 + adcs x17,x17,x10 + adc x19,x19,xzr + mov x20,xzr + ldr x3,[x2,#8*1] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + ldr x3,[x2,#8*2] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs 
x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + ldr x3,[x2,#8*3] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + lsl x8,x24,#32 // last reduction + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + subs x8,x14,x12 // ret -= modulus + sbcs x9,x15,x13 + sbcs x10,x16,x21 + sbcs x11,x17,x22 + sbcs xzr,x19,xzr + + csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldr x29,[sp],#64 + ret + + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4], +// int rep); +.globl _ecp_nistz256_ord_sqr_mont +.private_extern _ecp_nistz256_ord_sqr_mont + +.align 4 +_ecp_nistz256_ord_sqr_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + adr x23,Lord + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + + ldp x12,x13,[x23,#0] + ldp x21,x22,[x23,#16] + ldr x23,[x23,#32] + b Loop_ord_sqr + +.align 4 +Loop_ord_sqr: + sub x2,x2,#1 + //////////////////////////////////////////////////////////////// + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul x15,x5,x4 // a[1]*a[0] + umulh x9,x5,x4 + mul x16,x6,x4 // a[2]*a[0] + umulh x10,x6,x4 + mul x17,x7,x4 // a[3]*a[0] + umulh x19,x7,x4 + + adds x16,x16,x9 // accumulate high parts of multiplication + mul x8,x6,x5 // a[2]*a[1] + umulh x9,x6,x5 + adcs x17,x17,x10 + mul x10,x7,x5 // a[3]*a[1] + umulh x11,x7,x5 + adc x19,x19,xzr // can't overflow + + mul x20,x7,x6 // a[3]*a[2] + umulh x1,x7,x6 + + adds x9,x9,x10 // accumulate high parts of multiplication + mul x14,x4,x4 // a[0]*a[0] + adc x10,x11,xzr // can't overflow + + adds x17,x17,x8 // accumulate low parts of multiplication + umulh x4,x4,x4 + adcs x19,x19,x9 + mul x9,x5,x5 // a[1]*a[1] + adcs x20,x20,x10 + umulh x5,x5,x5 + adc x1,x1,xzr // can't overflow + + adds x15,x15,x15 // acc[1-6]*=2 + mul x10,x6,x6 // a[2]*a[2] + adcs x16,x16,x16 + umulh x6,x6,x6 + adcs x17,x17,x17 + mul x11,x7,x7 // a[3]*a[3] + adcs x19,x19,x19 + umulh x7,x7,x7 + adcs x20,x20,x20 + adcs x1,x1,x1 + adc x3,xzr,xzr + + adds x15,x15,x4 // +a[i]*a[i] + mul x24,x14,x23 + adcs x16,x16,x9 + adcs x17,x17,x5 + adcs x19,x19,x10 + adcs x20,x20,x6 + adcs x1,x1,x11 + adc x3,x3,x7 + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds 
x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adc x17,xzr,x24 // can't overflow + mul x11,x14,x23 + lsl x8,x24,#32 + subs x15,x15,x24 + lsr x9,x24,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x11 + mul x10,x13,x11 + umulh x24,x13,x11 + + adcs x10,x10,x9 + adc x24,x24,xzr + + adds x14,x15,x10 + adcs x15,x16,x24 + adcs x16,x17,x11 + adc x17,xzr,x11 // can't overflow + mul x24,x14,x23 + lsl x8,x11,#32 + subs x15,x15,x11 + lsr x9,x11,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adc x17,xzr,x24 // can't overflow + mul x11,x14,x23 + lsl x8,x24,#32 + subs x15,x15,x24 + lsr x9,x24,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x11 + mul x10,x13,x11 + umulh x24,x13,x11 + + adcs x10,x10,x9 + adc x24,x24,xzr + + adds x14,x15,x10 + adcs x15,x16,x24 + adcs x16,x17,x11 + adc x17,xzr,x11 // can't overflow + lsl x8,x11,#32 + subs x15,x15,x11 + lsr x9,x11,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + adds x14,x14,x19 // accumulate upper half + adcs x15,x15,x20 + adcs x16,x16,x1 + adcs x17,x17,x3 + adc x19,xzr,xzr + + subs x8,x14,x12 // ret -= modulus + sbcs x9,x15,x13 + sbcs x10,x16,x21 + sbcs x11,x17,x22 + sbcs xzr,x19,xzr + + csel x4,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x5,x15,x9,lo + csel x6,x16,x10,lo + csel x7,x17,x11,lo + + cbnz x2,Loop_ord_sqr + + stp x4,x5,[x0] + stp x6,x7,[x0,#16] + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldr x29,[sp],#64 + ret + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index); +.globl _ecp_nistz256_select_w5 +.private_extern _ecp_nistz256_select_w5 + +.align 4 +_ecp_nistz256_select_w5: + AARCH64_VALID_CALL_TARGET + + // x10 := x0 + // w9 := 0; loop counter and incremented internal index + mov x10, x0 + mov w9, #0 + + // [v16-v21] := 0 + movi v16.16b, #0 + movi v17.16b, #0 + movi v18.16b, #0 + movi v19.16b, #0 + movi v20.16b, #0 + movi v21.16b, #0 + +Lselect_w5_loop: + // Loop 16 times. + + // Increment index (loop counter); tested at the end of the loop + add w9, w9, #1 + + // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1 + // and advance x1 to point to the next entry + ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 + + // x11 := (w9 == w2)? All 1s : All 0s + cmp w9, w2 + csetm x11, eq + + // continue loading ... + ld1 {v26.2d, v27.2d}, [x1],#32 + + // duplicate mask_64 into Mask (all 0s or all 1s) + dup v3.2d, x11 + + // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] + // i.e., values in output registers will remain the same if w9 != w2 + bit v16.16b, v22.16b, v3.16b + bit v17.16b, v23.16b, v3.16b + + bit v18.16b, v24.16b, v3.16b + bit v19.16b, v25.16b, v3.16b + + bit v20.16b, v26.16b, v3.16b + bit v21.16b, v27.16b, v3.16b + + // If bit #4 is not 0 (i.e. 
idx_ctr < 16) loop back + tbz w9, #4, Lselect_w5_loop + + // Write [v16-v21] to memory at the output pointer + st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64 + st1 {v20.2d, v21.2d}, [x10] + + ret + + + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index); +.globl _ecp_nistz256_select_w7 +.private_extern _ecp_nistz256_select_w7 + +.align 4 +_ecp_nistz256_select_w7: + AARCH64_VALID_CALL_TARGET + + // w9 := 0; loop counter and incremented internal index + mov w9, #0 + + // [v16-v21] := 0 + movi v16.16b, #0 + movi v17.16b, #0 + movi v18.16b, #0 + movi v19.16b, #0 + +Lselect_w7_loop: + // Loop 64 times. + + // Increment index (loop counter); tested at the end of the loop + add w9, w9, #1 + + // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1 + // and advance x1 to point to the next entry + ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 + + // x11 := (w9 == w2)? All 1s : All 0s + cmp w9, w2 + csetm x11, eq + + // duplicate mask_64 into Mask (all 0s or all 1s) + dup v3.2d, x11 + + // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] + // i.e., values in output registers will remain the same if w9 != w2 + bit v16.16b, v22.16b, v3.16b + bit v17.16b, v23.16b, v3.16b + + bit v18.16b, v24.16b, v3.16b + bit v19.16b, v25.16b, v3.16b + + // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back + tbz w9, #6, Lselect_w7_loop + + // Write [v16-v19] to memory at the output pointer + st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0] + + ret + +#endif // !OPENSSL_NO_ASM +#endif // defined(__aarch64__) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.linux.aarch64.S new file mode 100644 index 00000000..87ad42a1 --- /dev/null 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-armv8-asm.linux.aarch64.S 
@@ -0,0 +1,1772 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#if defined(__aarch64__) && defined(__linux__) +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif +#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif + +#if !defined(OPENSSL_NO_ASM) +#if defined(__aarch64__) +#if defined(BORINGSSL_PREFIX) +#include +#endif +#include "CJWTKitBoringSSL_arm_arch.h" + +.text +.align 5 +.Lpoly: +.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 +.LRR: // 2^512 mod P precomputed for NIST P256 polynomial +.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd +.Lone_mont: +.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe +.Lone: +.quad 1,0,0,0 +.Lord: +.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 +.LordK: +.quad 0xccd1c8aaee00bc4f +.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 + +// void ecp_nistz256_to_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_to_mont +.hidden ecp_nistz256_to_mont +.type ecp_nistz256_to_mont,%function +.align 6 +ecp_nistz256_to_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr x3,.LRR // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + adr x2,.LRR // &bp[0] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_to_mont,.-ecp_nistz256_to_mont + +// void ecp_nistz256_from_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_from_mont +.hidden ecp_nistz256_from_mont +.type ecp_nistz256_from_mont,%function +.align 4 +ecp_nistz256_from_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + mov x3,#1 // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + adr x2,.Lone // &bp[0] + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_from_mont,.-ecp_nistz256_from_mont + +// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_mul_mont +.hidden ecp_nistz256_mul_mont +.type ecp_nistz256_mul_mont,%function +.align 4 +ecp_nistz256_mul_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldr x3,[x2] // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + + bl __ecp_nistz256_mul_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont + +// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_sqr_mont +.hidden ecp_nistz256_sqr_mont +.type ecp_nistz256_sqr_mont,%function +.align 4 +ecp_nistz256_sqr_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + + bl __ecp_nistz256_sqr_mont + + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont + +// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_div_by_2 +.hidden ecp_nistz256_div_by_2 +.type ecp_nistz256_div_by_2,%function +.align 4 +ecp_nistz256_div_by_2: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + + bl __ecp_nistz256_div_by_2 + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 + +// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_mul_by_2 +.hidden ecp_nistz256_mul_by_2 +.type ecp_nistz256_mul_by_2,%function +.align 4 +ecp_nistz256_mul_by_2: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + + bl __ecp_nistz256_add_to // ret = a+a // 2*a + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 + +// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_mul_by_3 +.hidden ecp_nistz256_mul_by_3 +.type ecp_nistz256_mul_by_3,%function +.align 4 +ecp_nistz256_mul_by_3: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + mov x4,x14 + mov x5,x15 + mov x6,x16 + mov x7,x17 + + bl __ecp_nistz256_add_to // ret = a+a // 2*a + + mov x8,x4 + mov x9,x5 + mov x10,x6 + mov x11,x7 + + bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 + +// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], +// const BN_ULONG x2[4]); +.globl ecp_nistz256_sub +.hidden ecp_nistz256_sub +.type ecp_nistz256_sub,%function +.align 4 +ecp_nistz256_sub: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ldp x14,x15,[x1] + ldp x16,x17,[x1,#16] + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_sub,.-ecp_nistz256_sub + +// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); +.globl ecp_nistz256_neg +.hidden ecp_nistz256_neg +.type ecp_nistz256_neg,%function +.align 4 +ecp_nistz256_neg: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-16]! 
+ add x29,sp,#0 + + mov x2,x1 + mov x14,xzr // a = 0 + mov x15,xzr + mov x16,xzr + mov x17,xzr + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + + bl __ecp_nistz256_sub_from + + ldp x29,x30,[sp],#16 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_neg,.-ecp_nistz256_neg + +// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded +// to x4-x7 and b[0] - to x3 +.type __ecp_nistz256_mul_mont,%function +.align 4 +__ecp_nistz256_mul_mont: + mul x14,x4,x3 // a[0]*b[0] + umulh x8,x4,x3 + + mul x15,x5,x3 // a[1]*b[0] + umulh x9,x5,x3 + + mul x16,x6,x3 // a[2]*b[0] + umulh x10,x6,x3 + + mul x17,x7,x3 // a[3]*b[0] + umulh x11,x7,x3 + ldr x3,[x2,#8] // b[1] + + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adc x19,xzr,x11 + mov x20,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + ldr x3,[x2,#8*(1+1)] // b[1+1] + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // 
accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + ldr x3,[x2,#8*(2+1)] // b[2+1] + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x4,x3 // lo(a[0]*b[i]) + adcs x15,x16,x9 + mul x9,x5,x3 // lo(a[1]*b[i]) + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + mul x10,x6,x3 // lo(a[2]*b[i]) + adcs x17,x19,x11 + mul x11,x7,x3 // lo(a[3]*b[i]) + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts of multiplication + umulh x8,x4,x3 // hi(a[0]*b[i]) + adcs x15,x15,x9 + umulh x9,x5,x3 // hi(a[1]*b[i]) + adcs x16,x16,x10 + umulh x10,x6,x3 // hi(a[2]*b[i]) + adcs x17,x17,x11 + umulh x11,x7,x3 // hi(a[3]*b[i]) + adc x19,x19,xzr + adds x15,x15,x8 // accumulate high parts of multiplication + lsl x8,x14,#32 + adcs x16,x16,x9 + lsr x9,x14,#32 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + // last reduction + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + adcs x17,x19,x11 + adc x19,x20,xzr + + adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x19,xzr // did it borrow? + + csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret +.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont + +// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded +// to x4-x7 +.type __ecp_nistz256_sqr_mont,%function +.align 4 +__ecp_nistz256_sqr_mont: + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul x15,x5,x4 // a[1]*a[0] + umulh x9,x5,x4 + mul x16,x6,x4 // a[2]*a[0] + umulh x10,x6,x4 + mul x17,x7,x4 // a[3]*a[0] + umulh x19,x7,x4 + + adds x16,x16,x9 // accumulate high parts of multiplication + mul x8,x6,x5 // a[2]*a[1] + umulh x9,x6,x5 + adcs x17,x17,x10 + mul x10,x7,x5 // a[3]*a[1] + umulh x11,x7,x5 + adc x19,x19,xzr // can't overflow + + mul x20,x7,x6 // a[3]*a[2] + umulh x1,x7,x6 + + adds x9,x9,x10 // accumulate high parts of multiplication + mul x14,x4,x4 // a[0]*a[0] + adc x10,x11,xzr // can't overflow + + adds x17,x17,x8 // accumulate low parts of multiplication + umulh x4,x4,x4 + adcs x19,x19,x9 + mul x9,x5,x5 // a[1]*a[1] + adcs x20,x20,x10 + umulh x5,x5,x5 + adc x1,x1,xzr // can't overflow + + adds x15,x15,x15 // acc[1-6]*=2 + mul x10,x6,x6 // a[2]*a[2] + adcs x16,x16,x16 + umulh x6,x6,x6 + adcs x17,x17,x17 + mul x11,x7,x7 // a[3]*a[3] + adcs x19,x19,x19 + umulh x7,x7,x7 + adcs x20,x20,x20 + adcs x1,x1,x1 + adc x2,xzr,xzr + + adds x15,x15,x4 // +a[i]*a[i] + adcs x16,x16,x9 + adcs x17,x17,x5 + adcs x19,x19,x10 + adcs x20,x20,x6 + lsl x8,x14,#32 + adcs x1,x1,x11 + lsr x9,x14,#32 + adc x2,x2,x7 + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 
and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + lsl x8,x14,#32 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + lsr x9,x14,#32 + adc x17,x11,xzr // can't overflow + subs x10,x14,x8 // "*0xffff0001" + sbc x11,x14,x9 + adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] + adcs x15,x16,x9 + adcs x16,x17,x10 // +=acc[0]*0xffff0001 + adc x17,x11,xzr // can't overflow + + adds x14,x14,x19 // accumulate upper half + adcs x15,x15,x20 + adcs x16,x16,x1 + adcs x17,x17,x2 + adc x19,xzr,xzr + + adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x19,xzr // did it borrow? + + csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret +.size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont + +// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to +// x4-x7 and x8-x11. This is done because it's used in multiple +// contexts, e.g. in multiplication by 2 and 3... +.type __ecp_nistz256_add_to,%function +.align 4 +__ecp_nistz256_add_to: + adds x14,x14,x8 // ret = a+b + adcs x15,x15,x9 + adcs x16,x16,x10 + adcs x17,x17,x11 + adc x1,xzr,xzr // zap x1 + + adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus + sbcs x9,x15,x12 + sbcs x10,x16,xzr + sbcs x11,x17,x13 + sbcs xzr,x1,xzr // did subtraction borrow? + + csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ret +.size __ecp_nistz256_add_to,.-__ecp_nistz256_add_to + +.type __ecp_nistz256_sub_from,%function +.align 4 +__ecp_nistz256_sub_from: + ldp x8,x9,[x2] + ldp x10,x11,[x2,#16] + subs x14,x14,x8 // ret = a-b + sbcs x15,x15,x9 + sbcs x16,x16,x10 + sbcs x17,x17,x11 + sbc x1,xzr,xzr // zap x1 + + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adc x11,x17,x13 + cmp x1,xzr // did subtraction borrow? + + csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret + csel x15,x15,x9,eq + csel x16,x16,x10,eq + stp x14,x15,[x0] + csel x17,x17,x11,eq + stp x16,x17,[x0,#16] + + ret +.size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from + +.type __ecp_nistz256_sub_morf,%function +.align 4 +__ecp_nistz256_sub_morf: + ldp x8,x9,[x2] + ldp x10,x11,[x2,#16] + subs x14,x8,x14 // ret = b-a + sbcs x15,x9,x15 + sbcs x16,x10,x16 + sbcs x17,x11,x17 + sbc x1,xzr,xzr // zap x1 + + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adc x11,x17,x13 + cmp x1,xzr // did subtraction borrow? + + csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret + csel x15,x15,x9,eq + csel x16,x16,x10,eq + stp x14,x15,[x0] + csel x17,x17,x11,eq + stp x16,x17,[x0,#16] + + ret +.size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf + +.type __ecp_nistz256_div_by_2,%function +.align 4 +__ecp_nistz256_div_by_2: + subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus + adcs x9,x15,x12 + adcs x10,x16,xzr + adcs x11,x17,x13 + adc x1,xzr,xzr // zap x1 + tst x14,#1 // is a even? + + csel x14,x14,x8,eq // ret = even ? 
a : a+modulus + csel x15,x15,x9,eq + csel x16,x16,x10,eq + csel x17,x17,x11,eq + csel x1,xzr,x1,eq + + lsr x14,x14,#1 // ret >>= 1 + orr x14,x14,x15,lsl#63 + lsr x15,x15,#1 + orr x15,x15,x16,lsl#63 + lsr x16,x16,#1 + orr x16,x16,x17,lsl#63 + lsr x17,x17,#1 + stp x14,x15,[x0] + orr x17,x17,x1,lsl#63 + stp x16,x17,[x0,#16] + + ret +.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2 +.globl ecp_nistz256_point_double +.hidden ecp_nistz256_point_double +.type ecp_nistz256_point_double,%function +.align 5 +ecp_nistz256_point_double: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + sub sp,sp,#32*4 + +.Ldouble_shortcut: + ldp x14,x15,[x1,#32] + mov x21,x0 + ldp x16,x17,[x1,#48] + mov x22,x1 + ldr x12,.Lpoly+8 + mov x8,x14 + ldr x13,.Lpoly+24 + mov x9,x15 + ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[x22,#64+16] + add x0,sp,#0 + bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y); + + add x0,sp,#64 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); + + ldp x8,x9,[x22] + ldp x10,x11,[x22,#16] + mov x4,x14 // put Zsqr aside for p256_sub + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x0,sp,#32 + bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x); + + add x2,x22,#0 + mov x14,x4 // restore Zsqr + mov x15,x5 + ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont + mov x16,x6 + mov x17,x7 + ldp x6,x7,[sp,#0+16] + add x0,sp,#64 + bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); + + add x0,sp,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); + + ldr x3,[x22,#32] + ldp x4,x5,[x22,#64] + ldp x6,x7,[x22,#64+16] + add x2,x22,#32 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); + + mov x8,x14 + mov x9,x15 + ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[sp,#0+16] + add x0,x21,#64 + bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0); + + add x0,sp,#96 + bl 
__ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S); + + ldr x3,[sp,#64] // forward load for p256_mul_mont + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x0,x21,#32 + bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); + + add x2,sp,#64 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); + + mov x8,x14 // duplicate M + mov x9,x15 + mov x10,x16 + mov x11,x17 + mov x4,x14 // put M aside + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x0,sp,#32 + bl __ecp_nistz256_add_to + mov x8,x4 // restore M + mov x9,x5 + ldr x3,[x22] // forward load for p256_mul_mont + mov x10,x6 + ldp x4,x5,[sp,#0] + mov x11,x7 + ldp x6,x7,[sp,#0+16] + bl __ecp_nistz256_add_to // p256_mul_by_3(M, M); + + add x2,x22,#0 + add x0,sp,#0 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); + + mov x8,x14 + mov x9,x15 + ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont + mov x10,x16 + mov x11,x17 + ldp x6,x7,[sp,#32+16] + add x0,sp,#96 + bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S); + + add x0,x21,#0 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); + + add x2,sp,#96 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); + + add x2,sp,#0 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); + + ldr x3,[sp,#32] + mov x4,x14 // copy S + mov x5,x15 + mov x6,x16 + mov x7,x17 + add x2,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); + + add x2,x21,#32 + add x0,x21,#32 + bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_point_double,.-ecp_nistz256_point_double +.globl ecp_nistz256_point_add +.hidden ecp_nistz256_point_add +.type ecp_nistz256_point_add,%function +.align 5 +ecp_nistz256_point_add: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-96]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + sub sp,sp,#32*12 + + ldp x4,x5,[x2,#64] // in2_z + ldp x6,x7,[x2,#64+16] + mov x21,x0 + mov x22,x1 + mov x23,x2 + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + orr x8,x4,x5 + orr x10,x6,x7 + orr x25,x8,x10 + cmp x25,#0 + csetm x25,ne // ~in2infty + add x0,sp,#192 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); + + ldp x4,x5,[x22,#64] // in1_z + ldp x6,x7,[x22,#64+16] + orr x8,x4,x5 + orr x10,x6,x7 + orr x24,x8,x10 + cmp x24,#0 + csetm x24,ne // ~in1infty + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + ldr x3,[x23,#64] + ldp x4,x5,[sp,#192] + ldp x6,x7,[sp,#192+16] + add x2,x23,#64 + add x0,sp,#320 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,x22,#64 + add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr x3,[x22,#32] + ldp x4,x5,[sp,#320] + ldp x6,x7,[sp,#320+16] + add x2,x22,#32 + add x0,sp,#320 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); + + ldr x3,[x23,#32] + ldp x4,x5,[sp,#352] + ldp x6,x7,[sp,#352+16] + add x2,x23,#32 + add x0,sp,#352 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add x2,sp,#320 + ldr x3,[sp,#192] // forward load for p256_mul_mont + ldp x4,x5,[x22] + ldp x6,x7,[x22,#16] + add x0,sp,#160 + bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); + + orr x14,x14,x15 // see if result is zero + orr x16,x16,x17 + orr x26,x14,x16 // ~is_equal(S1,S2) + + add x2,sp,#192 + add x0,sp,#256 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); + + ldr x3,[sp,#128] + ldp x4,x5,[x23] + ldp x6,x7,[x23,#16] + add x2,sp,#128 + add x0,sp,#288 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); + + add x2,sp,#256 + ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont + ldp x6,x7,[sp,#160+16] + add x0,sp,#96 + 
bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); + + orr x14,x14,x15 // see if result is zero + orr x16,x16,x17 + orr x14,x14,x16 // ~is_equal(U1,U2) + + mvn x27,x24 // -1/0 -> 0/-1 + mvn x28,x25 // -1/0 -> 0/-1 + orr x14,x14,x27 + orr x14,x14,x28 + orr x14,x14,x26 + cbnz x14,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) + +.Ladd_double: + mov x1,x22 + mov x0,x21 + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames + b .Ldouble_shortcut + +.align 4 +.Ladd_proceed: + add x0,sp,#192 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#96] + ldp x6,x7,[sp,#96+16] + add x2,x22,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldp x4,x5,[sp,#96] + ldp x6,x7,[sp,#96+16] + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldr x3,[x23,#64] + ldp x4,x5,[sp,#64] + ldp x6,x7,[sp,#64+16] + add x2,x23,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); + + ldr x3,[sp,#96] + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,sp,#96 + add x0,sp,#224 + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr x3,[sp,#128] + ldp x4,x5,[sp,#256] + ldp x6,x7,[sp,#256+16] + add x2,sp,#128 + add x0,sp,#288 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); + + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + add x0,sp,#128 + bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); + + add x2,sp,#192 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add x2,sp,#224 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add x2,sp,#288 + ldr x3,[sp,#224] // forward load for p256_mul_mont + ldp x4,x5,[sp,#320] + ldp x6,x7,[sp,#320+16] + add x0,sp,#32 + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add x2,sp,#224 + add x0,sp,#352 + bl 
__ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); + + ldr x3,[sp,#160] + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x2,sp,#160 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add x2,sp,#352 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp x4,x5,[sp,#0] // res + ldp x6,x7,[sp,#0+16] + ldp x8,x9,[x23] // in2 + ldp x10,x11,[x23,#16] + ldp x14,x15,[x22,#0] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#0+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+0+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+0+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#0+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#0+48] + stp x14,x15,[x21,#0] + stp x16,x17,[x21,#0+16] + ldp x14,x15,[x22,#32] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#32+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+32+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+32+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#32+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#32+48] + stp x14,x15,[x21,#32] + stp x16,x17,[x21,#32+16] + ldp x14,x15,[x22,#64] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#64+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? 
+ csel x14,x8,x14,ne + csel x15,x9,x15,ne + csel x16,x10,x16,ne + csel x17,x11,x17,ne + stp x14,x15,[x21,#64] + stp x16,x17,[x21,#64+16] + +.Ladd_done: + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x27,x28,[x29,#80] + ldp x29,x30,[sp],#96 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_point_add,.-ecp_nistz256_point_add +.globl ecp_nistz256_point_add_affine +.hidden ecp_nistz256_point_add_affine +.type ecp_nistz256_point_add_affine,%function +.align 5 +ecp_nistz256_point_add_affine: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-80]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + sub sp,sp,#32*10 + + mov x21,x0 + mov x22,x1 + mov x23,x2 + ldr x12,.Lpoly+8 + ldr x13,.Lpoly+24 + + ldp x4,x5,[x1,#64] // in1_z + ldp x6,x7,[x1,#64+16] + orr x8,x4,x5 + orr x10,x6,x7 + orr x24,x8,x10 + cmp x24,#0 + csetm x24,ne // ~in1infty + + ldp x14,x15,[x2] // in2_x + ldp x16,x17,[x2,#16] + ldp x8,x9,[x2,#32] // in2_y + ldp x10,x11,[x2,#48] + orr x14,x14,x15 + orr x16,x16,x17 + orr x8,x8,x9 + orr x10,x10,x11 + orr x14,x14,x16 + orr x8,x8,x10 + orr x25,x14,x8 + cmp x25,#0 + csetm x25,ne // ~in2infty + + add x0,sp,#128 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); + + mov x4,x14 + mov x5,x15 + mov x6,x16 + mov x7,x17 + ldr x3,[x23] + add x2,x23,#0 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); + + add x2,x22,#0 + ldr x3,[x22,#64] // forward load for p256_mul_mont + ldp x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x0,sp,#160 + bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); + + add x2,x22,#64 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); + + ldr x3,[x22,#64] + ldp x4,x5,[sp,#160] + ldp x6,x7,[sp,#160+16] + add x2,x22,#64 + add x0,sp,#64 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); + + ldr x3,[x23,#32] + ldp 
x4,x5,[sp,#128] + ldp x6,x7,[sp,#128+16] + add x2,x23,#32 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); + + add x2,x22,#32 + ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont + ldp x6,x7,[sp,#160+16] + add x0,sp,#192 + bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); + + add x0,sp,#224 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); + + ldp x4,x5,[sp,#192] + ldp x6,x7,[sp,#192+16] + add x0,sp,#288 + bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); + + ldr x3,[sp,#160] + ldp x4,x5,[sp,#224] + ldp x6,x7,[sp,#224+16] + add x2,sp,#160 + add x0,sp,#256 + bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); + + ldr x3,[x22] + ldp x4,x5,[sp,#224] + ldp x6,x7,[sp,#224+16] + add x2,x22,#0 + add x0,sp,#96 + bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); + + mov x8,x14 + mov x9,x15 + mov x10,x16 + mov x11,x17 + add x0,sp,#224 + bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); + + add x2,sp,#288 + add x0,sp,#0 + bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); + + add x2,sp,#256 + bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); + + add x2,sp,#96 + ldr x3,[x22,#32] // forward load for p256_mul_mont + ldp x4,x5,[sp,#256] + ldp x6,x7,[sp,#256+16] + add x0,sp,#32 + bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); + + add x2,x22,#32 + add x0,sp,#128 + bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); + + ldr x3,[sp,#192] + ldp x4,x5,[sp,#32] + ldp x6,x7,[sp,#32+16] + add x2,sp,#192 + add x0,sp,#32 + bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); + + add x2,sp,#128 + bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); + + ldp x4,x5,[sp,#0] // res + ldp x6,x7,[sp,#0+16] + ldp x8,x9,[x23] // in2 + ldp x10,x11,[x23,#16] + ldp x14,x15,[x22,#0] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#0+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+0+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? 
+ ldp x6,x7,[sp,#0+0+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#0+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#0+48] + stp x14,x15,[x21,#0] + stp x16,x17,[x21,#0+16] + adr x23,.Lone_mont-64 + ldp x14,x15,[x22,#32] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#32+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + ldp x4,x5,[sp,#0+32+32] // res + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + ldp x6,x7,[sp,#0+32+48] + csel x14,x8,x14,ne + csel x15,x9,x15,ne + ldp x8,x9,[x23,#32+32] // in2 + csel x16,x10,x16,ne + csel x17,x11,x17,ne + ldp x10,x11,[x23,#32+48] + stp x14,x15,[x21,#32] + stp x16,x17,[x21,#32+16] + ldp x14,x15,[x22,#64] // in1 + cmp x24,#0 // ~, remember? + ldp x16,x17,[x22,#64+16] + csel x8,x4,x8,ne + csel x9,x5,x9,ne + csel x10,x6,x10,ne + csel x11,x7,x11,ne + cmp x25,#0 // ~, remember? + csel x14,x8,x14,ne + csel x15,x9,x15,ne + csel x16,x10,x16,ne + csel x17,x11,x17,ne + stp x14,x15,[x21,#64] + stp x16,x17,[x21,#64+16] + + add sp,x29,#0 // destroy frame + ldp x19,x20,[x29,#16] + ldp x21,x22,[x29,#32] + ldp x23,x24,[x29,#48] + ldp x25,x26,[x29,#64] + ldp x29,x30,[sp],#80 + AARCH64_VALIDATE_LINK_REGISTER + ret +.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4], +// uint64_t b[4]); +.globl ecp_nistz256_ord_mul_mont +.hidden ecp_nistz256_ord_mul_mont +.type ecp_nistz256_ord_mul_mont,%function +.align 4 +ecp_nistz256_ord_mul_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + adr x23,.Lord + ldr x3,[x2] // bp[0] + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + + ldp x12,x13,[x23,#0] + ldp x21,x22,[x23,#16] + ldr x23,[x23,#32] + + mul x14,x4,x3 // a[0]*b[0] + umulh x8,x4,x3 + + mul x15,x5,x3 // a[1]*b[0] + umulh x9,x5,x3 + + mul x16,x6,x3 // a[2]*b[0] + umulh x10,x6,x3 + + mul x17,x7,x3 // a[3]*b[0] + umulh x19,x7,x3 + + mul x24,x14,x23 + + adds x15,x15,x8 // accumulate high parts of multiplication + adcs x16,x16,x9 + adcs x17,x17,x10 + adc x19,x19,xzr + mov x20,xzr + ldr x3,[x2,#8*1] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + ldr x3,[x2,#8*2] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs 
x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + ldr x3,[x2,#8*3] // b[i] + + lsl x8,x24,#32 + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + mul x8,x4,x3 + adc x11,x11,xzr + mul x9,x5,x3 + + adds x14,x15,x10 + mul x10,x6,x3 + adcs x15,x16,x11 + mul x11,x7,x3 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + adds x14,x14,x8 // accumulate low parts + umulh x8,x4,x3 + adcs x15,x15,x9 + umulh x9,x5,x3 + adcs x16,x16,x10 + umulh x10,x6,x3 + adcs x17,x17,x11 + umulh x11,x7,x3 + adc x19,x19,xzr + mul x24,x14,x23 + adds x15,x15,x8 // accumulate high parts + adcs x16,x16,x9 + adcs x17,x17,x10 + adcs x19,x19,x11 + adc x20,xzr,xzr + lsl x8,x24,#32 // last reduction + subs x16,x16,x24 + lsr x9,x24,#32 + sbcs x17,x17,x8 + sbcs x19,x19,x9 + sbc x20,x20,xzr + + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adcs x17,x19,x24 + adc x19,x20,xzr + + subs x8,x14,x12 // ret -= modulus + sbcs x9,x15,x13 + sbcs x10,x16,x21 + sbcs x11,x17,x22 + sbcs xzr,x19,xzr + + csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus + csel x15,x15,x9,lo + csel x16,x16,x10,lo + stp x14,x15,[x0] + csel x17,x17,x11,lo + stp x16,x17,[x0,#16] + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldr x29,[sp],#64 + ret +.size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_ord_sqr_mont(uint64_t res[4], uint64_t a[4], +// int rep); +.globl ecp_nistz256_ord_sqr_mont +.hidden ecp_nistz256_ord_sqr_mont +.type ecp_nistz256_ord_sqr_mont,%function +.align 4 +ecp_nistz256_ord_sqr_mont: + AARCH64_VALID_CALL_TARGET + // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. + stp x29,x30,[sp,#-64]! 
+ add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + + adr x23,.Lord + ldp x4,x5,[x1] + ldp x6,x7,[x1,#16] + + ldp x12,x13,[x23,#0] + ldp x21,x22,[x23,#16] + ldr x23,[x23,#32] + b .Loop_ord_sqr + +.align 4 +.Loop_ord_sqr: + sub x2,x2,#1 + //////////////////////////////////////////////////////////////// + // | | | | | |a1*a0| | + // | | | | |a2*a0| | | + // | |a3*a2|a3*a0| | | | + // | | | |a2*a1| | | | + // | | |a3*a1| | | | | + // *| | | | | | | | 2| + // +|a3*a3|a2*a2|a1*a1|a0*a0| + // |--+--+--+--+--+--+--+--| + // |A7|A6|A5|A4|A3|A2|A1|A0|, where Ax is , i.e. follow + // + // "can't overflow" below mark carrying into high part of + // multiplication result, which can't overflow, because it + // can never be all ones. + + mul x15,x5,x4 // a[1]*a[0] + umulh x9,x5,x4 + mul x16,x6,x4 // a[2]*a[0] + umulh x10,x6,x4 + mul x17,x7,x4 // a[3]*a[0] + umulh x19,x7,x4 + + adds x16,x16,x9 // accumulate high parts of multiplication + mul x8,x6,x5 // a[2]*a[1] + umulh x9,x6,x5 + adcs x17,x17,x10 + mul x10,x7,x5 // a[3]*a[1] + umulh x11,x7,x5 + adc x19,x19,xzr // can't overflow + + mul x20,x7,x6 // a[3]*a[2] + umulh x1,x7,x6 + + adds x9,x9,x10 // accumulate high parts of multiplication + mul x14,x4,x4 // a[0]*a[0] + adc x10,x11,xzr // can't overflow + + adds x17,x17,x8 // accumulate low parts of multiplication + umulh x4,x4,x4 + adcs x19,x19,x9 + mul x9,x5,x5 // a[1]*a[1] + adcs x20,x20,x10 + umulh x5,x5,x5 + adc x1,x1,xzr // can't overflow + + adds x15,x15,x15 // acc[1-6]*=2 + mul x10,x6,x6 // a[2]*a[2] + adcs x16,x16,x16 + umulh x6,x6,x6 + adcs x17,x17,x17 + mul x11,x7,x7 // a[3]*a[3] + adcs x19,x19,x19 + umulh x7,x7,x7 + adcs x20,x20,x20 + adcs x1,x1,x1 + adc x3,xzr,xzr + + adds x15,x15,x4 // +a[i]*a[i] + mul x24,x14,x23 + adcs x16,x16,x9 + adcs x17,x17,x5 + adcs x19,x19,x10 + adcs x20,x20,x6 + adcs x1,x1,x11 + adc x3,x3,x7 + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + 
adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adc x17,xzr,x24 // can't overflow + mul x11,x14,x23 + lsl x8,x24,#32 + subs x15,x15,x24 + lsr x9,x24,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x11 + mul x10,x13,x11 + umulh x24,x13,x11 + + adcs x10,x10,x9 + adc x24,x24,xzr + + adds x14,x15,x10 + adcs x15,x16,x24 + adcs x16,x17,x11 + adc x17,xzr,x11 // can't overflow + mul x24,x14,x23 + lsl x8,x11,#32 + subs x15,x15,x11 + lsr x9,x11,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x24 + mul x10,x13,x24 + umulh x11,x13,x24 + + adcs x10,x10,x9 + adc x11,x11,xzr + + adds x14,x15,x10 + adcs x15,x16,x11 + adcs x16,x17,x24 + adc x17,xzr,x24 // can't overflow + mul x11,x14,x23 + lsl x8,x24,#32 + subs x15,x15,x24 + lsr x9,x24,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + subs xzr,x14,#1 + umulh x9,x12,x11 + mul x10,x13,x11 + umulh x24,x13,x11 + + adcs x10,x10,x9 + adc x24,x24,xzr + + adds x14,x15,x10 + adcs x15,x16,x24 + adcs x16,x17,x11 + adc x17,xzr,x11 // can't overflow + lsl x8,x11,#32 + subs x15,x15,x11 + lsr x9,x11,#32 + sbcs x16,x16,x8 + sbc x17,x17,x9 // can't borrow + adds x14,x14,x19 // accumulate upper half + adcs x15,x15,x20 + adcs x16,x16,x1 + adcs x17,x17,x3 + adc x19,xzr,xzr + + subs x8,x14,x12 // ret -= modulus + sbcs x9,x15,x13 + sbcs x10,x16,x21 + sbcs x11,x17,x22 + sbcs xzr,x19,xzr + + csel x4,x14,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x5,x15,x9,lo + csel x6,x16,x10,lo + csel x7,x17,x11,lo + + cbnz x2,.Loop_ord_sqr + + stp x4,x5,[x0] + stp x6,x7,[x0,#16] + + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldr x29,[sp],#64 + ret +.size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index); +.globl ecp_nistz256_select_w5 +.hidden ecp_nistz256_select_w5 +.type ecp_nistz256_select_w5,%function +.align 4 +ecp_nistz256_select_w5: + AARCH64_VALID_CALL_TARGET + + // x10 := x0 + // w9 := 0; loop counter and incremented internal index + mov x10, x0 + mov w9, #0 + + // [v16-v21] := 0 + movi v16.16b, #0 + movi v17.16b, #0 + movi v18.16b, #0 + movi v19.16b, #0 + movi v20.16b, #0 + movi v21.16b, #0 + +.Lselect_w5_loop: + // Loop 16 times. + + // Increment index (loop counter); tested at the end of the loop + add w9, w9, #1 + + // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1 + // and advance x1 to point to the next entry + ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 + + // x11 := (w9 == w2)? All 1s : All 0s + cmp w9, w2 + csetm x11, eq + + // continue loading ... + ld1 {v26.2d, v27.2d}, [x1],#32 + + // duplicate mask_64 into Mask (all 0s or all 1s) + dup v3.2d, x11 + + // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] + // i.e., values in output registers will remain the same if w9 != w2 + bit v16.16b, v22.16b, v3.16b + bit v17.16b, v23.16b, v3.16b + + bit v18.16b, v24.16b, v3.16b + bit v19.16b, v25.16b, v3.16b + + bit v20.16b, v26.16b, v3.16b + bit v21.16b, v27.16b, v3.16b + + // If bit #4 is not 0 (i.e. 
idx_ctr < 16) loop back + tbz w9, #4, .Lselect_w5_loop + + // Write [v16-v21] to memory at the output pointer + st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64 + st1 {v20.2d, v21.2d}, [x10] + + ret +.size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5 + + +//////////////////////////////////////////////////////////////////////// +// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index); +.globl ecp_nistz256_select_w7 +.hidden ecp_nistz256_select_w7 +.type ecp_nistz256_select_w7,%function +.align 4 +ecp_nistz256_select_w7: + AARCH64_VALID_CALL_TARGET + + // w9 := 0; loop counter and incremented internal index + mov w9, #0 + + // [v16-v21] := 0 + movi v16.16b, #0 + movi v17.16b, #0 + movi v18.16b, #0 + movi v19.16b, #0 + +.Lselect_w7_loop: + // Loop 64 times. + + // Increment index (loop counter); tested at the end of the loop + add w9, w9, #1 + + // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1 + // and advance x1 to point to the next entry + ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 + + // x11 := (w9 == w2)? All 1s : All 0s + cmp w9, w2 + csetm x11, eq + + // duplicate mask_64 into Mask (all 0s or all 1s) + dup v3.2d, x11 + + // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] + // i.e., values in output registers will remain the same if w9 != w2 + bit v16.16b, v22.16b, v3.16b + bit v17.16b, v23.16b, v3.16b + + bit v18.16b, v24.16b, v3.16b + bit v19.16b, v25.16b, v3.16b + + // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back + tbz w9, #6, .Lselect_w7_loop + + // Write [v16-v19] to memory at the output pointer + st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0] + + ret +.size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 +#endif +#endif // !OPENSSL_NO_ASM +.section .note.GNU-stack,"",%progbits +#endif // defined(__aarch64__) && defined(__linux__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.linux.x86_64.S index 04e22777..2052fd6b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.mac.x86_64.S index 08cf6d3c..e1e7f8a0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256-x86_64-asm.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.ios.aarch64.S new file mode 100644 index 00000000..fab8e07e --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.ios.aarch64.S 
@@ -0,0 +1,324 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#if defined(__aarch64__) && defined(__APPLE__) +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif +#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif + +#if !defined(OPENSSL_NO_ASM) +#if defined(BORINGSSL_PREFIX) +#include +#endif +#include "CJWTKitBoringSSL_arm_arch.h" + +.text +.globl _beeu_mod_inverse_vartime +.private_extern _beeu_mod_inverse_vartime + +.align 4 +_beeu_mod_inverse_vartime: + // Reserve enough space for 14 8-byte registers on the stack + // in the first stp call for x29, x30. + // Then store the remaining callee-saved registers. + // + // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 | + // ^ ^ + // sp <------------------- 112 bytes ----------------> old sp + // x29 (FP) + // + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-112]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + stp x0,x2,[sp,#96] + + // B = b3..b0 := a + ldp x25,x26,[x1] + ldp x27,x28,[x1,#16] + + // n3..n0 := n + // Note: the value of input params are changed in the following. + ldp x0,x1,[x2] + ldp x2,x30,[x2,#16] + + // A = a3..a0 := n + mov x21, x0 + mov x22, x1 + mov x23, x2 + mov x24, x30 + + // X = x4..x0 := 1 + mov x3, #1 + eor x4, x4, x4 + eor x5, x5, x5 + eor x6, x6, x6 + eor x7, x7, x7 + + // Y = y4..y0 := 0 + eor x8, x8, x8 + eor x9, x9, x9 + eor x10, x10, x10 + eor x11, x11, x11 + eor x12, x12, x12 + +Lbeeu_loop: + // if B == 0, jump to .Lbeeu_loop_end + orr x14, x25, x26 + orr x14, x14, x27 + + // reverse the bit order of x25. 
This is needed for clz after this macro + rbit x15, x25 + + orr x14, x14, x28 + cbz x14,Lbeeu_loop_end + + + // 0 < B < |n|, + // 0 < A <= |n|, + // (1) X*a == B (mod |n|), + // (2) (-1)*Y*a == A (mod |n|) + + // Now divide B by the maximum possible power of two in the + // integers, and divide X by the same value mod |n|. + // When we're done, (1) still holds. + + // shift := number of trailing 0s in x25 + // ( = number of leading 0s in x15; see the "rbit" instruction in TEST_B_ZERO) + clz x13, x15 + + // If there is no shift, goto shift_A_Y + cbz x13, Lbeeu_shift_A_Y + + // Shift B right by "x13" bits + neg x14, x13 + lsr x25, x25, x13 + lsl x15, x26, x14 + + lsr x26, x26, x13 + lsl x19, x27, x14 + + orr x25, x25, x15 + + lsr x27, x27, x13 + lsl x20, x28, x14 + + orr x26, x26, x19 + + lsr x28, x28, x13 + + orr x27, x27, x20 + + + // Shift X right by "x13" bits, adding n whenever X becomes odd. + // x13--; + // x14 := 0; needed in the addition to the most significant word in SHIFT1 + eor x14, x14, x14 +Lbeeu_shift_loop_X: + tbz x3, #0, Lshift1_0 + adds x3, x3, x0 + adcs x4, x4, x1 + adcs x5, x5, x2 + adcs x6, x6, x30 + adc x7, x7, x14 +Lshift1_0: + // var0 := [var1|var0]<64..1>; + // i.e. concatenate var1 and var0, + // extract bits <64..1> from the resulting 128-bit value + // and put them in var0 + extr x3, x4, x3, #1 + extr x4, x5, x4, #1 + extr x5, x6, x5, #1 + extr x6, x7, x6, #1 + lsr x7, x7, #1 + + subs x13, x13, #1 + bne Lbeeu_shift_loop_X + + // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl + // with the following differences: + // - "x13" is set directly to the number of trailing 0s in B + // (using rbit and clz instructions) + // - The loop is only used to call SHIFT1(X) + // and x13 is decreased while executing the X loop. + // - SHIFT256(B, x13) is performed before right-shifting X; they are independent + +Lbeeu_shift_A_Y: + // Same for A and Y. + // Afterwards, (2) still holds. 
+ // Reverse the bit order of x21 + // x13 := number of trailing 0s in x21 (= number of leading 0s in x15) + rbit x15, x21 + clz x13, x15 + + // If there is no shift, goto |B-A|, X+Y update + cbz x13, Lbeeu_update_B_X_or_A_Y + + // Shift A right by "x13" bits + neg x14, x13 + lsr x21, x21, x13 + lsl x15, x22, x14 + + lsr x22, x22, x13 + lsl x19, x23, x14 + + orr x21, x21, x15 + + lsr x23, x23, x13 + lsl x20, x24, x14 + + orr x22, x22, x19 + + lsr x24, x24, x13 + + orr x23, x23, x20 + + + // Shift Y right by "x13" bits, adding n whenever Y becomes odd. + // x13--; + // x14 := 0; needed in the addition to the most significant word in SHIFT1 + eor x14, x14, x14 +Lbeeu_shift_loop_Y: + tbz x8, #0, Lshift1_1 + adds x8, x8, x0 + adcs x9, x9, x1 + adcs x10, x10, x2 + adcs x11, x11, x30 + adc x12, x12, x14 +Lshift1_1: + // var0 := [var1|var0]<64..1>; + // i.e. concatenate var1 and var0, + // extract bits <64..1> from the resulting 128-bit value + // and put them in var0 + extr x8, x9, x8, #1 + extr x9, x10, x9, #1 + extr x10, x11, x10, #1 + extr x11, x12, x11, #1 + lsr x12, x12, #1 + + subs x13, x13, #1 + bne Lbeeu_shift_loop_Y + +Lbeeu_update_B_X_or_A_Y: + // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow) + // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words + // without taking a sign bit if generated. The lack of a carry would + // indicate a negative result. 
See, for example, + // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes + subs x14, x25, x21 + sbcs x15, x26, x22 + sbcs x19, x27, x23 + sbcs x20, x28, x24 + bcs Lbeeu_B_greater_than_A + + // Else A > B => + // A := A - B; Y := Y + X; goto beginning of the loop + subs x21, x21, x25 + sbcs x22, x22, x26 + sbcs x23, x23, x27 + sbcs x24, x24, x28 + + adds x8, x8, x3 + adcs x9, x9, x4 + adcs x10, x10, x5 + adcs x11, x11, x6 + adc x12, x12, x7 + b Lbeeu_loop + +Lbeeu_B_greater_than_A: + // Continue with B > A => + // B := B - A; X := X + Y; goto beginning of the loop + mov x25, x14 + mov x26, x15 + mov x27, x19 + mov x28, x20 + + adds x3, x3, x8 + adcs x4, x4, x9 + adcs x5, x5, x10 + adcs x6, x6, x11 + adc x7, x7, x12 + b Lbeeu_loop + +Lbeeu_loop_end: + // The Euclid's algorithm loop ends when A == gcd(a,n); + // this would be 1, when a and n are co-prime (i.e. do not have a common factor). + // Since (-1)*Y*a == A (mod |n|), Y>0 + // then out = -Y mod n + + // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|) + // Is A-1 == 0? + // If not, fail. 
+ sub x14, x21, #1 + orr x14, x14, x22 + orr x14, x14, x23 + orr x14, x14, x24 + cbnz x14, Lbeeu_err + + // If Y>n ==> Y:=Y-n +Lbeeu_reduction_loop: + // x_i := y_i - n_i (X is no longer needed, use it as temp) + // (x14 = 0 from above) + subs x3, x8, x0 + sbcs x4, x9, x1 + sbcs x5, x10, x2 + sbcs x6, x11, x30 + sbcs x7, x12, x14 + + // If result is non-negative (i.e., cs = carry set = no borrow), + // y_i := x_i; goto reduce again + // else + // y_i := y_i; continue + csel x8, x3, x8, cs + csel x9, x4, x9, cs + csel x10, x5, x10, cs + csel x11, x6, x11, cs + csel x12, x7, x12, cs + bcs Lbeeu_reduction_loop + + // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0) + // out = -Y = n-Y + subs x8, x0, x8 + sbcs x9, x1, x9 + sbcs x10, x2, x10 + sbcs x11, x30, x11 + + // Save Y in output (out (x0) was saved on the stack) + ldr x3, [sp,#96] + stp x8, x9, [x3] + stp x10, x11, [x3,#16] + // return 1 (success) + mov x0, #1 + b Lbeeu_finish + +Lbeeu_err: + // return 0 (error) + eor x0, x0, x0 + +Lbeeu_finish: + // Restore callee-saved registers, except x0, x2 + add sp,x29,#0 + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldp x25,x26,[sp,#64] + ldp x27,x28,[sp,#80] + ldp x29,x30,[sp],#112 + + AARCH64_VALIDATE_LINK_REGISTER + ret + +#endif // !OPENSSL_NO_ASM +#endif // defined(__aarch64__) && defined(__APPLE__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.linux.aarch64.S new file mode 100644 index 00000000..87118fa6 --- /dev/null +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-armv8-asm.linux.aarch64.S 
@@ -0,0 +1,327 @@ +#define BORINGSSL_PREFIX CJWTKitBoringSSL +#if defined(__aarch64__) && defined(__linux__) +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. + +#if !defined(__has_feature) +#define __has_feature(x) 0 +#endif +#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) +#define OPENSSL_NO_ASM +#endif + +#if !defined(OPENSSL_NO_ASM) +#if defined(__aarch64__) +#if defined(BORINGSSL_PREFIX) +#include +#endif +#include "CJWTKitBoringSSL_arm_arch.h" + +.text +.globl beeu_mod_inverse_vartime +.hidden beeu_mod_inverse_vartime +.type beeu_mod_inverse_vartime, %function +.align 4 +beeu_mod_inverse_vartime: + // Reserve enough space for 14 8-byte registers on the stack + // in the first stp call for x29, x30. + // Then store the remaining callee-saved registers. + // + // | x29 | x30 | x19 | x20 | ... | x27 | x28 | x0 | x2 | + // ^ ^ + // sp <------------------- 112 bytes ----------------> old sp + // x29 (FP) + // + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-112]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + stp x21,x22,[sp,#32] + stp x23,x24,[sp,#48] + stp x25,x26,[sp,#64] + stp x27,x28,[sp,#80] + stp x0,x2,[sp,#96] + + // B = b3..b0 := a + ldp x25,x26,[x1] + ldp x27,x28,[x1,#16] + + // n3..n0 := n + // Note: the value of input params are changed in the following. + ldp x0,x1,[x2] + ldp x2,x30,[x2,#16] + + // A = a3..a0 := n + mov x21, x0 + mov x22, x1 + mov x23, x2 + mov x24, x30 + + // X = x4..x0 := 1 + mov x3, #1 + eor x4, x4, x4 + eor x5, x5, x5 + eor x6, x6, x6 + eor x7, x7, x7 + + // Y = y4..y0 := 0 + eor x8, x8, x8 + eor x9, x9, x9 + eor x10, x10, x10 + eor x11, x11, x11 + eor x12, x12, x12 + +.Lbeeu_loop: + // if B == 0, jump to .Lbeeu_loop_end + orr x14, x25, x26 + orr x14, x14, x27 + + // reverse the bit order of x25. 
This is needed for clz after this macro + rbit x15, x25 + + orr x14, x14, x28 + cbz x14,.Lbeeu_loop_end + + + // 0 < B < |n|, + // 0 < A <= |n|, + // (1) X*a == B (mod |n|), + // (2) (-1)*Y*a == A (mod |n|) + + // Now divide B by the maximum possible power of two in the + // integers, and divide X by the same value mod |n|. + // When we're done, (1) still holds. + + // shift := number of trailing 0s in x25 + // ( = number of leading 0s in x15; see the "rbit" instruction in TEST_B_ZERO) + clz x13, x15 + + // If there is no shift, goto shift_A_Y + cbz x13, .Lbeeu_shift_A_Y + + // Shift B right by "x13" bits + neg x14, x13 + lsr x25, x25, x13 + lsl x15, x26, x14 + + lsr x26, x26, x13 + lsl x19, x27, x14 + + orr x25, x25, x15 + + lsr x27, x27, x13 + lsl x20, x28, x14 + + orr x26, x26, x19 + + lsr x28, x28, x13 + + orr x27, x27, x20 + + + // Shift X right by "x13" bits, adding n whenever X becomes odd. + // x13--; + // x14 := 0; needed in the addition to the most significant word in SHIFT1 + eor x14, x14, x14 +.Lbeeu_shift_loop_X: + tbz x3, #0, .Lshift1_0 + adds x3, x3, x0 + adcs x4, x4, x1 + adcs x5, x5, x2 + adcs x6, x6, x30 + adc x7, x7, x14 +.Lshift1_0: + // var0 := [var1|var0]<64..1>; + // i.e. concatenate var1 and var0, + // extract bits <64..1> from the resulting 128-bit value + // and put them in var0 + extr x3, x4, x3, #1 + extr x4, x5, x4, #1 + extr x5, x6, x5, #1 + extr x6, x7, x6, #1 + lsr x7, x7, #1 + + subs x13, x13, #1 + bne .Lbeeu_shift_loop_X + + // Note: the steps above perform the same sequence as in p256_beeu-x86_64-asm.pl + // with the following differences: + // - "x13" is set directly to the number of trailing 0s in B + // (using rbit and clz instructions) + // - The loop is only used to call SHIFT1(X) + // and x13 is decreased while executing the X loop. + // - SHIFT256(B, x13) is performed before right-shifting X; they are independent + +.Lbeeu_shift_A_Y: + // Same for A and Y. + // Afterwards, (2) still holds. 
+ // Reverse the bit order of x21 + // x13 := number of trailing 0s in x21 (= number of leading 0s in x15) + rbit x15, x21 + clz x13, x15 + + // If there is no shift, goto |B-A|, X+Y update + cbz x13, .Lbeeu_update_B_X_or_A_Y + + // Shift A right by "x13" bits + neg x14, x13 + lsr x21, x21, x13 + lsl x15, x22, x14 + + lsr x22, x22, x13 + lsl x19, x23, x14 + + orr x21, x21, x15 + + lsr x23, x23, x13 + lsl x20, x24, x14 + + orr x22, x22, x19 + + lsr x24, x24, x13 + + orr x23, x23, x20 + + + // Shift Y right by "x13" bits, adding n whenever Y becomes odd. + // x13--; + // x14 := 0; needed in the addition to the most significant word in SHIFT1 + eor x14, x14, x14 +.Lbeeu_shift_loop_Y: + tbz x8, #0, .Lshift1_1 + adds x8, x8, x0 + adcs x9, x9, x1 + adcs x10, x10, x2 + adcs x11, x11, x30 + adc x12, x12, x14 +.Lshift1_1: + // var0 := [var1|var0]<64..1>; + // i.e. concatenate var1 and var0, + // extract bits <64..1> from the resulting 128-bit value + // and put them in var0 + extr x8, x9, x8, #1 + extr x9, x10, x9, #1 + extr x10, x11, x10, #1 + extr x11, x12, x11, #1 + lsr x12, x12, #1 + + subs x13, x13, #1 + bne .Lbeeu_shift_loop_Y + +.Lbeeu_update_B_X_or_A_Y: + // Try T := B - A; if cs, continue with B > A (cs: carry set = no borrow) + // Note: this is a case of unsigned arithmetic, where T fits in 4 64-bit words + // without taking a sign bit if generated. The lack of a carry would + // indicate a negative result. 
See, for example, + // https://community.arm.com/developer/ip-products/processors/b/processors-ip-blog/posts/condition-codes-1-condition-flags-and-codes + subs x14, x25, x21 + sbcs x15, x26, x22 + sbcs x19, x27, x23 + sbcs x20, x28, x24 + bcs .Lbeeu_B_greater_than_A + + // Else A > B => + // A := A - B; Y := Y + X; goto beginning of the loop + subs x21, x21, x25 + sbcs x22, x22, x26 + sbcs x23, x23, x27 + sbcs x24, x24, x28 + + adds x8, x8, x3 + adcs x9, x9, x4 + adcs x10, x10, x5 + adcs x11, x11, x6 + adc x12, x12, x7 + b .Lbeeu_loop + +.Lbeeu_B_greater_than_A: + // Continue with B > A => + // B := B - A; X := X + Y; goto beginning of the loop + mov x25, x14 + mov x26, x15 + mov x27, x19 + mov x28, x20 + + adds x3, x3, x8 + adcs x4, x4, x9 + adcs x5, x5, x10 + adcs x6, x6, x11 + adc x7, x7, x12 + b .Lbeeu_loop + +.Lbeeu_loop_end: + // The Euclid's algorithm loop ends when A == gcd(a,n); + // this would be 1, when a and n are co-prime (i.e. do not have a common factor). + // Since (-1)*Y*a == A (mod |n|), Y>0 + // then out = -Y mod n + + // Verify that A = 1 ==> (-1)*Y*a = A = 1 (mod |n|) + // Is A-1 == 0? + // If not, fail. 
+ sub x14, x21, #1 + orr x14, x14, x22 + orr x14, x14, x23 + orr x14, x14, x24 + cbnz x14, .Lbeeu_err + + // If Y>n ==> Y:=Y-n +.Lbeeu_reduction_loop: + // x_i := y_i - n_i (X is no longer needed, use it as temp) + // (x14 = 0 from above) + subs x3, x8, x0 + sbcs x4, x9, x1 + sbcs x5, x10, x2 + sbcs x6, x11, x30 + sbcs x7, x12, x14 + + // If result is non-negative (i.e., cs = carry set = no borrow), + // y_i := x_i; goto reduce again + // else + // y_i := y_i; continue + csel x8, x3, x8, cs + csel x9, x4, x9, cs + csel x10, x5, x10, cs + csel x11, x6, x11, cs + csel x12, x7, x12, cs + bcs .Lbeeu_reduction_loop + + // Now Y < n (Y cannot be equal to n, since the inverse cannot be 0) + // out = -Y = n-Y + subs x8, x0, x8 + sbcs x9, x1, x9 + sbcs x10, x2, x10 + sbcs x11, x30, x11 + + // Save Y in output (out (x0) was saved on the stack) + ldr x3, [sp,#96] + stp x8, x9, [x3] + stp x10, x11, [x3,#16] + // return 1 (success) + mov x0, #1 + b .Lbeeu_finish + +.Lbeeu_err: + // return 0 (error) + eor x0, x0, x0 + +.Lbeeu_finish: + // Restore callee-saved registers, except x0, x2 + add sp,x29,#0 + ldp x19,x20,[sp,#16] + ldp x21,x22,[sp,#32] + ldp x23,x24,[sp,#48] + ldp x25,x26,[sp,#64] + ldp x27,x28,[sp,#80] + ldp x29,x30,[sp],#112 + + AARCH64_VALIDATE_LINK_REGISTER + ret +.size beeu_mod_inverse_vartime,.-beeu_mod_inverse_vartime +#endif +#endif // !OPENSSL_NO_ASM +.section .note.GNU-stack,"",%progbits +#endif // defined(__aarch64__) && defined(__linux__) +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif + diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.linux.x86_64.S index cd672ffc..6c2fc03d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.linux.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.mac.x86_64.S index 706214c0..32e1f454 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/p256_beeu-x86_64-asm.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h index 7b835bcc..f7606c91 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/internal.h @@ -16,7 +16,6 @@ #define OPENSSL_HEADER_CRYPTO_RAND_INTERNAL_H #include -#include #include "../../internal.h" #include "../modes/internal.h" 
@@ -144,15 +143,14 @@ OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg); #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) OPENSSL_INLINE int have_rdrand(void) { - return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0; + return CRYPTO_is_RDRAND_capable(); } // have_fast_rdrand returns true if RDRAND is supported and it's reasonably // fast. Concretely the latter is defined by whether the chip is Intel (fast) or // not (assumed slow). OPENSSL_INLINE int have_fast_rdrand(void) { - const uint32_t *const ia32cap = OPENSSL_ia32cap_get(); - return (ia32cap[1] & (1u << 30)) && (ia32cap[0] & (1u << 30)); + return CRYPTO_is_RDRAND_capable() && CRYPTO_is_intel_cpu(); } // CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c index b6aecc23..faedde88 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/rand.c @@ -23,7 +23,6 @@ #endif #include -#include #include #include @@ -171,11 +170,11 @@ void CRYPTO_get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len, CRYPTO_sysrand_for_seed(out_entropy, out_entropy_len); } -#if defined(BORINGSSL_FIPS_BREAK_CRNG) - // This breaks the "continuous random number generator test" defined in FIPS - // 140-2, section 4.9.2, and implemented in |rand_get_seed|. - OPENSSL_memset(out_entropy, 0, out_entropy_len); -#endif + if (boringssl_fips_break_test("CRNG")) { + // This breaks the "continuous random number generator test" defined in FIPS + // 140-2, section 4.9.2, and implemented in |rand_get_seed|. + OPENSSL_memset(out_entropy, 0, out_entropy_len); + } } // In passive entropy mode, entropy is supplied from outside of the module via 
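Review bot: The entropy-zeroing in the `CRYPTO_get_seed_entropy` hunk of rand.c is now a runtime branch on `boringssl_fips_break_test("CRNG")` instead of a compile-time `#if`, so the `OPENSSL_memset(out_entropy, 0, out_entropy_len)` is compiled into every build and its reachability depends entirely on how that helper is gated, which this hunk does not show. It is worth confirming that the helper is a constant false outside a deliberately configured break-test build and saying so where the fault is injected, e.g. `// Deliberate fault injection for the FIPS CRNG test; relies on boringssl_fips_break_test() being unconditionally false outside break-test builds.` The same pattern appears in the `RSA_check_fips` hunk of rsa.c (`boringssl_fips_break_test("RSA_PWCT")`), which corrupts a signature byte before verification. `CRYPTO_get_seed_entropy` starts outside the hunk.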
@@ -356,7 +355,7 @@ void RAND_bytes_with_additional_data(uint8_t *out, size_t out_len, int used_cpu; rand_get_seed(state, seed, &used_cpu); - uint8_t personalization[CTR_DRBG_ENTROPY_LEN]; + uint8_t personalization[CTR_DRBG_ENTROPY_LEN] = {0}; size_t personalization_len = 0; #if defined(OPENSSL_URANDOM) // If we used RDRAND, also opportunistically read from the system. This diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c index 4a58e35d..40ed954e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rand/urandom.c @@ -135,7 +135,7 @@ static void maybe_set_extra_getrandom_flags(void) { } value[length] = 0; - if (strcasecmp(value, "true") == 0) { + if (OPENSSL_strcasecmp(value, "true") == 0) { *extra_getrandom_flags_for_seed_bss_get() = GRND_RANDOM; } #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.linux.x86_64.S index c415a837..c0192006 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.mac.x86_64.S index ddfe1e95..8372e240 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.mac.x86_64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rdrand-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h index e66eced5..8092487b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/internal.h @@ -124,6 +124,28 @@ extern const BN_ULONG kBoringSSLRSASqrtTwo[]; extern const size_t kBoringSSLRSASqrtTwoLen; +// Functions that avoid self-tests. +// +// Self-tests need to call functions that don't try and ensure that the +// self-tests have passed. These functions, in turn, need to limit themselves +// to such functions too. +// +// These functions are the same as their public versions, but skip the self-test +// check. + +int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, + size_t digest_len, const uint8_t *sig, + size_t sig_len, RSA *rsa); + +int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, + size_t max_out, const uint8_t *in, + size_t in_len, int padding); + +int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, + unsigned digest_len, uint8_t *out, unsigned *out_len, + RSA *rsa); + + #if defined(__cplusplus) } // extern C #endif diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c index 8b1a8d01..6d53841b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa.c 
@@ -206,6 +206,12 @@ void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, } } +const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) { + // We do not support the id-RSASSA-PSS key encoding. If we add support later, + // the |maskHash| field should be filled in for OpenSSL compatibility. + return NULL; +} + void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, const BIGNUM **out_dmq1, const BIGNUM **out_iqmp) { if (out_dmp1 != NULL) { @@ -297,8 +303,9 @@ int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, return out_len; } -int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, - const uint8_t *in, size_t in_len, int padding) { +static int rsa_sign_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, + size_t max_out, const uint8_t *in, + size_t in_len, int padding) { if (rsa->meth->sign_raw) { return rsa->meth->sign_raw(rsa, out_len, out, max_out, in, in_len, padding); } @@ -306,6 +313,13 @@ int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, return rsa_default_sign_raw(rsa, out_len, out, max_out, in, in_len, padding); } +int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, + const uint8_t *in, size_t in_len, int padding) { + boringssl_ensure_rsa_self_test(); + return rsa_sign_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, + padding); +} + int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, int padding) { size_t out_len; @@ -517,8 +531,9 @@ int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, return 0; } -int RSA_sign(int hash_nid, const uint8_t *digest, unsigned digest_len, - uint8_t *out, unsigned *out_len, RSA *rsa) { +int rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, + unsigned digest_len, uint8_t *out, unsigned *out_len, + RSA *rsa) { const unsigned rsa_size = RSA_size(rsa); int ret = 0; uint8_t *signed_msg = NULL; 
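Review bot: The new file-local `rsa_sign_raw_no_self_test` in the `@@ -297` hunk carries no comment, and because it is `static` it is not covered by the "Functions that avoid self-tests" block that rsa/internal.h gives its exported siblings. A one-line comment above the definition, `// rsa_sign_raw_no_self_test is |RSA_sign_raw| without the self-test check, so that the self-tests (via |rsa_sign_no_self_test|) can sign without first requiring the self-tests to have passed.`, would record why a second entry point exists. Its body continues outside the hunk.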
@@ -533,8 +548,9 @@ int RSA_sign(int hash_nid, const uint8_t *digest, unsigned digest_len, if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, &signed_msg_is_alloced, hash_nid, digest, digest_len) || - !RSA_sign_raw(rsa, &size_t_out_len, out, rsa_size, signed_msg, - signed_msg_len, RSA_PKCS1_PADDING)) { + !rsa_sign_raw_no_self_test(rsa, &size_t_out_len, out, rsa_size, + signed_msg, signed_msg_len, + RSA_PKCS1_PADDING)) { goto err; } @@ -548,6 +564,13 @@ int RSA_sign(int hash_nid, const uint8_t *digest, unsigned digest_len, return ret; } +int RSA_sign(int hash_nid, const uint8_t *digest, unsigned digest_len, + uint8_t *out, unsigned *out_len, RSA *rsa) { + boringssl_ensure_rsa_self_test(); + + return rsa_sign_no_self_test(hash_nid, digest, digest_len, out, out_len, rsa); +} + int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *digest, size_t digest_len, const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len) { @@ -571,8 +594,9 @@ int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, return ret; } -int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, - const uint8_t *sig, size_t sig_len, RSA *rsa) { +int rsa_verify_no_self_test(int hash_nid, const uint8_t *digest, + size_t digest_len, const uint8_t *sig, + size_t sig_len, RSA *rsa) { if (rsa->n == NULL || rsa->e == NULL) { OPENSSL_PUT_ERROR(RSA, RSA_R_VALUE_MISSING); return 0; @@ -596,12 +620,9 @@ int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, return 0; } - if (!RSA_verify_raw(rsa, &len, buf, rsa_size, sig, sig_len, - RSA_PKCS1_PADDING)) { - goto out; - } - - if (!RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, + if (!rsa_verify_raw_no_self_test(rsa, &len, buf, rsa_size, sig, sig_len, + RSA_PKCS1_PADDING) || + !RSA_add_pkcs1_prefix(&signed_msg, &signed_msg_len, &signed_msg_is_alloced, hash_nid, digest, digest_len)) { goto out; 
@@ -624,6 +645,13 @@ int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, return ret; } +int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, + const uint8_t *sig, size_t sig_len, RSA *rsa) { + boringssl_ensure_rsa_self_test(); + return rsa_verify_no_self_test(hash_nid, digest, digest_len, sig, sig_len, + rsa); +} + int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, const uint8_t *sig, size_t sig_len) { @@ -657,7 +685,8 @@ int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, } static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, - const BIGNUM *m, BN_CTX *ctx) { + const BIGNUM *m, unsigned m_min_bits, + BN_CTX *ctx) { if (BN_is_negative(ainv) || BN_cmp(ainv, m) >= 0) { *out_ok = 0; return 1; @@ -670,7 +699,7 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, BIGNUM *tmp = BN_CTX_get(ctx); int ret = tmp != NULL && bn_mul_consttime(tmp, a, ainv, ctx) && - bn_div_consttime(NULL, tmp, tmp, m, ctx); + bn_div_consttime(NULL, tmp, tmp, m, m_min_bits, ctx); if (ret) { *out_ok = BN_is_one(tmp); } 
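Review bot: `check_mod_inverse` gains an `m_min_bits` parameter that is forwarded unchanged to `bn_div_consttime`, but nothing at the definition says what it means or what a caller may pass; the only explanation is the call-site comment in `RSA_check_key` that "we only need a lower bound". A comment on the parameter, `// |m_min_bits| is a lower bound on the bit width of |m|, passed through to |bn_div_consttime|; it must not exceed BN_num_bits(m).`, would pin that contract where every caller will read it. The function body continues past the hunk.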
@@ -750,10 +779,15 @@ int RSA_check_key(const RSA *key) { // simply check that d * e is one mod p-1 and mod q-1. Note d and e were bound // by earlier checks in this function. if (!bn_usub_consttime(&pm1, key->p, BN_value_one()) || - !bn_usub_consttime(&qm1, key->q, BN_value_one()) || - !bn_mul_consttime(&de, key->d, key->e, ctx) || - !bn_div_consttime(NULL, &tmp, &de, &pm1, ctx) || - !bn_div_consttime(NULL, &de, &de, &qm1, ctx)) { + !bn_usub_consttime(&qm1, key->q, BN_value_one())) { + OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); + goto out; + } + const unsigned pm1_bits = BN_num_bits(&pm1); + const unsigned qm1_bits = BN_num_bits(&qm1); + if (!bn_mul_consttime(&de, key->d, key->e, ctx) || + !bn_div_consttime(NULL, &tmp, &de, &pm1, pm1_bits, ctx) || + !bn_div_consttime(NULL, &de, &de, &qm1, qm1_bits, ctx)) { OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); goto out; } @@ -772,9 +806,12 @@ int RSA_check_key(const RSA *key) { if (has_crt_values) { int dmp1_ok, dmq1_ok, iqmp_ok; - if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, ctx) || - !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, ctx) || - !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, ctx)) { + if (!check_mod_inverse(&dmp1_ok, key->e, key->dmp1, &pm1, pm1_bits, ctx) || + !check_mod_inverse(&dmq1_ok, key->e, key->dmq1, &qm1, qm1_bits, ctx) || + // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't, + // we only need a lower bound anyway. + !check_mod_inverse(&iqmp_ok, key->q, key->iqmp, key->p, pm1_bits, + ctx)) { OPENSSL_PUT_ERROR(RSA, ERR_LIB_BN); goto out; } @@ -890,9 +927,9 @@ int RSA_check_fips(RSA *key) { ret = 0; goto cleanup; } -#if defined(BORINGSSL_FIPS_BREAK_RSA_PWCT) - data[0] = ~data[0]; -#endif + if (boringssl_fips_break_test("RSA_PWCT")) { + data[0] = ~data[0]; + } if (!RSA_verify(NID_sha256, data, sizeof(data), sig, sig_len, key)) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); ret = 0; 
@@ -915,6 +952,8 @@ int RSA_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, int RSA_flags(const RSA *rsa) { return rsa->flags; } +int RSA_test_flags(const RSA *rsa, int flags) { return rsa->flags & flags; } + int RSA_blinding_on(RSA *rsa, BN_CTX *ctx) { return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c index ca8ca677..eb75a5d0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsa/rsa_impl.c @@ -261,6 +261,8 @@ size_t rsa_default_size(const RSA *rsa) { int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding) { + boringssl_ensure_rsa_self_test(); + if (!rsa_check_public_key(rsa)) { return 0; } @@ -528,6 +530,8 @@ int rsa_default_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding) { + boringssl_ensure_rsa_self_test(); + const unsigned rsa_size = RSA_size(rsa); uint8_t *buf = NULL; int ret = 0; @@ -593,8 +597,9 @@ int rsa_default_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, static int mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx); -int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, - const uint8_t *in, size_t in_len, int padding) { +int rsa_verify_raw_no_self_test(RSA *rsa, size_t *out_len, uint8_t *out, + size_t max_out, const uint8_t *in, + size_t in_len, int padding) { if (!rsa_check_public_key(rsa)) { return 0; } 
@@ -686,6 +691,14 @@ int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, return ret; } +int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, + size_t max_out, const uint8_t *in, + size_t in_len, int padding) { + boringssl_ensure_rsa_self_test(); + return rsa_verify_raw_no_self_test(rsa, out_len, out, max_out, in, in_len, + padding); +} + int rsa_default_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len) { if (rsa->n == NULL || rsa->d == NULL) { @@ -1262,12 +1275,14 @@ static int rsa_generate_key_impl(RSA *rsa, int bits, const BIGNUM *e_value, // values for d. } while (BN_cmp(rsa->d, pow2_prime_bits) <= 0); + assert(BN_num_bits(pm1) == (unsigned)prime_bits); + assert(BN_num_bits(qm1) == (unsigned)prime_bits); if (// Calculate n. !bn_mul_consttime(rsa->n, rsa->p, rsa->q, ctx) || // Calculate d mod (p-1). - !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, ctx) || + !bn_div_consttime(NULL, rsa->dmp1, rsa->d, pm1, prime_bits, ctx) || // Calculate d mod (q-1) - !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, ctx)) { + !bn_div_consttime(NULL, rsa->dmq1, rsa->d, qm1, prime_bits, ctx)) { goto bn_err; } bn_set_minimal_width(rsa->n); @@ -1322,6 +1337,8 @@ static void replace_bn_mont_ctx(BN_MONT_CTX **out, BN_MONT_CTX **in) { static int RSA_generate_key_ex_maybe_fips(RSA *rsa, int bits, const BIGNUM *e_value, BN_GENCB *cb, int check_fips) { + boringssl_ensure_rsa_self_test(); + RSA *tmp = NULL; uint32_t err; int ret = 0; diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.linux.x86_64.S index 9705c97e..8819ebde 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.linux.x86_64.S 
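Review bot: The two new `assert` lines in the `rsa_generate_key_impl` hunk only check in debug builds that `pm1` and `qm1` are exactly `prime_bits` wide, while the `bn_div_consttime` calls immediately after depend on `prime_bits` being a valid lower bound in release builds too, where the asserts vanish. A comment stating where the invariant comes from would help, e.g. `// p and q are generated with exactly |prime_bits| bits, so |prime_bits| is an exact (hence valid) lower bound on the width of p-1 and q-1 for bn_div_consttime.`; that presumably follows from the prime generation earlier in the function, which is outside the hunk. `rsa_generate_key_impl` starts outside the hunk.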
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.mac.x86_64.S index fd35623f..8a740a3d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/rsaz-avx2.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c index d583a150..6d4304ee 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/fips.c 
@@ -28,6 +28,47 @@ int FIPS_mode(void) { int FIPS_mode_set(int on) { return on == FIPS_mode(); } +const char *FIPS_module_name(void) { return "BoringCrypto"; } + +uint32_t FIPS_version(void) { + return 0; +} + +int FIPS_query_algorithm_status(const char *algorithm) { +#if defined(BORINGSSL_FIPS) + static const char kApprovedAlgorithms[][13] = { + "AES-CBC", + "AES-CCM", + "AES-CTR", + "AES-ECB", + "AES-GCM", + "AES-KW", + "AES-KWP", + "ctrDRBG", + "ECC-SSC", + "ECDSA-sign", + "ECDSA-verify", + "FFC-SSC", + "HMAC", + "RSA-sign", + "RSA-verify", + "SHA-1", + "SHA2-224", + "SHA2-256", + "SHA2-384", + "SHA2-512", + "SHA2-512/256", + }; + for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(kApprovedAlgorithms); i++) { + if (strcmp(algorithm, kApprovedAlgorithms[i]) == 0) { + return 1; + } + } +#endif // BORINGSSL_FIPS + + return 0; +} + #if defined(BORINGSSL_FIPS_COUNTERS) size_t FIPS_read_counter(enum fips_counter_t counter) { diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c index 8341050c..e5907e1c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/self_check/self_check.c @@ -20,20 +20,22 @@ #include #include #include -#include #include #include #include #include #include +#include #include #include #include #include "../../internal.h" +#include "../dh/internal.h" #include "../ec/internal.h" #include "../ecdsa/internal.h" #include "../rand/internal.h" +#include "../rsa/internal.h" #include "../tls/internal.h" 
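Review bot: `kApprovedAlgorithms[][13]` in `FIPS_query_algorithm_status` is sized to exactly fit the longest entry, "SHA2-512/256", plus its terminator; in C a 13-character initializer for a `char[13]` compiles without error and silently drops the NUL, after which the `strcmp` in the loop reads past that entry. A comment on the declaration, `// Width 13 = longest name ("SHA2-512/256") + NUL. A 13-character name would compile without a terminator; widen this if one is added.`, guards the next edit. Separately, `algorithm` reaches `strcmp` unchecked, so a NULL argument crashes; either document that it must be non-NULL or add `if (algorithm == NULL) { return 0; }` before the loop. `FIPS_version` returning a bare `0` would also benefit from a one-line comment saying what that value signifies.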
@@ -47,21 +49,6 @@ int BORINGSSL_self_test(void) { #else -#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID) -// FIPS builds on Android will test for flag files, named after the module hash, -// in /dev/boringssl/selftest/. If such a flag file exists, it's assumed that -// self-tests have already passed and thus do not need to be repeated. (The -// integrity tests always run, however.) -// -// If self-tests complete successfully and the environment variable named in -// |kFlagWriteEnableEnvVar| is present, then the flag file will be created. The -// flag file isn't written without the environment variable being set in order -// to avoid SELinux violations on Android. -#define BORINGSSL_FIPS_SELF_TEST_FLAG_FILE -static const char kFlagPrefix[] = "/dev/boringssl/selftest/"; -static const char kFlagWriteEnableEnvVar[] = "BORINGSSL_SELF_TEST_CREATE_FLAG"; -#endif - static void hexdump(const uint8_t *in, size_t len) { for (size_t i = 0; i < len; i++) { fprintf(stderr, "%02x", in[i]); @@ -71,7 +58,7 @@ static void hexdump(const uint8_t *in, size_t len) { static int check_test(const void *expected, const void *actual, size_t expected_len, const char *name) { if (OPENSSL_memcmp(actual, expected, expected_len) != 0) { - fprintf(stderr, "%s failed.\nExpected: ", name); + fprintf(stderr, "%s failed.\nExpected: ", name); hexdump(expected, expected_len); fprintf(stderr, "\nCalculated: "); hexdump(actual, expected_len); 
@@ -87,6 +74,28 @@ static int set_bignum(BIGNUM **out, const uint8_t *in, size_t len) { return *out != NULL; } +static int serialize_ecdsa_sig(uint8_t *out, size_t out_len, + const ECDSA_SIG *sig) { + if ((out_len & 1) || // + !BN_bn2bin_padded(out, out_len / 2, sig->r) || + !BN_bn2bin_padded(out + out_len / 2, out_len / 2, sig->s)) { + return 0; + } + return 1; +} + +static ECDSA_SIG *parse_ecdsa_sig(const uint8_t *in, size_t in_len) { + ECDSA_SIG *ret = ECDSA_SIG_new(); + if (!ret || // + (in_len & 1) || + BN_bin2bn(in, in_len/2, ret->r) == NULL || + BN_bin2bn(in + in_len/2, in_len/2, ret->s) == NULL) { + ECDSA_SIG_free(ret); + ret = NULL; + } + return ret; +} + static RSA *self_test_rsa_key(void) { static const uint8_t kN[] = { 0xd3, 0x3a, 0x62, 0x9f, 0x07, 0x77, 0xb0, 0x18, 0xf3, 0xff, 0xfe, 0xcc, 
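Review bot: `serialize_ecdsa_sig` and `parse_ecdsa_sig` have no comment describing the encoding they implement, and `parse_ecdsa_sig` writes `in_len/2` where its sibling writes `out_len / 2`. From the code, both treat the buffer as two equal fixed-width halves, `r` then `s`, converted with `BN_bn2bin_padded`/`BN_bin2bn`, so a comment such as `// serialize_ecdsa_sig writes |sig| as r || s, each zero-padded to out_len/2 bytes; out_len must be even.` (and its mirror on the parser) would make the KAT vector format explicit. Note that `in_len == 0` passes the parity check and yields zero-valued `r` and `s`; harmless for the fixed self-test inputs, but worth a line if the helper is ever reused. Matching the division spacing to the sibling (`in_len / 2`) keeps the two helpers consistent.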
@@ -289,195 +298,185 @@ static DH *self_test_dh(void) { return NULL; } -#if defined(OPENSSL_ANDROID) -static const size_t kModuleDigestSize = SHA256_DIGEST_LENGTH; -#else -static const size_t kModuleDigestSize = SHA512_DIGEST_LENGTH; -#endif -int boringssl_fips_self_test( - const uint8_t *module_hash, size_t module_hash_len) { -#if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE) - char flag_path[sizeof(kFlagPrefix) + 2*kModuleDigestSize]; - if (module_hash_len != 0) { - if (module_hash_len != kModuleDigestSize) { - fprintf(stderr, - "module hash of length %zu does not match expected length %zu\n", - module_hash_len, kModuleDigestSize); - BORINGSSL_FIPS_abort(); - } - - // Test whether the flag file exists. - memcpy(flag_path, kFlagPrefix, sizeof(kFlagPrefix) - 1); - static const char kHexTable[17] = "0123456789abcdef"; - for (size_t i = 0; i < kModuleDigestSize; i++) { - flag_path[sizeof(kFlagPrefix) - 1 + 2 * i] = - kHexTable[module_hash[i] >> 4]; - flag_path[sizeof(kFlagPrefix) - 1 + 2 * i + 1] = - kHexTable[module_hash[i] & 15]; - } - flag_path[sizeof(flag_path) - 1] = 0; - - if (access(flag_path, F_OK) == 0) { - // Flag file found. Skip self-tests. - return 1; - } - } -#endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE +// Lazy self-tests +// +// Self tests that are slow are deferred until the corresponding algorithm is +// actually exercised, in FIPS mode. (In non-FIPS mode these tests are only run +// when requested by |BORINGSSL_self_test|.) 
- static const uint8_t kAESKey[16] = "BoringCrypto Key"; - static const uint8_t kAESIV[16] = {0}; - static const uint8_t kPlaintext[64] = - "BoringCryptoModule FIPS KAT Encryption and Decryption Plaintext!"; - static const uint8_t kAESCBCCiphertext[64] = { - 0x87, 0x2d, 0x98, 0xc2, 0xcc, 0x31, 0x5b, 0x41, 0xe0, 0xfa, 0x7b, - 0x0a, 0x71, 0xc0, 0x42, 0xbf, 0x4f, 0x61, 0xd0, 0x0d, 0x58, 0x8c, - 0xf7, 0x05, 0xfb, 0x94, 0x89, 0xd3, 0xbc, 0xaa, 0x1a, 0x50, 0x45, - 0x1f, 0xc3, 0x8c, 0xb8, 0x98, 0x86, 0xa3, 0xe3, 0x6c, 0xfc, 0xad, - 0x3a, 0xb5, 0x59, 0x27, 0x7d, 0x21, 0x07, 0xca, 0x4c, 0x1d, 0x55, - 0x34, 0xdd, 0x5a, 0x2d, 0xc4, 0xb4, 0xf5, 0xa8, -#if !defined(BORINGSSL_FIPS_BREAK_AES_CBC) - 0x35 -#else - 0x00 -#endif +static int boringssl_self_test_rsa(void) { + int ret = 0; + uint8_t output[256]; + + RSA *const rsa_key = self_test_rsa_key(); + if (rsa_key == NULL) { + fprintf(stderr, "RSA key construction failed\n"); + goto err; + } + + // RSA Sign KAT + + static const uint8_t kRSASignDigest[32] = { + 0xd2, 0xb5, 0x6e, 0x53, 0x30, 0x6f, 0x72, 0x0d, 0x79, 0x29, 0xd8, + 0x70, 0x8b, 0xf4, 0x6f, 0x1c, 0x22, 0x30, 0x03, 0x05, 0x58, 0x2b, + 0x11, 0x5b, 0xed, 0xca, 0xc7, 0x22, 0xd8, 0xaa, 0x5a, 0xb2, }; - static const uint8_t kAESGCMCiphertext[80] = { - 0x4a, 0xd8, 0xe7, 0x7d, 0x78, 0xd7, 0x7d, 0x5e, 0xb2, 0x11, 0xb6, 0xc9, - 0xa4, 0xbc, 0xb2, 0xae, 0xbe, 0x93, 0xd1, 0xb7, 0xfe, 0x65, 0xc1, 0x82, - 0x2a, 0xb6, 0x71, 0x5f, 0x1a, 0x7c, 0xe0, 0x1b, 0x2b, 0xe2, 0x53, 0xfa, - 0xa0, 0x47, 0xfa, 0xd7, 0x8f, 0xb1, 0x4a, 0xc4, 0xdc, 0x89, 0xf9, 0xb4, - 0x14, 0x4d, 0xde, 0x95, 0xea, 0x29, 0x69, 0x76, 0x81, 0xa3, 0x5c, 0x33, - 0xd8, 0x37, 0xd8, 0xfa, 0x47, 0x19, 0x46, 0x2f, 0xf1, 0x90, 0xb7, 0x61, - 0x8f, 0x6f, 0xdd, 0x31, 0x3f, 0x6a, 0x64, -#if !defined(BORINGSSL_FIPS_BREAK_AES_GCM) - 0x0d -#else - 0x00 -#endif + static const uint8_t kRSASignSignature[256] = { + 0x64, 0xce, 0xdd, 0x91, 0x27, 0xb0, 0x4f, 0xb9, 0x14, 0xea, 0xc0, 0xb4, + 0xa2, 0x06, 0xc5, 0xd8, 0x40, 0x0f, 0x6c, 0x54, 0xac, 
0xf7, 0x02, 0xde, + 0x26, 0xbb, 0xfd, 0x33, 0xe5, 0x2f, 0x4d, 0xb1, 0x53, 0xc4, 0xff, 0xd0, + 0x5f, 0xea, 0x15, 0x89, 0x83, 0x4c, 0xe3, 0x80, 0x0b, 0xe9, 0x13, 0x82, + 0x1d, 0x71, 0x92, 0x1a, 0x03, 0x60, 0x2c, 0xaf, 0xe2, 0x16, 0xc7, 0x43, + 0x3f, 0xde, 0x6b, 0x94, 0xfd, 0x6e, 0x08, 0x7b, 0x11, 0xf1, 0x34, 0x52, + 0xe5, 0xc0, 0x97, 0x66, 0x4a, 0xe0, 0x91, 0x45, 0xc8, 0xb1, 0x3d, 0x6a, + 0x54, 0xc1, 0x32, 0x0f, 0x32, 0xad, 0x25, 0x11, 0x3e, 0x49, 0xad, 0x41, + 0xce, 0x7b, 0xca, 0x95, 0x6b, 0x54, 0x5e, 0x86, 0x1b, 0xce, 0xfa, 0x2a, + 0x60, 0xe8, 0xfa, 0xbb, 0x23, 0xb2, 0x41, 0xbc, 0x7c, 0x98, 0xec, 0x73, + 0x20, 0xed, 0xb3, 0xcf, 0xab, 0x07, 0x24, 0x85, 0x6a, 0x2a, 0x61, 0x76, + 0x28, 0xf8, 0x00, 0x80, 0xeb, 0xd9, 0x3a, 0x63, 0xe2, 0x01, 0xb1, 0xee, + 0x6d, 0xe9, 0x73, 0xe9, 0xb6, 0x75, 0x2e, 0xf9, 0x81, 0xd9, 0xa8, 0x79, + 0xf6, 0x8f, 0xe3, 0x02, 0x7d, 0xf6, 0xea, 0xdc, 0x35, 0xe4, 0x62, 0x0d, + 0x91, 0xba, 0x3e, 0x7d, 0x8b, 0x82, 0xbf, 0x15, 0x74, 0x6a, 0x4e, 0x29, + 0xf8, 0x9b, 0x2c, 0x94, 0x8d, 0xa7, 0x00, 0x4d, 0x7b, 0xbf, 0x35, 0x07, + 0xeb, 0xdd, 0x10, 0xef, 0xd5, 0x2f, 0xe6, 0x98, 0x4b, 0x7e, 0x24, 0x80, + 0xe2, 0x01, 0xf2, 0x66, 0xb7, 0xd3, 0x93, 0xfe, 0x2a, 0xb3, 0x74, 0xed, + 0xec, 0x4b, 0xb1, 0x5f, 0x5f, 0xee, 0x85, 0x44, 0xa7, 0x26, 0xdf, 0xc1, + 0x2e, 0x7a, 0xf3, 0xa5, 0x8f, 0xf8, 0x64, 0xda, 0x65, 0xad, 0x91, 0xe2, + 0x90, 0x94, 0x20, 0x16, 0xb8, 0x61, 0xa5, 0x0a, 0x7d, 0xb4, 0xbf, 0xc0, + 0x10, 0xaf, 0x72, 0x67, }; - static const DES_cblock kDESKey1 = {"BCMDESK1"}; - static const DES_cblock kDESKey2 = {"BCMDESK2"}; - static const DES_cblock kDESKey3 = {"BCMDESK3"}; - static const DES_cblock kDESIV = {"BCMDESIV"}; - static const uint8_t kDESCiphertext[64] = { - 0xa4, 0x30, 0x7a, 0x4c, 0x1f, 0x60, 0x16, 0xd7, 0x4f, 0x41, 0xe1, - 0xbb, 0x27, 0xc4, 0x27, 0x37, 0xd4, 0x7f, 0xb9, 0x10, 0xf8, 0xbc, - 0xaf, 0x93, 0x91, 0xb8, 0x88, 0x24, 0xb1, 0xf6, 0xf8, 0xbd, 0x31, - 0x96, 0x06, 0x76, 0xde, 0x32, 0xcd, 0x29, 0x29, 0xba, 0x70, 0x5f, - 0xea, 0xc0, 0xcb, 0xde, 
0xc7, 0x75, 0x90, 0xe0, 0x0f, 0x5e, 0x2c, - 0x0d, 0x49, 0x20, 0xd5, 0x30, 0x83, 0xf8, 0x08, -#if !defined(BORINGSSL_FIPS_BREAK_DES) - 0x5a -#else - 0x00 -#endif + + unsigned sig_len; + if (!rsa_sign_no_self_test(NID_sha256, kRSASignDigest, sizeof(kRSASignDigest), + output, &sig_len, rsa_key) || + !check_test(kRSASignSignature, output, sizeof(kRSASignSignature), + "RSA-sign KAT")) { + fprintf(stderr, "RSA signing test failed.\n"); + goto err; + } + + // RSA Verify KAT + + static const uint8_t kRSAVerifyDigest[32] = { + 0x09, 0x65, 0x2f, 0xd8, 0xed, 0x9d, 0xc2, 0x6d, 0xbc, 0xbf, 0xf2, + 0xa7, 0xa5, 0xed, 0xe1, 0x37, 0x13, 0x78, 0x21, 0x36, 0xcf, 0x8d, + 0x22, 0x3d, 0xab, 0x93, 0xb4, 0x12, 0xa8, 0xb5, 0x15, 0x53, }; - static const uint8_t kPlaintextSHA1[20] = { - 0xc6, 0xf8, 0xc9, 0x63, 0x1c, 0x14, 0x23, 0x62, 0x9b, 0xbd, - 0x55, 0x82, 0xf4, 0xd6, 0x1d, 0xf2, 0xab, 0x7d, 0xc8, -#if !defined(BORINGSSL_FIPS_BREAK_SHA_1) - 0x28 -#else - 0x00 -#endif + static const uint8_t kRSAVerifySignature[256] = { + 0xab, 0xe2, 0xcb, 0xc1, 0x3d, 0x6b, 0xd3, 0x9d, 0x48, 0xdb, 0x53, 0x34, + 0xdd, 0xbf, 0x8d, 0x07, 0x0a, 0x93, 0xbd, 0xcb, 0x10, 0x4e, 0x2c, 0xc5, + 0xd0, 0xee, 0x48, 0x6e, 0xe2, 0x95, 0xf6, 0xb3, 0x1b, 0xda, 0x12, 0x6c, + 0x41, 0x89, 0x0b, 0x98, 0xb7, 0x3e, 0x70, 0xe6, 0xb6, 0x5d, 0x82, 0xf9, + 0x5c, 0x66, 0x31, 0x21, 0x75, 0x5a, 0x90, 0x74, 0x4c, 0x8d, 0x1c, 0x21, + 0x14, 0x8a, 0x19, 0x60, 0xbe, 0x0e, 0xca, 0x44, 0x6e, 0x9f, 0xf4, 0x97, + 0xf1, 0x34, 0x5c, 0x53, 0x7e, 0xf8, 0x11, 0x9b, 0x9a, 0x43, 0x98, 0xe9, + 0x5c, 0x5c, 0x6d, 0xe2, 0xb1, 0xc9, 0x55, 0x90, 0x5c, 0x52, 0x99, 0xd8, + 0xce, 0x7a, 0x3b, 0x6a, 0xb7, 0x63, 0x80, 0xd9, 0xba, 0xbd, 0xd1, 0x5f, + 0x61, 0x02, 0x37, 0xe1, 0xf3, 0xf2, 0xaa, 0x1c, 0x1f, 0x1e, 0x77, 0x0b, + 0x62, 0xfb, 0xb5, 0x96, 0x38, 0x1b, 0x2e, 0xbd, 0xd7, 0x7e, 0xce, 0xf9, + 0xc9, 0x0d, 0x4c, 0x92, 0xf7, 0xb6, 0xb0, 0x5f, 0xed, 0x29, 0x36, 0x28, + 0x5f, 0xa9, 0x48, 0x26, 0xe6, 0x20, 0x55, 0x32, 0x2a, 0x33, 0xb6, 0xf0, + 0x4c, 0x74, 0xce, 0x69, 
0xe5, 0xd8, 0xd7, 0x37, 0xfb, 0x83, 0x8b, 0x79, + 0xd2, 0xd4, 0x8e, 0x3d, 0xaf, 0x71, 0x38, 0x75, 0x31, 0x88, 0x25, 0x31, + 0xa9, 0x5a, 0xc9, 0x64, 0xd0, 0x2e, 0xa4, 0x13, 0xbf, 0x85, 0x95, 0x29, + 0x82, 0xbb, 0xc0, 0x89, 0x52, 0x7d, 0xaf, 0xf5, 0xb8, 0x45, 0xc9, 0xa0, + 0xf4, 0xd1, 0x4e, 0xf1, 0x95, 0x6d, 0x9c, 0x3a, 0xca, 0xe8, 0x82, 0xd1, + 0x2d, 0xa6, 0x6d, 0xa0, 0xf3, 0x57, 0x94, 0xf5, 0xee, 0x32, 0x23, 0x23, + 0x33, 0x51, 0x7d, 0xb9, 0x31, 0x52, 0x32, 0xa1, 0x83, 0xb9, 0x91, 0x65, + 0x4d, 0xbe, 0xa4, 0x16, 0x15, 0x34, 0x5c, 0x88, 0x53, 0x25, 0x92, 0x67, + 0x44, 0xa5, 0x39, 0x15, }; - static const uint8_t kPlaintextSHA256[32] = { - 0x37, 0xbd, 0x70, 0x53, 0x72, 0xfc, 0xd4, 0x03, 0x79, 0x70, 0xfb, - 0x06, 0x95, 0xb1, 0x2a, 0x82, 0x48, 0xe1, 0x3e, 0xf2, 0x33, 0xfb, - 0xef, 0x29, 0x81, 0x22, 0x45, 0x40, 0x43, 0x70, 0xce, -#if !defined(BORINGSSL_FIPS_BREAK_SHA_256) - 0x0f -#else - 0x00 -#endif - }; - static const uint8_t kPlaintextSHA512[64] = { - 0x08, 0x6a, 0x1c, 0x84, 0x61, 0x9d, 0x8e, 0xb3, 0xc0, 0x97, 0x4e, - 0xa1, 0x9f, 0x9c, 0xdc, 0xaf, 0x3b, 0x5c, 0x31, 0xf0, 0xf2, 0x74, - 0xc3, 0xbd, 0x6e, 0xd6, 0x1e, 0xb2, 0xbb, 0x34, 0x74, 0x72, 0x5c, - 0x51, 0x29, 0x8b, 0x87, 0x3a, 0xa3, 0xf2, 0x25, 0x23, 0xd4, 0x1c, - 0x82, 0x1b, 0xfe, 0xd3, 0xc6, 0xee, 0xb5, 0xd6, 0xaf, 0x07, 0x7b, - 0x98, 0xca, 0xa7, 0x01, 0xf3, 0x94, 0xf3, 0x68, -#if !defined(BORINGSSL_FIPS_BREAK_SHA_512) - 0x14 -#else - 0x00 -#endif + if (!rsa_verify_no_self_test(NID_sha256, kRSAVerifyDigest, + sizeof(kRSAVerifyDigest), kRSAVerifySignature, + sizeof(kRSAVerifySignature), rsa_key)) { + fprintf(stderr, "RSA-verify KAT failed.\n"); + goto err; + } + + ret = 1; + +err: + RSA_free(rsa_key); + + return ret; +} + +static int boringssl_self_test_ecc(void) { + int ret = 0; + EC_KEY *ec_key = NULL; + EC_GROUP *ec_group = NULL; + EC_POINT *ec_point_in = NULL; + EC_POINT *ec_point_out = NULL; + BIGNUM *ec_scalar = NULL; + ECDSA_SIG *sig = NULL; + + ec_key = self_test_ecdsa_key(); + if (ec_key == NULL) { + 
fprintf(stderr, "ECDSA KeyGen failed\n"); + goto err; + } + + // ECDSA Sign/Verify KAT + + static const uint8_t kECDSASignDigest[32] = { + 0x1e, 0x35, 0x93, 0x0b, 0xe8, 0x60, 0xd0, 0x94, 0x2c, 0xa7, 0xbb, + 0xd6, 0xf6, 0xde, 0xd8, 0x7f, 0x15, 0x7e, 0x4d, 0xe2, 0x4f, 0x81, + 0xed, 0x4b, 0x87, 0x5c, 0x0e, 0x01, 0x8e, 0x89, 0xa8, 0x1f, }; - static const uint8_t kRSASignature[256] = { - 0x62, 0x66, 0x4b, 0xe3, 0xb1, 0xd2, 0x83, 0xf1, 0xa8, 0x56, 0x2b, 0x33, - 0x60, 0x1e, 0xdb, 0x1e, 0x06, 0xf7, 0xa7, 0x1e, 0xa8, 0xef, 0x03, 0x4d, - 0x0c, 0xf6, 0x83, 0x75, 0x7a, 0xf0, 0x14, 0xc7, 0xe2, 0x94, 0x3a, 0xb5, - 0x67, 0x56, 0xa5, 0x48, 0x7f, 0x3a, 0xa5, 0xbf, 0xf7, 0x1d, 0x44, 0xa6, - 0x34, 0xed, 0x9b, 0xd6, 0x51, 0xaa, 0x2c, 0x4e, 0xce, 0x60, 0x5f, 0xe9, - 0x0e, 0xd5, 0xcd, 0xeb, 0x23, 0x27, 0xf8, 0xfb, 0x45, 0xe5, 0x34, 0x63, - 0x77, 0x7f, 0x2e, 0x80, 0xcf, 0x9d, 0x2e, 0xfc, 0xe2, 0x50, 0x75, 0x29, - 0x46, 0xf4, 0xaf, 0x91, 0xed, 0x36, 0xe1, 0x5e, 0xef, 0x66, 0xa1, 0xff, - 0x27, 0xfc, 0x87, 0x7e, 0x60, 0x84, 0x0f, 0x54, 0x51, 0x56, 0x0f, 0x68, - 0x99, 0xc0, 0x3f, 0xeb, 0xa5, 0xa0, 0x46, 0xb0, 0x86, 0x02, 0xb0, 0xc8, - 0xe8, 0x46, 0x13, 0x06, 0xcd, 0xb7, 0x8a, 0xd0, 0x3b, 0x46, 0xd0, 0x14, - 0x64, 0x53, 0x9b, 0x5b, 0x5e, 0x02, 0x45, 0xba, 0x6e, 0x7e, 0x0a, 0xb9, - 0x9e, 0x62, 0xb7, 0xd5, 0x7a, 0x87, 0xea, 0xd3, 0x24, 0xa5, 0xef, 0xb3, - 0xdc, 0x05, 0x9c, 0x04, 0x60, 0x4b, 0xde, 0xa8, 0x90, 0x08, 0x7b, 0x6a, - 0x5f, 0xb4, 0x3f, 0xda, 0xc5, 0x1f, 0x6e, 0xd6, 0x15, 0xde, 0x65, 0xa4, - 0x6e, 0x62, 0x9d, 0x8f, 0xa8, 0xbe, 0x86, 0xf6, 0x09, 0x90, 0x40, 0xa5, - 0xf4, 0x23, 0xc5, 0xf6, 0x38, 0x86, 0x0d, 0x1c, 0xed, 0x4a, 0x0a, 0xae, - 0xa4, 0x26, 0xc2, 0x2e, 0xd3, 0x13, 0x66, 0x61, 0xea, 0x35, 0x01, 0x0e, - 0x13, 0xda, 0x78, 0x20, 0xae, 0x59, 0x5f, 0x9b, 0xa9, 0x6c, 0xf9, 0x1b, - 0xdf, 0x76, 0x53, 0xc8, 0xa7, 0xf5, 0x63, 0x6d, 0xf3, 0xff, 0xfd, 0xaf, - 0x75, 0x4b, 0xac, 0x67, 0xb1, 0x3c, 0xbf, 0x5e, 0xde, 0x73, 0x02, 0x6d, - 0xd2, 0x0c, 0xb1, -#if 
!defined(BORINGSSL_FIPS_BREAK_RSA_SIG) - 0x64 -#else - 0x00 -#endif + static const uint8_t kECDSASignSig[64] = { + 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, + 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, + 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x68, + 0x04, 0x73, 0x40, 0x94, 0xb2, 0xd1, 0x90, 0xac, 0x2d, 0x0c, 0xd7, + 0xa5, 0x7f, 0x2f, 0x2e, 0xb2, 0x62, 0xb0, 0x09, 0x16, 0xe1, 0xa6, + 0x70, 0xb5, 0xbb, 0x0d, 0xfd, 0x8e, 0x0c, 0x02, 0x3f, }; - const uint8_t kDRBGEntropy[48] = - "BCM Known Answer Test DBRG Initial Entropy "; - const uint8_t kDRBGPersonalization[18] = "BCMPersonalization"; - const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD "; - const uint8_t kDRBGOutput[64] = { - 0x1d, 0x63, 0xdf, 0x05, 0x51, 0x49, 0x22, 0x46, 0xcd, 0x9b, 0xc5, - 0xbb, 0xf1, 0x5d, 0x44, 0xae, 0x13, 0x78, 0xb1, 0xe4, 0x7c, 0xf1, - 0x96, 0x33, 0x3d, 0x60, 0xb6, 0x29, 0xd4, 0xbb, 0x6b, 0x44, 0xf9, - 0xef, 0xd9, 0xf4, 0xa2, 0xba, 0x48, 0xea, 0x39, 0x75, 0x59, 0x32, - 0xf7, 0x31, 0x2c, 0x98, 0x14, 0x2b, 0x49, 0xdf, 0x02, 0xb6, 0x5d, - 0x71, 0x09, 0x50, 0xdb, 0x23, 0xdb, 0xe5, 0x22, -#if !defined(BORINGSSL_FIPS_BREAK_DRBG) - 0x95 -#else - 0x00 -#endif + + // The 'k' value for ECDSA is fixed to avoid an entropy draw. 
+ uint8_t ecdsa_k[32] = {0}; + ecdsa_k[31] = 42; + + sig = ecdsa_sign_with_nonce_for_known_answer_test( + kECDSASignDigest, sizeof(kECDSASignDigest), ec_key, ecdsa_k, + sizeof(ecdsa_k)); + + uint8_t ecdsa_sign_output[64]; + if (sig == NULL || + !serialize_ecdsa_sig(ecdsa_sign_output, sizeof(ecdsa_sign_output), sig) || + !check_test(kECDSASignSig, ecdsa_sign_output, sizeof(ecdsa_sign_output), + "ECDSA-sign signature")) { + fprintf(stderr, "ECDSA-sign KAT failed.\n"); + goto err; + } + + static const uint8_t kECDSAVerifyDigest[32] = { + 0x78, 0x7c, 0x50, 0x5c, 0x60, 0xc9, 0xe4, 0x13, 0x6c, 0xe4, 0x48, + 0xba, 0x93, 0xff, 0x71, 0xfa, 0x9c, 0x18, 0xf4, 0x17, 0x09, 0x4f, + 0xdf, 0x5a, 0xe2, 0x75, 0xc0, 0xcc, 0xd2, 0x67, 0x97, 0xad, }; - const uint8_t kDRBGEntropy2[48] = - "BCM Known Answer Test DBRG Reseed Entropy "; - const uint8_t kDRBGReseedOutput[64] = { - 0xa4, 0x77, 0x05, 0xdb, 0x14, 0x11, 0x76, 0x71, 0x42, 0x5b, 0xd8, - 0xd7, 0xa5, 0x4f, 0x8b, 0x39, 0xf2, 0x10, 0x4a, 0x50, 0x5b, 0xa2, - 0xc8, 0xf0, 0xbb, 0x3e, 0xa1, 0xa5, 0x90, 0x7d, 0x54, 0xd9, 0xc6, - 0xb0, 0x96, 0xc0, 0x2b, 0x7e, 0x9b, 0xc9, 0xa1, 0xdd, 0x78, 0x2e, - 0xd5, 0xa8, 0x66, 0x16, 0xbd, 0x18, 0x3c, 0xf2, 0xaa, 0x7a, 0x2b, - 0x37, 0xf9, 0xab, 0x35, 0x64, 0x15, 0x01, 0x3f, 0xc4, - }; - const uint8_t kECDSASigR[32] = { + static const uint8_t kECDSAVerifySig[64] = { 0x67, 0x80, 0xc5, 0xfc, 0x70, 0x27, 0x5e, 0x2c, 0x70, 0x61, 0xa0, 0xe7, 0x87, 0x7b, 0xb1, 0x74, 0xde, 0xad, 0xeb, 0x98, 0x87, 0x02, - 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, -#if !defined(BORINGSSL_FIPS_BREAK_ECDSA_SIG) - 0x0c, -#else - 0x00, -#endif - }; - const uint8_t kECDSASigS[32] = { - 0xa5, 0x93, 0xe0, 0x23, 0x91, 0xe7, 0x4b, 0x8d, 0x77, 0x25, 0xa6, - 0xba, 0x4d, 0xd9, 0x86, 0x77, 0xda, 0x7d, 0x8f, 0xef, 0xc4, 0x1a, - 0xf0, 0xcc, 0x81, 0xe5, 0xea, 0x3f, 0xc2, 0x41, 0x7f, 0xd8, + 0x7f, 0x3f, 0xa8, 0x36, 0x54, 0x15, 0x8b, 0xa7, 0xf5, 0x0c, 0x2d, + 0x36, 0xe5, 0x79, 0x97, 0x90, 0xbf, 0xbe, 0x21, 0x83, 0xd3, 0x3e, + 0x96, 
0xf3, 0xc5, 0x1f, 0x6a, 0x23, 0x2f, 0x2a, 0x24, 0x48, 0x8c, + 0x8e, 0x5f, 0x64, 0xc3, 0x7e, 0xa2, 0xcf, 0x05, 0x29, }; + + ECDSA_SIG_free(sig); + sig = parse_ecdsa_sig(kECDSAVerifySig, sizeof(kECDSAVerifySig)); + if (!sig || + !ecdsa_do_verify_no_self_test(kECDSAVerifyDigest, + sizeof(kECDSAVerifyDigest), sig, ec_key)) { + fprintf(stderr, "ECDSA-verify KAT failed.\n"); + goto err; + } + + // Primitive Z Computation KAT (IG 9.6). + // kP256Point is SHA256("Primitive Z Computation KAT")×G within P-256. - const uint8_t kP256Point[65] = { + static const uint8_t kP256Point[65] = { 0x04, 0x4e, 0xc1, 0x94, 0x8c, 0x5c, 0xf4, 0x37, 0x35, 0x0d, 0xa3, 0xf9, 0x55, 0xf9, 0x8b, 0x26, 0x23, 0x5c, 0x43, 0xe0, 0x83, 0x51, 0x2b, 0x0d, 0x4b, 0x56, 0x24, 0xc3, 0xe4, 0xa5, 0xa8, 0xe2, 0xe9, 
@@ -486,50 +485,64 @@ int boringssl_fips_self_test( 0x79, 0x93, 0x7c, 0x0b, 0x92, 0x2b, 0x7f, 0x17, 0xa5, 0x80, }; // kP256Scalar is SHA256("Primitive Z Computation KAT scalar"). - const uint8_t kP256Scalar[32] = { + static const uint8_t kP256Scalar[32] = { 0xe7, 0x60, 0x44, 0x91, 0x26, 0x9a, 0xfb, 0x5b, 0x10, 0x2d, 0x6e, 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf, 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b, }; // kP256PointResult is |kP256Scalar|×|kP256Point|. - const uint8_t kP256PointResult[65] = { + static const uint8_t kP256PointResult[65] = { 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac, 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6, 0xbb, 0x30, 0x32, 0x22, 0x37, 0xb6, 0x2a, 0x80, 0xe8, 0x9e, 0x6e, 0x6f, 0x36, 0x02, 0xe7, 0x21, 0xd2, 0x31, 0xdb, 0x94, 0x63, 0xb7, 0xd8, 0x19, 0x0e, 0xc2, 0xc0, 0xa7, 0x2f, 0x15, 0x49, 0x1a, 0xa2, - 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, -#if !defined(BORINGSSL_FIPS_BREAK_Z_COMPUTATION) - 0x0c, -#else - 0x00, -#endif - }; - const uint8_t kTLSOutput[32] = { - 0x67, 0x85, 0xde, 0x60, 0xfc, 0x0a, 0x83, 0xe9, 0xa2, 0x2a, 0xb3, - 0xf0, 0x27, 0x0c, 0xba, 0xf7, 0xfa, 0x82, 0x3d, 0x14, 0x77, 0x1d, - 0x86, 0x29, 0x79, 0x39, 0x77, 0x8a, 0xd5, 0x0e, 0x9d, -#if !defined(BORINGSSL_FIPS_BREAK_TLS_KDF) - 0x32, -#else - 0x00, -#endif - }; - const uint8_t kTLSSecret[32] = { - 0xbf, 0xe4, 0xb7, 0xe0, 0x26, 0x55, 0x5f, 0x6a, 0xdf, 0x5d, 0x27, - 0xd6, 0x89, 0x99, 0x2a, 0xd6, 0xf7, 0x65, 0x66, 0x07, 0x4b, 0x55, - 0x5f, 0x64, 0x55, 0xcd, 0xd5, 0x77, 0xa4, 0xc7, 0x09, 0x61, - }; - const char kTLSLabel[] = "FIPS self test"; - const uint8_t kTLSSeed1[16] = { - 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2, - 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65, - }; - const uint8_t kTLSSeed2[16] = { - 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c, - 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, + 0x7c, 0x41, 0x8f, 0xaf, 0x9c, 0x40, 0xaf, 0x2e, 0x4a, 0x0c, }; + 
ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); + if (ec_group == NULL) { + fprintf(stderr, "Failed to create P-256 group.\n"); + goto err; + } + ec_point_in = EC_POINT_new(ec_group); + ec_point_out = EC_POINT_new(ec_group); + ec_scalar = BN_new(); + uint8_t z_comp_result[65]; + if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL || + !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point), + NULL) || + !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) || + !ec_point_mul_no_self_test(ec_group, ec_point_out, NULL, ec_point_in, + ec_scalar, NULL) || + !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED, + z_comp_result, sizeof(z_comp_result), NULL) || + !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result), + "Z Computation Result")) { + fprintf(stderr, "Z-computation KAT failed.\n"); + goto err; + } + + ret = 1; + +err: + EC_KEY_free(ec_key); + EC_POINT_free(ec_point_in); + EC_POINT_free(ec_point_out); + EC_GROUP_free(ec_group); + BN_free(ec_scalar); + ECDSA_SIG_free(sig); + + return ret; +} + +static int boringssl_self_test_ffdh(void) { + int ret = 0; + DH *dh = NULL; + BIGNUM *ffdhe2048_value = NULL; + + // FFC Diffie-Hellman KAT + // kFFDHE2048PublicValueData is an arbitrary public value, mod // kFFDHE2048Data. (The private key happens to be 4096.) static const BN_ULONG kFFDHE2048PublicValueData[] = { @@ -550,8 +563,7 @@ int boringssl_fips_self_test( TOBN(0xbae7b0b3, 0x6e362dc0), TOBN(0xa57c73bd, 0xdc70fb82), TOBN(0xfaff50d2, 0x9d573457), TOBN(0x352bd399, 0xbe84058e), }; - - const uint8_t kDHOutput[2048 / 8] = { + static const uint8_t kDHOutput[2048 / 8] = { 0x2a, 0xe6, 0xd3, 0xa6, 0x13, 0x58, 0x8e, 0xce, 0x53, 0xaa, 0xf6, 0x5d, 0x9a, 0xae, 0x02, 0x12, 0xf5, 0x80, 0x3d, 0x06, 0x09, 0x76, 0xac, 0x57, 0x37, 0x9e, 0xab, 0x38, 0x62, 0x25, 0x05, 0x1d, 0xf3, 0xa9, 0x39, 0x60, 
@@ -573,23 +585,144 @@ int boringssl_fips_self_test( 0x06, 0x80, 0x2a, 0x4e, 0x5a, 0xf0, 0x1e, 0xaa, 0xcb, 0xab, 0x06, 0x0e, 0x27, 0x0f, 0xd9, 0x88, 0xd9, 0x01, 0xe3, 0x07, 0xeb, 0xdf, 0xc3, 0x12, 0xe3, 0x40, 0x88, 0x7b, 0x5f, 0x59, 0x78, 0x6e, 0x26, 0x20, 0xc3, 0xdf, - 0xc8, 0xe4, 0x5e, -#if !defined(BORINGSSL_FIPS_BREAK_FFC_DH) - 0xb8, -#else - 0x00, -#endif + 0xc8, 0xe4, 0x5e, 0xb8, + }; + + ffdhe2048_value = BN_new(); + if (ffdhe2048_value) { + bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData, + OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData)); + } + + dh = self_test_dh(); + uint8_t dh_out[sizeof(kDHOutput)]; + if (dh == NULL || ffdhe2048_value == NULL || sizeof(dh_out) != DH_size(dh) || + dh_compute_key_padded_no_self_test(dh_out, ffdhe2048_value, dh) != + sizeof(dh_out) || + !check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH")) { + fprintf(stderr, "FFDH failed.\n"); + goto err; + } + + ret = 1; + +err: + DH_free(dh); + BN_free(ffdhe2048_value); + + return ret; +} + +#if defined(BORINGSSL_FIPS) + +static void run_self_test_rsa(void) { + if (!boringssl_self_test_rsa()) { + BORINGSSL_FIPS_abort(); + } +} + +DEFINE_STATIC_ONCE(g_self_test_once_rsa); + +void boringssl_ensure_rsa_self_test(void) { + CRYPTO_once(g_self_test_once_rsa_bss_get(), run_self_test_rsa); +} + +static void run_self_test_ecc(void) { + if (!boringssl_self_test_ecc()) { + BORINGSSL_FIPS_abort(); + } +} + +DEFINE_STATIC_ONCE(g_self_test_once_ecc); + +void boringssl_ensure_ecc_self_test(void) { + CRYPTO_once(g_self_test_once_ecc_bss_get(), run_self_test_ecc); +} + +static void run_self_test_ffdh(void) { + if (!boringssl_self_test_ffdh()) { + BORINGSSL_FIPS_abort(); + } +} + +DEFINE_STATIC_ONCE(g_self_test_once_ffdh); + +void boringssl_ensure_ffdh_self_test(void) { + CRYPTO_once(g_self_test_once_ffdh_bss_get(), run_self_test_ffdh); +} + +#endif // BORINGSSL_FIPS + + +// Startup self tests. +// +// These tests are run at process start when in FIPS mode. 
+ +int boringssl_self_test_sha256(void) { + static const uint8_t kInput[16] = { + 0xff, 0x3b, 0x85, 0x7d, 0xa7, 0x23, 0x6a, 0x2b, + 0xaa, 0x0f, 0x39, 0x6b, 0x51, 0x52, 0x22, 0x17, + }; + static const uint8_t kPlaintextSHA256[32] = { + 0x7f, 0xe4, 0xd5, 0xf1, 0xa1, 0xe3, 0x82, 0x87, 0xd9, 0x58, 0xf5, + 0x11, 0xc7, 0x1d, 0x5e, 0x27, 0x5e, 0xcc, 0xd2, 0x66, 0xcf, 0xb9, + 0xc8, 0xc6, 0x60, 0xd8, 0x92, 0x1e, 0x57, 0xfd, 0x46, 0x75, + }; + uint8_t output[SHA256_DIGEST_LENGTH]; + + // SHA-256 KAT + SHA256(kInput, sizeof(kInput), output); + return check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256), + "SHA-256 KAT"); +} + +int boringssl_self_test_sha512(void) { + static const uint8_t kInput[16] = { + 0x21, 0x25, 0x12, 0xf8, 0xd2, 0xad, 0x83, 0x22, + 0x78, 0x1c, 0x6c, 0x4d, 0x69, 0xa9, 0xda, 0xa1, + }; + static const uint8_t kPlaintextSHA512[64] = { + 0x29, 0x3c, 0x94, 0x35, 0x4e, 0x98, 0x83, 0xe5, 0xc2, 0x78, 0x36, + 0x7a, 0xe5, 0x18, 0x90, 0xbf, 0x35, 0x41, 0x01, 0x64, 0x19, 0x8d, + 0x26, 0xeb, 0xe1, 0xf8, 0x2f, 0x04, 0x8e, 0xfa, 0x8b, 0x2b, 0xc6, + 0xb2, 0x9d, 0x5d, 0x46, 0x76, 0x5a, 0xc8, 0xb5, 0x25, 0xa3, 0xea, + 0x52, 0x84, 0x47, 0x6d, 0x6d, 0xf4, 0xc9, 0x71, 0xf3, 0x3d, 0x89, + 0x4c, 0x3b, 0x20, 0x8c, 0x5b, 0x75, 0xe8, 0xf8, 0x7c, + }; + uint8_t output[SHA512_DIGEST_LENGTH]; + + // SHA-512 KAT + SHA512(kInput, sizeof(kInput), output); + return check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512), + "SHA-512 KAT"); +} + +int boringssl_self_test_hmac_sha256(void) { + static const uint8_t kInput[16] = { + 0xda, 0xd9, 0x12, 0x93, 0xdf, 0xcf, 0x2a, 0x7c, + 0x8e, 0xcd, 0x13, 0xfe, 0x35, 0x3f, 0xa7, 0x5b, }; + static const uint8_t kPlaintextHMACSHA256[32] = { + 0x36, 0x5f, 0x5b, 0xd5, 0xf5, 0xeb, 0xfd, 0xc7, 0x6e, 0x53, 0xa5, + 0x73, 0x6d, 0x73, 0x20, 0x13, 0xaa, 0xd3, 0xbc, 0x86, 0x4b, 0xb8, + 0x84, 0x94, 0x16, 0x46, 0x88, 0x9c, 0x48, 0xee, 0xa9, 0x0e, + }; + uint8_t output[EVP_MAX_MD_SIZE]; + + unsigned output_len; + HMAC(EVP_sha256(), kInput, 
sizeof(kInput), kInput, sizeof(kInput), output, + &output_len); + return output_len == sizeof(kPlaintextHMACSHA256) && + check_test(kPlaintextHMACSHA256, output, sizeof(kPlaintextHMACSHA256), + "HMAC-SHA-256 KAT"); +} + +static int boringssl_self_test_fast(void) { + static const uint8_t kAESKey[16] = "BoringCrypto Key"; + static const uint8_t kAESIV[16] = {0}; EVP_AEAD_CTX aead_ctx; EVP_AEAD_CTX_zero(&aead_ctx); - RSA *rsa_key = NULL; - EC_KEY *ec_key = NULL; - EC_GROUP *ec_group = NULL; - EC_POINT *ec_point_in = NULL; - EC_POINT *ec_point_out = NULL; - BIGNUM *ec_scalar = NULL; - ECDSA_SIG *sig = NULL; int ret = 0; AES_KEY aes_key; 
@@ -597,28 +730,48 @@ int boringssl_fips_self_test( uint8_t output[256]; // AES-CBC Encryption KAT + static const uint8_t kAESCBCEncPlaintext[32] = { + 0x07, 0x86, 0x09, 0xa6, 0xc5, 0xac, 0x25, 0x44, 0x69, 0x9a, 0xdf, + 0x68, 0x2f, 0xa3, 0x77, 0xf9, 0xbe, 0x8a, 0xb6, 0xae, 0xf5, 0x63, + 0xe8, 0xc5, 0x6a, 0x36, 0xb8, 0x4f, 0x55, 0x7f, 0xad, 0xd3, + }; + static const uint8_t kAESCBCEncCiphertext[sizeof(kAESCBCEncPlaintext)] = { + 0x56, 0x46, 0xc1, 0x41, 0xf4, 0x13, 0xd6, 0xff, 0x62, 0x92, 0x41, + 0x7a, 0x26, 0xc6, 0x86, 0xbd, 0x30, 0x5f, 0xb6, 0x57, 0xa7, 0xd2, + 0x50, 0x3a, 0xc5, 0x5e, 0x8e, 0x93, 0x40, 0xf2, 0x10, 0xd8, + }; memcpy(aes_iv, kAESIV, sizeof(kAESIV)); if (AES_set_encrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { fprintf(stderr, "AES_set_encrypt_key failed.\n"); goto err; } - AES_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &aes_key, aes_iv, - AES_ENCRYPT); - if (!check_test(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext), - "AES-CBC Encryption KAT")) { + AES_cbc_encrypt(kAESCBCEncPlaintext, output, sizeof(kAESCBCEncPlaintext), + &aes_key, aes_iv, AES_ENCRYPT); + if (!check_test(kAESCBCEncCiphertext, output, sizeof(kAESCBCEncCiphertext), + "AES-CBC-encrypt KAT")) { goto err; } // AES-CBC Decryption KAT + static const uint8_t kAESCBCDecCiphertext[32] = { + 0x34, 0x7a, 0xa5, 0xa0, 0x24, 0xb2, 0x82, 0x57, 0xb3, 0x65, 0x10, + 0xbe, 0x58, 0x3d, 0x4f, 0x47, 0xad, 0xb7, 0xbb, 0xee, 0xdc, 0x60, + 0x05, 0xbb, 0xbd, 0x0d, 0x0a, 0x9f, 0x06, 0xbb, 0x7b, 0x10, + }; + static const uint8_t kAESCBCDecPlaintext[sizeof(kAESCBCDecCiphertext)] = { + 0x51, 0xa7, 0xa0, 0x1f, 0x6b, 0x79, 0x6c, 0xcd, 0x48, 0x03, 0xa1, + 0x41, 0xdc, 0x56, 0xa6, 0xc2, 0x16, 0xb5, 0xd1, 0xd3, 0xb7, 0x06, + 0xb2, 0x25, 0x6f, 0xa6, 0xd0, 0xd2, 0x0e, 0x6f, 0x19, 0xb5, + }; memcpy(aes_iv, kAESIV, sizeof(kAESIV)); if (AES_set_decrypt_key(kAESKey, 8 * sizeof(kAESKey), &aes_key) != 0) { fprintf(stderr, "AES_set_decrypt_key failed.\n"); goto err; } - 
AES_cbc_encrypt(kAESCBCCiphertext, output, sizeof(kAESCBCCiphertext), + AES_cbc_encrypt(kAESCBCDecCiphertext, output, sizeof(kAESCBCDecCiphertext), &aes_key, aes_iv, AES_DECRYPT); - if (!check_test(kPlaintext, output, sizeof(kPlaintext), - "AES-CBC Decryption KAT")) { + if (!check_test(kAESCBCDecPlaintext, output, sizeof(kAESCBCDecPlaintext), + "AES-CBC-decrypt KAT")) { goto err; } 
@@ -632,194 +785,115 @@ int boringssl_fips_self_test( } // AES-GCM Encryption KAT + static const uint8_t kAESGCMEncPlaintext[32] = { + 0x8f, 0xcc, 0x40, 0x99, 0x80, 0x8e, 0x75, 0xca, 0xaf, 0xf5, 0x82, + 0x89, 0x88, 0x48, 0xa8, 0x8d, 0x80, 0x8b, 0x55, 0xab, 0x4e, 0x93, + 0x70, 0x79, 0x7d, 0x94, 0x0b, 0xe8, 0xcc, 0x1d, 0x78, 0x84, + }; + static const uint8_t kAESGCMCiphertext[sizeof(kAESGCMEncPlaintext) + 16] = { + 0x87, 0x7b, 0xd5, 0x8d, 0x96, 0x3e, 0x4b, 0xe6, 0x64, 0x94, 0x40, 0x2f, + 0x61, 0x9b, 0x7e, 0x56, 0x52, 0x7d, 0xa4, 0x5a, 0xf9, 0xa6, 0xe2, 0xdb, + 0x1c, 0x63, 0x2e, 0x97, 0x93, 0x0f, 0xfb, 0xed, 0xb5, 0x9e, 0x1c, 0x20, + 0xb2, 0xb0, 0x58, 0xda, 0x48, 0x07, 0x2d, 0xbd, 0x96, 0x0d, 0x34, 0xc6, + }; if (!EVP_AEAD_CTX_seal(&aead_ctx, output, &out_len, sizeof(output), nonce, EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), - kPlaintext, sizeof(kPlaintext), NULL, 0) || + kAESGCMEncPlaintext, sizeof(kAESGCMEncPlaintext), NULL, + 0) || !check_test(kAESGCMCiphertext, output, sizeof(kAESGCMCiphertext), - "AES-GCM Encryption KAT")) { + "AES-GCM-encrypt KAT")) { fprintf(stderr, "EVP_AEAD_CTX_seal for AES-128-GCM failed.\n"); goto err; } // AES-GCM Decryption KAT + static const uint8_t kAESGCMDecCiphertext[48] = { + 0x35, 0xf3, 0x05, 0x8f, 0x87, 0x57, 0x60, 0xff, 0x09, 0xd3, 0x12, 0x0f, + 0x70, 0xc4, 0xbc, 0x9e, 0xd7, 0xa8, 0x68, 0x72, 0xe1, 0x34, 0x52, 0x20, + 0x21, 0x76, 0xf7, 0x37, 0x1a, 0xe0, 0x4f, 0xaa, 0xe1, 0xdd, 0x39, 0x19, + 0x20, 0xf5, 0xd1, 0x39, 0x53, 0xd8, 0x96, 0x78, 0x59, 0x94, 0x82, 0x3c, + }; + static const uint8_t kAESGCMDecPlaintext[sizeof(kAESGCMDecCiphertext) - 16] = + { + 0x3d, 0x44, 0x90, 0x9b, 0x91, 0xe7, 0x5e, 0xd3, 0xc2, 0xb2, 0xd0, + 0xa9, 0x99, 0x17, 0x6a, 0x45, 0x05, 0x5e, 0x99, 0x83, 0x56, 0x01, + 0xc0, 0x82, 0x40, 0x81, 0xd2, 0x48, 0x45, 0xf2, 0xcc, 0xc3, + }; if (!EVP_AEAD_CTX_open(&aead_ctx, output, &out_len, sizeof(output), nonce, EVP_AEAD_nonce_length(EVP_aead_aes_128_gcm()), - kAESGCMCiphertext, sizeof(kAESGCMCiphertext), NULL, - 0) 
|| - !check_test(kPlaintext, output, sizeof(kPlaintext), - "AES-GCM Decryption KAT")) { - fprintf(stderr, "EVP_AEAD_CTX_open for AES-128-GCM failed.\n"); - goto err; - } - - DES_key_schedule des1, des2, des3; - DES_cblock des_iv; - DES_set_key(&kDESKey1, &des1); - DES_set_key(&kDESKey2, &des2); - DES_set_key(&kDESKey3, &des3); - - // 3DES Encryption KAT - memcpy(&des_iv, &kDESIV, sizeof(des_iv)); - DES_ede3_cbc_encrypt(kPlaintext, output, sizeof(kPlaintext), &des1, &des2, - &des3, &des_iv, DES_ENCRYPT); - if (!check_test(kDESCiphertext, output, sizeof(kDESCiphertext), - "3DES Encryption KAT")) { - goto err; - } - - // 3DES Decryption KAT - memcpy(&des_iv, &kDESIV, sizeof(des_iv)); - DES_ede3_cbc_encrypt(kDESCiphertext, output, sizeof(kDESCiphertext), &des1, - &des2, &des3, &des_iv, DES_DECRYPT); - if (!check_test(kPlaintext, output, sizeof(kPlaintext), - "3DES Decryption KAT")) { + kAESGCMDecCiphertext, sizeof(kAESGCMDecCiphertext), + NULL, 0) || + !check_test(kAESGCMDecPlaintext, output, sizeof(kAESGCMDecPlaintext), + "AES-GCM-decrypt KAT")) { + fprintf(stderr, + "AES-GCM-decrypt KAT failed because EVP_AEAD_CTX_open failed.\n"); goto err; } // SHA-1 KAT - SHA1(kPlaintext, sizeof(kPlaintext), output); - if (!check_test(kPlaintextSHA1, output, sizeof(kPlaintextSHA1), + static const uint8_t kSHA1Input[16] = { + 0x13, 0x2f, 0xd9, 0xba, 0xd5, 0xc1, 0x82, 0x62, + 0x63, 0xba, 0xfb, 0xb6, 0x99, 0xf7, 0x07, 0xa5, + }; + static const uint8_t kSHA1Digest[20] = { + 0x94, 0x19, 0x55, 0x93, 0x0a, 0x58, 0x29, 0x38, 0xeb, 0xf5, + 0x09, 0x11, 0x6d, 0x1a, 0xfd, 0x0f, 0x1e, 0x11, 0xe3, 0xcb, + }; + SHA1(kSHA1Input, sizeof(kSHA1Input), output); + if (!check_test(kSHA1Digest, output, sizeof(kSHA1Digest), "SHA-1 KAT")) { goto err; } - // SHA-256 KAT - SHA256(kPlaintext, sizeof(kPlaintext), output); - if (!check_test(kPlaintextSHA256, output, sizeof(kPlaintextSHA256), - "SHA-256 KAT")) { - goto err; - } - - // SHA-512 KAT - SHA512(kPlaintext, sizeof(kPlaintext), output); - if 
(!check_test(kPlaintextSHA512, output, sizeof(kPlaintextSHA512), - "SHA-512 KAT")) { - goto err; - } - - rsa_key = self_test_rsa_key(); - if (rsa_key == NULL) { - fprintf(stderr, "RSA KeyGen failed\n"); - goto err; - } - - // RSA Sign KAT - unsigned sig_len; - - // Disable blinding for the power-on tests because it's not needed and - // triggers an entropy draw. - rsa_key->flags |= RSA_FLAG_NO_BLINDING; - - if (!RSA_sign(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), output, - &sig_len, rsa_key) || - !check_test(kRSASignature, output, sizeof(kRSASignature), - "RSA Sign KAT")) { - fprintf(stderr, "RSA signing test failed.\n"); - goto err; - } - - // RSA Verify KAT - if (!RSA_verify(NID_sha256, kPlaintextSHA256, sizeof(kPlaintextSHA256), - kRSASignature, sizeof(kRSASignature), rsa_key)) { - fprintf(stderr, "RSA Verify KAT failed.\n"); - goto err; - } - - ec_key = self_test_ecdsa_key(); - if (ec_key == NULL) { - fprintf(stderr, "ECDSA KeyGen failed\n"); - goto err; - } - - // ECDSA Sign/Verify KAT - - // The 'k' value for ECDSA is fixed to avoid an entropy draw. - uint8_t ecdsa_k[32] = {0}; - ecdsa_k[31] = 42; - - sig = ecdsa_sign_with_nonce_for_known_answer_test( - kPlaintextSHA256, sizeof(kPlaintextSHA256), ec_key, ecdsa_k, - sizeof(ecdsa_k)); - - uint8_t ecdsa_r_bytes[sizeof(kECDSASigR)]; - uint8_t ecdsa_s_bytes[sizeof(kECDSASigS)]; - if (sig == NULL || - BN_num_bytes(sig->r) != sizeof(ecdsa_r_bytes) || - !BN_bn2bin(sig->r, ecdsa_r_bytes) || - BN_num_bytes(sig->s) != sizeof(ecdsa_s_bytes) || - !BN_bn2bin(sig->s, ecdsa_s_bytes) || - !check_test(kECDSASigR, ecdsa_r_bytes, sizeof(kECDSASigR), "ECDSA R") || - !check_test(kECDSASigS, ecdsa_s_bytes, sizeof(kECDSASigS), "ECDSA S")) { - fprintf(stderr, "ECDSA signature KAT failed.\n"); - goto err; - } - - if (!ECDSA_do_verify(kPlaintextSHA256, sizeof(kPlaintextSHA256), sig, - ec_key)) { - fprintf(stderr, "ECDSA verification KAT failed.\n"); - goto err; - } - - // Primitive Z Computation KAT (IG 9.6). 
- ec_group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); - if (ec_group == NULL) { - fprintf(stderr, "Failed to create P-256 group.\n"); - goto err; - } - ec_point_in = EC_POINT_new(ec_group); - ec_point_out = EC_POINT_new(ec_group); - ec_scalar = BN_new(); - uint8_t z_comp_result[65]; - if (ec_point_in == NULL || ec_point_out == NULL || ec_scalar == NULL || - !EC_POINT_oct2point(ec_group, ec_point_in, kP256Point, sizeof(kP256Point), - NULL) || - !BN_bin2bn(kP256Scalar, sizeof(kP256Scalar), ec_scalar) || - !EC_POINT_mul(ec_group, ec_point_out, NULL, ec_point_in, ec_scalar, - NULL) || - !EC_POINT_point2oct(ec_group, ec_point_out, POINT_CONVERSION_UNCOMPRESSED, - z_comp_result, sizeof(z_comp_result), NULL) || - !check_test(kP256PointResult, z_comp_result, sizeof(z_comp_result), - "Z Computation Result")) { - fprintf(stderr, "Z Computation KAT failed.\n"); - goto err; - } - - // FFC Diffie-Hellman KAT - - BIGNUM *const ffdhe2048_value = BN_new(); - DH *const dh = self_test_dh(); - int dh_ok = 0; - if (ffdhe2048_value && dh) { - bn_set_static_words(ffdhe2048_value, kFFDHE2048PublicValueData, - OPENSSL_ARRAY_SIZE(kFFDHE2048PublicValueData)); - - uint8_t dh_out[sizeof(kDHOutput)]; - dh_ok = - sizeof(dh_out) == DH_size(dh) && - DH_compute_key_padded(dh_out, ffdhe2048_value, dh) == sizeof(dh_out) && - check_test(kDHOutput, dh_out, sizeof(dh_out), "FFC DH"); - } - - BN_free(ffdhe2048_value); - DH_free(dh); - if (!dh_ok) { - fprintf(stderr, "FFDH failed.\n"); + if (!boringssl_self_test_sha256() || + !boringssl_self_test_sha512() || + !boringssl_self_test_hmac_sha256()) { goto err; } // DBRG KAT + static const uint8_t kDRBGEntropy[48] = { + 0xc4, 0xda, 0x07, 0x40, 0xd5, 0x05, 0xf1, 0xee, 0x28, 0x0b, 0x95, 0xe5, + 0x8c, 0x49, 0x31, 0xac, 0x6d, 0xe8, 0x46, 0xa0, 0x15, 0x2f, 0xbb, 0x4a, + 0x3f, 0x17, 0x4c, 0xf4, 0x78, 0x7a, 0x4f, 0x1a, 0x40, 0xc2, 0xb5, 0x0b, + 0xab, 0xe1, 0x4a, 0xae, 0x53, 0x0b, 0xe5, 0x88, 0x6d, 0x91, 0x0a, 0x27, + }; + static const uint8_t 
kDRBGPersonalization[18] = "BCMPersonalization"; + static const uint8_t kDRBGAD[16] = "BCM DRBG KAT AD "; + static const uint8_t kDRBGOutput[64] = { + 0x19, 0x1f, 0x2b, 0x49, 0x76, 0x85, 0xfd, 0x51, 0xb6, 0x56, 0xbc, + 0x1c, 0x7d, 0xd5, 0xdd, 0x44, 0x76, 0xa3, 0x5e, 0x17, 0x9b, 0x8e, + 0xb8, 0x98, 0x65, 0x12, 0xca, 0x35, 0x6c, 0xa0, 0x6f, 0xa0, 0x22, + 0xe4, 0xf6, 0xd8, 0x43, 0xed, 0x4e, 0x2d, 0x97, 0x39, 0x43, 0x3b, + 0x57, 0xfc, 0x23, 0x3f, 0x71, 0x0a, 0xe0, 0xed, 0xfe, 0xd5, 0xb8, + 0x67, 0x7a, 0x00, 0x39, 0xb2, 0x6e, 0xa9, 0x25, 0x97, + }; + static const uint8_t kDRBGEntropy2[48] = { + 0xc7, 0x16, 0x1c, 0xa3, 0x6c, 0x23, 0x09, 0xb7, 0x16, 0xe9, 0x85, 0x9b, + 0xb9, 0x6c, 0x6d, 0x49, 0xbd, 0xc8, 0x35, 0x21, 0x03, 0xa1, 0x8c, 0xd2, + 0x4e, 0xf4, 0x2e, 0xc9, 0x7e, 0xf4, 0x6b, 0xf4, 0x46, 0xeb, 0x1a, 0x45, + 0x76, 0xc1, 0x86, 0xe9, 0x35, 0x18, 0x03, 0x76, 0x3a, 0x79, 0x12, 0xfe, + }; + static const uint8_t kDRBGReseedOutput[64] = { + 0x00, 0xf2, 0x05, 0xaa, 0xfd, 0x11, 0x6c, 0x77, 0xbc, 0x81, 0x86, + 0x99, 0xca, 0x51, 0xcf, 0x80, 0x15, 0x9f, 0x02, 0x9e, 0x0b, 0xcd, + 0x26, 0xc8, 0x4b, 0x87, 0x8a, 0x15, 0x1a, 0xdd, 0xf2, 0xf3, 0xeb, + 0x94, 0x0b, 0x08, 0xc8, 0xc9, 0x57, 0xa4, 0x0b, 0x4b, 0x0f, 0x13, + 0xde, 0x7c, 0x0c, 0x6a, 0xac, 0x34, 0x4a, 0x9a, 0xf2, 0xd0, 0x83, + 0x02, 0x05, 0x17, 0xc9, 0x81, 0x8f, 0x2a, 0x81, 0x92, + }; CTR_DRBG_STATE drbg; if (!CTR_DRBG_init(&drbg, kDRBGEntropy, kDRBGPersonalization, sizeof(kDRBGPersonalization)) || !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGOutput), kDRBGAD, sizeof(kDRBGAD)) || !check_test(kDRBGOutput, output, sizeof(kDRBGOutput), - "DBRG Generate KAT") || + "DRBG Generate KAT") || !CTR_DRBG_reseed(&drbg, kDRBGEntropy2, kDRBGAD, sizeof(kDRBGAD)) || !CTR_DRBG_generate(&drbg, output, sizeof(kDRBGReseedOutput), kDRBGAD, sizeof(kDRBGAD)) || !check_test(kDRBGReseedOutput, output, sizeof(kDRBGReseedOutput), - "DRBG Reseed KAT")) { + "DRBG-reseed KAT")) { fprintf(stderr, "CTR-DRBG failed.\n"); goto err; } 
@@ -832,43 +906,59 @@ int boringssl_fips_self_test( } // TLS KDF KAT + static const uint8_t kTLSSecret[32] = { + 0xab, 0xc3, 0x65, 0x7b, 0x09, 0x4c, 0x76, 0x28, 0xa0, 0xb2, 0x82, + 0x99, 0x6f, 0xe7, 0x5a, 0x75, 0xf4, 0x98, 0x4f, 0xd9, 0x4d, 0x4e, + 0xcc, 0x2f, 0xcf, 0x53, 0xa2, 0xc4, 0x69, 0xa3, 0xf7, 0x31, + }; + static const char kTLSLabel[] = "FIPS self test"; + static const uint8_t kTLSSeed1[16] = { + 0x8f, 0x0d, 0xe8, 0xb6, 0x90, 0x8f, 0xb1, 0xd2, + 0x6d, 0x51, 0xf4, 0x79, 0x18, 0x63, 0x51, 0x65, + }; + static const uint8_t kTLSSeed2[16] = { + 0x7d, 0x24, 0x1a, 0x9d, 0x3c, 0x59, 0xbf, 0x3c, + 0x31, 0x1e, 0x2b, 0x21, 0x41, 0x8d, 0x32, 0x81, + }; + static const uint8_t kTLSOutput[32] = { + 0xe2, 0x1d, 0xd6, 0xc2, 0x68, 0xc7, 0x57, 0x03, 0x2c, 0x2c, 0xeb, + 0xbb, 0xb8, 0xa9, 0x7d, 0xe9, 0xee, 0xe6, 0xc9, 0x47, 0x83, 0x0a, + 0xbd, 0x11, 0x60, 0x5d, 0xd5, 0x2c, 0x47, 0xb6, 0x05, 0x88, + }; uint8_t tls_output[sizeof(kTLSOutput)]; if (!CRYPTO_tls1_prf(EVP_sha256(), tls_output, sizeof(tls_output), kTLSSecret, sizeof(kTLSSecret), kTLSLabel, sizeof(kTLSLabel), kTLSSeed1, sizeof(kTLSSeed1), kTLSSeed2, sizeof(kTLSSeed2)) || - !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS KDF KAT")) { + !check_test(kTLSOutput, tls_output, sizeof(kTLSOutput), "TLS-KDF KAT")) { fprintf(stderr, "TLS KDF failed.\n"); goto err; } ret = 1; -#if defined(BORINGSSL_FIPS_SELF_TEST_FLAG_FILE) - // Tests were successful. Write flag file if requested. 
- if (module_hash_len != 0 && getenv(kFlagWriteEnableEnvVar) != NULL) { - const int fd = open(flag_path, O_WRONLY | O_CREAT | O_TRUNC, 0644); - if (fd >= 0) { - close(fd); - } - } -#endif // BORINGSSL_FIPS_SELF_TEST_FLAG_FILE - err: EVP_AEAD_CTX_cleanup(&aead_ctx); - RSA_free(rsa_key); - EC_KEY_free(ec_key); - EC_POINT_free(ec_point_in); - EC_POINT_free(ec_point_out); - EC_GROUP_free(ec_group); - BN_free(ec_scalar); - ECDSA_SIG_free(sig); return ret; } int BORINGSSL_self_test(void) { - return boringssl_fips_self_test(NULL, 0); + if (!boringssl_self_test_fast() || + // When requested to run self tests, also run the lazy tests. + !boringssl_self_test_rsa() || + !boringssl_self_test_ecc() || + !boringssl_self_test_ffdh()) { + return 0; + } + + return 1; } +#if defined(BORINGSSL_FIPS) +int boringssl_self_test_startup(void) { + return boringssl_self_test_fast(); +} +#endif + #endif // !_MSC_VER diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c index 6c54b04a..cb7c5957 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha1.c @@ -111,11 +111,10 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { return 1; } -#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) -#define Xupdate(a, ix, ia, ib, ic, id) \ - do { \ - (a) = ((ia) ^ (ib) ^ (ic) ^ (id)); \ - (ix) = (a) = ROTATE((a), 1); \ +#define Xupdate(a, ix, ia, ib, ic, id) \ + do { \ + (a) = ((ia) ^ (ib) ^ (ic) ^ (id)); \ + (ix) = (a) = CRYPTO_rotl_u32((a), 1); \ } while (0) #define K_00_19 0x5a827999UL 
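Review bot: The TLS-KDF KAT passes `sizeof(kTLSLabel)` for the label length, and since `kTLSLabel` is a `char[]` initialised from a string literal that count includes the trailing NUL; nothing in the hunk says so, and a later cleanup to `strlen` would silently change the PRF input and fail the KAT. The expected `kTLSOutput` was presumably generated with the NUL included, so I would pin that down next to the declaration: `// Passed with sizeof(), so the trailing NUL is part of the label; the KAT output depends on it.`. The same `static const` vector-declaration style is used by the new SHA-1 and DRBG KATs in the preceding hunk, which is consistent. The enclosing `boringssl_fips_self_test` starts outside this hunk.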
@@ -133,45 +132,47 @@ int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c) { #define F_40_59(b, c, d) (((b) & (c)) | (((b) | (c)) & (d))) #define F_60_79(b, c, d) F_20_39(b, c, d) -#define BODY_00_15(i, a, b, c, d, e, f, xi) \ - do { \ - (f) = (xi) + (e) + K_00_19 + ROTATE((a), 5) + F_00_19((b), (c), (d)); \ - (b) = ROTATE((b), 30); \ +#define BODY_00_15(i, a, b, c, d, e, f, xi) \ + do { \ + (f) = (xi) + (e) + K_00_19 + CRYPTO_rotl_u32((a), 5) + \ + F_00_19((b), (c), (d)); \ + (b) = CRYPTO_rotl_u32((b), 30); \ } while (0) -#define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \ - do { \ - Xupdate(f, xi, xa, xb, xc, xd); \ - (f) += (e) + K_00_19 + ROTATE((a), 5) + F_00_19((b), (c), (d)); \ - (b) = ROTATE((b), 30); \ +#define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \ + do { \ + Xupdate(f, xi, xa, xb, xc, xd); \ + (f) += (e) + K_00_19 + CRYPTO_rotl_u32((a), 5) + F_00_19((b), (c), (d)); \ + (b) = CRYPTO_rotl_u32((b), 30); \ } while (0) -#define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \ - do { \ - Xupdate(f, xi, xa, xb, xc, xd); \ - (f) += (e) + K_20_39 + ROTATE((a), 5) + F_20_39((b), (c), (d)); \ - (b) = ROTATE((b), 30); \ +#define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \ + do { \ + Xupdate(f, xi, xa, xb, xc, xd); \ + (f) += (e) + K_20_39 + CRYPTO_rotl_u32((a), 5) + F_20_39((b), (c), (d)); \ + (b) = CRYPTO_rotl_u32((b), 30); \ } while (0) -#define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd) \ - do { \ - Xupdate(f, xa, xa, xb, xc, xd); \ - (f) += (e) + K_20_39 + ROTATE((a), 5) + F_20_39((b), (c), (d)); \ - (b) = ROTATE((b), 30); \ +#define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd) \ + do { \ + Xupdate(f, xa, xa, xb, xc, xd); \ + (f) += (e) + K_20_39 + CRYPTO_rotl_u32((a), 5) + F_20_39((b), (c), (d)); \ + (b) = CRYPTO_rotl_u32((b), 30); \ } while (0) -#define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd) \ - do { \ - Xupdate(f, xa, xa, xb, xc, xd); \ - (f) += (e) + K_40_59 + ROTATE((a), 5) + F_40_59((b), (c), 
(d)); \ - (b) = ROTATE((b), 30); \ +#define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd) \ + do { \ + Xupdate(f, xa, xa, xb, xc, xd); \ + (f) += (e) + K_40_59 + CRYPTO_rotl_u32((a), 5) + F_40_59((b), (c), (d)); \ + (b) = CRYPTO_rotl_u32((b), 30); \ } while (0) -#define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd) \ - do { \ - Xupdate(f, xa, xa, xb, xc, xd); \ - (f) = (xa) + (e) + K_60_79 + ROTATE((a), 5) + F_60_79((b), (c), (d)); \ - (b) = ROTATE((b), 30); \ +#define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd) \ + do { \ + Xupdate(f, xa, xa, xb, xc, xd); \ + (f) = (xa) + (e) + K_60_79 + CRYPTO_rotl_u32((a), 5) + \ + F_60_79((b), (c), (d)); \ + (b) = CRYPTO_rotl_u32((b), 30); \ } while (0) #ifdef X @@ -338,7 +339,6 @@ static void sha1_block_data_order(uint32_t *state, const uint8_t *data, } #endif -#undef ROTATE #undef Xupdate #undef K_00_19 #undef K_20_39 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c index 62ac8a41..4111fa2d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha256.c @@ -161,6 +161,7 @@ int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) { // TODO(davidben): Add an assert and fix code to match them up. return sha256_final_impl(out, c); } + int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { // SHA224_Init sets |ctx->md_len| to |SHA224_DIGEST_LENGTH|, so this has a // smaller output. 
@@ -184,15 +185,17 @@ static const uint32_t K256[64] = { 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL}; -#define ROTATE(a, n) (((a) << (n)) | ((a) >> (32 - (n)))) - -// FIPS specification refers to right rotations, while our ROTATE macro -// is left one. This is why you might notice that rotation coefficients -// differ from those observed in FIPS document by 32-N... -#define Sigma0(x) (ROTATE((x), 30) ^ ROTATE((x), 19) ^ ROTATE((x), 10)) -#define Sigma1(x) (ROTATE((x), 26) ^ ROTATE((x), 21) ^ ROTATE((x), 7)) -#define sigma0(x) (ROTATE((x), 25) ^ ROTATE((x), 14) ^ ((x) >> 3)) -#define sigma1(x) (ROTATE((x), 15) ^ ROTATE((x), 13) ^ ((x) >> 10)) +// See FIPS 180-4, section 4.1.2. +#define Sigma0(x) \ + (CRYPTO_rotr_u32((x), 2) ^ CRYPTO_rotr_u32((x), 13) ^ \ + CRYPTO_rotr_u32((x), 22)) +#define Sigma1(x) \ + (CRYPTO_rotr_u32((x), 6) ^ CRYPTO_rotr_u32((x), 11) ^ \ + CRYPTO_rotr_u32((x), 25)) +#define sigma0(x) \ + (CRYPTO_rotr_u32((x), 7) ^ CRYPTO_rotr_u32((x), 18) ^ ((x) >> 3)) +#define sigma1(x) \ + (CRYPTO_rotr_u32((x), 17) ^ CRYPTO_rotr_u32((x), 19) ^ ((x) >> 10)) #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) @@ -309,7 +312,6 @@ void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data, sha256_block_data_order(state, data, num_blocks); } -#undef ROTATE #undef Sigma0 #undef Sigma1 #undef sigma0 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c index 4608879c..738dfc3b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha/sha512.c 
@@ -321,42 +321,16 @@ static const uint64_t K512[80] = { UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817), }; -#if defined(__GNUC__) && __GNUC__ >= 2 && !defined(OPENSSL_NO_ASM) -#if defined(__x86_64) || defined(__x86_64__) -#define ROTR(a, n) \ - ({ \ - uint64_t ret; \ - __asm__("rorq %1, %0" : "=r"(ret) : "J"(n), "0"(a) : "cc"); \ - ret; \ - }) -#elif(defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64) -#define ROTR(a, n) \ - ({ \ - uint64_t ret; \ - __asm__("rotrdi %0, %1, %2" : "=r"(ret) : "r"(a), "K"(n)); \ - ret; \ - }) -#elif defined(__aarch64__) -#define ROTR(a, n) \ - ({ \ - uint64_t ret; \ - __asm__("ror %0, %1, %2" : "=r"(ret) : "r"(a), "I"(n)); \ - ret; \ - }) -#endif -#elif defined(_MSC_VER) && defined(_WIN64) -#pragma intrinsic(_rotr64) -#define ROTR(a, n) _rotr64((a), n) -#endif - -#ifndef ROTR -#define ROTR(x, s) (((x) >> s) | (x) << (64 - s)) -#endif - -#define Sigma0(x) (ROTR((x), 28) ^ ROTR((x), 34) ^ ROTR((x), 39)) -#define Sigma1(x) (ROTR((x), 14) ^ ROTR((x), 18) ^ ROTR((x), 41)) -#define sigma0(x) (ROTR((x), 1) ^ ROTR((x), 8) ^ ((x) >> 7)) -#define sigma1(x) (ROTR((x), 19) ^ ROTR((x), 61) ^ ((x) >> 6)) +#define Sigma0(x) \ + (CRYPTO_rotr_u64((x), 28) ^ CRYPTO_rotr_u64((x), 34) ^ \ + CRYPTO_rotr_u64((x), 39)) +#define Sigma1(x) \ + (CRYPTO_rotr_u64((x), 14) ^ CRYPTO_rotr_u64((x), 18) ^ \ + CRYPTO_rotr_u64((x), 41)) +#define sigma0(x) \ + (CRYPTO_rotr_u64((x), 1) ^ CRYPTO_rotr_u64((x), 8) ^ ((x) >> 7)) +#define sigma1(x) \ + (CRYPTO_rotr_u64((x), 19) ^ CRYPTO_rotr_u64((x), 61) ^ ((x) >> 6)) #define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) #define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) @@ -524,7 +498,6 @@ static void sha512_block_data_order(uint64_t *state, const uint8_t *in, #endif // !SHA512_ASM -#undef ROTR #undef Sigma0 #undef Sigma1 #undef sigma0 
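Review bot: The new `Sigma0`/`Sigma1`/`sigma0`/`sigma1` definitions in sha512.c carry no reference to the specification, while the parallel sha256.c hunk above added `// See FIPS 180-4, section 4.1.2.` when it switched to `CRYPTO_rotr_u32`. The rotation amounts (28/34/39, 14/18/41, 1/8/7, 19/61/6) match the SHA-512 functions, so mirroring that comment would let a reader verify them without digging into history: `// See FIPS 180-4, section 4.1.3.` placed directly above `#define Sigma0(x)`. Dropping the per-architecture inline-asm `ROTR` variants in favour of one `CRYPTO_rotr_u64` helper also removes the hand-rolled fallback `ROTR(x, s)`, which was the only version with unparenthesised `s`; the note is documentation only.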
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.linux.x86.S index 4326f98d..4d36a64b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.windows.x86.S index d95bc2a5..8c33378a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-586.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.ios.aarch64.S index 87f4c5a9..c5fada59 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.ios.aarch64.S @@ -53,7 +53,7 @@ Loop: movz w28,#0x7999 sub x2,x2,#1 movk w28,#0x5a82,lsl#16 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x3,x3,#32 #else rev32 x3,x3 
@@ -71,7 +71,7 @@ Loop: ror w21,w21,#2 add w23,w23,w4 // future e+=X[i] add w24,w24,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x5,x5,#32 #else rev32 x5,x5 @@ -96,7 +96,7 @@ Loop: ror w24,w24,#2 add w21,w21,w6 // future e+=X[i] add w22,w22,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x7,x7,#32 #else rev32 x7,x7 @@ -121,7 +121,7 @@ Loop: ror w22,w22,#2 add w24,w24,w8 // future e+=X[i] add w20,w20,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x9,x9,#32 #else rev32 x9,x9 @@ -146,7 +146,7 @@ Loop: ror w20,w20,#2 add w22,w22,w10 // future e+=X[i] add w23,w23,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x11,x11,#32 #else rev32 x11,x11 @@ -171,7 +171,7 @@ Loop: ror w23,w23,#2 add w20,w20,w12 // future e+=X[i] add w21,w21,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x13,x13,#32 #else rev32 x13,x13 @@ -196,7 +196,7 @@ Loop: ror w21,w21,#2 add w23,w23,w14 // future e+=X[i] add w24,w24,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x15,x15,#32 #else rev32 x15,x15 @@ -221,7 +221,7 @@ Loop: ror w24,w24,#2 add w21,w21,w16 // future e+=X[i] add w22,w22,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x17,x17,#32 #else rev32 x17,x17 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.linux.aarch64.S index 446f85fd..6cb79ac0 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-armv8.linux.aarch64.S @@ -54,7 +54,7 @@ sha1_block_data_order: movz w28,#0x7999 sub x2,x2,#1 movk w28,#0x5a82,lsl#16 -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x3,x3,#32 #else rev32 x3,x3 @@ -72,7 +72,7 @@ sha1_block_data_order: ror w21,w21,#2 add w23,w23,w4 // future e+=X[i] add w24,w24,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x5,x5,#32 #else rev32 x5,x5 
@@ -97,7 +97,7 @@ sha1_block_data_order: ror w24,w24,#2 add w21,w21,w6 // future e+=X[i] add w22,w22,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x7,x7,#32 #else rev32 x7,x7 @@ -122,7 +122,7 @@ sha1_block_data_order: ror w22,w22,#2 add w24,w24,w8 // future e+=X[i] add w20,w20,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x9,x9,#32 #else rev32 x9,x9 @@ -147,7 +147,7 @@ sha1_block_data_order: ror w20,w20,#2 add w22,w22,w10 // future e+=X[i] add w23,w23,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x11,x11,#32 #else rev32 x11,x11 @@ -172,7 +172,7 @@ sha1_block_data_order: ror w23,w23,#2 add w20,w20,w12 // future e+=X[i] add w21,w21,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x13,x13,#32 #else rev32 x13,x13 @@ -197,7 +197,7 @@ sha1_block_data_order: ror w21,w21,#2 add w23,w23,w14 // future e+=X[i] add w24,w24,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x15,x15,#32 #else rev32 x15,x15 @@ -222,7 +222,7 @@ sha1_block_data_order: ror w24,w24,#2 add w21,w21,w16 // future e+=X[i] add w22,w22,w25 // e+=F(b,c,d) -#ifdef __ARMEB__ +#ifdef __AARCH64EB__ ror x17,x17,#32 #else rev32 x17,x17 diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.linux.x86_64.S index 36d10c80..040ea85f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.mac.x86_64.S index f364276d..7c12d77b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha1-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.linux.x86.S index 04ad4f3b..e8ab3146 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.windows.x86.S index 6ea386cb..3dd01726 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-586.windows.x86.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.ios.aarch64.S index d27e2482..8be5abb3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.ios.aarch64.S @@ -14,7 +14,7 @@ #if defined(BORINGSSL_PREFIX) #include #endif -// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use // this file except in compliance with the License. You can obtain a copy @@ -42,6 +42,7 @@ // Denver 2.01 10.5 (+26%) 6.70 (+8%) // X-Gene 20.0 (+100%) 12.8 (+300%(***)) // Mongoose 2.36 13.0 (+50%) 8.36 (+33%) +// Kryo 1.92 17.4 (+30%) 11.2 (+8%) // // (*) Software SHA256 results are of lesser relevance, presented // mostly for informational purposes. @@ -50,7 +51,7 @@ // on Cortex-A53 (or by 4 cycles per round). // (***) Super-impressive coefficients over gcc-generated code are // indication of some compiler "pathology", most notably code -// generated with -mgeneral-regs-only is significanty faster +// generated with -mgeneral-regs-only is significantly faster // and the gap is only 40-90%. #ifndef __KERNEL__ @@ -102,7 +103,7 @@ Loop: ldr w19,[x30],#4 // *K++ eor w28,w21,w22 // magic seed str x1,[x29,#112] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w3,w3 // 0 #endif ror w16,w24,#6 
@@ -125,7 +126,7 @@ Loop: add w27,w27,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w27,w27,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w4,w4 // 1 #endif ldp w5,w6,[x1],#2*4 @@ -150,7 +151,7 @@ Loop: add w26,w26,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w26,w26,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w5,w5 // 2 #endif add w26,w26,w17 // h+=Sigma0(a) @@ -174,7 +175,7 @@ Loop: add w25,w25,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w25,w25,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w6,w6 // 3 #endif ldp w7,w8,[x1],#2*4 @@ -199,7 +200,7 @@ Loop: add w24,w24,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w24,w24,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w7,w7 // 4 #endif add w24,w24,w17 // h+=Sigma0(a) @@ -223,7 +224,7 @@ Loop: add w23,w23,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w23,w23,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w8,w8 // 5 #endif ldp w9,w10,[x1],#2*4 @@ -248,7 +249,7 @@ Loop: add w22,w22,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w22,w22,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w9,w9 // 6 #endif add w22,w22,w17 // h+=Sigma0(a) @@ -272,7 +273,7 @@ Loop: add w21,w21,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w21,w21,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w10,w10 // 7 #endif ldp w11,w12,[x1],#2*4 @@ -297,7 +298,7 @@ Loop: add w20,w20,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w20,w20,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w11,w11 // 8 #endif add w20,w20,w17 // h+=Sigma0(a) 
@@ -321,7 +322,7 @@ Loop: add w27,w27,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w27,w27,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w12,w12 // 9 #endif ldp w13,w14,[x1],#2*4 @@ -346,7 +347,7 @@ Loop: add w26,w26,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w26,w26,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w13,w13 // 10 #endif add w26,w26,w17 // h+=Sigma0(a) @@ -370,7 +371,7 @@ Loop: add w25,w25,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w25,w25,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w14,w14 // 11 #endif ldp w15,w0,[x1],#2*4 @@ -396,7 +397,7 @@ Loop: add w24,w24,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w24,w24,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w15,w15 // 12 #endif add w24,w24,w17 // h+=Sigma0(a) @@ -421,7 +422,7 @@ Loop: add w23,w23,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w23,w23,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w0,w0 // 13 #endif ldp w1,w2,[x1] @@ -447,7 +448,7 @@ Loop: add w22,w22,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w22,w22,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w1,w1 // 14 #endif ldr w6,[sp,#12] @@ -473,7 +474,7 @@ Loop: add w21,w21,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w21,w21,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w2,w2 // 15 #endif ldr w7,[sp,#0] diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.linux.aarch64.S index 1836a745..741353ae 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-armv8.linux.aarch64.S 
@@ -15,7 +15,7 @@ #if defined(BORINGSSL_PREFIX) #include #endif -// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use // this file except in compliance with the License. You can obtain a copy @@ -43,6 +43,7 @@ // Denver 2.01 10.5 (+26%) 6.70 (+8%) // X-Gene 20.0 (+100%) 12.8 (+300%(***)) // Mongoose 2.36 13.0 (+50%) 8.36 (+33%) +// Kryo 1.92 17.4 (+30%) 11.2 (+8%) // // (*) Software SHA256 results are of lesser relevance, presented // mostly for informational purposes. @@ -51,7 +52,7 @@ // on Cortex-A53 (or by 4 cycles per round). // (***) Super-impressive coefficients over gcc-generated code are // indication of some compiler "pathology", most notably code -// generated with -mgeneral-regs-only is significanty faster +// generated with -mgeneral-regs-only is significantly faster // and the gap is only 40-90%. #ifndef __KERNEL__ @@ -103,7 +104,7 @@ sha256_block_data_order: ldr w19,[x30],#4 // *K++ eor w28,w21,w22 // magic seed str x1,[x29,#112] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w3,w3 // 0 #endif ror w16,w24,#6 @@ -126,7 +127,7 @@ sha256_block_data_order: add w27,w27,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w27,w27,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w4,w4 // 1 #endif ldp w5,w6,[x1],#2*4 @@ -151,7 +152,7 @@ sha256_block_data_order: add w26,w26,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w26,w26,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w5,w5 // 2 #endif add w26,w26,w17 // h+=Sigma0(a) @@ -175,7 +176,7 @@ sha256_block_data_order: add w25,w25,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w25,w25,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w6,w6 // 3 #endif ldp w7,w8,[x1],#2*4 
@@ -200,7 +201,7 @@ sha256_block_data_order: add w24,w24,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w24,w24,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w7,w7 // 4 #endif add w24,w24,w17 // h+=Sigma0(a) @@ -224,7 +225,7 @@ sha256_block_data_order: add w23,w23,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w23,w23,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w8,w8 // 5 #endif ldp w9,w10,[x1],#2*4 @@ -249,7 +250,7 @@ sha256_block_data_order: add w22,w22,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w22,w22,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w9,w9 // 6 #endif add w22,w22,w17 // h+=Sigma0(a) @@ -273,7 +274,7 @@ sha256_block_data_order: add w21,w21,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w21,w21,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w10,w10 // 7 #endif ldp w11,w12,[x1],#2*4 @@ -298,7 +299,7 @@ sha256_block_data_order: add w20,w20,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w20,w20,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w11,w11 // 8 #endif add w20,w20,w17 // h+=Sigma0(a) @@ -322,7 +323,7 @@ sha256_block_data_order: add w27,w27,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w27,w27,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w12,w12 // 9 #endif ldp w13,w14,[x1],#2*4 @@ -347,7 +348,7 @@ sha256_block_data_order: add w26,w26,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w26,w26,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w13,w13 // 10 #endif add w26,w26,w17 // h+=Sigma0(a) @@ -371,7 +372,7 @@ sha256_block_data_order: add w25,w25,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w25,w25,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w14,w14 // 11 #endif ldp w15,w0,[x1],#2*4 
@@ -397,7 +398,7 @@ sha256_block_data_order: add w24,w24,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w24,w24,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w15,w15 // 12 #endif add w24,w24,w17 // h+=Sigma0(a) @@ -422,7 +423,7 @@ sha256_block_data_order: add w23,w23,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w23,w23,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w0,w0 // 13 #endif ldp w1,w2,[x1] @@ -448,7 +449,7 @@ sha256_block_data_order: add w22,w22,w19 // h+=Maj(a,b,c) ldr w19,[x30],#4 // *K++, w28 in next round //add w22,w22,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w1,w1 // 14 #endif ldr w6,[sp,#12] @@ -474,7 +475,7 @@ sha256_block_data_order: add w21,w21,w28 // h+=Maj(a,b,c) ldr w28,[x30],#4 // *K++, w19 in next round //add w21,w21,w17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev w2,w2 // 15 #endif ldr w7,[sp,#0] diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.linux.x86_64.S index d4432a39..4cf4576f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) @@ -27,6 +27,8 @@ sha256_block_data_order: movl 0(%r11),%r9d movl 4(%r11),%r10d movl 8(%r11),%r11d + testl $536870912,%r11d + jnz .Lshaext_shortcut andl $1073741824,%r9d andl $268435968,%r10d orl %r9d,%r10d 
@@ -1783,6 +1785,215 @@ K256: .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.type sha256_block_data_order_shaext,@function +.align 64 +sha256_block_data_order_shaext: +.cfi_startproc +.Lshaext_shortcut: + leaq K256+128(%rip),%rcx + movdqu (%rdi),%xmm1 + movdqu 16(%rdi),%xmm2 + movdqa 512-128(%rcx),%xmm7 + + pshufd $0x1b,%xmm1,%xmm0 + pshufd $0xb1,%xmm1,%xmm1 + pshufd $0x1b,%xmm2,%xmm2 + movdqa %xmm7,%xmm8 +.byte 102,15,58,15,202,8 + punpcklqdq %xmm0,%xmm2 + jmp .Loop_shaext + +.align 16 +.Loop_shaext: + movdqu (%rsi),%xmm3 + movdqu 16(%rsi),%xmm4 + movdqu 32(%rsi),%xmm5 +.byte 102,15,56,0,223 + movdqu 48(%rsi),%xmm6 + + movdqa 0-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 102,15,56,0,231 + movdqa %xmm2,%xmm10 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + nop + movdqa %xmm1,%xmm9 +.byte 15,56,203,202 + + movdqa 32-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 102,15,56,0,239 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + leaq 64(%rsi),%rsi +.byte 15,56,204,220 +.byte 15,56,203,202 + + movdqa 64-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 102,15,56,0,247 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm6,%xmm7 +.byte 102,15,58,15,253,4 + nop + paddd %xmm7,%xmm3 +.byte 15,56,204,229 +.byte 15,56,203,202 + + movdqa 96-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 +.byte 15,56,205,222 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm3,%xmm7 +.byte 102,15,58,15,254,4 + nop + paddd %xmm7,%xmm4 +.byte 15,56,204,238 +.byte 15,56,203,202 + movdqa 128-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 15,56,205,227 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm4,%xmm7 +.byte 102,15,58,15,251,4 + nop + paddd %xmm7,%xmm5 +.byte 15,56,204,243 +.byte 15,56,203,202 + 
movdqa 160-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 15,56,205,236 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm5,%xmm7 +.byte 102,15,58,15,252,4 + nop + paddd %xmm7,%xmm6 +.byte 15,56,204,220 +.byte 15,56,203,202 + movdqa 192-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 15,56,205,245 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm6,%xmm7 +.byte 102,15,58,15,253,4 + nop + paddd %xmm7,%xmm3 +.byte 15,56,204,229 +.byte 15,56,203,202 + movdqa 224-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 +.byte 15,56,205,222 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm3,%xmm7 +.byte 102,15,58,15,254,4 + nop + paddd %xmm7,%xmm4 +.byte 15,56,204,238 +.byte 15,56,203,202 + movdqa 256-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 15,56,205,227 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm4,%xmm7 +.byte 102,15,58,15,251,4 + nop + paddd %xmm7,%xmm5 +.byte 15,56,204,243 +.byte 15,56,203,202 + movdqa 288-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 15,56,205,236 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm5,%xmm7 +.byte 102,15,58,15,252,4 + nop + paddd %xmm7,%xmm6 +.byte 15,56,204,220 +.byte 15,56,203,202 + movdqa 320-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 15,56,205,245 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm6,%xmm7 +.byte 102,15,58,15,253,4 + nop + paddd %xmm7,%xmm3 +.byte 15,56,204,229 +.byte 15,56,203,202 + movdqa 352-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 +.byte 15,56,205,222 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm3,%xmm7 +.byte 102,15,58,15,254,4 + nop + paddd %xmm7,%xmm4 +.byte 15,56,204,238 +.byte 15,56,203,202 + movdqa 384-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 15,56,205,227 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm4,%xmm7 +.byte 102,15,58,15,251,4 + nop + paddd %xmm7,%xmm5 +.byte 15,56,204,243 +.byte 15,56,203,202 + movdqa 416-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 15,56,205,236 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa 
%xmm5,%xmm7 +.byte 102,15,58,15,252,4 +.byte 15,56,203,202 + paddd %xmm7,%xmm6 + + movdqa 448-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 +.byte 15,56,205,245 + movdqa %xmm8,%xmm7 +.byte 15,56,203,202 + + movdqa 480-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 + nop +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + decq %rdx + nop +.byte 15,56,203,202 + + paddd %xmm10,%xmm2 + paddd %xmm9,%xmm1 + jnz .Loop_shaext + + pshufd $0xb1,%xmm2,%xmm2 + pshufd $0x1b,%xmm1,%xmm7 + pshufd $0xb1,%xmm1,%xmm1 + punpckhqdq %xmm2,%xmm1 +.byte 102,15,58,15,215,8 + + movdqu %xmm1,(%rdi) + movdqu %xmm2,16(%rdi) + .byte 0xf3,0xc3 +.cfi_endproc +.size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext .type sha256_block_data_order_ssse3,@function .align 64 sha256_block_data_order_ssse3: diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.mac.x86_64.S index 9fda18b3..ba129602 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha256-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) @@ -26,6 +26,8 @@ _sha256_block_data_order: movl 0(%r11),%r9d movl 4(%r11),%r10d movl 8(%r11),%r11d + testl $536870912,%r11d + jnz L$shaext_shortcut andl $1073741824,%r9d andl $268435968,%r10d orl %r9d,%r10d 
@@ -1783,6 +1785,215 @@ K256: .long 0xffffffff,0xffffffff,0x03020100,0x0b0a0908 .byte 83,72,65,50,53,54,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 +sha256_block_data_order_shaext: + +L$shaext_shortcut: + leaq K256+128(%rip),%rcx + movdqu (%rdi),%xmm1 + movdqu 16(%rdi),%xmm2 + movdqa 512-128(%rcx),%xmm7 + + pshufd $0x1b,%xmm1,%xmm0 + pshufd $0xb1,%xmm1,%xmm1 + pshufd $0x1b,%xmm2,%xmm2 + movdqa %xmm7,%xmm8 +.byte 102,15,58,15,202,8 + punpcklqdq %xmm0,%xmm2 + jmp L$oop_shaext + +.p2align 4 +L$oop_shaext: + movdqu (%rsi),%xmm3 + movdqu 16(%rsi),%xmm4 + movdqu 32(%rsi),%xmm5 +.byte 102,15,56,0,223 + movdqu 48(%rsi),%xmm6 + + movdqa 0-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 102,15,56,0,231 + movdqa %xmm2,%xmm10 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + nop + movdqa %xmm1,%xmm9 +.byte 15,56,203,202 + + movdqa 32-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 102,15,56,0,239 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + leaq 64(%rsi),%rsi +.byte 15,56,204,220 +.byte 15,56,203,202 + + movdqa 64-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 102,15,56,0,247 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm6,%xmm7 +.byte 102,15,58,15,253,4 + nop + paddd %xmm7,%xmm3 +.byte 15,56,204,229 +.byte 15,56,203,202 + + movdqa 96-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 +.byte 15,56,205,222 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm3,%xmm7 +.byte 102,15,58,15,254,4 + nop + paddd %xmm7,%xmm4 +.byte 15,56,204,238 +.byte 15,56,203,202 + movdqa 128-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 15,56,205,227 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm4,%xmm7 +.byte 102,15,58,15,251,4 + nop + paddd %xmm7,%xmm5 +.byte 15,56,204,243 +.byte 15,56,203,202 + movdqa 160-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 15,56,205,236 +.byte 15,56,203,209 + pshufd 
$0x0e,%xmm0,%xmm0 + movdqa %xmm5,%xmm7 +.byte 102,15,58,15,252,4 + nop + paddd %xmm7,%xmm6 +.byte 15,56,204,220 +.byte 15,56,203,202 + movdqa 192-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 15,56,205,245 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm6,%xmm7 +.byte 102,15,58,15,253,4 + nop + paddd %xmm7,%xmm3 +.byte 15,56,204,229 +.byte 15,56,203,202 + movdqa 224-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 +.byte 15,56,205,222 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm3,%xmm7 +.byte 102,15,58,15,254,4 + nop + paddd %xmm7,%xmm4 +.byte 15,56,204,238 +.byte 15,56,203,202 + movdqa 256-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 15,56,205,227 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm4,%xmm7 +.byte 102,15,58,15,251,4 + nop + paddd %xmm7,%xmm5 +.byte 15,56,204,243 +.byte 15,56,203,202 + movdqa 288-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 15,56,205,236 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm5,%xmm7 +.byte 102,15,58,15,252,4 + nop + paddd %xmm7,%xmm6 +.byte 15,56,204,220 +.byte 15,56,203,202 + movdqa 320-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 15,56,205,245 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm6,%xmm7 +.byte 102,15,58,15,253,4 + nop + paddd %xmm7,%xmm3 +.byte 15,56,204,229 +.byte 15,56,203,202 + movdqa 352-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 +.byte 15,56,205,222 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm3,%xmm7 +.byte 102,15,58,15,254,4 + nop + paddd %xmm7,%xmm4 +.byte 15,56,204,238 +.byte 15,56,203,202 + movdqa 384-128(%rcx),%xmm0 + paddd %xmm3,%xmm0 +.byte 15,56,205,227 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm4,%xmm7 +.byte 102,15,58,15,251,4 + nop + paddd %xmm7,%xmm5 +.byte 15,56,204,243 +.byte 15,56,203,202 + movdqa 416-128(%rcx),%xmm0 + paddd %xmm4,%xmm0 +.byte 15,56,205,236 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + movdqa %xmm5,%xmm7 +.byte 102,15,58,15,252,4 +.byte 15,56,203,202 + paddd %xmm7,%xmm6 + + movdqa 
448-128(%rcx),%xmm0 + paddd %xmm5,%xmm0 +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 +.byte 15,56,205,245 + movdqa %xmm8,%xmm7 +.byte 15,56,203,202 + + movdqa 480-128(%rcx),%xmm0 + paddd %xmm6,%xmm0 + nop +.byte 15,56,203,209 + pshufd $0x0e,%xmm0,%xmm0 + decq %rdx + nop +.byte 15,56,203,202 + + paddd %xmm10,%xmm2 + paddd %xmm9,%xmm1 + jnz L$oop_shaext + + pshufd $0xb1,%xmm2,%xmm2 + pshufd $0x1b,%xmm1,%xmm7 + pshufd $0xb1,%xmm1,%xmm1 + punpckhqdq %xmm2,%xmm1 +.byte 102,15,58,15,215,8 + + movdqu %xmm1,(%rdi) + movdqu %xmm2,16(%rdi) + .byte 0xf3,0xc3 + + + .p2align 6 sha256_block_data_order_ssse3: diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.linux.x86.S index 08071795..0f036bd6 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.windows.x86.S index 1fd67958..aa715fca 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-586.windows.x86.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.ios.aarch64.S index f714f0a9..f1a15c41 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.ios.aarch64.S @@ -14,7 +14,7 @@ #if defined(BORINGSSL_PREFIX) #include #endif -// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use // this file except in compliance with the License. You can obtain a copy @@ -42,6 +42,7 @@ // Denver 2.01 10.5 (+26%) 6.70 (+8%) // X-Gene 20.0 (+100%) 12.8 (+300%(***)) // Mongoose 2.36 13.0 (+50%) 8.36 (+33%) +// Kryo 1.92 17.4 (+30%) 11.2 (+8%) // // (*) Software SHA256 results are of lesser relevance, presented // mostly for informational purposes. @@ -50,7 +51,7 @@ // on Cortex-A53 (or by 4 cycles per round). // (***) Super-impressive coefficients over gcc-generated code are // indication of some compiler "pathology", most notably code -// generated with -mgeneral-regs-only is significanty faster +// generated with -mgeneral-regs-only is significantly faster // and the gap is only 40-90%. #ifndef __KERNEL__ 
@@ -66,6 +67,17 @@ .align 6 _sha512_block_data_order: + AARCH64_VALID_CALL_TARGET +#ifndef __KERNEL__ +#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 + adrp x16,:pg_hi21_nc:_OPENSSL_armcap_P +#else + adrp x16,_OPENSSL_armcap_P@PAGE +#endif + ldr w16,[x16,_OPENSSL_armcap_P@PAGEOFF] + tst w16,#ARMV8_SHA512 + b.ne Lv8_entry +#endif AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -91,7 +103,7 @@ Loop: ldr x19,[x30],#8 // *K++ eor x28,x21,x22 // magic seed str x1,[x29,#112] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x3,x3 // 0 #endif ror x16,x24,#14 @@ -114,7 +126,7 @@ Loop: add x27,x27,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x27,x27,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x4,x4 // 1 #endif ldp x5,x6,[x1],#2*8 @@ -139,7 +151,7 @@ Loop: add x26,x26,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x26,x26,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x5,x5 // 2 #endif add x26,x26,x17 // h+=Sigma0(a) @@ -163,7 +175,7 @@ Loop: add x25,x25,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x25,x25,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x6,x6 // 3 #endif ldp x7,x8,[x1],#2*8 @@ -188,7 +200,7 @@ Loop: add x24,x24,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x24,x24,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x7,x7 // 4 #endif add x24,x24,x17 // h+=Sigma0(a) @@ -212,7 +224,7 @@ Loop: add x23,x23,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x23,x23,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x8,x8 // 5 #endif ldp x9,x10,[x1],#2*8 @@ -237,7 +249,7 @@ Loop: add x22,x22,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x22,x22,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x9,x9 // 6 #endif add x22,x22,x17 // h+=Sigma0(a) 
@@ -261,7 +273,7 @@ Loop: add x21,x21,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x21,x21,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x10,x10 // 7 #endif ldp x11,x12,[x1],#2*8 @@ -286,7 +298,7 @@ Loop: add x20,x20,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x20,x20,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x11,x11 // 8 #endif add x20,x20,x17 // h+=Sigma0(a) @@ -310,7 +322,7 @@ Loop: add x27,x27,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x27,x27,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x12,x12 // 9 #endif ldp x13,x14,[x1],#2*8 @@ -335,7 +347,7 @@ Loop: add x26,x26,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x26,x26,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x13,x13 // 10 #endif add x26,x26,x17 // h+=Sigma0(a) @@ -359,7 +371,7 @@ Loop: add x25,x25,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x25,x25,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x14,x14 // 11 #endif ldp x15,x0,[x1],#2*8 @@ -385,7 +397,7 @@ Loop: add x24,x24,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x24,x24,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x15,x15 // 12 #endif add x24,x24,x17 // h+=Sigma0(a) @@ -410,7 +422,7 @@ Loop: add x23,x23,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x23,x23,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x0,x0 // 13 #endif ldp x1,x2,[x1] @@ -436,7 +448,7 @@ Loop: add x22,x22,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x22,x22,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x1,x1 // 14 #endif ldr x6,[sp,#24] 
@@ -462,7 +474,7 @@ Loop: add x21,x21,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x21,x21,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x2,x2 // 15 #endif ldr x7,[sp,#0] 
@@ -1080,6 +1092,527 @@ LK512: .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.text +#ifndef __KERNEL__ + +.align 6 +sha512_block_armv8: +Lv8_entry: + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ld1 {v16.16b,v17.16b,v18.16b,v19.16b},[x1],#64 // load input + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + + ld1 {v0.2d,v1.2d,v2.2d,v3.2d},[x0] // load context + adrp x3,LK512@PAGE + add x3,x3,LK512@PAGEOFF + + rev64 v16.16b,v16.16b + rev64 v17.16b,v17.16b + rev64 v18.16b,v18.16b + rev64 v19.16b,v19.16b + rev64 v20.16b,v20.16b + rev64 v21.16b,v21.16b + rev64 v22.16b,v22.16b + rev64 v23.16b,v23.16b + b Loop_hw + +.align 4 +Loop_hw: + ld1 {v24.2d},[x3],#16 + subs x2,x2,#1 + sub x4,x1,#128 + orr v26.16b,v0.16b,v0.16b // offload + orr v27.16b,v1.16b,v1.16b + orr v28.16b,v2.16b,v2.16b + orr v29.16b,v3.16b,v3.16b + csel x1,x1,x4,ne // conditional rewind + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add 
v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + 
H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 
v18.16b,v17.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext 
v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 
v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add 
v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.long 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.long 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext 
v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.long 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.long 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.long 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.long 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.long 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.long 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v16.2d + ld1 {v16.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a4 
//sha512h v4.16b,v5.16b,v6.16b + rev64 v16.16b,v16.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v17.2d + ld1 {v17.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b + rev64 v17.16b,v17.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v18.2d + ld1 {v18.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b + rev64 v18.16b,v18.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v19.2d + ld1 {v19.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b + rev64 v19.16b,v19.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.long 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v20.2d + ld1 {v20.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b + rev64 v20.16b,v20.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.long 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v21.2d + ld1 {v21.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a4 //sha512h 
v4.16b,v5.16b,v6.16b + rev64 v21.16b,v21.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.long 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v22.2d + ld1 {v22.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.long 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b + rev64 v22.16b,v22.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.long 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + sub x3,x3,#80*8 // rewind + add v25.2d,v25.2d,v23.2d + ld1 {v23.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.long 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b + rev64 v23.16b,v23.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.long 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v0.2d,v0.2d,v26.2d // accumulate + add v1.2d,v1.2d,v27.2d + add v2.2d,v2.2d,v28.2d + add v3.2d,v3.2d,v29.2d + + cbnz x2,Loop_hw + + st1 {v0.2d,v1.2d,v2.2d,v3.2d},[x0] // store context + + ldr x29,[sp],#16 + ret + +#endif #endif // !OPENSSL_NO_ASM #endif // defined(__aarch64__) && defined(__APPLE__) #if defined(__linux__) && defined(__ELF__) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.linux.aarch64.S index 543694dd..29ae308f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.linux.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-armv8.linux.aarch64.S @@ -15,7 +15,7 @@ #if defined(BORINGSSL_PREFIX) #include #endif -// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +// Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. // // Licensed under the OpenSSL license (the "License"). You may not use // this file except in compliance with the License. You can obtain a copy 
@@ -43,6 +43,7 @@ // Denver 2.01 10.5 (+26%) 6.70 (+8%) // X-Gene 20.0 (+100%) 12.8 (+300%(***)) // Mongoose 2.36 13.0 (+50%) 8.36 (+33%) +// Kryo 1.92 17.4 (+30%) 11.2 (+8%) // // (*) Software SHA256 results are of lesser relevance, presented // mostly for informational purposes. @@ -51,7 +52,7 @@ // on Cortex-A53 (or by 4 cycles per round). // (***) Super-impressive coefficients over gcc-generated code are // indication of some compiler "pathology", most notably code -// generated with -mgeneral-regs-only is significanty faster +// generated with -mgeneral-regs-only is significantly faster // and the gap is only 40-90%. #ifndef __KERNEL__ @@ -67,6 +68,17 @@ .type sha512_block_data_order,%function .align 6 sha512_block_data_order: + AARCH64_VALID_CALL_TARGET +#ifndef __KERNEL__ +#if __has_feature(hwaddress_sanitizer) && __clang_major__ >= 10 + adrp x16,:pg_hi21_nc:OPENSSL_armcap_P +#else + adrp x16,OPENSSL_armcap_P +#endif + ldr w16,[x16,:lo12:OPENSSL_armcap_P] + tst w16,#ARMV8_SHA512 + b.ne .Lv8_entry +#endif AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-128]! add x29,sp,#0 @@ -92,7 +104,7 @@ sha512_block_data_order: ldr x19,[x30],#8 // *K++ eor x28,x21,x22 // magic seed str x1,[x29,#112] -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x3,x3 // 0 #endif ror x16,x24,#14 @@ -115,7 +127,7 @@ sha512_block_data_order: add x27,x27,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x27,x27,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x4,x4 // 1 #endif ldp x5,x6,[x1],#2*8 @@ -140,7 +152,7 @@ sha512_block_data_order: add x26,x26,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x26,x26,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x5,x5 // 2 #endif add x26,x26,x17 // h+=Sigma0(a) 
@@ -164,7 +176,7 @@ sha512_block_data_order: add x25,x25,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x25,x25,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x6,x6 // 3 #endif ldp x7,x8,[x1],#2*8 @@ -189,7 +201,7 @@ sha512_block_data_order: add x24,x24,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x24,x24,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x7,x7 // 4 #endif add x24,x24,x17 // h+=Sigma0(a) @@ -213,7 +225,7 @@ sha512_block_data_order: add x23,x23,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x23,x23,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x8,x8 // 5 #endif ldp x9,x10,[x1],#2*8 @@ -238,7 +250,7 @@ sha512_block_data_order: add x22,x22,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x22,x22,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x9,x9 // 6 #endif add x22,x22,x17 // h+=Sigma0(a) @@ -262,7 +274,7 @@ sha512_block_data_order: add x21,x21,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x21,x21,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x10,x10 // 7 #endif ldp x11,x12,[x1],#2*8 @@ -287,7 +299,7 @@ sha512_block_data_order: add x20,x20,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x20,x20,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x11,x11 // 8 #endif add x20,x20,x17 // h+=Sigma0(a) @@ -311,7 +323,7 @@ sha512_block_data_order: add x27,x27,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x27,x27,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x12,x12 // 9 #endif ldp x13,x14,[x1],#2*8 @@ -336,7 +348,7 @@ sha512_block_data_order: add x26,x26,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x26,x26,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x13,x13 // 10 #endif add x26,x26,x17 // h+=Sigma0(a) 
@@ -360,7 +372,7 @@ sha512_block_data_order: add x25,x25,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x25,x25,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x14,x14 // 11 #endif ldp x15,x0,[x1],#2*8 @@ -386,7 +398,7 @@ sha512_block_data_order: add x24,x24,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x24,x24,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x15,x15 // 12 #endif add x24,x24,x17 // h+=Sigma0(a) @@ -411,7 +423,7 @@ sha512_block_data_order: add x23,x23,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x23,x23,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x0,x0 // 13 #endif ldp x1,x2,[x1] @@ -437,7 +449,7 @@ sha512_block_data_order: add x22,x22,x19 // h+=Maj(a,b,c) ldr x19,[x30],#8 // *K++, x28 in next round //add x22,x22,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x1,x1 // 14 #endif ldr x6,[sp,#24] @@ -463,7 +475,7 @@ sha512_block_data_order: add x21,x21,x28 // h+=Maj(a,b,c) ldr x28,[x30],#8 // *K++, x19 in next round //add x21,x21,x17 // h+=Sigma0(a) -#ifndef __ARMEB__ +#ifndef __AARCH64EB__ rev x2,x2 // 15 #endif ldr x7,[sp,#0] 
@@ -1081,6 +1093,527 @@ sha512_block_data_order: .byte 83,72,65,53,49,50,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 2 +.text +#ifndef __KERNEL__ +.type sha512_block_armv8,%function +.align 6 +sha512_block_armv8: +.Lv8_entry: + stp x29,x30,[sp,#-16]! + add x29,sp,#0 + + ld1 {v16.16b,v17.16b,v18.16b,v19.16b},[x1],#64 // load input + ld1 {v20.16b,v21.16b,v22.16b,v23.16b},[x1],#64 + + ld1 {v0.2d,v1.2d,v2.2d,v3.2d},[x0] // load context + adrp x3,.LK512 + add x3,x3,:lo12:.LK512 + + rev64 v16.16b,v16.16b + rev64 v17.16b,v17.16b + rev64 v18.16b,v18.16b + rev64 v19.16b,v19.16b + rev64 v20.16b,v20.16b + rev64 v21.16b,v21.16b + rev64 v22.16b,v22.16b + rev64 v23.16b,v23.16b + b .Loop_hw + +.align 4 +.Loop_hw: + ld1 {v24.2d},[x3],#16 + subs x2,x2,#1 + sub x4,x1,#128 + orr v26.16b,v0.16b,v0.16b // offload + orr v27.16b,v1.16b,v1.16b + orr v28.16b,v2.16b,v2.16b + orr v29.16b,v3.16b,v3.16b + csel x1,x1,x4,ne // conditional rewind + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 
//sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.inst 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.inst 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.inst 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext 
v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.inst 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.inst 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.inst 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.inst 0xce6680a3 
//sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.inst 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.inst 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.inst 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + 
add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.inst 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.inst 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // 
"T1 + H + K512[i]" +.inst 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.inst 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.inst 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.inst 0xce678ad7 
//sha512su1 v23.16b,v22.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v24.2d,v24.2d,v16.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08230 //sha512su0 v16.16b,v17.16b + ext v7.16b,v20.16b,v21.16b,#8 +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.inst 0xce678af0 //sha512su1 v16.16b,v23.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v25.2d,v25.2d,v17.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08251 //sha512su0 v17.16b,v18.16b + ext v7.16b,v21.16b,v22.16b,#8 +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678a11 //sha512su1 v17.16b,v16.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v24.2d,v24.2d,v18.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec08272 //sha512su0 v18.16b,v19.16b + ext v7.16b,v22.16b,v23.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678a32 //sha512su1 v18.16b,v17.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + add v25.2d,v25.2d,v19.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08293 //sha512su0 v19.16b,v20.16b + ext v7.16b,v23.16b,v16.16b,#8 +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b +.inst 0xce678a53 //sha512su1 v19.16b,v18.16b,v7.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + add v24.2d,v24.2d,v20.2d + ld1 {v25.2d},[x3],#16 
+ ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082b4 //sha512su0 v20.16b,v21.16b + ext v7.16b,v16.16b,v17.16b,#8 +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b +.inst 0xce678a74 //sha512su1 v20.16b,v19.16b,v7.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + add v25.2d,v25.2d,v21.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec082d5 //sha512su0 v21.16b,v22.16b + ext v7.16b,v17.16b,v18.16b,#8 +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b +.inst 0xce678a95 //sha512su1 v21.16b,v20.16b,v7.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v24.2d,v24.2d,v22.2d + ld1 {v25.2d},[x3],#16 + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xcec082f6 //sha512su0 v22.16b,v23.16b + ext v7.16b,v18.16b,v19.16b,#8 +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b +.inst 0xce678ab6 //sha512su1 v22.16b,v21.16b,v7.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + add v25.2d,v25.2d,v23.2d + ld1 {v24.2d},[x3],#16 + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xcec08217 //sha512su0 v23.16b,v16.16b + ext v7.16b,v19.16b,v20.16b,#8 +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b +.inst 0xce678ad7 //sha512su1 v23.16b,v22.16b,v7.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v16.2d + ld1 {v16.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v24.2d // "T1 + 
H + K512[i]" +.inst 0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b + rev64 v16.16b,v16.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v17.2d + ld1 {v17.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b + rev64 v17.16b,v17.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v18.2d + ld1 {v18.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b + rev64 v18.16b,v18.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v19.2d + ld1 {v19.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v2.16b,v3.16b,#8 + ext v6.16b,v1.16b,v2.16b,#8 + add v3.2d,v3.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xce6680a3 //sha512h v3.16b,v5.16b,v6.16b + rev64 v19.16b,v19.16b + add v4.2d,v1.2d,v3.2d // "D + T1" +.inst 0xce608423 //sha512h2 v3.16b,v1.16b,v0.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v20.2d + ld1 {v20.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v4.16b,v2.16b,#8 + ext v6.16b,v0.16b,v4.16b,#8 + add v2.2d,v2.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xce6680a2 //sha512h v2.16b,v5.16b,v6.16b + rev64 v20.16b,v20.16b + add v1.2d,v0.2d,v2.2d // "D + T1" +.inst 0xce638402 //sha512h2 v2.16b,v0.16b,v3.16b + ld1 {v24.2d},[x3],#16 + add v25.2d,v25.2d,v21.2d + ld1 {v21.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v1.16b,v4.16b,#8 + ext v6.16b,v3.16b,v1.16b,#8 + add v4.2d,v4.2d,v25.2d // "T1 + H + K512[i]" +.inst 
0xce6680a4 //sha512h v4.16b,v5.16b,v6.16b + rev64 v21.16b,v21.16b + add v0.2d,v3.2d,v4.2d // "D + T1" +.inst 0xce628464 //sha512h2 v4.16b,v3.16b,v2.16b + ld1 {v25.2d},[x3],#16 + add v24.2d,v24.2d,v22.2d + ld1 {v22.16b},[x1],#16 // load next input + ext v24.16b,v24.16b,v24.16b,#8 + ext v5.16b,v0.16b,v1.16b,#8 + ext v6.16b,v2.16b,v0.16b,#8 + add v1.2d,v1.2d,v24.2d // "T1 + H + K512[i]" +.inst 0xce6680a1 //sha512h v1.16b,v5.16b,v6.16b + rev64 v22.16b,v22.16b + add v3.2d,v2.2d,v1.2d // "D + T1" +.inst 0xce648441 //sha512h2 v1.16b,v2.16b,v4.16b + sub x3,x3,#80*8 // rewind + add v25.2d,v25.2d,v23.2d + ld1 {v23.16b},[x1],#16 // load next input + ext v25.16b,v25.16b,v25.16b,#8 + ext v5.16b,v3.16b,v0.16b,#8 + ext v6.16b,v4.16b,v3.16b,#8 + add v0.2d,v0.2d,v25.2d // "T1 + H + K512[i]" +.inst 0xce6680a0 //sha512h v0.16b,v5.16b,v6.16b + rev64 v23.16b,v23.16b + add v2.2d,v4.2d,v0.2d // "D + T1" +.inst 0xce618480 //sha512h2 v0.16b,v4.16b,v1.16b + add v0.2d,v0.2d,v26.2d // accumulate + add v1.2d,v1.2d,v27.2d + add v2.2d,v2.2d,v28.2d + add v3.2d,v3.2d,v29.2d + + cbnz x2,.Loop_hw + + st1 {v0.2d,v1.2d,v2.2d,v3.2d},[x0] // store context + + ldr x29,[sp],#16 + ret +.size sha512_block_armv8,.-sha512_block_armv8 +#endif #endif #endif // !OPENSSL_NO_ASM .section .note.GNU-stack,"",%progbits diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.linux.x86_64.S index 243a34b7..d67987af 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.linux.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.mac.x86_64.S index ffbd310a..56e219e7 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/sha512-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.ios.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.ios.aarch64.S index 2e7f9ad1..85961276 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.ios.aarch64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.ios.aarch64.S @@ -1101,8 +1101,8 @@ Lcbc_enc_loop: st1 {v0.16b}, [x4] // write ivec ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER Lcbc_abort: + AARCH64_VALIDATE_LINK_REGISTER ret diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.linux.aarch64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.linux.aarch64.S index b00b5878..e82f5a2b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.linux.aarch64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-armv8.linux.aarch64.S @@ -1102,8 +1102,8 @@ vpaes_cbc_encrypt: st1 {v0.16b}, [x4] // write ivec ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER .Lcbc_abort: + AARCH64_VALIDATE_LINK_REGISTER ret .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.linux.x86.S index 0e61190e..a0418789 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.windows.x86.S index bd78a885..b7a5720b 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.linux.x86_64.S index b58c8a24..2f6a19bc 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.linux.x86_64.S 
+++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.mac.x86_64.S index 6d58ee13..9c503cc3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/vpaes-x86_64.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.linux.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.linux.x86.S index fc4e93b9..48e60d79 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.linux.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.linux.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.windows.x86.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.windows.x86.S index 9290ad4d..bdae84e9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.windows.x86.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86-mont.windows.x86.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__i386__) && defined(_WIN32) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__i386__) #if defined(BORINGSSL_PREFIX) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.linux.x86_64.S index ccbd05e5..25e79c7c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.mac.x86_64.S index 2bc0d141..c358fca8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont.mac.x86_64.S 
@@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.linux.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.linux.x86_64.S index f002edd3..090e0db3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.linux.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.linux.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__linux__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) diff --git a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.mac.x86_64.S b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.mac.x86_64.S index 132948f0..747c0243 100644 --- a/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.mac.x86_64.S +++ b/Sources/CJWTKitBoringSSL/crypto/fipsmodule/x86_64-mont5.mac.x86_64.S @@ -1,7 +1,7 @@ #define BORINGSSL_PREFIX CJWTKitBoringSSL #if defined(__x86_64__) && defined(__APPLE__) -# This file is generated from a similarly-named Perl script in the BoringSSL -# source tree. Do not edit by hand. +// This file is generated from a similarly-named Perl script in the BoringSSL +// source tree. Do not edit by hand. #if defined(__has_feature) #if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) 
diff --git a/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c b/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c
index 92725f50..7d42df3e 100644
--- a/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c
+++ b/Sources/CJWTKitBoringSSL/crypto/hpke/hpke.c
@@ -30,7 +30,7 @@
 #include "../internal.h"
-// This file implements draft-irtf-cfrg-hpke-08.
+// This file implements RFC 9180.
 #define MAX_SEED_LEN X25519_PRIVATE_KEY_LEN
 #define MAX_SHARED_SECRET_LEN SHA256_DIGEST_LENGTH
@@ -115,7 +115,7 @@ static int hpke_labeled_expand(const EVP_MD *hkdf_md, uint8_t *out_key,
 // KEM implementations.
 // dhkem_extract_and_expand implements the ExtractAndExpand operation in the
-// DHKEM construction. See section 4.1 of draft-irtf-cfrg-hpke-08.
+// DHKEM construction. See section 4.1 of RFC 9180.
 static int dhkem_extract_and_expand(uint16_t kem_id, const EVP_MD *hkdf_md,
 uint8_t *out_key, size_t out_len,
 const uint8_t *dh, size_t dh_len,
diff --git a/Sources/CJWTKitBoringSSL/crypto/hrss/hrss.c b/Sources/CJWTKitBoringSSL/crypto/hrss/hrss.c
index b28b620a..746fba79 100644
--- a/Sources/CJWTKitBoringSSL/crypto/hrss/hrss.c
+++ b/Sources/CJWTKitBoringSSL/crypto/hrss/hrss.c
@@ -20,7 +20,6 @@
 #include
 #include
-#include
 #include
 #include
 #include
@@ -39,8 +38,7 @@
 #include
 #endif
-#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \
- (defined(__ARM_NEON__) || defined(__ARM_NEON))
+#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && defined(__ARM_NEON)
 #include
 #endif
@@ -190,8 +188,7 @@ static inline vec_t vec_broadcast_bit(vec_t a) {
 // compiler requires that |i| be a compile-time constant.)
 #define vec_get_word(v, i) _mm_extract_epi16(v, i)
-#elif (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \
- (defined(__ARM_NEON__) || defined(__ARM_NEON))
+#elif (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && defined(__ARM_NEON)
 #define HRSS_HAVE_VECTOR_UNIT
 typedef uint16x8_t vec_t;
@@ -930,6 +927,20 @@ struct poly {
 #endif
 };
+// poly_normalize zeros out the excess elements of |x| which are included only
+// for alignment.
+static void poly_normalize(struct poly *x) {
+ OPENSSL_memset(&x->v[N], 0, 3 * sizeof(uint16_t));
+}
+
+// poly_assert_normalized asserts that the excess elements of |x| are zeroed out
+// for the cases that case. (E.g. |poly_mul_vec|.)
+static void poly_assert_normalized(const struct poly *x) {
+ assert(x->v[N] == 0);
+ assert(x->v[N + 1] == 0);
+ assert(x->v[N + 2] == 0);
+}
+
 OPENSSL_UNUSED static void poly_print(const struct poly *p) {
 printf("[");
 for (unsigned i = 0; i < N; i++) {
@@ -1216,13 +1227,12 @@ static void poly_mul_vec_aux(vec_t *restrict out, vec_t *restrict scratch,
 // poly_mul_vec sets |*out| to |x|×|y| mod (𝑥^n - 1).
 static void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out,
 const struct poly *x, const struct poly *y) {
- OPENSSL_memset((uint16_t *)&x->v[N], 0, 3 * sizeof(uint16_t));
- OPENSSL_memset((uint16_t *)&y->v[N], 0, 3 * sizeof(uint16_t));
-
 OPENSSL_STATIC_ASSERT(sizeof(out->v) == sizeof(vec_t) * VECS_PER_POLY,
 "struct poly is the wrong size");
 OPENSSL_STATIC_ASSERT(alignof(struct poly) == alignof(vec_t),
 "struct poly has incorrect alignment");
+ poly_assert_normalized(x);
+ poly_assert_normalized(y);
 vec_t *const prod = scratch->u.vec.prod;
 vec_t *const aux_scratch = scratch->u.vec.scratch;
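Review bot: poly_mul_vec now only asserts that the padding elements v[N..N+2] of |x| and |y| are zero, where the removed lines zeroed them unconditionally; under NDEBUG the asserts compile to nothing, so a producer that skips poly_normalize feeds unzeroed padding into the vector multiply with no check at all. Since the invariant is load-bearing in release builds, state it at the call site rather than leaving it implied by the assert, e.g. `// |x| and |y| must be normalized (see poly_normalize): the padding elements appear to be consumed by the vector code (hence the old memsets) and this is only checked in debug builds.` The comment on poly_assert_normalized reads `for the cases that case`, which looks like a typo for `for the cases that care`. poly_mul_vec continues past the end of the hunk.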
@@ -1318,22 +1328,24 @@ static void poly_mul_novec(struct POLY_MUL_SCRATCH *scratch, struct poly *out,
 static void poly_mul(struct POLY_MUL_SCRATCH *scratch, struct poly *r,
 const struct poly *a, const struct poly *b) {
 #if defined(POLY_RQ_MUL_ASM)
- const int has_avx2 = (OPENSSL_ia32cap_P[2] & (1 << 5)) != 0;
- if (has_avx2) {
+ if (CRYPTO_is_AVX2_capable()) {
 poly_Rq_mul(r->v, a->v, b->v, scratch->u.rq);
- return;
- }
+ poly_normalize(r);
+ } else
 #endif
 #if defined(HRSS_HAVE_VECTOR_UNIT)
 if (vec_capable()) {
 poly_mul_vec(scratch, r, a, b);
- return;
- }
+ } else
 #endif
 // Fallback, non-vector case.
- poly_mul_novec(scratch, r, a, b);
+ {
+ poly_mul_novec(scratch, r, a, b);
+ }
+
+ poly_assert_normalized(r);
 }
 // poly_mul_x_minus_1 sets |p| to |p|×(𝑥 - 1) mod (𝑥^n - 1).
@@ -1498,6 +1510,8 @@ static void poly_from_poly2(struct poly *out, const struct poly2 *in) {
 shift = 0;
 }
 }
+
+ poly_normalize(out);
 }
 static void poly_from_poly3(struct poly *out, const struct poly3 *in) {
@@ -1522,6 +1536,8 @@ static void poly_from_poly3(struct poly *out, const struct poly3 *in) {
 shift = 0;
 }
 }
+
+ poly_normalize(out);
 }
 // Polynomial inversion
@@ -1575,6 +1591,7 @@ static void poly_invert_mod2(struct poly *out, const struct poly *in) {
 assert(f.v[0] & 1);
 poly2_reverse_700(&v, &v);
 poly_from_poly2(out, &v);
+ poly_assert_normalized(out);
 }
 // poly_invert sets |*out| to |in^-1| (i.e. such that |*out|×|in| = 1 mod Φ(N)).
@@ -1588,6 +1605,7 @@ static void poly_invert(struct POLY_MUL_SCRATCH *scratch, struct poly *out,
 for (unsigned i = 0; i < N; i++) {
 a.v[i] = -in->v[i];
 }
+ poly_normalize(&a);
 // b = in^-1 mod 2.
 b = out;
@@ -1600,6 +1618,8 @@ static void poly_invert(struct POLY_MUL_SCRATCH *scratch, struct poly *out,
 tmp.v[0] += 2;
 poly_mul(scratch, b, b, &tmp);
 }
+
+ poly_assert_normalized(out);
 }
 // Marshal and unmarshal functions for various basic types.
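Review bot: In poly_mul, the `} else` left dangling before each `#endif` makes the brace structure of the fallback block depend on which of POLY_RQ_MUL_ASM and HRSS_HAVE_VECTOR_UNIT are defined; it is well-formed for every combination, but it reads as a syntax error until the `#if`s are worked through. A comment above the first `#if`, such as `// Each #if branch ends in a dangling else so that exactly one of the three implementations runs.`, would spare the next reader that exercise. Note also that only the assembly path calls poly_normalize(r) explicitly, so the vector and scalar paths are being trusted to leave the padding zero, and the trailing poly_assert_normalized verifies that in debug builds only.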
@@ -1689,6 +1709,7 @@ static int poly_unmarshal(struct poly *out, const uint8_t in[POLY_BYTES]) {
 }
 out->v[N - 1] = (uint16_t)(0u - sum);
+ poly_normalize(out);
 return 1;
 }
@@ -1740,6 +1761,7 @@ static void poly_short_sample(struct poly *out,
 out->v[i] = v;
 }
 out->v[N - 1] = 0;
+ poly_normalize(out);
 }
 // poly_short_sample_plus performs the T+ sample as defined in [HRSSNIST],
@@ -1762,6 +1784,7 @@ static void poly_short_sample_plus(struct poly *out,
 for (unsigned i = 0; i < N; i += 2) {
 out->v[i] = (unsigned) out->v[i] * scale;
 }
+ poly_assert_normalized(out);
 }
 // poly_lift computes the function discussed in [HRSS], appendix B.
@@ -1877,6 +1900,7 @@ static void poly_lift(struct poly *out, const struct poly *a) {
 }
 poly_mul_x_minus_1(out);
+ poly_normalize(out);
 }
 struct public_key {
@@ -1956,6 +1980,10 @@ int HRSS_generate_key(
 return 0;
 }
+#if !defined(NDEBUG)
+ OPENSSL_memset(vars, 0xff, sizeof(struct vars));
+#endif
+
 OPENSSL_memcpy(priv->hmac_key, in + 2 * HRSS_SAMPLE_BYTES,
 sizeof(priv->hmac_key));
@@ -2015,6 +2043,10 @@ int HRSS_encap(uint8_t out_ciphertext[POLY_BYTES], uint8_t out_shared_key[32],
 return 0;
 }
+#if !defined(NDEBUG)
+ OPENSSL_memset(vars, 0xff, sizeof(struct vars));
+#endif
+
 poly_short_sample(&vars->m, in);
 poly_short_sample(&vars->r, in + HRSS_SAMPLE_BYTES);
 poly_lift(&vars->m_lifted, &vars->m);
@@ -2072,6 +2104,10 @@ int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES],
 return 0;
 }
+#if !defined(NDEBUG)
+ OPENSSL_memset(vars, 0xff, sizeof(struct vars));
+#endif
+
 // This is HMAC, expanded inline rather than using the |HMAC| function so that
 // we can avoid dealing with possible allocation failures and so keep this
 // function infallible.
@@ -2122,6 +2158,7 @@ int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES],
 for (unsigned i = 0; i < N; i++) {
 vars->r.v[i] = vars->c.v[i] - vars->m_lifted.v[i];
 }
+ poly_normalize(&vars->r);
 poly_mul(&vars->scratch, &vars->r, &vars->r, &priv->ph_inverse);
 poly_mod_phiN(&vars->r);
 poly_clamp(&vars->r);
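Review bot: The `OPENSSL_memset(vars, 0xff, sizeof(struct vars))` under `#if !defined(NDEBUG)` in HRSS_generate_key, HRSS_encap and HRSS_decap carries no explanation; it appears intended to poison the scratch area so that any poly whose padding was not cleared by poly_normalize trips poly_assert_normalized, and without a comment it invites removal as a stray debug memset. Suggest `// Debug builds: poison |vars| so that un-normalized padding is caught by poly_assert_normalized instead of depending on whatever the allocator left there.` above each instance. It also means debug and release builds take different paths through |vars|, which is worth stating next to the define. HRSS_decap's body continues past the end of the hunk.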
diff --git a/Sources/CJWTKitBoringSSL/crypto/internal.h b/Sources/CJWTKitBoringSSL/crypto/internal.h
index d63a9096..d1c75689 100644
--- a/Sources/CJWTKitBoringSSL/crypto/internal.h
+++ b/Sources/CJWTKitBoringSSL/crypto/internal.h
@@ -121,11 +121,23 @@
 #include
 #endif
+#if defined(BORINGSSL_FIPS_BREAK_TESTS)
+#include
+#endif
+
 #if !defined(__cplusplus)
-#if defined(_MSC_VER)
+#if defined(_MSC_VER) && !defined(__clang__)
 #define alignas(x) __declspec(align(x))
 #define alignof __alignof
 #else
+// With the exception of MSVC, we require C11 to build the library. C11 is a
+// prerequisite for improved refcounting performance. All our supported C
+// compilers have long implemented C11 and made it default. The most likely
+// cause of pre-C11 modes is stale -std=c99 or -std=gnu99 flags in build
+// configuration. Such flags can be removed.
+#if __STDC_VERSION__ < 201112L
+#error "BoringSSL must be built in C11 mode or higher."
+#endif
 #include
 #endif
 #endif
@@ -889,23 +901,105 @@ static inline void CRYPTO_store_word_le(void *out, crypto_word_t v) {
 OPENSSL_memcpy(out, &v, sizeof(v));
 }
+static inline crypto_word_t CRYPTO_load_word_be(const void *in) {
+ crypto_word_t v;
+ OPENSSL_memcpy(&v, in, sizeof(v));
+#if defined(OPENSSL_64_BIT)
+ static_assert(sizeof(v) == 8, "crypto_word_t has unexpected size");
+ return CRYPTO_bswap8(v);
+#else
+ static_assert(sizeof(v) == 4, "crypto_word_t has unexpected size");
+ return CRYPTO_bswap4(v);
+#endif
+}
+
+
+// Bit rotation functions.
+//
+// Note these functions use |(-shift) & 31|, etc., because shifting by the bit
+// width is undefined. Both Clang and GCC recognize this pattern as a rotation,
+// but MSVC does not. Instead, we call MSVC's built-in functions.
+
+static inline uint32_t CRYPTO_rotl_u32(uint32_t value, int shift) {
+#if defined(_MSC_VER)
+ return _rotl(value, shift);
+#else
+ return (value << shift) | (value >> ((-shift) & 31));
+#endif
+}
+
+static inline uint32_t CRYPTO_rotr_u32(uint32_t value, int shift) {
+#if defined(_MSC_VER)
+ return _rotr(value, shift);
+#else
+ return (value >> shift) | (value << ((-shift) & 31));
+#endif
+}
+
+static inline uint64_t CRYPTO_rotl_u64(uint64_t value, int shift) {
+#if defined(_MSC_VER)
+ return _rotl64(value, shift);
+#else
+ return (value << shift) | (value >> ((-shift) & 63));
+#endif
+}
+
+static inline uint64_t CRYPTO_rotr_u64(uint64_t value, int shift) {
+#if defined(_MSC_VER)
+ return _rotr64(value, shift);
+#else
+ return (value >> shift) | (value << ((-shift) & 63));
+#endif
+}
+
 // FIPS functions.
 #if defined(BORINGSSL_FIPS)
+
 // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test
 // fails. It prevents any further cryptographic operations by the current
 // process.
 void BORINGSSL_FIPS_abort(void) __attribute__((noreturn));
-#endif
-// boringssl_fips_self_test runs the FIPS KAT-based self tests. It returns one
-// on success and zero on error. The argument is the integrity hash of the FIPS
-// module and may be used to check and write flag files to suppress duplicate
-// self-tests. If |module_hash_len| is zero then no flag file will be checked
-// nor written and tests will always be run.
-int boringssl_fips_self_test(const uint8_t *module_hash,
- size_t module_hash_len);
+// boringssl_self_test_startup runs all startup self tests and returns one on
+// success or zero on error. Startup self tests do not include lazy tests.
+// Call |BORINGSSL_self_test| to run every self test.
+int boringssl_self_test_startup(void);
+
+// boringssl_ensure_rsa_self_test checks whether the RSA self-test has been run
+// in this address space. If not, it runs it and crashes the address space if
+// unsuccessful.
+void boringssl_ensure_rsa_self_test(void);
+
+// boringssl_ensure_ecc_self_test checks whether the ECDSA and ECDH self-test
+// has been run in this address space. If not, it runs it and crashes the
+// address space if unsuccessful.
+void boringssl_ensure_ecc_self_test(void);
+
+// boringssl_ensure_ffdh_self_test checks whether the FFDH self-test has been
+// run in this address space. If not, it runs it and crashes the address space
+// if unsuccessful.
+void boringssl_ensure_ffdh_self_test(void);
+
+#else
+
+// Outside of FIPS mode, the lazy tests are no-ops.
+
+OPENSSL_INLINE void boringssl_ensure_rsa_self_test(void) {}
+OPENSSL_INLINE void boringssl_ensure_ecc_self_test(void) {}
+OPENSSL_INLINE void boringssl_ensure_ffdh_self_test(void) {}
+
+#endif // FIPS
+
+// boringssl_self_test_sha256 performs a SHA-256 KAT.
+int boringssl_self_test_sha256(void);
+
+// boringssl_self_test_sha512 performs a SHA-512 KAT.
+int boringssl_self_test_sha512(void);
+
+// boringssl_self_test_hmac_sha256 performs an HMAC-SHA-256 KAT.
+int boringssl_self_test_hmac_sha256(void);
 #if defined(BORINGSSL_FIPS_COUNTERS)
 void boringssl_fips_inc_counter(enum fips_counter_t counter);
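Review bot: The four CRYPTO_rotl/rotr helpers mask only the complementary shift with `(-shift) & 31` (or `& 63`); the primary `value << shift` / `value >> shift` is still undefined when |shift| is negative or not below the bit width, and `_rotl`/`_rotr` on the MSVC path take the count unmasked as well. Document the precondition in the block comment rather than leaving it implied, e.g. `// |shift| must be in [0, 32) for the 32-bit variants and [0, 64) for the 64-bit ones; only the complementary shift is masked.` For shift == 0 the non-MSVC expression reduces to `value | (value >> 0)`, which is well-defined, so the lower bound is inclusive as written.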
@@ -913,6 +1007,260 @@ void boringssl_fips_inc_counter(enum fips_counter_t counter);
 OPENSSL_INLINE void boringssl_fips_inc_counter(enum fips_counter_t counter) {}
 #endif
+#if defined(BORINGSSL_FIPS_BREAK_TESTS)
+OPENSSL_INLINE int boringssl_fips_break_test(const char *test) {
+ const char *const value = getenv("BORINGSSL_FIPS_BREAK_TEST");
+ return value != NULL && strcmp(value, test) == 0;
+}
+#else
+OPENSSL_INLINE int boringssl_fips_break_test(const char *test) {
+ return 0;
+}
+#endif // BORINGSSL_FIPS_BREAK_TESTS
+
+
+// Runtime CPU feature support
+
+#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64)
+// OPENSSL_ia32cap_P contains the Intel CPUID bits when running on an x86 or
+// x86-64 system.
+//
+// Index 0:
+// EDX for CPUID where EAX = 1
+// Bit 20 is always zero
+// Bit 28 is adjusted to reflect whether the data cache is shared between
+// multiple logical cores
+// Bit 30 is used to indicate an Intel CPU
+// Index 1:
+// ECX for CPUID where EAX = 1
+// Bit 11 is used to indicate AMD XOP support, not SDBG
+// Index 2:
+// EBX for CPUID where EAX = 7
+// Index 3:
+// ECX for CPUID where EAX = 7
+//
+// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM
+// bits in XCR0, so it is not necessary to check those.
+extern uint32_t OPENSSL_ia32cap_P[4];
+
+#if defined(BORINGSSL_FIPS) && !defined(BORINGSSL_SHARED_LIBRARY)
+// The FIPS module, as a static library, requires an out-of-line version of
+// |OPENSSL_ia32cap_get| so accesses can be rewritten by delocate. Mark the
+// function const so multiple accesses can be optimized together.
+const uint32_t *OPENSSL_ia32cap_get(void) __attribute__((const));
+#else
+OPENSSL_INLINE const uint32_t *OPENSSL_ia32cap_get(void) {
+ return OPENSSL_ia32cap_P;
+}
+#endif
+
+// See Intel manual, volume 2A, table 3-11.
+
+OPENSSL_INLINE int CRYPTO_is_FXSR_capable(void) {
+#if defined(__FXSR__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[0] & (1 << 24)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_intel_cpu(void) {
+ // The reserved bit 30 is used to indicate an Intel CPU.
+ return (OPENSSL_ia32cap_get()[0] & (1 << 30)) != 0;
+}
+
+// See Intel manual, volume 2A, table 3-10.
+
+OPENSSL_INLINE int CRYPTO_is_PCLMUL_capable(void) {
+#if defined(__PCLMUL__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[1] & (1 << 1)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_SSSE3_capable(void) {
+#if defined(__SSSE3__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[1] & (1 << 9)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_SSE4_1_capable(void) {
+#if defined(__SSE4_1__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_MOVBE_capable(void) {
+#if defined(__MOVBE__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[1] & (1 << 22)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_AESNI_capable(void) {
+#if defined(__AES__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[1] & (1 << 25)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_AVX_capable(void) {
+#if defined(__AVX__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[1] & (1 << 28)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_RDRAND_capable(void) {
+ // The GCC/Clang feature name and preprocessor symbol for RDRAND are "rdrnd"
+ // and |__RDRND__|, respectively.
+#if defined(__RDRND__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0;
+#endif
+}
+
+// See Intel manual, volume 2A, table 3-8.
+
+OPENSSL_INLINE int CRYPTO_is_BMI1_capable(void) {
+#if defined(__BMI1__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[2] & (1 << 3)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_AVX2_capable(void) {
+#if defined(__AVX2__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[2] & (1 << 5)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_BMI2_capable(void) {
+#if defined(__BMI2__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[2] & (1 << 8)) != 0;
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) {
+#if defined(__ADX__)
+ return 1;
+#else
+ return (OPENSSL_ia32cap_get()[2] & (1 << 19)) != 0;
+#endif
+}
+
+#endif // OPENSSL_X86 || OPENSSL_X86_64
+
+#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
+
+#if defined(OPENSSL_APPLE) && defined(OPENSSL_ARM)
+// We do not detect any features at runtime for Apple's 32-bit ARM platforms. On
+// 64-bit ARM, we detect some post-ARMv8.0 features.
+#define OPENSSL_STATIC_ARMCAP
+#endif
+
+// Normalize some older feature flags to their modern ACLE values.
+// https://developer.arm.com/architectures/system-architectures/software-standards/acle
+#if defined(__ARM_NEON__) && !defined(__ARM_NEON)
+#define __ARM_NEON 1
+#endif
+#if defined(__ARM_FEATURE_CRYPTO)
+#if !defined(__ARM_FEATURE_AES)
+#define __ARM_FEATURE_AES 1
+#endif
+#if !defined(__ARM_FEATURE_SHA2)
+#define __ARM_FEATURE_SHA2 1
+#endif
+#endif
+
+#if !defined(OPENSSL_STATIC_ARMCAP)
+// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON
+// unit. Note that |OPENSSL_armcap_P| also exists and contains the same
+// information in a form that's easier for assembly to use.
+OPENSSL_EXPORT int CRYPTO_is_NEON_capable_at_runtime(void);
+
+// CRYPTO_is_ARMv8_AES_capable_at_runtime returns true if the current CPU
+// supports the ARMv8 AES instruction.
+int CRYPTO_is_ARMv8_AES_capable_at_runtime(void);
+
+// CRYPTO_is_ARMv8_PMULL_capable_at_runtime returns true if the current CPU
+// supports the ARMv8 PMULL instruction.
+int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void);
+#endif // !OPENSSL_STATIC_ARMCAP
+
+// CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If
+// this is known statically, it is a constant inline function.
+OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) {
+#if defined(OPENSSL_STATIC_ARMCAP_NEON) || defined(__ARM_NEON)
+ return 1;
+#elif defined(OPENSSL_STATIC_ARMCAP)
+ return 0;
+#else
+ return CRYPTO_is_NEON_capable_at_runtime();
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_ARMv8_AES_capable(void) {
+#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_AES)
+ return 1;
+#elif defined(OPENSSL_STATIC_ARMCAP)
+ return 0;
+#else
+ return CRYPTO_is_ARMv8_AES_capable_at_runtime();
+#endif
+}
+
+OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) {
+#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_AES)
+ return 1;
+#elif defined(OPENSSL_STATIC_ARMCAP)
+ return 0;
+#else
+ return CRYPTO_is_ARMv8_PMULL_capable_at_runtime();
+#endif
+}
+
+#endif // OPENSSL_ARM || OPENSSL_AARCH64
+
+#if defined(OPENSSL_PPC64LE)
+
+// CRYPTO_is_PPC64LE_vcrypto_capable returns true iff the current CPU supports
+// the Vector.AES category of instructions.
+int CRYPTO_is_PPC64LE_vcrypto_capable(void);
+
+extern unsigned long OPENSSL_ppc64le_hwcap2;
+
+#endif // OPENSSL_PPC64LE
+
+#if defined(BORINGSSL_DISPATCH_TEST)
+// Runtime CPU dispatch testing support
+
+// BORINGSSL_function_hit is an array of flags. The following functions will
+// set these flags if BORINGSSL_DISPATCH_TEST is defined.
+// 0: aes_hw_ctr32_encrypt_blocks
+// 1: aes_hw_encrypt
+// 2: aesni_gcm_encrypt
+// 3: aes_hw_set_encrypt_key
+// 4: vpaes_encrypt
+// 5: vpaes_set_encrypt_key
+extern uint8_t BORINGSSL_function_hit[7];
+#endif // BORINGSSL_DISPATCH_TEST
+
+
 #if defined(__cplusplus)
 } // extern C
 #endif
diff --git a/Sources/CJWTKitBoringSSL/crypto/mem.c b/Sources/CJWTKitBoringSSL/crypto/mem.c
index 42e03688..d3f19567 100644
--- a/Sources/CJWTKitBoringSSL/crypto/mem.c
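Review bot: CRYPTO_is_SSE4_1_capable reads `OPENSSL_ia32cap_P[1]` directly while every neighbouring helper goes through `OPENSSL_ia32cap_get()`; the comment on OPENSSL_ia32cap_get says the static FIPS build needs the out-of-line accessor so delocate can rewrite the access, so this one helper bypasses that mechanism. Change it to `return (OPENSSL_ia32cap_get()[1] & (1 << 19)) != 0;` to match its siblings. Separately, boringssl_fips_break_test lets the BORINGSSL_FIPS_BREAK_TEST environment variable steer self-test outcomes; it is compiled in only under BORINGSSL_FIPS_BREAK_TESTS, and a comment such as `// Test-only hook: BORINGSSL_FIPS_BREAK_TESTS must never be defined in a shipping build.` next to that `#if` would make the constraint explicit.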
+++ b/Sources/CJWTKitBoringSSL/crypto/mem.c
@@ -93,19 +93,15 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {}
 #define WEAK_SYMBOL_FUNC(rettype, name, args) static rettype(*name) args = NULL;
 #endif
-#if defined(BORINGSSL_SDALLOCX)
 // sdallocx is a sized |free| function. By passing the size (which we happen to
-// always know in BoringSSL), the malloc implementation can save work.
+// always know in BoringSSL), the malloc implementation can save work. We cannot
+// depend on |sdallocx| being available, however, so it's a weak symbol.
 //
-// This is guarded by BORINGSSL_SDALLOCX, rather than being a weak symbol,
-// because it can work poorly if there are two malloc implementations in the
-// address space. (Which probably isn't valid, ODR etc, but
-// https://github.com/grpc/grpc/issues/25450). In that situation, |malloc| can
-// come from one allocator but |sdallocx| from another and crashes quickly
-// result. We can't match |sdallocx| with |mallocx| because tcmalloc only
-// provides the former, so a mismatch can still happen.
-void sdallocx(void *ptr, size_t size, int flags);
-#endif
+// This will always be safe, but will only be overridden if the malloc
+// implementation is statically linked with BoringSSL. So, if |sdallocx| is
+// provided in, say, libc.so, we still won't use it because that's dynamically
+// linked. This isn't an ideal result, but its helps in some cases.
+WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags));
 // The following three functions can be defined to override default heap
 // allocation and freeing. If defined, it is the responsibility of
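Review bot: The new comment on the weak `sdallocx` drops the removed text's warning that `malloc` and `sdallocx` can resolve to two different allocators in one address space (the grpc issue it cited), yet making the symbol weak does not remove that failure mode: if BoringSSL's `malloc` comes from libc while a statically linked allocator provides `sdallocx`, OPENSSL_free hands a libc pointer to the other allocator. Keep a sentence about it, e.g. `// This assumes a single allocator per address space; if |malloc| and |sdallocx| resolve to different allocators the sized free is memory-unsafe.` The claim that a libc.so-provided `sdallocx` will not be used depends on how the toolchain resolves undefined weak references, so it is worth hedging in the comment rather than stating as fact.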
@@ -129,6 +125,16 @@ WEAK_SYMBOL_FUNC(void*, OPENSSL_memory_alloc, (size_t size));
 WEAK_SYMBOL_FUNC(void, OPENSSL_memory_free, (void *ptr));
 WEAK_SYMBOL_FUNC(size_t, OPENSSL_memory_get_size, (void *ptr));
+// kBoringSSLBinaryTag is a distinctive byte sequence to identify binaries that
+// are linking in BoringSSL and, roughly, what version they are using.
+static const uint8_t kBoringSSLBinaryTag[18] = {
+ // 16 bytes of magic tag.
+ 0x8c, 0x62, 0x20, 0x0b, 0xd2, 0xa0, 0x72, 0x58,
+ 0x44, 0xa8, 0x96, 0x69, 0xad, 0x55, 0x7e, 0xec,
+ // Current source iteration. Incremented ~monthly.
+ 3, 0,
+};
+
 void *OPENSSL_malloc(size_t size) {
 if (OPENSSL_memory_alloc != NULL) {
 assert(OPENSSL_memory_free != NULL);
@@ -137,6 +143,14 @@ void *OPENSSL_malloc(size_t size) {
 }
 if (size + OPENSSL_MALLOC_PREFIX < size) {
+ // |OPENSSL_malloc| is a central function in BoringSSL thus a reference to
+ // |kBoringSSLBinaryTag| is created here so that the tag isn't discarded by
+ // the linker. The following is sufficient to stop GCC, Clang, and MSVC
+ // optimising away the reference at the time of writing. Since this
+ // probably results in an actual memory reference, it is put in this very
+ // rare code path.
+ uint8_t unused = *(volatile uint8_t *)kBoringSSLBinaryTag;
+ (void) unused;
 return NULL;
 }
@@ -166,10 +180,16 @@ void OPENSSL_free(void *orig_ptr) {
 size_t size = *(size_t *)ptr;
 OPENSSL_cleanse(ptr, size + OPENSSL_MALLOC_PREFIX);
-#if defined(BORINGSSL_SDALLOCX)
- sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
-#else
+
+// ASan knows to intercept malloc and free, but not sdallocx.
+#if defined(OPENSSL_ASAN)
 free(ptr);
+#else
+ if (sdallocx) {
+ sdallocx(ptr, size + OPENSSL_MALLOC_PREFIX, 0 /* flags */);
+ } else {
+ free(ptr);
+ }
 #endif
 }
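Review bot: The sanitizer carve-out in OPENSSL_free is limited to `OPENSSL_ASAN`, but MSan and TSan also substitute their own `malloc`/`free` and, like ASan, have no `sdallocx` interceptor, so if a weak `sdallocx` were ever resolved in one of those builds the sized free would bypass the sanitizer allocator. Either widen the condition to the corresponding macros, if the build defines them as it does OPENSSL_ASAN, e.g. `#if defined(OPENSSL_ASAN) || defined(OPENSSL_MSAN) || defined(OPENSSL_TSAN)`, or add a comment saying why those builds cannot link an allocator that provides `sdallocx`. The length handed to `sdallocx` is the same `size + OPENSSL_MALLOC_PREFIX` the removed BORINGSSL_SDALLOCX path passed, so the size invariant itself appears unchanged.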
@@ -328,22 +348,15 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) { } char *OPENSSL_strndup(const char *str, size_t size) { - char *ret; - size_t alloc_size; - - if (str == NULL) { - return NULL; - } - size = OPENSSL_strnlen(str, size); - alloc_size = size + 1; + size_t alloc_size = size + 1; if (alloc_size < size) { // overflow OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE); return NULL; } - ret = OPENSSL_malloc(alloc_size); + char *ret = OPENSSL_malloc(alloc_size); if (ret == NULL) { OPENSSL_PUT_ERROR(CRYPTO, ERR_R_MALLOC_FAILURE); return NULL; @@ -391,3 +404,13 @@ void *OPENSSL_memdup(const void *data, size_t size) { OPENSSL_memcpy(ret, data, size); return ret; } + +void *CRYPTO_malloc(size_t size, const char *file, int line) { + return OPENSSL_malloc(size); +} + +void *CRYPTO_realloc(void *ptr, size_t new_size, const char *file, int line) { + return OPENSSL_realloc(ptr, new_size); +} + +void CRYPTO_free(void *ptr, const char *file, int line) { OPENSSL_free(ptr); } diff --git a/Sources/CJWTKitBoringSSL/crypto/pem/pem_all.c b/Sources/CJWTKitBoringSSL/crypto/pem/pem_all.c index eda0c0d9..baf9525d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pem/pem_all.c +++ b/Sources/CJWTKitBoringSSL/crypto/pem/pem_all.c @@ -200,7 +200,7 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb, IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) - IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) +IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u) { EVP_PKEY *pktmp; 
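Review bot: OPENSSL_strndup no longer returns NULL for a NULL `str`; the retained `size = OPENSSL_strnlen(str, size);` line will read through the pointer for any nonzero `size`, so a caller that relied on the old check now dereferences NULL. If the intent is to match strndup(3), whose argument must be a valid string, that precondition belongs in the public header comment for OPENSSL_strndup (outside this hunk); otherwise keep a guard, `if (str == NULL) { return NULL; }`, before the strnlen call. The new `CRYPTO_malloc`/`CRYPTO_realloc`/`CRYPTO_free` wrappers in the following hunk ignore `file` and `line`; a comment stating they exist for OpenSSL source compatibility would explain the unused parameters.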
@@ -237,7 +237,7 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb, IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) - IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) +IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb, void *u) { @@ -247,6 +247,6 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb, } -IMPLEMENT_PEM_write_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams) +IMPLEMENT_PEM_rw_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams) - IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) +IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY) diff --git a/Sources/CJWTKitBoringSSL/crypto/pem/pem_pkey.c b/Sources/CJWTKitBoringSSL/crypto/pem/pem_pkey.c index 7355fe45..54551e74 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pem/pem_pkey.c +++ b/Sources/CJWTKitBoringSSL/crypto/pem/pem_pkey.c @@ -176,39 +176,3 @@ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, BIO_free(b); return ret; } - - -/* Transparently read in PKCS#3 or X9.42 DH parameters */ - -DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) -{ - char *nm = NULL; - const unsigned char *p = NULL; - unsigned char *data = NULL; - long len; - DH *ret = NULL; - - if (!PEM_bytes_read_bio(&data, &len, &nm, PEM_STRING_DHPARAMS, bp, cb, u)) - return NULL; - p = data; - - ret = d2i_DHparams(x, &p, len); - - if (ret == NULL) - OPENSSL_PUT_ERROR(PEM, ERR_R_ASN1_LIB); - OPENSSL_free(nm); - OPENSSL_free(data); - return ret; -} - -DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u) -{ - BIO *b = BIO_new_fp(fp, BIO_NOCLOSE); - if (b == NULL) { - OPENSSL_PUT_ERROR(PEM, ERR_R_BUF_LIB); - return NULL; - } - DH *ret = PEM_read_bio_DHparams(b, x, cb, u); - BIO_free(b); - return ret; -} 
diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs7/internal.h b/Sources/CJWTKitBoringSSL/crypto/pkcs7/internal.h index 823d5af1..03b78d38 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs7/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs7/internal.h @@ -32,14 +32,23 @@ extern "C" { // NULL. int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs); -// pkcs7_bundle writes a PKCS#7, SignedData structure to |out| and then calls -// |cb| with a CBB to which certificate or CRL data can be written, and the -// opaque context pointer, |arg|. The callback can return zero to indicate an -// error. +// pkcs7_add_signed_data writes a PKCS#7, SignedData structure to |out|. While +// doing so it makes callbacks to let the caller fill in parts of the structure. +// All callbacks are ignored if NULL and return one on success or zero on error. // -// pkcs7_bundle returns one on success or zero on error. -int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg), - const void *arg); +// digest_algos_cb: may write AlgorithmIdentifiers into the given CBB, which +// is a SET of digest algorithms. +// cert_crl_cb: may write the |certificates| or |crls| fields. +// (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1) +// signer_infos_cb: may write the contents of the |signerInfos| field. +// (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1) +// +// pkcs7_add_signed_data returns one on success or zero on error. +int pkcs7_add_signed_data(CBB *out, + int (*digest_algos_cb)(CBB *out, const void *arg), + int (*cert_crl_cb)(CBB *out, const void *arg), + int (*signer_infos_cb)(CBB *out, const void *arg), + const void *arg); #if defined(__cplusplus) diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7.c b/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7.c index 8f545b51..dc935d3f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7.c 
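Review bot: The new documentation for pkcs7_add_signed_data does not say which CBB each callback receives, which is what a caller needs to get the tagging right: from the implementation in pkcs7.c, `digest_algos_cb` and `signer_infos_cb` are handed the already-opened inner SET and write only its elements, whereas `cert_crl_cb` is handed the SignedData SEQUENCE itself and must emit the `[0]` IMPLICIT wrapper for `certificates` (and presumably `[1]` for `crls`) on its own, as pkcs7_bundle_raw_certificates_cb does. Suggest stating that per callback, e.g. `// cert_crl_cb: receives the SignedData SEQUENCE and must itself add the tagged certificates and/or crls fields.` and `// digest_algos_cb, signer_infos_cb: receive the opened SET and write only its elements.`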
@@ -131,8 +131,40 @@ int PKCS7_get_raw_certificates(STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, return ret; } -int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg), - const void *arg) { +static int pkcs7_bundle_raw_certificates_cb(CBB *out, const void *arg) { + const STACK_OF(CRYPTO_BUFFER) *certs = arg; + CBB certificates; + + // See https://tools.ietf.org/html/rfc2315#section-9.1 + if (!CBB_add_asn1(out, &certificates, + CBS_ASN1_CONTEXT_SPECIFIC | CBS_ASN1_CONSTRUCTED | 0)) { + return 0; + } + + for (size_t i = 0; i < sk_CRYPTO_BUFFER_num(certs); i++) { + CRYPTO_BUFFER *cert = sk_CRYPTO_BUFFER_value(certs, i); + if (!CBB_add_bytes(&certificates, CRYPTO_BUFFER_data(cert), + CRYPTO_BUFFER_len(cert))) { + return 0; + } + } + + // |certificates| is a implicitly-tagged SET OF. + return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out); +} + +int PKCS7_bundle_raw_certificates(CBB *out, + const STACK_OF(CRYPTO_BUFFER) *certs) { + return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL, + pkcs7_bundle_raw_certificates_cb, + /*signer_infos_cb=*/NULL, certs); +} + +int pkcs7_add_signed_data(CBB *out, + int (*digest_algos_cb)(CBB *out, const void *arg), + int (*cert_crl_cb)(CBB *out, const void *arg), + int (*signer_infos_cb)(CBB *out, const void *arg), + const void *arg) { CBB outer_seq, oid, wrapped_seq, seq, version_bytes, digest_algos_set, content_info, signer_infos; 
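Review bot: pkcs7_bundle_raw_certificates_cb copies each CRYPTO_BUFFER into the `certificates` SET verbatim, so the output is well-formed only if every buffer holds exactly one DER Certificate element; a buffer with trailing bytes or a non-DER payload yields a corrupt SET that `CBB_flush_asn1_set_of` will still happily sort and emit. A cheap per-element check, e.g. a CBS over the buffer with `CBS_get_asn1_element` followed by `CBS_len(&cbs) == 0`, would reject that early, or at minimum the single-element contract should be documented where PKCS7_bundle_raw_certificates is declared (outside this hunk). Nit in the comment: `// |certificates| is an implicitly-tagged SET OF.`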
@@ -147,11 +179,13 @@ int pkcs7_bundle(CBB *out, int (*cb)(CBB *out, const void *arg), !CBB_add_asn1(&seq, &version_bytes, CBS_ASN1_INTEGER) || !CBB_add_u8(&version_bytes, 1) || !CBB_add_asn1(&seq, &digest_algos_set, CBS_ASN1_SET) || + (digest_algos_cb != NULL && !digest_algos_cb(&digest_algos_set, arg)) || !CBB_add_asn1(&seq, &content_info, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&content_info, &oid, CBS_ASN1_OBJECT) || !CBB_add_bytes(&oid, kPKCS7Data, sizeof(kPKCS7Data)) || - !cb(&seq, arg) || - !CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET)) { + (cert_crl_cb != NULL && !cert_crl_cb(&seq, arg)) || + !CBB_add_asn1(&seq, &signer_infos, CBS_ASN1_SET) || + (signer_infos_cb != NULL && !signer_infos_cb(&signer_infos, arg))) { return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c b/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c index 0935175c..42b868c1 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs7/pkcs7_x509.c @@ -20,6 +20,7 @@ #include #include #include +#include #include #include #include @@ -197,7 +198,9 @@ static int pkcs7_bundle_certificates_cb(CBB *out, const void *arg) { } int PKCS7_bundle_certificates(CBB *out, const STACK_OF(X509) *certs) { - return pkcs7_bundle(out, pkcs7_bundle_certificates_cb, certs); + return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL, + pkcs7_bundle_certificates_cb, + /*signer_infos_cb=*/NULL, certs); } static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) { @@ -228,7 +231,9 @@ static int pkcs7_bundle_crls_cb(CBB *out, const void *arg) { } int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) { - return pkcs7_bundle(out, pkcs7_bundle_crls_cb, crls); + return pkcs7_add_signed_data(out, /*digest_algos_cb=*/NULL, + pkcs7_bundle_crls_cb, + /*signer_infos_cb=*/NULL, crls); } static PKCS7 *pkcs7_new(CBS *cbs) { 
@@ -362,26 +367,160 @@ int PKCS7_type_is_enveloped(const PKCS7 *p7) { return 0; } int PKCS7_type_is_signed(const PKCS7 *p7) { return 1; } int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7) { return 0; } +// write_sha256_ai writes an AlgorithmIdentifier for SHA-256 to +// |digest_algos_set|. +static int write_sha256_ai(CBB *digest_algos_set, const void *arg) { + CBB seq; + return CBB_add_asn1(digest_algos_set, &seq, CBS_ASN1_SEQUENCE) && + OBJ_nid2cbb(&seq, NID_sha256) && // + // https://datatracker.ietf.org/doc/html/rfc5754#section-2 + // "Implementations MUST generate SHA2 AlgorithmIdentifiers with absent + // parameters." + CBB_flush(digest_algos_set); +} + +// sign_sha256 writes at most |max_out_sig| bytes of the signature of |data| by +// |pkey| to |out_sig| and sets |*out_sig_len| to the number of bytes written. +// It returns one on success or zero on error. +static int sign_sha256(uint8_t *out_sig, size_t *out_sig_len, + size_t max_out_sig, EVP_PKEY *pkey, BIO *data) { + static const size_t kBufSize = 4096; + uint8_t *buffer = OPENSSL_malloc(kBufSize); + if (!buffer) { + return 0; + } + + EVP_MD_CTX ctx; + EVP_MD_CTX_init(&ctx); + + int ret = 0; + if (!EVP_DigestSignInit(&ctx, NULL, EVP_sha256(), NULL, pkey)) { + goto out; + } + + for (;;) { + const int n = BIO_read(data, buffer, kBufSize); + if (n == 0) { + break; + } else if (n < 0 || !EVP_DigestSignUpdate(&ctx, buffer, n)) { + goto out; + } + } + + *out_sig_len = max_out_sig; + if (!EVP_DigestSignFinal(&ctx, out_sig, out_sig_len)) { + goto out; + } + + ret = 1; + +out: + EVP_MD_CTX_cleanup(&ctx); + OPENSSL_free(buffer); + return ret; +} + +struct signer_info_data { + const X509 *sign_cert; + uint8_t *signature; + size_t signature_len; +}; + +// write_signer_info writes the SignerInfo structure from +// https://datatracker.ietf.org/doc/html/rfc2315#section-9.2 to |out|. It +// returns one on success or zero on error. 
+static int write_signer_info(CBB *out, const void *arg) { + const struct signer_info_data *const si_data = arg; + + int ret = 0; + uint8_t *subject_bytes = NULL; + uint8_t *serial_bytes = NULL; + + const int subject_len = + i2d_X509_NAME(X509_get_subject_name(si_data->sign_cert), &subject_bytes); + const int serial_len = i2d_ASN1_INTEGER( + (ASN1_INTEGER *)X509_get0_serialNumber(si_data->sign_cert), + &serial_bytes); + + CBB seq, issuer_and_serial, signing_algo, null, signature; + if (subject_len < 0 || + serial_len < 0 || + !CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || + // version + !CBB_add_asn1_uint64(&seq, 1) || + !CBB_add_asn1(&seq, &issuer_and_serial, CBS_ASN1_SEQUENCE) || + !CBB_add_bytes(&issuer_and_serial, subject_bytes, subject_len) || + !CBB_add_bytes(&issuer_and_serial, serial_bytes, serial_len) || + !write_sha256_ai(&seq, NULL) || + !CBB_add_asn1(&seq, &signing_algo, CBS_ASN1_SEQUENCE) || + !OBJ_nid2cbb(&signing_algo, NID_rsaEncryption) || + !CBB_add_asn1(&signing_algo, &null, CBS_ASN1_NULL) || + !CBB_add_asn1(&seq, &signature, CBS_ASN1_OCTETSTRING) || + !CBB_add_bytes(&signature, si_data->signature, si_data->signature_len) || + !CBB_flush(out)) { + goto out; + } + + ret = 1; + +out: + OPENSSL_free(subject_bytes); + OPENSSL_free(serial_bytes); + return ret; +} + PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags) { - if (sign_cert != NULL || pkey != NULL || flags != PKCS7_DETACHED) { - OPENSSL_PUT_ERROR(PKCS7, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + CBB cbb; + if (!CBB_init(&cbb, 2048)) { return NULL; } - uint8_t *der; + uint8_t *der = NULL; size_t len; - CBB cbb; - if (!CBB_init(&cbb, 2048) || - !PKCS7_bundle_certificates(&cbb, certs) || - !CBB_finish(&cbb, &der, &len)) { - CBB_cleanup(&cbb); - return NULL; + PKCS7 *ret = NULL; + + if (sign_cert == NULL && pkey == NULL && flags == PKCS7_DETACHED) { + // Caller just wants to bundle certificates. 
+ if (!PKCS7_bundle_certificates(&cbb, certs)) { + goto out; + } + } else if (sign_cert != NULL && pkey != NULL && certs == NULL && + data != NULL && + flags == (PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS | + PKCS7_DETACHED) && + EVP_PKEY_id(pkey) == NID_rsaEncryption) { + // sign-file.c from the Linux kernel. + const size_t signature_max_len = EVP_PKEY_size(pkey); + struct signer_info_data si_data = { + .sign_cert = sign_cert, + .signature = OPENSSL_malloc(signature_max_len), + }; + + if (!si_data.signature || + !sign_sha256(si_data.signature, &si_data.signature_len, + signature_max_len, pkey, data) || + !pkcs7_add_signed_data(&cbb, write_sha256_ai, /*cert_crl_cb=*/NULL, + write_signer_info, &si_data)) { + OPENSSL_free(si_data.signature); + goto out; + } + OPENSSL_free(si_data.signature); + } else { + OPENSSL_PUT_ERROR(PKCS7, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + goto out; + } + + if (!CBB_finish(&cbb, &der, &len)) { + goto out; } CBS cbs; CBS_init(&cbs, der, len); - PKCS7 *ret = pkcs7_new(&cbs); + ret = pkcs7_new(&cbs); + +out: + CBB_cleanup(&cbb); OPENSSL_free(der); return ret; } diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h b/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h index 353d9817..49a28943 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/internal.h @@ -112,7 +112,6 @@ struct pbe_suite { const char *pass, size_t pass_len, CBS *param); }; -#define PKCS5_DEFAULT_ITERATIONS 2048 #define PKCS5_SALT_LEN 8 int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c index 4b619de4..61024e12 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8.c 
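Review bot: In write_signer_info (this hunk begins on the preceding lines), the IssuerAndSerialNumber is built from `X509_get_subject_name(si_data->sign_cert)`, but RFC 2315 §9.2, which the comment above the function cites, defines that field as the issuer name of the signer's certificate together with its serial; the encoding is therefore only correct when the signing certificate is self-signed, and a verifier that looks the certificate up by issuer and serial would not find a CA-issued one. The spec-correct line is `i2d_X509_NAME(X509_get_issuer_name(si_data->sign_cert), &subject_bytes);` (renaming `subject_bytes`/`subject_len` to `issuer_*` for clarity). Separately, sign_sha256 treats a zero return from `BIO_read` as end of input; for a BIO that can signal retry that also covers "no data right now", so a `BIO_should_retry(data)` check before the `break` would avoid signing a truncated stream. The restrictions PKCS7_sign now enforces (RSA only, SHA-256, exactly `PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS | PKCS7_DETACHED`, `certs == NULL`) should be documented on the public declaration, which is outside this hunk.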
@@ -469,7 +469,7 @@ int PKCS8_marshal_encrypted_private_key(CBB *out, int pbe_nid, } if (iterations <= 0) { - iterations = PKCS5_DEFAULT_ITERATIONS; + iterations = PKCS12_DEFAULT_ITER; } // Serialize the input key. diff --git a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c index 0d3d25d3..666c9058 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/pkcs8/pkcs8_x509.c @@ -993,8 +993,8 @@ int PKCS12_verify_mac(const PKCS12 *p12, const char *password, // add_bag_attributes adds the bagAttributes field of a SafeBag structure, // containing the specified friendlyName and localKeyId attributes. -static int add_bag_attributes(CBB *bag, const char *name, const uint8_t *key_id, - size_t key_id_len) { +static int add_bag_attributes(CBB *bag, const char *name, size_t name_len, + const uint8_t *key_id, size_t key_id_len) { if (name == NULL && key_id_len == 0) { return 1; // Omit the OPTIONAL SET. } @@ -1003,7 +1003,7 @@ static int add_bag_attributes(CBB *bag, const char *name, const uint8_t *key_id, if (!CBB_add_asn1(bag, &attrs, CBS_ASN1_SET)) { return 0; } - if (name != NULL) { + if (name_len != 0) { // See https://tools.ietf.org/html/rfc2985, section 5.5.1. if (!CBB_add_asn1(&attrs, &attr, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&attr, &oid, CBS_ASN1_OBJECT) || @@ -1014,7 +1014,7 @@ static int add_bag_attributes(CBB *bag, const char *name, const uint8_t *key_id, } // Convert the friendly name to a BMPString. CBS name_cbs; - CBS_init(&name_cbs, (const uint8_t *)name, strlen(name)); + CBS_init(&name_cbs, (const uint8_t *)name, name_len); while (CBS_len(&name_cbs) != 0) { uint32_t c; if (!cbs_get_utf8(&name_cbs, &c) || 
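Review bot: add_bag_attributes now gates the friendlyName on `name_len != 0` (second hunk on this line) while the early-omit guard in the first hunk still tests `name == NULL`, so a non-NULL empty name with `key_id_len == 0` — which PKCS12_create now produces via `strlen(name)` for `name == ""` — falls through and encodes an empty `bagAttributes` SET instead of omitting the OPTIONAL field. Making the guard consistent with the new parameter, `if (name_len == 0 && key_id_len == 0) {`, avoids emitting the empty SET. The function comment could also state the new contract, e.g. `// |name| need not be NUL-terminated; |name_len| bytes of UTF-8 are used and a zero length omits the friendlyName.`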
@@ -1059,10 +1059,24 @@ static int add_cert_bag(CBB *cbb, X509 *cert, const char *name, } uint8_t *buf; int len = i2d_X509(cert, NULL); + + int int_name_len = 0; + const char *cert_name = (const char *)X509_alias_get0(cert, &int_name_len); + size_t name_len = int_name_len; + if (name) { + if (name_len != 0) { + OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_AMBIGUOUS_FRIENDLY_NAME); + return 0; + } + name_len = strlen(name); + } else { + name = cert_name; + } + if (len < 0 || !CBB_add_space(&cert_value, &buf, (size_t)len) || i2d_X509(cert, &buf) < 0 || - !add_bag_attributes(&bag, name, key_id, key_id_len) || + !add_bag_attributes(&bag, name, name_len, key_id, key_id_len) || !CBB_flush(cbb)) { return 0; } @@ -1161,7 +1175,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, cert_nid = NID_pbe_WithSHA1And40BitRC2_CBC; } if (iterations == 0) { - iterations = PKCS5_DEFAULT_ITERATIONS; + iterations = PKCS12_DEFAULT_ITER; } if (mac_iterations == 0) { mac_iterations = 1; @@ -1180,7 +1194,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, } // PKCS#12 is a very confusing recursive data format, built out of another - // recursive data format. Section 5.1 of RFC7292 describes the encoding + // recursive data format. Section 5.1 of RFC 7292 describes the encoding // algorithm, but there is no clear overview. A quick summary: // // PKCS#7 defines a ContentInfo structure, which is a overgeneralized typed @@ -1323,7 +1337,11 @@ PKCS12 *PKCS12_create(const char *password, const char *name, goto err; } } - if (!add_bag_attributes(&bag, name, key_id, key_id_len) || + size_t name_len = 0; + if (name) { + name_len = strlen(name); + } + if (!add_bag_attributes(&bag, name, name_len, key_id, key_id_len) || !CBB_flush(&content_infos)) { goto err; } diff --git a/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305.c b/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305.c index 5aa6f250..76c818ca 100644 --- a/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305.c 
+++ b/Sources/CJWTKitBoringSSL/crypto/poly1305/poly1305.c @@ -20,8 +20,6 @@ #include -#include - #include "internal.h" #include "../internal.h" @@ -206,6 +204,11 @@ void CRYPTO_poly1305_update(poly1305_state *statep, const uint8_t *in, size_t in_len) { struct poly1305_state_st *state = poly1305_aligned_state(statep); + // Work around a C language bug. See https://crbug.com/1019588. + if (in_len == 0) { + return; + } + #if defined(OPENSSL_POLY1305_NEON) if (CRYPTO_is_NEON_capable()) { CRYPTO_poly1305_update_neon(statep, in, in_len); diff --git a/Sources/CJWTKitBoringSSL/crypto/pool/internal.h b/Sources/CJWTKitBoringSSL/crypto/pool/internal.h index 4a6036e9..bf632e0f 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pool/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/pool/internal.h @@ -18,23 +18,28 @@ #include #include +#include "../lhash/internal.h" + + #if defined(__cplusplus) extern "C" { #endif -DECLARE_LHASH_OF(CRYPTO_BUFFER) +DEFINE_LHASH_OF(CRYPTO_BUFFER) struct crypto_buffer_st { CRYPTO_BUFFER_POOL *pool; uint8_t *data; size_t len; CRYPTO_refcount_t references; + int data_is_static; }; struct crypto_buffer_pool_st { LHASH_OF(CRYPTO_BUFFER) *bufs; CRYPTO_MUTEX lock; + const uint64_t hash_key[2]; }; diff --git a/Sources/CJWTKitBoringSSL/crypto/pool/pool.c b/Sources/CJWTKitBoringSSL/crypto/pool/pool.c index b3122d14..e0348a79 100644 --- a/Sources/CJWTKitBoringSSL/crypto/pool/pool.c +++ b/Sources/CJWTKitBoringSSL/crypto/pool/pool.c 
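Review bot: In pool/internal.h, `const uint64_t hash_key[2];` makes a member of a heap-allocated struct const, which forces CRYPTO_BUFFER_POOL_new (next file in this diff) to fill it through a cast; the qualifier documents intent but no longer lets the compiler enforce it, so the comment is the useful part, e.g. `// hash_key is the per-pool SipHash key, set once in |CRYPTO_BUFFER_POOL_new|; hashes are only comparable within one pool.` Since CRYPTO_BUFFER_hash now dereferences `buf->pool`, a note on `struct crypto_buffer_st` that `pool` must be set before a buffer is used as a lookup key, and that `data_is_static` means `data` is caller-owned and never freed by the pool (as the pool.c replacement logic suggests), would also help.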
@@ -19,20 +19,22 @@ #include #include +#include +#include #include #include "../internal.h" -#include "../lhash/internal.h" #include "internal.h" -DEFINE_LHASH_OF(CRYPTO_BUFFER) - static uint32_t CRYPTO_BUFFER_hash(const CRYPTO_BUFFER *buf) { - return OPENSSL_hash32(buf->data, buf->len); + return (uint32_t)SIPHASH_24(buf->pool->hash_key, buf->data, buf->len); } static int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) { + // Only |CRYPTO_BUFFER|s from the same pool have compatible hashes. + assert(a->pool != NULL); + assert(a->pool == b->pool); if (a->len != b->len) { return 1; } @@ -53,6 +55,7 @@ CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void) { } CRYPTO_MUTEX_init(&pool->lock); + RAND_bytes((uint8_t *)&pool->hash_key, sizeof(pool->hash_key)); return pool; } @@ -73,16 +76,29 @@ void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool) { OPENSSL_free(pool); } -CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, - CRYPTO_BUFFER_POOL *pool) { +static void crypto_buffer_free_object(CRYPTO_BUFFER *buf) { + if (!buf->data_is_static) { + OPENSSL_free(buf->data); + } + OPENSSL_free(buf); +} + +static CRYPTO_BUFFER *crypto_buffer_new(const uint8_t *data, size_t len, + int data_is_static, + CRYPTO_BUFFER_POOL *pool) { if (pool != NULL) { CRYPTO_BUFFER tmp; tmp.data = (uint8_t *) data; tmp.len = len; + tmp.pool = pool; CRYPTO_MUTEX_lock_read(&pool->lock); - CRYPTO_BUFFER *const duplicate = - lh_CRYPTO_BUFFER_retrieve(pool->bufs, &tmp); + CRYPTO_BUFFER *duplicate = lh_CRYPTO_BUFFER_retrieve(pool->bufs, &tmp); + if (data_is_static && duplicate != NULL && !duplicate->data_is_static) { + // If the new |CRYPTO_BUFFER| would have static data, but the duplicate + // does not, we replace the old one with the new static version. + duplicate = NULL; + } if (duplicate != NULL) { CRYPTO_refcount_inc(&duplicate->references); } 
@@ -99,10 +115,15 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, } OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER)); - buf->data = OPENSSL_memdup(data, len); - if (len != 0 && buf->data == NULL) { - OPENSSL_free(buf); - return NULL; + if (data_is_static) { + buf->data = (uint8_t *)data; + buf->data_is_static = 1; + } else { + buf->data = OPENSSL_memdup(data, len); + if (len != 0 && buf->data == NULL) { + OPENSSL_free(buf); + return NULL; + } } buf->len = len; @@ -116,11 +137,18 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, CRYPTO_MUTEX_lock_write(&pool->lock); CRYPTO_BUFFER *duplicate = lh_CRYPTO_BUFFER_retrieve(pool->bufs, buf); + if (data_is_static && duplicate != NULL && !duplicate->data_is_static) { + // If the new |CRYPTO_BUFFER| would have static data, but the duplicate does + // not, we replace the old one with the new static version. + duplicate = NULL; + } int inserted = 0; if (duplicate == NULL) { CRYPTO_BUFFER *old = NULL; inserted = lh_CRYPTO_BUFFER_insert(pool->bufs, &old, buf); - assert(old == NULL); + // |old| may be non-NULL if a match was found but ignored. |pool->bufs| does + // not increment refcounts, so there is no need to clean up after the + // replacement. } else { CRYPTO_refcount_inc(&duplicate->references); } @@ -129,14 +157,18 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, if (!inserted) { // We raced to insert |buf| into the pool and lost, or else there was an // error inserting. - OPENSSL_free(buf->data); - OPENSSL_free(buf); + crypto_buffer_free_object(buf); return duplicate; } return buf; } +CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, + CRYPTO_BUFFER_POOL *pool) { + return crypto_buffer_new(data, len, /*data_is_static=*/0, pool); +} + CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len) { CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER)); if (buf == NULL) { 
@@ -156,10 +188,16 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len) { return buf; } -CRYPTO_BUFFER* CRYPTO_BUFFER_new_from_CBS(CBS *cbs, CRYPTO_BUFFER_POOL *pool) { +CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS(const CBS *cbs, + CRYPTO_BUFFER_POOL *pool) { return CRYPTO_BUFFER_new(CBS_data(cbs), CBS_len(cbs), pool); } +CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_static_data_unsafe( + const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool) { + return crypto_buffer_new(data, len, /*data_is_static=*/1, pool); +} + void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf) { if (buf == NULL) { return; @@ -171,8 +209,7 @@ void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf) { // If a reference count of zero is observed, there cannot be a reference // from any pool to this buffer and thus we are able to free this // buffer. - OPENSSL_free(buf->data); - OPENSSL_free(buf); + crypto_buffer_free_object(buf); } return; @@ -188,13 +225,19 @@ void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf) { // find this buffer and increment the reference count. Thus, if the count is // zero there are and can never be any more references and thus we can free // this buffer. - void *found = lh_CRYPTO_BUFFER_delete(pool->bufs, buf); - assert(found != NULL); - assert(found == buf); - (void)found; + // + // Note it is possible |buf| is no longer in the pool, if it was replaced by a + // static version. If that static version was since removed, it is even + // possible for |found| to be NULL. + CRYPTO_BUFFER *found = lh_CRYPTO_BUFFER_retrieve(pool->bufs, buf); + if (found == buf) { + found = lh_CRYPTO_BUFFER_delete(pool->bufs, buf); + assert(found == buf); + (void)found; + } + CRYPTO_MUTEX_unlock_write(&buf->pool->lock); - OPENSSL_free(buf->data); - OPENSSL_free(buf); + crypto_buffer_free_object(buf); } int CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf) { diff --git a/Sources/CJWTKitBoringSSL/crypto/siphash/siphash.c b/Sources/CJWTKitBoringSSL/crypto/siphash/siphash.c index 65a7b068..d63806e1 100644 
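Review bot: CRYPTO_BUFFER_new_from_static_data_unsafe carries no comment in this file and its contract is stricter than the name suggests: the pool will hand the resulting object to any later CRYPTO_BUFFER_new call with equal bytes and will evict an existing non-static duplicate in its favour (crypto_buffer_new, earlier hunks), so `data` must stay valid and unmodified for the lifetime of the pool and of every buffer obtained from it, not just the caller's own reference. If the public header (outside this diff) does not say so, it should; a local reminder above the function such as `// |data| is neither copied nor freed by the pool; see the header for the lifetime requirement.` would help readers here. The retrieve-then-delete sequence in CRYPTO_BUFFER_free looks consistent with the replacement logic, since a displaced buffer is only removed from the pool when the retrieve still returns it.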
--- a/Sources/CJWTKitBoringSSL/crypto/siphash/siphash.c +++ b/Sources/CJWTKitBoringSSL/crypto/siphash/siphash.c @@ -23,18 +23,18 @@ static void siphash_round(uint64_t v[4]) { v[0] += v[1]; v[2] += v[3]; - v[1] = (v[1] << 13) | (v[1] >> (64 - 13)); - v[3] = (v[3] << 16) | (v[3] >> (64 - 16)); + v[1] = CRYPTO_rotl_u64(v[1], 13); + v[3] = CRYPTO_rotl_u64(v[3], 16); v[1] ^= v[0]; v[3] ^= v[2]; - v[0] = (v[0] << 32) | (v[0] >> 32); + v[0] = CRYPTO_rotl_u64(v[0], 32); v[2] += v[1]; v[0] += v[3]; - v[1] = (v[1] << 17) | (v[1] >> (64 - 17)); - v[3] = (v[3] << 21) | (v[3] >> (64 - 21)); + v[1] = CRYPTO_rotl_u64(v[1], 17); + v[3] = CRYPTO_rotl_u64(v[3], 21); v[1] ^= v[2]; v[3] ^= v[0]; - v[2] = (v[2] << 32) | (v[2] >> 32); + v[2] = CRYPTO_rotl_u64(v[2], 32); } uint64_t SIPHASH_24(const uint64_t key[2], const uint8_t *input, diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c b/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c index 24758fdf..b3d210e9 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/asn1_gen.c @@ -66,6 +66,7 @@ #include "../internal.h" #include "../x509v3/internal.h" +#include "internal.h" /* * Although this file is in crypto/x509 for layering purposes, it emits @@ -136,17 +137,6 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); -ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf) -{ - X509V3_CTX cnf; - - if (!nconf) - return ASN1_generate_v3(str, NULL); - - X509V3_set_nconf(&cnf, nconf); - return ASN1_generate_v3(str, &cnf); -} - ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf) { int err = 0; 
@@ -225,13 +215,7 @@ static ASN1_TYPE *generate_v3(const char *str, X509V3_CTX *cnf, int depth, * For IMPLICIT tagging the length should match the original length * and constructed flag should be consistent. */ - if (r & 0x1) { - /* Indefinite length constructed */ - hdr_constructed = 2; - hdr_len = 0; - } else - /* Just retain constructed flag */ - hdr_constructed = r & V_ASN1_CONSTRUCTED; + hdr_constructed = r & V_ASN1_CONSTRUCTED; /* * Work out new length with IMPLICIT tag: ignore constructed because * it will mess up if indefinite length diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c b/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c index 61e3621c..8aeadab2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/by_dir.c @@ -438,6 +438,13 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, ok = 1; ret->type = tmp->type; OPENSSL_memcpy(&ret->data, &tmp->data, sizeof(ret->data)); + + /* + * Clear any errors that might have been raised processing empty + * or malformed files. + */ + ERR_clear_error(); + /* * If we were going to up the reference count, we would need * to do it on a perl 'type' basis diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c b/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c index 6010b541..2e8b867a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/by_file.c @@ -61,6 +61,8 @@ #include #include +#include "internal.h" + #ifndef OPENSSL_NO_STDIO static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, @@ -124,8 +126,6 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) int i, count = 0; X509 *x = NULL; - if (file == NULL) - return (1); in = BIO_new(BIO_s_file()); if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) { 
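Review bot: `ERR_clear_error()` in get_cert_by_subject discards the whole thread-local error queue, including errors the caller may have pushed before starting the lookup, not only those raised while scanning the directory. If this tree provides `ERR_set_mark()`/`ERR_pop_to_mark()`, bracketing the directory scan with them would confine the cleanup to errors raised by the lookup; otherwise the comment should at least say that earlier errors are lost too. In by_file.c on the same line, dropping `if (file == NULL) return (1);` turns a silent success into an error from `BIO_read_filename`, which looks intended but is a behaviour change for X509_load_cert_file and X509_load_crl_file worth noting in their documentation.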
@@ -169,6 +169,11 @@ int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, int type) OPENSSL_PUT_ERROR(X509, X509_R_BAD_X509_FILETYPE); goto err; } + + if (ret == 0) { + OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATE_FOUND); + } + err: if (x != NULL) X509_free(x); @@ -184,8 +189,6 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) int i, count = 0; X509_CRL *x = NULL; - if (file == NULL) - return (1); in = BIO_new(BIO_s_file()); if ((in == NULL) || (BIO_read_filename(in, file) <= 0)) { @@ -229,6 +232,11 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) OPENSSL_PUT_ERROR(X509, X509_R_BAD_X509_FILETYPE); goto err; } + + if (ret == 0) { + OPENSSL_PUT_ERROR(X509, X509_R_NO_CRL_FOUND); + } + err: if (x != NULL) X509_CRL_free(x); @@ -244,6 +252,7 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) BIO *in; size_t i; int count = 0; + if (type != X509_FILETYPE_PEM) return X509_load_cert_file(ctx, file, type); in = BIO_new_file(file, "r"); @@ -260,14 +269,24 @@ int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) for (i = 0; i < sk_X509_INFO_num(inf); i++) { itmp = sk_X509_INFO_value(inf, i); if (itmp->x509) { - X509_STORE_add_cert(ctx->store_ctx, itmp->x509); + if (!X509_STORE_add_cert(ctx->store_ctx, itmp->x509)) { + goto err; + } count++; } if (itmp->crl) { - X509_STORE_add_crl(ctx->store_ctx, itmp->crl); + if (!X509_STORE_add_crl(ctx->store_ctx, itmp->crl)) { + goto err; + } count++; } } + + if (count == 0) { + OPENSSL_PUT_ERROR(X509, X509_R_NO_CERTIFICATE_OR_CRL_FOUND); + } + +err: sk_X509_INFO_pop_free(inf, X509_INFO_free); return count; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/internal.h b/Sources/CJWTKitBoringSSL/crypto/x509/internal.h index 75435450..249974d8 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/x509/internal.h 
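Review bot: In X509_load_cert_crl_file, the new `goto err` on an `X509_STORE_add_cert`/`X509_STORE_add_crl` failure still returns `count`, which may already be positive, so a caller testing for a non-zero result sees success while an error sits on the queue; replacing each `goto err;` in the loop with `count = 0; goto err;` makes the return value and the error queue agree. The `count == 0` case, by contrast, now pushes `X509_R_NO_CERTIFICATE_OR_CRL_FOUND` and returns 0, which matches the new `X509_R_NO_CERTIFICATE_FOUND`/`X509_R_NO_CRL_FOUND` behaviour of the two loaders above.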
@@ -63,6 +63,8 @@ #include #include +#include "../asn1/internal.h" + #if defined(__cplusplus) extern "C" { #endif @@ -70,10 +72,12 @@ extern "C" { /* Internal structures. */ -struct X509_val_st { +typedef struct X509_val_st { ASN1_TIME *notBefore; ASN1_TIME *notAfter; -} /* X509_VAL */; +} X509_VAL; + +DECLARE_ASN1_FUNCTIONS(X509_VAL) struct X509_pubkey_st { X509_ALGOR *algor; @@ -81,18 +85,35 @@ struct X509_pubkey_st { EVP_PKEY *pkey; } /* X509_PUBKEY */; +struct X509_name_entry_st { + ASN1_OBJECT *object; + ASN1_STRING *value; + int set; +} /* X509_NAME_ENTRY */; + +// we always keep X509_NAMEs in 2 forms. +struct X509_name_st { + STACK_OF(X509_NAME_ENTRY) *entries; + int modified; // true if 'bytes' needs to be built + BUF_MEM *bytes; + // unsigned long hash; Keep the hash around for lookups + unsigned char *canon_enc; + int canon_enclen; +} /* X509_NAME */; + struct x509_attributes_st { ASN1_OBJECT *object; STACK_OF(ASN1_TYPE) *set; } /* X509_ATTRIBUTE */; -struct x509_cert_aux_st { +typedef struct x509_cert_aux_st { STACK_OF(ASN1_OBJECT) *trust; // trusted uses STACK_OF(ASN1_OBJECT) *reject; // rejected uses ASN1_UTF8STRING *alias; // "friendly name" ASN1_OCTET_STRING *keyid; // key id of private key - STACK_OF(X509_ALGOR) *other; // other unspecified info -} /* X509_CERT_AUX */; +} X509_CERT_AUX; + +DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) struct X509_extension_st { ASN1_OBJECT *object; 
@@ -100,6 +121,47 @@ struct X509_extension_st { ASN1_OCTET_STRING *value; } /* X509_EXTENSION */; +typedef struct { + ASN1_INTEGER *version; // [ 0 ] default of v1 + ASN1_INTEGER *serialNumber; + X509_ALGOR *signature; + X509_NAME *issuer; + X509_VAL *validity; + X509_NAME *subject; + X509_PUBKEY *key; + ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2 + ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2 + STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3 + ASN1_ENCODING enc; +} X509_CINF; + +DECLARE_ASN1_FUNCTIONS(X509_CINF) + +struct x509_st { + X509_CINF *cert_info; + X509_ALGOR *sig_alg; + ASN1_BIT_STRING *signature; + CRYPTO_refcount_t references; + CRYPTO_EX_DATA ex_data; + // These contain copies of various extension values + long ex_pathlen; + long ex_pcpathlen; + unsigned long ex_flags; + unsigned long ex_kusage; + unsigned long ex_xkusage; + unsigned long ex_nscert; + ASN1_OCTET_STRING *skid; + AUTHORITY_KEYID *akid; + X509_POLICY_CACHE *policy_cache; + STACK_OF(DIST_POINT) *crldp; + STACK_OF(GENERAL_NAME) *altname; + NAME_CONSTRAINTS *nc; + unsigned char cert_hash[SHA256_DIGEST_LENGTH]; + X509_CERT_AUX *aux; + CRYPTO_BUFFER *buf; + CRYPTO_MUTEX lock; +} /* X509 */; + typedef struct { ASN1_ENCODING enc; ASN1_INTEGER *version; @@ -118,6 +180,16 @@ struct X509_req_st { CRYPTO_refcount_t references; } /* X509_REQ */; +struct x509_revoked_st { + ASN1_INTEGER *serialNumber; + ASN1_TIME *revocationDate; + STACK_OF(X509_EXTENSION) /* optional */ *extensions; + // Set up if indirect CRL + STACK_OF(GENERAL_NAME) *issuer; + // Revocation reason + int reason; +} /* X509_REVOKED */; + typedef struct { ASN1_INTEGER *version; X509_ALGOR *sig_alg; 
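Review bot: The `cert_hash[SHA256_DIGEST_LENGTH]` member added to `struct x509_st` has no comment, although x509_cmp.c in this same patch compares certificates by nothing but this field and its comment says filling it in can fail and leave it all zeros. Suggest `unsigned char cert_hash[SHA256_DIGEST_LENGTH];  // filled in by x509v3_cache_extensions(); all zeros if hashing failed`. The same applies to the new `crl_hash` member of `struct X509_crl_st` in a later hunk of this file, which X509_CRL_match compares directly.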
@@ -147,13 +219,12 @@ struct X509_crl_st { // CRL and base CRL numbers for delta processing ASN1_INTEGER *crl_number; ASN1_INTEGER *base_crl_number; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; + unsigned char crl_hash[SHA256_DIGEST_LENGTH]; STACK_OF(GENERAL_NAMES) *issuers; const X509_CRL_METHOD *meth; void *meth_data; } /* X509_CRL */; - struct X509_VERIFY_PARAM_st { char *name; time_t check_time; // Time to use 
@@ -174,6 +245,134 @@ struct X509_VERIFY_PARAM_st { unsigned char poison; // Fail all verifications at name checking } /* X509_VERIFY_PARAM */; +struct x509_object_st { + // one of the above types + int type; + union { + char *ptr; + X509 *x509; + X509_CRL *crl; + EVP_PKEY *pkey; + } data; +} /* X509_OBJECT */; + +// This is a static that defines the function interface +struct x509_lookup_method_st { + const char *name; + int (*new_item)(X509_LOOKUP *ctx); + void (*free)(X509_LOOKUP *ctx); + int (*init)(X509_LOOKUP *ctx); + int (*shutdown)(X509_LOOKUP *ctx); + int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, + char **ret); + int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, + ASN1_INTEGER *serial, X509_OBJECT *ret); + int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes, + int len, X509_OBJECT *ret); + int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len, + X509_OBJECT *ret); +} /* X509_LOOKUP_METHOD */; + +// This is used to hold everything. It is used for all certificate +// validation. Once we have a certificate chain, the 'verify' +// function is then called to actually check the cert chain. 
+struct x509_store_st { + // The following is a cache of trusted certs + int cache; // if true, stash any hits + STACK_OF(X509_OBJECT) *objs; // Cache of all objects + CRYPTO_MUTEX objs_lock; + + // These are external lookup methods + STACK_OF(X509_LOOKUP) *get_cert_methods; + + X509_VERIFY_PARAM *param; + + // Callbacks for various operations + X509_STORE_CTX_verify_fn verify; // called to verify a certificate + X509_STORE_CTX_verify_cb verify_cb; // error callback + X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx + X509_STORE_CTX_check_issued_fn check_issued; // check issued + X509_STORE_CTX_check_revocation_fn + check_revocation; // Check revocation status of chain + X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL + X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity + X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL + X509_STORE_CTX_lookup_certs_fn lookup_certs; + X509_STORE_CTX_lookup_crls_fn lookup_crls; + X509_STORE_CTX_cleanup_fn cleanup; + + CRYPTO_refcount_t references; +} /* X509_STORE */; + + +// This is the functions plus an instance of the local variables. +struct x509_lookup_st { + int init; // have we been started + int skip; // don't use us. + X509_LOOKUP_METHOD *method; // the functions + char *method_data; // method data + + X509_STORE *store_ctx; // who owns us +} /* X509_LOOKUP */; + +// This is a used when verifying cert chains. Since the +// gathering of the cert chain can take some time (and have to be +// 'retried', this needs to be kept and passed around. 
+struct x509_store_ctx_st { + X509_STORE *ctx; + + // The following are set by the caller + X509 *cert; // The cert to check + STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in + STACK_OF(X509_CRL) *crls; // set of CRLs passed in + + X509_VERIFY_PARAM *param; + void *other_ctx; // Other info for use with get_issuer() + + // Callbacks for various operations + X509_STORE_CTX_verify_fn verify; // called to verify a certificate + X509_STORE_CTX_verify_cb verify_cb; // error callback + X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx + X509_STORE_CTX_check_issued_fn check_issued; // check issued + X509_STORE_CTX_check_revocation_fn + check_revocation; // Check revocation status of chain + X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL + X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity + X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL + X509_STORE_CTX_check_policy_fn check_policy; + X509_STORE_CTX_lookup_certs_fn lookup_certs; + X509_STORE_CTX_lookup_crls_fn lookup_crls; + X509_STORE_CTX_cleanup_fn cleanup; + + // The following is built up + int valid; // if 0, rebuild chain + int last_untrusted; // index of last untrusted cert + STACK_OF(X509) *chain; // chain of X509s - built up and trusted + X509_POLICY_TREE *tree; // Valid policy tree + + int explicit_policy; // Require explicit policy value + + // When something goes wrong, this is why + int error_depth; + int error; + X509 *current_cert; + X509 *current_issuer; // cert currently being tested as valid issuer + X509_CRL *current_crl; // current CRL + + int current_crl_score; // score of current CRL + unsigned int current_reasons; // Reason mask + + X509_STORE_CTX *parent; // For CRL path validation: parent context + + CRYPTO_EX_DATA ex_data; +} /* X509_STORE_CTX */; + +ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf); + +int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); + /* RSA-PSS functions. */ 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/name_print.c b/Sources/CJWTKitBoringSSL/crypto/x509/name_print.c index 00cacdc8..12ac7b6a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/name_print.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/name_print.c @@ -155,7 +155,7 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent, else ent = X509_NAME_get_entry(n, i); if (prev != -1) { - if (prev == ent->set) { + if (prev == X509_NAME_ENTRY_set(ent)) { if (!maybe_write(out, sep_mv, sep_mv_len)) return -1; outlen += sep_mv_len; @@ -168,7 +168,7 @@ static int do_name_ex(BIO *out, const X509_NAME *n, int indent, outlen += indent; } } - prev = ent->set; + prev = X509_NAME_ENTRY_set(ent); fn = X509_NAME_ENTRY_get_object(ent); val = X509_NAME_ENTRY_get_data(ent); fn_nid = OBJ_obj2nid(fn); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c b/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c index 1423455a..01f1d994 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/rsa_pss.c @@ -67,12 +67,21 @@ #include "internal.h" -ASN1_SEQUENCE(RSA_PSS_PARAMS) = { +static int rsa_pss_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, + void *exarg) { + if (operation == ASN1_OP_FREE_PRE) { + RSA_PSS_PARAMS *pss = (RSA_PSS_PARAMS *)*pval; + X509_ALGOR_free(pss->maskHash); + } + return 1; +} + +ASN1_SEQUENCE_cb(RSA_PSS_PARAMS, rsa_pss_cb) = { ASN1_EXP_OPT(RSA_PSS_PARAMS, hashAlgorithm, X509_ALGOR,0), ASN1_EXP_OPT(RSA_PSS_PARAMS, maskGenAlgorithm, X509_ALGOR,1), ASN1_EXP_OPT(RSA_PSS_PARAMS, saltLength, ASN1_INTEGER,2), ASN1_EXP_OPT(RSA_PSS_PARAMS, trailerField, ASN1_INTEGER,3), -} ASN1_SEQUENCE_END(RSA_PSS_PARAMS) +} ASN1_SEQUENCE_END_cb(RSA_PSS_PARAMS, RSA_PSS_PARAMS) IMPLEMENT_ASN1_FUNCTIONS(RSA_PSS_PARAMS) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c index 238c582b..9c24987d 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c 
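Review bot: `rsa_pss_cb` frees `pss->maskHash` without saying why that field needs manual cleanup: it is not one of the four members listed in the `ASN1_SEQUENCE_cb(RSA_PSS_PARAMS, rsa_pss_cb)` template, so the generic ASN.1 free routine would otherwise never release it. A one-line comment above the `X509_ALGOR_free` call would make the intent clear, e.g. `// maskHash is not part of the encoding template, so the generic free does not release it.` The struct that declares maskHash is outside the hunk, so where it is populated cannot be confirmed here.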
+++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_crl.c 
@@ -75,56 +75,74 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x) int X509_CRL_print(BIO *out, X509_CRL *x) { - STACK_OF(X509_REVOKED) *rev; - X509_REVOKED *r; - long l; - size_t i; - char *p; - - BIO_printf(out, "Certificate Revocation List (CRL):\n"); - l = X509_CRL_get_version(x); - BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l); + long version = X509_CRL_get_version(x); const X509_ALGOR *sig_alg; const ASN1_BIT_STRING *signature; X509_CRL_get0_signature(x, &signature, &sig_alg); - // Note this and the other |X509_signature_print| call print the outer - // signature algorithm twice, rather than both the inner and outer ones. - // This matches OpenSSL, though it was probably a bug. - X509_signature_print(out, sig_alg, NULL); - p = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0); - BIO_printf(out, "%8sIssuer: %s\n", "", p); - OPENSSL_free(p); - BIO_printf(out, "%8sLast Update: ", ""); - ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x)); - BIO_printf(out, "\n%8sNext Update: ", ""); - if (X509_CRL_get0_nextUpdate(x)) - ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x)); - else - BIO_printf(out, "NONE"); - BIO_printf(out, "\n"); + if (BIO_printf(out, "Certificate Revocation List (CRL):\n") <= 0 || + // TODO(https://crbug.com/boringssl/467): This loses information on some + // invalid versions, but we should fix this by making invalid versions + // impossible. + BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", version + 1, + (unsigned long)version) <= 0 || + // Note this and the other |X509_signature_print| call both print the + // outer signature algorithm, rather than printing the inner and outer + // ones separately. This matches OpenSSL, though it was probably a bug. 
+ !X509_signature_print(out, sig_alg, NULL)) { + return 0; + } - X509V3_extensions_print(out, "CRL extensions", X509_CRL_get0_extensions(x), - 0, 8); + char *issuer = X509_NAME_oneline(X509_CRL_get_issuer(x), NULL, 0); + int ok = issuer != NULL && + BIO_printf(out, "%8sIssuer: %s\n", "", issuer) > 0; + OPENSSL_free(issuer); + if (!ok) { + return 0; + } - rev = X509_CRL_get_REVOKED(x); + if (BIO_printf(out, "%8sLast Update: ", "") <= 0 || + !ASN1_TIME_print(out, X509_CRL_get0_lastUpdate(x)) || + BIO_printf(out, "\n%8sNext Update: ", "") <= 0) { + return 0; + } + if (X509_CRL_get0_nextUpdate(x)) { + if (!ASN1_TIME_print(out, X509_CRL_get0_nextUpdate(x))) { + return 0; + } + } else { + if (BIO_printf(out, "NONE") <= 0) { + return 0; + } + } - if (sk_X509_REVOKED_num(rev) > 0) - BIO_printf(out, "Revoked Certificates:\n"); - else - BIO_printf(out, "No Revoked Certificates.\n"); + if (BIO_printf(out, "\n") <= 0 || + !X509V3_extensions_print(out, "CRL extensions", + X509_CRL_get0_extensions(x), 0, 8)) { + return 0; + } - for (i = 0; i < sk_X509_REVOKED_num(rev); i++) { - r = sk_X509_REVOKED_value(rev, i); - BIO_printf(out, " Serial Number: "); - i2a_ASN1_INTEGER(out, r->serialNumber); - BIO_printf(out, "\n Revocation Date: "); - ASN1_TIME_print(out, r->revocationDate); - BIO_printf(out, "\n"); - X509V3_extensions_print(out, "CRL entry extensions", - r->extensions, 0, 8); + const STACK_OF(X509_REVOKED) *rev = X509_CRL_get_REVOKED(x); + if (sk_X509_REVOKED_num(rev) > 0) { + if (BIO_printf(out, "Revoked Certificates:\n") <= 0) { + return 0; + } + } else { + if (BIO_printf(out, "No Revoked Certificates.\n") <= 0) { + return 0; + } } - X509_signature_print(out, sig_alg, signature); - return 1; + for (size_t i = 0; i < sk_X509_REVOKED_num(rev); i++) { + const X509_REVOKED *r = sk_X509_REVOKED_value(rev, i); + if (BIO_printf(out, " Serial Number: ") <= 0 || + i2a_ASN1_INTEGER(out, X509_REVOKED_get0_serialNumber(r)) <= 0 || + BIO_printf(out, "\n Revocation Date: ") <= 0 || + 
!ASN1_TIME_print(out, X509_REVOKED_get0_revocationDate(r)) || + BIO_printf(out, "\n") <= 0 || + !X509V3_extensions_print(out, "CRL entry extensions", + X509_REVOKED_get0_extensions(r), 0, 8)) { + } + } + return X509_signature_print(out, sig_alg, signature); } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c index 837b64b2..e9e05373 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_req.c @@ -103,8 +103,12 @@ int X509_REQ_print_ex(BIO *bio, X509_REQ *x, unsigned long nmflags, } } if (!(cflag & X509_FLAG_NO_VERSION)) { + /* TODO(https://crbug.com/boringssl/467): This loses information on some + * invalid versions, but we should fix this by making invalid versions + * impossible. */ l = X509_REQ_get_version(x); - if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1, l) <= 0) { + if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1, + (unsigned long)l) <= 0) { goto err; } } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c index 9b57cfe6..8eb8cb17 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_x509.c @@ -54,6 +54,8 @@ * copied and put under another distribution licence * [including the GNU Public Licence.] */ +#include + #include #include #include @@ -98,7 +100,6 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, char *m = NULL, mlch = ' '; int nmindent = 0; X509_CINF *ci; - ASN1_INTEGER *bs; EVP_PKEY *pkey = NULL; const char *neg; 
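Review bot: The `if` at the end of the revoked-entry loop in X509_CRL_print has an empty body: the chain of `BIO_printf`, `i2a_ASN1_INTEGER`, `ASN1_TIME_print` and `X509V3_extensions_print` checks is evaluated and its result discarded, so a write failure inside the loop is silently ignored while every other failure in the rewritten function returns 0. Add `return 0;` inside the braces so the loop matches the function's other exits. As written, compilers may also warn about the empty statement.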
@@ -118,38 +119,41 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, goto err; } if (!(cflag & X509_FLAG_NO_VERSION)) { + /* TODO(https://crbug.com/boringssl/467): This loses information on some + * invalid versions, but we should fix this by making invalid versions + * impossible. */ l = X509_get_version(x); - if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", "", l + 1, l) <= 0) + if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", "", l + 1, + (unsigned long)l) <= 0) { goto err; + } } if (!(cflag & X509_FLAG_NO_SERIAL)) { - - if (BIO_write(bp, " Serial Number:", 22) <= 0) + if (BIO_write(bp, " Serial Number:", 22) <= 0) { goto err; + } - bs = X509_get_serialNumber(x); - if (bs->length < (int)sizeof(long) - || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) { - l = ASN1_INTEGER_get(bs); - if (bs->type == V_ASN1_NEG_INTEGER) { - l = -l; - neg = "-"; - } else - neg = ""; - if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", neg, l, neg, l) <= 0) - goto err; + const ASN1_INTEGER *serial = X509_get0_serialNumber(x); + uint64_t serial_u64; + if (ASN1_INTEGER_get_uint64(&serial_u64, serial)) { + assert(serial->type != V_ASN1_NEG_INTEGER); + if (BIO_printf(bp, " %" PRIu64 " (0x%" PRIx64 ")\n", serial_u64, + serial_u64) <= 0) { + goto err; + } } else { - neg = (bs->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; - if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) + neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; + if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) { goto err; + } - for (i = 0; i < bs->length; i++) { - if (BIO_printf(bp, "%02x%c", bs->data[i], - ((i + 1 == bs->length) ? '\n' : ':')) <= 0) + for (i = 0; i < serial->length; i++) { + if (BIO_printf(bp, "%02x%c", serial->data[i], + ((i + 1 == serial->length) ? '\n' : ':')) <= 0) { goto err; + } } } - } if (!(cflag & X509_FLAG_NO_SIGNAME)) { 
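Review bot: The new `assert(serial->type != V_ASN1_NEG_INTEGER);` in X509_print_ex encodes an invariant that is only visible if the reader knows ASN1_INTEGER_get_uint64 rejects negative values; a short comment would help, e.g. `// ASN1_INTEGER_get_uint64 fails on negative values, so only non-negative serials reach this branch; anything else is hex-dumped below.` Since the assert disappears under NDEBUG, the comment is also the only trace of the reasoning in release builds. X509_print_ex begins and ends outside the hunk.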
@@ -318,9 +322,7 @@ int X509_signature_print(BIO *bp, const X509_ALGOR *sigalg, int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) { char *s, *c, *b; - int ret = 0, l, i; - - l = 80 - 2 - obase; + int ret = 0, i; b = X509_NAME_oneline(name, NULL, 0); if (!b) @@ -347,12 +349,10 @@ int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) if (BIO_write(bp, ", ", 2) != 2) goto err; } - l--; } if (*s == '\0') break; s++; - l--; } ret = 1; diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/t_x509a.c b/Sources/CJWTKitBoringSSL/crypto/x509/t_x509a.c index dd3ad22c..25938b62 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/t_x509a.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/t_x509a.c @@ -102,8 +102,10 @@ int X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent) BIO_puts(out, "\n"); } else BIO_printf(out, "%*sNo Rejected Uses.\n", indent, ""); - if (aux->alias) - BIO_printf(out, "%*sAlias: %s\n", indent, "", aux->alias->data); + if (aux->alias) { + BIO_printf(out, "%*sAlias: %.*s\n", indent, "", aux->alias->length, + aux->alias->data); + } if (aux->keyid) { BIO_printf(out, "%*sKey Id: ", indent, ""); for (j = 0; j < aux->keyid->length; j++) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c index 23d4d161..7b172510 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_cmp.c @@ -101,7 +101,7 @@ int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) int X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { - return OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, 20); + return OPENSSL_memcmp(a->crl_hash, b->crl_hash, SHA256_DIGEST_LENGTH); } X509_NAME *X509_get_issuer_name(const X509 *a) 
@@ -154,7 +154,7 @@ unsigned long X509_subject_name_hash_old(X509 *x) */ int X509_cmp(const X509 *a, const X509 *b) { - /* Fill in the |sha1_hash| fields. + /* Fill in the |cert_hash| fields. * * TODO(davidben): This may fail, in which case the the hash will be all * zeros. This produces a consistent comparison (failures are sticky), but @@ -165,18 +165,7 @@ int X509_cmp(const X509 *a, const X509 *b) x509v3_cache_extensions((X509 *)a); x509v3_cache_extensions((X509 *)b); - int rv = OPENSSL_memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH); - if (rv) - return rv; - /* Check for match against stored encoding too */ - if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) { - rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len); - if (rv) - return rv; - return OPENSSL_memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc, - a->cert_info->enc.len); - } - return rv; + return OPENSSL_memcmp(a->cert_hash, b->cert_hash, SHA256_DIGEST_LENGTH); } int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c index 78ee7361..063f901e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_lu.c 
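Review bot: With the stored-encoding fallback removed, X509_cmp reports equality for any two certificates whose `cert_hash` bytes match, which includes the all-zeros case the comment above already warns about when x509v3_cache_extensions fails; the removed `cert_info->enc` comparison previously still told such certificates apart when neither encoding was modified. If that failure mode is accepted, say so where the comparison happens, e.g. `// Two certificates whose hashing failed compare equal.`, or surface the failure instead of comparing zeros. X509_CRL_match in the first hunk of this file relies on `crl_hash` the same way. The comment block this hunk edits starts in the previous hunk.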
@@ -332,81 +332,54 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name, return 1; } -int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) +static int x509_store_add(X509_STORE *ctx, void *x, int is_crl) { - X509_OBJECT *obj; - int ret = 1; - - if (x == NULL) + if (x == NULL) { return 0; - obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); + } + + X509_OBJECT *const obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); if (obj == NULL) { OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); return 0; } - obj->type = X509_LU_X509; - obj->data.x509 = x; - CRYPTO_MUTEX_lock_write(&ctx->objs_lock); - - X509_OBJECT_up_ref_count(obj); - - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); - OPENSSL_PUT_ERROR(X509, X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret = 0; - } else if (!sk_X509_OBJECT_push(ctx->objs, obj)) { - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); - OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); - ret = 0; + if (is_crl) { + obj->type = X509_LU_CRL; + obj->data.crl = (X509_CRL *)x; + } else { + obj->type = X509_LU_X509; + obj->data.x509 = (X509 *)x; } + X509_OBJECT_up_ref_count(obj); - CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); - - return ret; -} + CRYPTO_MUTEX_lock_write(&ctx->objs_lock); -int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) -{ - X509_OBJECT *obj; int ret = 1; - - if (x == NULL) - return 0; - obj = (X509_OBJECT *)OPENSSL_malloc(sizeof(X509_OBJECT)); - if (obj == NULL) { - OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); - return 0; + int added = 0; + /* Duplicates are silently ignored */ + if (!X509_OBJECT_retrieve_match(ctx->objs, obj)) { + ret = added = (sk_X509_OBJECT_push(ctx->objs, obj) != 0); } - obj->type = X509_LU_CRL; - obj->data.crl = x; - - CRYPTO_MUTEX_lock_write(&ctx->objs_lock); - X509_OBJECT_up_ref_count(obj); + CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); - if (X509_OBJECT_retrieve_match(ctx->objs, obj)) { + if (!added) { 
X509_OBJECT_free_contents(obj); OPENSSL_free(obj); - OPENSSL_PUT_ERROR(X509, X509_R_CERT_ALREADY_IN_HASH_TABLE); - ret = 0; - } else if (!sk_X509_OBJECT_push(ctx->objs, obj)) { - X509_OBJECT_free_contents(obj); - OPENSSL_free(obj); - OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); - ret = 0; } - CRYPTO_MUTEX_unlock_write(&ctx->objs_lock); - return ret; } -void X509_STORE_set0_additional_untrusted(X509_STORE *ctx, - STACK_OF(X509) *untrusted) { - ctx->additional_untrusted = untrusted; +int X509_STORE_add_cert(X509_STORE *ctx, X509 *x) +{ + return x509_store_add(ctx, x, /*is_crl=*/0); +} + +int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x) +{ + return x509_store_add(ctx, x, /*is_crl=*/1); } int X509_OBJECT_up_ref_count(X509_OBJECT *a) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_obj.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_obj.c index 7ae96084..8e13a938 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_obj.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_obj.c @@ -64,6 +64,7 @@ #include #include "../internal.h" +#include "internal.h" /* diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_set.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_set.c index 0b42b289..6178b5f3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_set.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_set.c @@ -74,7 +74,7 @@ long X509_get_version(const X509 *x509) int X509_set_version(X509 *x, long version) { - // TODO(davidben): Reject invalid version numbers. + // TODO(https://crbug.com/boringssl/467): Reject invalid version numbers. if (x == NULL) return (0); if (version == 0) { diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c index 3d212a44..bd783588 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_trs.c 
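Review bot: In `x509_store_add`, when `sk_X509_OBJECT_push` fails, `ret` becomes 0 and the object is freed, but no error is queued; the code it replaces pushed `ERR_R_MALLOC_FAILURE` there, and the `OPENSSL_malloc` failure a few lines above still does. Callers such as the new `goto err` paths in by_file.c therefore see a 0 return with nothing in the error queue. Suggest `if (!ret) { OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); }` after the unlock, next to the `if (!added)` cleanup. The `/* Duplicates are silently ignored */` comment correctly records the other behaviour change, so only the allocation path is missing.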
@@ -71,7 +71,6 @@ static int trust_1oid(X509_TRUST *trust, X509 *x, int flags); static int trust_compat(X509_TRUST *trust, X509 *x, int flags); static int obj_trust(int id, X509 *x, int flags); -static int (*default_trust) (int id, X509 *x, int flags) = obj_trust; /* * WARNING: the following table should be kept in order of trust and without @@ -106,14 +105,6 @@ static int tr_cmp(const X509_TRUST **a, const X509_TRUST **b) return (*a)->trust - (*b)->trust; } -int (*X509_TRUST_set_default(int (*trust) (int, X509 *, int))) (int, X509 *, - int) { - int (*oldtrust) (int, X509 *, int); - oldtrust = default_trust; - default_trust = trust; - return oldtrust; -} - int X509_check_trust(X509 *x, int id, int flags) { X509_TRUST *pt; @@ -130,7 +121,7 @@ int X509_check_trust(X509 *x, int id, int flags) } idx = X509_TRUST_get_by_id(id); if (idx == -1) - return default_trust(id, x, flags); + return obj_trust(id, x, flags); pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c index 22fc53de..f5e70b37 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vfy.c @@ -190,8 +190,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509_VERIFY_PARAM *param = ctx->param; int depth, i, ok = 0; int num, j, retry, trust; - int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; + if (ctx->cert == NULL) { OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); ctx->error = X509_V_ERR_INVALID_CALL; @@ -207,8 +207,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) return -1; } - cb = ctx->verify_cb; - /* * first we make sure the chain we are going to build is present and that * the first entry is in place 
@@ -222,8 +220,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) X509_up_ref(ctx->cert); ctx->last_untrusted = 1; - /* We use a temporary STACK so we can chop and hack at it. - * sktmp = ctx->untrusted ++ ctx->ctx->additional_untrusted */ + /* We use a temporary STACK so we can chop and hack at it. */ if (ctx->untrusted != NULL && (sktmp = sk_X509_dup(ctx->untrusted)) == NULL) { OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); @@ -231,28 +228,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx) goto end; } - if (ctx->ctx->additional_untrusted != NULL) { - if (sktmp == NULL) { - sktmp = sk_X509_new_null(); - if (sktmp == NULL) { - OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - goto end; - } - } - - for (size_t k = 0; k < sk_X509_num(ctx->ctx->additional_untrusted); - k++) { - if (!sk_X509_push(sktmp, - sk_X509_value(ctx->ctx->additional_untrusted, - k))) { - OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); - ctx->error = X509_V_ERR_OUT_OF_MEM; - goto end; - } - } - } - num = sk_X509_num(ctx->chain); x = sk_X509_value(ctx->chain, num - 1); depth = param->depth; @@ -354,7 +329,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (ok == 1) X509_free(xtmp); bad_chain = 1; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } else { @@ -480,7 +455,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) ctx->error_depth = num - 1; bad_chain = 1; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } @@ -510,7 +485,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) if (err != X509_V_OK) { ctx->error = err; ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } 
@@ -600,11 +575,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) { int i, ok = 0, plen = 0; X509 *x; - int (*cb) (int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; int allow_proxy_certs; - cb = ctx->verify_cb; enum { // ca_or_leaf allows either type of certificate so that direct use of @@ -635,7 +608,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error_depth = i; ctx->current_cert = x; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } @@ -643,7 +616,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error_depth = i; ctx->current_cert = x; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } @@ -674,7 +647,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) if (ret == 0) { ctx->error_depth = i; ctx->current_cert = x; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } @@ -685,7 +658,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error_depth = i; ctx->current_cert = x; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } @@ -697,7 +670,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } @@ -714,7 +687,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx) ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error_depth = i; ctx->current_cert = x; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } 
@@ -882,8 +855,6 @@ static int check_trust(X509_STORE_CTX *ctx) size_t i; int ok; X509 *x = NULL; - int (*cb) (int xok, X509_STORE_CTX *xctx); - cb = ctx->verify_cb; /* Check all trusted certificates in chain */ for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { x = sk_X509_value(ctx->chain, i); @@ -899,7 +870,7 @@ static int check_trust(X509_STORE_CTX *ctx) ctx->error_depth = i; ctx->current_cert = x; ctx->error = X509_V_ERR_CERT_REJECTED; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) return X509_TRUST_REJECTED; } @@ -1351,17 +1322,6 @@ static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, return; } } - - for (i = 0; i < sk_X509_num(ctx->ctx->additional_untrusted); i++) { - crl_issuer = sk_X509_value(ctx->ctx->additional_untrusted, i); - if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) - continue; - if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) { - *pissuer = crl_issuer; - *pcrl_score |= CRL_SCORE_AKID; - return; - } - } } /* @@ -1403,12 +1363,12 @@ static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) } /* - * RFC3280 says nothing about the relationship between CRL path and + * RFC 3280 says nothing about the relationship between CRL path and * certificate path, which could lead to situations where a certificate could - * be revoked or validated by a CA not authorised to do so. RFC5280 is more + * be revoked or validated by a CA not authorised to do so. RFC 5280 is more * strict and states that the two paths must end in the same trust anchor, * though some discussions remain... until this is resolved we use the - * RFC5280 version + * RFC 5280 version */ static int check_crl_chain(X509_STORE_CTX *ctx, @@ -1826,9 +1786,6 @@ static int internal_verify(X509_STORE_CTX *ctx) int ok = 0, n; X509 *xs, *xi; EVP_PKEY *pkey = NULL; - int (*cb) (int xok, X509_STORE_CTX *xctx); - - cb = ctx->verify_cb; n = sk_X509_num(ctx->chain); ctx->error_depth = n - 1; 
@@ -1845,7 +1802,7 @@ static int internal_verify(X509_STORE_CTX *ctx) if (n <= 0) { ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->current_cert = xi; - ok = cb(0, ctx); + ok = ctx->verify_cb(0, ctx); goto end; } else { n--; @@ -1867,13 +1824,13 @@ static int internal_verify(X509_STORE_CTX *ctx) if ((pkey = X509_get_pubkey(xi)) == NULL) { ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->current_cert = xi; - ok = (*cb) (0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) goto end; } else if (X509_verify(xs, pkey) <= 0) { ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->current_cert = xs; - ok = (*cb) (0, ctx); + ok = ctx->verify_cb(0, ctx); if (!ok) { EVP_PKEY_free(pkey); goto end; @@ -1891,7 +1848,7 @@ static int internal_verify(X509_STORE_CTX *ctx) /* The last error (if any) is still in the error value */ ctx->current_issuer = xi; ctx->current_cert = xs; - ok = (*cb) (1, ctx); + ok = ctx->verify_cb(1, ctx); if (!ok) goto end; @@ -1919,8 +1876,8 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) int i, day, sec, ret = 0; /* - * Note that ASN.1 allows much more slack in the time format than RFC5280. - * In RFC5280, the representation is fixed: + * Note that ASN.1 allows much more slack in the time format than RFC 5280. + * In RFC 5280, the representation is fixed: * UTCTime: YYMMDDHHMMSSZ * GeneralizedTime: YYYYMMDDHHMMSSZ * diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c index f3ce024b..3d410a1a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509_vpm.c @@ -528,7 +528,7 @@ static const X509_VERIFY_PARAM default_table[] = { (char *)"default", /* X509 default parameters */ 0, /* Check time */ 0, /* internal flags */ - 0, /* flags */ + X509_V_FLAG_TRUSTED_FIRST, /* flags */ 0, /* purpose */ 0, /* trust */ 100, /* depth */ 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509cset.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509cset.c index e3960991..92c5d986 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509cset.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509cset.c @@ -64,6 +64,9 @@ int X509_CRL_set_version(X509_CRL *x, long version) { + /* TODO(https://crbug.com/boringssl/467): Reject invalid version + * numbers. Also correctly handle |X509_CRL_VERSION_1|, which should omit + * the encoding. */ if (x == NULL) return (0); if (x->crl->version == NULL) { @@ -116,16 +119,8 @@ int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) int X509_CRL_sort(X509_CRL *c) { - size_t i; - X509_REVOKED *r; - /* - * sort the data so it will be written in serial number order - */ + /* Sort the data so it will be written in serial number order. */ sk_X509_REVOKED_sort(c->crl->revoked); - for (i = 0; i < sk_X509_REVOKED_num(c->crl->revoked); i++) { - r = sk_X509_REVOKED_value(c->crl->revoked, i); - r->sequence = i; - } c->crl->enc.modified = 1; return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c index b7719fe6..7466a696 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509name.c @@ -64,6 +64,7 @@ #include #include "../internal.h" +#include "internal.h" int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, char *buf, @@ -367,10 +368,7 @@ int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, if (!i) return (0); if (type != V_ASN1_UNDEF) { - if (type == V_ASN1_APP_CHOOSE) - ne->value->type = ASN1_PRINTABLE_type(bytes, len); - else - ne->value->type = type; + ne->value->type = type; } return (1); } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x509rset.c b/Sources/CJWTKitBoringSSL/crypto/x509/x509rset.c index 2ef6e0c9..131c3035 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x509rset.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x509rset.c 
@@ -64,6 +64,8 @@ int X509_REQ_set_version(X509_REQ *x, long version) { + /* TODO(https://crbug.com/boringssl/467): Reject invalid version + * numbers. */ if (x == NULL) return (0); return (ASN1_INTEGER_set(x->req_info->version, version)); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c index 071249c3..a3c70cf2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_crl.c @@ -127,7 +127,10 @@ static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, * affect the output of X509_CRL_print(). */ case ASN1_OP_D2I_POST: - /* TODO(davidben): Check that default |versions| are never encoded and + /* TODO(https://crbug.com/boringssl/467): Reject invalid version + * numbers. + * + * TODO(davidben): Check that default |versions| are never encoded and * that |extensions| is only present in v2. */ (void)sk_X509_REVOKED_set_cmp_func(a->revoked, X509_REVOKED_cmp); @@ -248,7 +251,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, break; case ASN1_OP_D2I_POST: - if (!X509_CRL_digest(crl, EVP_sha1(), crl->sha1_hash, NULL)) { + if (!X509_CRL_digest(crl, EVP_sha256(), crl->crl_hash, NULL)) { return 0; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c index 3d17ef3f..79042285 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_name.c @@ -68,6 +68,7 @@ #include "../asn1/internal.h" #include "../internal.h" +#include "internal.h" typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; 
@@ -260,17 +261,13 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) { - int ret; X509_NAME *a = (X509_NAME *)*val; - if (a->modified) { - ret = x509_name_encode(a); - if (ret < 0) - return ret; - ret = x509_name_canon(a); - if (ret < 0) - return ret; + if (a->modified && + (!x509_name_encode(a) || + !x509_name_canon(a))) { + return -1; } - ret = a->bytes->length; + int ret = a->bytes->length; if (out != NULL) { OPENSSL_memcpy(*out, a->bytes->data, ret); *out += ret; @@ -306,22 +303,29 @@ static int x509_name_encode(X509_NAME *a) goto memerr; } ASN1_VALUE *intname_val = (ASN1_VALUE *)intname; - len = ASN1_item_ex_i2d(&intname_val, NULL, - ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); + len = + ASN1_item_ex_i2d(&intname_val, NULL, ASN1_ITEM_rptr(X509_NAME_INTERNAL), + /*tag=*/-1, /*aclass=*/0); + if (len <= 0) { + goto err; + } if (!BUF_MEM_grow(a->bytes, len)) goto memerr; p = (unsigned char *)a->bytes->data; - ASN1_item_ex_i2d(&intname_val, - &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1); + if (ASN1_item_ex_i2d(&intname_val, &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), + /*tag=*/-1, /*aclass=*/0) <= 0) { + goto err; + } sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, local_sk_X509_NAME_ENTRY_free); a->modified = 0; - return len; + return 1; memerr: + OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); +err: sk_STACK_OF_X509_NAME_ENTRY_pop_free(intname, local_sk_X509_NAME_ENTRY_free); - OPENSSL_PUT_ERROR(X509, ERR_R_MALLOC_FAILURE); - return -1; + return 0; } /* @@ -503,8 +507,8 @@ static int i2d_name_canon(STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname, len = 0; for (i = 0; i < sk_ASN1_VALUE_num(intname); i++) { v = sk_ASN1_VALUE_value(intname, i); - ltmp = ASN1_item_ex_i2d(&v, in, - ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1); + ltmp = ASN1_item_ex_i2d(&v, in, ASN1_ITEM_rptr(X509_NAME_ENTRIES), + /*tag=*/-1, /*aclass=*/0); if (ltmp < 0) return ltmp; len += ltmp; 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_req.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_req.c index 121859b1..83db57ec 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_req.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_req.c @@ -82,6 +82,9 @@ static int rinf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, if (!rinf->attributes) return 0; } + + /* TODO(https://crbug.com/boringssl/467): Add an |ASN1_OP_D2I_POST| callback + * and check the version. */ return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c index 3fafd7af..cab19065 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509.c @@ -69,6 +69,7 @@ #include #include "../internal.h" +#include "internal.h" static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT; @@ -128,14 +129,14 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, } } - /* Per RFC5280, section 4.1.2.8, these fields require v2 or v3. */ + /* Per RFC 5280, section 4.1.2.8, these fields require v2 or v3. */ if (version == 0 && (ret->cert_info->issuerUID != NULL || ret->cert_info->subjectUID != NULL)) { OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION); return 0; } - /* Per RFC5280, section 4.1.2.9, extensions require v3. */ + /* Per RFC 5280, section 4.1.2.9, extensions require v3. */ if (version != 2 && ret->cert_info->extensions != NULL) { OPENSSL_PUT_ERROR(X509, X509_R_INVALID_FIELD_FOR_VERSION); return 0; @@ -288,13 +289,15 @@ static int i2d_x509_aux_internal(X509 *a, unsigned char **pp) return length; } - tmplen = i2d_X509_CERT_AUX(a->aux, pp); - if (tmplen < 0) { - if (start != NULL) - *pp = start; - return tmplen; + if (a->aux != NULL) { + tmplen = i2d_X509_CERT_AUX(a->aux, pp); + if (tmplen < 0) { + if (start != NULL) + *pp = start; + return tmplen; + } + length += tmplen; } - length += tmplen; return length; } 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c index c72fca33..dc3b6916 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509/x_x509a.c @@ -78,7 +78,6 @@ ASN1_SEQUENCE(X509_CERT_AUX) = { ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, reject, ASN1_OBJECT, 0), ASN1_OPT(X509_CERT_AUX, alias, ASN1_UTF8STRING), ASN1_OPT(X509_CERT_AUX, keyid, ASN1_OCTET_STRING), - ASN1_IMP_SEQUENCE_OF_OPT(X509_CERT_AUX, other, X509_ALGOR, 1) } ASN1_SEQUENCE_END(X509_CERT_AUX) IMPLEMENT_ASN1_FUNCTIONS(X509_CERT_AUX) @@ -95,6 +94,9 @@ static X509_CERT_AUX *aux_get(X509 *x) int X509_alias_set1(X509 *x, const unsigned char *name, int len) { X509_CERT_AUX *aux; + /* TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the + * getters cannot quite represent them. Also erase the object if |len| is + * zero. */ if (!name) { if (!x || !x->aux || !x->aux->alias) return 1; @@ -112,6 +114,9 @@ int X509_alias_set1(X509 *x, const unsigned char *name, int len) int X509_keyid_set1(X509 *x, const unsigned char *id, int len) { X509_CERT_AUX *aux; + /* TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the + * getters cannot quite represent them. Also erase the object if |len| is + * zero. */ if (!id) { if (!x || !x->aux || !x->aux->keyid) return 1; 
@@ -126,22 +131,22 @@ int X509_keyid_set1(X509 *x, const unsigned char *id, int len) return ASN1_STRING_set(aux->keyid, id, len); } -unsigned char *X509_alias_get0(X509 *x, int *len) +unsigned char *X509_alias_get0(X509 *x, int *out_len) { - if (!x->aux || !x->aux->alias) - return NULL; - if (len) - *len = x->aux->alias->length; - return x->aux->alias->data; + const ASN1_UTF8STRING *alias = x->aux != NULL ? x->aux->alias : NULL; + if (out_len != NULL) { + *out_len = alias != NULL ? alias->length : 0; + } + return alias != NULL ? alias->data : NULL; } -unsigned char *X509_keyid_get0(X509 *x, int *len) +unsigned char *X509_keyid_get0(X509 *x, int *out_len) { - if (!x->aux || !x->aux->keyid) - return NULL; - if (len) - *len = x->aux->keyid->length; - return x->aux->keyid->data; + const ASN1_OCTET_STRING *keyid = x->aux != NULL ? x->aux->keyid : NULL; + if (out_len != NULL) { + *out_len = keyid != NULL ? keyid->length : 0; + } + return keyid != NULL ? keyid->data : NULL; } int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h b/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h index 3b9a8206..9dd62825 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/internal.h 
@@ -1,42 +1,90 @@ -/* Copyright (c) 2018, Google Inc. +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 2004. + */ +/* ==================================================================== + * Copyright (c) 2004 The OpenSSL Project. All rights reserved. * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. 
For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ #ifndef OPENSSL_HEADER_X509V3_INTERNAL_H #define OPENSSL_HEADER_X509V3_INTERNAL_H #include +#include +#include +#include + #if defined(__cplusplus) extern "C" { #endif -// x509v3_bytes_to_hex encodes |len| bytes from |buffer| to hex and returns a +// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a // newly-allocated NUL-terminated string containing the result, or NULL on // allocation error. 
// -// Note this function was historically named |hex_to_string| in OpenSSL, not -// |string_to_hex|. -char *x509v3_bytes_to_hex(const unsigned char *buffer, long len); +// This function was historically named |hex_to_string| in OpenSSL. Despite the +// name, |hex_to_string| converted to hex. +OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len); // x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated // array containing the result, or NULL on error. On success, it sets |*len| to // the length of the result. Colon separators between bytes in the input are // allowed and ignored. // -// Note this function was historically named |string_to_hex| in OpenSSL, not -// |hex_to_string|. +// This function was historically named |string_to_hex| in OpenSSL. Despite the +// name, |string_to_hex| converted from hex. unsigned char *x509v3_hex_to_bytes(const char *str, long *len); // x509v3_name_cmp returns zero if |name| is equal to |cmp| or begins with |cmp| 
@@ -67,6 +115,172 @@ typedef struct { const char *sname; } BIT_STRING_BITNAME; +// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name +// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a +// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and +// zero on error. +int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, + STACK_OF(CONF_VALUE) **extlist); + +typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; + +DEFINE_STACK_OF(X509_POLICY_DATA) + +/* Internal structures */ + +/* + * This structure and the field names correspond to the Policy 'node' of + * RFC 3280. NB this structure contains no pointers to parent or child data: + * X509_POLICY_NODE contains that. This means that the main policy data can + * be kept static and cached with the certificate. + */ + +struct X509_POLICY_DATA_st { + unsigned int flags; + /* Policy OID and qualifiers for this data */ + ASN1_OBJECT *valid_policy; + STACK_OF(POLICYQUALINFO) *qualifier_set; + STACK_OF(ASN1_OBJECT) *expected_policy_set; +}; + +/* X509_POLICY_DATA flags values */ + +/* + * This flag indicates the structure has been mapped using a policy mapping + * extension. If policy mapping is not active its references get deleted. + */ + +#define POLICY_DATA_FLAG_MAPPED 0x1 + +/* + * This flag indicates the data doesn't correspond to a policy in Certificate + * Policies: it has been mapped to any policy. 
+ */ + +#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 + +/* AND with flags to see if any mapping has occurred */ + +#define POLICY_DATA_FLAG_MAP_MASK 0x3 + +/* qualifiers are shared and shouldn't be freed */ + +#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 + +/* Parent node is an extra node and should be freed */ + +#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 + +/* Corresponding CertificatePolicies is critical */ + +#define POLICY_DATA_FLAG_CRITICAL 0x10 + +/* This structure is cached with a certificate */ + +struct X509_POLICY_CACHE_st { + /* anyPolicy data or NULL if no anyPolicy */ + X509_POLICY_DATA *anyPolicy; + /* other policy data */ + STACK_OF(X509_POLICY_DATA) *data; + /* If InhibitAnyPolicy present this is its value or -1 if absent. */ + long any_skip; + /* + * If policyConstraints and requireExplicitPolicy present this is its + * value or -1 if absent. + */ + long explicit_skip; + /* + * If policyConstraints and policyMapping present this is its value or -1 + * if absent. + */ + long map_skip; +}; + +/* + * #define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL + */ + +/* This structure represents the relationship between nodes */ + +struct X509_POLICY_NODE_st { + /* node data this refers to */ + const X509_POLICY_DATA *data; + /* Parent node */ + X509_POLICY_NODE *parent; + /* Number of child nodes */ + int nchild; +}; + +struct X509_POLICY_LEVEL_st { + /* Cert for this level */ + X509 *cert; + /* nodes at this level */ + STACK_OF(X509_POLICY_NODE) *nodes; + /* anyPolicy node */ + X509_POLICY_NODE *anyPolicy; + /* Extra data */ + /* + * STACK_OF(X509_POLICY_DATA) *extra_data; + */ + unsigned int flags; +}; + +struct X509_POLICY_TREE_st { + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; + /* + * Extra policy data when additional nodes (not from the certificate) are + * required. 
+ */ + STACK_OF(X509_POLICY_DATA) *extra_data; + /* This is the authority constained policy set */ + STACK_OF(X509_POLICY_NODE) *auth_policies; + STACK_OF(X509_POLICY_NODE) *user_policies; + unsigned int flags; +}; + +/* Set if anyPolicy present in user policies */ +#define POLICY_FLAG_ANY_POLICY 0x2 + +/* Useful macros */ + +#define node_data_critical(data) ((data)->flags & POLICY_DATA_FLAG_CRITICAL) +#define node_critical(node) node_data_critical((node)->data) + +/* Internal functions */ + +X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, + int crit); +void policy_data_free(X509_POLICY_DATA *data); + +X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, + const ASN1_OBJECT *id); +int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); + +STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); + +void policy_cache_init(void); + +void policy_cache_free(X509_POLICY_CACHE *cache); + +X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, + const X509_POLICY_NODE *parent, + const ASN1_OBJECT *id); + +X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + const ASN1_OBJECT *id); + +X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, + X509_POLICY_TREE *tree); +void policy_node_free(X509_POLICY_NODE *node); +int policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); + +const X509_POLICY_CACHE *policy_cache_set(X509 *x); + #if defined(__cplusplus) } /* extern C */ diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_cache.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_cache.c index 0f2a96e0..7a77803a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_cache.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_cache.c 
@@ -60,8 +60,9 @@ #include #include -#include "pcy_int.h" #include "../internal.h" +#include "../x509/internal.h" +#include "internal.h" static int policy_data_cmp(const X509_POLICY_DATA **a, const X509_POLICY_DATA **b); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_data.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_data.c index a1e6724d..ebff3fbd 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_data.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_data.c @@ -62,7 +62,7 @@ #include #include -#include "pcy_int.h" +#include "internal.h" /* Policy Node routines */ @@ -79,7 +79,7 @@ void policy_data_free(X509_POLICY_DATA *data) /* * Create a data based on an existing policy. If 'id' is NULL use the oid in * the policy, otherwise use 'id'. This behaviour covers the two types of - * data in RFC3280: data with from a CertificatePolcies extension and + * data in RFC 3280: data with from a CertificatePolcies extension and * additional data with just the qualifiers of anyPolicy and ID from another * source. */ diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_int.h b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_int.h deleted file mode 100644 index fc6e20a9..00000000 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_int.h +++ /dev/null 
@@ -1,217 +0,0 @@ -/* pcy_int.h */ -/* - * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project - * 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; - -DEFINE_STACK_OF(X509_POLICY_DATA) - -/* Internal structures */ - -/* - * This structure and the field names correspond to the Policy 'node' of - * RFC3280. NB this structure contains no pointers to parent or child data: - * X509_POLICY_NODE contains that. This means that the main policy data can - * be kept static and cached with the certificate. - */ - -struct X509_POLICY_DATA_st { - unsigned int flags; - /* Policy OID and qualifiers for this data */ - ASN1_OBJECT *valid_policy; - STACK_OF(POLICYQUALINFO) *qualifier_set; - STACK_OF(ASN1_OBJECT) *expected_policy_set; -}; - -/* X509_POLICY_DATA flags values */ - -/* - * This flag indicates the structure has been mapped using a policy mapping - * extension. If policy mapping is not active its references get deleted. - */ - -#define POLICY_DATA_FLAG_MAPPED 0x1 - -/* - * This flag indicates the data doesn't correspond to a policy in Certificate - * Policies: it has been mapped to any policy. 
- */ - -#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 - -/* AND with flags to see if any mapping has occurred */ - -#define POLICY_DATA_FLAG_MAP_MASK 0x3 - -/* qualifiers are shared and shouldn't be freed */ - -#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 - -/* Parent node is an extra node and should be freed */ - -#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 - -/* Corresponding CertificatePolicies is critical */ - -#define POLICY_DATA_FLAG_CRITICAL 0x10 - -/* This structure is cached with a certificate */ - -struct X509_POLICY_CACHE_st { - /* anyPolicy data or NULL if no anyPolicy */ - X509_POLICY_DATA *anyPolicy; - /* other policy data */ - STACK_OF(X509_POLICY_DATA) *data; - /* If InhibitAnyPolicy present this is its value or -1 if absent. */ - long any_skip; - /* - * If policyConstraints and requireExplicitPolicy present this is its - * value or -1 if absent. - */ - long explicit_skip; - /* - * If policyConstraints and policyMapping present this is its value or -1 - * if absent. - */ - long map_skip; -}; - -/* - * #define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL - */ - -/* This structure represents the relationship between nodes */ - -struct X509_POLICY_NODE_st { - /* node data this refers to */ - const X509_POLICY_DATA *data; - /* Parent node */ - X509_POLICY_NODE *parent; - /* Number of child nodes */ - int nchild; -}; - -struct X509_POLICY_LEVEL_st { - /* Cert for this level */ - X509 *cert; - /* nodes at this level */ - STACK_OF(X509_POLICY_NODE) *nodes; - /* anyPolicy node */ - X509_POLICY_NODE *anyPolicy; - /* Extra data */ - /* - * STACK_OF(X509_POLICY_DATA) *extra_data; - */ - unsigned int flags; -}; - -struct X509_POLICY_TREE_st { - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; - /* - * Extra policy data when additional nodes (not from the certificate) are - * required. 
- */ - STACK_OF(X509_POLICY_DATA) *extra_data; - /* This is the authority constained policy set */ - STACK_OF(X509_POLICY_NODE) *auth_policies; - STACK_OF(X509_POLICY_NODE) *user_policies; - unsigned int flags; -}; - -/* Set if anyPolicy present in user policies */ -#define POLICY_FLAG_ANY_POLICY 0x2 - -/* Useful macros */ - -#define node_data_critical(data) ((data)->flags & POLICY_DATA_FLAG_CRITICAL) -#define node_critical(node) node_data_critical((node)->data) - -/* Internal functions */ - -X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, - int crit); -void policy_data_free(X509_POLICY_DATA *data); - -X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id); -int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); - -STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); - -void policy_cache_init(void); - -void policy_cache_free(X509_POLICY_CACHE *cache); - -X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - const X509_POLICY_NODE *parent, - const ASN1_OBJECT *id); - -X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - const ASN1_OBJECT *id); - -X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree); -void policy_node_free(X509_POLICY_NODE *node); -int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); - -const X509_POLICY_CACHE *policy_cache_set(X509 *x); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_lib.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_lib.c index b4bbea04..48daa929 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_lib.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_lib.c @@ -58,7 +58,7 @@ #include #include -#include "pcy_int.h" +#include "internal.h" /* accessor functions */ 
diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_map.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_map.c index 58045d5c..3bc2553a 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_map.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_map.c @@ -61,7 +61,8 @@ #include #include -#include "pcy_int.h" +#include "../x509/internal.h" +#include "internal.h" /* * Set policy mapping entries in cache. Note: this modifies the passed diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_node.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_node.c index 5315875f..59d32da2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_node.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_node.c @@ -61,7 +61,7 @@ #include #include -#include "pcy_int.h" +#include "internal.h" static int node_cmp(const X509_POLICY_NODE **a, const X509_POLICY_NODE **b) { diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_tree.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_tree.c index bf1c1c4f..f2c96ca3 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_tree.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/pcy_tree.c @@ -65,8 +65,9 @@ #include #include -#include "pcy_int.h" #include "../internal.h" +#include "../x509/internal.h" +#include "internal.h" /* * Enable this to print out the complete policy tree at various point during @@ -332,7 +333,7 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, } /* - * This corresponds to RFC3280 6.1.3(d)(1): link any data from + * This corresponds to RFC 3280 6.1.3(d)(1): link any data from * CertificatePolicies onto matching parent or anyPolicy if no match. */ @@ -365,7 +366,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, } /* - * This corresponds to RFC3280 6.1.3(d)(2): Create new data for any unmatched + * This corresponds to RFC 3280 6.1.3(d)(2): Create new data for any unmatched * policies in the parent and link to anyPolicy. */ 
@@ -500,7 +501,7 @@ static int tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) if (curr->flags & X509_V_FLAG_INHIBIT_MAP) { for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) { node = sk_X509_POLICY_NODE_value(nodes, i); - /* Delete any mapped data: see RFC3280 XXXX */ + /* Delete any mapped data: see RFC 3280 XXXX */ if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) { node->parent->nchild--; OPENSSL_free(node); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c index 0ea08c9b..516cfae2 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_akey.c @@ -93,20 +93,36 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, STACK_OF(CONF_VALUE) *extlist) { - char *tmp; + int extlist_was_null = extlist == NULL; if (akeyid->keyid) { - tmp = x509v3_bytes_to_hex(akeyid->keyid->data, akeyid->keyid->length); - X509V3_add_value("keyid", tmp, &extlist); + char *tmp = x509v3_bytes_to_hex(akeyid->keyid->data, + akeyid->keyid->length); + int ok = tmp != NULL && X509V3_add_value("keyid", tmp, &extlist); OPENSSL_free(tmp); + if (!ok) { + goto err; + } + } + if (akeyid->issuer) { + STACK_OF(CONF_VALUE) *tmpextlist = + i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); + if (tmpextlist == NULL) { + goto err; + } + extlist = tmpextlist; } - if (akeyid->issuer) - extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); if (akeyid->serial) { - tmp = x509v3_bytes_to_hex(akeyid->serial->data, akeyid->serial->length); - X509V3_add_value("serial", tmp, &extlist); - OPENSSL_free(tmp); + if (!X509V3_add_value_int("serial", akeyid->serial, &extlist)) { + goto err; + } } return extlist; + +err: + if (extlist_was_null) { + sk_CONF_VALUE_pop_free(extlist, X509V3_conf_free); + } + return NULL; } /* diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c index 5e36dfa3..0adf0c01 100644 
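Review bot: The ownership rule the new `err` path implements is not written down: on failure the function frees `extlist` only when the caller passed NULL, otherwise it returns NULL and leaves the caller's list in place, possibly already carrying the `keyid` entry appended by the first branch before `i2v_GENERAL_NAMES` or `X509V3_add_value_int` failed. A reader has to trace `extlist_was_null` through both `goto err` sites to work this out, and the same convention is used by `i2v_GENERAL_NAMES` and `x509V3_add_len_value` elsewhere in this change, so it deserves a sentence above the function: `/* Returns the extended list, or NULL on error. On error |extlist| is freed only if it was NULL on entry; otherwise the caller still owns it, including any entries added before the failure. */`. The function's signature begins outside this hunk.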
--- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_alt.c @@ -64,6 +64,7 @@ #include #include +#include "../x509/internal.h" #include "internal.h" @@ -104,11 +105,17 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret) { - size_t i; - GENERAL_NAME *gen; - for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { - gen = sk_GENERAL_NAME_value(gens, i); - ret = i2v_GENERAL_NAME(method, gen, ret); + int ret_was_null = ret == NULL; + for (size_t i = 0; i < sk_GENERAL_NAME_num(gens); i++) { + GENERAL_NAME *gen = sk_GENERAL_NAME_value(gens, i); + STACK_OF(CONF_VALUE) *tmp = i2v_GENERAL_NAME(method, gen, ret); + if (tmp == NULL) { + if (ret_was_null) { + sk_CONF_VALUE_pop_free(ret, X509V3_conf_free); + } + return NULL; + } + ret = tmp; } if (!ret) return sk_CONF_VALUE_new_null(); @@ -119,6 +126,9 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) { + /* Note the error-handling for this function relies on there being at most + * one |X509V3_add_value| call. If there were two and the second failed, we + * would need to sometimes free the first call's result. */ unsigned char *p; char oline[256], htmp[5]; int i; @@ -139,17 +149,17 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, break; case GEN_EMAIL: - if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret)) + if (!x509V3_add_value_asn1_string("email", gen->d.ia5, &ret)) return NULL; break; case GEN_DNS: - if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret)) + if (!x509V3_add_value_asn1_string("DNS", gen->d.ia5, &ret)) return NULL; break; case GEN_URI: - if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret)) + if (!x509V3_add_value_asn1_string("URI", gen->d.ia5, &ret)) return NULL; break; 
@@ -162,12 +172,13 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, case GEN_IPADD: p = gen->d.ip->data; if (gen->d.ip->length == 4) - BIO_snprintf(oline, sizeof oline, + BIO_snprintf(oline, sizeof(oline), "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); else if (gen->d.ip->length == 16) { oline[0] = 0; for (i = 0; i < 8; i++) { - BIO_snprintf(htmp, sizeof htmp, "%X", p[0] << 8 | p[1]); + uint16_t v = ((uint16_t)p[0] << 8) | p[1]; + BIO_snprintf(htmp, sizeof(htmp), "%X", v); p += 2; OPENSSL_strlcat(oline, htmp, sizeof(oline)); if (i != 7) @@ -236,7 +247,8 @@ int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) else if (gen->d.ip->length == 16) { BIO_printf(out, "IP Address"); for (i = 0; i < 8; i++) { - BIO_printf(out, ":%X", p[0] << 8 | p[1]); + uint16_t v = ((uint16_t)p[0] << 8) | p[1]; + BIO_printf(out, ":%X", v); p += 2; } BIO_puts(out, "\n"); diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c index b58e420c..a96925e4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_cpols.c @@ -70,7 +70,6 @@ #include #include "internal.h" -#include "pcy_int.h" /* Certificate policies extension support: this one is a bit complex... */ @@ -432,8 +431,8 @@ static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, qualinfo = sk_POLICYQUALINFO_value(quals, i); switch (OBJ_obj2nid(qualinfo->pqualid)) { case NID_id_qt_cps: - BIO_printf(out, "%*sCPS: %s\n", indent, "", - qualinfo->d.cpsuri->data); + BIO_printf(out, "%*sCPS: %.*s\n", indent, "", + qualinfo->d.cpsuri->length, qualinfo->d.cpsuri->data); break; case NID_id_qt_unotice: 
@@ -457,8 +456,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent) if (notice->noticeref) { NOTICEREF *ref; ref = notice->noticeref; - BIO_printf(out, "%*sOrganization: %s\n", indent, "", - ref->organization->data); + BIO_printf(out, "%*sOrganization: %.*s\n", indent, "", + ref->organization->length, ref->organization->data); BIO_printf(out, "%*sNumber%s: ", indent, "", sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : ""); for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) { @@ -480,8 +479,8 @@ static void print_notice(BIO *out, USERNOTICE *notice, int indent) BIO_puts(out, "\n"); } if (notice->exptext) - BIO_printf(out, "%*sExplicit Text: %s\n", indent, "", - notice->exptext->data); + BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "", + notice->exptext->length, notice->exptext->data); } void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c index 920dadf3..eaf53e43 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_crld.c @@ -67,6 +67,7 @@ #include #include "internal.h" +#include "../x509/internal.h" static void *v2i_crld(const X509V3_EXT_METHOD *method, diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c index c7ef608e..7d00bb7c 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_lib.c 
@@ -213,10 +213,27 @@ void *X509V3_EXT_d2i(const X509_EXTENSION *ext) if (!(method = X509V3_EXT_get(ext))) return NULL; p = ext->value->data; - if (method->it) - return ASN1_item_d2i(NULL, &p, ext->value->length, - ASN1_ITEM_ptr(method->it)); - return method->d2i(NULL, &p, ext->value->length); + void *ret; + if (method->it) { + ret = ASN1_item_d2i(NULL, &p, ext->value->length, + ASN1_ITEM_ptr(method->it)); + } else { + ret = method->d2i(NULL, &p, ext->value->length); + } + if (ret == NULL) { + return NULL; + } + /* Check for trailing data. */ + if (p != ext->value->data + ext->value->length) { + if (method->it) { + ASN1_item_free(ret, ASN1_ITEM_ptr(method->it)); + } else { + method->ext_free(ret); + } + OPENSSL_PUT_ERROR(X509V3, X509V3_R_TRAILING_DATA_IN_EXTENSION); + return NULL; + } + return ret; } void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, int nid, diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c index 4b180d5e..11688f87 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_ncons.c @@ -66,6 +66,7 @@ #include #include "../internal.h" +#include "../x509/internal.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, @@ -202,7 +203,8 @@ static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip) p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]); } else if (len == 32) { for (i = 0; i < 16; i++) { - BIO_printf(bp, "%X", p[0] << 8 | p[1]); + uint16_t v = ((uint16_t)p[0] << 8) | p[1]; + BIO_printf(bp, "%X", v); p += 2; if (i == 7) BIO_puts(bp, "/"); 
@@ -389,25 +391,73 @@ static int nc_dn(X509_NAME *nm, X509_NAME *base) return X509_V_OK; } +static int starts_with(const CBS *cbs, uint8_t c) +{ + return CBS_len(cbs) > 0 && CBS_data(cbs)[0] == c; +} + +static int equal_case(const CBS *a, const CBS *b) +{ + if (CBS_len(a) != CBS_len(b)) { + return 0; + } + /* Note we cannot use |OPENSSL_strncasecmp| because that would stop + * iterating at NUL. */ + const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b); + for (size_t i = 0; i < CBS_len(a); i++) { + if (OPENSSL_tolower(a_data[i]) != OPENSSL_tolower(b_data[i])) { + return 0; + } + } + return 1; +} + +static int has_suffix_case(const CBS *a, const CBS *b) +{ + if (CBS_len(a) < CBS_len(b)) { + return 0; + } + CBS copy = *a; + CBS_skip(©, CBS_len(a) - CBS_len(b)); + return equal_case(©, b); +} + static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) { - char *baseptr = (char *)base->data; - char *dnsptr = (char *)dns->data; + CBS dns_cbs, base_cbs; + CBS_init(&dns_cbs, dns->data, dns->length); + CBS_init(&base_cbs, base->data, base->length); + /* Empty matches everything */ - if (!*baseptr) + if (CBS_len(&base_cbs) == 0) { return X509_V_OK; + } + + /* If |base_cbs| begins with a '.', do a simple suffix comparison. This is + * not part of RFC5280, but is part of OpenSSL's original behavior. */ + if (starts_with(&base_cbs, '.')) { + if (has_suffix_case(&dns_cbs, &base_cbs)) { + return X509_V_OK; + } + return X509_V_ERR_PERMITTED_VIOLATION; + } + /* * Otherwise can add zero or more components on the left so compare RHS * and if dns is longer and expect '.' as preceding character. */ - if (dns->length > base->length) { - dnsptr += dns->length - base->length; - if (*baseptr != '.' 
&& dnsptr[-1] != '.') + if (CBS_len(&dns_cbs) > CBS_len(&base_cbs)) { + uint8_t dot; + if (!CBS_skip(&dns_cbs, CBS_len(&dns_cbs) - CBS_len(&base_cbs) - 1) || + !CBS_get_u8(&dns_cbs, &dot) || + dot != '.') { return X509_V_ERR_PERMITTED_VIOLATION; + } } - if (OPENSSL_strcasecmp(baseptr, dnsptr)) + if (!equal_case(&dns_cbs, &base_cbs)) { return X509_V_ERR_PERMITTED_VIOLATION; + } return X509_V_OK; 
@@ -415,86 +465,94 @@ static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base) static int nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) { - const char *baseptr = (char *)base->data; - const char *emlptr = (char *)eml->data; - - const char *baseat = strchr(baseptr, '@'); - const char *emlat = strchr(emlptr, '@'); - if (!emlat) + CBS eml_cbs, base_cbs; + CBS_init(&eml_cbs, eml->data, eml->length); + CBS_init(&base_cbs, base->data, base->length); + + /* TODO(davidben): In OpenSSL 1.1.1, this switched from the first '@' to the + * last one. Match them here, or perhaps do an actual parse. Looks like + * multiple '@'s may be allowed in quoted strings. */ + CBS eml_local, base_local; + if (!CBS_get_until_first(&eml_cbs, &eml_local, '@')) { return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + } + int base_has_at = CBS_get_until_first(&base_cbs, &base_local, '@'); + /* Special case: inital '.' is RHS match */ - if (!baseat && (*baseptr == '.')) { - if (eml->length > base->length) { - emlptr += eml->length - base->length; - if (!OPENSSL_strcasecmp(baseptr, emlptr)) - return X509_V_OK; + if (!base_has_at && starts_with(&base_cbs, '.')) { + if (has_suffix_case(&eml_cbs, &base_cbs)) { + return X509_V_OK; } return X509_V_ERR_PERMITTED_VIOLATION; } /* If we have anything before '@' match local part */ - - if (baseat) { - if (baseat != baseptr) { - if ((baseat - baseptr) != (emlat - emlptr)) - return X509_V_ERR_PERMITTED_VIOLATION; + if (base_has_at) { + /* TODO(davidben): This interprets a constraint of "@example.com" as + * "example.com", which is not part of RFC5280. 
*/ + if (CBS_len(&base_local) > 0) { /* Case sensitive match of local part */ - if (strncmp(baseptr, emlptr, emlat - emlptr)) + if (!CBS_mem_equal(&base_local, CBS_data(&eml_local), + CBS_len(&eml_local))) { return X509_V_ERR_PERMITTED_VIOLATION; + } } /* Position base after '@' */ - baseptr = baseat + 1; + assert(starts_with(&base_cbs, '@')); + CBS_skip(&base_cbs, 1); } - emlptr = emlat + 1; + /* Just have hostname left to match: case insensitive */ - if (OPENSSL_strcasecmp(baseptr, emlptr)) + assert(starts_with(&eml_cbs, '@')); + CBS_skip(&eml_cbs, 1); + if (!equal_case(&base_cbs, &eml_cbs)) { return X509_V_ERR_PERMITTED_VIOLATION; + } return X509_V_OK; - } static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) { - const char *baseptr = (char *)base->data; - const char *hostptr = (char *)uri->data; - const char *p = strchr(hostptr, ':'); - int hostlen; + CBS uri_cbs, base_cbs; + CBS_init(&uri_cbs, uri->data, uri->length); + CBS_init(&base_cbs, base->data, base->length); + /* Check for foo:// and skip past it */ - if (!p || (p[1] != '/') || (p[2] != '/')) + CBS scheme; + uint8_t byte; + if (!CBS_get_until_first(&uri_cbs, &scheme, ':') || + !CBS_skip(&uri_cbs, 1) || // Skip the colon + !CBS_get_u8(&uri_cbs, &byte) || byte != '/' || + !CBS_get_u8(&uri_cbs, &byte) || byte != '/') { return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - hostptr = p + 3; - - /* Determine length of hostname part of URI */ - - /* Look for a port indicator as end of hostname first */ - - p = strchr(hostptr, ':'); - /* Otherwise look for trailing slash */ - if (!p) - p = strchr(hostptr, '/'); + } - if (!p) - hostlen = strlen(hostptr); - else - hostlen = p - hostptr; + /* Look for a port indicator as end of hostname first. Otherwise look for + * trailing slash, or the end of the string. + * TODO(davidben): This is not a correct URI parser and mishandles IPv6 + * literals. 
*/ + CBS host; + if (!CBS_get_until_first(&uri_cbs, &host, ':') && + !CBS_get_until_first(&uri_cbs, &host, '/')) { + host = uri_cbs; + } - if (hostlen == 0) + if (CBS_len(&host) == 0) { return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + } /* Special case: inital '.' is RHS match */ - if (*baseptr == '.') { - if (hostlen > base->length) { - p = hostptr + hostlen - base->length; - if (!OPENSSL_strncasecmp(p, baseptr, base->length)) - return X509_V_OK; + if (starts_with(&base_cbs, '.')) { + if (has_suffix_case(&host, &base_cbs)) { + return X509_V_OK; } return X509_V_ERR_PERMITTED_VIOLATION; } - if ((base->length != (int)hostlen) - || OPENSSL_strncasecmp(hostptr, baseptr, hostlen)) + if (!equal_case(&base_cbs, &host)) { return X509_V_ERR_PERMITTED_VIOLATION; + } return X509_V_OK; diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pci.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pci.c index c0316c4e..77c255a4 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pci.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_pci.c @@ -75,7 +75,8 @@ static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); BIO_puts(out, "\n"); if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) - BIO_printf(out, "%*sPolicy Text: %s\n", indent, "", + BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "", + pci->proxyPolicy->policy->length, pci->proxyPolicy->policy->data); return 1; } diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c index 5e383a0b..c15acf99 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_purp.c @@ -64,10 +64,10 @@ #include #include #include -#include #include #include "../internal.h" +#include "../x509/internal.h" #include "internal.h" #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) 
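Review bot: In `nc_uri` the host is cut at the first ':' anywhere after the `//`, so for a URI with no port whose path contains a ':' the extracted host runs on into the path and the constraint is compared against the wrong string; the original `strchr` code behaved the same way, and the new TODO only mentions IPv6 literals. Bounding the ':' search to the authority (the text before the first '/') keeps the `host:port/path` behaviour and makes the path case parse correctly, as sketched below. Separately, the new `assert(starts_with(...))` calls in `nc_email` need `<assert.h>`, which the include hunk for this file does not add—fine if it is already included above line 66, otherwise it will not compile. `nc_email` is complete in the hunk; `nc_uri`'s closing brace lies outside it.

```c
    /* … unchanged: scheme and "//" check … */

    /* Bound the host to the authority (the text before the first '/') before
     * looking for a port separator, so a ':' in the path is not mistaken for
     * one.
     * TODO(davidben): This is not a correct URI parser and mishandles IPv6
     * literals. */
    CBS authority;
    if (!CBS_get_until_first(&uri_cbs, &authority, '/')) {
        authority = uri_cbs;
    }
    CBS host;
    if (!CBS_get_until_first(&authority, &host, ':')) {
        host = authority;
    }

    /* … unchanged: empty-host check, leading-'.' suffix match, equality … */
```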
@@ -437,7 +437,7 @@ int x509v3_cache_extensions(X509 *x) return (x->ex_flags & EXFLAG_INVALID) == 0; } - if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL)) + if (!X509_digest(x, EVP_sha256(), x->cert_hash, NULL)) x->ex_flags |= EXFLAG_INVALID; /* V1 should mean no extensions ... */ if (X509_get_version(x) == X509_VERSION_1) diff --git a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c index 976888e4..e2141b3e 100644 --- a/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c +++ b/Sources/CJWTKitBoringSSL/crypto/x509v3/v3_utl.c @@ -63,6 +63,7 @@ #include #include +#include #include #include #include 
@@ -88,42 +89,69 @@ static int ipv6_hex(unsigned char *out, const char *in, int inlen); /* Add a CONF_VALUE name value pair to stack */ -int X509V3_add_value(const char *name, const char *value, - STACK_OF(CONF_VALUE) **extlist) +static int x509V3_add_len_value(const char *name, const char *value, + size_t value_len, int omit_value, + STACK_OF(CONF_VALUE) **extlist) { CONF_VALUE *vtmp = NULL; char *tname = NULL, *tvalue = NULL; + int extlist_was_null = *extlist == NULL; if (name && !(tname = OPENSSL_strdup(name))) - goto err; - if (value && !(tvalue = OPENSSL_strdup(value))) - goto err; + goto malloc_err; + if (!omit_value) { + /* |CONF_VALUE| cannot represent strings with NULs. */ + if (OPENSSL_memchr(value, 0, value_len)) { + OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE); + goto err; + } + tvalue = OPENSSL_strndup(value, value_len); + if (tvalue == NULL) { + goto malloc_err; + } + } if (!(vtmp = CONF_VALUE_new())) - goto err; + goto malloc_err; if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) - goto err; + goto malloc_err; vtmp->section = NULL; vtmp->name = tname; vtmp->value = tvalue; if (!sk_CONF_VALUE_push(*extlist, vtmp)) - goto err; + goto malloc_err; return 1; - err: + malloc_err: OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); - if (vtmp) - OPENSSL_free(vtmp); - if (tname) - OPENSSL_free(tname); - if (tvalue) - OPENSSL_free(tvalue); + err: + if (extlist_was_null) { + sk_CONF_VALUE_free(*extlist); + *extlist = NULL; + } + OPENSSL_free(vtmp); + OPENSSL_free(tname); + OPENSSL_free(tvalue); return 0; } +int X509V3_add_value(const char *name, const char *value, + STACK_OF(CONF_VALUE) **extlist) +{ + return x509V3_add_len_value(name, value, value != NULL ? 
strlen(value) : 0, + /*omit_value=*/value == NULL, extlist); +} + int X509V3_add_value_uchar(const char *name, const unsigned char *value, STACK_OF(CONF_VALUE) **extlist) { return X509V3_add_value(name, (const char *)value, extlist); } +int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, + STACK_OF(CONF_VALUE) **extlist) +{ + return x509V3_add_len_value(name, (const char *)value->data, value->length, + /*omit_value=*/0, extlist); +} + /* Free function for STACK_OF(CONF_VALUE) */ void X509V3_conf_free(CONF_VALUE *conf) @@ -268,7 +296,7 @@ ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value) return aint; } -int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, +int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, STACK_OF(CONF_VALUE) **extlist) { char *strtmp; 
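Review bot: `x509V3_add_len_value` is the new core of every `X509V3_add_value*` entry point but has no header comment, and its contract is not obvious from the body: `value_len` bytes of `value` are copied with `OPENSSL_strndup`, `omit_value` produces a name-only entry (so `value` may be NULL in that case), a value containing a NUL byte is rejected with `X509V3_R_INVALID_VALUE` rather than truncated, and on any failure a list that this call created is freed and `*extlist` reset to NULL while a caller-supplied list is left intact. A four-line comment above the function stating those four points would let callers such as `i2v_GENERAL_NAME` (which the same change documents as relying on at most one add call) reason about cleanup without reading the `err` label. The old comment `/* Add a CONF_VALUE name value pair to stack */` is still above the function and no longer names it.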
@@ -440,33 +468,33 @@ static char *strip_spaces(char *name) /* hex string utilities */ -/* - * Given a buffer of length 'len' return a OPENSSL_malloc'ed string with its - * hex representation @@@ (Contents of buffer are always kept in ASCII, also - * on EBCDIC machines) - */ - -char *x509v3_bytes_to_hex(const unsigned char *buffer, long len) +char *x509v3_bytes_to_hex(const uint8_t *in, size_t len) { - char *tmp, *q; - const unsigned char *p; - int i; - static const char hexdig[] = "0123456789ABCDEF"; - if (!buffer || !len) - return NULL; - if (!(tmp = OPENSSL_malloc(len * 3 + 1))) { - OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); - return NULL; + CBB cbb; + if (!CBB_init(&cbb, len * 3 + 1)) { + goto err; } - q = tmp; - for (i = 0, p = buffer; i < len; i++, p++) { - *q++ = hexdig[(*p >> 4) & 0xf]; - *q++ = hexdig[*p & 0xf]; - *q++ = ':'; + for (size_t i = 0; i < len; i++) { + static const char hex[] = "0123456789ABCDEF"; + if ((i > 0 && !CBB_add_u8(&cbb, ':')) || + !CBB_add_u8(&cbb, hex[in[i] >> 4]) || + !CBB_add_u8(&cbb, hex[in[i] & 0xf])) { + goto err; + } } - q[-1] = 0; + uint8_t *ret; + size_t unused_len; + if (!CBB_add_u8(&cbb, 0) || + !CBB_finish(&cbb, &ret, &unused_len)) { + goto err; + } + + return (char *)ret; - return tmp; +err: + OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); + CBB_cleanup(&cbb); + return NULL; } unsigned char *x509v3_hex_to_bytes(const char *str, long *len) 
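Review bot: The rewrite changes the zero-length case: the old `x509v3_bytes_to_hex` returned NULL when `len == 0` (or `buffer == NULL`), while the new one returns a one-byte empty string, and the caller updated in this change (`i2v_AUTHORITY_KEYID` in v3_akey.c) now treats NULL strictly as an allocation failure, so an empty keyid is emitted as `keyid` with an empty value instead of being skipped—probably intended, but it should be stated. The removed header comment was not replaced, so the new contract is undocumented; a comment above the definition (or at its declaration) along the lines of `/* x509v3_bytes_to_hex returns a newly-allocated, NUL-terminated string of the |len| bytes at |in| as uppercase hex pairs separated by ':' (an empty string if |len| is zero), or NULL on allocation failure. The caller releases it with OPENSSL_free. */` covers what the body does. No caller visible here passes a NULL `in` with non-zero `len`, which the new code would dereference; if that is meant to be a precondition, say so in the same comment.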
@@ -631,27 +659,45 @@ static void str_free(OPENSSL_STRING str) static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email) { - char *emtmp; /* First some sanity checks */ if (email->type != V_ASN1_IA5STRING) return 1; - if (!email->data || !email->length) + if (email->data == NULL || email->length == 0) + return 1; + /* |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not + * report them as outputs. */ + if (OPENSSL_memchr(email->data, 0, email->length) != NULL) return 1; + + char *emtmp = NULL; if (!*sk) *sk = sk_OPENSSL_STRING_new(sk_strcmp); if (!*sk) - return 0; + goto err; + + emtmp = OPENSSL_strndup((char *)email->data, email->length); + if (emtmp == NULL) { + goto err; + } + /* Don't add duplicates */ sk_OPENSSL_STRING_sort(*sk); - if (sk_OPENSSL_STRING_find(*sk, NULL, (char *)email->data)) + if (sk_OPENSSL_STRING_find(*sk, NULL, emtmp)) { + OPENSSL_free(emtmp); return 1; - emtmp = OPENSSL_strdup((char *)email->data); - if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) { - X509_email_free(*sk); - *sk = NULL; - return 0; + } + if (!sk_OPENSSL_STRING_push(*sk, emtmp)) { + goto err; } return 1; + +err: + /* TODO(davidben): Fix the error-handling in this file. It currently relies + * on |append_ia5| leaving |*sk| at NULL on error. */ + OPENSSL_free(emtmp); + X509_email_free(*sk); + *sk = NULL; + return 0; } void X509_email_free(STACK_OF(OPENSSL_STRING) *sk) 
@@ -663,44 +709,11 @@ typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len, const unsigned char *subject, size_t subject_len, unsigned int flags); -/* Skip pattern prefix to match "wildcard" subject */ -static void skip_prefix(const unsigned char **p, size_t *plen, - const unsigned char *subject, size_t subject_len, - unsigned int flags) -{ - const unsigned char *pattern = *p; - size_t pattern_len = *plen; - - /* - * If subject starts with a leading '.' followed by more octets, and - * pattern is longer, compare just an equal-length suffix with the - * full subject (starting at the '.'), provided the prefix contains - * no NULs. - */ - if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0) - return; - - while (pattern_len > subject_len && *pattern) { - if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) && - *pattern == '.') - break; - ++pattern; - --pattern_len; - } - - /* Skip if entire prefix acceptable */ - if (pattern_len == subject_len) { - *p = pattern; - *plen = pattern_len; - } -} - /* Compare while ASCII ignoring case. */ static int equal_nocase(const unsigned char *pattern, size_t pattern_len, const unsigned char *subject, size_t subject_len, unsigned int flags) { - skip_prefix(&pattern, &pattern_len, subject, subject_len, flags); if (pattern_len != subject_len) return 0; while (pattern_len) { @@ -729,7 +742,6 @@ static int equal_case(const unsigned char *pattern, size_t pattern_len, const unsigned char *subject, size_t subject_len, unsigned int flags) { - skip_prefix(&pattern, &pattern_len, subject, subject_len, flags); if (pattern_len != subject_len) return 0; return !OPENSSL_memcmp(pattern, subject, pattern_len); @@ -776,7 +788,6 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, const unsigned char *wildcard_start; const unsigned char *wildcard_end; const unsigned char *p; - int allow_multi = 0; int allow_idna = 0; if (subject_len < prefix_len + suffix_len) 
@@ -795,8 +806,6 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, if (wildcard_start == wildcard_end) return 0; allow_idna = 1; - if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS) - allow_multi = 1; } /* IDNA labels cannot match partial wildcards */ if (!allow_idna && @@ -808,14 +817,13 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, return 1; /* * Check that the part matched by the wildcard contains only - * permitted characters and only matches a single label unless - * allow_multi is set. + * permitted characters and only matches a single label. */ for (p = wildcard_start; p != wildcard_end; ++p) if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') || ('a' <= *p && *p <= 'z') || - *p == '-' || (allow_multi && *p == '.'))) + *p == '-')) return 0; return 1; } @@ -847,12 +855,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len, */ if (star != NULL || (state & LABEL_IDNA) != 0 || dots) return NULL; - /* Only full-label '*.example.com' wildcards? */ - if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS) - && (!atstart || !atend)) - return NULL; - /* No 'foo*bar' wildcards */ - if (!atstart && !atend) + /* Only full-label '*.example.com' wildcards. */ + if (!atstart || !atend) return NULL; star = &p[i]; state &= ~LABEL_START; @@ -1014,17 +1018,12 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, int rv = 0; equal_fn equal; - /* See below, this flag is internal-only */ - flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS; if (check_type == GEN_EMAIL) { cnid = NID_pkcs9_emailAddress; alt_type = V_ASN1_IA5STRING; equal = equal_email; } else if (check_type == GEN_DNS) { cnid = NID_commonName; - /* Implicit client-side DNS sub-domain pattern */ - if (chklen > 1 && chk[0] == '.') - flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS; alt_type = V_ASN1_IA5STRING; if (flags & X509_CHECK_FLAG_NO_WILDCARDS) equal = equal_nocase; 
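Review bot: After the `-847` hunk the `flags` parameter of `valid_star` has no remaining use in the visible code (the `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` test was its only one here), and `wildcard_match` no longer reads `X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS`; if nothing outside these hunks reads `flags`, drop the parameter or add `(void)flags;` so unused-parameter warnings do not appear. More importantly, `X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS`, `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS` and `X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS` now have no effect in this file while existing callers may still pass them: the matcher always requires a full-label `*.example.com` wildcard, and with `skip_prefix` gone (hunks `-663` and `-729`) `equal_nocase`/`equal_case` require equal lengths. If the public header still defines those constants, each should carry a comment that it is retained for source compatibility and is a no-op. `valid_star`, `wildcard_match` and `do_x509_check` all begin outside their hunks.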
@@ -1120,7 +1119,7 @@ int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) /* * Convert IP addresses both IPv4 and IPv6 into an OCTET STRING compatible - * with RFC3280. + * with RFC 3280. */ ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc) diff --git a/Sources/CJWTKitBoringSSL/hash.txt b/Sources/CJWTKitBoringSSL/hash.txt index 4c64eeac..f3c2d5c5 100644 --- a/Sources/CJWTKitBoringSSL/hash.txt +++ b/Sources/CJWTKitBoringSSL/hash.txt @@ -1 +1 @@ -This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision 80df7398ce52574801821ce7a76c031c35d6b882 +This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision ce2a353d0147bac03ef883d91dcd9c405ab527fa diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h index 4f94e719..987833d0 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL.h @@ -2,17 +2,16 @@ // // This source file is part of the Vapor open source project // -// Copyright (c) 2017-2020 Vapor project authors +// Copyright (c) 2022 Vapor project authors // Licensed under MIT // // See LICENSE for license information // -// SPDX-License-Identifier: Apache-2.0 +// SPDX-License-Identifier: MIT // //===----------------------------------------------------------------------===// #ifndef C_VAPORJWT_BORINGSSL_H #define C_VAPORJWT_BORINGSSL_H - #include "CJWTKitBoringSSL_aes.h" #include "CJWTKitBoringSSL_arm_arch.h" #include "CJWTKitBoringSSL_asn1_mac.h" @@ -39,7 +38,6 @@ #include "CJWTKitBoringSSL_evp.h" #include "CJWTKitBoringSSL_hkdf.h" #include "CJWTKitBoringSSL_hmac.h" -#include "CJWTKitBoringSSL_hpke.h" #include "CJWTKitBoringSSL_hrss.h" #include "CJWTKitBoringSSL_md4.h" #include "CJWTKitBoringSSL_md5.h" 
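Review bot: The `@@ -39,7 +38,6 @@` hunk drops `#include "CJWTKitBoringSSL_hpke.h"` from the umbrella header, which removes the HPKE declarations from what the Swift module can see, and neither the commit description nor the hunks here say whether the corresponding sources were removed from the vendored tree or the header was simply left out by the vending script. If the removal is deliberate, one line in the description (that HPKE is no longer exported) would save downstream users a surprise; if it is accidental, the include should come back. The licence-header hunk above it only makes the SPDX tag agree with the existing `Licensed under MIT` line, which looks right.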
@@ -59,5 +57,4 @@ #include "CJWTKitBoringSSL_siphash.h" #include "CJWTKitBoringSSL_trust_token.h" #include "CJWTKitBoringSSL_x509v3.h" - #endif // C_VAPORJWT_BORINGSSL_H diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_aead.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_aead.h index 25dfe995..e10a4c3b 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_aead.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_aead.h @@ -212,15 +212,15 @@ union evp_aead_ctx_st_state { uint64_t alignment; }; -// An EVP_AEAD_CTX represents an AEAD algorithm configured with a specific key -// and message-independent IV. -typedef struct evp_aead_ctx_st { +// An evp_aead_ctx_st (typedefed as |EVP_AEAD_CTX| in base.h) represents an AEAD +// algorithm configured with a specific key and message-independent IV. +struct evp_aead_ctx_st { const EVP_AEAD *aead; union evp_aead_ctx_st_state state; // tag_len may contain the actual length of the authentication tag if it is // known at initialization time. uint8_t tag_len; -} EVP_AEAD_CTX; +}; // EVP_AEAD_MAX_KEY_LENGTH contains the maximum key length used by // any AEAD defined in this header. diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h index e35202ab..7215f62e 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h 
@@ -50,58 +50,15 @@ * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). */ -#if __arm__ || __arm64__ || __aarch64__ #ifndef OPENSSL_HEADER_ARM_ARCH_H #define OPENSSL_HEADER_ARM_ARCH_H -#if !defined(__ARM_ARCH__) -# if defined(__CC_ARM) -# define __ARM_ARCH__ __TARGET_ARCH_ARM -# if defined(__BIG_ENDIAN) -# define __ARMEB__ -# else -# define __ARMEL__ -# endif -# elif defined(__GNUC__) -# if defined(__aarch64__) -# define __ARM_ARCH__ 8 -# if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__ -# define __ARMEB__ -# else -# define __ARMEL__ -# endif - // Why doesn't gcc define __ARM_ARCH__? Instead it defines - // bunch of below macros. See all_architectires[] table in - // gcc/config/arm/arm.c. On a side note it defines - // __ARMEL__/__ARMEB__ for little-/big-endian. -# elif defined(__ARM_ARCH) -# define __ARM_ARCH__ __ARM_ARCH -# elif defined(__ARM_ARCH_8A__) -# define __ARM_ARCH__ 8 -# elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \ - defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__) || \ - defined(__ARM_ARCH_7EM__) -# define __ARM_ARCH__ 7 -# elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__) || \ - defined(__ARM_ARCH_6K__)|| defined(__ARM_ARCH_6M__) || \ - defined(__ARM_ARCH_6Z__)|| defined(__ARM_ARCH_6ZK__) || \ - defined(__ARM_ARCH_6T2__) -# define __ARM_ARCH__ 6 -# elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__) || \ - defined(__ARM_ARCH_5E__)|| defined(__ARM_ARCH_5TE__) || \ - defined(__ARM_ARCH_5TEJ__) -# define __ARM_ARCH__ 5 -# elif defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__) -# define __ARM_ARCH__ 4 -# else -# error "unsupported ARM architecture" -# endif -# endif -#endif +// arm_arch.h contains symbols used by ARM assembly, and the C code that calls +// it. It is included as a public header to simplify the build, but is not +// intended for external use. -// Even when building for 32-bit ARM, support for aarch64 crypto instructions -// will be included. 
-#define __ARM_MAX_ARCH__ 8 +#if defined(__ARMEL__) || defined(_M_ARM) || defined(__AARCH64EL__) || \ + defined(_M_ARM64) // ARMV7_NEON is true when a NEON unit is present in the current CPU. #define ARMV7_NEON (1 << 0) @@ -118,8 +75,28 @@ // ARMV8_PMULL indicates support for carryless multiplication. #define ARMV8_PMULL (1 << 5) +// ARMV8_SHA512 indicates support for hardware SHA-512 instructions. +#define ARMV8_SHA512 (1 << 6) + #if defined(__ASSEMBLER__) +// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language +// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does +// not implement ACLE, but we require Clang's assembler on Windows. +#if !defined(__ARM_ARCH) +#error "ARM assembler must define __ARM_ARCH" +#endif + +// __ARM_ARCH__ is used by OpenSSL assembly to determine the minimum target ARM +// version. +// +// TODO(davidben): Switch the assembly to use |__ARM_ARCH| directly. +#define __ARM_ARCH__ __ARM_ARCH + +// Even when building for 32-bit ARM, support for aarch64 crypto instructions +// will be included. +#define __ARM_MAX_ARCH__ 8 + // Support macros for // - Armv8.3-A Pointer Authentication and // - Armv8.5-A Branch Target Identification @@ -236,7 +213,8 @@ .popsection; #endif -#endif /* defined __ASSEMBLER__ */ +#endif // __ASSEMBLER__ + +#endif // __ARMEL__ || _M_ARM || __AARCH64EL__ || _M_ARM64 #endif // OPENSSL_HEADER_ARM_ARCH_H -#endif // __arm__ || __arm64__ || __aarch64__ diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h index 686e407b..3820f1ef 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1.h @@ -63,11 +63,10 @@ #include #include "CJWTKitBoringSSL_bio.h" -#include "CJWTKitBoringSSL_stack.h" - #include "CJWTKitBoringSSL_bn.h" +#include "CJWTKitBoringSSL_stack.h" -#ifdef __cplusplus +#if defined(__cplusplus) extern "C" { #endif 
@@ -75,8 +74,12 @@ extern "C" {
 // Legacy ASN.1 library.
 //
 // This header is part of OpenSSL's ASN.1 implementation. It is retained for
-// compatibility but otherwise underdocumented and not actively maintained. Use
-// the new |CBS| and |CBB| library in instead.
+// compatibility but should not be used by new code. The functions are difficult
+// to use correctly, and have buggy or non-standard behaviors. They are thus
+// particularly prone to behavior changes and API removals, as BoringSSL
+// iterates on these issues.
+//
+// Use the new |CBS| and |CBB| library in instead.
 // Tag constants.
@@ -111,10 +114,6 @@ extern "C" {
 // V_ASN1_UNDEF is used in some APIs to indicate an ASN.1 element is omitted.
 #define V_ASN1_UNDEF (-1)
-// V_ASN1_APP_CHOOSE is used in some APIs to specify a default ASN.1 type based
-// on the context.
-#define V_ASN1_APP_CHOOSE (-2)
-
 // V_ASN1_OTHER is used in |ASN1_TYPE| to indicate a non-universal ASN.1 type.
 #define V_ASN1_OTHER (-3)
@@ -178,11 +177,307 @@ extern "C" {
 #define B_ASN1_GENERALIZEDTIME 0x8000
 #define B_ASN1_SEQUENCE 0x10000
+// ASN1_tag2bit converts |tag| from the tag number of a universal type to a
+// corresponding |B_ASN1_*| constant, |B_ASN1_UNKNOWN|, or zero. If the
+// |B_ASN1_*| constant above is defined, it will map the corresponding
+// |V_ASN1_*| constant to it. Otherwise, whether it returns |B_ASN1_UNKNOWN| or
+// zero is ill-defined and callers should not rely on it.
+//
+// TODO(https://crbug.com/boringssl/412): Figure out what |B_ASN1_UNNOWN| vs
+// zero is meant to be. The main impact is what values go in |B_ASN1_PRINTABLE|.
+// To that end, we must return zero on types that can't go in |ASN1_STRING|.
+OPENSSL_EXPORT unsigned long ASN1_tag2bit(int tag);
+
 // ASN1_tag2str returns a string representation of |tag|, interpret as a tag
 // number for a universal type, or |V_ASN1_NEG_*|.
 OPENSSL_EXPORT const char *ASN1_tag2str(int tag);
+// API conventions.
+//
+// The following sample functions document the calling conventions used by
+// legacy ASN.1 APIs.
+
+#if 0 // Sample functions
+
+// d2i_SAMPLE parses a structure from up to |len| bytes at |*inp|. On success,
+// it advances |*inp| by the number of bytes read and returns a newly-allocated
+// |SAMPLE| object containing the parsed structure. If |out| is non-NULL, it
+// additionally frees the previous value at |*out| and updates |*out| to the
+// result. If parsing or allocating the result fails, it returns NULL.
+//
+// This function does not reject trailing data in the input. This allows the
+// caller to parse a sequence of concatenated structures. Callers parsing only
+// one structure should check for trailing data by comparing the updated |*inp|
+// with the end of the input.
+//
+// Note: If |out| and |*out| are both non-NULL, the object at |*out| is not
+// updated in-place. Instead, it is freed, and the pointer is updated to the
+// new object. This differs from OpenSSL, which behaves more like
+// |d2i_SAMPLE_with_reuse|. Callers are recommended to set |out| to NULL and
+// instead use the return value.
+SAMPLE *d2i_SAMPLE(SAMPLE **out, const uint8_t **inp, long len);
+
+// d2i_SAMPLE_with_reuse parses a structure from up to |len| bytes at |*inp|. On
+// success, it advances |*inp| by the number of bytes read and returns a
+// non-NULL pointer to an object containing the parsed structure. The object is
+// determined from |out| as follows:
+//
+// If |out| is NULL, the function places the result in a newly-allocated
+// |SAMPLE| object and returns it. This mode is recommended.
+//
+// If |out| is non-NULL, but |*out| is NULL, the function also places the result
+// in a newly-allocated |SAMPLE| object. It sets |*out| to this object and also
+// returns it.
+//
+// If |out| and |*out| are both non-NULL, the function updates the object at
+// |*out| in-place with the result and returns |*out|.
+//
+// If any of the above fail, the function returns NULL.
+//
+// This function does not reject trailing data in the input. This allows the
+// caller to parse a sequence of concatenated structures. Callers parsing only
+// one structure should check for trailing data by comparing the updated |*inp|
+// with the end of the input.
+//
+// WARNING: Callers should not rely on the in-place update mode. It often
+// produces the wrong result or breaks the type's internal invariants. Future
+// revisions of BoringSSL may standardize on the |d2i_SAMPLE| behavior.
+SAMPLE *d2i_SAMPLE_with_reuse(SAMPLE **out, const uint8_t **inp, long len);
+
+// i2d_SAMPLE marshals |in|. On error, it returns a negative value. On success,
+// it returns the length of the result and outputs it via |outp| as follows:
+//
+// If |outp| is NULL, the function writes nothing. This mode can be used to size
+// buffers.
+//
+// If |outp| is non-NULL but |*outp| is NULL, the function sets |*outp| to a
+// newly-allocated buffer containing the result. The caller is responsible for
+// releasing |*outp| with |OPENSSL_free|. This mode is recommended for most
+// callers.
+//
+// If |outp| and |*outp| are non-NULL, the function writes the result to
+// |*outp|, which must have enough space available, and advances |*outp| just
+// past the output.
+//
+// WARNING: In the third mode, the function does not internally check output
+// bounds. Failing to correctly size the buffer will result in a potentially
+// exploitable memory error.
+int i2d_SAMPLE(const SAMPLE *in, uint8_t **outp);
+
+#endif // Sample functions
+
+// The following typedefs are sometimes used for pointers to functions like
+// |d2i_SAMPLE| and |i2d_SAMPLE|. Note, however, that these act on |void*|.
+// Calling a function with a different pointer type is undefined in C, so this
+// is only valid with a wrapper.
+typedef void *d2i_of_void(void **, const unsigned char **, long);
+typedef int i2d_of_void(const void *, unsigned char **);
+
+
+// ASN.1 types.
+//
+// An |ASN1_ITEM| represents an ASN.1 type and allows working with ASN.1 types
+// generically.
+//
+// |ASN1_ITEM|s use a different namespace from C types and are accessed via
+// |ASN1_ITEM_*| macros. So, for example, |ASN1_OCTET_STRING| is both a C type
+// and the name of an |ASN1_ITEM|, referenced as
+// |ASN1_ITEM_rptr(ASN1_OCTET_STRING)|.
+//
+// Each |ASN1_ITEM| has a corresponding C type, typically with the same name,
+// which represents values in the ASN.1 type. This type is either a pointer type
+// or |ASN1_BOOLEAN|. When it is a pointer, NULL pointers represent omitted
+// values. For example, an OCTET STRING value is declared with the C type
+// |ASN1_OCTET_STRING*| and uses the |ASN1_ITEM| named |ASN1_OCTET_STRING|. An
+// OPTIONAL OCTET STRING uses the same C type and represents an omitted value
+// with a NULL pointer. |ASN1_BOOLEAN| is described in a later section.
+
+// DECLARE_ASN1_ITEM declares an |ASN1_ITEM| with name |name|. The |ASN1_ITEM|
+// may be referenced with |ASN1_ITEM_rptr|. Uses of this macro should document
+// the corresponding ASN.1 and C types.
+#define DECLARE_ASN1_ITEM(name) extern OPENSSL_EXPORT const ASN1_ITEM name##_it;
+
+// ASN1_ITEM_rptr returns the |const ASN1_ITEM *| named |name|.
+#define ASN1_ITEM_rptr(name) (&(name##_it))
+
+// ASN1_ITEM_EXP is an abstraction for referencing an |ASN1_ITEM| in a
+// constant-initialized structure, such as a method table. It exists because, on
+// some OpenSSL platforms, |ASN1_ITEM| references are indirected through
+// functions. Structures reference the |ASN1_ITEM| by declaring a field like
+// |ASN1_ITEM_EXP *item| and initializing it with |ASN1_ITEM_ref|.
+typedef const ASN1_ITEM ASN1_ITEM_EXP;
+
+// ASN1_ITEM_ref returns an |ASN1_ITEM_EXP*| for the |ASN1_ITEM| named |name|.
+#define ASN1_ITEM_ref(name) (&(name##_it))
+
+// ASN1_ITEM_ptr converts |iptr|, which must be an |ASN1_ITEM_EXP*| to a
+// |const ASN1_ITEM*|.
+#define ASN1_ITEM_ptr(iptr) (iptr)
+
+// ASN1_VALUE_st (aka |ASN1_VALUE|) is an opaque type used as a placeholder for
+// the C type corresponding to an |ASN1_ITEM|.
+typedef struct ASN1_VALUE_st ASN1_VALUE;
+
+// ASN1_item_new allocates a new value of the C type corresponding to |it|, or
+// NULL on error. On success, the caller must release the value with
+// |ASN1_item_free|, or the corresponding C type's free function, when done. The
+// new value will initialize fields of the value to some default state, such as
+// an empty string. Note, however, that this default state sometimes omits
+// required values, such as with CHOICE types.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Casting the result of this function to the wrong type is a
+// potentially exploitable memory error. Callers must ensure the value is used
+// consistently with |it|. Prefer using type-specific functions such as
+// |ASN1_OCTET_STRING_new|.
+OPENSSL_EXPORT ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
+
+// ASN1_item_free releases memory associated with |val|, which must be an object
+// of the C type corresponding to |it|.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Passing a pointer of the wrong type into this function is a
+// potentially exploitable memory error. Callers must ensure |val| is consistent
+// with |it|. Prefer using type-specific functions such as
+// |ASN1_OCTET_STRING_free|.
+OPENSSL_EXPORT void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);
+
+// ASN1_item_d2i parses the ASN.1 type |it| from up to |len| bytes at |*inp|.
+// It behaves like |d2i_SAMPLE_with_reuse|, except that |out| and the return
+// value are cast to |ASN1_VALUE| pointers.
+//
+// TODO(https://crbug.com/boringssl/444): C strict aliasing forbids type-punning
+// |T*| and |ASN1_VALUE*| the way this function signature does. When that bug is
+// resolved, we will need to pick which type |*out| is (probably |T*|). Do not
+// use a non-NULL |out| to avoid ending up on the wrong side of this question.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Casting the result of this function to the wrong type, or passing a
+// pointer of the wrong type into this function, are potentially exploitable
+// memory errors. Callers must ensure |out| is consistent with |it|. Prefer
+// using type-specific functions such as |d2i_ASN1_OCTET_STRING|.
+OPENSSL_EXPORT ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **out,
+ const unsigned char **inp, long len,
+ const ASN1_ITEM *it);
+
+// ASN1_item_i2d marshals |val| as the ASN.1 type associated with |it|, as
+// described in |i2d_SAMPLE|.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Passing a pointer of the wrong type into this function is a
+// potentially exploitable memory error. Callers must ensure |val| is consistent
+// with |it|. Prefer using type-specific functions such as
+// |i2d_ASN1_OCTET_STRING|.
+OPENSSL_EXPORT int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **outp,
+ const ASN1_ITEM *it);
+
+// ASN1_item_dup returns a newly-allocated copy of |x|, or NULL on error. |x|
+// must be an object of |it|'s C type.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Casting the result of this function to the wrong type, or passing a
+// pointer of the wrong type into this function, are potentially exploitable
+// memory errors. Prefer using type-specific functions such as
+// |ASN1_STRING_dup|.
+OPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
+
+// The following functions behave like |ASN1_item_d2i| but read from |in|
+// instead. |out| is the same parameter as in |ASN1_item_d2i|, but written with
+// |void*| instead. The return values similarly match.
+//
+// These functions may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: These functions do not bound how much data is read from |in|.
+// Parsing an untrusted input could consume unbounded memory.
+OPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *out);
+OPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *out);
+
+// The following functions behave like |ASN1_item_i2d| but write to |out|
+// instead. |in| is the same parameter as in |ASN1_item_i2d|, but written with
+// |void*| instead.
+//
+// These functions may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+OPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *in);
+OPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *in);
+
+// ASN1_item_unpack parses |oct|'s contents as |it|'s ASN.1 type. It returns a
+// newly-allocated instance of |it|'s C type on success, or NULL on error.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Casting the result of this function to the wrong type is a
+// potentially exploitable memory error. Callers must ensure the value is used
+// consistently with |it|.
+OPENSSL_EXPORT void *ASN1_item_unpack(const ASN1_STRING *oct,
+ const ASN1_ITEM *it);
+
+// ASN1_item_pack marshals |obj| as |it|'s ASN.1 type. If |out| is NULL, it
+// returns a newly-allocated |ASN1_STRING| with the result, or NULL on error.
+// If |out| is non-NULL, but |*out| is NULL, it does the same but additionally
+// sets |*out| to the result. If both |out| and |*out| are non-NULL, it writes
+// the result to |*out| and returns |*out| on success or NULL on error.
+//
+// This function may not be used with |ASN1_ITEM|s whose C type is
+// |ASN1_BOOLEAN|.
+//
+// WARNING: Passing a pointer of the wrong type into this function is a
+// potentially exploitable memory error. Callers must ensure |val| is consistent
+// with |it|.
+OPENSSL_EXPORT ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it,
+ ASN1_STRING **out);
+
+
+// Booleans.
+//
+// This library represents ASN.1 BOOLEAN values with |ASN1_BOOLEAN|, which is an
+// integer type. FALSE is zero, TRUE is 0xff, and an omitted OPTIONAL BOOLEAN is
+// -1.
+
+// d2i_ASN1_BOOLEAN parses a DER-encoded ASN.1 BOOLEAN from up to |len| bytes at
+// |*inp|. On success, it advances |*inp| by the number of bytes read and
+// returns the result. If |out| is non-NULL, it additionally writes the result
+// to |*out|. On error, it returns -1.
+//
+// This function does not reject trailing data in the input. This allows the
+// caller to parse a sequence of concatenated structures. Callers parsing only
+// one structure should check for trailing data by comparing the updated |*inp|
+// with the end of the input.
+//
+// WARNING: This function's is slightly different from other |d2i_*| functions
+// because |ASN1_BOOLEAN| is not a pointer type.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_BOOLEAN d2i_ASN1_BOOLEAN(ASN1_BOOLEAN *out,
+ const unsigned char **inp,
+ long len);
+
+// i2d_ASN1_BOOLEAN marshals |a| as a DER-encoded ASN.1 BOOLEAN, as described in
+// |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_BOOLEAN(ASN1_BOOLEAN a, unsigned char **outp);
+
+// The following |ASN1_ITEM|s have ASN.1 type BOOLEAN and C type |ASN1_BOOLEAN|.
+// |ASN1_TBOOLEAN| and |ASN1_FBOOLEAN| must be marked OPTIONAL. When omitted,
+// they are parsed as TRUE and FALSE, respectively, rather than -1.
+DECLARE_ASN1_ITEM(ASN1_BOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_TBOOLEAN)
+DECLARE_ASN1_ITEM(ASN1_FBOOLEAN)
+
+
 // Strings.
 //
 // ASN.1 contains a myriad of string types, as well as types that contain data
@@ -241,9 +536,10 @@ OPENSSL_EXPORT const char *ASN1_tag2str(int tag);
 // invariants on the |X509| object and break the |X509_get0_serialNumber|
 // invariant.
 //
-// TODO(davidben): This is very unfriendly. Getting the type field wrong should
-// not cause memory errors, but it may do strange things. We should add runtime
-// checks to anything that consumes |ASN1_STRING|s from the caller.
+// TODO(https://crbug.com/boringssl/445): This is very unfriendly. Getting the
+// type field wrong should not cause memory errors, but it may do strange
+// things. We should add runtime checks to anything that consumes |ASN1_STRING|s
+// from the caller.
 struct asn1_string_st {
 int length;
 int type;
@@ -304,16 +600,14 @@ OPENSSL_EXPORT int ASN1_STRING_length(const ASN1_STRING *str);
 // suitable for sorting, callers should not rely on the exact order when |a|
 // and |b| are different types.
 //
-// If |a| or |b| are BIT STRINGs, this function does not compare the
-// |ASN1_STRING_FLAG_BITS_LEFT| flags. Additionally, if |a| and |b| are
-// INTEGERs, this comparison does not order the values numerically. For a
-// numerical comparison, use |ASN1_INTEGER_cmp|.
-//
-// TODO(davidben): The BIT STRING comparison seems like a bug. Fix it?
+// Note that, if |a| and |b| are INTEGERs, this comparison does not order the
+// values numerically. For a numerical comparison, use |ASN1_INTEGER_cmp|.
 OPENSSL_EXPORT int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b);
 // ASN1_STRING_set sets the contents of |str| to a copy of |len| bytes from
-// |data|. It returns one on success and zero on error.
+// |data|. It returns one on success and zero on error. If |data| is NULL, it
+// updates the length and allocates the buffer as needed, but does not
+// initialize the contents.
 OPENSSL_EXPORT int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
 // ASN1_STRING_set0 sets the contents of |str| to |len| bytes from |data|. It
@@ -321,6 +615,102 @@ OPENSSL_EXPORT int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len);
 // |OPENSSL_malloc|.
 OPENSSL_EXPORT void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len);
+// The following functions call |ASN1_STRING_type_new| with the corresponding
+// |V_ASN1_*| constant.
+OPENSSL_EXPORT ASN1_BMPSTRING *ASN1_BMPSTRING_new(void);
+OPENSSL_EXPORT ASN1_GENERALSTRING *ASN1_GENERALSTRING_new(void);
+OPENSSL_EXPORT ASN1_IA5STRING *ASN1_IA5STRING_new(void);
+OPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_new(void);
+OPENSSL_EXPORT ASN1_PRINTABLESTRING *ASN1_PRINTABLESTRING_new(void);
+OPENSSL_EXPORT ASN1_T61STRING *ASN1_T61STRING_new(void);
+OPENSSL_EXPORT ASN1_UNIVERSALSTRING *ASN1_UNIVERSALSTRING_new(void);
+OPENSSL_EXPORT ASN1_UTF8STRING *ASN1_UTF8STRING_new(void);
+OPENSSL_EXPORT ASN1_VISIBLESTRING *ASN1_VISIBLESTRING_new(void);
+
+// The following functions call |ASN1_STRING_free|.
+OPENSSL_EXPORT void ASN1_BMPSTRING_free(ASN1_BMPSTRING *str);
+OPENSSL_EXPORT void ASN1_GENERALSTRING_free(ASN1_GENERALSTRING *str);
+OPENSSL_EXPORT void ASN1_IA5STRING_free(ASN1_IA5STRING *str);
+OPENSSL_EXPORT void ASN1_OCTET_STRING_free(ASN1_OCTET_STRING *str);
+OPENSSL_EXPORT void ASN1_PRINTABLESTRING_free(ASN1_PRINTABLESTRING *str);
+OPENSSL_EXPORT void ASN1_T61STRING_free(ASN1_T61STRING *str);
+OPENSSL_EXPORT void ASN1_UNIVERSALSTRING_free(ASN1_UNIVERSALSTRING *str);
+OPENSSL_EXPORT void ASN1_UTF8STRING_free(ASN1_UTF8STRING *str);
+OPENSSL_EXPORT void ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *str);
+
+// The following functions parse up to |len| bytes from |*inp| as a
+// DER-encoded ASN.1 value of the corresponding type, as described in
+// |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **out,
+ const uint8_t **inp,
+ long len);
+OPENSSL_EXPORT ASN1_GENERALSTRING *d2i_ASN1_GENERALSTRING(
+ ASN1_GENERALSTRING **out, const uint8_t **inp, long len);
+OPENSSL_EXPORT ASN1_IA5STRING *d2i_ASN1_IA5STRING(ASN1_IA5STRING **out,
+ const uint8_t **inp,
+ long len);
+OPENSSL_EXPORT ASN1_OCTET_STRING *d2i_ASN1_OCTET_STRING(ASN1_OCTET_STRING **out,
+ const uint8_t **inp,
+ long len);
+OPENSSL_EXPORT ASN1_PRINTABLESTRING *d2i_ASN1_PRINTABLESTRING(
+ ASN1_PRINTABLESTRING **out, const uint8_t **inp, long len);
+OPENSSL_EXPORT ASN1_T61STRING *d2i_ASN1_T61STRING(ASN1_T61STRING **out,
+ const uint8_t **inp,
+ long len);
+OPENSSL_EXPORT ASN1_UNIVERSALSTRING *d2i_ASN1_UNIVERSALSTRING(
+ ASN1_UNIVERSALSTRING **out, const uint8_t **inp, long len);
+OPENSSL_EXPORT ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **out,
+ const uint8_t **inp,
+ long len);
+OPENSSL_EXPORT ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING(
+ ASN1_VISIBLESTRING **out, const uint8_t **inp, long len);
+
+// The following functions marshal |in| as a DER-encoded ASN.1 value of the
+// corresponding type, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_BMPSTRING(const ASN1_BMPSTRING *in, uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_GENERALSTRING(const ASN1_GENERALSTRING *in,
+ uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_IA5STRING(const ASN1_IA5STRING *in, uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_OCTET_STRING(const ASN1_OCTET_STRING *in,
+ uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_PRINTABLESTRING(const ASN1_PRINTABLESTRING *in,
+ uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_T61STRING(const ASN1_T61STRING *in, uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_UNIVERSALSTRING(const ASN1_UNIVERSALSTRING *in,
+ uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_UTF8STRING(const ASN1_UTF8STRING *in,
+ uint8_t **outp);
+OPENSSL_EXPORT int i2d_ASN1_VISIBLESTRING(const ASN1_VISIBLESTRING *in,
+ uint8_t **outp);
+
+// The following |ASN1_ITEM|s have the ASN.1 type referred to in their name and
+// C type |ASN1_STRING*|. The C type may also be written as the corresponding
+// typedef.
+DECLARE_ASN1_ITEM(ASN1_BMPSTRING)
+DECLARE_ASN1_ITEM(ASN1_GENERALSTRING)
+DECLARE_ASN1_ITEM(ASN1_IA5STRING)
+DECLARE_ASN1_ITEM(ASN1_OCTET_STRING)
+DECLARE_ASN1_ITEM(ASN1_PRINTABLESTRING)
+DECLARE_ASN1_ITEM(ASN1_T61STRING)
+DECLARE_ASN1_ITEM(ASN1_UNIVERSALSTRING)
+DECLARE_ASN1_ITEM(ASN1_UTF8STRING)
+DECLARE_ASN1_ITEM(ASN1_VISIBLESTRING)
+
+// ASN1_OCTET_STRING_dup calls |ASN1_STRING_dup|.
+OPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(
+ const ASN1_OCTET_STRING *a);
+
+// ASN1_OCTET_STRING_cmp calls |ASN1_STRING_cmp|.
+OPENSSL_EXPORT int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a,
+ const ASN1_OCTET_STRING *b);
+
+// ASN1_OCTET_STRING_set calls |ASN1_STRING_set|.
+OPENSSL_EXPORT int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str,
+ const unsigned char *data, int len);
+
 // ASN1_STRING_to_UTF8 converts |in| to UTF-8. On success, sets |*out| to a
 // newly-allocated buffer containing the resulting string and returns the length
 // of the string. The caller must call |OPENSSL_free| to release |*out| when
@@ -329,10 +719,9 @@ OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out,
 const ASN1_STRING *in);
 // The following formats define encodings for use with functions like
-// |ASN1_mbstring_copy|.
+// |ASN1_mbstring_copy|. Note |MBSTRING_ASC| refers to Latin-1, not ASCII.
 #define MBSTRING_FLAG 0x1000
 #define MBSTRING_UTF8 (MBSTRING_FLAG)
-// |MBSTRING_ASC| refers to Latin-1, not ASCII.
 #define MBSTRING_ASC (MBSTRING_FLAG | 1)
 #define MBSTRING_BMP (MBSTRING_FLAG | 2)
 #define MBSTRING_UNIV (MBSTRING_FLAG | 4)
@@ -374,7 +763,125 @@ OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in,
 int len, int inform, unsigned long mask,
 long minsize, long maxsize);
-// TODO(davidben): Expand and document function prototypes generated in macros.
+// ASN1_STRING_set_by_NID behaves like |ASN1_mbstring_ncopy|, but determines
+// |mask|, |minsize|, and |maxsize| based on |nid|. When |nid| is a recognized
+// X.509 attribute type, it will pick a suitable ASN.1 string type and bounds.
+// For most attribute types, it preferentially chooses UTF8String. If |nid| is
+// unrecognized, it uses UTF8String by default.
+//
+// Slightly unlike |ASN1_mbstring_ncopy|, this function interprets |out| and
+// returns its result as follows: If |out| is NULL, it returns a newly-allocated
+// |ASN1_STRING| containing the result. If |out| is non-NULL and
+// |*out| is NULL, it additionally sets |*out| to the result. If both |out| and
+// |*out| are non-NULL, it instead updates the object at |*out| and returns
+// |*out|. In all cases, it returns NULL on error.
+//
+// This function supports the following NIDs: |NID_countryName|,
+// |NID_dnQualifier|, |NID_domainComponent|, |NID_friendlyName|,
+// |NID_givenName|, |NID_initials|, |NID_localityName|, |NID_ms_csp_name|,
+// |NID_name|, |NID_organizationalUnitName|, |NID_organizationName|,
+// |NID_pkcs9_challengePassword|, |NID_pkcs9_emailAddress|,
+// |NID_pkcs9_unstructuredAddress|, |NID_pkcs9_unstructuredName|,
+// |NID_serialNumber|, |NID_stateOrProvinceName|, and |NID_surname|. Additional
+// NIDs may be registered with |ASN1_STRING_set_by_NID|, but it is recommended
+// to call |ASN1_mbstring_ncopy| directly instead.
+OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out,
+ const unsigned char *in,
+ int len, int inform,
+ int nid);
+
+// STABLE_NO_MASK causes |ASN1_STRING_TABLE_add| to allow types other than
+// UTF8String.
+#define STABLE_NO_MASK 0x02
+
+// ASN1_STRING_TABLE_add registers the corresponding parameters with |nid|, for
+// use with |ASN1_STRING_set_by_NID|. It returns one on success and zero on
+// error. It is an error to call this function if |nid| is a built-in NID, or
+// was already registered by a previous call.
+//
+// WARNING: This function affects global state in the library. If two libraries
+// in the same address space register information for the same OID, one call
+// will fail. Prefer directly passing the desired parametrs to
+// |ASN1_mbstring_copy| or |ASN1_mbstring_ncopy| instead.
+OPENSSL_EXPORT int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize,
+ unsigned long mask,
+ unsigned long flags);
+
+
+// Multi-strings.
+//
+// A multi-string, or "MSTRING", is an |ASN1_STRING| that represents a CHOICE of
+// several string or string-like types, such as X.509's DirectoryString. The
+// |ASN1_STRING|'s type field determines which type is used.
+//
+// Multi-string types are associated with a bitmask, using the |B_ASN1_*|
+// constants, which defines which types are valid.
+
+// B_ASN1_DIRECTORYSTRING is a bitmask of types allowed in an X.509
+// DirectoryString (RFC 5280).
+#define B_ASN1_DIRECTORYSTRING \
+ (B_ASN1_PRINTABLESTRING | B_ASN1_TELETEXSTRING | B_ASN1_BMPSTRING | \
+ B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING)
+
+// DIRECTORYSTRING_new returns a newly-allocated |ASN1_STRING| with type -1, or
+// NULL on error. The resulting |ASN1_STRING| is not a valid X.509
+// DirectoryString until initialized with a value.
+OPENSSL_EXPORT ASN1_STRING *DIRECTORYSTRING_new(void);
+
+// DIRECTORYSTRING_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void DIRECTORYSTRING_free(ASN1_STRING *str);
+
+// d2i_DIRECTORYSTRING parses up to |len| bytes from |*inp| as a DER-encoded
+// X.509 DirectoryString (RFC 5280), as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+//
+// TODO(https://crbug.com/boringssl/449): DirectoryString's non-empty string
+// requirement is not currently enforced.
+OPENSSL_EXPORT ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **out,
+ const uint8_t **inp, long len);
+
+// i2d_DIRECTORYSTRING marshals |in| as a DER-encoded X.509 DirectoryString (RFC
+// 5280), as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_DIRECTORYSTRING(const ASN1_STRING *in, uint8_t **outp);
+
+// DIRECTORYSTRING is an |ASN1_ITEM| whose ASN.1 type is X.509 DirectoryString
+// (RFC 5280) and C type is |ASN1_STRING*|.
+DECLARE_ASN1_ITEM(DIRECTORYSTRING)
+
+// B_ASN1_DISPLAYTEXT is a bitmask of types allowed in an X.509 DisplayText (RFC
+// 5280).
+#define B_ASN1_DISPLAYTEXT \
+ (B_ASN1_IA5STRING | B_ASN1_VISIBLESTRING | B_ASN1_BMPSTRING | \
+ B_ASN1_UTF8STRING)
+
+// DISPLAYTEXT_new returns a newly-allocated |ASN1_STRING| with type -1, or NULL
+// on error. The resulting |ASN1_STRING| is not a valid X.509 DisplayText until
+// initialized with a value.
+OPENSSL_EXPORT ASN1_STRING *DISPLAYTEXT_new(void);
+
+// DISPLAYTEXT_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void DISPLAYTEXT_free(ASN1_STRING *str);
+
+// d2i_DISPLAYTEXT parses up to |len| bytes from |*inp| as a DER-encoded X.509
+// DisplayText (RFC 5280), as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+//
+// TODO(https://crbug.com/boringssl/449): DisplayText's size limits are not
+// currently enforced.
+OPENSSL_EXPORT ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **out,
+ const uint8_t **inp, long len);
+
+// i2d_DISPLAYTEXT marshals |in| as a DER-encoded X.509 DisplayText (RFC 5280),
+// as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_DISPLAYTEXT(const ASN1_STRING *in, uint8_t **outp);
+
+// DISPLAYTEXT is an |ASN1_ITEM| whose ASN.1 type is X.509 DisplayText (RFC
+// 5280) and C type is |ASN1_STRING*|.
+DECLARE_ASN1_ITEM(DISPLAYTEXT)
 // Bit strings.
@@ -384,7 +891,7 @@ OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in,
 // in several forms:
 //
 // Some BIT STRINGs represent a bitmask of named bits, such as the X.509 key
-// usage extension in RFC5280, section 4.2.1.3. For such bit strings, DER
+// usage extension in RFC 5280, section 4.2.1.3. For such bit strings, DER
 // imposes an additional restriction that trailing zero bits are removed. Some
 // functions like |ASN1_BIT_STRING_set_bit| help in maintaining this.
 //
@@ -410,7 +917,58 @@ OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in,
 // {0x80} and flags of ASN1_STRING_FLAG_BITS_LEFT | 6. If
 // |ASN1_STRING_FLAG_BITS_LEFT| is unset, trailing zero bits are implicitly
 // removed. Callers should not rely this representation when constructing bit
-// strings.
+// strings. The padding bits in the |ASN1_STRING| data must be zero.
+
+// ASN1_BIT_STRING_new calls |ASN1_STRING_type_new| with |V_ASN1_BIT_STRING|.
+OPENSSL_EXPORT ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);
+
+// ASN1_BIT_STRING_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void ASN1_BIT_STRING_free(ASN1_BIT_STRING *str);
+
+// d2i_ASN1_BIT_STRING parses up to |len| bytes from |*inp| as a DER-encoded
+// ASN.1 BIT STRING, as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_BIT_STRING marshals |in| as a DER-encoded ASN.1 BIT STRING, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_BIT_STRING(const ASN1_BIT_STRING *in,
+ uint8_t **outp);
+
+// c2i_ASN1_BIT_STRING decodes |len| bytes from |*inp| as the contents of a
+// DER-encoded BIT STRING, excluding the tag and length. It behaves like
+// |d2i_SAMPLE_with_reuse| except, on success, it always consumes all |len|
+// bytes.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out,
+ const uint8_t **inp,
+ long len);
+
+// i2c_ASN1_BIT_STRING encodes |in| as the contents of a DER-encoded BIT STRING,
+// excluding the tag and length. If |outp| is non-NULL, it writes the result to
+// |*outp|, advances |*outp| just past the output, and returns the number of
+// bytes written. |*outp| must have space available for the result. If |outp| is
+// NULL, it returns the number of bytes without writing anything. On error, it
+// returns a value <= 0.
+//
+// Note this function differs slightly from |i2d_SAMPLE|. If |outp| is non-NULL
+// and |*outp| is NULL, it does not allocate a new buffer.
+//
+// TODO(davidben): This function currently returns zero on error instead of -1,
+// but it is also mostly infallible. I've currently documented <= 0 to suggest
+// callers work with both.
+OPENSSL_EXPORT int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *in,
+ uint8_t **outp);
+
+// ASN1_BIT_STRING is an |ASN1_ITEM| with ASN.1 type BIT STRING and C type
+// |ASN1_BIT_STRING*|.
+DECLARE_ASN1_ITEM(ASN1_BIT_STRING)
 // ASN1_BIT_STRING_num_bytes computes the length of |str| in bytes. If |str|'s
 // bit length is a multiple of 8, it sets |*out| to the byte length and returns
@@ -449,8 +1007,6 @@ OPENSSL_EXPORT int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *str,
 const unsigned char *flags,
 int flags_len);
-// TODO(davidben): Expand and document function prototypes generated in macros.
-
 // Integers and enumerated values.
 //
@@ -460,17 +1016,85 @@ OPENSSL_EXPORT int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *str,
 // |V_ASN1_INTEGER| or |V_ASN1_ENUMERATED|, while negative values have a type of
 // |V_ASN1_NEG_INTEGER| or |V_ASN1_NEG_ENUMERATED|. Note this differs from DER's
 // two's complement representation.
+//
+// The data in the |ASN1_STRING| may not have leading zeros. Note this means
+// zero is represented as the empty string. Parsing functions will never return
+// invalid representations. If an invalid input is constructed, the marshaling
+// functions will skip leading zeros, however other functions, such as
+// |ASN1_INTEGER_cmp| or |ASN1_INTEGER_get|, may not return the correct result.
+
+DEFINE_STACK_OF(ASN1_INTEGER)
+
+// ASN1_INTEGER_new calls |ASN1_STRING_type_new| with |V_ASN1_INTEGER|. The
+// resulting object has value zero.
+OPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_new(void);
+
+// ASN1_INTEGER_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void ASN1_INTEGER_free(ASN1_INTEGER *str);
+
+// ASN1_INTEGER_dup calls |ASN1_STRING_dup|.
+OPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x);
+
+// d2i_ASN1_INTEGER parses up to |len| bytes from |*inp| as a DER-encoded
+// ASN.1 INTEGER, as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **out,
+ const uint8_t **inp, long len);
+
+// i2d_ASN1_INTEGER marshals |in| as a DER-encoded ASN.1 INTEGER, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp);
+
+// c2i_ASN1_INTEGER decodes |len| bytes from |*inp| as the contents of a
+// DER-encoded INTEGER, excluding the tag and length. It behaves like
+// |d2i_SAMPLE_with_reuse| except, on success, it always consumes all |len|
+// bytes.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// some invalid inputs, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **in,
+ const uint8_t **outp, long len);
+
+// i2c_ASN1_INTEGER encodes |in| as the contents of a DER-encoded INTEGER,
+// excluding the tag and length. If |outp| is non-NULL, it writes the result to
+// |*outp|, advances |*outp| just past the output, and returns the number of
+// bytes written. |*outp| must have space available for the result. If |outp| is
+// NULL, it returns the number of bytes without writing anything. On error, it
+// returns a value <= 0.
+//
+// Note this function differs slightly from |i2d_SAMPLE|. If |outp| is non-NULL
+// and |*outp| is NULL, it does not allocate a new buffer.
+//
+// TODO(davidben): This function currently returns zero on error instead of -1,
+// but it is also mostly infallible. I've currently documented <= 0 to suggest
+// callers work with both.
+OPENSSL_EXPORT int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp);
+
+// ASN1_INTEGER is an |ASN1_ITEM| with ASN.1 type INTEGER and C type
+// |ASN1_INTEGER*|.
+DECLARE_ASN1_ITEM(ASN1_INTEGER)
+
+// ASN1_INTEGER_set_uint64 sets |a| to an INTEGER with value |v|. It returns one
+// on success and zero on error.
+OPENSSL_EXPORT int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v);
 
 // ASN1_INTEGER_set sets |a| to an INTEGER with value |v|. It returns one on
 // success and zero on error.
 OPENSSL_EXPORT int ASN1_INTEGER_set(ASN1_INTEGER *a, long v);
 
-// ASN1_INTEGER_set sets |a| to an INTEGER with value |v|. It returns one on
-// success and zero on error.
-OPENSSL_EXPORT int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v);
+// ASN1_INTEGER_get_uint64 converts |a| to a |uint64_t|. On success, it returns
+// one and sets |*out| to the result. If |a| did not fit or has the wrong type,
+// it returns zero.
+OPENSSL_EXPORT int ASN1_INTEGER_get_uint64(uint64_t *out,
+ const ASN1_INTEGER *a);
 
 // ASN1_INTEGER_get returns the value of |a| as a |long|, or -1 if |a| is out of
 // range or the wrong type.
+//
+// WARNING: This function's return value cannot distinguish errors from -1.
+// Prefer |ASN1_INTEGER_get_uint64|.
 OPENSSL_EXPORT long ASN1_INTEGER_get(const ASN1_INTEGER *a);
 
 // BN_to_ASN1_INTEGER sets |ai| to an INTEGER with value |bn| and returns |ai|
@@ -491,18 +1115,56 @@ OPENSSL_EXPORT BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn);
 OPENSSL_EXPORT int ASN1_INTEGER_cmp(const ASN1_INTEGER *x,
 const ASN1_INTEGER *y);
 
+// ASN1_ENUMERATED_new calls |ASN1_STRING_type_new| with |V_ASN1_ENUMERATED|.
+// The resulting object has value zero.
+OPENSSL_EXPORT ASN1_ENUMERATED *ASN1_ENUMERATED_new(void);
+
+// ASN1_ENUMERATED_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void ASN1_ENUMERATED_free(ASN1_ENUMERATED *str);
+
+// d2i_ASN1_ENUMERATED parses up to |len| bytes from |*inp| as a DER-encoded
+// ASN.1 ENUMERATED, as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_ENUMERATED marshals |in| as a DER-encoded ASN.1 ENUMERATED, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_ENUMERATED(const ASN1_ENUMERATED *in,
+ uint8_t **outp);
+
+// ASN1_ENUMERATED is an |ASN1_ITEM| with ASN.1 type ENUMERATED and C type
+// |ASN1_ENUMERATED*|.
+DECLARE_ASN1_ITEM(ASN1_ENUMERATED)
+
+// ASN1_ENUMERATED_set_uint64 sets |a| to an ENUMERATED with value |v|. It
+// returns one on success and zero on error.
+OPENSSL_EXPORT int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v);
+
 // ASN1_ENUMERATED_set sets |a| to an ENUMERATED with value |v|. It returns one
 // on success and zero on error.
 OPENSSL_EXPORT int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v);
 
-// ASN1_INTEGER_get returns the value of |a| as a |long|, or -1 if |a| is out of
-// range or the wrong type.
+// ASN1_ENUMERATED_get_uint64 converts |a| to a |uint64_t|. On success, it
+// returns one and sets |*out| to the result. If |a| did not fit or has the
+// wrong type, it returns zero.
+OPENSSL_EXPORT int ASN1_ENUMERATED_get_uint64(uint64_t *out,
+ const ASN1_ENUMERATED *a);
+
+// ASN1_ENUMERATED_get returns the value of |a| as a |long|, or -1 if |a| is out
+// of range or the wrong type.
+//
+// WARNING: This function's return value cannot distinguish errors from -1.
+// Prefer |ASN1_ENUMERATED_get_uint64|.
 OPENSSL_EXPORT long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a);
 
 // BN_to_ASN1_ENUMERATED sets |ai| to an ENUMERATED with value |bn| and returns
 // |ai| on success or NULL or error. If |ai| is NULL, it returns a
-// newly-allocated |ASN1_INTEGER| on success instead, which the caller must
-// release with |ASN1_INTEGER_free|.
+// newly-allocated |ASN1_ENUMERATED| on success instead, which the caller must
+// release with |ASN1_ENUMERATED_free|.
 OPENSSL_EXPORT ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn,
 ASN1_ENUMERATED *ai);
 
@@ -512,8 +1174,6 @@ OPENSSL_EXPORT ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn,
 OPENSSL_EXPORT BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai,
 BIGNUM *bn);
 
 
-// TODO(davidben): Expand and document function prototypes generated in macros.
-
 // Time.
 //
@@ -523,14 +1183,39 @@ OPENSSL_EXPORT BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai,
 // epoch would be "19700101000000Z" for a GeneralizedTime and "700101000000Z"
 // for a UTCTime.
 //
-// ASN.1 does not define how to interpret UTCTime's two-digit year. RFC5280
+// ASN.1 does not define how to interpret UTCTime's two-digit year. RFC 5280
 // defines it as a range from 1950 to 2049 for X.509. The library uses the
-// RFC5280 interpretation. It does not currently enforce the restrictions from
-// BER, and the additional restrictions from RFC5280, but future versions may.
+// RFC 5280 interpretation. It does not currently enforce the restrictions from
+// BER, and the additional restrictions from RFC 5280, but future versions may.
 // Callers should not rely on fractional seconds and non-UTC time zones.
 //
-// The |ASN1_TIME| typedef represents the X.509 Time type, which is a CHOICE of
-// GeneralizedTime and UTCTime, using UTCTime when the value is in range.
+// The |ASN1_TIME| typedef is a multi-string representing the X.509 Time type,
+// which is a CHOICE of GeneralizedTime and UTCTime, using UTCTime when the
+// value is in range.
+
+// ASN1_UTCTIME_new calls |ASN1_STRING_type_new| with |V_ASN1_UTCTIME|. The
+// resulting object contains empty contents and must be initialized to be a
+// valid UTCTime.
+OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_new(void);
+
+// ASN1_UTCTIME_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void ASN1_UTCTIME_free(ASN1_UTCTIME *str);
+
+// d2i_ASN1_UTCTIME parses up to |len| bytes from |*inp| as a DER-encoded
+// ASN.1 UTCTime, as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **out,
+ const uint8_t **inp, long len);
+
+// i2d_ASN1_UTCTIME marshals |in| as a DER-encoded ASN.1 UTCTime, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_UTCTIME(const ASN1_UTCTIME *in, uint8_t **outp);
+
+// ASN1_UTCTIME is an |ASN1_ITEM| with ASN.1 type UTCTime and C type
+// |ASN1_UTCTIME*|.
+DECLARE_ASN1_ITEM(ASN1_UTCTIME)
 
 // ASN1_UTCTIME_check returns one if |a| is a valid UTCTime and zero otherwise.
 OPENSSL_EXPORT int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);
@@ -562,6 +1247,31 @@ OPENSSL_EXPORT int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str);
 // they are equal, 1 if |s| > |t|, and -2 on error.
 OPENSSL_EXPORT int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
 
+// ASN1_GENERALIZEDTIME_new calls |ASN1_STRING_type_new| with
+// |V_ASN1_GENERALIZEDTIME|. The resulting object contains empty contents and
+// must be initialized to be a valid GeneralizedTime.
+OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_new(void);
+
+// ASN1_GENERALIZEDTIME_free calls |ASN1_STRING_free|.
+OPENSSL_EXPORT void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *str);
+
+// d2i_ASN1_GENERALIZEDTIME parses up to |len| bytes from |*inp| as a
+// DER-encoded ASN.1 GeneralizedTime, as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(
+ ASN1_GENERALIZEDTIME **out, const uint8_t **inp, long len);
+
+// i2d_ASN1_GENERALIZEDTIME marshals |in| as a DER-encoded ASN.1
+// GeneralizedTime, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_GENERALIZEDTIME(const ASN1_GENERALIZEDTIME *in,
+ uint8_t **outp);
+
+// ASN1_GENERALIZEDTIME is an |ASN1_ITEM| with ASN.1 type GeneralizedTime and C
+// type |ASN1_GENERALIZEDTIME*|.
+DECLARE_ASN1_ITEM(ASN1_GENERALIZEDTIME)
+
 // ASN1_GENERALIZEDTIME_check returns one if |a| is a valid GeneralizedTime and
 // zero otherwise.
 OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);
@@ -592,6 +1302,33 @@ OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(
 OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s,
 const char *str);
 
+// B_ASN1_TIME is a bitmask of types allowed in an X.509 Time.
+#define B_ASN1_TIME (B_ASN1_UTCTIME | B_ASN1_GENERALIZEDTIME)
+
+// ASN1_TIME_new returns a newly-allocated |ASN1_TIME| with type -1, or NULL on
+// error. The resulting |ASN1_TIME| is not a valid X.509 Time until initialized
+// with a value.
+OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_new(void);
+
+// ASN1_TIME_free releases memory associated with |str|.
+OPENSSL_EXPORT void ASN1_TIME_free(ASN1_TIME *str);
+
+// d2i_ASN1_TIME parses up to |len| bytes from |*inp| as a DER-encoded X.509
+// Time (RFC 5280), as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **out, const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_TIME marshals |in| as a DER-encoded X.509 Time (RFC 5280), as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_TIME(const ASN1_TIME *in, uint8_t **outp);
+
+// ASN1_TIME is an |ASN1_ITEM| whose ASN.1 type is X.509 Time (RFC 5280) and C
+// type is |ASN1_TIME*|.
+DECLARE_ASN1_ITEM(ASN1_TIME)
+
 // ASN1_TIME_diff computes |to| - |from|. On success, it sets |*out_days| to the
 // difference in days, rounded towards zero, sets |*out_seconds| to the
 // remainder, and returns one. On error, it returns zero.
@@ -606,7 +1343,7 @@ OPENSSL_EXPORT int ASN1_TIME_diff(int *out_days, int *out_seconds,
 const ASN1_TIME *from, const ASN1_TIME *to);
 
 // ASN1_TIME_set represents |t| as a GeneralizedTime or UTCTime and writes
-// the result to |s|. As in RFC5280, section 4.1.2.5, it uses UTCTime when the
+// the result to |s|. As in RFC 5280, section 4.1.2.5, it uses UTCTime when the
 // time fits and GeneralizedTime otherwise. It returns |s| on success and NULL
 // on error. If |s| is NULL, it returns a newly-allocated |ASN1_TIME| instead.
 //
@@ -614,7 +1351,7 @@ OPENSSL_EXPORT int ASN1_TIME_diff(int *out_days, int *out_seconds,
 OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t);
 
 // ASN1_TIME_adj adds |offset_day| days and |offset_sec| seconds to
-// |t| and writes the result to |s|. As in RFC5280, section 4.1.2.5, it uses
+// |t| and writes the result to |s|. As in RFC 5280, section 4.1.2.5, it uses
 // UTCTime when the time fits and GeneralizedTime otherwise. It returns |s| on
 // success and NULL on error. If |s| is NULL, it returns a newly-allocated
 // |ASN1_GENERALIZEDTIME| instead.
@@ -645,15 +1382,95 @@ OPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str);
 // TODO(davidben): Expand and document function prototypes generated in macros.
 
 
-// Arbitrary elements.
+// NULL values.
+//
+// This library represents the ASN.1 NULL value by a non-NULL pointer to the
+// opaque type |ASN1_NULL|. An omitted OPTIONAL ASN.1 NULL value is a NULL
+// pointer. Unlike other pointer types, it is not necessary to free |ASN1_NULL|
+// pointers, but it is safe to do so.
 
-// ASN1_VALUE_st (aka |ASN1_VALUE|) is an opaque type used internally in the
-// library.
-typedef struct ASN1_VALUE_st ASN1_VALUE;
+// ASN1_NULL_new returns an opaque, non-NULL pointer. It is safe to call
+// |ASN1_NULL_free| on the result, but not necessary.
+OPENSSL_EXPORT ASN1_NULL *ASN1_NULL_new(void);
+
+// ASN1_NULL_free does nothing.
+OPENSSL_EXPORT void ASN1_NULL_free(ASN1_NULL *null);
+
+// d2i_ASN1_NULL parses a DER-encoded ASN.1 NULL value from up to |len| bytes
+// at |*inp|, as described in |d2i_SAMPLE|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **out, const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_NULL marshals |in| as a DER-encoded ASN.1 NULL value, as described
+// in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_NULL(const ASN1_NULL *in, uint8_t **outp);
+
+// ASN1_NULL is an |ASN1_ITEM| with ASN.1 type NULL and C type |ASN1_NULL*|.
+DECLARE_ASN1_ITEM(ASN1_NULL)
+
+
+// Object identifiers.
+//
+// An |ASN1_OBJECT| represents a ASN.1 OBJECT IDENTIFIER. See also obj.h for
+// additional functions relating to |ASN1_OBJECT|.
+//
+// TODO(davidben): What's the relationship between asn1.h and obj.h? Most of
+// obj.h deals with the large NID table, but then functions like |OBJ_get0_data|
+// or |OBJ_dup| are general |ASN1_OBJECT| functions.
+
+DEFINE_STACK_OF(ASN1_OBJECT)
+
+// ASN1_OBJECT_create returns a newly-allocated |ASN1_OBJECT| with |len| bytes
+// from |data| as the encoded OID, or NULL on error. |data| should contain the
+// DER-encoded identifier, excluding the tag and length.
+//
+// |nid| should be |NID_undef|. Passing a NID value that does not match |data|
+// will cause some functions to misbehave. |sn| and |ln| should be NULL. If
+// non-NULL, they are stored as short and long names, respectively, but these
+// values have no effect for |ASN1_OBJECT|s created through this function.
+//
+// TODO(davidben): Should we just ignore all those parameters? NIDs and names
+// are only relevant for |ASN1_OBJECT|s in the obj.h table.
+OPENSSL_EXPORT ASN1_OBJECT *ASN1_OBJECT_create(int nid, const uint8_t *data,
+ int len, const char *sn,
+ const char *ln);
+
+// ASN1_OBJECT_free releases memory associated with |a|. If |a| is a static
+// |ASN1_OBJECT|, returned from |OBJ_nid2obj|, this function does nothing.
+OPENSSL_EXPORT void ASN1_OBJECT_free(ASN1_OBJECT *a);
+
+// d2i_ASN1_OBJECT parses a DER-encoded ASN.1 OBJECT IDENTIFIER from up to |len|
+// bytes at |*inp|, as described in |d2i_SAMPLE_with_reuse|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **out,
+ const uint8_t **inp, long len);
+
+// i2d_ASN1_OBJECT marshals |in| as a DER-encoded ASN.1 OBJECT IDENTIFIER, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, uint8_t **outp);
+
+// c2i_ASN1_OBJECT decodes |len| bytes from |*inp| as the contents of a
+// DER-encoded OBJECT IDENTIFIER, excluding the tag and length. It behaves like
+// |d2i_SAMPLE_with_reuse| except, on success, it always consumes all |len|
+// bytes.
+OPENSSL_EXPORT ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **out,
+ const uint8_t **inp, long len);
+
+// ASN1_OBJECT is an |ASN1_ITEM| with ASN.1 type OBJECT IDENTIFIER and C type
+// |ASN1_OBJECT*|.
+DECLARE_ASN1_ITEM(ASN1_OBJECT)
+
+
+// Arbitrary elements.
 
 // An asn1_type_st (aka |ASN1_TYPE|) represents an arbitrary ASN.1 element,
-// typically used used for ANY types. It contains a |type| field and a |value|
-// union dependent on |type|.
+// typically used for ANY types. It contains a |type| field and a |value| union
+// dependent on |type|.
 //
 // WARNING: This struct has a complex representation. Callers must not construct
 // |ASN1_TYPE| values manually. Use |ASN1_TYPE_set| and |ASN1_TYPE_set1|
@@ -719,6 +1536,34 @@ struct asn1_type_st {
 } value;
 };
 
+DEFINE_STACK_OF(ASN1_TYPE)
+
+// ASN1_TYPE_new returns a newly-allocated |ASN1_TYPE|, or NULL on allocation
+// failure. The resulting object has type -1 and must be initialized to be
+// a valid ANY value.
+OPENSSL_EXPORT ASN1_TYPE *ASN1_TYPE_new(void);
+
+// ASN1_TYPE_free releases memory associated with |a|.
+OPENSSL_EXPORT void ASN1_TYPE_free(ASN1_TYPE *a);
+
+// d2i_ASN1_TYPE parses up to |len| bytes from |*inp| as an ASN.1 value of any
+// type, as described in |d2i_SAMPLE_with_reuse|. Note this function only
+// validates primitive, universal types supported by this library. Values of
+// type |V_ASN1_SEQUENCE|, |V_ASN1_SET|, |V_ASN1_OTHER|, or an unsupported
+// primitive type must be validated by the caller when interpreting.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **out, const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_TYPE marshals |in| as DER, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_TYPE(const ASN1_TYPE *in, uint8_t **outp);
+
+// ASN1_ANY is an |ASN1_ITEM| with ASN.1 type ANY and C type |ASN1_TYPE*|. Note
+// the |ASN1_ITEM| name and C type do not match.
+DECLARE_ASN1_ITEM(ASN1_ANY)
+
 // ASN1_TYPE_get returns the type of |a|, which will be one of the |V_ASN1_*|
 // constants, or zero if |a| is not fully initialized.
 OPENSSL_EXPORT int ASN1_TYPE_get(const ASN1_TYPE *a);
@@ -746,8 +1591,39 @@ OPENSSL_EXPORT int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
 // ordering.
 OPENSSL_EXPORT int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
 
-// TODO(davidben): Most of |ASN1_TYPE|'s APIs are hidden behind macros. Expand
-// the macros, document them, and move them to this section.
+typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY;
+
+// d2i_ASN1_SEQUENCE_ANY parses up to |len| bytes from |*inp| as a DER-encoded
+// ASN.1 SEQUENCE OF ANY structure, as described in |d2i_SAMPLE_with_reuse|. The
+// resulting |ASN1_SEQUENCE_ANY| owns its contents and thus must be released
+// with |sk_ASN1_TYPE_pop_free| and |ASN1_TYPE_free|, not |sk_ASN1_TYPE_free|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_SEQUENCE_ANY *d2i_ASN1_SEQUENCE_ANY(ASN1_SEQUENCE_ANY **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_SEQUENCE_ANY marshals |in| as a DER-encoded SEQUENCE OF ANY
+// structure, as described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_SEQUENCE_ANY(const ASN1_SEQUENCE_ANY *in,
+ uint8_t **outp);
+
+// d2i_ASN1_SET_ANY parses up to |len| bytes from |*inp| as a DER-encoded ASN.1
+// SET OF ANY structure, as described in |d2i_SAMPLE_with_reuse|. The resulting
+// |ASN1_SEQUENCE_ANY| owns its contents and thus must be released with
+// |sk_ASN1_TYPE_pop_free| and |ASN1_TYPE_free|, not |sk_ASN1_TYPE_free|.
+//
+// TODO(https://crbug.com/boringssl/354): This function currently also accepts
+// BER, but this will be removed in the future.
+OPENSSL_EXPORT ASN1_SEQUENCE_ANY *d2i_ASN1_SET_ANY(ASN1_SEQUENCE_ANY **out,
+ const uint8_t **inp,
+ long len);
+
+// i2d_ASN1_SET_ANY marshals |in| as a DER-encoded SET OF ANY structure, as
+// described in |i2d_SAMPLE|.
+OPENSSL_EXPORT int i2d_ASN1_SET_ANY(const ASN1_SEQUENCE_ANY *in,
+ uint8_t **outp);
 
 
 // Human-readable output.
@@ -774,7 +1650,9 @@ OPENSSL_EXPORT int ASN1_TIME_print(BIO *out, const ASN1_TIME *a);
 // replaced with '.'.
 OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
 
-// ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC2253, section
+// The following flags must not collide with |XN_FLAG_*|.
+
+// ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section
 // 2.4.
 #define ASN1_STRFLGS_ESC_2253 1
 
@@ -805,7 +1683,7 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
 #define ASN1_STRFLGS_SHOW_TYPE 0x40
 
 // ASN1_STRFLGS_DUMP_ALL causes all strings to be printed as a hexdump, using
-// RFC2253 hexstring notation, such as "#0123456789ABCDEF".
+// RFC 2253 hexstring notation, such as "#0123456789ABCDEF".
 #define ASN1_STRFLGS_DUMP_ALL 0x80
 
 // ASN1_STRFLGS_DUMP_UNKNOWN behaves like |ASN1_STRFLGS_DUMP_ALL| but only
@@ -815,11 +1693,11 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str);
 // ASN1_STRFLGS_DUMP_DER causes hexdumped strings (as determined by
 // |ASN1_STRFLGS_DUMP_ALL| or |ASN1_STRFLGS_DUMP_UNKNOWN|) to print the entire
-// DER element as in RFC2253, rather than only the contents of the
+// DER element as in RFC 2253, rather than only the contents of the
 // |ASN1_STRING|.
 #define ASN1_STRFLGS_DUMP_DER 0x200
 
-// ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC2253,
+// ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC 2253,
 // additionally escaping control characters.
 #define ASN1_STRFLGS_RFC2253 \
 (ASN1_STRFLGS_ESC_2253 | ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | \
@@ -842,48 +1720,90 @@ OPENSSL_EXPORT int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str,
 OPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str,
 unsigned long flags);
 
+// i2a_ASN1_INTEGER writes a human-readable representation of |a| to |bp|. It
+// returns the number of bytes written on success, or a negative number on
+// error. On error, this function may have written a partial output to |bp|.
+OPENSSL_EXPORT int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a);
+
+// i2a_ASN1_ENUMERATED writes a human-readable representation of |a| to |bp|. It
+// returns the number of bytes written on success, or a negative number on
+// error. On error, this function may have written a partial output to |bp|.
+OPENSSL_EXPORT int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a);
 
-// Underdocumented functions.
+// i2a_ASN1_OBJECT writes a human-readable representation of |a| to |bp|. It
+// returns the number of bytes written on success, or a negative number on
+// error. On error, this function may have written a partial output to |bp|.
+OPENSSL_EXPORT int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a);
+
+// i2a_ASN1_STRING writes a text representation of |a|'s contents to |bp|. It
+// returns the number of bytes written on success, or a negative number on
+// error. On error, this function may have written a partial output to |bp|.
+// |type| is ignored.
 //
-// The following functions are not yet documented and organized.
+// This function does not decode |a| into a Unicode string. It only hex-encodes
+// the internal representation of |a|. This is suitable for printing an OCTET
+// STRING, but may not be human-readable for any other string type.
+OPENSSL_EXPORT int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type);
 
-DEFINE_STACK_OF(ASN1_OBJECT)
+// i2t_ASN1_OBJECT calls |OBJ_obj2txt| with |always_return_oid| set to zero.
+OPENSSL_EXPORT int i2t_ASN1_OBJECT(char *buf, int buf_len,
+ const ASN1_OBJECT *a);
 
-// ASN1_ENCODING structure: this is used to save the received
-// encoding of an ASN1 type. This is useful to get round
-// problems with invalid encodings which can break signatures.
-
-typedef struct ASN1_ENCODING_st {
- unsigned char *enc; // DER encoding
- long len; // Length of encoding
- int modified; // set to 1 if 'enc' is invalid
- // alias_only is zero if |enc| owns the buffer that it points to
- // (although |enc| may still be NULL). If one, |enc| points into a
- // buffer that is owned elsewhere.
- unsigned alias_only : 1;
- // alias_only_on_next_parse is one iff the next parsing operation
- // should avoid taking a copy of the input and rather set
- // |alias_only|.
- unsigned alias_only_on_next_parse : 1;
-} ASN1_ENCODING;
-
-#define STABLE_FLAGS_MALLOC 0x01
-#define STABLE_NO_MASK 0x02
-typedef struct asn1_string_table_st {
- int nid;
- long minsize;
- long maxsize;
- unsigned long mask;
- unsigned long flags;
-} ASN1_STRING_TABLE;
 
+// Low-level encoding functions.
+
+// ASN1_get_object parses a BER element from up to |max_len| bytes at |*inp|. It
+// returns |V_ASN1_CONSTRUCTED| if it successfully parsed a constructed element,
+// zero if it successfully parsed a primitive element, and 0x80 on error. On
+// success, it additionally advances |*inp| to the element body, sets
+// |*out_length|, |*out_tag|, and |*out_class| to the element's length, tag
+// number, and tag class, respectively,
+//
+// Unlike OpenSSL, this function does not support indefinite-length elements.
+//
+// This function is difficult to use correctly. Use |CBS_get_asn1| and related
+// functions from bytestring.h.
+//
+// TODO(https://crbug.com/boringssl/354): Remove support for non-minimal
+// lengths.
+OPENSSL_EXPORT int ASN1_get_object(const unsigned char **inp, long *out_length,
+ int *out_tag, int *out_class, long max_len);
+
+// ASN1_put_object writes the header for a DER or BER element to |*outp| and
+// advances |*outp| by the number of bytes written. The caller is responsible
+// for ensuring |*outp| has enough space for the output. The header describes an
+// element with length |length|, tag number |tag|, and class |xclass|. |xclass|
+// should be one of the |V_ASN1_*| tag class constants. The element is primitive
+// if |constructed| is zero and constructed if it is one or two. If
+// |constructed| is two, |length| is ignored and the element uses
+// indefinite-length encoding.
+//
+// Use |CBB_add_asn1| instead.
+OPENSSL_EXPORT void ASN1_put_object(unsigned char **outp, int constructed,
+ int length, int tag, int xclass);
+
+// ASN1_put_eoc writes two zero bytes to |*outp|, advances |*outp| to point past
+// those bytes, and returns two.
+//
+// Use definite-length encoding instead.
+OPENSSL_EXPORT int ASN1_put_eoc(unsigned char **outp);
+
+// ASN1_object_size returns the number of bytes needed to encode a DER or BER
+// value with length |length| and tag number |tag|, or -1 on error. |tag| should
+// not include the constructed bit or tag class. If |constructed| is zero or
+// one, the result uses a definite-length encoding with minimally-encoded
+// length, as in DER. If |constructed| is two, the result uses BER
+// indefinite-length encoding.
+//
+// Use |CBB_add_asn1| instead.
+OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag);
-// Declarations for template structures: for full definitions
-// see asn1t.h
-typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE;
-typedef struct ASN1_TLC_st ASN1_TLC;
 
-// Declare ASN1 functions: the implement macro in in asn1t.h
+// Function declaration macros.
+//
+// The following macros declare functions for ASN.1 types. Prefer writing the
+// prototypes directly. Particularly when |type|, |itname|, or |name| differ,
+// the macros can be difficult to understand.
 
 #define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type)
@@ -918,71 +1838,29 @@ typedef struct ASN1_TLC_st ASN1_TLC;
 OPENSSL_EXPORT type *name##_new(void); \
 OPENSSL_EXPORT void name##_free(type *a);
 
-#define DECLARE_ASN1_PRINT_FUNCTION(stname) \
- DECLARE_ASN1_PRINT_FUNCTION_fname(stname, stname)
-
-#define DECLARE_ASN1_PRINT_FUNCTION_fname(stname, fname) \
- OPENSSL_EXPORT int fname##_print_ctx(BIO *out, stname *x, int indent, \
- const ASN1_PCTX *pctx);
 
-typedef void *d2i_of_void(void **, const unsigned char **, long);
-typedef int i2d_of_void(const void *, unsigned char **);
+// Deprecated functions.
 
-// The following macros and typedefs allow an ASN1_ITEM
-// to be embedded in a structure and referenced. Since
-// the ASN1_ITEM pointers need to be globally accessible
-// (possibly from shared libraries) they may exist in
-// different forms. On platforms that support it the
-// ASN1_ITEM structure itself will be globally exported.
-// Other platforms will export a function that returns
-// an ASN1_ITEM pointer.
-//
-// To handle both cases transparently the macros below
-// should be used instead of hard coding an ASN1_ITEM
-// pointer in a structure.
-//
-// The structure will look like this:
-//
-// typedef struct SOMETHING_st {
-// ...
-// ASN1_ITEM_EXP *iptr;
-// ...
-// } SOMETHING;
-//
-// It would be initialised as e.g.:
-//
-// SOMETHING somevar = {...,ASN1_ITEM_ref(X509),...};
-//
-// and the actual pointer extracted with:
+// ASN1_PRINTABLE_type interprets |len| bytes from |s| as a Latin-1 string. It
+// returns the first of |V_ASN1_PRINTABLESTRING|, |V_ASN1_IA5STRING|, or
+// |V_ASN1_T61STRING| that can represent every character. If |len| is negative,
+// |strlen(s)| is used instead.
 //
-// const ASN1_ITEM *it = ASN1_ITEM_ptr(somevar.iptr);
-//
-// Finally an ASN1_ITEM pointer can be extracted from an
-// appropriate reference with: ASN1_ITEM_rptr(X509). This
-// would be used when a function takes an ASN1_ITEM * argument.
-//
-
-// ASN1_ITEM pointer exported type
-typedef const ASN1_ITEM ASN1_ITEM_EXP;
-
-// Macro to obtain ASN1_ITEM pointer from exported type
-#define ASN1_ITEM_ptr(iptr) (iptr)
+// TODO(davidben): Remove this once all copies of Conscrypt have been updated
+// past https://github.com/google/conscrypt/pull/1032.
+OPENSSL_EXPORT int ASN1_PRINTABLE_type(const unsigned char *s, int len);
 
-// Macro to include ASN1_ITEM pointer from base type
-#define ASN1_ITEM_ref(iptr) (&(iptr##_it))
-
-#define ASN1_ITEM_rptr(ref) (&(ref##_it))
-
-#define DECLARE_ASN1_ITEM(name) extern OPENSSL_EXPORT const ASN1_ITEM name##_it;
-
-DEFINE_STACK_OF(ASN1_INTEGER)
+// ASN1_STRING_set_default_mask does nothing.
+OPENSSL_EXPORT void ASN1_STRING_set_default_mask(unsigned long mask);
 
-DEFINE_STACK_OF(ASN1_TYPE)
+// ASN1_STRING_set_default_mask_asc returns one.
+OPENSSL_EXPORT int ASN1_STRING_set_default_mask_asc(const char *p);
 
-typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY;
+// ASN1_STRING_get_default_mask returns |B_ASN1_UTF8STRING|.
+OPENSSL_EXPORT unsigned long ASN1_STRING_get_default_mask(void);
 
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SEQUENCE_ANY)
-DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SET_ANY)
+// ASN1_STRING_TABLE_cleanup does nothing.
+OPENSSL_EXPORT void ASN1_STRING_TABLE_cleanup(void);
 
 // M_ASN1_* are legacy aliases for various |ASN1_STRING| functions. Use the
 // functions themselves.
@@ -1032,157 +1910,53 @@ DECLARE_ASN1_ENCODE_FUNCTIONS_const(ASN1_SEQUENCE_ANY, ASN1_SET_ANY) #define M_ASN1_UTF8STRING_new() ASN1_UTF8STRING_new() #define M_ASN1_UTF8STRING_free(a) ASN1_UTF8STRING_free(a) -#define B_ASN1_TIME B_ASN1_UTCTIME | B_ASN1_GENERALIZEDTIME - +// B_ASN1_PRINTABLE is a bitmask for an ad-hoc subset of string-like types. Note +// the presence of |B_ASN1_UNKNOWN| means it includes types which |ASN1_tag2bit| +// maps to |B_ASN1_UNKNOWN|. +// +// Do not use this. Despite the name, it has no connection to PrintableString or +// printable characters. See https://crbug.com/boringssl/412. #define B_ASN1_PRINTABLE \ - B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | \ - B_ASN1_IA5STRING | B_ASN1_BIT_STRING | B_ASN1_UNIVERSALSTRING | \ - B_ASN1_BMPSTRING | B_ASN1_UTF8STRING | B_ASN1_SEQUENCE | B_ASN1_UNKNOWN - -#define B_ASN1_DIRECTORYSTRING \ - B_ASN1_PRINTABLESTRING | B_ASN1_TELETEXSTRING | B_ASN1_BMPSTRING | \ - B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING - -#define B_ASN1_DISPLAYTEXT \ - B_ASN1_IA5STRING | B_ASN1_VISIBLESTRING | B_ASN1_BMPSTRING | B_ASN1_UTF8STRING - -DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE) - -OPENSSL_EXPORT ASN1_OBJECT *ASN1_OBJECT_new(void); -OPENSSL_EXPORT void ASN1_OBJECT_free(ASN1_OBJECT *a); -OPENSSL_EXPORT int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp); -OPENSSL_EXPORT ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, - const unsigned char **pp, - long length); -OPENSSL_EXPORT ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, - const unsigned char **pp, - long length); - -DECLARE_ASN1_ITEM(ASN1_OBJECT) - -DECLARE_ASN1_FUNCTIONS(ASN1_BIT_STRING) -OPENSSL_EXPORT int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *a, - unsigned char **pp); -OPENSSL_EXPORT ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, - const unsigned char **pp, - long length); - -OPENSSL_EXPORT int i2d_ASN1_BOOLEAN(int a, unsigned char **pp); -OPENSSL_EXPORT int d2i_ASN1_BOOLEAN(int *a, const unsigned char 
**pp, - long length); - -DECLARE_ASN1_FUNCTIONS(ASN1_INTEGER) -OPENSSL_EXPORT int i2c_ASN1_INTEGER(const ASN1_INTEGER *a, unsigned char **pp); -OPENSSL_EXPORT ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, - const unsigned char **pp, - long length); -OPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x); - -DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED) - -DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING) -OPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup( - const ASN1_OCTET_STRING *a); -OPENSSL_EXPORT int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a, - const ASN1_OCTET_STRING *b); -OPENSSL_EXPORT int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, - const unsigned char *data, int len); - -DECLARE_ASN1_FUNCTIONS(ASN1_VISIBLESTRING) -DECLARE_ASN1_FUNCTIONS(ASN1_UNIVERSALSTRING) -DECLARE_ASN1_FUNCTIONS(ASN1_UTF8STRING) -DECLARE_ASN1_FUNCTIONS(ASN1_NULL) -DECLARE_ASN1_FUNCTIONS(ASN1_BMPSTRING) - -DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, ASN1_PRINTABLE) - -DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DIRECTORYSTRING) -DECLARE_ASN1_FUNCTIONS_name(ASN1_STRING, DISPLAYTEXT) -DECLARE_ASN1_FUNCTIONS(ASN1_PRINTABLESTRING) -DECLARE_ASN1_FUNCTIONS(ASN1_T61STRING) -DECLARE_ASN1_FUNCTIONS(ASN1_IA5STRING) -DECLARE_ASN1_FUNCTIONS(ASN1_GENERALSTRING) -DECLARE_ASN1_FUNCTIONS(ASN1_UTCTIME) -DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME) -DECLARE_ASN1_FUNCTIONS(ASN1_TIME) - -OPENSSL_EXPORT int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a); -OPENSSL_EXPORT int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a); -OPENSSL_EXPORT int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a); -OPENSSL_EXPORT int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type); -OPENSSL_EXPORT int i2t_ASN1_OBJECT(char *buf, int buf_len, - const ASN1_OBJECT *a); - -OPENSSL_EXPORT ASN1_OBJECT *ASN1_OBJECT_create(int nid, - const unsigned char *data, - int len, const char *sn, - const char *ln); - -// General -// given a string, return the correct type, max is the maximum length -OPENSSL_EXPORT int 
ASN1_PRINTABLE_type(const unsigned char *s, int max); - -OPENSSL_EXPORT unsigned long ASN1_tag2bit(int tag); - -// SPECIALS -OPENSSL_EXPORT int ASN1_get_object(const unsigned char **pp, long *plength, - int *ptag, int *pclass, long omax); -OPENSSL_EXPORT void ASN1_put_object(unsigned char **pp, int constructed, - int length, int tag, int xclass); -OPENSSL_EXPORT int ASN1_put_eoc(unsigned char **pp); -OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag); - -OPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x); - -OPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x); -OPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x); - -OPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x); -OPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x); - -// Used to load and write netscape format cert - -OPENSSL_EXPORT void *ASN1_item_unpack(const ASN1_STRING *oct, - const ASN1_ITEM *it); + (B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING | B_ASN1_T61STRING | \ + B_ASN1_IA5STRING | B_ASN1_BIT_STRING | B_ASN1_UNIVERSALSTRING | \ + B_ASN1_BMPSTRING | B_ASN1_UTF8STRING | B_ASN1_SEQUENCE | B_ASN1_UNKNOWN) -OPENSSL_EXPORT ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, - ASN1_OCTET_STRING **oct); - -// ASN1_STRING_set_default_mask does nothing. -OPENSSL_EXPORT void ASN1_STRING_set_default_mask(unsigned long mask); +// ASN1_PRINTABLE_new returns a newly-allocated |ASN1_STRING| with type -1, or +// NULL on error. The resulting |ASN1_STRING| is not a valid ASN.1 value until +// initialized with a value. +OPENSSL_EXPORT ASN1_STRING *ASN1_PRINTABLE_new(void); -// ASN1_STRING_set_default_mask_asc returns one. -OPENSSL_EXPORT int ASN1_STRING_set_default_mask_asc(const char *p); - -// ASN1_STRING_get_default_mask returns |B_ASN1_UTF8STRING|. 
-OPENSSL_EXPORT unsigned long ASN1_STRING_get_default_mask(void); - -OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, - const unsigned char *in, - int inlen, int inform, - int nid); -OPENSSL_EXPORT ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid); -OPENSSL_EXPORT int ASN1_STRING_TABLE_add(int, long, long, unsigned long, - unsigned long); -OPENSSL_EXPORT void ASN1_STRING_TABLE_cleanup(void); +// ASN1_PRINTABLE_free calls |ASN1_STRING_free|. +OPENSSL_EXPORT void ASN1_PRINTABLE_free(ASN1_STRING *str); -// ASN1 template functions +// d2i_ASN1_PRINTABLE parses up to |len| bytes from |*inp| as a DER-encoded +// CHOICE of an ad-hoc subset of string-like types, as described in +// |d2i_SAMPLE_with_reuse|. +// +// Do not use this. Despite, the name it has no connection to PrintableString or +// printable characters. See https://crbug.com/boringssl/412. +// +// TODO(https://crbug.com/boringssl/354): This function currently also accepts +// BER, but this will be removed in the future. +OPENSSL_EXPORT ASN1_STRING *d2i_ASN1_PRINTABLE(ASN1_STRING **out, + const uint8_t **inp, long len); -// Old API compatible functions -OPENSSL_EXPORT ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it); -OPENSSL_EXPORT void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); -OPENSSL_EXPORT ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, - const unsigned char **in, long len, - const ASN1_ITEM *it); -OPENSSL_EXPORT int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, - const ASN1_ITEM *it); +// i2d_ASN1_PRINTABLE marshals |in| as DER, as described in |i2d_SAMPLE|. +// +// Do not use this. Despite the name, it has no connection to PrintableString or +// printable characters. See https://crbug.com/boringssl/412. 
+OPENSSL_EXPORT int i2d_ASN1_PRINTABLE(const ASN1_STRING *in, uint8_t **outp); -OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf); -OPENSSL_EXPORT ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf); +// ASN1_PRINTABLE is an |ASN1_ITEM| whose ASN.1 type is a CHOICE of an ad-hoc +// subset of string-like types, and whose C type is |ASN1_STRING*|. +// +// Do not use this. Despite the name, it has no connection to PrintableString or +// printable characters. See https://crbug.com/boringssl/412. +DECLARE_ASN1_ITEM(ASN1_PRINTABLE) -#ifdef __cplusplus -} +#if defined(__cplusplus) +} // extern C extern "C++" { @@ -1292,5 +2066,8 @@ BSSL_NAMESPACE_END #define ASN1_R_WRONG_TYPE 191 #define ASN1_R_NESTED_TOO_DEEP 192 #define ASN1_R_BAD_TEMPLATE 193 +#define ASN1_R_INVALID_BIT_STRING_PADDING 194 +#define ASN1_R_WRONG_INTEGER_TYPE 195 +#define ASN1_R_INVALID_INTEGER 196 #endif diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1t.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1t.h index 04b4cbf8..e2ddf87a 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1t.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_asn1t.h @@ -72,6 +72,9 @@ extern "C" { * |CBB| library in instead. */ +typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE; +typedef struct ASN1_TLC_st ASN1_TLC; + /* Macro to obtain ASN1_ADB pointer from a type (only used internally) */ #define ASN1_ADB_ptr(iptr) ((const ASN1_ADB *)(iptr)) @@ -257,7 +260,6 @@ extern "C" { /* Any defined by macros: the field used is in the table itself */ #define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) } -#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) } /* Plain simple type */ #define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type) 
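Review bot: The d2i_ASN1_PRINTABLE comment has a misplaced comma: `// Do not use this. Despite, the name it has no connection to PrintableString or` should read `// Do not use this. Despite the name, it has no connection to PrintableString or`, matching the wording used for i2d_ASN1_PRINTABLE and the ASN1_PRINTABLE item just below. The same comment notes that this parser still accepts BER, so a caller in this package that feeds untrusted input through it cannot rely on non-canonical encodings being rejected; I cannot see the callers from this hunk, but that caveat belongs at the call sites rather than only here.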
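Review bot: The three new reason codes ASN1_R_INVALID_BIT_STRING_PADDING, ASN1_R_WRONG_INTEGER_TYPE and ASN1_R_INVALID_INTEGER (194-196) only resolve through ERR_reason_error_string if the generated error-string table vendored in this package was regenerated from the same BoringSSL revision, and I cannot tell from this hunk whether it was. If it was not, failures from the stricter integer and bit-string checks that these codes back will print as bare numbers, which is harmless for correctness but makes them harder to diagnose in a JWT parsing failure.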
@@ -374,7 +376,7 @@ struct ASN1_ADB_st { }; struct ASN1_ADB_TABLE_st { - long value; /* NID for an object or value for an int */ + int value; /* NID for an object */ const ASN1_TEMPLATE tt; /* item for this value */ }; @@ -439,8 +441,6 @@ struct ASN1_ADB_TABLE_st { #define ASN1_TFLG_ADB_OID (0x1<<8) -#define ASN1_TFLG_ADB_INT (0x1<<9) - /* This flag means a parent structure is passed * instead of the field: this is useful is a * SEQUENCE is being combined with a CHOICE for @@ -509,19 +509,8 @@ const char *sname; /* Structure name */ #define ASN1_ITYPE_MSTRING 0x5 -/* Cache for ASN1 tag and length, so we - * don't keep re-reading it for things - * like CHOICE - */ - -struct ASN1_TLC_st{ - char valid; /* Values below are valid */ - int ret; /* return value */ - long plen; /* length */ - int ptag; /* class value */ - int pclass; /* class value */ - int hdrlen; /* header length */ -}; +/* Deprecated tag and length cache */ +struct ASN1_TLC_st; /* Typedefs for ASN1 function pointers */ @@ -595,8 +584,8 @@ typedef struct ASN1_AUX_st { #define ASN1_OP_FREE_POST 3 #define ASN1_OP_D2I_PRE 4 #define ASN1_OP_D2I_POST 5 -#define ASN1_OP_I2D_PRE 6 -#define ASN1_OP_I2D_POST 7 +/* ASN1_OP_I2D_PRE and ASN1_OP_I2D_POST are not supported. We leave the + * constants undefined so code relying on them does not accidentally compile. */ #define ASN1_OP_PRINT_PRE 8 #define ASN1_OP_PRINT_POST 9 #define ASN1_OP_STREAM_PRE 10 @@ -705,9 +694,6 @@ typedef struct ASN1_AUX_st { /* external definitions for primitive types */ -DECLARE_ASN1_ITEM(ASN1_BOOLEAN) -DECLARE_ASN1_ITEM(ASN1_TBOOLEAN) -DECLARE_ASN1_ITEM(ASN1_FBOOLEAN) DECLARE_ASN1_ITEM(ASN1_SEQUENCE) DEFINE_STACK_OF(ASN1_VALUE) diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h index 8fb3f7d9..a20c399e 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base.h 
@@ -153,7 +153,7 @@ extern "C" { // Trusty isn't Linux but currently defines __linux__. As a workaround, we // exclude it here. // TODO(b/169780122): Remove this workaround once Trusty no longer defines it. -#if defined(__linux__) && !defined(TRUSTY) +#if defined(__linux__) && !defined(__TRUSTY__) #define OPENSSL_LINUX #endif @@ -161,7 +161,7 @@ extern "C" { #define OPENSSL_FUCHSIA #endif -#if defined(TRUSTY) +#if defined(__TRUSTY__) #define OPENSSL_TRUSTY #define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED #endif @@ -203,7 +203,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 16 +#define BORINGSSL_API_VERSION 17 #if defined(BORINGSSL_SHARED_LIBRARY) @@ -336,8 +336,11 @@ enum ssl_verify_result_t BORINGSSL_ENUM_INT; // CRYPTO_THREADID is a dummy value. typedef int CRYPTO_THREADID; +// An |ASN1_NULL| is an opaque type. asn1.h represents the ASN.1 NULL value as +// an opaque, non-NULL |ASN1_NULL*| pointer. +typedef struct asn1_null_st ASN1_NULL; + typedef int ASN1_BOOLEAN; -typedef int ASN1_NULL; typedef struct ASN1_ITEM_st ASN1_ITEM; typedef struct asn1_object_st ASN1_OBJECT; typedef struct asn1_pctx_st ASN1_PCTX; @@ -381,7 +384,6 @@ typedef struct X509_name_st X509_NAME; typedef struct X509_pubkey_st X509_PUBKEY; typedef struct X509_req_st X509_REQ; typedef struct X509_sig_st X509_SIG; -typedef struct X509_val_st X509_VAL; typedef struct bignum_ctx BN_CTX; typedef struct bignum_st BIGNUM; typedef struct bio_method_st BIO_METHOD; 
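Review bot: Renaming the platform guard from `TRUSTY` to `__TRUSTY__` changes how a stale `-DTRUSTY` build is classified: the comment above says Trusty also defines `__linux__`, so such a build now satisfies `defined(__linux__) && !defined(__TRUSTY__)`, selects `OPENSSL_LINUX`, and silently loses `OPENSSL_TRUSTY` and the `OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED` marker defined beneath it. Nothing visible here suggests this package targets Trusty, but any build configuration still passing the old macro deserves a grep. A guard such as `#if defined(TRUSTY) && !defined(__TRUSTY__)` followed by `#error "TRUSTY has been renamed to __TRUSTY__"` would make the mismatch loud instead of silent.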
@@ -408,6 +410,7 @@ typedef struct engine_st ENGINE; typedef struct env_md_ctx_st EVP_MD_CTX; typedef struct env_md_st EVP_MD; typedef struct evp_aead_st EVP_AEAD; +typedef struct evp_aead_ctx_st EVP_AEAD_CTX; typedef struct evp_cipher_ctx_st EVP_CIPHER_CTX; typedef struct evp_cipher_st EVP_CIPHER; typedef struct evp_encode_ctx_st EVP_ENCODE_CTX; @@ -430,6 +433,7 @@ typedef struct private_key_st X509_PKEY; typedef struct rand_meth_st RAND_METHOD; typedef struct rc4_key_st RC4_KEY; typedef struct rsa_meth_st RSA_METHOD; +typedef struct rsa_pss_params_st RSA_PSS_PARAMS; typedef struct rsa_st RSA; typedef struct sha256_state_st SHA256_CTX; typedef struct sha512_state_st SHA512_CTX; @@ -438,6 +442,7 @@ typedef struct spake2_ctx_st SPAKE2_CTX; typedef struct srtp_protection_profile_st SRTP_PROTECTION_PROFILE; typedef struct ssl_cipher_st SSL_CIPHER; typedef struct ssl_ctx_st SSL_CTX; +typedef struct ssl_early_callback_ctx SSL_CLIENT_HELLO; typedef struct ssl_ech_keys_st SSL_ECH_KEYS; typedef struct ssl_method_st SSL_METHOD; typedef struct ssl_private_key_method_st SSL_PRIVATE_KEY_METHOD; @@ -452,10 +457,10 @@ typedef struct trust_token_issuer_st TRUST_TOKEN_ISSUER; typedef struct trust_token_method_st TRUST_TOKEN_METHOD; typedef struct v3_ext_ctx X509V3_CTX; typedef struct x509_attributes_st X509_ATTRIBUTE; -typedef struct x509_cert_aux_st X509_CERT_AUX; -typedef struct x509_cinf_st X509_CINF; typedef struct x509_crl_method_st X509_CRL_METHOD; typedef struct x509_lookup_st X509_LOOKUP; +typedef struct x509_lookup_method_st X509_LOOKUP_METHOD; +typedef struct x509_object_st X509_OBJECT; typedef struct x509_revoked_st X509_REVOKED; typedef struct x509_st X509; typedef struct x509_store_ctx_st X509_STORE_CTX; diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base64.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base64.h index 11fbbf78..fe2f1272 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base64.h 
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_base64.h
@@ -111,6 +111,14 @@ OPENSSL_EXPORT int EVP_DecodeBase64(uint8_t *out, size_t *out_len,
 // very specific to PEM. It is also very lenient of invalid input. Use of any of
 // these functions is thus deprecated.
 
+// EVP_ENCODE_CTX_new returns a newly-allocated |EVP_ENCODE_CTX| or NULL on
+// error. The caller must release the result with |EVP_ENCODE_CTX_free| when
+// done.
+OPENSSL_EXPORT EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void);
+
+// EVP_ENCODE_CTX_free releases memory associated with |ctx|.
+OPENSSL_EXPORT void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx);
+
 // EVP_EncodeInit initialises |*ctx|, which is typically stack
 // allocated, for an encoding operation.
 //
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h
index cd981265..b681ecc2 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bio.h
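Review bot: The EVP_ENCODE_CTX_free comment does not say whether a NULL |ctx| is accepted, which is the first thing a caller pairing it with a failed EVP_ENCODE_CTX_new wants to know; if the implementation tolerates NULL (I cannot see it from this hunk) document it as `// EVP_ENCODE_CTX_free releases memory associated with |ctx|. It is a no-op if |ctx| is NULL.`. These two functions also sit directly beneath the paragraph that deprecates the whole EVP_Encode* API, so a sentence stating that they exist for compatibility with callers that cannot stack-allocate the context, and carry the same deprecation, would stop them reading as a new recommended entry point.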
@@ -508,6 +508,25 @@ OPENSSL_EXPORT int BIO_append_filename(BIO *bio, const char *filename); // |FILE| will be closed when |bio| is freed. OPENSSL_EXPORT int BIO_rw_filename(BIO *bio, const char *filename); +// BIO_tell returns the file offset of |bio|, or a negative number on error or +// if |bio| does not support the operation. +// +// TODO(https://crbug.com/boringssl/465): On platforms where |long| is 32-bit, +// this function cannot report 64-bit offsets. +OPENSSL_EXPORT long BIO_tell(BIO *bio); + +// BIO_seek sets the file offset of |bio| to |offset|. It returns a non-negative +// number on success and a negative number on error. If |bio| is a file +// descriptor |BIO|, it returns the resulting file offset on success. If |bio| +// is a file |BIO|, it returns zero on success. +// +// WARNING: This function's return value conventions differs from most functions +// in this library. +// +// TODO(https://crbug.com/boringssl/465): On platforms where |long| is 32-bit, +// this function cannot handle 64-bit offsets. +OPENSSL_EXPORT long BIO_seek(BIO *bio, long offset); + // Socket BIOs. // diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h index 72538247..1bcabd09 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h @@ -126,6 +126,7 @@ #include "CJWTKitBoringSSL_base.h" #include "CJWTKitBoringSSL_thread.h" +#include // for PRIu64 and friends #include #include // for FILE* 
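Review bot: The BIO_seek WARNING reads `conventions differs`; make it `// WARNING: This function's return value conventions differ from most functions` so it does not look like a stray edit. More substantively, both BIO_tell and BIO_seek take and return |long|, which is 32-bit on LLP64 targets such as Windows, so an offset beyond 2 GiB is silently truncated rather than rejected; the TODO acknowledges the limitation, but a caller seeking within a file whose size comes from untrusted input should check that the offset fits in |long| before calling, and that is worth one sentence in the comment rather than only a bug link. I cannot tell from this hunk whether the package builds for any 32-bit-long platform.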
@@ -148,14 +149,14 @@ extern "C" {
 // Projects which use |BN_*_FMT*| with outdated C headers may need to define it
 // externally.
 #if defined(OPENSSL_64_BIT)
-#define BN_ULONG uint64_t
+typedef uint64_t BN_ULONG;
 #define BN_BITS2 64
 #define BN_DEC_FMT1 "%" PRIu64
 #define BN_DEC_FMT2 "%019" PRIu64
 #define BN_HEX_FMT1 "%" PRIx64
 #define BN_HEX_FMT2 "%016" PRIx64
 #elif defined(OPENSSL_32_BIT)
-#define BN_ULONG uint32_t
+typedef uint32_t BN_ULONG;
 #define BN_BITS2 32
 #define BN_DEC_FMT1 "%" PRIu32
 #define BN_DEC_FMT2 "%09" PRIu32
@@ -584,9 +585,14 @@ OPENSSL_EXPORT int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a,
 const BIGNUM *m);
 
 // BN_mod_sqrt returns a newly-allocated |BIGNUM|, r, such that
-// r^2 == a (mod p). |p| must be a prime. It returns NULL on error or if |a| is
-// not a square mod |p|. In the latter case, it will add |BN_R_NOT_A_SQUARE| to
-// the error queue.
+// r^2 == a (mod p). It returns NULL on error or if |a| is not a square mod |p|.
+// In the latter case, it will add |BN_R_NOT_A_SQUARE| to the error queue.
+// If |a| is a square and |p| > 2, there are two possible square roots. This
+// function may return either and may even select one non-deterministically.
+//
+// This function only works if |p| is a prime. If |p| is composite, it may fail
+// or return an arbitrary value. Callers should not pass attacker-controlled
+// values of |p|.
 OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p,
 BN_CTX *ctx);
 
@@ -658,6 +664,14 @@ struct bn_gencb_st {
 int (*callback)(int event, int n, struct bn_gencb_st *);
 };
 
+// BN_GENCB_new returns a newly-allocated |BN_GENCB| object, or NULL on
+// allocation failure. The result must be released with |BN_GENCB_free| when
+// done.
+OPENSSL_EXPORT BN_GENCB *BN_GENCB_new(void);
+
+// BN_GENCB_free releases memory associated with |callback|.
+OPENSSL_EXPORT void BN_GENCB_free(BN_GENCB *callback);
+
 // BN_GENCB_set configures |callback| to call |f| and sets |callout->arg| to
 // |arg|.
 OPENSSL_EXPORT void BN_GENCB_set(BN_GENCB *callback,
@@ -687,9 +701,9 @@ OPENSSL_EXPORT int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe,
 // BN_prime_checks_for_validation can be used as the |checks| argument to the
 // primarily testing functions when validating an externally-supplied candidate
 // prime. It gives a false positive rate of at most 2^{-128}. (The worst case
-// false positive rate for a single iteration is 1/4, so we perform 32
-// iterations.)
-#define BN_prime_checks_for_validation 32
+// false positive rate for a single iteration is 1/4 per
+// https://eprint.iacr.org/2018/749. (1/4)^64 = 2^{-128}.)
+#define BN_prime_checks_for_validation 64
 
 // BN_prime_checks_for_generation can be used as the |checks| argument to the
 // primality testing functions when generating random primes. It gives a false
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h
index d2267e02..2ae315dd 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols.h
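Review bot: The context line directly above the rewritten paragraph still says `primarily testing functions`; since this hunk is already rewording the comment, fix it to `// primality testing functions when validating an externally-supplied candidate` so it matches the BN_prime_checks_for_generation comment below. Raising the constant from 32 to 64 also doubles the cost of every Miller-Rabin run that uses it on externally supplied candidates; that is the right trade for the stated 2^{-128} bound, but anything in this package that validates attacker-supplied primes (I cannot see the callers from this hunk) now does twice the work per rejected input, which is worth knowing when sizing request limits.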
@@ -49,9 +49,11 @@ #define ASN1_BOOLEAN_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_BOOLEAN_it) #define ASN1_ENUMERATED_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_free) #define ASN1_ENUMERATED_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_get) +#define ASN1_ENUMERATED_get_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_get_uint64) #define ASN1_ENUMERATED_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_it) #define ASN1_ENUMERATED_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_new) #define ASN1_ENUMERATED_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_set) +#define ASN1_ENUMERATED_set_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_set_uint64) #define ASN1_ENUMERATED_to_BN BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_ENUMERATED_to_BN) #define ASN1_FBOOLEAN_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_FBOOLEAN_it) #define ASN1_GENERALIZEDTIME_adj BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_adj) @@ -72,6 +74,7 @@ #define ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_dup) #define ASN1_INTEGER_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_free) #define ASN1_INTEGER_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_get) +#define ASN1_INTEGER_get_uint64 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_get_uint64) #define ASN1_INTEGER_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_it) #define ASN1_INTEGER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_new) #define ASN1_INTEGER_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_INTEGER_set) 
@@ -102,7 +105,6 @@ #define ASN1_SET_ANY_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_SET_ANY_it) #define ASN1_STRING_TABLE_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_TABLE_add) #define ASN1_STRING_TABLE_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_TABLE_cleanup) -#define ASN1_STRING_TABLE_get BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_TABLE_get) #define ASN1_STRING_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_cmp) #define ASN1_STRING_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_copy) #define ASN1_STRING_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_STRING_data) @@ -162,7 +164,6 @@ #define ASN1_VISIBLESTRING_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_it) #define ASN1_VISIBLESTRING_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_new) #define ASN1_digest BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_digest) -#define ASN1_generate_nconf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_generate_nconf) #define ASN1_generate_v3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_generate_v3) #define ASN1_get_object BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_get_object) #define ASN1_item_d2i BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ASN1_item_d2i) @@ -269,6 +270,7 @@ #define BIO_s_file BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_file) #define BIO_s_mem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_mem) #define BIO_s_socket BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_s_socket) +#define BIO_seek BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_seek) #define BIO_set_close BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_close) #define BIO_set_conn_hostname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_hostname) #define BIO_set_conn_int_port BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_conn_int_port) 
@@ -293,6 +295,7 @@ #define BIO_should_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_should_write) #define BIO_shutdown_wr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_shutdown_wr) #define BIO_snprintf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_snprintf) +#define BIO_tell BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_tell) #define BIO_test_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_test_flags) #define BIO_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_up_ref) #define BIO_vfree BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_vfree) @@ -316,6 +319,8 @@ #define BN_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_new) #define BN_CTX_start BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_CTX_start) #define BN_GENCB_call BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_call) +#define BN_GENCB_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_free) +#define BN_GENCB_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_new) #define BN_GENCB_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_GENCB_set) #define BN_MONT_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_copy) #define BN_MONT_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BN_MONT_CTX_free) @@ -465,6 +470,7 @@ #define CBB_add_u64le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u64le) #define CBB_add_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u8) #define CBB_add_u8_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_u8_length_prefixed) +#define CBB_add_zeros BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_add_zeros) #define CBB_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_cleanup) #define CBB_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_data) #define CBB_did_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBB_did_write) 
@@ -510,6 +516,7 @@ #define CBS_get_u64le BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u64le) #define CBS_get_u8 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u8) #define CBS_get_u8_length_prefixed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_u8_length_prefixed) +#define CBS_get_until_first BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_get_until_first) #define CBS_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_init) #define CBS_is_unsigned_asn1_integer BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_unsigned_asn1_integer) #define CBS_is_valid_asn1_bitstring BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CBS_is_valid_asn1_bitstring) @@ -546,6 +553,7 @@ #define CRYPTO_BUFFER_len BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_len) #define CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_new) #define CRYPTO_BUFFER_new_from_CBS BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_CBS) +#define CRYPTO_BUFFER_new_from_static_data_unsafe BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_static_data_unsafe) #define CRYPTO_BUFFER_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_BUFFER_up_ref) #define CRYPTO_MUTEX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_cleanup) #define CRYPTO_MUTEX_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_MUTEX_init) 
@@ -574,6 +582,7 @@ #define CRYPTO_ctr128_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt) #define CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32) #define CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing) +#define CRYPTO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free) #define CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_free_ex_data) #define CRYPTO_gcm128_aad BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_aad) #define CRYPTO_gcm128_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_gcm128_decrypt) @@ -602,6 +611,7 @@ #define CRYPTO_is_NEON_capable_at_runtime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_NEON_capable_at_runtime) #define CRYPTO_is_confidential_build BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_is_confidential_build) #define CRYPTO_library_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_library_init) +#define CRYPTO_malloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_malloc) #define CRYPTO_malloc_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_malloc_init) #define CRYPTO_memcmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_memcmp) #define CRYPTO_new_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_new_ex_data) 
@@ -614,6 +624,7 @@ #define CRYPTO_pre_sandbox_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_pre_sandbox_init) #define CRYPTO_rdrand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_rdrand) #define CRYPTO_rdrand_multiple8_buf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_rdrand_multiple8_buf) +#define CRYPTO_realloc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_realloc) #define CRYPTO_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_refcount_dec_and_test_zero) #define CRYPTO_refcount_inc BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_refcount_inc) #define CRYPTO_set_add_lock_callback BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, CRYPTO_set_add_lock_callback) @@ -683,9 +694,11 @@ #define DIST_POINT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_new) #define DIST_POINT_set_dpname BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DIST_POINT_set_dpname) #define DSA_SIG_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_free) +#define DSA_SIG_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_get0) #define DSA_SIG_marshal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_marshal) #define DSA_SIG_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_new) #define DSA_SIG_parse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_parse) +#define DSA_SIG_set0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_SIG_set0) #define DSA_check_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_check_signature) #define DSA_do_check_signature BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_do_check_signature) #define DSA_do_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, DSA_do_sign) 
@@ -866,6 +879,7 @@ #define ERR_remove_thread_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_remove_thread_state) #define ERR_restore_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_restore_state) #define ERR_save_state BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_save_state) +#define ERR_set_error_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_set_error_data) #define ERR_set_mark BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ERR_set_mark) #define EVP_AEAD_CTX_aead BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_aead) #define EVP_AEAD_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_AEAD_CTX_cleanup) @@ -912,6 +926,7 @@ #define EVP_CIPHER_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_mode) #define EVP_CIPHER_nid BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CIPHER_nid) #define EVP_Cipher BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_Cipher) +#define EVP_CipherFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherFinal) #define EVP_CipherFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherFinal_ex) #define EVP_CipherInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherInit) #define EVP_CipherInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_CipherInit_ex) @@ -922,6 +937,7 @@ #define EVP_DecodeInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeInit) #define EVP_DecodeUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodeUpdate) #define EVP_DecodedLength BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecodedLength) +#define EVP_DecryptFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptFinal) #define EVP_DecryptFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptFinal_ex) #define EVP_DecryptInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptInit) #define EVP_DecryptInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DecryptInit_ex) 
@@ -941,11 +957,14 @@
 #define EVP_DigestVerifyFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerifyFinal)
 #define EVP_DigestVerifyInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerifyInit)
 #define EVP_DigestVerifyUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_DigestVerifyUpdate)
+#define EVP_ENCODE_CTX_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_ENCODE_CTX_free)
+#define EVP_ENCODE_CTX_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_ENCODE_CTX_new)
 #define EVP_EncodeBlock BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeBlock)
 #define EVP_EncodeFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeFinal)
 #define EVP_EncodeInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeInit)
 #define EVP_EncodeUpdate BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodeUpdate)
 #define EVP_EncodedLength BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncodedLength)
+#define EVP_EncryptFinal BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptFinal)
 #define EVP_EncryptFinal_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptFinal_ex)
 #define EVP_EncryptInit BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptInit)
 #define EVP_EncryptInit_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_EncryptInit_ex)
@@ -978,6 +997,7 @@
 #define EVP_HPKE_KEY_public_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_public_key)
 #define EVP_HPKE_KEY_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_HPKE_KEY_zero)
 #define EVP_MD_CTX_block_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_block_size)
+#define EVP_MD_CTX_cleanse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_cleanse)
 #define EVP_MD_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_cleanup)
 #define EVP_MD_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_copy)
 #define EVP_MD_CTX_copy_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EVP_MD_CTX_copy_ex)
@@ -1180,7 +1200,10 @@
 #define EXTENDED_KEY_USAGE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_new)
 #define FIPS_mode BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_mode)
 #define FIPS_mode_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_mode_set)
+#define FIPS_module_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_module_name)
+#define FIPS_query_algorithm_status BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_query_algorithm_status)
 #define FIPS_read_counter BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_read_counter)
+#define FIPS_version BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, FIPS_version)
 #define GENERAL_NAMES_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAMES_free)
 #define GENERAL_NAMES_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAMES_it)
 #define GENERAL_NAMES_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, GENERAL_NAMES_new)
@@ -1201,6 +1224,7 @@
 #define HKDF_expand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HKDF_expand)
 #define HKDF_extract BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HKDF_extract)
 #define HMAC BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC)
+#define HMAC_CTX_cleanse BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_cleanse)
 #define HMAC_CTX_cleanup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_cleanup)
 #define HMAC_CTX_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_copy)
 #define HMAC_CTX_copy_ex BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, HMAC_CTX_copy_ex)
@@ -1434,6 +1458,7 @@
 #define PKCS5_pbe2_encrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS5_pbe2_encrypt_init)
 #define PKCS7_bundle_CRLs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_bundle_CRLs)
 #define PKCS7_bundle_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_bundle_certificates)
+#define PKCS7_bundle_raw_certificates BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_bundle_raw_certificates)
 #define PKCS7_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_free)
 #define PKCS7_get_CRLs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_CRLs)
 #define PKCS7_get_PEM_CRLs BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS7_get_PEM_CRLs)
@@ -1521,6 +1546,7 @@
 #define RSA_get0_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_key)
 #define RSA_get0_n BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_n)
 #define RSA_get0_p BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_p)
+#define RSA_get0_pss_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_pss_params)
 #define RSA_get0_q BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get0_q)
 #define RSA_get_ex_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get_ex_data)
 #define RSA_get_ex_new_index BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_get_ex_new_index)
@@ -1557,6 +1583,7 @@
 #define RSA_sign_pss_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_sign_pss_mgf1)
 #define RSA_sign_raw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_sign_raw)
 #define RSA_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_size)
+#define RSA_test_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_test_flags)
 #define RSA_up_ref BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_up_ref)
 #define RSA_verify BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_verify)
 #define RSA_verify_PKCS1_PSS_mgf1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, RSA_verify_PKCS1_PSS_mgf1)
@@ -1963,7 +1990,6 @@
 #define X509_STORE_get_verify_cb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_get_verify_cb)
 #define X509_STORE_load_locations BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_load_locations)
 #define X509_STORE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_new)
-#define X509_STORE_set0_additional_untrusted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set0_additional_untrusted)
 #define X509_STORE_set1_param BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set1_param)
 #define X509_STORE_set_cert_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_cert_crl)
 #define X509_STORE_set_check_crl BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_STORE_set_check_crl)
@@ -1991,7 +2017,6 @@
 #define X509_TRUST_get_flags BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_flags)
 #define X509_TRUST_get_trust BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_get_trust)
 #define X509_TRUST_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_set)
-#define X509_TRUST_set_default BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_TRUST_set_default)
 #define X509_VAL_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_free)
 #define X509_VAL_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_it)
 #define X509_VAL_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, X509_VAL_new)
@@ -2206,6 +2231,7 @@
 #define aesgcmsiv_polyval_horner BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesgcmsiv_polyval_horner)
 #define aesni_gcm_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesni_gcm_decrypt)
 #define aesni_gcm_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, aesni_gcm_encrypt)
+#define asn1_bit_string_length BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_bit_string_length)
 #define asn1_do_adb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_do_adb)
 #define asn1_enc_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_enc_free)
 #define asn1_enc_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_enc_init)
@@ -2214,6 +2240,8 @@
 #define asn1_generalizedtime_to_tm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_generalizedtime_to_tm)
 #define asn1_get_choice_selector BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_get_choice_selector)
 #define asn1_get_field_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_get_field_ptr)
+#define asn1_get_string_table_for_testing BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_get_string_table_for_testing)
+#define asn1_is_printable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_is_printable)
 #define asn1_item_combine_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_item_combine_free)
 #define asn1_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_refcount_dec_and_test_zero)
 #define asn1_refcount_set_one BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, asn1_refcount_set_one)
@@ -2228,6 +2256,7 @@
 #define bio_socket_nbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bio_socket_nbio)
 #define bn_abs_sub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_abs_sub_consttime)
 #define bn_add_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_add_words)
+#define bn_big_endian_to_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_big_endian_to_words)
 #define bn_copy_words BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_copy_words)
 #define bn_div_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_div_consttime)
 #define bn_expand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_expand)
@@ -2296,7 +2325,10 @@
 #define bn_uadd_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_uadd_consttime)
 #define bn_usub_consttime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_usub_consttime)
 #define bn_wexpand BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_wexpand)
-#define boringssl_fips_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_fips_self_test)
+#define bn_words_to_big_endian BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, bn_words_to_big_endian)
+#define boringssl_self_test_hmac_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_self_test_hmac_sha256)
+#define boringssl_self_test_sha256 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_self_test_sha256)
+#define boringssl_self_test_sha512 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, boringssl_self_test_sha512)
 #define c2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_BIT_STRING)
 #define c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_INTEGER)
 #define c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, c2i_ASN1_OBJECT)
@@ -2432,6 +2464,7 @@
 #define d2i_X509_VAL BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_VAL)
 #define d2i_X509_bio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_bio)
 #define d2i_X509_fp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, d2i_X509_fp)
+#define dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test)
 #define dsa_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_asn1_meth)
 #define dsa_check_parameters BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, dsa_check_parameters)
 #define ec_GFp_mont_add BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_GFp_mont_add)
@@ -2491,6 +2524,7 @@
 #define ec_jacobian_to_affine_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_jacobian_to_affine_batch)
 #define ec_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_pkey_meth)
 #define ec_point_from_uncompressed BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_from_uncompressed)
+#define ec_point_mul_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_no_self_test)
 #define ec_point_mul_scalar BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar)
 #define ec_point_mul_scalar_base BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_base)
 #define ec_point_mul_scalar_batch BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_point_mul_scalar_batch)
@@ -2519,8 +2553,13 @@
 #define ec_set_to_safe_point BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_set_to_safe_point)
 #define ec_simple_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_simple_scalar_inv0_montgomery)
 #define ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ec_simple_scalar_to_montgomery_inv_vartime)
+#define ecdsa_do_verify_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_do_verify_no_self_test)
 #define ecdsa_sign_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecdsa_sign_with_nonce_for_known_answer_test)
 #define ecp_nistz256_avx2_select_w7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_avx2_select_w7)
+#define ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_div_by_2)
+#define ecp_nistz256_from_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_from_mont)
+#define ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_by_2)
+#define ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_by_3)
 #define ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_mul_mont)
 #define ecp_nistz256_neg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_neg)
 #define ecp_nistz256_ord_mul_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont)
@@ -2531,6 +2570,8 @@
 #define ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w5)
 #define ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_select_w7)
 #define ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont)
+#define ecp_nistz256_sub BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_sub)
+#define ecp_nistz256_to_mont BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ecp_nistz256_to_mont)
 #define ed25519_asn1_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_asn1_meth)
 #define ed25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, ed25519_pkey_meth)
 #define gcm_ghash_avx BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, gcm_ghash_avx)
@@ -2708,7 +2749,7 @@
 #define pkcs12_iterations_acceptable BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs12_iterations_acceptable)
 #define pkcs12_key_gen BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs12_key_gen)
 #define pkcs12_pbe_encrypt_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs12_pbe_encrypt_init)
-#define pkcs7_bundle BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs7_bundle)
+#define pkcs7_add_signed_data BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs7_add_signed_data)
 #define pkcs7_parse_header BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs7_parse_header)
 #define pkcs8_pbe_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pkcs8_pbe_decrypt)
 #define pmbtoken_exp1_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, pmbtoken_exp1_blind)
@@ -2745,6 +2786,9 @@
 #define rsa_default_sign_raw BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_default_sign_raw)
 #define rsa_default_size BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_default_size)
 #define rsa_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_pkey_meth)
+#define rsa_sign_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_sign_no_self_test)
+#define rsa_verify_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_verify_no_self_test)
+#define rsa_verify_raw_no_self_test BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsa_verify_raw_no_self_test)
 #define rsaz_1024_gather5_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_gather5_avx2)
 #define rsaz_1024_mul_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_mul_avx2)
 #define rsaz_1024_norm2red_avx2 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, rsaz_1024_norm2red_avx2)
@@ -2833,6 +2877,7 @@
 #define x25519_ge_tobytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_ge_tobytes)
 #define x25519_pkey_meth BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_pkey_meth)
 #define x25519_sc_reduce BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x25519_sc_reduce)
+#define x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509V3_add_value_asn1_string)
 #define x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_sign_algorithm)
 #define x509_digest_verify_init BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_digest_verify_init)
 #define x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509_print_rsa_pss_params)
@@ -2844,29 +2889,6 @@
 #define x509v3_hex_to_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_hex_to_bytes)
 #define x509v3_looks_like_dns_name BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_looks_like_dns_name)
 #define x509v3_name_cmp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, x509v3_name_cmp)
-#define sk_ASN1_STRING_TABLE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_call_free_func)
-#define sk_ASN1_STRING_TABLE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_call_copy_func)
-#define sk_ASN1_STRING_TABLE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_call_cmp_func)
-#define sk_ASN1_STRING_TABLE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_new)
-#define sk_ASN1_STRING_TABLE_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_new_null)
-#define sk_ASN1_STRING_TABLE_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_num)
-#define sk_ASN1_STRING_TABLE_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_zero)
-#define sk_ASN1_STRING_TABLE_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_value)
-#define sk_ASN1_STRING_TABLE_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_set)
-#define sk_ASN1_STRING_TABLE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_free)
-#define sk_ASN1_STRING_TABLE_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_pop_free)
-#define sk_ASN1_STRING_TABLE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_insert)
-#define sk_ASN1_STRING_TABLE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_delete)
-#define sk_ASN1_STRING_TABLE_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_delete_ptr)
-#define sk_ASN1_STRING_TABLE_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_find)
-#define sk_ASN1_STRING_TABLE_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_shift)
-#define sk_ASN1_STRING_TABLE_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_push)
-#define sk_ASN1_STRING_TABLE_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_pop)
-#define sk_ASN1_STRING_TABLE_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_dup)
-#define sk_ASN1_STRING_TABLE_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_sort)
-#define sk_ASN1_STRING_TABLE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_is_sorted)
-#define sk_ASN1_STRING_TABLE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_set_cmp_func)
-#define sk_ASN1_STRING_TABLE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_deep_copy)
 #define sk_TRUST_TOKEN_PRETOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_free_func)
 #define sk_TRUST_TOKEN_PRETOKEN_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_copy_func)
 #define sk_TRUST_TOKEN_PRETOKEN_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_cmp_func)
@@ -3258,6 +3280,75 @@
 #define sk_X509_INFO_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_is_sorted)
 #define sk_X509_INFO_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_set_cmp_func)
 #define sk_X509_INFO_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_INFO_deep_copy)
+#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func)
+#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func)
+#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func)
+#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new)
+#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null)
+#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num)
+#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero)
+#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value)
+#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set)
+#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free)
+#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free)
+#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert)
+#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete)
+#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr)
+#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find)
+#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift)
+#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push)
+#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop)
+#define sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup)
+#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort)
+#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted)
+#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func)
+#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy)
+#define sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func)
+#define sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func)
+#define sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func)
+#define sk_X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new)
+#define sk_X509_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new_null)
+#define sk_X509_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_num)
+#define sk_X509_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_zero)
+#define sk_X509_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_value)
+#define sk_X509_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set)
+#define sk_X509_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_free)
+#define sk_X509_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop_free)
+#define sk_X509_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_insert)
+#define sk_X509_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_delete)
+#define sk_X509_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_delete_ptr)
+#define sk_X509_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_find)
+#define sk_X509_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_OBJECT_shift)
+#define sk_X509_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_push)
+#define sk_X509_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop)
+#define sk_X509_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_dup)
+#define sk_X509_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_sort)
+#define sk_X509_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_is_sorted)
+#define sk_X509_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set_cmp_func)
+#define sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy)
+#define sk_X509_VERIFY_PARAM_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_free_func)
+#define sk_X509_VERIFY_PARAM_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_copy_func)
+#define sk_X509_VERIFY_PARAM_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_cmp_func)
+#define sk_X509_VERIFY_PARAM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new)
+#define sk_X509_VERIFY_PARAM_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new_null)
+#define sk_X509_VERIFY_PARAM_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_num)
+#define sk_X509_VERIFY_PARAM_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_zero)
+#define sk_X509_VERIFY_PARAM_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_value)
+#define sk_X509_VERIFY_PARAM_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set)
+#define sk_X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_free)
+#define sk_X509_VERIFY_PARAM_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop_free)
+#define sk_X509_VERIFY_PARAM_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_insert)
+#define sk_X509_VERIFY_PARAM_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete)
+#define sk_X509_VERIFY_PARAM_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete_ptr)
+#define sk_X509_VERIFY_PARAM_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_find)
+#define sk_X509_VERIFY_PARAM_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_shift)
+#define sk_X509_VERIFY_PARAM_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_push)
+#define sk_X509_VERIFY_PARAM_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop)
+#define sk_X509_VERIFY_PARAM_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_dup)
+#define sk_X509_VERIFY_PARAM_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_sort)
+#define sk_X509_VERIFY_PARAM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_is_sorted)
+#define sk_X509_VERIFY_PARAM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set_cmp_func)
+#define sk_X509_VERIFY_PARAM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_deep_copy)
 #define sk_CRYPTO_BUFFER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_free_func)
 #define sk_CRYPTO_BUFFER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_copy_func)
 #define sk_CRYPTO_BUFFER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_call_cmp_func)
@@ -3281,29 +3372,6 @@
 #define sk_CRYPTO_BUFFER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_is_sorted)
 #define sk_CRYPTO_BUFFER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_set_cmp_func)
 #define sk_CRYPTO_BUFFER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_BUFFER_deep_copy)
-#define sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func)
-#define sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func)
-#define sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func)
-#define sk_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new)
-#define sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null)
-#define sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num)
-#define sk_ASN1_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_zero)
-#define sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value)
-#define sk_ASN1_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set)
-#define sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free)
-#define sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free)
-#define sk_ASN1_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_insert)
-#define sk_ASN1_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete)
-#define sk_ASN1_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete_ptr)
-#define sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find)
-#define sk_ASN1_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_shift)
-#define sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push)
-#define sk_ASN1_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop)
-#define sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup)
-#define sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort)
-#define sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted)
-#define sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func)
-#define sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy)
 #define sk_ASN1_INTEGER_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_free_func)
 #define sk_ASN1_INTEGER_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_copy_func)
 #define sk_ASN1_INTEGER_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_call_cmp_func)
@@ -3327,6 +3395,29 @@
 #define sk_ASN1_INTEGER_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_is_sorted)
 #define sk_ASN1_INTEGER_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_set_cmp_func)
 #define sk_ASN1_INTEGER_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_INTEGER_deep_copy)
+#define sk_ASN1_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_free_func)
+#define sk_ASN1_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_copy_func)
+#define sk_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_call_cmp_func)
+#define sk_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new)
+#define sk_ASN1_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_new_null)
+#define sk_ASN1_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_num)
+#define sk_ASN1_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_zero)
+#define sk_ASN1_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_value)
+#define sk_ASN1_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set)
+#define sk_ASN1_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_free)
+#define sk_ASN1_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop_free)
+#define sk_ASN1_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_insert)
+#define sk_ASN1_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete)
+#define sk_ASN1_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_delete_ptr)
+#define sk_ASN1_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_find)
+#define sk_ASN1_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_shift)
+#define sk_ASN1_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_push)
+#define sk_ASN1_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_pop)
+#define sk_ASN1_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_dup)
+#define sk_ASN1_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_sort)
+#define sk_ASN1_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_is_sorted)
+#define sk_ASN1_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_set_cmp_func)
+#define sk_ASN1_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_OBJECT_deep_copy)
 #define sk_ASN1_TYPE_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_free_func)
 #define sk_ASN1_TYPE_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_copy_func)
 #define sk_ASN1_TYPE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_TYPE_call_cmp_func)
@@ -3649,75 +3740,6 @@ #define sk_CONF_VALUE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_is_sorted) #define sk_CONF_VALUE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_set_cmp_func) #define sk_CONF_VALUE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CONF_VALUE_deep_copy) -#define sk_X509_LOOKUP_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_free_func) -#define sk_X509_LOOKUP_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_copy_func) -#define sk_X509_LOOKUP_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_call_cmp_func) -#define sk_X509_LOOKUP_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new) -#define sk_X509_LOOKUP_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_new_null) -#define sk_X509_LOOKUP_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_num) -#define sk_X509_LOOKUP_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_zero) -#define sk_X509_LOOKUP_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_value) -#define sk_X509_LOOKUP_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set) -#define sk_X509_LOOKUP_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_free) -#define sk_X509_LOOKUP_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_pop_free) -#define sk_X509_LOOKUP_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_insert) -#define sk_X509_LOOKUP_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete) -#define sk_X509_LOOKUP_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_delete_ptr) -#define sk_X509_LOOKUP_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_find) -#define sk_X509_LOOKUP_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_shift) -#define sk_X509_LOOKUP_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_push) -#define sk_X509_LOOKUP_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_LOOKUP_pop) -#define sk_X509_LOOKUP_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_dup) -#define sk_X509_LOOKUP_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_sort) -#define sk_X509_LOOKUP_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_is_sorted) -#define sk_X509_LOOKUP_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_set_cmp_func) -#define sk_X509_LOOKUP_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_LOOKUP_deep_copy) -#define sk_X509_OBJECT_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_free_func) -#define sk_X509_OBJECT_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_copy_func) -#define sk_X509_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_call_cmp_func) -#define sk_X509_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new) -#define sk_X509_OBJECT_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_new_null) -#define sk_X509_OBJECT_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_num) -#define sk_X509_OBJECT_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_zero) -#define sk_X509_OBJECT_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_value) -#define sk_X509_OBJECT_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set) -#define sk_X509_OBJECT_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_free) -#define sk_X509_OBJECT_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop_free) -#define sk_X509_OBJECT_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_insert) -#define sk_X509_OBJECT_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_delete) -#define sk_X509_OBJECT_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_delete_ptr) -#define sk_X509_OBJECT_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_find) -#define sk_X509_OBJECT_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, 
sk_X509_OBJECT_shift) -#define sk_X509_OBJECT_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_push) -#define sk_X509_OBJECT_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_pop) -#define sk_X509_OBJECT_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_dup) -#define sk_X509_OBJECT_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_sort) -#define sk_X509_OBJECT_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_is_sorted) -#define sk_X509_OBJECT_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_set_cmp_func) -#define sk_X509_OBJECT_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_OBJECT_deep_copy) -#define sk_X509_VERIFY_PARAM_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_free_func) -#define sk_X509_VERIFY_PARAM_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_copy_func) -#define sk_X509_VERIFY_PARAM_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_call_cmp_func) -#define sk_X509_VERIFY_PARAM_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new) -#define sk_X509_VERIFY_PARAM_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_new_null) -#define sk_X509_VERIFY_PARAM_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_num) -#define sk_X509_VERIFY_PARAM_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_zero) -#define sk_X509_VERIFY_PARAM_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_value) -#define sk_X509_VERIFY_PARAM_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set) -#define sk_X509_VERIFY_PARAM_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_free) -#define sk_X509_VERIFY_PARAM_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop_free) -#define sk_X509_VERIFY_PARAM_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_insert) -#define sk_X509_VERIFY_PARAM_delete 
BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete) -#define sk_X509_VERIFY_PARAM_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_delete_ptr) -#define sk_X509_VERIFY_PARAM_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_find) -#define sk_X509_VERIFY_PARAM_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_shift) -#define sk_X509_VERIFY_PARAM_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_push) -#define sk_X509_VERIFY_PARAM_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_pop) -#define sk_X509_VERIFY_PARAM_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_dup) -#define sk_X509_VERIFY_PARAM_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_sort) -#define sk_X509_VERIFY_PARAM_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_is_sorted) -#define sk_X509_VERIFY_PARAM_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_set_cmp_func) -#define sk_X509_VERIFY_PARAM_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_X509_VERIFY_PARAM_deep_copy) #define sk_void_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_call_free_func) #define sk_void_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_call_copy_func) #define sk_void_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_void_call_cmp_func) 
@@ -3810,6 +3832,20 @@ #define sk_ASN1_VALUE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_is_sorted) #define sk_ASN1_VALUE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_set_cmp_func) #define sk_ASN1_VALUE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_VALUE_deep_copy) +#define lh_ASN1_STRING_TABLE_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_cmp_func) +#define lh_ASN1_STRING_TABLE_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_hash_func) +#define lh_ASN1_STRING_TABLE_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_new) +#define lh_ASN1_STRING_TABLE_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_free) +#define lh_ASN1_STRING_TABLE_num_items BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_num_items) +#define lh_ASN1_STRING_TABLE_retrieve BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_retrieve) +#define lh_ASN1_STRING_TABLE_call_cmp_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_cmp_key) +#define lh_ASN1_STRING_TABLE_retrieve_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_retrieve_key) +#define lh_ASN1_STRING_TABLE_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_insert) +#define lh_ASN1_STRING_TABLE_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_delete) +#define lh_ASN1_STRING_TABLE_call_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_doall) +#define lh_ASN1_STRING_TABLE_call_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_call_doall_arg) +#define lh_ASN1_STRING_TABLE_doall BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_doall) +#define lh_ASN1_STRING_TABLE_doall_arg BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_STRING_TABLE_doall_arg) #define lh_ASN1_OBJECT_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_cmp_func) #define 
lh_ASN1_OBJECT_call_hash_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_call_hash_func) #define lh_ASN1_OBJECT_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, lh_ASN1_OBJECT_new) diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h index 2e413527..15de346e 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_boringssl_prefix_symbols_asm.h @@ -54,9 +54,11 @@ #define _ASN1_BOOLEAN_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_BOOLEAN_it) #define _ASN1_ENUMERATED_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_free) #define _ASN1_ENUMERATED_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_get) +#define _ASN1_ENUMERATED_get_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_get_uint64) #define _ASN1_ENUMERATED_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_it) #define _ASN1_ENUMERATED_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_new) #define _ASN1_ENUMERATED_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_set) +#define _ASN1_ENUMERATED_set_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_set_uint64) #define _ASN1_ENUMERATED_to_BN BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_ENUMERATED_to_BN) #define _ASN1_FBOOLEAN_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_FBOOLEAN_it) #define _ASN1_GENERALIZEDTIME_adj BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_GENERALIZEDTIME_adj) 
@@ -77,6 +79,7 @@ #define _ASN1_INTEGER_dup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_dup) #define _ASN1_INTEGER_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_free) #define _ASN1_INTEGER_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_get) +#define _ASN1_INTEGER_get_uint64 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_get_uint64) #define _ASN1_INTEGER_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_it) #define _ASN1_INTEGER_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_new) #define _ASN1_INTEGER_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_INTEGER_set) @@ -107,7 +110,6 @@ #define _ASN1_SET_ANY_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_SET_ANY_it) #define _ASN1_STRING_TABLE_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_TABLE_add) #define _ASN1_STRING_TABLE_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_TABLE_cleanup) -#define _ASN1_STRING_TABLE_get BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_TABLE_get) #define _ASN1_STRING_cmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_cmp) #define _ASN1_STRING_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_copy) #define _ASN1_STRING_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_STRING_data) 
@@ -167,7 +169,6 @@ #define _ASN1_VISIBLESTRING_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_it) #define _ASN1_VISIBLESTRING_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_VISIBLESTRING_new) #define _ASN1_digest BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_digest) -#define _ASN1_generate_nconf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_generate_nconf) #define _ASN1_generate_v3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_generate_v3) #define _ASN1_get_object BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_get_object) #define _ASN1_item_d2i BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ASN1_item_d2i) @@ -274,6 +275,7 @@ #define _BIO_s_file BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_file) #define _BIO_s_mem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_mem) #define _BIO_s_socket BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_s_socket) +#define _BIO_seek BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_seek) #define _BIO_set_close BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_close) #define _BIO_set_conn_hostname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_hostname) #define _BIO_set_conn_int_port BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_conn_int_port) @@ -298,6 +300,7 @@ #define _BIO_should_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_should_write) #define _BIO_shutdown_wr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_shutdown_wr) #define _BIO_snprintf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_snprintf) +#define _BIO_tell BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_tell) #define _BIO_test_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_test_flags) #define _BIO_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_up_ref) #define _BIO_vfree BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_vfree) 
@@ -321,6 +324,8 @@ #define _BN_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_new) #define _BN_CTX_start BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_CTX_start) #define _BN_GENCB_call BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_call) +#define _BN_GENCB_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_free) +#define _BN_GENCB_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_new) #define _BN_GENCB_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_GENCB_set) #define _BN_MONT_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_copy) #define _BN_MONT_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BN_MONT_CTX_free) @@ -470,6 +475,7 @@ #define _CBB_add_u64le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u64le) #define _CBB_add_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u8) #define _CBB_add_u8_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_u8_length_prefixed) +#define _CBB_add_zeros BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_add_zeros) #define _CBB_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_cleanup) #define _CBB_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_data) #define _CBB_did_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBB_did_write) 
@@ -515,6 +521,7 @@ #define _CBS_get_u64le BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u64le) #define _CBS_get_u8 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u8) #define _CBS_get_u8_length_prefixed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_u8_length_prefixed) +#define _CBS_get_until_first BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_get_until_first) #define _CBS_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_init) #define _CBS_is_unsigned_asn1_integer BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_unsigned_asn1_integer) #define _CBS_is_valid_asn1_bitstring BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CBS_is_valid_asn1_bitstring) @@ -551,6 +558,7 @@ #define _CRYPTO_BUFFER_len BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_len) #define _CRYPTO_BUFFER_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_new) #define _CRYPTO_BUFFER_new_from_CBS BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_CBS) +#define _CRYPTO_BUFFER_new_from_static_data_unsafe BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_new_from_static_data_unsafe) #define _CRYPTO_BUFFER_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_BUFFER_up_ref) #define _CRYPTO_MUTEX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_cleanup) #define _CRYPTO_MUTEX_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_MUTEX_init) 
@@ -579,6 +587,7 @@ #define _CRYPTO_ctr128_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt) #define _CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_ctr128_encrypt_ctr32) #define _CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing) +#define _CRYPTO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free) #define _CRYPTO_free_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_free_ex_data) #define _CRYPTO_gcm128_aad BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_aad) #define _CRYPTO_gcm128_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_gcm128_decrypt) @@ -607,6 +616,7 @@ #define _CRYPTO_is_NEON_capable_at_runtime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_NEON_capable_at_runtime) #define _CRYPTO_is_confidential_build BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_is_confidential_build) #define _CRYPTO_library_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_library_init) +#define _CRYPTO_malloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_malloc) #define _CRYPTO_malloc_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_malloc_init) #define _CRYPTO_memcmp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_memcmp) #define _CRYPTO_new_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_new_ex_data) 
@@ -619,6 +629,7 @@ #define _CRYPTO_pre_sandbox_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_pre_sandbox_init) #define _CRYPTO_rdrand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_rdrand) #define _CRYPTO_rdrand_multiple8_buf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_rdrand_multiple8_buf) +#define _CRYPTO_realloc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_realloc) #define _CRYPTO_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_refcount_dec_and_test_zero) #define _CRYPTO_refcount_inc BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_refcount_inc) #define _CRYPTO_set_add_lock_callback BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, CRYPTO_set_add_lock_callback) @@ -688,9 +699,11 @@ #define _DIST_POINT_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_new) #define _DIST_POINT_set_dpname BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DIST_POINT_set_dpname) #define _DSA_SIG_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_free) +#define _DSA_SIG_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_get0) #define _DSA_SIG_marshal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_marshal) #define _DSA_SIG_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_new) #define _DSA_SIG_parse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_parse) +#define _DSA_SIG_set0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_SIG_set0) #define _DSA_check_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_check_signature) #define _DSA_do_check_signature BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_do_check_signature) #define _DSA_do_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, DSA_do_sign) 
@@ -871,6 +884,7 @@ #define _ERR_remove_thread_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_remove_thread_state) #define _ERR_restore_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_restore_state) #define _ERR_save_state BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_save_state) +#define _ERR_set_error_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_set_error_data) #define _ERR_set_mark BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ERR_set_mark) #define _EVP_AEAD_CTX_aead BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_aead) #define _EVP_AEAD_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_AEAD_CTX_cleanup) @@ -917,6 +931,7 @@ #define _EVP_CIPHER_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_mode) #define _EVP_CIPHER_nid BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CIPHER_nid) #define _EVP_Cipher BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_Cipher) +#define _EVP_CipherFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherFinal) #define _EVP_CipherFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherFinal_ex) #define _EVP_CipherInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherInit) #define _EVP_CipherInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_CipherInit_ex) @@ -927,6 +942,7 @@ #define _EVP_DecodeInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeInit) #define _EVP_DecodeUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodeUpdate) #define _EVP_DecodedLength BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecodedLength) +#define _EVP_DecryptFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptFinal) #define _EVP_DecryptFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptFinal_ex) #define _EVP_DecryptInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptInit) #define _EVP_DecryptInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DecryptInit_ex) 
@@ -946,11 +962,14 @@ #define _EVP_DigestVerifyFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerifyFinal) #define _EVP_DigestVerifyInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerifyInit) #define _EVP_DigestVerifyUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_DigestVerifyUpdate) +#define _EVP_ENCODE_CTX_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_ENCODE_CTX_free) +#define _EVP_ENCODE_CTX_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_ENCODE_CTX_new) #define _EVP_EncodeBlock BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeBlock) #define _EVP_EncodeFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeFinal) #define _EVP_EncodeInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeInit) #define _EVP_EncodeUpdate BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodeUpdate) #define _EVP_EncodedLength BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncodedLength) +#define _EVP_EncryptFinal BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptFinal) #define _EVP_EncryptFinal_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptFinal_ex) #define _EVP_EncryptInit BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptInit) #define _EVP_EncryptInit_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_EncryptInit_ex) 
@@ -983,6 +1002,7 @@ #define _EVP_HPKE_KEY_public_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_public_key) #define _EVP_HPKE_KEY_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_HPKE_KEY_zero) #define _EVP_MD_CTX_block_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_block_size) +#define _EVP_MD_CTX_cleanse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_cleanse) #define _EVP_MD_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_cleanup) #define _EVP_MD_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_copy) #define _EVP_MD_CTX_copy_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EVP_MD_CTX_copy_ex) @@ -1185,7 +1205,10 @@ #define _EXTENDED_KEY_USAGE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, EXTENDED_KEY_USAGE_new) #define _FIPS_mode BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_mode) #define _FIPS_mode_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_mode_set) +#define _FIPS_module_name BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_module_name) +#define _FIPS_query_algorithm_status BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_query_algorithm_status) #define _FIPS_read_counter BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_read_counter) +#define _FIPS_version BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, FIPS_version) #define _GENERAL_NAMES_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAMES_free) #define _GENERAL_NAMES_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAMES_it) #define _GENERAL_NAMES_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, GENERAL_NAMES_new) 
@@ -1206,6 +1229,7 @@ #define _HKDF_expand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HKDF_expand) #define _HKDF_extract BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HKDF_extract) #define _HMAC BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC) +#define _HMAC_CTX_cleanse BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_cleanse) #define _HMAC_CTX_cleanup BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_cleanup) #define _HMAC_CTX_copy BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_copy) #define _HMAC_CTX_copy_ex BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, HMAC_CTX_copy_ex) @@ -1439,6 +1463,7 @@ #define _PKCS5_pbe2_encrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS5_pbe2_encrypt_init) #define _PKCS7_bundle_CRLs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_bundle_CRLs) #define _PKCS7_bundle_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_bundle_certificates) +#define _PKCS7_bundle_raw_certificates BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_bundle_raw_certificates) #define _PKCS7_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_free) #define _PKCS7_get_CRLs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_CRLs) #define _PKCS7_get_PEM_CRLs BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS7_get_PEM_CRLs) @@ -1526,6 +1551,7 @@ #define _RSA_get0_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_key) #define _RSA_get0_n BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_n) #define _RSA_get0_p BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_p) +#define _RSA_get0_pss_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_pss_params) #define _RSA_get0_q BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get0_q) #define _RSA_get_ex_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get_ex_data) #define _RSA_get_ex_new_index BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_get_ex_new_index) 
@@ -1562,6 +1588,7 @@ #define _RSA_sign_pss_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_sign_pss_mgf1) #define _RSA_sign_raw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_sign_raw) #define _RSA_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_size) +#define _RSA_test_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_test_flags) #define _RSA_up_ref BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_up_ref) #define _RSA_verify BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_verify) #define _RSA_verify_PKCS1_PSS_mgf1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, RSA_verify_PKCS1_PSS_mgf1) @@ -1968,7 +1995,6 @@ #define _X509_STORE_get_verify_cb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_get_verify_cb) #define _X509_STORE_load_locations BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_load_locations) #define _X509_STORE_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_new) -#define _X509_STORE_set0_additional_untrusted BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set0_additional_untrusted) #define _X509_STORE_set1_param BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set1_param) #define _X509_STORE_set_cert_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_cert_crl) #define _X509_STORE_set_check_crl BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_STORE_set_check_crl) 
@@ -1996,7 +2022,6 @@ #define _X509_TRUST_get_flags BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_flags) #define _X509_TRUST_get_trust BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_get_trust) #define _X509_TRUST_set BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_set) -#define _X509_TRUST_set_default BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_TRUST_set_default) #define _X509_VAL_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_free) #define _X509_VAL_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_it) #define _X509_VAL_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, X509_VAL_new) @@ -2211,6 +2236,7 @@ #define _aesgcmsiv_polyval_horner BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesgcmsiv_polyval_horner) #define _aesni_gcm_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesni_gcm_decrypt) #define _aesni_gcm_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, aesni_gcm_encrypt) +#define _asn1_bit_string_length BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_bit_string_length) #define _asn1_do_adb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_do_adb) #define _asn1_enc_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_enc_free) #define _asn1_enc_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_enc_init) 
@@ -2219,6 +2245,8 @@ #define _asn1_generalizedtime_to_tm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_generalizedtime_to_tm) #define _asn1_get_choice_selector BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_get_choice_selector) #define _asn1_get_field_ptr BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_get_field_ptr) +#define _asn1_get_string_table_for_testing BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_get_string_table_for_testing) +#define _asn1_is_printable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_is_printable) #define _asn1_item_combine_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_item_combine_free) #define _asn1_refcount_dec_and_test_zero BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_refcount_dec_and_test_zero) #define _asn1_refcount_set_one BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, asn1_refcount_set_one) @@ -2233,6 +2261,7 @@ #define _bio_socket_nbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bio_socket_nbio) #define _bn_abs_sub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_abs_sub_consttime) #define _bn_add_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_add_words) +#define _bn_big_endian_to_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_big_endian_to_words) #define _bn_copy_words BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_copy_words) #define _bn_div_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_div_consttime) #define _bn_expand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_expand) 
@@ -2301,7 +2330,10 @@ #define _bn_uadd_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_uadd_consttime) #define _bn_usub_consttime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_usub_consttime) #define _bn_wexpand BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_wexpand) -#define _boringssl_fips_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_fips_self_test) +#define _bn_words_to_big_endian BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, bn_words_to_big_endian) +#define _boringssl_self_test_hmac_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_self_test_hmac_sha256) +#define _boringssl_self_test_sha256 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_self_test_sha256) +#define _boringssl_self_test_sha512 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, boringssl_self_test_sha512) #define _c2i_ASN1_BIT_STRING BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_BIT_STRING) #define _c2i_ASN1_INTEGER BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_INTEGER) #define _c2i_ASN1_OBJECT BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, c2i_ASN1_OBJECT) @@ -2437,6 +2469,7 @@ #define _d2i_X509_VAL BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_VAL) #define _d2i_X509_bio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_bio) #define _d2i_X509_fp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, d2i_X509_fp) +#define _dh_compute_key_padded_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dh_compute_key_padded_no_self_test) #define _dsa_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_asn1_meth) #define _dsa_check_parameters BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, dsa_check_parameters) #define _ec_GFp_mont_add BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_GFp_mont_add) 
@@ -2496,6 +2529,7 @@
 #define _ec_jacobian_to_affine_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_jacobian_to_affine_batch)
 #define _ec_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_pkey_meth)
 #define _ec_point_from_uncompressed BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_from_uncompressed)
+#define _ec_point_mul_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_no_self_test)
 #define _ec_point_mul_scalar BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar)
 #define _ec_point_mul_scalar_base BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_base)
 #define _ec_point_mul_scalar_batch BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_point_mul_scalar_batch)
@@ -2524,8 +2558,13 @@
 #define _ec_set_to_safe_point BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_set_to_safe_point)
 #define _ec_simple_scalar_inv0_montgomery BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_simple_scalar_inv0_montgomery)
 #define _ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ec_simple_scalar_to_montgomery_inv_vartime)
+#define _ecdsa_do_verify_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_do_verify_no_self_test)
 #define _ecdsa_sign_with_nonce_for_known_answer_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecdsa_sign_with_nonce_for_known_answer_test)
 #define _ecp_nistz256_avx2_select_w7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_avx2_select_w7)
+#define _ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_div_by_2)
+#define _ecp_nistz256_from_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_from_mont)
+#define _ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_by_2)
+#define _ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_by_3)
 #define _ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_mul_mont)
 #define _ecp_nistz256_neg BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_neg)
 #define _ecp_nistz256_ord_mul_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_ord_mul_mont)
@@ -2536,6 +2575,8 @@
 #define _ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w5)
 #define _ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_select_w7)
 #define _ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sqr_mont)
+#define _ecp_nistz256_sub BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_sub)
+#define _ecp_nistz256_to_mont BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ecp_nistz256_to_mont)
 #define _ed25519_asn1_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_asn1_meth)
 #define _ed25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, ed25519_pkey_meth)
 #define _gcm_ghash_avx BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, gcm_ghash_avx)
@@ -2713,7 +2754,7 @@
 #define _pkcs12_iterations_acceptable BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs12_iterations_acceptable)
 #define _pkcs12_key_gen BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs12_key_gen)
 #define _pkcs12_pbe_encrypt_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs12_pbe_encrypt_init)
-#define _pkcs7_bundle BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs7_bundle)
+#define _pkcs7_add_signed_data BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs7_add_signed_data)
 #define _pkcs7_parse_header BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs7_parse_header)
 #define _pkcs8_pbe_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pkcs8_pbe_decrypt)
 #define _pmbtoken_exp1_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, pmbtoken_exp1_blind)
@@ -2750,6 +2791,9 @@
 #define _rsa_default_sign_raw BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_default_sign_raw)
 #define _rsa_default_size BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_default_size)
 #define _rsa_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_pkey_meth)
+#define _rsa_sign_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_sign_no_self_test)
+#define _rsa_verify_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_verify_no_self_test)
+#define _rsa_verify_raw_no_self_test BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsa_verify_raw_no_self_test)
 #define _rsaz_1024_gather5_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_gather5_avx2)
 #define _rsaz_1024_mul_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_mul_avx2)
 #define _rsaz_1024_norm2red_avx2 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, rsaz_1024_norm2red_avx2)
@@ -2838,6 +2882,7 @@
 #define _x25519_ge_tobytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_ge_tobytes)
 #define _x25519_pkey_meth BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_pkey_meth)
 #define _x25519_sc_reduce BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x25519_sc_reduce)
+#define _x509V3_add_value_asn1_string BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509V3_add_value_asn1_string)
 #define _x509_digest_sign_algorithm BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_sign_algorithm)
 #define _x509_digest_verify_init BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_digest_verify_init)
 #define _x509_print_rsa_pss_params BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, x509_print_rsa_pss_params)
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h
index 8548d9a1..761d3117 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bytestring.h
@@ -154,6 +154,11 @@ OPENSSL_EXPORT int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out); // returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out); +// CBS_get_until_first finds the first instance of |c| in |cbs|. If found, it +// sets |*out| to the text before the match, advances |cbs| over it, and returns +// one. Otherwise, it returns zero and leaves |cbs| unmodified. +OPENSSL_EXPORT int CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c); + // Parsing ASN.1 // @@ -254,15 +259,21 @@ OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out, // CBS_get_any_ber_asn1_element acts the same as |CBS_get_any_asn1_element| but // also allows indefinite-length elements to be returned and does not enforce -// that lengths are minimal. For indefinite-lengths, |*out_header_len| and +// that lengths are minimal. It sets |*out_indefinite| to one if the length was +// indefinite and zero otherwise. If indefinite, |*out_header_len| and // |CBS_len(out)| will be equal as only the header is returned (although this is -// also true for empty elements so the length must be checked too). If +// also true for empty elements so |*out_indefinite| should be checked). If // |out_ber_found| is not NULL then it is set to one if any case of invalid DER // but valid BER is found, and to zero otherwise. +// +// This function will not successfully parse an end-of-contents (EOC) as an +// element. Callers parsing indefinite-length encoding must check for EOC +// separately. OPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, unsigned *out_tag, size_t *out_header_len, - int *out_ber_found); + int *out_ber_found, + int *out_indefinite); // CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1| // and sets |*out| to its value. It returns one on success and zero on error, 
@@ -463,6 +474,10 @@ OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, unsigned tag); // success and zero otherwise. OPENSSL_EXPORT int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len); +// CBB_add_zeros append |len| bytes with value zero to |cbb|. It returns one on +// success and zero otherwise. +OPENSSL_EXPORT int CBB_add_zeros(CBB *cbb, size_t len); + // CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to // the beginning of that space. The caller must then write |len| bytes of // actual contents to |*out_data|. It returns one on success and zero diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h index 54b62687..2b367f5f 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cipher.h @@ -106,7 +106,10 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_rc2_cbc(void); const EVP_CIPHER *EVP_rc2_40_cbc(void); // EVP_get_cipherbynid returns the cipher corresponding to the given NID, or -// NULL if no such cipher is known. +// NULL if no such cipher is known. Note using this function links almost every +// cipher implemented by BoringSSL into the binary, whether the caller uses them +// or not. Size-conscious callers, such as client software, should not use this +// function. OPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbynid(int nid); @@ -198,7 +201,7 @@ OPENSSL_EXPORT int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, // // WARNING: it is unsafe to call this function with unauthenticated // ciphertext if padding is enabled. -OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, +OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); // EVP_Cipher performs a one-shot encryption/decryption operation. No partial 
@@ -405,11 +408,26 @@ OPENSSL_EXPORT int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const uint8_t *key, const uint8_t *iv); +// EVP_CipherFinal calls |EVP_CipherFinal_ex|. +OPENSSL_EXPORT int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, + int *out_len); + +// EVP_EncryptFinal calls |EVP_EncryptFinal_ex|. +OPENSSL_EXPORT int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, + int *out_len); + +// EVP_DecryptFinal calls |EVP_DecryptFinal_ex|. +OPENSSL_EXPORT int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, + int *out_len); + // EVP_add_cipher_alias does nothing and returns one. OPENSSL_EXPORT int EVP_add_cipher_alias(const char *a, const char *b); // EVP_get_cipherbyname returns an |EVP_CIPHER| given a human readable name in -// |name|, or NULL if the name is unknown. +// |name|, or NULL if the name is unknown. Note using this function links almost +// every cipher implemented by BoringSSL into the binary, not just the ones the +// caller requests. Size-conscious callers, such as client software, should not +// use this function. OPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbyname(const char *name); // These AEADs are deprecated AES-GCM implementations that set diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cpu.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cpu.h index 86d27bc5..ae1fca35 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cpu.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_cpu.h 
@@ -1,202 +1,18 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. +/* Copyright (c) 2014, Google Inc. * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). 
*/ - -#ifndef OPENSSL_HEADER_CPU_H -#define OPENSSL_HEADER_CPU_H - -#include "CJWTKitBoringSSL_base.h" - -#if defined(__cplusplus) -extern "C" { -#endif - - -// Runtime CPU feature support - - -#if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) -// OPENSSL_ia32cap_P contains the Intel CPUID bits when running on an x86 or -// x86-64 system. -// -// Index 0: -// EDX for CPUID where EAX = 1 -// Bit 20 is always zero -// Bit 28 is adjusted to reflect whether the data cache is shared between -// multiple logical cores -// Bit 30 is used to indicate an Intel CPU -// Index 1: -// ECX for CPUID where EAX = 1 -// Bit 11 is used to indicate AMD XOP support, not SDBG -// Index 2: -// EBX for CPUID where EAX = 7 -// Index 3: -// ECX for CPUID where EAX = 7 -// -// Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM -// bits in XCR0, so it is not necessary to check those. -extern uint32_t OPENSSL_ia32cap_P[4]; - -#if defined(BORINGSSL_FIPS) && !defined(BORINGSSL_SHARED_LIBRARY) -const uint32_t *OPENSSL_ia32cap_get(void); -#else -OPENSSL_INLINE const uint32_t *OPENSSL_ia32cap_get(void) { - return OPENSSL_ia32cap_P; -} -#endif - -#endif - -#if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) - -#if defined(OPENSSL_APPLE) -// iOS builds use the static ARM configuration. -#define OPENSSL_STATIC_ARMCAP -#endif - -#if !defined(OPENSSL_STATIC_ARMCAP) -// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON -// unit. Note that |OPENSSL_armcap_P| also exists and contains the same -// information in a form that's easier for assembly to use. -OPENSSL_EXPORT int CRYPTO_is_NEON_capable_at_runtime(void); - -// CRYPTO_is_ARMv8_AES_capable_at_runtime returns true if the current CPU -// supports the ARMv8 AES instruction. -int CRYPTO_is_ARMv8_AES_capable_at_runtime(void); - -// CRYPTO_is_ARMv8_PMULL_capable_at_runtime returns true if the current CPU -// supports the ARMv8 PMULL instruction. 
-int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void); - -#if defined(OPENSSL_ARM) -// CRYPTO_has_broken_NEON returns one if the current CPU is known to have a -// broken NEON unit. See https://crbug.com/341598. -OPENSSL_EXPORT int CRYPTO_has_broken_NEON(void); - -// CRYPTO_needs_hwcap2_workaround returns one if the ARMv8 AArch32 AT_HWCAP2 -// workaround was needed. See https://crbug.com/boringssl/46. -OPENSSL_EXPORT int CRYPTO_needs_hwcap2_workaround(void); -#endif -#endif // !OPENSSL_STATIC_ARMCAP - -// CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If -// this is known statically, it is a constant inline function. -OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) { -#if defined(__ARM_NEON__) || defined(__ARM_NEON) || \ - defined(OPENSSL_STATIC_ARMCAP_NEON) - return 1; -#elif defined(OPENSSL_STATIC_ARMCAP) - return 0; -#else - return CRYPTO_is_NEON_capable_at_runtime(); -#endif -} - -OPENSSL_INLINE int CRYPTO_is_ARMv8_AES_capable(void) { -#if defined(OPENSSL_STATIC_ARMCAP_AES) || defined(__ARM_FEATURE_CRYPTO) - return 1; -#elif defined(OPENSSL_STATIC_ARMCAP) - return 0; -#else - return CRYPTO_is_ARMv8_AES_capable_at_runtime(); -#endif -} - -OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) { -#if defined(OPENSSL_STATIC_ARMCAP_PMULL) || defined(__ARM_FEATURE_CRYPTO) - return 1; -#elif defined(OPENSSL_STATIC_ARMCAP) - return 0; -#else - return CRYPTO_is_ARMv8_PMULL_capable_at_runtime(); -#endif -} - -#endif // OPENSSL_ARM || OPENSSL_AARCH64 - -#if defined(OPENSSL_PPC64LE) - -// CRYPTO_is_PPC64LE_vcrypto_capable returns true iff the current CPU supports -// the Vector.AES category of instructions. -int CRYPTO_is_PPC64LE_vcrypto_capable(void); - -extern unsigned long OPENSSL_ppc64le_hwcap2; - -#endif // OPENSSL_PPC64LE - -#if defined(BORINGSSL_DISPATCH_TEST) -// Runtime CPU dispatch testing support - -// BORINGSSL_function_hit is an array of flags. The following functions will -// set these flags if BORINGSSL_DISPATCH_TEST is defined. 
-// 0: aes_hw_ctr32_encrypt_blocks -// 1: aes_hw_encrypt -// 2: aesni_gcm_encrypt -// 3: aes_hw_set_encrypt_key -// 4: vpaes_encrypt -// 5: vpaes_set_encrypt_key -extern uint8_t BORINGSSL_function_hit[7]; -#endif // BORINGSSL_DISPATCH_TEST - - -#if defined(__cplusplus) -} // extern C -#endif - -#endif // OPENSSL_HEADER_CPU_H + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +// This header is provided for compatibility with older revisions of BoringSSL. +// TODO(davidben): Remove this header. + +#include "CJWTKitBoringSSL_crypto.h" diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_crypto.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_crypto.h index 0ea29932..9a8e4a82 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_crypto.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_crypto.h 
@@ -59,6 +59,12 @@ OPENSSL_EXPORT int CRYPTO_has_asm(void); // success and zero on error. OPENSSL_EXPORT int BORINGSSL_self_test(void); +// BORINGSSL_integrity_test triggers the module's integrity test where the code +// and data of the module is matched against a hash injected at build time. It +// returns one on success or zero if there's a mismatch. This function only +// exists if the module was built in FIPS mode without ASAN. +OPENSSL_EXPORT int BORINGSSL_integrity_test(void); + // CRYPTO_pre_sandbox_init initializes the crypto library, pre-acquiring some // unusual resources to aid running in sandboxed environments. It is safe to // call this function multiple times and concurrently from multiple threads. @@ -67,6 +73,17 @@ OPENSSL_EXPORT int BORINGSSL_self_test(void); // SANDBOXING.md in the source tree. OPENSSL_EXPORT void CRYPTO_pre_sandbox_init(void); +#if defined(OPENSSL_ARM) && defined(OPENSSL_LINUX) && \ + !defined(OPENSSL_STATIC_ARMCAP) +// CRYPTO_has_broken_NEON returns one if the current CPU is known to have a +// broken NEON unit. See https://crbug.com/341598. +OPENSSL_EXPORT int CRYPTO_has_broken_NEON(void); + +// CRYPTO_needs_hwcap2_workaround returns one if the ARMv8 AArch32 AT_HWCAP2 +// workaround was needed. See https://crbug.com/boringssl/46. +OPENSSL_EXPORT int CRYPTO_needs_hwcap2_workaround(void); +#endif // OPENSSL_ARM && OPENSSL_LINUX && !OPENSSL_STATIC_ARMCAP + // FIPS monitoring 
@@ -161,6 +178,21 @@ OPENSSL_EXPORT void OPENSSL_cleanup(void); // |BORINGSSL_FIPS| and zero otherwise. OPENSSL_EXPORT int FIPS_mode_set(int on); +// FIPS_module_name returns the name of the FIPS module. +OPENSSL_EXPORT const char *FIPS_module_name(void); + +// FIPS_version returns the version of the FIPS module, or zero if the build +// isn't exactly at a verified version. The version, expressed in base 10, will +// be a date in the form yyyymmddXX where XX is often "00", but can be +// incremented if multiple versions are defined on a single day. +// +// (This format exceeds a |uint32_t| in the year 4294.) +OPENSSL_EXPORT uint32_t FIPS_version(void); + +// FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in +// the current BoringSSL and zero otherwise. +OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm); + #if defined(__cplusplus) } // extern C diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h index 7f6772bc..d624e6b4 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dh.h 
@@ -267,22 +267,14 @@ OPENSSL_EXPORT DH *DH_generate_parameters(int prime_len, int generator, void (*callback)(int, int, void *), void *cb_arg); -// d2i_DHparams parses an ASN.1, DER encoded Diffie-Hellman parameters structure -// from |len| bytes at |*inp|. If |ret| is not NULL then, on exit, a pointer to -// the result is in |*ret|. Note that, even if |*ret| is already non-NULL on -// entry, it will not be written to. Rather, a fresh |DH| is allocated and the -// previous one is freed. -// -// On successful exit, |*inp| is advanced past the DER structure. It -// returns the result or NULL on error. +// d2i_DHparams parses a DER-encoded DHParameter structure (PKCS #3) from |len| +// bytes at |*inp|, as in |d2i_SAMPLE|. // // Use |DH_parse_parameters| instead. OPENSSL_EXPORT DH *d2i_DHparams(DH **ret, const unsigned char **inp, long len); -// i2d_DHparams marshals |in| to an ASN.1, DER structure. If |outp| is not NULL -// then the result is written to |*outp| and |*outp| is advanced just past the -// output. It returns the number of bytes in the result, whether written or -// not, or a negative value on error. +// i2d_DHparams marshals |in| to a DER-encoded DHParameter structure (PKCS #3), +// as described in |i2d_SAMPLE|. // // Use |DH_marshal_parameters| instead. OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_digest.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_digest.h index fa133eb3..90e7ce2a 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_digest.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_digest.h 
@@ -117,6 +117,13 @@ OPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_new(void); // freshly initialised state. It does not free |ctx| itself. It returns one. OPENSSL_EXPORT int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); +// EVP_MD_CTX_cleanse zeros the digest state in |ctx| and then performs the +// actions of |EVP_MD_CTX_cleanup|. Note that some |EVP_MD_CTX| objects contain +// more than just a digest (e.g. those resulting from |EVP_DigestSignInit|) but +// this function does not zero out more than just the digest state even in that +// case. +OPENSSL_EXPORT void EVP_MD_CTX_cleanse(EVP_MD_CTX *ctx); + // EVP_MD_CTX_free calls |EVP_MD_CTX_cleanup| and then frees |ctx| itself. OPENSSL_EXPORT void EVP_MD_CTX_free(EVP_MD_CTX *ctx); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h index c989e69e..f333043d 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_dsa.h @@ -189,6 +189,16 @@ OPENSSL_EXPORT DSA_SIG *DSA_SIG_new(void); // DSA_SIG_free frees the contents of |sig| and then frees |sig| itself. OPENSSL_EXPORT void DSA_SIG_free(DSA_SIG *sig); +// DSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two components +// of |sig|. +OPENSSL_EXPORT void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r, + const BIGNUM **out_s); + +// DSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may be +// NULL. On success, it takes ownership of each argument and returns one. +// Otherwise, it returns zero. +OPENSSL_EXPORT int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); + // DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa| // and returns an allocated, DSA_SIG structure, or NULL on error. OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, 
@@ -299,7 +309,7 @@ OPENSSL_EXPORT int DSA_marshal_private_key(CBB *cbb, const DSA *dsa); OPENSSL_EXPORT DSA *DSA_parse_parameters(CBS *cbs); // DSA_marshal_parameters marshals |dsa| as a DER-encoded Dss-Parms structure -// (RFC 3447) and appends the result to |cbb|. It returns one on success and +// (RFC 3279) and appends the result to |cbb|. It returns one on success and // zero on failure. OPENSSL_EXPORT int DSA_marshal_parameters(CBB *cbb, const DSA *dsa); 
@@ -326,75 +336,51 @@ OPENSSL_EXPORT void *DSA_get_ex_data(const DSA *dsa, int idx); // Deprecated functions. -// d2i_DSA_SIG parses an ASN.1, DER-encoded, DSA signature from |len| bytes at -// |*inp|. If |out_sig| is not NULL then, on exit, a pointer to the result is -// in |*out_sig|. Note that, even if |*out_sig| is already non-NULL on entry, it -// will not be written to. Rather, a fresh |DSA_SIG| is allocated and the -// previous one is freed. On successful exit, |*inp| is advanced past the DER -// structure. It returns the result or NULL on error. +// d2i_DSA_SIG parses a DER-encoded DSA-Sig-Value structure from |len| bytes at +// |*inp|, as described in |d2i_SAMPLE|. // // Use |DSA_SIG_parse| instead. OPENSSL_EXPORT DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp, long len); -// i2d_DSA_SIG marshals |in| to an ASN.1, DER structure. If |outp| is not NULL -// then the result is written to |*outp| and |*outp| is advanced just past the -// output. It returns the number of bytes in the result, whether written or not, -// or a negative value on error. +// i2d_DSA_SIG marshals |in| to a DER-encoded DSA-Sig-Value structure, as +// described in |i2d_SAMPLE|. // // Use |DSA_SIG_marshal| instead. OPENSSL_EXPORT int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp); -// d2i_DSAPublicKey parses an ASN.1, DER-encoded, DSA public key from |len| -// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result -// is in |*out|. Note that, even if |*ou| is already non-NULL on entry, it will -// not be written to. Rather, a fresh |DSA| is allocated and the previous one is -// freed. On successful exit, |*inp| is advanced past the DER structure. It -// returns the result or NULL on error. +// d2i_DSAPublicKey parses a DER-encoded DSA public key from |len| bytes at +// |*inp|, as described in |d2i_SAMPLE|. // // Use |DSA_parse_public_key| instead. 
OPENSSL_EXPORT DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len); -// i2d_DSAPublicKey marshals a public key from |in| to an ASN.1, DER structure. -// If |outp| is not NULL then the result is written to |*outp| and |*outp| is -// advanced just past the output. It returns the number of bytes in the result, -// whether written or not, or a negative value on error. +// i2d_DSAPublicKey marshals |in| as a DER-encoded DSA public key, as described +// in |i2d_SAMPLE|. // // Use |DSA_marshal_public_key| instead. OPENSSL_EXPORT int i2d_DSAPublicKey(const DSA *in, uint8_t **outp); -// d2i_DSAPrivateKey parses an ASN.1, DER-encoded, DSA private key from |len| -// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result -// is in |*out|. Note that, even if |*out| is already non-NULL on entry, it will -// not be written to. Rather, a fresh |DSA| is allocated and the previous one is -// freed. On successful exit, |*inp| is advanced past the DER structure. It -// returns the result or NULL on error. +// d2i_DSAPrivateKey parses a DER-encoded DSA private key from |len| bytes at +// |*inp|, as described in |d2i_SAMPLE|. // // Use |DSA_parse_private_key| instead. OPENSSL_EXPORT DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len); -// i2d_DSAPrivateKey marshals a private key from |in| to an ASN.1, DER -// structure. If |outp| is not NULL then the result is written to |*outp| and -// |*outp| is advanced just past the output. It returns the number of bytes in -// the result, whether written or not, or a negative value on error. +// i2d_DSAPrivateKey marshals |in| as a DER-encoded DSA private key, as +// described in |i2d_SAMPLE|. // // Use |DSA_marshal_private_key| instead. OPENSSL_EXPORT int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp); -// d2i_DSAparams parses ASN.1, DER-encoded, DSA parameters from |len| bytes at -// |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in -// |*out|. 
Note that, even if |*out| is already non-NULL on entry, it will not -// be written to. Rather, a fresh |DSA| is allocated and the previous one is -// freed. On successful exit, |*inp| is advanced past the DER structure. It -// returns the result or NULL on error. +// d2i_DSAparams parses a DER-encoded Dss-Parms structure (RFC 3279) from |len| +// bytes at |*inp|, as described in |d2i_SAMPLE|. // // Use |DSA_parse_parameters| instead. OPENSSL_EXPORT DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len); -// i2d_DSAparams marshals DSA parameters from |in| to an ASN.1, DER structure. -// If |outp| is not NULL then the result is written to |*outp| and |*outp| is -// advanced just past the output. It returns the number of bytes in the result, -// whether written or not, or a negative value on error. +// i2d_DSAparams marshals |in|'s parameters as a DER-encoded Dss-Parms structure +// (RFC 3279), as described in |i2d_SAMPLE|. // // Use |DSA_marshal_parameters| instead. OPENSSL_EXPORT int i2d_DSAparams(const DSA *in, uint8_t **outp); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h index 6dd5eb62..0eef6070 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec.h 
@@ -323,7 +323,15 @@ OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, // |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always // return |NID_undef|. // -// Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| instead. +// This function is provided for compatibility with some legacy applications +// only. Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| +// instead. This ensures the result meets preconditions necessary for +// elliptic curve algorithms to function correctly and securely. +// +// Given invalid parameters, this function may fail or it may return an +// |EC_GROUP| which breaks these preconditions. Subsequent operations may then +// return arbitrary, incorrect values. Callers should not pass +// attacker-controlled values to this function. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h index a8b8a2b7..3ee84c67 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ec_key.h @@ -167,8 +167,9 @@ OPENSSL_EXPORT void EC_KEY_set_conv_form(EC_KEY *key, // about the problem can be found on the error stack. OPENSSL_EXPORT int EC_KEY_check_key(const EC_KEY *key); -// EC_KEY_check_fips performs a signing pairwise consistency test (FIPS 140-2 -// 4.9.2). It returns one if it passes and zero otherwise. +// EC_KEY_check_fips performs both a signing pairwise consistency test +// (FIPS 140-2 4.9.2) and the consistency test from SP 800-56Ar3 section +// 5.6.2.1.4. It returns one if it passes and zero otherwise. OPENSSL_EXPORT int EC_KEY_check_fips(const EC_KEY *key); // EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to 
@@ -194,7 +195,9 @@ OPENSSL_EXPORT size_t EC_KEY_key2buf(const EC_KEY *key,
 OPENSSL_EXPORT int EC_KEY_generate_key(EC_KEY *key);
 // EC_KEY_generate_key_fips behaves like |EC_KEY_generate_key| but performs
-// additional checks for FIPS compliance.
+// additional checks for FIPS compliance. This function is applicable when
+// generating keys for either signing/verification or key agreement because
+// both types of consistency check (PCT) are performed.
 OPENSSL_EXPORT int EC_KEY_generate_key_fips(EC_KEY *key);
 // EC_KEY_derive_from_secret deterministically derives a private key for |group|
@@ -294,43 +297,30 @@ struct ecdsa_method_st {
 // EC_KEY_set_asn1_flag does nothing.
 OPENSSL_EXPORT void EC_KEY_set_asn1_flag(EC_KEY *key, int flag);
-// d2i_ECPrivateKey parses an ASN.1, DER-encoded, private key from |len| bytes
-// at |*inp|. If |out_key| is not NULL then, on exit, a pointer to the result
-// is in |*out_key|. Note that, even if |*out_key| is already non-NULL on entry,
-// it * will not be written to. Rather, a fresh |EC_KEY| is allocated and the
-// previous * one is freed. On successful exit, |*inp| is advanced past the DER
-// structure. It returns the result or NULL on error.
-//
-// On input, if |*out_key| is non-NULL and has a group configured, the
-// parameters field may be omitted but must match that group if present.
+// d2i_ECPrivateKey parses a DER-encoded ECPrivateKey structure (RFC 5915) from
+// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. On input, if |*out_key|
+// is non-NULL and has a group configured, the parameters field may be omitted
+// but must match that group if present.
 //
 // Use |EC_KEY_parse_private_key| instead.
 OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey(EC_KEY **out_key, const uint8_t **inp, long len);
-// i2d_ECPrivateKey marshals an EC private key from |key| to an ASN.1, DER
-// structure. If |outp| is not NULL then the result is written to |*outp| and
-// |*outp| is advanced just past the output. It returns the number of bytes in
-// the result, whether written or not, or a negative value on error.
+// i2d_ECPrivateKey marshals |key| as a DER-encoded ECPrivateKey structure (RFC
+// 5915), as described in |i2d_SAMPLE|.
 //
 // Use |EC_KEY_marshal_private_key| instead.
 OPENSSL_EXPORT int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp);
-// d2i_ECParameters parses an ASN.1, DER-encoded, set of EC parameters from
-// |len| bytes at |*inp|. If |out_key| is not NULL then, on exit, a pointer to
-// the result is in |*out_key|. 
Note that, even if |*out_key| is already
-// non-NULL on entry, it will not be written to. Rather, a fresh |EC_KEY| is
-// allocated and the previous one is freed. On successful exit, |*inp| is
-// advanced past the DER structure. It returns the result or NULL on error.
+// d2i_ECParameters parses a DER-encoded ECParameters structure (RFC 5480) from
+// |len| bytes at |*inp|, as described in |d2i_SAMPLE|.
 //
 // Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead.
 OPENSSL_EXPORT EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, long len);
-// i2d_ECParameters marshals EC parameters from |key| to an ASN.1, DER
-// structure. If |outp| is not NULL then the result is written to |*outp| and
-// |*outp| is advanced just past the output. It returns the number of bytes in
-// the result, whether written or not, or a negative value on error.
+// i2d_ECParameters marshals |key|'s parameters as a DER-encoded OBJECT
+// IDENTIFIER, as described in |i2d_SAMPLE|.
 //
 // Use |EC_KEY_marshal_curve_name| instead.
 OPENSSL_EXPORT int i2d_ECParameters(const EC_KEY *key, uint8_t **outp);
@@ -344,10 +334,8 @@ OPENSSL_EXPORT int i2d_ECParameters(const EC_KEY *key, uint8_t **outp);
 OPENSSL_EXPORT EC_KEY *o2i_ECPublicKey(EC_KEY **out_key, const uint8_t **inp, long len);
-// i2o_ECPublicKey marshals an EC point from |key|. If |outp| is not NULL then
-// the result is written to |*outp| and |*outp| is advanced just past the
-// output. It returns the number of bytes in the result, whether written or
-// not, or a negative value on error.
+// i2o_ECPublicKey marshals an EC point from |key|, as described in
+// |i2d_SAMPLE|.
 //
 // Use |EC_POINT_point2cbb| instead.
 OPENSSL_EXPORT int i2o_ECPublicKey(const EC_KEY *key, unsigned char **outp);
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ecdsa.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ecdsa.h
index 2912d04c..745136a9 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ecdsa.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_ecdsa.h
@@ -197,19 +197,17 @@ ECDSA_sign_with_nonce_and_leak_private_key_for_testing(const uint8_t *digest,
 // Deprecated functions.
-// d2i_ECDSA_SIG parses an ASN.1, DER-encoded, signature from |len| bytes at
-// |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
-// |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
-// be written to. Rather, a fresh |ECDSA_SIG| is allocated and the previous one
-// is freed. On successful exit, |*inp| is advanced past the DER structure. It
-// returns the result or NULL on error.
+// d2i_ECDSA_SIG parses aa DER-encoded ECDSA-Sig-Value structure from |len|
+// bytes at |*inp|, as described in |d2i_SAMPLE|.
+//
+// Use |ECDSA_SIG_parse| instead.
 OPENSSL_EXPORT ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len);
-// i2d_ECDSA_SIG marshals a signature from |sig| to an ASN.1, DER
-// structure. If |outp| is not NULL then the result is written to |*outp| and
-// |*outp| is advanced just past the output. It returns the number of bytes in
-// the result, whether written or not, or a negative value on error.
+// i2d_ECDSA_SIG marshals |sig| as a DER-encoded ECDSA-Sig-Value, as described
+// in |i2d_SAMPLE|.
+//
+// Use |ECDSA_SIG_marshal| instead.
 OPENSSL_EXPORT int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp);
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_err.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_err.h
index 33957e81..5a183d13 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_err.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_err.h
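Review bot: Typo in the new d2i_ECDSA_SIG comment: `parses aa DER-encoded` should read `// d2i_ECDSA_SIG parses a DER-encoded ECDSA-Sig-Value structure from |len|`. The rest of the hunk follows the same d2i/i2d rewrite pattern used elsewhere in this commit, and the added `Use |ECDSA_SIG_parse| instead.` line is useful since the deprecated entry previously named no replacement.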
@@ -183,6 +183,11 @@ OPENSSL_EXPORT uint32_t ERR_get_error_line(const char **file, int *line);
 // can be printed. This is always set if |data| is non-NULL.
 #define ERR_FLAG_STRING 1
+// ERR_FLAG_MALLOCED is passed into |ERR_set_error_data| to indicate that |data|
+// was allocated with |OPENSSL_malloc|. It is never returned from
+// |ERR_get_error_line_data|.
+#define ERR_FLAG_MALLOCED 2
+
 // ERR_get_error_line_data acts like |ERR_get_error_line|, but also returns the
 // error-specific data pointer and flags. The flags are a bitwise-OR of
 // |ERR_FLAG_*| values. The error-specific data is owned by the error queue
@@ -408,9 +413,10 @@ OPENSSL_EXPORT char *ERR_error_string(uint32_t packed_error, char *buf);
 // ERR_GET_FUNC returns zero. BoringSSL errors do not report a function code.
 #define ERR_GET_FUNC(packed_error) 0
-// ERR_TXT_STRING is provided for compatibility with code that assumes that
-// it's using OpenSSL.
+// ERR_TXT_* are provided for compatibility with code that assumes that it's
+// using OpenSSL.
 #define ERR_TXT_STRING ERR_FLAG_STRING
+#define ERR_TXT_MALLOCED ERR_FLAG_MALLOCED
 // Private functions.
@@ -444,6 +450,17 @@ OPENSSL_EXPORT void ERR_add_error_data(unsigned count, ...);
 OPENSSL_EXPORT void ERR_add_error_dataf(const char *format, ...) OPENSSL_PRINTF_FORMAT_FUNC(1, 2);
+// ERR_set_error_data sets the data on the most recent error to |data|, which
+// must be a NUL-terminated string. |flags| must contain |ERR_FLAG_STRING|. If
+// |flags| contains |ERR_FLAG_MALLOCED|, this function takes ownership of
+// |data|, which must have been allocated with |OPENSSL_malloc|. Otherwise, it
+// saves a copy of |data|.
+//
+// Note this differs from OpenSSL which, when |ERR_FLAG_MALLOCED| is unset,
+// saves the pointer as-is and requires it remain valid for the lifetime of the
+// address space.
+OPENSSL_EXPORT void ERR_set_error_data(char *data, int flags);
+
 // ERR_NUM_ERRORS is one more than the limit of the number of errors in the
 // queue.
 #define ERR_NUM_ERRORS 16
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h
index 5803ce4c..a19a0fcf 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_evp.h
@@ -873,34 +873,27 @@ OPENSSL_EXPORT void EVP_MD_do_all(void (*callback)(const EVP_MD *cipher, void *arg), void *arg);
-// i2d_PrivateKey marshals a private key from |key| to an ASN.1, DER
-// structure. If |outp| is not NULL then the result is written to |*outp| and
-// |*outp| is advanced just past the output. It returns the number of bytes in
-// the result, whether written or not, or a negative value on error.
+// i2d_PrivateKey marshals a private key from |key| to type-specific format, as
+// described in |i2d_SAMPLE|.
 //
-// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 3447) structure.
+// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure.
 // EC keys are serialized as a DER-encoded ECPrivateKey (RFC 5915) structure.
 //
 // Use |RSA_marshal_private_key| or |EC_KEY_marshal_private_key| instead.
 OPENSSL_EXPORT int i2d_PrivateKey(const EVP_PKEY *key, uint8_t **outp);
-// i2d_PublicKey marshals a public key from |key| to a type-specific format.
-// If |outp| is not NULL then the result is written to |*outp| and
-// |*outp| is advanced just past the output. It returns the number of bytes in
-// the result, whether written or not, or a negative value on error.
+// i2d_PublicKey marshals a public key from |key| to a type-specific format, as
+// described in |i2d_SAMPLE|.
 //
-// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 3447) structure.
+// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure.
 // EC keys are serialized as an EC point per SEC 1.
 //
 // Use |RSA_marshal_public_key| or |EC_POINT_point2cbb| instead.
 OPENSSL_EXPORT int i2d_PublicKey(const EVP_PKEY *key, uint8_t **outp);
-// d2i_PrivateKey parses an ASN.1, DER-encoded, private key from |len| bytes at
-// |*inp|. If |out| is not NULL then, on exit, a pointer to the result is in
-// |*out|. Note that, even if |*out| is already non-NULL on entry, it will not
-// be written to. 
Rather, a fresh |EVP_PKEY| is allocated and the previous one
-// is freed. On successful exit, |*inp| is advanced past the DER structure. It
-// returns the result or NULL on error.
+// d2i_PrivateKey parses a DER-encoded private key from |len| bytes at |*inp|,
+// as described in |d2i_SAMPLE|. The private key must have type |type|,
+// otherwise it will be rejected.
 //
 // This function tries to detect one of several formats. Instead, use
 // |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an
@@ -917,15 +910,12 @@ OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out,
 OPENSSL_EXPORT EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, long len);
-// d2i_PublicKey parse a public key from |len| bytes at |*inp| in a type-
-// specific format specified by |type|. If |out| is not NULL then, on exit, a
-// pointer to the result is in |*out|. Note that, even if |*out| is already non-
-// NULL on entry, it will not be written to. Rather, a fresh |EVP_PKEY| is
-// allocated and the previous one is freed. On successful exit, |*inp| is
-// advanced past the decoded key. It returns the result or NULL on error.
+// d2i_PublicKey parses a public key from |len| bytes at |*inp| in a type-
+// specific format specified by |type|, as described in |d2i_SAMPLE|.
 //
-// RSA keys are parsed as a DER-encoded RSAPublicKey (RFC 3447) structure.
-// Parsing EC keys is not supported by this function.
+// The only supported value for |type| is |EVP_PKEY_RSA|, which parses a
+// DER-encoded RSAPublicKey (RFC 8017) structure. Parsing EC keys is not
+// supported by this function.
 //
 // Use |RSA_parse_public_key| instead.
 OPENSSL_EXPORT EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out,
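Review bot: In the -873 hunk the rewritten i2d_PrivateKey comment still says `// RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure.`; for a private-key marshaller this should name RSAPrivateKey, which is also what the `Use |RSA_marshal_private_key|` line two lines below points to. The commit only swapped the RFC number, so the pre-existing public/private mix-up is carried into the new text, and a reader comparing it with the correct RSAPublicKey wording under i2d_PublicKey will be misled about which structure a private key produces. Suggested replacement: `// RSA keys are serialized as a DER-encoded RSAPrivateKey (RFC 8017) structure.` The -917 hunk on d2i_PublicKey raises nothing.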
@@ -974,70 +964,54 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx,
 OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
-// i2d_PUBKEY marshals a public key from |pkey| as a DER-encoded
-// SubjectPublicKeyInfo. If |outp| is not NULL, the result is written to |*outp|
-// and |*outp| is advanced just past the output. It returns the number of bytes
-// in the result, whether written or not, or a negative value on error.
+// i2d_PUBKEY marshals |pkey| as a DER-encoded SubjectPublicKeyInfo, as
+// described in |i2d_SAMPLE|.
 //
 // Use |EVP_marshal_public_key| instead.
 OPENSSL_EXPORT int i2d_PUBKEY(const EVP_PKEY *pkey, uint8_t **outp);
 // d2i_PUBKEY parses a DER-encoded SubjectPublicKeyInfo from |len| bytes at
-// |*inp|. It returns a newly-allocated result, or NULL on error. On success,
-// |*inp| is advanced past the DER structure. If |out| is not NULL, it also
-// frees any existing object pointed by |*out| and writes the result.
+// |*inp|, as described in |d2i_SAMPLE|.
 //
 // Use |EVP_parse_public_key| instead.
 OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY(EVP_PKEY **out, const uint8_t **inp, long len);
-// i2d_RSA_PUBKEY marshals |rsa| as a DER-encoded SubjectPublicKeyInfo. If
-// |outp| is not NULL, the result is written to |*outp| and
-// |*outp| is advanced just past the output. It returns the number of bytes in
-// the result, whether written or not, or a negative value on error.
+// i2d_RSA_PUBKEY marshals |rsa| as a DER-encoded SubjectPublicKeyInfo
+// structure, as described in |i2d_SAMPLE|.
 //
 // Use |EVP_marshal_public_key| instead.
 OPENSSL_EXPORT int i2d_RSA_PUBKEY(const RSA *rsa, uint8_t **outp);
 // d2i_RSA_PUBKEY parses an RSA public key as a DER-encoded SubjectPublicKeyInfo
-// from |len| bytes at |*inp|. It returns a newly-allocated result, or NULL on
-// error. On success, |*inp| is advanced past the DER structure. 
If |out| is not
-// NULL, it also frees any existing object pointed by |*out| and writes the
-// result.
+// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.
+// SubjectPublicKeyInfo structures containing other key types are rejected.
 //
 // Use |EVP_parse_public_key| instead.
 OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY(RSA **out, const uint8_t **inp, long len);
-// i2d_DSA_PUBKEY marshals |dsa| as a DER-encoded SubjectPublicKeyInfo. If
-// |outp| is not NULL, the result is written to |*outp| and |*outp| is advanced
-// just past the output. It returns the number of bytes in the result, whether
-// written or not, or a negative value on error.
+// i2d_DSA_PUBKEY marshals |dsa| as a DER-encoded SubjectPublicKeyInfo, as
+// described in |i2d_SAMPLE|.
 //
 // Use |EVP_marshal_public_key| instead.
 OPENSSL_EXPORT int i2d_DSA_PUBKEY(const DSA *dsa, uint8_t **outp);
 // d2i_DSA_PUBKEY parses a DSA public key as a DER-encoded SubjectPublicKeyInfo
-// from |len| bytes at |*inp|. It returns a newly-allocated result, or NULL on
-// error. On success, |*inp| is advanced past the DER structure. If |out| is not
-// NULL, it also frees any existing object pointed by |*out| and writes the
-// result.
+// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.
+// SubjectPublicKeyInfo structures containing other key types are rejected.
 //
 // Use |EVP_parse_public_key| instead.
 OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY(DSA **out, const uint8_t **inp, long len);
-// i2d_EC_PUBKEY marshals |ec_key| as a DER-encoded SubjectPublicKeyInfo. If
-// |outp| is not NULL, the result is written to |*outp| and |*outp| is advanced
-// just past the output. It returns the number of bytes in the result, whether
-// written or not, or a negative value on error.
+// i2d_EC_PUBKEY marshals |ec_key| as a DER-encoded SubjectPublicKeyInfo, as
+// described in |i2d_SAMPLE|.
 //
 // Use |EVP_marshal_public_key| instead.
OPENSSL_EXPORT int i2d_EC_PUBKEY(const EC_KEY *ec_key, uint8_t **outp);
 // d2i_EC_PUBKEY parses an EC public key as a DER-encoded SubjectPublicKeyInfo
-// from |len| bytes at |*inp|. It returns a newly-allocated result, or NULL on
-// error. On success, |*inp| is advanced past the DER structure. If |out| is not
-// NULL, it also frees any existing object pointed by |*out| and writes the
-// result.
+// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|.
+// SubjectPublicKeyInfo structures containing other key types are rejected.
 //
 // Use |EVP_parse_public_key| instead.
 OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp,
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hkdf.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hkdf.h
index 3913fd41..356d46dc 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hkdf.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hkdf.h
@@ -41,6 +41,10 @@ OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest,
 // keying material |secret| and salt |salt| using |digest|, and outputs
 // |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|.
 // It returns one on success and zero on error.
+//
+// WARNING: This function orders the inputs differently from RFC 5869
+// specification. Double-check which parameter is the secret/IKM and which is
+// the salt when using.
 OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len, const EVP_MD *digest, const uint8_t *secret, size_t secret_len, const uint8_t *salt,
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hmac.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hmac.h
index 4231d3fd..f700bf33 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hmac.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hmac.h
@@ -98,6 +98,10 @@ OPENSSL_EXPORT HMAC_CTX *HMAC_CTX_new(void);
 // HMAC_CTX_cleanup frees data owned by |ctx|. It does not free |ctx| itself.
 OPENSSL_EXPORT void HMAC_CTX_cleanup(HMAC_CTX *ctx);
+// HMAC_CTX_cleanse zeros the digest state from |ctx| and then performs the
+// actions of |HMAC_CTX_cleanup|.
+OPENSSL_EXPORT void HMAC_CTX_cleanse(HMAC_CTX *ctx);
+
 // HMAC_CTX_free calls |HMAC_CTX_cleanup| and then frees |ctx| itself.
 OPENSSL_EXPORT void HMAC_CTX_free(HMAC_CTX *ctx);
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h
index dfa9c8b6..7edd2d2e 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_hpke.h
@@ -30,7 +30,7 @@ extern "C" {
 // Hybrid Public Key Encryption (HPKE) enables a sender to encrypt messages to a
 // receiver with a public key.
 //
-// See https://tools.ietf.org/html/draft-irtf-cfrg-hpke-08.
+// See RFC 9180.
 // Parameters.
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h
index 3b579b60..f283f348 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_mem.h
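Review bot: The new HMAC_CTX_cleanse comment says what the function does but not when a caller should prefer it, and the unchanged context line that follows still documents HMAC_CTX_free as calling only |HMAC_CTX_cleanup|, so a reader cannot tell whether a context that is cleaned up or freed without cleanse keeps its digest state in memory. One added sentence would settle it: `// Callers that need the digest state zeroed before the context goes out of scope should use this instead of |HMAC_CTX_cleanup|.` Whether |HMAC_CTX_free| itself clears the state is not visible from this hunk and is worth confirming against the implementation before wording the comment either way.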
@@ -150,9 +150,15 @@ OPENSSL_EXPORT size_t OPENSSL_strlcat(char *dst, const char *src,
 // Deprecated functions.
-#define CRYPTO_malloc OPENSSL_malloc
-#define CRYPTO_realloc OPENSSL_realloc
-#define CRYPTO_free OPENSSL_free
+// CRYPTO_malloc calls |OPENSSL_malloc|. |file| and |line| are ignored.
+OPENSSL_EXPORT void *CRYPTO_malloc(size_t size, const char *file, int line);
+
+// CRYPTO_realloc calls |OPENSSL_realloc|. |file| and |line| are ignored.
+OPENSSL_EXPORT void *CRYPTO_realloc(void *ptr, size_t new_size,
+ const char *file, int line);
+
+// CRYPTO_free calls |OPENSSL_free|. |file| and |line| are ignored.
+OPENSSL_EXPORT void CRYPTO_free(void *ptr, const char *file, int line);
 // OPENSSL_clear_free calls |OPENSSL_free|. BoringSSL automatically clears all
 // allocations on free, but we define |OPENSSL_clear_free| for compatibility.
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs7.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs7.h
index ad1c4d3c..2f01dade 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs7.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs7.h
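Review bot: Replacing the `#define CRYPTO_malloc OPENSSL_malloc` aliases with three-argument exported functions is a source-compatibility change, not just a documentation one: any consumer that called the one-argument macro form through these names now fails to compile against the vendored header, while callers using OpenSSL's `(size, file, line)` form start working. That is probably the intended direction, but it is invisible in the PR description, which only mentions the BoringSSL bump; a sentence there naming the three renamed entry points would save downstream users a surprise. The new comments themselves are complete.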
@@ -49,10 +49,15 @@ OPENSSL_EXPORT int PKCS7_get_raw_certificates(
 // them into |X509| objects.
 OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
-// PKCS7_bundle_certificates appends a PKCS#7, SignedData structure containing
-// |certs| to |out|. It returns one on success and zero on error. Note that
-// certificates in SignedData structures are unordered. The order in |certs|
-// will not be preserved.
+// PKCS7_bundle_raw_certificates appends a PKCS#7, SignedData structure
+// containing |certs| to |out|. It returns one on success and zero on error.
+// Note that certificates in SignedData structures are unordered. The order in
+// |certs| will not be preserved.
+OPENSSL_EXPORT int PKCS7_bundle_raw_certificates(
+ CBB *out, const STACK_OF(CRYPTO_BUFFER) *certs);
+
+// PKCS7_bundle_certificates behaves like |PKCS7_bundle_raw_certificates| but
+// takes |X509| objects as input.
 OPENSSL_EXPORT int PKCS7_bundle_certificates( CBB *out, const STACK_OF(X509) *certs);
@@ -137,11 +142,7 @@ typedef struct {
 } PKCS7;
 // d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from
-// |len| bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the
-// result is in |*out|. Note that, even if |*out| is already non-NULL on entry,
-// it will not be written to. Rather, a fresh |PKCS7| is allocated and the
-// previous one is freed. On successful exit, |*inp| is advanced past the BER
-// structure. It returns the result or NULL on error.
+// |len| bytes at |*inp|, as described in |d2i_SAMPLE|.
 OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp, size_t len);
@@ -152,10 +153,8 @@ OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp,
 // from |bio|.
 OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
-// i2d_PKCS7 is a dummy function which copies the contents of |p7|. If |out| is
-// not NULL then the result is written to |*out| and |*out| is advanced just
-// past the output. It returns the number of bytes in the result, whether
-// written or not, or a negative value on error.
+// i2d_PKCS7 marshals |p7| as a DER-encoded PKCS#7 ContentInfo structure, as
+// described in |i2d_SAMPLE|.
 OPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out);
 // i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
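Review bot: The new i2d_PKCS7 comment promises a DER-encoded ContentInfo, but d2i_PKCS7 in the previous hunk accepts BER input and the text being removed here described i2d_PKCS7 as a dummy that copies |p7|'s contents. If the implementation still re-emits the bytes it was parsed from, a BER-encoded input round-trips as BER rather than DER and the new wording overstates the guarantee; the implementation is not visible from this hunk. Either confirm that i2d_PKCS7 re-encodes the structure, or word the comment to state what the code actually emits so that callers who feed the output to a strict DER consumer are not surprised.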
@@ -200,15 +199,22 @@ OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
 #define PKCS7_STREAM 0x1000
 #define PKCS7_PARTIAL 0x4000
-// PKCS7_sign assembles |certs| into a PKCS#7 signed data ContentInfo with
+// PKCS7_sign can operate in two modes to provide some backwards compatibility:
+//
+// The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with
 // external data and no signatures. It returns a newly-allocated |PKCS7| on
 // success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is
-// ignored. |flags| must be equal to |PKCS7_DETACHED|.
-//
-// Note this function only implements a subset of the corresponding OpenSSL
-// function. It is provided for backwards compatibility only. Additionally,
+// ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally,
 // certificates in SignedData structures are unordered. The order of |certs|
 // will not be preserved.
+//
+// The second mode generates a detached RSA SHA-256 signature of |data| using
+// |pkey| and produces a PKCS#7 SignedData structure containing it. |certs|
+// must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY |
+// PKCS7_NOCERTS | PKCS7_DETACHED|.
+//
+// Note this function only implements a subset of the corresponding OpenSSL
+// function. It is provided for backwards compatibility only.
 OPENSSL_EXPORT PKCS7 *PKCS7_sign(X509 *sign_cert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, int flags);
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs8.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs8.h
index 9da58fea..27c193b0 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs8.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pkcs8.h
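Review bot: The second-mode paragraph added to PKCS7_sign states that |certs| must be NULL and that |pkey| produces the signature, but it says nothing about |sign_cert|, whereas the first mode explicitly requires `|sign_cert| and |pkey| must be NULL`. A reader cannot tell whether the second mode ignores |sign_cert|, requires it to correspond to |pkey|, or rejects a non-NULL value, and since the mode is selected from the arguments this is the one constraint that decides which path runs. One sentence in that paragraph, filled in from the implementation — e.g. `|sign_cert| must be ... in this mode.` — would close the gap; it would also help to say next to the |flags| requirement that a non-RSA |pkey| presumably fails, since the text commits to an RSA SHA-256 signature.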
@@ -122,6 +122,8 @@ OPENSSL_EXPORT EVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs,
 // and decrypts it using |password|, sets |*out_key| to the included private
 // key and appends the included certificates to |out_certs|. It returns one on
 // success and zero on error. The caller takes ownership of the outputs.
+// Any friendlyName attributes (RFC 2985) in the PKCS#12 structure will be
+// returned on the |X509| objects as aliases. See also |X509_alias_get0|.
 OPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, CBS *in, const char *password);
@@ -197,6 +199,10 @@ OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password,
 OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password, int password_len);
+// PKCS12_DEFAULT_ITER is the default number of KDF iterations used when
+// creating a |PKCS12| object.
+#define PKCS12_DEFAULT_ITER 2048
+
 // PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|,
 // |cert|, and |chain|, encrypted with the specified password. |name|, if not
 // NULL, specifies a user-friendly name to encode with the key and
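Review bot: In the -197 hunk the new PKCS12_DEFAULT_ITER comment names the value but not its role, and the PKCS12_create text that this constant now feeds only says that zero selects it, so a caller producing a new archive gets no hint that the count is a legacy interoperability default and that a larger |iterations| is the more conservative choice for a password-derived key. Suggest `// PKCS12_DEFAULT_ITER is the default number of KDF iterations used when creating a |PKCS12| object. It is chosen for interoperability; callers may pass a larger |iterations| to |PKCS12_create| when slower derivation is acceptable.` — whether the implementation accepts arbitrary larger counts should be checked before the last clause is kept. The -122 hunk on PKCS12_get_key_and_certs raises nothing.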
@@ -207,13 +213,19 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password,
 //
 // Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero
 // to use defaults, which are |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|,
-// |NID_pbe_WithSHA1And40BitRC2_CBC|, 2048, and one, respectively.
+// |NID_pbe_WithSHA1And40BitRC2_CBC|, |PKCS12_DEFAULT_ITER|, and one,
+// respectively.
 //
 // |key_nid| or |cert_nid| may also be -1 to disable encryption of the key or
 // certificate, respectively. This option is not recommended and is only
 // implemented for compatibility with external packages. Note the output still
 // requires a password for the MAC. Unencrypted keys in PKCS#12 are also not
 // widely supported and may not open in other implementations.
+//
+// If |cert| or |chain| have associated aliases (see |X509_alias_set1|), they
+// will be included in the output as friendlyName attributes (RFC 2985). It is
+// an error to specify both an alias on |cert| and a non-NULL |name|
+// parameter.
 OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name, const EVP_PKEY *pkey, X509 *cert, const STACK_OF(X509) *chain, int key_nid,
@@ -273,5 +285,6 @@ BSSL_NAMESPACE_END
 #define PKCS8_R_UNSUPPORTED_PRF 130
 #define PKCS8_R_INVALID_CHARACTERS 131
 #define PKCS8_R_UNSUPPORTED_OPTIONS 132
+#define PKCS8_R_AMBIGUOUS_FRIENDLY_NAME 133
 #endif // OPENSSL_HEADER_PKCS8_H
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pool.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pool.h
index 4a46453c..1b60a63b 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pool.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_pool.h
@@ -60,7 +60,13 @@ OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data,
 // CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|.
 OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS(
- CBS *cbs, CRYPTO_BUFFER_POOL *pool);
+ const CBS *cbs, CRYPTO_BUFFER_POOL *pool);
+
+// CRYPTO_BUFFER_new_from_static_data_unsafe behaves like |CRYPTO_BUFFER_new|
+// but does not copy |data|. |data| must be immutable and last for the lifetime
+// of the address space.
+OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_static_data_unsafe(
+ const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool);
 // CRYPTO_BUFFER_free decrements the reference count of |buf|. If there are no
 // other references, or if the only remaining reference is from a pool, then
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h
index 48de9c11..2a1e4c8b 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_rsa.h
@@ -526,44 +526,44 @@ OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len,
 // ASN.1 functions.
-// RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 3447)
+// RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 8017)
 // from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
 // error.
 OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs);
 // RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure
-// (RFC 3447). It returns a newly-allocated |RSA| or NULL on error.
+// (RFC 8017). It returns a newly-allocated |RSA| or NULL on error.
 OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len);
 // RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure
-// (RFC 3447) and appends the result to |cbb|. It returns one on success and
+// (RFC 8017) and appends the result to |cbb|. It returns one on success and
 // zero on failure.
 OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa);
 // RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey
-// structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
+// structure (RFC 8017) and, on success, sets |*out_bytes| to a newly allocated
 // buffer containing the result and returns one. Otherwise, it returns zero. The
 // result should be freed with |OPENSSL_free|.
 OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, const RSA *rsa);
-// RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 3447)
+// RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 8017)
 // from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on
 // error.
 OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs);
 // RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey
-// structure (RFC 3447). It returns a newly-allocated |RSA| or NULL on error.
+// structure (RFC 8017). 
It returns a newly-allocated |RSA| or NULL on error.
 OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len);
 // RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey
-// structure (RFC 3447) and appends the result to |cbb|. It returns one on
+// structure (RFC 8017) and appends the result to |cbb|. It returns one on
 // success and zero on failure.
 OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa);
 // RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey
-// structure (RFC 3447) and, on success, sets |*out_bytes| to a newly allocated
+// structure (RFC 8017) and, on success, sets |*out_bytes| to a newly allocated
 // buffer containing the result and returns one. Otherwise, it returns zero. The
 // result should be freed with |OPENSSL_free|.
 OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes,
@@ -615,6 +615,9 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx);
 // constants.
 OPENSSL_EXPORT int RSA_flags(const RSA *rsa);
+// RSA_test_flags returns the subset of flags in |flags| which are set in |rsa|.
+OPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags);
+
 // RSA_blinding_on returns one.
 OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
@@ -625,32 +628,28 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); OPENSSL_EXPORT RSA *RSA_generate_key(int bits, unsigned long e, void *callback, void *cb_arg); -// d2i_RSAPublicKey parses an ASN.1, DER-encoded, RSA public key from |len| -// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result -// is in |*out|. Note that, even if |*out| is already non-NULL on entry, it -// will not be written to. Rather, a fresh |RSA| is allocated and the previous -// one is freed. On successful exit, |*inp| is advanced past the DER structure. -// It returns the result or NULL on error. +// d2i_RSAPublicKey parses a DER-encoded RSAPublicKey structure (RFC 8017) from +// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// +// Use |RSA_parse_public_key| instead. OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len); -// i2d_RSAPublicKey marshals |in| to an ASN.1, DER structure. If |outp| is not -// NULL then the result is written to |*outp| and |*outp| is advanced just past -// the output. It returns the number of bytes in the result, whether written or -// not, or a negative value on error. +// i2d_RSAPublicKey marshals |in| to a DER-encoded RSAPublicKey structure (RFC +// 8017), as described in |i2d_SAMPLE|. +// +// Use |RSA_marshal_public_key| instead. OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp); -// d2i_RSAPrivateKey parses an ASN.1, DER-encoded, RSA private key from |len| -// bytes at |*inp|. If |out| is not NULL then, on exit, a pointer to the result -// is in |*out|. Note that, even if |*out| is already non-NULL on entry, it -// will not be written to. Rather, a fresh |RSA| is allocated and the previous -// one is freed. On successful exit, |*inp| is advanced past the DER structure. -// It returns the result or NULL on error. +// d2i_RSAPrivateKey parses a DER-encoded RSAPrivateKey structure (RFC 8017) +// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. 
+// +// Use |RSA_parse_private_key| instead. OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len); -// i2d_RSAPrivateKey marshals |in| to an ASN.1, DER structure. If |outp| is not -// NULL then the result is written to |*outp| and |*outp| is advanced just past -// the output. It returns the number of bytes in the result, whether written or -// not, or a negative value on error. +// i2d_RSAPrivateKey marshals |in| to a DER-encoded RSAPrivateKey structure (RFC +// 8017), as described in |i2d_SAMPLE|. +// +// Use |RSA_marshal_private_key| instead. OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp); // RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the @@ -684,6 +683,11 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, // on success or zero otherwise. OPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent); +// RSA_get0_pss_params returns NULL. In OpenSSL, this function retries RSA-PSS +// parameters associated with |RSA| objects, but BoringSSL does not support +// the id-RSASSA-PSS key encoding. +OPENSSL_EXPORT const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa); + struct rsa_meth_st { struct openssl_method_common_st common; diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h index 7295450a..3be615b0 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_span.h 
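Review bot: The comment on the new `RSA_get0_pss_params` declaration has a typo, "retries" for "retrieves": `// RSA_get0_pss_params returns NULL. In OpenSSL, this function retrieves RSA-PSS`. Because this version returns NULL unconditionally, it would also help callers ported from OpenSSL to say explicitly that a NULL result carries no information about the key, so that code which treats "no PSS parameters" as permission to relax signature-scheme restrictions does not misread it; something like `// Callers must not infer anything about |rsa| from the NULL result.` after the existing sentence would do. The `RSA_PSS_PARAMS` type this declaration refers to is defined elsewhere in the patch, outside this hunk.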
@@ -94,20 +94,17 @@ class SpanBase { template class Span : private internal::SpanBase { private: + static const size_t npos = static_cast(-1); + // Heuristically test whether C is a container type that can be converted into // a Span by checking for data() and size() member functions. // - // TODO(davidben): Switch everything to std::enable_if_t when we remove - // support for MSVC 2015. Although we could write our own enable_if_t and MSVC - // 2015 has std::enable_if_t anyway, MSVC 2015's SFINAE implementation is - // problematic and does not work below unless we write the ::type at use. + // TODO(davidben): Require C++17 support for std::is_convertible_v, etc. template - using EnableIfContainer = std::enable_if< + using EnableIfContainer = std::enable_if_t< std::is_convertible().data()), T *>::value && std::is_integral().size())>::value>; - static const size_t npos = static_cast(-1); - public: constexpr Span() : Span(nullptr, 0) {} constexpr Span(T *ptr, size_t len) : data_(ptr), size_(len) {} @@ -115,14 +112,12 @@ class Span : private internal::SpanBase { template constexpr Span(T (&array)[N]) : Span(array, N) {} - template < - typename C, typename = typename EnableIfContainer::type, - typename = typename std::enable_if::value, C>::type> + template , + typename = std::enable_if_t::value, C>> Span(const C &container) : data_(container.data()), size_(container.size()) {} - template < - typename C, typename = typename EnableIfContainer::type, - typename = typename std::enable_if::value, C>::type> + template , + typename = std::enable_if_t::value, C>> explicit Span(C &container) : data_(container.data()), size_(container.size()) {} diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h index 1183a77e..39613c13 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_stack.h 
@@ -443,16 +443,14 @@ namespace internal { // Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|. template -struct DeleterImpl< - Stack, typename std::enable_if::kIsConst>::type> { +struct DeleterImpl::kIsConst>> { static void Free(Stack *sk) { sk_free(reinterpret_cast<_STACK *>(sk)); } }; // Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the // corresponding type's deleter. template -struct DeleterImpl< - Stack, typename std::enable_if::kIsConst>::type> { +struct DeleterImpl::kIsConst>> { static void Free(Stack *sk) { // sk_FOO_pop_free is defined by macros and bound by name, so we cannot // access it from C++ here. @@ -502,18 +500,17 @@ class StackIteratorImpl { }; template -using StackIterator = typename std::enable_if::kIsStack, - StackIteratorImpl>::type; +using StackIterator = + std::enable_if_t::kIsStack, StackIteratorImpl>; } // namespace internal // PushToStack pushes |elem| to |sk|. It returns true on success and false on // allocation failure. template -inline - typename std::enable_if::kIsConst, bool>::type - PushToStack(Stack *sk, - UniquePtr::Type> elem) { +inline std::enable_if_t::kIsConst, bool> +PushToStack(Stack *sk, + UniquePtr::Type> elem) { if (!sk_push(reinterpret_cast<_STACK *>(sk), elem.get())) { return false; } diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h index cec78b3d..5803f437 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_thread.h 
@@ -77,14 +77,13 @@ typedef struct crypto_mutex_st { typedef union crypto_mutex_st { void *handle; } CRYPTO_MUTEX; -#elif defined(__MACH__) && defined(__APPLE__) +#elif !defined(__GLIBC__) typedef pthread_rwlock_t CRYPTO_MUTEX; #else -// It is reasonable to include pthread.h on non-Windows systems, however the -// |pthread_rwlock_t| that we need is hidden under feature flags, and we can't -// ensure that we'll be able to get it. It's statically asserted that this -// structure is large enough to contain a |pthread_rwlock_t| by -// thread_pthread.c. +// On glibc, |pthread_rwlock_t| is hidden under feature flags, and we can't +// ensure that we'll be able to get it from a public header. It's statically +// asserted that this structure is large enough to contain a |pthread_rwlock_t| +// by thread_pthread.c. typedef union crypto_mutex_st { double alignment; uint8_t padding[3*sizeof(int) + 5*sizeof(unsigned) + 16 + 8]; diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_type_check.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_type_check.h index 90395263..86277e84 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_type_check.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_type_check.h @@ -71,7 +71,12 @@ extern "C" { // C11 defines the |_Static_assert| keyword and the |static_assert| macro in // assert.h. While the former is available at all versions in Clang and GCC, the // later depends on libc and, in glibc, depends on being built in C11 mode. We -// do not require this, for now, so use |_Static_assert| directly. +// require C11 mode to build the library but, for now, do not require it in +// public headers. Use |_Static_assert| directly. +// +// TODO(davidben): In July 2022, if the C11 change has not been reverted, switch +// all uses of this macro within the library to C11 |static_assert|. This macro +// will only be necessary in public headers. #define OPENSSL_STATIC_ASSERT(cond, msg) _Static_assert(cond, msg) #endif 
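Review bot: The new `#elif !defined(__GLIBC__)` branch in thread.h picks `pthread_rwlock_t` for every non-Windows, non-glibc target, but `__GLIBC__` only exists once a glibc header (via `<features.h>`) has been included; if this header were processed before any libc header on a glibc system the test would be false and `CRYPTO_MUTEX` would silently become the wrong type, an ABI mismatch with the padded union that thread_pthread.c static-asserts against. The hunk uses `uint8_t`, which suggests `<stdint.h>` is included earlier in the file (outside the hunk) and would define `__GLIBC__` in time, but that ordering is worth confirming rather than assuming. A comment at the `#elif`, e.g. `// __GLIBC__ comes from glibc's <features.h>; this relies on a libc header having been included above.`, would make the dependency explicit for the next person who reorders the includes.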
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h index 58e2c410..cf482b41 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509.h @@ -82,7 +82,7 @@ #include "CJWTKitBoringSSL_thread.h" #include -#ifdef __cplusplus +#if defined(__cplusplus) extern "C" { #endif @@ -121,24 +121,8 @@ DEFINE_STACK_OF(X509_ALGOR) typedef STACK_OF(X509_ALGOR) X509_ALGORS; -struct X509_name_entry_st { - ASN1_OBJECT *object; - ASN1_STRING *value; - int set; -} /* X509_NAME_ENTRY */; - DEFINE_STACK_OF(X509_NAME_ENTRY) -// we always keep X509_NAMEs in 2 forms. -struct X509_name_st { - STACK_OF(X509_NAME_ENTRY) *entries; - int modified; // true if 'bytes' needs to be built - BUF_MEM *bytes; - // unsigned long hash; Keep the hash around for lookups - unsigned char *canon_enc; - int canon_enclen; -} /* X509_NAME */; - DEFINE_STACK_OF(X509_NAME) typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; @@ -147,20 +131,6 @@ DEFINE_STACK_OF(X509_EXTENSION) DEFINE_STACK_OF(X509_ATTRIBUTE) -struct x509_cinf_st { - ASN1_INTEGER *version; // [ 0 ] default of v1 - ASN1_INTEGER *serialNumber; - X509_ALGOR *signature; - X509_NAME *issuer; - X509_VAL *validity; - X509_NAME *subject; - X509_PUBKEY *key; - ASN1_BIT_STRING *issuerUID; // [ 1 ] optional in v2 - ASN1_BIT_STRING *subjectUID; // [ 2 ] optional in v2 - STACK_OF(X509_EXTENSION) *extensions; // [ 3 ] optional in v3 - ASN1_ENCODING enc; -} /* X509_CINF */; - // This stuff is certificate "auxiliary info" // it contains details which are useful in certificate // stores and databases. When used this is tagged onto 
@@ -169,31 +139,6 @@ struct x509_cinf_st { DECLARE_STACK_OF(DIST_POINT) DECLARE_STACK_OF(GENERAL_NAME) -struct x509_st { - X509_CINF *cert_info; - X509_ALGOR *sig_alg; - ASN1_BIT_STRING *signature; - CRYPTO_refcount_t references; - CRYPTO_EX_DATA ex_data; - // These contain copies of various extension values - long ex_pathlen; - long ex_pcpathlen; - unsigned long ex_flags; - unsigned long ex_kusage; - unsigned long ex_xkusage; - unsigned long ex_nscert; - ASN1_OCTET_STRING *skid; - AUTHORITY_KEYID *akid; - X509_POLICY_CACHE *policy_cache; - STACK_OF(DIST_POINT) *crldp; - STACK_OF(GENERAL_NAME) *altname; - NAME_CONSTRAINTS *nc; - unsigned char sha1_hash[SHA_DIGEST_LENGTH]; - X509_CERT_AUX *aux; - CRYPTO_BUFFER *buf; - CRYPTO_MUTEX lock; -} /* X509 */; - DEFINE_STACK_OF(X509) // This is used for a table of trust checking functions @@ -254,14 +199,15 @@ DEFINE_STACK_OF(X509_TRUST) #define X509_FLAG_NO_ATTRIBUTES (1L << 11) #define X509_FLAG_NO_IDS (1L << 12) -// Flags specific to X509_NAME_print_ex() +// Flags specific to X509_NAME_print_ex(). These flags must not collide with +// |ASN1_STRFLGS_*|. // The field separator information #define XN_FLAG_SEP_MASK (0xf << 16) #define XN_FLAG_COMPAT 0 // Traditional SSLeay: use old X509_NAME_print -#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC2253 ,+ +#define XN_FLAG_SEP_COMMA_PLUS (1 << 16) // RFC 2253 ,+ #define XN_FLAG_SEP_CPLUS_SPC (2 << 16) // ,+ spaced: more readable #define XN_FLAG_SEP_SPLUS_SPC (3 << 16) // ;+ spaced #define XN_FLAG_SEP_MULTILINE (4 << 16) // One line per field 
@@ -280,13 +226,13 @@ DEFINE_STACK_OF(X509_TRUST) #define XN_FLAG_SPC_EQ (1 << 23) // Put spaces round '=' // This determines if we dump fields we don't recognise: -// RFC2253 requires this. +// RFC 2253 requires this. #define XN_FLAG_DUMP_UNKNOWN_FIELDS (1 << 24) #define XN_FLAG_FN_ALIGN (1 << 25) // Align field names to 20 characters -// Complete set of RFC2253 flags +// Complete set of RFC 2253 flags #define XN_FLAG_RFC2253 \ (ASN1_STRFLGS_RFC2253 | XN_FLAG_SEP_COMMA_PLUS | XN_FLAG_DN_REV | \ @@ -304,17 +250,6 @@ DEFINE_STACK_OF(X509_TRUST) (ASN1_STRFLGS_ESC_CTRL | ASN1_STRFLGS_ESC_MSB | XN_FLAG_SEP_MULTILINE | \ XN_FLAG_SPC_EQ | XN_FLAG_FN_LN | XN_FLAG_FN_ALIGN) -struct x509_revoked_st { - ASN1_INTEGER *serialNumber; - ASN1_TIME *revocationDate; - STACK_OF(X509_EXTENSION) /* optional */ *extensions; - // Set up if indirect CRL - STACK_OF(GENERAL_NAME) *issuer; - // Revocation reason - int reason; - int sequence; // load sequence -}; - DEFINE_STACK_OF(X509_REVOKED) DECLARE_STACK_OF(GENERAL_NAMES) @@ -339,7 +274,6 @@ struct private_key_st { EVP_CIPHER_INFO cipher; } /* X509_PKEY */; -#ifndef OPENSSL_NO_EVP struct X509_info_st { X509 *x509; X509_CRL *crl; @@ -352,7 +286,6 @@ struct X509_info_st { } /* X509_INFO */; DEFINE_STACK_OF(X509_INFO) -#endif // The next 2 structures and their 8 routines were sent to me by // Pat Richard and are used to manipulate @@ -368,16 +301,6 @@ struct Netscape_spki_st { ASN1_BIT_STRING *signature; } /* NETSCAPE_SPKI */; -#ifdef __cplusplus -} -#endif - -#include "CJWTKitBoringSSL_x509_vfy.h" - -#ifdef __cplusplus -extern "C" { -#endif - // TODO(davidben): Document remaining functions, reorganize them, and define // supported patterns for using |X509| objects in general. In particular, when // it is safe to call mutating functions is a little tricky due to various 
@@ -463,7 +386,7 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, #define X509_extract_key(x) X509_get_pubkey(x) // X509_get_pathlen returns path length constraint from the basic constraints -// extension in |x509|. (See RFC5280, section 4.2.1.9.) It returns -1 if the +// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the // constraint is not present, or if some extension in |x509| was invalid. // // Note that decoding an |X509| object will not check for invalid extensions. To @@ -577,9 +500,6 @@ OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509); // X509_verify_cert_error_string returns |err| as a human-readable string, where // |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns // a default description. -// -// TODO(davidben): Move this function to x509_vfy.h, with the |X509_V_*| -// definitions, or fold x509_vfy.h into this function. OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); // X509_verify checks that |x509| has a valid signature by |pkey|. It returns @@ -901,7 +821,6 @@ OPENSSL_EXPORT X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); DECLARE_ASN1_ENCODE_FUNCTIONS(X509_ALGORS, X509_ALGORS, X509_ALGORS) -DECLARE_ASN1_FUNCTIONS(X509_VAL) DECLARE_ASN1_FUNCTIONS(X509_PUBKEY) @@ -939,10 +858,7 @@ DECLARE_ASN1_FUNCTIONS(X509_NAME) // to the copy, and returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, X509_NAME *name); -DECLARE_ASN1_FUNCTIONS(X509_CINF) - DECLARE_ASN1_FUNCTIONS(X509) -DECLARE_ASN1_FUNCTIONS(X509_CERT_AUX) // X509_up_ref adds one to the reference count of |x509| and returns one. OPENSSL_EXPORT int X509_up_ref(X509 *x509); 
@@ -953,32 +869,17 @@ OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_free *free_func); OPENSSL_EXPORT int X509_set_ex_data(X509 *r, int idx, void *arg); OPENSSL_EXPORT void *X509_get_ex_data(X509 *r, int idx); -OPENSSL_EXPORT int i2d_X509_AUX(X509 *a, unsigned char **pp); -OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, - long length); -// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|. If |outp| is -// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is -// written to |*outp|, which must have enough space available, and |*outp| is -// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it -// sets |*outp| to a newly-allocated buffer containing the result. The caller is -// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this -// function returns the number of bytes in the result, whether written or not, -// or a negative value on error. +// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described +// in |i2d_SAMPLE|. // // This function re-encodes the TBSCertificate and may not reflect |x509|'s // original encoding. It may be used to manually generate a signature for a new // certificate. To verify certificates, use |i2d_X509_tbs| instead. OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, unsigned char **outp); -// i2d_X509_tbs serializes the TBSCertificate portion of |x509|. If |outp| is -// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is -// written to |*outp|, which must have enough space available, and |*outp| is -// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it -// sets |*outp| to a newly-allocated buffer containing the result. The caller is -// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this -// function returns the number of bytes in the result, whether written or not, -// or a negative value on error. 
+// i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in +// |i2d_SAMPLE|. // // This function preserves the original encoding of the TBSCertificate and may // not reflect modifications made to |x509|. It may be used to manually verify 
@@ -1020,19 +921,81 @@ OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig, // a known NID. OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); -OPENSSL_EXPORT int X509_alias_set1(X509 *x, const unsigned char *name, int len); -OPENSSL_EXPORT int X509_keyid_set1(X509 *x, const unsigned char *id, int len); -OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x, int *len); -OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x, int *len); -OPENSSL_EXPORT int (*X509_TRUST_set_default(int (*trust)(int, X509 *, - int)))(int, X509 *, - int); -OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); + +// Auxiliary properties. +// +// |X509| objects optionally maintain auxiliary properties. These are not part +// of the certificates themselves, and thus are not covered by signatures or +// preserved by the standard serialization. They are used as inputs or outputs +// to other functions in this library. + +// i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), +// followed optionally by a separate, OpenSSL-specific structure with auxiliary +// properties. It behaves as described in |i2d_SAMPLE|. +// +// Unlike similarly-named functions, this function does not output a single +// ASN.1 element. Directly embedding the output in a larger ASN.1 structure will +// not behave correctly. +OPENSSL_EXPORT int i2d_X509_AUX(X509 *x509, unsigned char **outp); + +// d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509 +// Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific +// structure with auxiliary properties. It behaves as described in +// |d2i_SAMPLE_with_reuse|. +// +// Some auxiliary properties affect trust decisions, so this function should not +// be used with untrusted input. +// +// Unlike similarly-named functions, this function does not parse a single +// ASN.1 element. Trying to parse data directly embedded in a larger ASN.1 +// structure will not behave correctly. 
+OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const unsigned char **inp, + long length); + +// X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is +// NULL, the alias is cleared instead. Aliases are not part of the certificate +// itself and will not be serialized by |i2d_X509|. +OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const unsigned char *name, + int len); + +// X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is +// NULL, the key ID is cleared instead. Key IDs are not part of the certificate +// itself and will not be serialized by |i2d_X509|. +OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const unsigned char *id, + int len); + +// X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the +// alias's length and returns a pointer to a buffer containing the contents. If +// not found, it outputs the empty string by returning NULL and setting +// |*out_len| to zero. +// +// If |x509| was parsed from a PKCS#12 structure (see +// |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName +// attribute (RFC 2985). +// +// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was +// missing. Callers that target both OpenSSL and BoringSSL should set the value +// to zero before calling this function. +OPENSSL_EXPORT unsigned char *X509_alias_get0(X509 *x509, int *out_len); + +// X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the +// key ID's length and returns a pointer to a buffer containing the contents. If +// not found, it outputs the empty string by returning NULL and setting +// |*out_len| to zero. +// +// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was +// missing. Callers that target both OpenSSL and BoringSSL should set the value +// to zero before calling this function. 
+OPENSSL_EXPORT unsigned char *X509_keyid_get0(X509 *x509, int *out_len); + OPENSSL_EXPORT int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); OPENSSL_EXPORT int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); OPENSSL_EXPORT void X509_trust_clear(X509 *x); OPENSSL_EXPORT void X509_reject_clear(X509 *x); + +OPENSSL_EXPORT int X509_TRUST_set(int *t, int trust); + DECLARE_ASN1_FUNCTIONS(X509_REVOKED) DECLARE_ASN1_FUNCTIONS(X509_CRL) @@ -1144,14 +1107,8 @@ OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, // a known NID. OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); -// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC2986) -// portion of |req|. If |outp| is NULL, nothing is written. Otherwise, if -// |*outp| is not NULL, the result is written to |*outp|, which must have enough -// space available, and |*outp| is advanced just past the output. If |outp| is -// non-NULL and |*outp| is NULL, it sets |*outp| to a newly-allocated buffer -// containing the result. The caller is responsible for releasing the buffer -// with |OPENSSL_free|. In all cases, this function returns the number of bytes -// in the result, whether written or not, or a negative value on error. +// i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) +// portion of |req|, as described in |i2d_SAMPLE|. // // This function re-encodes the CertificationRequestInfo and may not reflect // |req|'s original encoding. It may be used to manually generate a signature 
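Review bot: The WARNING paragraph on `X509_keyid_get0` was copied from `X509_alias_get0` and still says "when the alias was missing"; for this function it should read `// WARNING: In OpenSSL, this function did not set |*out_len| when the key ID was`. The remaining new documentation is consistent, and the sentence on `d2i_X509_AUX` that auxiliary properties affect trust decisions and so must not be parsed from untrusted input is the one callers most need to see. The removal of `X509_TRUST_set_default` in the same hunk is an API removal that the commit description does not mention; it fails at compile time rather than silently, which is acceptable, but it deserves a line in the description.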
@@ -1171,7 +1128,7 @@ OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req); // X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type // for carrying extensions and zero otherwise. The supported types are -// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC2985) and |NID_ms_ext_req| +// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| // (a Microsoft szOID_CERT_EXTENSIONS variant). OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); @@ -1179,7 +1136,7 @@ OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); // returns a newly-allocated |STACK_OF(X509_EXTENSION)| containing the result. // It returns NULL on error, or if |req| did not request extensions. // -// This function supports both pkcs-9-at-extensionRequest from RFC2985 and the +// This function supports both pkcs-9-at-extensionRequest from RFC 2985 and the // Microsoft szOID_CERT_EXTENSIONS variant. OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req); 
@@ -1289,28 +1246,16 @@ OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl, // a known NID. OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl); -// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|. If |outp| is -// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is -// written to |*outp|, which must have enough space available, and |*outp| is -// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it -// sets |*outp| to a newly-allocated buffer containing the result. The caller is -// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this -// function returns the number of bytes in the result, whether written or not, -// or a negative value on error. +// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described +// in |i2d_SAMPLE|. // // This function re-encodes the TBSCertList and may not reflect |crl|'s original // encoding. It may be used to manually generate a signature for a new CRL. To // verify CRLs, use |i2d_X509_CRL_tbs| instead. OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); -// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|. If |outp| is -// NULL, nothing is written. Otherwise, if |*outp| is not NULL, the result is -// written to |*outp|, which must have enough space available, and |*outp| is -// advanced just past the output. If |outp| is non-NULL and |*outp| is NULL, it -// sets |*outp| to a newly-allocated buffer containing the result. The caller is -// responsible for releasing the buffer with |OPENSSL_free|. In all cases, this -// function returns the number of bytes in the result, whether written or not, -// or a negative value on error. +// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in +// |i2d_SAMPLE|. // // This function preserves the original encoding of the TBSCertList and may not // reflect modifications made to |crl|. 
It may be used to manually verify the @@ -1414,7 +1359,6 @@ OPENSSL_EXPORT int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, unsigned long cflag); OPENSSL_EXPORT int X509_print(BIO *bp, X509 *x); OPENSSL_EXPORT int X509_ocspid_print(BIO *bp, X509 *x); -OPENSSL_EXPORT int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); OPENSSL_EXPORT int X509_CRL_print(BIO *bp, X509_CRL *x); OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag); 
@@ -1944,19 +1888,502 @@ OPENSSL_EXPORT char *X509_TRUST_get0_name(const X509_TRUST *xp); OPENSSL_EXPORT int X509_TRUST_get_trust(const X509_TRUST *xp); -typedef struct rsa_pss_params_st { +struct rsa_pss_params_st { X509_ALGOR *hashAlgorithm; X509_ALGOR *maskGenAlgorithm; ASN1_INTEGER *saltLength; ASN1_INTEGER *trailerField; -} RSA_PSS_PARAMS; + // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the + // cases apply to BoringSSL, so this is always NULL, but Node expects the + // field to be present. + X509_ALGOR *maskHash; +} /* RSA_PSS_PARAMS */; DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS) +/* +SSL_CTX -> X509_STORE + -> X509_LOOKUP + ->X509_LOOKUP_METHOD + -> X509_LOOKUP + ->X509_LOOKUP_METHOD + +SSL -> X509_STORE_CTX + ->X509_STORE + +The X509_STORE holds the tables etc for verification stuff. +A X509_STORE_CTX is used while validating a single certificate. +The X509_STORE has X509_LOOKUPs for looking up certs. +The X509_STORE then calls a function to actually verify the +certificate chain. 
+*/
+
+#define X509_LU_X509 1
+#define X509_LU_CRL 2
+#define X509_LU_PKEY 3
+
+DEFINE_STACK_OF(X509_LOOKUP)
+DEFINE_STACK_OF(X509_OBJECT)
+DEFINE_STACK_OF(X509_VERIFY_PARAM)
+
+typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
+typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
+typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, X509_STORE_CTX *ctx,
+ X509 *x);
+typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *x,
+ X509 *issuer);
+typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
+typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl,
+ X509 *x);
+typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl);
+typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl,
+ X509 *x);
+typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx);
+typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx,
+ X509_NAME *nm);
+typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)(
+ X509_STORE_CTX *ctx, X509_NAME *nm);
+typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx);
+
+OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth);
+
+OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
+
+#define X509_STORE_CTX_set_app_data(ctx, data) \
+ X509_STORE_CTX_set_ex_data(ctx, 0, data)
+#define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0)
+
+#define X509_L_FILE_LOAD 1
+#define X509_L_ADD_DIR 2
+
+#define X509_LOOKUP_load_file(x, name, type) \
+ X509_LOOKUP_ctrl((x), X509_L_FILE_LOAD, (name), (long)(type), NULL)
+
+#define X509_LOOKUP_add_dir(x, name, type) \
+ X509_LOOKUP_ctrl((x), X509_L_ADD_DIR, (name), (long)(type), NULL)
+
+#define X509_V_OK 0
+#define X509_V_ERR_UNSPECIFIED 1
+
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
+#define X509_V_ERR_UNABLE_TO_GET_CRL 3
+#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
+#define 
X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
+#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
+#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7
+#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
+#define X509_V_ERR_CERT_NOT_YET_VALID 9
+#define X509_V_ERR_CERT_HAS_EXPIRED 10
+#define X509_V_ERR_CRL_NOT_YET_VALID 11
+#define X509_V_ERR_CRL_HAS_EXPIRED 12
+#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13
+#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14
+#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
+#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
+#define X509_V_ERR_OUT_OF_MEM 17
+#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18
+#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20
+#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21
+#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22
+#define X509_V_ERR_CERT_REVOKED 23
+#define X509_V_ERR_INVALID_CA 24
+#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25
+#define X509_V_ERR_INVALID_PURPOSE 26
+#define X509_V_ERR_CERT_UNTRUSTED 27
+#define X509_V_ERR_CERT_REJECTED 28
+// These are 'informational' when looking for issuer cert
+#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29
+#define X509_V_ERR_AKID_SKID_MISMATCH 30
+#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
+#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
+
+#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
+#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
+#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
+#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
+#define X509_V_ERR_INVALID_NON_CA 37
+#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
+#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
+#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
+
+#define X509_V_ERR_INVALID_EXTENSION 41
+#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
+#define X509_V_ERR_NO_EXPLICIT_POLICY 43
+#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
+#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
+
+#define X509_V_ERR_UNNESTED_RESOURCE 46
+
+#define X509_V_ERR_PERMITTED_VIOLATION 47
+#define X509_V_ERR_EXCLUDED_VIOLATION 48
+#define X509_V_ERR_SUBTREE_MINMAX 49
+#define X509_V_ERR_APPLICATION_VERIFICATION 50
+#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
+#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
+#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
+#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
+
+// Suite B mode algorithm violation
+#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
+#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
+#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
+#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
+#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
+#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
+
+// Host, email and IP check errors
+#define X509_V_ERR_HOSTNAME_MISMATCH 62
+#define X509_V_ERR_EMAIL_MISMATCH 63
+#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
+
+// Caller error
+#define X509_V_ERR_INVALID_CALL 65
+// Issuer lookup error
+#define X509_V_ERR_STORE_LOOKUP 66
+
+#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67
+
+// Certificate verify flags
+
+// Send issuer+subject checks to verify_cb
+#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
+// Use check time instead of current time
+#define X509_V_FLAG_USE_CHECK_TIME 0x2
+// Lookup CRLs
+#define X509_V_FLAG_CRL_CHECK 0x4
+// Lookup CRLs for whole chain
+#define X509_V_FLAG_CRL_CHECK_ALL 0x8
+// Ignore unhandled critical extensions
+#define X509_V_FLAG_IGNORE_CRITICAL 0x10
+// Does nothing as its functionality has been enabled by default.
+#define X509_V_FLAG_X509_STRICT 0x00
+// Enable proxy certificate validation
+#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
+// Enable policy checking
+#define X509_V_FLAG_POLICY_CHECK 0x80
+// Policy variable require-explicit-policy
+#define X509_V_FLAG_EXPLICIT_POLICY 0x100
+// Policy variable inhibit-any-policy
+#define X509_V_FLAG_INHIBIT_ANY 0x200
+// Policy variable inhibit-policy-mapping
+#define X509_V_FLAG_INHIBIT_MAP 0x400
+// Notify callback that policy is OK
+#define X509_V_FLAG_NOTIFY_POLICY 0x800
+// Extended CRL features such as indirect CRLs, alternate CRL signing keys
+#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
+// Delta CRL support
+#define X509_V_FLAG_USE_DELTAS 0x2000
+// Check selfsigned CA signature
+#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+// Use trusted store first
+#define X509_V_FLAG_TRUSTED_FIRST 0x8000
+// Suite B 128 bit only mode: not normally used
+#define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000
+// Suite B 192 bit only mode
+#define X509_V_FLAG_SUITEB_192_LOS 0x20000
+// Suite B 128 bit mode allowing 192 bit algorithms
+#define X509_V_FLAG_SUITEB_128_LOS 0x30000
+
+// Allow partial chains if at least one certificate is in trusted store
+#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
+
+// If the initial chain is not trusted, do not attempt to build an alternative
+// chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
+// will force the behaviour to match that of previous versions.
+#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+
+#define X509_VP_FLAG_DEFAULT 0x1
+#define X509_VP_FLAG_OVERWRITE 0x2
+#define X509_VP_FLAG_RESET_FLAGS 0x4
+#define X509_VP_FLAG_LOCKED 0x8
+#define X509_VP_FLAG_ONCE 0x10
+
+// Internal use: mask of policy related options
+#define X509_V_FLAG_POLICY_MASK \
+ (X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY | \
+ X509_V_FLAG_INHIBIT_ANY | X509_V_FLAG_INHIBIT_MAP)
+
+OPENSSL_EXPORT int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h,
+ int type, X509_NAME *name);
+OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_by_subject(
+ STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name);
+OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h,
+ X509_OBJECT *x);
+OPENSSL_EXPORT int X509_OBJECT_up_ref_count(X509_OBJECT *a);
+OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *a);
+OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *a);
+OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
+OPENSSL_EXPORT X509_STORE *X509_STORE_new(void);
+OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store);
+OPENSSL_EXPORT void X509_STORE_free(X509_STORE *v);
+
+OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st,
+ X509_NAME *nm);
+OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st,
+ X509_NAME *nm);
+OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags);
+OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose);
+OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust);
+OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx,
+ X509_VERIFY_PARAM *pm);
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx);
+
+OPENSSL_EXPORT void X509_STORE_set_verify(X509_STORE *ctx,
+ X509_STORE_CTX_verify_fn verify);
+#define X509_STORE_set_verify_func(ctx, func) \
+ X509_STORE_set_verify((ctx),
(func))
+OPENSSL_EXPORT void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx,
+ X509_STORE_CTX_verify_fn verify);
+OPENSSL_EXPORT X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_verify_cb(
+ X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb);
+#define X509_STORE_set_verify_cb_func(ctx, func) \
+ X509_STORE_set_verify_cb((ctx), (func))
+OPENSSL_EXPORT X509_STORE_CTX_verify_cb
+X509_STORE_get_verify_cb(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_get_issuer(
+ X509_STORE *ctx, X509_STORE_CTX_get_issuer_fn get_issuer);
+OPENSSL_EXPORT X509_STORE_CTX_get_issuer_fn
+X509_STORE_get_get_issuer(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_check_issued(
+ X509_STORE *ctx, X509_STORE_CTX_check_issued_fn check_issued);
+OPENSSL_EXPORT X509_STORE_CTX_check_issued_fn
+X509_STORE_get_check_issued(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_check_revocation(
+ X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation);
+OPENSSL_EXPORT X509_STORE_CTX_check_revocation_fn
+X509_STORE_get_check_revocation(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_get_crl(X509_STORE *ctx,
+ X509_STORE_CTX_get_crl_fn get_crl);
+OPENSSL_EXPORT X509_STORE_CTX_get_crl_fn
+X509_STORE_get_get_crl(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_check_crl(
+ X509_STORE *ctx, X509_STORE_CTX_check_crl_fn check_crl);
+OPENSSL_EXPORT X509_STORE_CTX_check_crl_fn
+X509_STORE_get_check_crl(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_cert_crl(
+ X509_STORE *ctx, X509_STORE_CTX_cert_crl_fn cert_crl);
+OPENSSL_EXPORT X509_STORE_CTX_cert_crl_fn
+X509_STORE_get_cert_crl(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_lookup_certs(
+ X509_STORE *ctx, X509_STORE_CTX_lookup_certs_fn lookup_certs);
+OPENSSL_EXPORT X509_STORE_CTX_lookup_certs_fn
+X509_STORE_get_lookup_certs(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_lookup_crls(
+ X509_STORE *ctx, X509_STORE_CTX_lookup_crls_fn lookup_crls);
+#define X509_STORE_set_lookup_crls_cb(ctx, func) \
+ X509_STORE_set_lookup_crls((ctx), (func))
+OPENSSL_EXPORT X509_STORE_CTX_lookup_crls_fn
+X509_STORE_get_lookup_crls(X509_STORE *ctx);
+OPENSSL_EXPORT void X509_STORE_set_cleanup(X509_STORE *ctx,
+ X509_STORE_CTX_cleanup_fn cleanup);
+OPENSSL_EXPORT X509_STORE_CTX_cleanup_fn
+X509_STORE_get_cleanup(X509_STORE *ctx);
+
+OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void);
+
+OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer,
+ X509_STORE_CTX *ctx, X509 *x);
+
+OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+ X509 *x509, STACK_OF(X509) *chain);
+OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx,
+ STACK_OF(X509) *sk);
+OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);
+
+OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
+
+OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v,
+ X509_LOOKUP_METHOD *m);
+
+OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
+OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
+
+OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *ctx, X509 *x);
+OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x);
+
+OPENSSL_EXPORT int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type,
+ X509_NAME *name, X509_OBJECT *ret);
+
+OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
+ long argl, char **ret);
+
+#ifndef OPENSSL_NO_STDIO
+OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *ctx, const char *file,
+ int type);
+OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *ctx, const char *file,
+ int type);
+OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file,
+ int type);
+#endif
+OPENSSL_EXPORT X509_LOOKUP
*X509_LOOKUP_new(X509_LOOKUP_METHOD *method);
+OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx);
+OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx);
+OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type,
+ X509_NAME *name, X509_OBJECT *ret);
+OPENSSL_EXPORT int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type,
+ X509_NAME *name,
+ ASN1_INTEGER *serial,
+ X509_OBJECT *ret);
+OPENSSL_EXPORT int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type,
+ unsigned char *bytes, int len,
+ X509_OBJECT *ret);
+OPENSSL_EXPORT int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str,
+ int len, X509_OBJECT *ret);
+OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
+
+#ifndef OPENSSL_NO_STDIO
+OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
+ const char *dir);
+OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx);
+#endif
-#ifdef __cplusplus
-}
+OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp,
+ CRYPTO_EX_unused *unused,
+ CRYPTO_EX_dup *dup_unused,
+ CRYPTO_EX_free *free_func);
+OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx,
+ void *data);
+OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
+OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
+OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(
+ X509_STORE_CTX *ctx);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT STACK_OF(X509)
*X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
+OPENSSL_EXPORT void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x);
+OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *c,
+ STACK_OF(X509) *sk);
+OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(
+ X509_STORE_CTX *ctx);
+OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c,
+ STACK_OF(X509_CRL) *sk);
+OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
+OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust);
+OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx,
+ int def_purpose, int purpose,
+ int trust);
+OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx,
+ unsigned long flags);
+OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx,
+ unsigned long flags, time_t t);
+OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb(
+ X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *));
+
+OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(
+ X509_STORE_CTX *ctx);
+OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx);
+
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(
+ X509_STORE_CTX *ctx);
+OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx,
+ X509_VERIFY_PARAM *param);
+OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx,
+ const char *name);
+
+// X509_VERIFY_PARAM functions
+
+OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void);
+OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to,
+ const X509_VERIFY_PARAM *from);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to,
+ const X509_VERIFY_PARAM *from);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param,
+ const char *name);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param,
+ unsigned long flags);
+OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags(
+ X509_VERIFY_PARAM *param);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param,
+ int purpose);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param,
+ int trust);
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param,
+ int depth);
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param,
+ time_t t);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
+ ASN1_OBJECT *policy);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
+ X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies);
+
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t namelen);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
+ const char *name,
+ size_t namelen);
+OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
+ unsigned int flags);
+OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param,
+ const char *email,
+ size_t emaillen);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param,
+ const unsigned char *ip,
+ size_t iplen);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param,
+ const char *ipasc);
+
+OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param);
+OPENSSL_EXPORT const char *X509_VERIFY_PARAM_get0_name(
+ const X509_VERIFY_PARAM *param);
+
+OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param);
+OPENSSL_EXPORT int X509_VERIFY_PARAM_get_count(void);
+OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id);
+OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(
+ const char *name);
+OPENSSL_EXPORT void
X509_VERIFY_PARAM_table_cleanup(void); + +OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree, + int *pexplicit_policy, + STACK_OF(X509) *certs, + STACK_OF(ASN1_OBJECT) *policy_oids, + unsigned int flags); + +OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree); + +OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree); +OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level( + const X509_POLICY_TREE *tree, int i); + +OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies( + const X509_POLICY_TREE *tree); + +OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies( + const X509_POLICY_TREE *tree); + +OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level); + +OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node( + X509_POLICY_LEVEL *level, int i); + +OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy( + const X509_POLICY_NODE *node); + +OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers( + const X509_POLICY_NODE *node); +OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent( + const X509_POLICY_NODE *node); + + +#if defined(__cplusplus) +} // extern C #endif #if !defined(BORINGSSL_NO_CXX) @@ -1989,10 +2416,6 @@ BORINGSSL_MAKE_UP_REF(X509_STORE, X509_STORE_up_ref) BORINGSSL_MAKE_DELETER(X509_STORE_CTX, X509_STORE_CTX_free) BORINGSSL_MAKE_DELETER(X509_VERIFY_PARAM, X509_VERIFY_PARAM_free) -using ScopedX509_STORE_CTX = - internal::StackAllocated; - BSSL_NAMESPACE_END } // extern C++ @@ -2039,5 +2462,8 @@ BSSL_NAMESPACE_END #define X509_R_DELTA_CRL_WITHOUT_CRL_NUMBER 138 #define X509_R_INVALID_FIELD_FOR_VERSION 139 #define X509_R_INVALID_VERSION 140 +#define X509_R_NO_CERTIFICATE_FOUND 141 +#define X509_R_NO_CERTIFICATE_OR_CRL_FOUND 142 +#define X509_R_NO_CRL_FOUND 143 #endif 
diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509_vfy.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509_vfy.h
index c44d6813..2ed532fc 100644
--- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509_vfy.h
+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509_vfy.h
@@ -1,697 +1,18 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. +/* Copyright (c) 2021, Google Inc. * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#ifndef HEADER_X509_H
-#include "CJWTKitBoringSSL_x509.h"
-// openssl/x509.h ends up #include-ing this file at about the only
-// appropriate moment.
-#endif
-
-#ifndef HEADER_X509_VFY_H
-#define HEADER_X509_VFY_H
-
-#include "CJWTKitBoringSSL_thread.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-// Legacy X.509 library.
-//
-// This header is part of OpenSSL's X.509 implementation.
It is retained for -// compatibility but otherwise underdocumented and not actively maintained. In -// the future, a replacement library will be available. Meanwhile, minimize -// dependencies on this header where possible. - - -/* -SSL_CTX -> X509_STORE - -> X509_LOOKUP - ->X509_LOOKUP_METHOD - -> X509_LOOKUP - ->X509_LOOKUP_METHOD - -SSL -> X509_STORE_CTX - ->X509_STORE - -The X509_STORE holds the tables etc for verification stuff. -A X509_STORE_CTX is used while validating a single certificate. -The X509_STORE has X509_LOOKUPs for looking up certs. -The X509_STORE then calls a function to actually verify the -certificate chain. -*/ - -#define X509_LU_X509 1 -#define X509_LU_CRL 2 -#define X509_LU_PKEY 3 - -typedef struct x509_object_st { - // one of the above types - int type; - union { - char *ptr; - X509 *x509; - X509_CRL *crl; - EVP_PKEY *pkey; - } data; -} X509_OBJECT; - -DEFINE_STACK_OF(X509_LOOKUP) -DEFINE_STACK_OF(X509_OBJECT) - -// This is a static that defines the function interface -typedef struct x509_lookup_method_st { - const char *name; - int (*new_item)(X509_LOOKUP *ctx); - void (*free)(X509_LOOKUP *ctx); - int (*init)(X509_LOOKUP *ctx); - int (*shutdown)(X509_LOOKUP *ctx); - int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, - char **ret); - int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, - X509_OBJECT *ret); - int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, - ASN1_INTEGER *serial, X509_OBJECT *ret); - int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, unsigned char *bytes, - int len, X509_OBJECT *ret); - int (*get_by_alias)(X509_LOOKUP *ctx, int type, char *str, int len, - X509_OBJECT *ret); -} X509_LOOKUP_METHOD; - -DEFINE_STACK_OF(X509_VERIFY_PARAM) - -typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); -typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *); -typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer, X509_STORE_CTX *ctx, - X509 *x); -typedef int 
(*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, X509 *x, - X509 *issuer); -typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx); -typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx, X509_CRL **crl, - X509 *x); -typedef int (*X509_STORE_CTX_check_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl); -typedef int (*X509_STORE_CTX_cert_crl_fn)(X509_STORE_CTX *ctx, X509_CRL *crl, - X509 *x); -typedef int (*X509_STORE_CTX_check_policy_fn)(X509_STORE_CTX *ctx); -typedef STACK_OF(X509) *(*X509_STORE_CTX_lookup_certs_fn)(X509_STORE_CTX *ctx, - X509_NAME *nm); -typedef STACK_OF(X509_CRL) *(*X509_STORE_CTX_lookup_crls_fn)( - X509_STORE_CTX *ctx, X509_NAME *nm); -typedef int (*X509_STORE_CTX_cleanup_fn)(X509_STORE_CTX *ctx); - -// This is used to hold everything. It is used for all certificate -// validation. Once we have a certificate chain, the 'verify' -// function is then called to actually check the cert chain. -struct x509_store_st { - // The following is a cache of trusted certs - int cache; // if true, stash any hits - STACK_OF(X509_OBJECT) *objs; // Cache of all objects - CRYPTO_MUTEX objs_lock; - STACK_OF(X509) *additional_untrusted; - - // These are external lookup methods - STACK_OF(X509_LOOKUP) *get_cert_methods; - - X509_VERIFY_PARAM *param; - - // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate - X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn 
cleanup; - - CRYPTO_refcount_t references; -} /* X509_STORE */; - -OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); - -// This is the functions plus an instance of the local variables. -struct x509_lookup_st { - int init; // have we been started - int skip; // don't use us. - X509_LOOKUP_METHOD *method; // the functions - char *method_data; // method data - - X509_STORE *store_ctx; // who owns us -} /* X509_LOOKUP */; - -// This is a used when verifying cert chains. Since the -// gathering of the cert chain can take some time (and have to be -// 'retried', this needs to be kept and passed around. -struct x509_store_ctx_st // X509_STORE_CTX -{ - X509_STORE *ctx; - - // The following are set by the caller - X509 *cert; // The cert to check - STACK_OF(X509) *untrusted; // chain of X509s - untrusted - passed in - STACK_OF(X509_CRL) *crls; // set of CRLs passed in - - X509_VERIFY_PARAM *param; - void *other_ctx; // Other info for use with get_issuer() - - // Callbacks for various operations - X509_STORE_CTX_verify_fn verify; // called to verify a certificate - X509_STORE_CTX_verify_cb verify_cb; // error callback - X509_STORE_CTX_get_issuer_fn get_issuer; // get issuers cert from ctx - X509_STORE_CTX_check_issued_fn check_issued; // check issued - X509_STORE_CTX_check_revocation_fn - check_revocation; // Check revocation status of chain - X509_STORE_CTX_get_crl_fn get_crl; // retrieve CRL - X509_STORE_CTX_check_crl_fn check_crl; // Check CRL validity - X509_STORE_CTX_cert_crl_fn cert_crl; // Check certificate against CRL - X509_STORE_CTX_check_policy_fn check_policy; - X509_STORE_CTX_lookup_certs_fn lookup_certs; - X509_STORE_CTX_lookup_crls_fn lookup_crls; - X509_STORE_CTX_cleanup_fn cleanup; - - // The following is built up - int valid; // if 0, rebuild chain - int last_untrusted; // index of last untrusted cert - STACK_OF(X509) *chain; // chain of X509s - built up and trusted - X509_POLICY_TREE *tree; // Valid policy tree - - int 
explicit_policy; // Require explicit policy value - - // When something goes wrong, this is why - int error_depth; - int error; - X509 *current_cert; - X509 *current_issuer; // cert currently being tested as valid issuer - X509_CRL *current_crl; // current CRL - - int current_crl_score; // score of current CRL - unsigned int current_reasons; // Reason mask - - X509_STORE_CTX *parent; // For CRL path validation: parent context - - CRYPTO_EX_DATA ex_data; -} /* X509_STORE_CTX */; - -OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); - -#define X509_STORE_CTX_set_app_data(ctx, data) \ - X509_STORE_CTX_set_ex_data(ctx, 0, data) -#define X509_STORE_CTX_get_app_data(ctx) X509_STORE_CTX_get_ex_data(ctx, 0) - -#define X509_L_FILE_LOAD 1 -#define X509_L_ADD_DIR 2 - -#define X509_LOOKUP_load_file(x, name, type) \ - X509_LOOKUP_ctrl((x), X509_L_FILE_LOAD, (name), (long)(type), NULL) - -#define X509_LOOKUP_add_dir(x, name, type) \ - X509_LOOKUP_ctrl((x), X509_L_ADD_DIR, (name), (long)(type), NULL) - -#define X509_V_OK 0 -#define X509_V_ERR_UNSPECIFIED 1 - -#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 -#define X509_V_ERR_UNABLE_TO_GET_CRL 3 -#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 -#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 -#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 -#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 -#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 -#define X509_V_ERR_CERT_NOT_YET_VALID 9 -#define X509_V_ERR_CERT_HAS_EXPIRED 10 -#define X509_V_ERR_CRL_NOT_YET_VALID 11 -#define X509_V_ERR_CRL_HAS_EXPIRED 12 -#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 -#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 -#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 -#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 -#define X509_V_ERR_OUT_OF_MEM 17 -#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 -#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 -#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 
-#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 -#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 -#define X509_V_ERR_CERT_REVOKED 23 -#define X509_V_ERR_INVALID_CA 24 -#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 -#define X509_V_ERR_INVALID_PURPOSE 26 -#define X509_V_ERR_CERT_UNTRUSTED 27 -#define X509_V_ERR_CERT_REJECTED 28 -// These are 'informational' when looking for issuer cert -#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 -#define X509_V_ERR_AKID_SKID_MISMATCH 30 -#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 -#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 - -#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 -#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 -#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 -#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 -#define X509_V_ERR_INVALID_NON_CA 37 -#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 -#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 -#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 - -#define X509_V_ERR_INVALID_EXTENSION 41 -#define X509_V_ERR_INVALID_POLICY_EXTENSION 42 -#define X509_V_ERR_NO_EXPLICIT_POLICY 43 -#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 -#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#define X509_V_ERR_UNNESTED_RESOURCE 46 +/* This header is provided in order to make compiling against code that expects + OpenSSL easier. 
*/
-#define X509_V_ERR_PERMITTED_VIOLATION 47
-#define X509_V_ERR_EXCLUDED_VIOLATION 48
-#define X509_V_ERR_SUBTREE_MINMAX 49
-#define X509_V_ERR_APPLICATION_VERIFICATION 50
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
-#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
-#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
-#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
-
-// Suite B mode algorithm violation
-#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
-#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
-#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
-#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
-#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
-#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
-
-// Host, email and IP check errors
-#define X509_V_ERR_HOSTNAME_MISMATCH 62
-#define X509_V_ERR_EMAIL_MISMATCH 63
-#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
-
-// Caller error
-#define X509_V_ERR_INVALID_CALL 65
-// Issuer lookup error
-#define X509_V_ERR_STORE_LOOKUP 66
-
-#define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67
-
-// Certificate verify flags
-
-// Send issuer+subject checks to verify_cb
-#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
-// Use check time instead of current time
-#define X509_V_FLAG_USE_CHECK_TIME 0x2
-// Lookup CRLs
-#define X509_V_FLAG_CRL_CHECK 0x4
-// Lookup CRLs for whole chain
-#define X509_V_FLAG_CRL_CHECK_ALL 0x8
-// Ignore unhandled critical extensions
-#define X509_V_FLAG_IGNORE_CRITICAL 0x10
-// Does nothing as its functionality has been enabled by default.
-#define X509_V_FLAG_X509_STRICT 0x00
-// Enable proxy certificate validation
-#define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40
-// Enable policy checking
-#define X509_V_FLAG_POLICY_CHECK 0x80
-// Policy variable require-explicit-policy
-#define X509_V_FLAG_EXPLICIT_POLICY 0x100
-// Policy variable inhibit-any-policy
-#define X509_V_FLAG_INHIBIT_ANY 0x200
-// Policy variable inhibit-policy-mapping
-#define X509_V_FLAG_INHIBIT_MAP 0x400
-// Notify callback that policy is OK
-#define X509_V_FLAG_NOTIFY_POLICY 0x800
-// Extended CRL features such as indirect CRLs, alternate CRL signing keys
-#define X509_V_FLAG_EXTENDED_CRL_SUPPORT 0x1000
-// Delta CRL support
-#define X509_V_FLAG_USE_DELTAS 0x2000
-// Check selfsigned CA signature
-#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
-// Use trusted store first
-#define X509_V_FLAG_TRUSTED_FIRST 0x8000
-// Suite B 128 bit only mode: not normally used
-#define X509_V_FLAG_SUITEB_128_LOS_ONLY 0x10000
-// Suite B 192 bit only mode
-#define X509_V_FLAG_SUITEB_192_LOS 0x20000
-// Suite B 128 bit mode allowing 192 bit algorithms
-#define X509_V_FLAG_SUITEB_128_LOS 0x30000
-
-// Allow partial chains if at least one certificate is in trusted store
-#define X509_V_FLAG_PARTIAL_CHAIN 0x80000
-
-// If the initial chain is not trusted, do not attempt to build an alternative
-// chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
-// will force the behaviour to match that of previous versions.
-#define X509_V_FLAG_NO_ALT_CHAINS 0x100000 - -#define X509_VP_FLAG_DEFAULT 0x1 -#define X509_VP_FLAG_OVERWRITE 0x2 -#define X509_VP_FLAG_RESET_FLAGS 0x4 -#define X509_VP_FLAG_LOCKED 0x8 -#define X509_VP_FLAG_ONCE 0x10 - -// Internal use: mask of policy related options -#define X509_V_FLAG_POLICY_MASK \ - (X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY | \ - X509_V_FLAG_INHIBIT_ANY | X509_V_FLAG_INHIBIT_MAP) - -OPENSSL_EXPORT int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, - int type, X509_NAME *name); -OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_by_subject( - STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); -OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, - X509_OBJECT *x); -OPENSSL_EXPORT int X509_OBJECT_up_ref_count(X509_OBJECT *a); -OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *a); -OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *a); -OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a); -OPENSSL_EXPORT X509_STORE *X509_STORE_new(void); -OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store); -OPENSSL_EXPORT void X509_STORE_free(X509_STORE *v); - -OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, - X509_NAME *nm); -OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, - X509_NAME *nm); -OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags); -OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *ctx, int purpose); -OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *ctx, int trust); -OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *ctx, - X509_VERIFY_PARAM *pm); -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *ctx); -// X509_STORE_set0_additional_untrusted sets a stack of additional, untrusted -// certificates that are available for chain building. 
This function does not -// take ownership of the stack. -OPENSSL_EXPORT void X509_STORE_set0_additional_untrusted( - X509_STORE *ctx, STACK_OF(X509) *untrusted); - -OPENSSL_EXPORT void X509_STORE_set_verify(X509_STORE *ctx, - X509_STORE_CTX_verify_fn verify); -#define X509_STORE_set_verify_func(ctx, func) \ - X509_STORE_set_verify((ctx), (func)) -OPENSSL_EXPORT void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, - X509_STORE_CTX_verify_fn verify); -OPENSSL_EXPORT X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_verify_cb( - X509_STORE *ctx, X509_STORE_CTX_verify_cb verify_cb); -#define X509_STORE_set_verify_cb_func(ctx, func) \ - X509_STORE_set_verify_cb((ctx), (func)) -OPENSSL_EXPORT X509_STORE_CTX_verify_cb -X509_STORE_get_verify_cb(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_get_issuer( - X509_STORE *ctx, X509_STORE_CTX_get_issuer_fn get_issuer); -OPENSSL_EXPORT X509_STORE_CTX_get_issuer_fn -X509_STORE_get_get_issuer(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_check_issued( - X509_STORE *ctx, X509_STORE_CTX_check_issued_fn check_issued); -OPENSSL_EXPORT X509_STORE_CTX_check_issued_fn -X509_STORE_get_check_issued(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_check_revocation( - X509_STORE *ctx, X509_STORE_CTX_check_revocation_fn check_revocation); -OPENSSL_EXPORT X509_STORE_CTX_check_revocation_fn -X509_STORE_get_check_revocation(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_get_crl(X509_STORE *ctx, - X509_STORE_CTX_get_crl_fn get_crl); -OPENSSL_EXPORT X509_STORE_CTX_get_crl_fn -X509_STORE_get_get_crl(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_check_crl( - X509_STORE *ctx, X509_STORE_CTX_check_crl_fn check_crl); -OPENSSL_EXPORT X509_STORE_CTX_check_crl_fn -X509_STORE_get_check_crl(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_cert_crl( - X509_STORE *ctx, X509_STORE_CTX_cert_crl_fn cert_crl); -OPENSSL_EXPORT X509_STORE_CTX_cert_crl_fn 
-X509_STORE_get_cert_crl(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_lookup_certs( - X509_STORE *ctx, X509_STORE_CTX_lookup_certs_fn lookup_certs); -OPENSSL_EXPORT X509_STORE_CTX_lookup_certs_fn -X509_STORE_get_lookup_certs(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_lookup_crls( - X509_STORE *ctx, X509_STORE_CTX_lookup_crls_fn lookup_crls); -#define X509_STORE_set_lookup_crls_cb(ctx, func) \ - X509_STORE_set_lookup_crls((ctx), (func)) -OPENSSL_EXPORT X509_STORE_CTX_lookup_crls_fn -X509_STORE_get_lookup_crls(X509_STORE *ctx); -OPENSSL_EXPORT void X509_STORE_set_cleanup(X509_STORE *ctx, - X509_STORE_CTX_cleanup_fn cleanup); -OPENSSL_EXPORT X509_STORE_CTX_cleanup_fn -X509_STORE_get_cleanup(X509_STORE *ctx); - - -OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void); - -OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **issuer, - X509_STORE_CTX *ctx, X509 *x); - -OPENSSL_EXPORT void X509_STORE_CTX_zero(X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx); -OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, - X509 *x509, STACK_OF(X509) *chain); -OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, - STACK_OF(X509) *sk); -OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); - -OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx); - -OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, - X509_LOOKUP_METHOD *m); - -OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); -OPENSSL_EXPORT X509_LOOKUP_METHOD *X509_LOOKUP_file(void); - -OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *ctx, X509 *x); -OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *ctx, X509_CRL *x); - -OPENSSL_EXPORT int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, - X509_NAME *name, X509_OBJECT *ret); - -OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char 
*argc, - long argl, char **ret); - -#ifndef OPENSSL_NO_STDIO -OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *ctx, const char *file, - int type); -OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, - int type); -OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, - int type); -#endif - - -OPENSSL_EXPORT X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method); -OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); -OPENSSL_EXPORT int X509_LOOKUP_init(X509_LOOKUP *ctx); -OPENSSL_EXPORT int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, - X509_NAME *name, X509_OBJECT *ret); -OPENSSL_EXPORT int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, - X509_NAME *name, - ASN1_INTEGER *serial, - X509_OBJECT *ret); -OPENSSL_EXPORT int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, - unsigned char *bytes, int len, - X509_OBJECT *ret); -OPENSSL_EXPORT int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, - int len, X509_OBJECT *ret); -OPENSSL_EXPORT int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); - -#ifndef OPENSSL_NO_STDIO -OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *ctx, const char *file, - const char *dir); -OPENSSL_EXPORT int X509_STORE_set_default_paths(X509_STORE *ctx); -#endif - -OPENSSL_EXPORT int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, - CRYPTO_EX_unused *unused, - CRYPTO_EX_dup *dup_unused, - CRYPTO_EX_free *free_func); -OPENSSL_EXPORT int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, - void *data); -OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); -OPENSSL_EXPORT int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s); -OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx); 
-OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx); -OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain(X509_STORE_CTX *ctx); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set_cert(X509_STORE_CTX *c, X509 *x); -OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *c, - STACK_OF(X509) *sk); -OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *c, - STACK_OF(X509_CRL) *sk); -OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); -OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); -OPENSSL_EXPORT int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, - int def_purpose, int purpose, - int trust); -OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, - unsigned long flags); -OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, - unsigned long flags, time_t t); -OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( - X509_STORE_CTX *ctx, int (*verify_cb)(int, X509_STORE_CTX *)); - -OPENSSL_EXPORT X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx); - -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( - X509_STORE_CTX *ctx); -OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, - X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, - const char *name); - -// X509_VERIFY_PARAM functions - -OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); -OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int 
X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, - const X509_VERIFY_PARAM *from); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, - const char *name); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, - unsigned long flags); -OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, - unsigned long flags); -OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( - X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, - int purpose); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, - int trust); -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, - int depth); -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, - time_t t); -OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, - ASN1_OBJECT *policy); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( - X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies); - -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const char *name, - size_t namelen); -OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, - const char *name, - size_t namelen); -OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, - unsigned int flags); -OPENSSL_EXPORT char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, - const char *email, - size_t emaillen); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, - const unsigned char *ip, - size_t iplen); -OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, - const char *ipasc); - -OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); -OPENSSL_EXPORT const char 
*X509_VERIFY_PARAM_get0_name( - const X509_VERIFY_PARAM *param); - -OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param); -OPENSSL_EXPORT int X509_VERIFY_PARAM_get_count(void); -OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_get0(int id); -OPENSSL_EXPORT const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup( - const char *name); -OPENSSL_EXPORT void X509_VERIFY_PARAM_table_cleanup(void); - -OPENSSL_EXPORT int X509_policy_check(X509_POLICY_TREE **ptree, - int *pexplicit_policy, - STACK_OF(X509) *certs, - STACK_OF(ASN1_OBJECT) *policy_oids, - unsigned int flags); - -OPENSSL_EXPORT void X509_policy_tree_free(X509_POLICY_TREE *tree); - -OPENSSL_EXPORT int X509_policy_tree_level_count(const X509_POLICY_TREE *tree); -OPENSSL_EXPORT X509_POLICY_LEVEL *X509_policy_tree_get0_level( - const X509_POLICY_TREE *tree, int i); - -OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_policies( - const X509_POLICY_TREE *tree); - -OPENSSL_EXPORT STACK_OF(X509_POLICY_NODE) *X509_policy_tree_get0_user_policies( - const X509_POLICY_TREE *tree); - -OPENSSL_EXPORT int X509_policy_level_node_count(X509_POLICY_LEVEL *level); - -OPENSSL_EXPORT X509_POLICY_NODE *X509_policy_level_get0_node( - X509_POLICY_LEVEL *level, int i); - -OPENSSL_EXPORT const ASN1_OBJECT *X509_policy_node_get0_policy( - const X509_POLICY_NODE *node); - -OPENSSL_EXPORT STACK_OF(POLICYQUALINFO) *X509_policy_node_get0_qualifiers( - const X509_POLICY_NODE *node); -OPENSSL_EXPORT const X509_POLICY_NODE *X509_policy_node_get0_parent( - const X509_POLICY_NODE *node); - -#ifdef __cplusplus -} -#endif -#endif +#include "CJWTKitBoringSSL_x509.h" diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h index 905bc864..dbb9b4bd 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_x509v3.h 
@@ -60,7 +60,7 @@ #include "CJWTKitBoringSSL_lhash.h" #include "CJWTKitBoringSSL_x509.h" -#ifdef __cplusplus +#if defined(__cplusplus) extern "C" { #endif @@ -483,12 +483,30 @@ OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING( X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *extlist); +// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it +// appends the value to |ret| and returns |ret| on success or NULL on error. If +// it returns NULL, the caller is still responsible for freeing |ret|. If |ret| +// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the +// result. |method| is ignored. +// +// Do not use this function. This is an internal implementation detail of the +// human-readable print functions. If extracting a SAN list from a certificate, +// look at |gen| directly. OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret); OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen); DECLARE_ASN1_FUNCTIONS(GENERAL_NAMES) +// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is +// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL +// on error. If it returns NULL, the caller is still responsible for freeing +// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| +// containing the results. |method| is ignored. +// +// Do not use this function. This is an internal implementation detail of the +// human-readable print functions. If extracting a SAN list from a certificate, +// look at |gen| directly. OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( X509V3_EXT_METHOD *method, GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist); 
@@ -602,15 +620,35 @@ OPENSSL_EXPORT void X509V3_section_free(X509V3_CTX *ctx, OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, X509_REQ *req, X509_CRL *crl, int flags); +// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to +// |*extlist|. It returns one on success and zero on error. If |*extlist| is +// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)| +// containing the result. Either |name| or |value| may be NULL to omit the +// field. +// +// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the +// function returns. OPENSSL_EXPORT int X509V3_add_value(const char *name, const char *value, STACK_OF(CONF_VALUE) **extlist); + +// X509V3_add_value_uchar behaves like |X509V3_add_value| but takes an +// |unsigned char| pointer. OPENSSL_EXPORT int X509V3_add_value_uchar(const char *name, const unsigned char *value, STACK_OF(CONF_VALUE) **extlist); + +// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value +// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise. OPENSSL_EXPORT int X509V3_add_value_bool(const char *name, int asn1_bool, STACK_OF(CONF_VALUE) **extlist); -OPENSSL_EXPORT int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, + +// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string +// representation of |aint|. Note this string representation may be decimal or +// hexadecimal, depending on the size of |aint|. +OPENSSL_EXPORT int X509V3_add_value_int(const char *name, + const ASN1_INTEGER *aint, STACK_OF(CONF_VALUE) **extlist); + OPENSSL_EXPORT char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint); OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, 
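Review bot: The comment added above `X509V3_add_value_int` documents the wrong function: it opens with `// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string` although the prototype beneath it is the integer variant. Change that first line to `// X509V3_add_value_int behaves like |X509V3_add_value| but stores a string` so the header does not describe `X509V3_add_value_bool` twice with contradictory contracts. The rest of the comment (decimal-or-hexadecimal depending on the size of |aint|) is the part callers actually need, so it is worth keeping attached to the right name.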
@@ -657,7 +695,7 @@ OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); // extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions // are not treated as an error. Callers, however, should not rely on this // behavior as it may be removed in the future. Duplicate extensions are -// forbidden in RFC5280. +// forbidden in RFC 5280. // // WARNING: This function is difficult to use correctly. Callers should pass a // non-NULL |out_critical| and check both the return value and |*out_critical| @@ -787,7 +825,7 @@ OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x); OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x); // X509_get0_subject_key_id returns |x509|'s subject key identifier, if present. -// (See RFC5280, section 4.2.1.2.) It returns NULL if the extension is not +// (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not // present or if some extension in |x509| was invalid. // // Note that decoding an |X509| object will not check for invalid extensions. To @@ -796,7 +834,7 @@ OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x); OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509); // X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key -// identifier, if the extension and field are present. (See RFC5280, +// identifier, if the extension and field are present. (See RFC 5280, // section 4.2.1.1.) It returns NULL if the extension is not present, if it is // present but lacks a keyIdentifier field, or if some extension in |x509| was // invalid. 
@@ -808,7 +846,7 @@ OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509); // X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s // authority key identifier, if the extension and field are present. (See -// RFC5280, section 4.2.1.1.) It returns NULL if the extension is not present, +// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, // if it is present but lacks a authorityCertIssuer field, or if some extension // in |x509| was invalid. // @@ -819,7 +857,7 @@ OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509); // X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s // authority key identifier, if the extension and field are present. (See -// RFC5280, section 4.2.1.1.) It returns NULL if the extension is not present, +// RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, // if it is present but lacks a authorityCertSerialNumber field, or if some // extension in |x509| was invalid. // 
@@ -852,19 +890,16 @@ OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); #define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT 0 // Disable wildcard matching for dnsName fields and common name. #define X509_CHECK_FLAG_NO_WILDCARDS 0x2 -// Wildcards must not match a partial label. -#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4 -// Allow (non-partial) wildcards to match multiple labels. -#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 -// Constraint verifier subdomain patterns to match a single labels. -#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 +// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS does nothing, but is necessary in +// OpenSSL to enable standard wildcard matching. In BoringSSL, this behavior is +// always enabled. +#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 +// Deprecated: this flag does nothing +#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0 +// Deprecated: this flag does nothing +#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0 // Skip the subject common name fallback if subjectAltNames is missing. #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 -// -// Match reference identifiers starting with "." to any sub-domain. -// This is a non-public flag, turned on implicitly when the subject -// reference identity is a DNS name. -#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000 OPENSSL_EXPORT int X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, char **peername); @@ -890,8 +925,8 @@ DEFINE_STACK_OF(X509_POLICY_NODE) // made after this point may be overwritten when the script is next run. -#ifdef __cplusplus -} +#if defined(__cplusplus) +} // extern C extern "C++" { 
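Review bot: Redefining `X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS`, `X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS` and `X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS` to 0 turns them into silent no-ops, so a caller that set either of the latter two to tighten host matching still compiles but no longer gets what it asked for, and any `flags & X509_CHECK_FLAG_…` test on them becomes constant-false. The two `// Deprecated: this flag does nothing` comments should state which behavior is now fixed, the way the NO_PARTIAL_WILDCARDS comment does, for example `// Deprecated: this flag does nothing; wildcards never match multiple labels` — assuming that is the fixed behavior, which the hunk itself does not show. Since this header is vendored into a library consumed by downstream Swift packages, the behavior change for these flag values is worth calling out to consumers rather than leaving it implicit in a BoringSSL bump.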
@@ -900,8 +935,11 @@ BSSL_NAMESPACE_BEGIN BORINGSSL_MAKE_DELETER(ACCESS_DESCRIPTION, ACCESS_DESCRIPTION_free) BORINGSSL_MAKE_DELETER(AUTHORITY_KEYID, AUTHORITY_KEYID_free) BORINGSSL_MAKE_DELETER(BASIC_CONSTRAINTS, BASIC_CONSTRAINTS_free) +// TODO(davidben): Move this to conf.h and rename to CONF_VALUE_free. +BORINGSSL_MAKE_DELETER(CONF_VALUE, X509V3_conf_free) BORINGSSL_MAKE_DELETER(DIST_POINT, DIST_POINT_free) BORINGSSL_MAKE_DELETER(GENERAL_NAME, GENERAL_NAME_free) +BORINGSSL_MAKE_DELETER(GENERAL_SUBTREE, GENERAL_SUBTREE_free) BORINGSSL_MAKE_DELETER(NAME_CONSTRAINTS, NAME_CONSTRAINTS_free) BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free) BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free) @@ -974,5 +1012,7 @@ BSSL_NAMESPACE_END #define X509V3_R_UNSUPPORTED_OPTION 160 #define X509V3_R_UNSUPPORTED_TYPE 161 #define X509V3_R_USER_TOO_LONG 162 +#define X509V3_R_INVALID_VALUE 163 +#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164 #endif diff --git a/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc b/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc index 359bf772..5af5b0e7 100644 --- a/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc +++ b/Sources/CJWTKitBoringSSL/include/boringssl_prefix_symbols_nasm.inc 
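Review bot: The new reason codes `#define X509V3_R_INVALID_VALUE 163` and `#define X509V3_R_TRAILING_DATA_IN_EXTENSION 164` have no visible companion change to an error-string table in this diff; if this tree carries a generated `err_data.c` as upstream BoringSSL does, it should be regenerated in the same change, otherwise `ERR_reason_error_string` has no text for these errors and callers see only the numeric code. I cannot tell from the hunk whether the vendoring script already does this, so a one-line confirmation in the PR would settle it.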
@@ -46,9 +46,11 @@ %xdefine _ASN1_BOOLEAN_it _ %+ BORINGSSL_PREFIX %+ _ASN1_BOOLEAN_it %xdefine _ASN1_ENUMERATED_free _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_free %xdefine _ASN1_ENUMERATED_get _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get +%xdefine _ASN1_ENUMERATED_get_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get_uint64 %xdefine _ASN1_ENUMERATED_it _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_it %xdefine _ASN1_ENUMERATED_new _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_new %xdefine _ASN1_ENUMERATED_set _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set +%xdefine _ASN1_ENUMERATED_set_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set_uint64 %xdefine _ASN1_ENUMERATED_to_BN _ %+ BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_to_BN %xdefine _ASN1_FBOOLEAN_it _ %+ BORINGSSL_PREFIX %+ _ASN1_FBOOLEAN_it %xdefine _ASN1_GENERALIZEDTIME_adj _ %+ BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_adj @@ -69,6 +71,7 @@ %xdefine _ASN1_INTEGER_dup _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_dup %xdefine _ASN1_INTEGER_free _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_free %xdefine _ASN1_INTEGER_get _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_get +%xdefine _ASN1_INTEGER_get_uint64 _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_get_uint64 %xdefine _ASN1_INTEGER_it _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_it %xdefine _ASN1_INTEGER_new _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_new %xdefine _ASN1_INTEGER_set _ %+ BORINGSSL_PREFIX %+ _ASN1_INTEGER_set @@ -99,7 +102,6 @@ %xdefine _ASN1_SET_ANY_it _ %+ BORINGSSL_PREFIX %+ _ASN1_SET_ANY_it %xdefine _ASN1_STRING_TABLE_add _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_add %xdefine _ASN1_STRING_TABLE_cleanup _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_cleanup -%xdefine _ASN1_STRING_TABLE_get _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_get %xdefine _ASN1_STRING_cmp _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_cmp %xdefine _ASN1_STRING_copy _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_copy %xdefine _ASN1_STRING_data _ %+ BORINGSSL_PREFIX %+ _ASN1_STRING_data 
@@ -159,7 +161,6 @@ %xdefine _ASN1_VISIBLESTRING_it _ %+ BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_it %xdefine _ASN1_VISIBLESTRING_new _ %+ BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_new %xdefine _ASN1_digest _ %+ BORINGSSL_PREFIX %+ _ASN1_digest -%xdefine _ASN1_generate_nconf _ %+ BORINGSSL_PREFIX %+ _ASN1_generate_nconf %xdefine _ASN1_generate_v3 _ %+ BORINGSSL_PREFIX %+ _ASN1_generate_v3 %xdefine _ASN1_get_object _ %+ BORINGSSL_PREFIX %+ _ASN1_get_object %xdefine _ASN1_item_d2i _ %+ BORINGSSL_PREFIX %+ _ASN1_item_d2i @@ -266,6 +267,7 @@ %xdefine _BIO_s_file _ %+ BORINGSSL_PREFIX %+ _BIO_s_file %xdefine _BIO_s_mem _ %+ BORINGSSL_PREFIX %+ _BIO_s_mem %xdefine _BIO_s_socket _ %+ BORINGSSL_PREFIX %+ _BIO_s_socket +%xdefine _BIO_seek _ %+ BORINGSSL_PREFIX %+ _BIO_seek %xdefine _BIO_set_close _ %+ BORINGSSL_PREFIX %+ _BIO_set_close %xdefine _BIO_set_conn_hostname _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_hostname %xdefine _BIO_set_conn_int_port _ %+ BORINGSSL_PREFIX %+ _BIO_set_conn_int_port @@ -290,6 +292,7 @@ %xdefine _BIO_should_write _ %+ BORINGSSL_PREFIX %+ _BIO_should_write %xdefine _BIO_shutdown_wr _ %+ BORINGSSL_PREFIX %+ _BIO_shutdown_wr %xdefine _BIO_snprintf _ %+ BORINGSSL_PREFIX %+ _BIO_snprintf +%xdefine _BIO_tell _ %+ BORINGSSL_PREFIX %+ _BIO_tell %xdefine _BIO_test_flags _ %+ BORINGSSL_PREFIX %+ _BIO_test_flags %xdefine _BIO_up_ref _ %+ BORINGSSL_PREFIX %+ _BIO_up_ref %xdefine _BIO_vfree _ %+ BORINGSSL_PREFIX %+ _BIO_vfree @@ -313,6 +316,8 @@ %xdefine _BN_CTX_new _ %+ BORINGSSL_PREFIX %+ _BN_CTX_new %xdefine _BN_CTX_start _ %+ BORINGSSL_PREFIX %+ _BN_CTX_start %xdefine _BN_GENCB_call _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_call +%xdefine _BN_GENCB_free _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_free +%xdefine _BN_GENCB_new _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_new %xdefine _BN_GENCB_set _ %+ BORINGSSL_PREFIX %+ _BN_GENCB_set %xdefine _BN_MONT_CTX_copy _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_copy %xdefine _BN_MONT_CTX_free _ %+ BORINGSSL_PREFIX %+ _BN_MONT_CTX_free 
@@ -462,6 +467,7 @@ %xdefine _CBB_add_u64le _ %+ BORINGSSL_PREFIX %+ _CBB_add_u64le %xdefine _CBB_add_u8 _ %+ BORINGSSL_PREFIX %+ _CBB_add_u8 %xdefine _CBB_add_u8_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBB_add_u8_length_prefixed +%xdefine _CBB_add_zeros _ %+ BORINGSSL_PREFIX %+ _CBB_add_zeros %xdefine _CBB_cleanup _ %+ BORINGSSL_PREFIX %+ _CBB_cleanup %xdefine _CBB_data _ %+ BORINGSSL_PREFIX %+ _CBB_data %xdefine _CBB_did_write _ %+ BORINGSSL_PREFIX %+ _CBB_did_write @@ -507,6 +513,7 @@ %xdefine _CBS_get_u64le _ %+ BORINGSSL_PREFIX %+ _CBS_get_u64le %xdefine _CBS_get_u8 _ %+ BORINGSSL_PREFIX %+ _CBS_get_u8 %xdefine _CBS_get_u8_length_prefixed _ %+ BORINGSSL_PREFIX %+ _CBS_get_u8_length_prefixed +%xdefine _CBS_get_until_first _ %+ BORINGSSL_PREFIX %+ _CBS_get_until_first %xdefine _CBS_init _ %+ BORINGSSL_PREFIX %+ _CBS_init %xdefine _CBS_is_unsigned_asn1_integer _ %+ BORINGSSL_PREFIX %+ _CBS_is_unsigned_asn1_integer %xdefine _CBS_is_valid_asn1_bitstring _ %+ BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_bitstring @@ -543,6 +550,7 @@ %xdefine _CRYPTO_BUFFER_len _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_len %xdefine _CRYPTO_BUFFER_new _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new %xdefine _CRYPTO_BUFFER_new_from_CBS _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_CBS +%xdefine _CRYPTO_BUFFER_new_from_static_data_unsafe _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_static_data_unsafe %xdefine _CRYPTO_BUFFER_up_ref _ %+ BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_up_ref %xdefine _CRYPTO_MUTEX_cleanup _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_cleanup %xdefine _CRYPTO_MUTEX_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_init 
@@ -571,6 +579,7 @@ %xdefine _CRYPTO_ctr128_encrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt %xdefine _CRYPTO_ctr128_encrypt_ctr32 _ %+ BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32 %xdefine _CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing _ %+ BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing +%xdefine _CRYPTO_free _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free %xdefine _CRYPTO_free_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data %xdefine _CRYPTO_gcm128_aad _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_aad %xdefine _CRYPTO_gcm128_decrypt _ %+ BORINGSSL_PREFIX %+ _CRYPTO_gcm128_decrypt @@ -599,6 +608,7 @@ %xdefine _CRYPTO_is_NEON_capable_at_runtime _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_NEON_capable_at_runtime %xdefine _CRYPTO_is_confidential_build _ %+ BORINGSSL_PREFIX %+ _CRYPTO_is_confidential_build %xdefine _CRYPTO_library_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_library_init +%xdefine _CRYPTO_malloc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_malloc %xdefine _CRYPTO_malloc_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_malloc_init %xdefine _CRYPTO_memcmp _ %+ BORINGSSL_PREFIX %+ _CRYPTO_memcmp %xdefine _CRYPTO_new_ex_data _ %+ BORINGSSL_PREFIX %+ _CRYPTO_new_ex_data @@ -611,6 +621,7 @@ %xdefine _CRYPTO_pre_sandbox_init _ %+ BORINGSSL_PREFIX %+ _CRYPTO_pre_sandbox_init %xdefine _CRYPTO_rdrand _ %+ BORINGSSL_PREFIX %+ _CRYPTO_rdrand %xdefine _CRYPTO_rdrand_multiple8_buf _ %+ BORINGSSL_PREFIX %+ _CRYPTO_rdrand_multiple8_buf +%xdefine _CRYPTO_realloc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_realloc %xdefine _CRYPTO_refcount_dec_and_test_zero _ %+ BORINGSSL_PREFIX %+ _CRYPTO_refcount_dec_and_test_zero %xdefine _CRYPTO_refcount_inc _ %+ BORINGSSL_PREFIX %+ _CRYPTO_refcount_inc %xdefine _CRYPTO_set_add_lock_callback _ %+ BORINGSSL_PREFIX %+ _CRYPTO_set_add_lock_callback 
@@ -680,9 +691,11 @@ %xdefine _DIST_POINT_new _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_new %xdefine _DIST_POINT_set_dpname _ %+ BORINGSSL_PREFIX %+ _DIST_POINT_set_dpname %xdefine _DSA_SIG_free _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_free +%xdefine _DSA_SIG_get0 _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_get0 %xdefine _DSA_SIG_marshal _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_marshal %xdefine _DSA_SIG_new _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_new %xdefine _DSA_SIG_parse _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_parse +%xdefine _DSA_SIG_set0 _ %+ BORINGSSL_PREFIX %+ _DSA_SIG_set0 %xdefine _DSA_check_signature _ %+ BORINGSSL_PREFIX %+ _DSA_check_signature %xdefine _DSA_do_check_signature _ %+ BORINGSSL_PREFIX %+ _DSA_do_check_signature %xdefine _DSA_do_sign _ %+ BORINGSSL_PREFIX %+ _DSA_do_sign @@ -863,6 +876,7 @@ %xdefine _ERR_remove_thread_state _ %+ BORINGSSL_PREFIX %+ _ERR_remove_thread_state %xdefine _ERR_restore_state _ %+ BORINGSSL_PREFIX %+ _ERR_restore_state %xdefine _ERR_save_state _ %+ BORINGSSL_PREFIX %+ _ERR_save_state +%xdefine _ERR_set_error_data _ %+ BORINGSSL_PREFIX %+ _ERR_set_error_data %xdefine _ERR_set_mark _ %+ BORINGSSL_PREFIX %+ _ERR_set_mark %xdefine _EVP_AEAD_CTX_aead _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_aead %xdefine _EVP_AEAD_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_cleanup @@ -909,6 +923,7 @@ %xdefine _EVP_CIPHER_mode _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_mode %xdefine _EVP_CIPHER_nid _ %+ BORINGSSL_PREFIX %+ _EVP_CIPHER_nid %xdefine _EVP_Cipher _ %+ BORINGSSL_PREFIX %+ _EVP_Cipher +%xdefine _EVP_CipherFinal _ %+ BORINGSSL_PREFIX %+ _EVP_CipherFinal %xdefine _EVP_CipherFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_CipherFinal_ex %xdefine _EVP_CipherInit _ %+ BORINGSSL_PREFIX %+ _EVP_CipherInit %xdefine _EVP_CipherInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_CipherInit_ex 
@@ -919,6 +934,7 @@ %xdefine _EVP_DecodeInit _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeInit %xdefine _EVP_DecodeUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DecodeUpdate %xdefine _EVP_DecodedLength _ %+ BORINGSSL_PREFIX %+ _EVP_DecodedLength +%xdefine _EVP_DecryptFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptFinal %xdefine _EVP_DecryptFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptFinal_ex %xdefine _EVP_DecryptInit _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptInit %xdefine _EVP_DecryptInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_DecryptInit_ex @@ -938,11 +954,14 @@ %xdefine _EVP_DigestVerifyFinal _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerifyFinal %xdefine _EVP_DigestVerifyInit _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerifyInit %xdefine _EVP_DigestVerifyUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_DigestVerifyUpdate +%xdefine _EVP_ENCODE_CTX_free _ %+ BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_free +%xdefine _EVP_ENCODE_CTX_new _ %+ BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_new %xdefine _EVP_EncodeBlock _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeBlock %xdefine _EVP_EncodeFinal _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeFinal %xdefine _EVP_EncodeInit _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeInit %xdefine _EVP_EncodeUpdate _ %+ BORINGSSL_PREFIX %+ _EVP_EncodeUpdate %xdefine _EVP_EncodedLength _ %+ BORINGSSL_PREFIX %+ _EVP_EncodedLength +%xdefine _EVP_EncryptFinal _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptFinal %xdefine _EVP_EncryptFinal_ex _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptFinal_ex %xdefine _EVP_EncryptInit _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptInit %xdefine _EVP_EncryptInit_ex _ %+ BORINGSSL_PREFIX %+ _EVP_EncryptInit_ex 
@@ -975,6 +994,7 @@ %xdefine _EVP_HPKE_KEY_public_key _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_public_key %xdefine _EVP_HPKE_KEY_zero _ %+ BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_zero %xdefine _EVP_MD_CTX_block_size _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_block_size +%xdefine _EVP_MD_CTX_cleanse _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanse %xdefine _EVP_MD_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanup %xdefine _EVP_MD_CTX_copy _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy %xdefine _EVP_MD_CTX_copy_ex _ %+ BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy_ex @@ -1177,7 +1197,10 @@ %xdefine _EXTENDED_KEY_USAGE_new _ %+ BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_new %xdefine _FIPS_mode _ %+ BORINGSSL_PREFIX %+ _FIPS_mode %xdefine _FIPS_mode_set _ %+ BORINGSSL_PREFIX %+ _FIPS_mode_set +%xdefine _FIPS_module_name _ %+ BORINGSSL_PREFIX %+ _FIPS_module_name +%xdefine _FIPS_query_algorithm_status _ %+ BORINGSSL_PREFIX %+ _FIPS_query_algorithm_status %xdefine _FIPS_read_counter _ %+ BORINGSSL_PREFIX %+ _FIPS_read_counter +%xdefine _FIPS_version _ %+ BORINGSSL_PREFIX %+ _FIPS_version %xdefine _GENERAL_NAMES_free _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAMES_free %xdefine _GENERAL_NAMES_it _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAMES_it %xdefine _GENERAL_NAMES_new _ %+ BORINGSSL_PREFIX %+ _GENERAL_NAMES_new @@ -1198,6 +1221,7 @@ %xdefine _HKDF_expand _ %+ BORINGSSL_PREFIX %+ _HKDF_expand %xdefine _HKDF_extract _ %+ BORINGSSL_PREFIX %+ _HKDF_extract %xdefine _HMAC _ %+ BORINGSSL_PREFIX %+ _HMAC +%xdefine _HMAC_CTX_cleanse _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_cleanse %xdefine _HMAC_CTX_cleanup _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_cleanup %xdefine _HMAC_CTX_copy _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_copy %xdefine _HMAC_CTX_copy_ex _ %+ BORINGSSL_PREFIX %+ _HMAC_CTX_copy_ex 
@@ -1431,6 +1455,7 @@ %xdefine _PKCS5_pbe2_encrypt_init _ %+ BORINGSSL_PREFIX %+ _PKCS5_pbe2_encrypt_init %xdefine _PKCS7_bundle_CRLs _ %+ BORINGSSL_PREFIX %+ _PKCS7_bundle_CRLs %xdefine _PKCS7_bundle_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_bundle_certificates +%xdefine _PKCS7_bundle_raw_certificates _ %+ BORINGSSL_PREFIX %+ _PKCS7_bundle_raw_certificates %xdefine _PKCS7_free _ %+ BORINGSSL_PREFIX %+ _PKCS7_free %xdefine _PKCS7_get_CRLs _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_CRLs %xdefine _PKCS7_get_PEM_CRLs _ %+ BORINGSSL_PREFIX %+ _PKCS7_get_PEM_CRLs @@ -1518,6 +1543,7 @@ %xdefine _RSA_get0_key _ %+ BORINGSSL_PREFIX %+ _RSA_get0_key %xdefine _RSA_get0_n _ %+ BORINGSSL_PREFIX %+ _RSA_get0_n %xdefine _RSA_get0_p _ %+ BORINGSSL_PREFIX %+ _RSA_get0_p +%xdefine _RSA_get0_pss_params _ %+ BORINGSSL_PREFIX %+ _RSA_get0_pss_params %xdefine _RSA_get0_q _ %+ BORINGSSL_PREFIX %+ _RSA_get0_q %xdefine _RSA_get_ex_data _ %+ BORINGSSL_PREFIX %+ _RSA_get_ex_data %xdefine _RSA_get_ex_new_index _ %+ BORINGSSL_PREFIX %+ _RSA_get_ex_new_index @@ -1554,6 +1580,7 @@ %xdefine _RSA_sign_pss_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_sign_pss_mgf1 %xdefine _RSA_sign_raw _ %+ BORINGSSL_PREFIX %+ _RSA_sign_raw %xdefine _RSA_size _ %+ BORINGSSL_PREFIX %+ _RSA_size +%xdefine _RSA_test_flags _ %+ BORINGSSL_PREFIX %+ _RSA_test_flags %xdefine _RSA_up_ref _ %+ BORINGSSL_PREFIX %+ _RSA_up_ref %xdefine _RSA_verify _ %+ BORINGSSL_PREFIX %+ _RSA_verify %xdefine _RSA_verify_PKCS1_PSS_mgf1 _ %+ BORINGSSL_PREFIX %+ _RSA_verify_PKCS1_PSS_mgf1 
@@ -1960,7 +1987,6 @@ %xdefine _X509_STORE_get_verify_cb _ %+ BORINGSSL_PREFIX %+ _X509_STORE_get_verify_cb %xdefine _X509_STORE_load_locations _ %+ BORINGSSL_PREFIX %+ _X509_STORE_load_locations %xdefine _X509_STORE_new _ %+ BORINGSSL_PREFIX %+ _X509_STORE_new -%xdefine _X509_STORE_set0_additional_untrusted _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set0_additional_untrusted %xdefine _X509_STORE_set1_param _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set1_param %xdefine _X509_STORE_set_cert_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_cert_crl %xdefine _X509_STORE_set_check_crl _ %+ BORINGSSL_PREFIX %+ _X509_STORE_set_check_crl @@ -1988,7 +2014,6 @@ %xdefine _X509_TRUST_get_flags _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_flags %xdefine _X509_TRUST_get_trust _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_get_trust %xdefine _X509_TRUST_set _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_set -%xdefine _X509_TRUST_set_default _ %+ BORINGSSL_PREFIX %+ _X509_TRUST_set_default %xdefine _X509_VAL_free _ %+ BORINGSSL_PREFIX %+ _X509_VAL_free %xdefine _X509_VAL_it _ %+ BORINGSSL_PREFIX %+ _X509_VAL_it %xdefine _X509_VAL_new _ %+ BORINGSSL_PREFIX %+ _X509_VAL_new @@ -2203,6 +2228,7 @@ %xdefine _aesgcmsiv_polyval_horner _ %+ BORINGSSL_PREFIX %+ _aesgcmsiv_polyval_horner %xdefine _aesni_gcm_decrypt _ %+ BORINGSSL_PREFIX %+ _aesni_gcm_decrypt %xdefine _aesni_gcm_encrypt _ %+ BORINGSSL_PREFIX %+ _aesni_gcm_encrypt +%xdefine _asn1_bit_string_length _ %+ BORINGSSL_PREFIX %+ _asn1_bit_string_length %xdefine _asn1_do_adb _ %+ BORINGSSL_PREFIX %+ _asn1_do_adb %xdefine _asn1_enc_free _ %+ BORINGSSL_PREFIX %+ _asn1_enc_free %xdefine _asn1_enc_init _ %+ BORINGSSL_PREFIX %+ _asn1_enc_init 
@@ -2211,6 +2237,8 @@ %xdefine _asn1_generalizedtime_to_tm _ %+ BORINGSSL_PREFIX %+ _asn1_generalizedtime_to_tm %xdefine _asn1_get_choice_selector _ %+ BORINGSSL_PREFIX %+ _asn1_get_choice_selector %xdefine _asn1_get_field_ptr _ %+ BORINGSSL_PREFIX %+ _asn1_get_field_ptr +%xdefine _asn1_get_string_table_for_testing _ %+ BORINGSSL_PREFIX %+ _asn1_get_string_table_for_testing +%xdefine _asn1_is_printable _ %+ BORINGSSL_PREFIX %+ _asn1_is_printable %xdefine _asn1_item_combine_free _ %+ BORINGSSL_PREFIX %+ _asn1_item_combine_free %xdefine _asn1_refcount_dec_and_test_zero _ %+ BORINGSSL_PREFIX %+ _asn1_refcount_dec_and_test_zero %xdefine _asn1_refcount_set_one _ %+ BORINGSSL_PREFIX %+ _asn1_refcount_set_one @@ -2225,6 +2253,7 @@ %xdefine _bio_socket_nbio _ %+ BORINGSSL_PREFIX %+ _bio_socket_nbio %xdefine _bn_abs_sub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_abs_sub_consttime %xdefine _bn_add_words _ %+ BORINGSSL_PREFIX %+ _bn_add_words +%xdefine _bn_big_endian_to_words _ %+ BORINGSSL_PREFIX %+ _bn_big_endian_to_words %xdefine _bn_copy_words _ %+ BORINGSSL_PREFIX %+ _bn_copy_words %xdefine _bn_div_consttime _ %+ BORINGSSL_PREFIX %+ _bn_div_consttime %xdefine _bn_expand _ %+ BORINGSSL_PREFIX %+ _bn_expand 
@@ -2293,7 +2322,10 @@ %xdefine _bn_uadd_consttime _ %+ BORINGSSL_PREFIX %+ _bn_uadd_consttime %xdefine _bn_usub_consttime _ %+ BORINGSSL_PREFIX %+ _bn_usub_consttime %xdefine _bn_wexpand _ %+ BORINGSSL_PREFIX %+ _bn_wexpand -%xdefine _boringssl_fips_self_test _ %+ BORINGSSL_PREFIX %+ _boringssl_fips_self_test +%xdefine _bn_words_to_big_endian _ %+ BORINGSSL_PREFIX %+ _bn_words_to_big_endian +%xdefine _boringssl_self_test_hmac_sha256 _ %+ BORINGSSL_PREFIX %+ _boringssl_self_test_hmac_sha256 +%xdefine _boringssl_self_test_sha256 _ %+ BORINGSSL_PREFIX %+ _boringssl_self_test_sha256 +%xdefine _boringssl_self_test_sha512 _ %+ BORINGSSL_PREFIX %+ _boringssl_self_test_sha512 %xdefine _c2i_ASN1_BIT_STRING _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_BIT_STRING %xdefine _c2i_ASN1_INTEGER _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER %xdefine _c2i_ASN1_OBJECT _ %+ BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT @@ -2429,6 +2461,7 @@ %xdefine _d2i_X509_VAL _ %+ BORINGSSL_PREFIX %+ _d2i_X509_VAL %xdefine _d2i_X509_bio _ %+ BORINGSSL_PREFIX %+ _d2i_X509_bio %xdefine _d2i_X509_fp _ %+ BORINGSSL_PREFIX %+ _d2i_X509_fp +%xdefine _dh_compute_key_padded_no_self_test _ %+ BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test %xdefine _dsa_asn1_meth _ %+ BORINGSSL_PREFIX %+ _dsa_asn1_meth %xdefine _dsa_check_parameters _ %+ BORINGSSL_PREFIX %+ _dsa_check_parameters %xdefine _ec_GFp_mont_add _ %+ BORINGSSL_PREFIX %+ _ec_GFp_mont_add 
@@ -2488,6 +2521,7 @@ %xdefine _ec_jacobian_to_affine_batch _ %+ BORINGSSL_PREFIX %+ _ec_jacobian_to_affine_batch %xdefine _ec_pkey_meth _ %+ BORINGSSL_PREFIX %+ _ec_pkey_meth %xdefine _ec_point_from_uncompressed _ %+ BORINGSSL_PREFIX %+ _ec_point_from_uncompressed +%xdefine _ec_point_mul_no_self_test _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_no_self_test %xdefine _ec_point_mul_scalar _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar %xdefine _ec_point_mul_scalar_base _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_base %xdefine _ec_point_mul_scalar_batch _ %+ BORINGSSL_PREFIX %+ _ec_point_mul_scalar_batch @@ -2516,8 +2550,13 @@ %xdefine _ec_set_to_safe_point _ %+ BORINGSSL_PREFIX %+ _ec_set_to_safe_point %xdefine _ec_simple_scalar_inv0_montgomery _ %+ BORINGSSL_PREFIX %+ _ec_simple_scalar_inv0_montgomery %xdefine _ec_simple_scalar_to_montgomery_inv_vartime _ %+ BORINGSSL_PREFIX %+ _ec_simple_scalar_to_montgomery_inv_vartime +%xdefine _ecdsa_do_verify_no_self_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_do_verify_no_self_test %xdefine _ecdsa_sign_with_nonce_for_known_answer_test _ %+ BORINGSSL_PREFIX %+ _ecdsa_sign_with_nonce_for_known_answer_test %xdefine _ecp_nistz256_avx2_select_w7 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_avx2_select_w7 +%xdefine _ecp_nistz256_div_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2 +%xdefine _ecp_nistz256_from_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_from_mont +%xdefine _ecp_nistz256_mul_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2 +%xdefine _ecp_nistz256_mul_by_3 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3 %xdefine _ecp_nistz256_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont %xdefine _ecp_nistz256_neg _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_neg %xdefine _ecp_nistz256_ord_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont 
@@ -2528,6 +2567,8 @@ %xdefine _ecp_nistz256_select_w5 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5 %xdefine _ecp_nistz256_select_w7 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7 %xdefine _ecp_nistz256_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont +%xdefine _ecp_nistz256_sub _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sub +%xdefine _ecp_nistz256_to_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_to_mont %xdefine _ed25519_asn1_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_asn1_meth %xdefine _ed25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _ed25519_pkey_meth %xdefine _gcm_ghash_avx _ %+ BORINGSSL_PREFIX %+ _gcm_ghash_avx @@ -2705,7 +2746,7 @@ %xdefine _pkcs12_iterations_acceptable _ %+ BORINGSSL_PREFIX %+ _pkcs12_iterations_acceptable %xdefine _pkcs12_key_gen _ %+ BORINGSSL_PREFIX %+ _pkcs12_key_gen %xdefine _pkcs12_pbe_encrypt_init _ %+ BORINGSSL_PREFIX %+ _pkcs12_pbe_encrypt_init -%xdefine _pkcs7_bundle _ %+ BORINGSSL_PREFIX %+ _pkcs7_bundle +%xdefine _pkcs7_add_signed_data _ %+ BORINGSSL_PREFIX %+ _pkcs7_add_signed_data %xdefine _pkcs7_parse_header _ %+ BORINGSSL_PREFIX %+ _pkcs7_parse_header %xdefine _pkcs8_pbe_decrypt _ %+ BORINGSSL_PREFIX %+ _pkcs8_pbe_decrypt %xdefine _pmbtoken_exp1_blind _ %+ BORINGSSL_PREFIX %+ _pmbtoken_exp1_blind @@ -2742,6 +2783,9 @@ %xdefine _rsa_default_sign_raw _ %+ BORINGSSL_PREFIX %+ _rsa_default_sign_raw %xdefine _rsa_default_size _ %+ BORINGSSL_PREFIX %+ _rsa_default_size %xdefine _rsa_pkey_meth _ %+ BORINGSSL_PREFIX %+ _rsa_pkey_meth +%xdefine _rsa_sign_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_sign_no_self_test +%xdefine _rsa_verify_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_verify_no_self_test +%xdefine _rsa_verify_raw_no_self_test _ %+ BORINGSSL_PREFIX %+ _rsa_verify_raw_no_self_test %xdefine _rsaz_1024_gather5_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_gather5_avx2 %xdefine _rsaz_1024_mul_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_mul_avx2 %xdefine _rsaz_1024_norm2red_avx2 _ %+ BORINGSSL_PREFIX %+ _rsaz_1024_norm2red_avx2 
@@ -2830,6 +2874,7 @@ %xdefine _x25519_ge_tobytes _ %+ BORINGSSL_PREFIX %+ _x25519_ge_tobytes %xdefine _x25519_pkey_meth _ %+ BORINGSSL_PREFIX %+ _x25519_pkey_meth %xdefine _x25519_sc_reduce _ %+ BORINGSSL_PREFIX %+ _x25519_sc_reduce +%xdefine _x509V3_add_value_asn1_string _ %+ BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string %xdefine _x509_digest_sign_algorithm _ %+ BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm %xdefine _x509_digest_verify_init _ %+ BORINGSSL_PREFIX %+ _x509_digest_verify_init %xdefine _x509_print_rsa_pss_params _ %+ BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params @@ -2874,9 +2919,11 @@ %xdefine ASN1_BOOLEAN_it BORINGSSL_PREFIX %+ _ASN1_BOOLEAN_it %xdefine ASN1_ENUMERATED_free BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_free %xdefine ASN1_ENUMERATED_get BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get +%xdefine ASN1_ENUMERATED_get_uint64 BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_get_uint64 %xdefine ASN1_ENUMERATED_it BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_it %xdefine ASN1_ENUMERATED_new BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_new %xdefine ASN1_ENUMERATED_set BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set +%xdefine ASN1_ENUMERATED_set_uint64 BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_set_uint64 %xdefine ASN1_ENUMERATED_to_BN BORINGSSL_PREFIX %+ _ASN1_ENUMERATED_to_BN %xdefine ASN1_FBOOLEAN_it BORINGSSL_PREFIX %+ _ASN1_FBOOLEAN_it %xdefine ASN1_GENERALIZEDTIME_adj BORINGSSL_PREFIX %+ _ASN1_GENERALIZEDTIME_adj @@ -2897,6 +2944,7 @@ %xdefine ASN1_INTEGER_dup BORINGSSL_PREFIX %+ _ASN1_INTEGER_dup %xdefine ASN1_INTEGER_free BORINGSSL_PREFIX %+ _ASN1_INTEGER_free %xdefine ASN1_INTEGER_get BORINGSSL_PREFIX %+ _ASN1_INTEGER_get +%xdefine ASN1_INTEGER_get_uint64 BORINGSSL_PREFIX %+ _ASN1_INTEGER_get_uint64 %xdefine ASN1_INTEGER_it BORINGSSL_PREFIX %+ _ASN1_INTEGER_it %xdefine ASN1_INTEGER_new BORINGSSL_PREFIX %+ _ASN1_INTEGER_new %xdefine ASN1_INTEGER_set BORINGSSL_PREFIX %+ _ASN1_INTEGER_set 
@@ -2927,7 +2975,6 @@ %xdefine ASN1_SET_ANY_it BORINGSSL_PREFIX %+ _ASN1_SET_ANY_it %xdefine ASN1_STRING_TABLE_add BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_add %xdefine ASN1_STRING_TABLE_cleanup BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_cleanup -%xdefine ASN1_STRING_TABLE_get BORINGSSL_PREFIX %+ _ASN1_STRING_TABLE_get %xdefine ASN1_STRING_cmp BORINGSSL_PREFIX %+ _ASN1_STRING_cmp %xdefine ASN1_STRING_copy BORINGSSL_PREFIX %+ _ASN1_STRING_copy %xdefine ASN1_STRING_data BORINGSSL_PREFIX %+ _ASN1_STRING_data @@ -2987,7 +3034,6 @@ %xdefine ASN1_VISIBLESTRING_it BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_it %xdefine ASN1_VISIBLESTRING_new BORINGSSL_PREFIX %+ _ASN1_VISIBLESTRING_new %xdefine ASN1_digest BORINGSSL_PREFIX %+ _ASN1_digest -%xdefine ASN1_generate_nconf BORINGSSL_PREFIX %+ _ASN1_generate_nconf %xdefine ASN1_generate_v3 BORINGSSL_PREFIX %+ _ASN1_generate_v3 %xdefine ASN1_get_object BORINGSSL_PREFIX %+ _ASN1_get_object %xdefine ASN1_item_d2i BORINGSSL_PREFIX %+ _ASN1_item_d2i @@ -3094,6 +3140,7 @@ %xdefine BIO_s_file BORINGSSL_PREFIX %+ _BIO_s_file %xdefine BIO_s_mem BORINGSSL_PREFIX %+ _BIO_s_mem %xdefine BIO_s_socket BORINGSSL_PREFIX %+ _BIO_s_socket +%xdefine BIO_seek BORINGSSL_PREFIX %+ _BIO_seek %xdefine BIO_set_close BORINGSSL_PREFIX %+ _BIO_set_close %xdefine BIO_set_conn_hostname BORINGSSL_PREFIX %+ _BIO_set_conn_hostname %xdefine BIO_set_conn_int_port BORINGSSL_PREFIX %+ _BIO_set_conn_int_port @@ -3118,6 +3165,7 @@ %xdefine BIO_should_write BORINGSSL_PREFIX %+ _BIO_should_write %xdefine BIO_shutdown_wr BORINGSSL_PREFIX %+ _BIO_shutdown_wr %xdefine BIO_snprintf BORINGSSL_PREFIX %+ _BIO_snprintf +%xdefine BIO_tell BORINGSSL_PREFIX %+ _BIO_tell %xdefine BIO_test_flags BORINGSSL_PREFIX %+ _BIO_test_flags %xdefine BIO_up_ref BORINGSSL_PREFIX %+ _BIO_up_ref %xdefine BIO_vfree BORINGSSL_PREFIX %+ _BIO_vfree 
@@ -3141,6 +3189,8 @@ %xdefine BN_CTX_new BORINGSSL_PREFIX %+ _BN_CTX_new %xdefine BN_CTX_start BORINGSSL_PREFIX %+ _BN_CTX_start %xdefine BN_GENCB_call BORINGSSL_PREFIX %+ _BN_GENCB_call +%xdefine BN_GENCB_free BORINGSSL_PREFIX %+ _BN_GENCB_free +%xdefine BN_GENCB_new BORINGSSL_PREFIX %+ _BN_GENCB_new %xdefine BN_GENCB_set BORINGSSL_PREFIX %+ _BN_GENCB_set %xdefine BN_MONT_CTX_copy BORINGSSL_PREFIX %+ _BN_MONT_CTX_copy %xdefine BN_MONT_CTX_free BORINGSSL_PREFIX %+ _BN_MONT_CTX_free @@ -3290,6 +3340,7 @@ %xdefine CBB_add_u64le BORINGSSL_PREFIX %+ _CBB_add_u64le %xdefine CBB_add_u8 BORINGSSL_PREFIX %+ _CBB_add_u8 %xdefine CBB_add_u8_length_prefixed BORINGSSL_PREFIX %+ _CBB_add_u8_length_prefixed +%xdefine CBB_add_zeros BORINGSSL_PREFIX %+ _CBB_add_zeros %xdefine CBB_cleanup BORINGSSL_PREFIX %+ _CBB_cleanup %xdefine CBB_data BORINGSSL_PREFIX %+ _CBB_data %xdefine CBB_did_write BORINGSSL_PREFIX %+ _CBB_did_write @@ -3335,6 +3386,7 @@ %xdefine CBS_get_u64le BORINGSSL_PREFIX %+ _CBS_get_u64le %xdefine CBS_get_u8 BORINGSSL_PREFIX %+ _CBS_get_u8 %xdefine CBS_get_u8_length_prefixed BORINGSSL_PREFIX %+ _CBS_get_u8_length_prefixed +%xdefine CBS_get_until_first BORINGSSL_PREFIX %+ _CBS_get_until_first %xdefine CBS_init BORINGSSL_PREFIX %+ _CBS_init %xdefine CBS_is_unsigned_asn1_integer BORINGSSL_PREFIX %+ _CBS_is_unsigned_asn1_integer %xdefine CBS_is_valid_asn1_bitstring BORINGSSL_PREFIX %+ _CBS_is_valid_asn1_bitstring @@ -3371,6 +3423,7 @@ %xdefine CRYPTO_BUFFER_len BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_len %xdefine CRYPTO_BUFFER_new BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new %xdefine CRYPTO_BUFFER_new_from_CBS BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_CBS +%xdefine CRYPTO_BUFFER_new_from_static_data_unsafe BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_new_from_static_data_unsafe %xdefine CRYPTO_BUFFER_up_ref BORINGSSL_PREFIX %+ _CRYPTO_BUFFER_up_ref %xdefine CRYPTO_MUTEX_cleanup BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_cleanup %xdefine CRYPTO_MUTEX_init BORINGSSL_PREFIX %+ _CRYPTO_MUTEX_init 
@@ -3399,6 +3452,7 @@ %xdefine CRYPTO_ctr128_encrypt BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt %xdefine CRYPTO_ctr128_encrypt_ctr32 BORINGSSL_PREFIX %+ _CRYPTO_ctr128_encrypt_ctr32 %xdefine CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing BORINGSSL_PREFIX %+ _CRYPTO_fork_detect_ignore_madv_wipeonfork_for_testing +%xdefine CRYPTO_free BORINGSSL_PREFIX %+ _CRYPTO_free %xdefine CRYPTO_free_ex_data BORINGSSL_PREFIX %+ _CRYPTO_free_ex_data %xdefine CRYPTO_gcm128_aad BORINGSSL_PREFIX %+ _CRYPTO_gcm128_aad %xdefine CRYPTO_gcm128_decrypt BORINGSSL_PREFIX %+ _CRYPTO_gcm128_decrypt @@ -3427,6 +3481,7 @@ %xdefine CRYPTO_is_NEON_capable_at_runtime BORINGSSL_PREFIX %+ _CRYPTO_is_NEON_capable_at_runtime %xdefine CRYPTO_is_confidential_build BORINGSSL_PREFIX %+ _CRYPTO_is_confidential_build %xdefine CRYPTO_library_init BORINGSSL_PREFIX %+ _CRYPTO_library_init +%xdefine CRYPTO_malloc BORINGSSL_PREFIX %+ _CRYPTO_malloc %xdefine CRYPTO_malloc_init BORINGSSL_PREFIX %+ _CRYPTO_malloc_init %xdefine CRYPTO_memcmp BORINGSSL_PREFIX %+ _CRYPTO_memcmp %xdefine CRYPTO_new_ex_data BORINGSSL_PREFIX %+ _CRYPTO_new_ex_data @@ -3439,6 +3494,7 @@ %xdefine CRYPTO_pre_sandbox_init BORINGSSL_PREFIX %+ _CRYPTO_pre_sandbox_init %xdefine CRYPTO_rdrand BORINGSSL_PREFIX %+ _CRYPTO_rdrand %xdefine CRYPTO_rdrand_multiple8_buf BORINGSSL_PREFIX %+ _CRYPTO_rdrand_multiple8_buf +%xdefine CRYPTO_realloc BORINGSSL_PREFIX %+ _CRYPTO_realloc %xdefine CRYPTO_refcount_dec_and_test_zero BORINGSSL_PREFIX %+ _CRYPTO_refcount_dec_and_test_zero %xdefine CRYPTO_refcount_inc BORINGSSL_PREFIX %+ _CRYPTO_refcount_inc %xdefine CRYPTO_set_add_lock_callback BORINGSSL_PREFIX %+ _CRYPTO_set_add_lock_callback 
@@ -3508,9 +3564,11 @@ %xdefine DIST_POINT_new BORINGSSL_PREFIX %+ _DIST_POINT_new %xdefine DIST_POINT_set_dpname BORINGSSL_PREFIX %+ _DIST_POINT_set_dpname %xdefine DSA_SIG_free BORINGSSL_PREFIX %+ _DSA_SIG_free +%xdefine DSA_SIG_get0 BORINGSSL_PREFIX %+ _DSA_SIG_get0 %xdefine DSA_SIG_marshal BORINGSSL_PREFIX %+ _DSA_SIG_marshal %xdefine DSA_SIG_new BORINGSSL_PREFIX %+ _DSA_SIG_new %xdefine DSA_SIG_parse BORINGSSL_PREFIX %+ _DSA_SIG_parse +%xdefine DSA_SIG_set0 BORINGSSL_PREFIX %+ _DSA_SIG_set0 %xdefine DSA_check_signature BORINGSSL_PREFIX %+ _DSA_check_signature %xdefine DSA_do_check_signature BORINGSSL_PREFIX %+ _DSA_do_check_signature %xdefine DSA_do_sign BORINGSSL_PREFIX %+ _DSA_do_sign @@ -3691,6 +3749,7 @@ %xdefine ERR_remove_thread_state BORINGSSL_PREFIX %+ _ERR_remove_thread_state %xdefine ERR_restore_state BORINGSSL_PREFIX %+ _ERR_restore_state %xdefine ERR_save_state BORINGSSL_PREFIX %+ _ERR_save_state +%xdefine ERR_set_error_data BORINGSSL_PREFIX %+ _ERR_set_error_data %xdefine ERR_set_mark BORINGSSL_PREFIX %+ _ERR_set_mark %xdefine EVP_AEAD_CTX_aead BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_aead %xdefine EVP_AEAD_CTX_cleanup BORINGSSL_PREFIX %+ _EVP_AEAD_CTX_cleanup @@ -3737,6 +3796,7 @@ %xdefine EVP_CIPHER_mode BORINGSSL_PREFIX %+ _EVP_CIPHER_mode %xdefine EVP_CIPHER_nid BORINGSSL_PREFIX %+ _EVP_CIPHER_nid %xdefine EVP_Cipher BORINGSSL_PREFIX %+ _EVP_Cipher +%xdefine EVP_CipherFinal BORINGSSL_PREFIX %+ _EVP_CipherFinal %xdefine EVP_CipherFinal_ex BORINGSSL_PREFIX %+ _EVP_CipherFinal_ex %xdefine EVP_CipherInit BORINGSSL_PREFIX %+ _EVP_CipherInit %xdefine EVP_CipherInit_ex BORINGSSL_PREFIX %+ _EVP_CipherInit_ex 
@@ -3747,6 +3807,7 @@ %xdefine EVP_DecodeInit BORINGSSL_PREFIX %+ _EVP_DecodeInit %xdefine EVP_DecodeUpdate BORINGSSL_PREFIX %+ _EVP_DecodeUpdate %xdefine EVP_DecodedLength BORINGSSL_PREFIX %+ _EVP_DecodedLength +%xdefine EVP_DecryptFinal BORINGSSL_PREFIX %+ _EVP_DecryptFinal %xdefine EVP_DecryptFinal_ex BORINGSSL_PREFIX %+ _EVP_DecryptFinal_ex %xdefine EVP_DecryptInit BORINGSSL_PREFIX %+ _EVP_DecryptInit %xdefine EVP_DecryptInit_ex BORINGSSL_PREFIX %+ _EVP_DecryptInit_ex @@ -3766,11 +3827,14 @@ %xdefine EVP_DigestVerifyFinal BORINGSSL_PREFIX %+ _EVP_DigestVerifyFinal %xdefine EVP_DigestVerifyInit BORINGSSL_PREFIX %+ _EVP_DigestVerifyInit %xdefine EVP_DigestVerifyUpdate BORINGSSL_PREFIX %+ _EVP_DigestVerifyUpdate +%xdefine EVP_ENCODE_CTX_free BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_free +%xdefine EVP_ENCODE_CTX_new BORINGSSL_PREFIX %+ _EVP_ENCODE_CTX_new %xdefine EVP_EncodeBlock BORINGSSL_PREFIX %+ _EVP_EncodeBlock %xdefine EVP_EncodeFinal BORINGSSL_PREFIX %+ _EVP_EncodeFinal %xdefine EVP_EncodeInit BORINGSSL_PREFIX %+ _EVP_EncodeInit %xdefine EVP_EncodeUpdate BORINGSSL_PREFIX %+ _EVP_EncodeUpdate %xdefine EVP_EncodedLength BORINGSSL_PREFIX %+ _EVP_EncodedLength +%xdefine EVP_EncryptFinal BORINGSSL_PREFIX %+ _EVP_EncryptFinal %xdefine EVP_EncryptFinal_ex BORINGSSL_PREFIX %+ _EVP_EncryptFinal_ex %xdefine EVP_EncryptInit BORINGSSL_PREFIX %+ _EVP_EncryptInit %xdefine EVP_EncryptInit_ex BORINGSSL_PREFIX %+ _EVP_EncryptInit_ex @@ -3803,6 +3867,7 @@ %xdefine EVP_HPKE_KEY_public_key BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_public_key %xdefine EVP_HPKE_KEY_zero BORINGSSL_PREFIX %+ _EVP_HPKE_KEY_zero %xdefine EVP_MD_CTX_block_size BORINGSSL_PREFIX %+ _EVP_MD_CTX_block_size +%xdefine EVP_MD_CTX_cleanse BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanse %xdefine EVP_MD_CTX_cleanup BORINGSSL_PREFIX %+ _EVP_MD_CTX_cleanup %xdefine EVP_MD_CTX_copy BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy %xdefine EVP_MD_CTX_copy_ex BORINGSSL_PREFIX %+ _EVP_MD_CTX_copy_ex 
@@ -4005,7 +4070,10 @@ %xdefine EXTENDED_KEY_USAGE_new BORINGSSL_PREFIX %+ _EXTENDED_KEY_USAGE_new %xdefine FIPS_mode BORINGSSL_PREFIX %+ _FIPS_mode %xdefine FIPS_mode_set BORINGSSL_PREFIX %+ _FIPS_mode_set +%xdefine FIPS_module_name BORINGSSL_PREFIX %+ _FIPS_module_name +%xdefine FIPS_query_algorithm_status BORINGSSL_PREFIX %+ _FIPS_query_algorithm_status %xdefine FIPS_read_counter BORINGSSL_PREFIX %+ _FIPS_read_counter +%xdefine FIPS_version BORINGSSL_PREFIX %+ _FIPS_version %xdefine GENERAL_NAMES_free BORINGSSL_PREFIX %+ _GENERAL_NAMES_free %xdefine GENERAL_NAMES_it BORINGSSL_PREFIX %+ _GENERAL_NAMES_it %xdefine GENERAL_NAMES_new BORINGSSL_PREFIX %+ _GENERAL_NAMES_new @@ -4026,6 +4094,7 @@ %xdefine HKDF_expand BORINGSSL_PREFIX %+ _HKDF_expand %xdefine HKDF_extract BORINGSSL_PREFIX %+ _HKDF_extract %xdefine HMAC BORINGSSL_PREFIX %+ _HMAC +%xdefine HMAC_CTX_cleanse BORINGSSL_PREFIX %+ _HMAC_CTX_cleanse %xdefine HMAC_CTX_cleanup BORINGSSL_PREFIX %+ _HMAC_CTX_cleanup %xdefine HMAC_CTX_copy BORINGSSL_PREFIX %+ _HMAC_CTX_copy %xdefine HMAC_CTX_copy_ex BORINGSSL_PREFIX %+ _HMAC_CTX_copy_ex @@ -4259,6 +4328,7 @@ %xdefine PKCS5_pbe2_encrypt_init BORINGSSL_PREFIX %+ _PKCS5_pbe2_encrypt_init %xdefine PKCS7_bundle_CRLs BORINGSSL_PREFIX %+ _PKCS7_bundle_CRLs %xdefine PKCS7_bundle_certificates BORINGSSL_PREFIX %+ _PKCS7_bundle_certificates +%xdefine PKCS7_bundle_raw_certificates BORINGSSL_PREFIX %+ _PKCS7_bundle_raw_certificates %xdefine PKCS7_free BORINGSSL_PREFIX %+ _PKCS7_free %xdefine PKCS7_get_CRLs BORINGSSL_PREFIX %+ _PKCS7_get_CRLs %xdefine PKCS7_get_PEM_CRLs BORINGSSL_PREFIX %+ _PKCS7_get_PEM_CRLs 
@@ -4346,6 +4416,7 @@ %xdefine RSA_get0_key BORINGSSL_PREFIX %+ _RSA_get0_key %xdefine RSA_get0_n BORINGSSL_PREFIX %+ _RSA_get0_n %xdefine RSA_get0_p BORINGSSL_PREFIX %+ _RSA_get0_p +%xdefine RSA_get0_pss_params BORINGSSL_PREFIX %+ _RSA_get0_pss_params %xdefine RSA_get0_q BORINGSSL_PREFIX %+ _RSA_get0_q %xdefine RSA_get_ex_data BORINGSSL_PREFIX %+ _RSA_get_ex_data %xdefine RSA_get_ex_new_index BORINGSSL_PREFIX %+ _RSA_get_ex_new_index @@ -4382,6 +4453,7 @@ %xdefine RSA_sign_pss_mgf1 BORINGSSL_PREFIX %+ _RSA_sign_pss_mgf1 %xdefine RSA_sign_raw BORINGSSL_PREFIX %+ _RSA_sign_raw %xdefine RSA_size BORINGSSL_PREFIX %+ _RSA_size +%xdefine RSA_test_flags BORINGSSL_PREFIX %+ _RSA_test_flags %xdefine RSA_up_ref BORINGSSL_PREFIX %+ _RSA_up_ref %xdefine RSA_verify BORINGSSL_PREFIX %+ _RSA_verify %xdefine RSA_verify_PKCS1_PSS_mgf1 BORINGSSL_PREFIX %+ _RSA_verify_PKCS1_PSS_mgf1 @@ -4788,7 +4860,6 @@ %xdefine X509_STORE_get_verify_cb BORINGSSL_PREFIX %+ _X509_STORE_get_verify_cb %xdefine X509_STORE_load_locations BORINGSSL_PREFIX %+ _X509_STORE_load_locations %xdefine X509_STORE_new BORINGSSL_PREFIX %+ _X509_STORE_new -%xdefine X509_STORE_set0_additional_untrusted BORINGSSL_PREFIX %+ _X509_STORE_set0_additional_untrusted %xdefine X509_STORE_set1_param BORINGSSL_PREFIX %+ _X509_STORE_set1_param %xdefine X509_STORE_set_cert_crl BORINGSSL_PREFIX %+ _X509_STORE_set_cert_crl %xdefine X509_STORE_set_check_crl BORINGSSL_PREFIX %+ _X509_STORE_set_check_crl @@ -4816,7 +4887,6 @@ %xdefine X509_TRUST_get_flags BORINGSSL_PREFIX %+ _X509_TRUST_get_flags %xdefine X509_TRUST_get_trust BORINGSSL_PREFIX %+ _X509_TRUST_get_trust %xdefine X509_TRUST_set BORINGSSL_PREFIX %+ _X509_TRUST_set -%xdefine X509_TRUST_set_default BORINGSSL_PREFIX %+ _X509_TRUST_set_default %xdefine X509_VAL_free BORINGSSL_PREFIX %+ _X509_VAL_free %xdefine X509_VAL_it BORINGSSL_PREFIX %+ _X509_VAL_it %xdefine X509_VAL_new BORINGSSL_PREFIX %+ _X509_VAL_new 
@@ -5031,6 +5101,7 @@ %xdefine aesgcmsiv_polyval_horner BORINGSSL_PREFIX %+ _aesgcmsiv_polyval_horner %xdefine aesni_gcm_decrypt BORINGSSL_PREFIX %+ _aesni_gcm_decrypt %xdefine aesni_gcm_encrypt BORINGSSL_PREFIX %+ _aesni_gcm_encrypt +%xdefine asn1_bit_string_length BORINGSSL_PREFIX %+ _asn1_bit_string_length %xdefine asn1_do_adb BORINGSSL_PREFIX %+ _asn1_do_adb %xdefine asn1_enc_free BORINGSSL_PREFIX %+ _asn1_enc_free %xdefine asn1_enc_init BORINGSSL_PREFIX %+ _asn1_enc_init @@ -5039,6 +5110,8 @@ %xdefine asn1_generalizedtime_to_tm BORINGSSL_PREFIX %+ _asn1_generalizedtime_to_tm %xdefine asn1_get_choice_selector BORINGSSL_PREFIX %+ _asn1_get_choice_selector %xdefine asn1_get_field_ptr BORINGSSL_PREFIX %+ _asn1_get_field_ptr +%xdefine asn1_get_string_table_for_testing BORINGSSL_PREFIX %+ _asn1_get_string_table_for_testing +%xdefine asn1_is_printable BORINGSSL_PREFIX %+ _asn1_is_printable %xdefine asn1_item_combine_free BORINGSSL_PREFIX %+ _asn1_item_combine_free %xdefine asn1_refcount_dec_and_test_zero BORINGSSL_PREFIX %+ _asn1_refcount_dec_and_test_zero %xdefine asn1_refcount_set_one BORINGSSL_PREFIX %+ _asn1_refcount_set_one @@ -5053,6 +5126,7 @@ %xdefine bio_socket_nbio BORINGSSL_PREFIX %+ _bio_socket_nbio %xdefine bn_abs_sub_consttime BORINGSSL_PREFIX %+ _bn_abs_sub_consttime %xdefine bn_add_words BORINGSSL_PREFIX %+ _bn_add_words +%xdefine bn_big_endian_to_words BORINGSSL_PREFIX %+ _bn_big_endian_to_words %xdefine bn_copy_words BORINGSSL_PREFIX %+ _bn_copy_words %xdefine bn_div_consttime BORINGSSL_PREFIX %+ _bn_div_consttime %xdefine bn_expand BORINGSSL_PREFIX %+ _bn_expand 
@@ -5121,7 +5195,10 @@ %xdefine bn_uadd_consttime BORINGSSL_PREFIX %+ _bn_uadd_consttime %xdefine bn_usub_consttime BORINGSSL_PREFIX %+ _bn_usub_consttime %xdefine bn_wexpand BORINGSSL_PREFIX %+ _bn_wexpand -%xdefine boringssl_fips_self_test BORINGSSL_PREFIX %+ _boringssl_fips_self_test +%xdefine bn_words_to_big_endian BORINGSSL_PREFIX %+ _bn_words_to_big_endian +%xdefine boringssl_self_test_hmac_sha256 BORINGSSL_PREFIX %+ _boringssl_self_test_hmac_sha256 +%xdefine boringssl_self_test_sha256 BORINGSSL_PREFIX %+ _boringssl_self_test_sha256 +%xdefine boringssl_self_test_sha512 BORINGSSL_PREFIX %+ _boringssl_self_test_sha512 %xdefine c2i_ASN1_BIT_STRING BORINGSSL_PREFIX %+ _c2i_ASN1_BIT_STRING %xdefine c2i_ASN1_INTEGER BORINGSSL_PREFIX %+ _c2i_ASN1_INTEGER %xdefine c2i_ASN1_OBJECT BORINGSSL_PREFIX %+ _c2i_ASN1_OBJECT @@ -5257,6 +5334,7 @@ %xdefine d2i_X509_VAL BORINGSSL_PREFIX %+ _d2i_X509_VAL %xdefine d2i_X509_bio BORINGSSL_PREFIX %+ _d2i_X509_bio %xdefine d2i_X509_fp BORINGSSL_PREFIX %+ _d2i_X509_fp +%xdefine dh_compute_key_padded_no_self_test BORINGSSL_PREFIX %+ _dh_compute_key_padded_no_self_test %xdefine dsa_asn1_meth BORINGSSL_PREFIX %+ _dsa_asn1_meth %xdefine dsa_check_parameters BORINGSSL_PREFIX %+ _dsa_check_parameters %xdefine ec_GFp_mont_add BORINGSSL_PREFIX %+ _ec_GFp_mont_add @@ -5316,6 +5394,7 @@ %xdefine ec_jacobian_to_affine_batch BORINGSSL_PREFIX %+ _ec_jacobian_to_affine_batch %xdefine ec_pkey_meth BORINGSSL_PREFIX %+ _ec_pkey_meth %xdefine ec_point_from_uncompressed BORINGSSL_PREFIX %+ _ec_point_from_uncompressed +%xdefine ec_point_mul_no_self_test BORINGSSL_PREFIX %+ _ec_point_mul_no_self_test %xdefine ec_point_mul_scalar BORINGSSL_PREFIX %+ _ec_point_mul_scalar %xdefine ec_point_mul_scalar_base BORINGSSL_PREFIX %+ _ec_point_mul_scalar_base %xdefine ec_point_mul_scalar_batch BORINGSSL_PREFIX %+ _ec_point_mul_scalar_batch 
@@ -5344,8 +5423,13 @@ %xdefine ec_set_to_safe_point BORINGSSL_PREFIX %+ _ec_set_to_safe_point %xdefine ec_simple_scalar_inv0_montgomery BORINGSSL_PREFIX %+ _ec_simple_scalar_inv0_montgomery %xdefine ec_simple_scalar_to_montgomery_inv_vartime BORINGSSL_PREFIX %+ _ec_simple_scalar_to_montgomery_inv_vartime +%xdefine ecdsa_do_verify_no_self_test BORINGSSL_PREFIX %+ _ecdsa_do_verify_no_self_test %xdefine ecdsa_sign_with_nonce_for_known_answer_test BORINGSSL_PREFIX %+ _ecdsa_sign_with_nonce_for_known_answer_test %xdefine ecp_nistz256_avx2_select_w7 BORINGSSL_PREFIX %+ _ecp_nistz256_avx2_select_w7 +%xdefine ecp_nistz256_div_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2 +%xdefine ecp_nistz256_from_mont BORINGSSL_PREFIX %+ _ecp_nistz256_from_mont +%xdefine ecp_nistz256_mul_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2 +%xdefine ecp_nistz256_mul_by_3 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3 %xdefine ecp_nistz256_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont %xdefine ecp_nistz256_neg BORINGSSL_PREFIX %+ _ecp_nistz256_neg %xdefine ecp_nistz256_ord_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont @@ -5356,6 +5440,8 @@ %xdefine ecp_nistz256_select_w5 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5 %xdefine ecp_nistz256_select_w7 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7 %xdefine ecp_nistz256_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont +%xdefine ecp_nistz256_sub BORINGSSL_PREFIX %+ _ecp_nistz256_sub +%xdefine ecp_nistz256_to_mont BORINGSSL_PREFIX %+ _ecp_nistz256_to_mont %xdefine ed25519_asn1_meth BORINGSSL_PREFIX %+ _ed25519_asn1_meth %xdefine ed25519_pkey_meth BORINGSSL_PREFIX %+ _ed25519_pkey_meth %xdefine gcm_ghash_avx BORINGSSL_PREFIX %+ _gcm_ghash_avx 
@@ -5533,7 +5619,7 @@ %xdefine pkcs12_iterations_acceptable BORINGSSL_PREFIX %+ _pkcs12_iterations_acceptable %xdefine pkcs12_key_gen BORINGSSL_PREFIX %+ _pkcs12_key_gen %xdefine pkcs12_pbe_encrypt_init BORINGSSL_PREFIX %+ _pkcs12_pbe_encrypt_init -%xdefine pkcs7_bundle BORINGSSL_PREFIX %+ _pkcs7_bundle +%xdefine pkcs7_add_signed_data BORINGSSL_PREFIX %+ _pkcs7_add_signed_data %xdefine pkcs7_parse_header BORINGSSL_PREFIX %+ _pkcs7_parse_header %xdefine pkcs8_pbe_decrypt BORINGSSL_PREFIX %+ _pkcs8_pbe_decrypt %xdefine pmbtoken_exp1_blind BORINGSSL_PREFIX %+ _pmbtoken_exp1_blind @@ -5570,6 +5656,9 @@ %xdefine rsa_default_sign_raw BORINGSSL_PREFIX %+ _rsa_default_sign_raw %xdefine rsa_default_size BORINGSSL_PREFIX %+ _rsa_default_size %xdefine rsa_pkey_meth BORINGSSL_PREFIX %+ _rsa_pkey_meth +%xdefine rsa_sign_no_self_test BORINGSSL_PREFIX %+ _rsa_sign_no_self_test +%xdefine rsa_verify_no_self_test BORINGSSL_PREFIX %+ _rsa_verify_no_self_test +%xdefine rsa_verify_raw_no_self_test BORINGSSL_PREFIX %+ _rsa_verify_raw_no_self_test %xdefine rsaz_1024_gather5_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_gather5_avx2 %xdefine rsaz_1024_mul_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_mul_avx2 %xdefine rsaz_1024_norm2red_avx2 BORINGSSL_PREFIX %+ _rsaz_1024_norm2red_avx2 @@ -5658,6 +5747,7 @@ %xdefine x25519_ge_tobytes BORINGSSL_PREFIX %+ _x25519_ge_tobytes %xdefine x25519_pkey_meth BORINGSSL_PREFIX %+ _x25519_pkey_meth %xdefine x25519_sc_reduce BORINGSSL_PREFIX %+ _x25519_sc_reduce +%xdefine x509V3_add_value_asn1_string BORINGSSL_PREFIX %+ _x509V3_add_value_asn1_string %xdefine x509_digest_sign_algorithm BORINGSSL_PREFIX %+ _x509_digest_sign_algorithm %xdefine x509_digest_verify_init BORINGSSL_PREFIX %+ _x509_digest_verify_init %xdefine x509_print_rsa_pss_params BORINGSSL_PREFIX %+ _x509_print_rsa_pss_params diff --git a/Sources/CJWTKitBoringSSL/include/module.modulemap b/Sources/CJWTKitBoringSSL/include/module.modulemap new file mode 100644 index 00000000..954a2295 --- /dev/null 
+++ b/Sources/CJWTKitBoringSSL/include/module.modulemap
@@ -0,0 +1,4 @@
+module CJWTKitBoringSSL {
+ header "CJWTKitBoringSSL.h"
+ export *
+}
diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_32.h b/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_32.h
index 7b78d00d..cb83c606 100644
--- a/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_32.h
+++ b/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_32.h
@@ -1,24 +1,51 @@ -/* Autogenerated: src/ExtractionOCaml/unsaturated_solinas --static 25519 10 '2^255 - 19' 32 carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ +/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 32 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */ /* curve description: 25519 */ -/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */ -/* n = 10 (from "10") */ -/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* machine_wordsize = 32 (from "32") */ - +/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */ +/* n = 10 (from "(auto)") */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* tight_bounds_multiplier = 1 (from "") */ +/* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* carry_chain = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1] */ +/* eval z = z[0] + (z[1] << 26) + (z[2] << 51) + (z[3] << 77) + (z[4] << 102) + (z[5] << 128) + (z[6] << 153) + (z[7] << 179) + (z[8] << 204) + (z[9] << 230) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0x7ffffda, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe, 0x7fffffe, 0x3fffffe] */ #include typedef unsigned char fiat_25519_uint1; typedef signed 
char fiat_25519_int1; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_25519_FIAT_INLINE __inline__ +#else +# define FIAT_25519_FIAT_INLINE +#endif + +/* The type fiat_25519_loose_field_element is a field element with loose bounds. */ +/* Bounds: [[0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000], [0x0 ~> 0xc000000], [0x0 ~> 0x6000000]] */ +typedef uint32_t fiat_25519_loose_field_element[10]; + +/* The type fiat_25519_tight_field_element is a field element with tight bounds. */ +/* Bounds: [[0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000], [0x0 ~> 0x4000000], [0x0 ~> 0x2000000]] */ +typedef uint32_t fiat_25519_tight_field_element[10]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t fiat_25519_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_25519_value_barrier_u32(x) (x) +#endif + /* * The function fiat_25519_addcarryx_u26 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^26 * out2 = ⌊(arg1 + arg2 + arg3) / 2^26⌋ 
@@ -31,16 +58,20 @@ typedef signed char fiat_25519_int1; * out1: [0x0 ~> 0x3ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - uint32_t x1 = ((arg1 + arg2) + arg3); - uint32_t x2 = (x1 & UINT32_C(0x3ffffff)); - fiat_25519_uint1 x3 = (fiat_25519_uint1)(x1 >> 26); +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + uint32_t x1; + uint32_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT32_C(0x3ffffff)); + x3 = (fiat_25519_uint1)(x1 >> 26); *out1 = x2; *out2 = x3; } /* * The function fiat_25519_subborrowx_u26 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^26 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^26⌋ @@ -53,16 +84,20 @@ static void fiat_25519_addcarryx_u26(uint32_t* out1, fiat_25519_uint1* out2, fia * out1: [0x0 ~> 0x3ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - int32_t x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); - fiat_25519_int1 x2 = (fiat_25519_int1)(x1 >> 26); - uint32_t x3 = (x1 & UINT32_C(0x3ffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + int32_t x1; + fiat_25519_int1 x2; + uint32_t x3; + x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 26); + x3 = (x1 & UINT32_C(0x3ffffff)); *out1 = x3; *out2 = (fiat_25519_uint1)(0x0 - x2); } /* * The function fiat_25519_addcarryx_u25 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^25 * out2 = ⌊(arg1 + arg2 + arg3) / 2^25⌋ 
@@ -75,16 +110,20 @@ static void fiat_25519_subborrowx_u26(uint32_t* out1, fiat_25519_uint1* out2, fi * out1: [0x0 ~> 0x1ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - uint32_t x1 = ((arg1 + arg2) + arg3); - uint32_t x2 = (x1 & UINT32_C(0x1ffffff)); - fiat_25519_uint1 x3 = (fiat_25519_uint1)(x1 >> 25); +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + uint32_t x1; + uint32_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT32_C(0x1ffffff)); + x3 = (fiat_25519_uint1)(x1 >> 25); *out1 = x2; *out2 = x3; } /* * The function fiat_25519_subborrowx_u25 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^25 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^25⌋ @@ -97,16 +136,20 @@ static void fiat_25519_addcarryx_u25(uint32_t* out1, fiat_25519_uint1* out2, fia * out1: [0x0 ~> 0x1ffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - int32_t x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); - fiat_25519_int1 x2 = (fiat_25519_int1)(x1 >> 25); - uint32_t x3 = (x1 & UINT32_C(0x1ffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + int32_t x1; + fiat_25519_int1 x2; + uint32_t x3; + x1 = ((int32_t)(arg2 - arg1) - (int32_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 25); + x3 = (x1 & UINT32_C(0x1ffffff)); *out1 = x3; *out2 = (fiat_25519_uint1)(0x0 - x2); } /* * The function fiat_25519_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -117,178 +160,318 @@ static void fiat_25519_subborrowx_u25(uint32_t* out1, fiat_25519_uint1* out2, fi * Output Bounds: * out1: [0x0 ~> 0xffffffff] */ -static void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { - fiat_25519_uint1 x1 = (!(!arg1)); - uint32_t x2 = ((fiat_25519_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint32_t x3 = ((value_barrier_u32(x2) & arg3) | (value_barrier_u32(~x2) & arg2)); +static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u32(uint32_t* out1, fiat_25519_uint1 arg1, uint32_t arg2, uint32_t arg3) { + fiat_25519_uint1 x1; + uint32_t x2; + uint32_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_25519_int1)(0x0 - x1) & UINT32_C(0xffffffff)); + x3 = ((fiat_25519_value_barrier_u32(x2) & arg3) | (fiat_25519_value_barrier_u32((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. 
+ * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * arg2: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { - uint64_t x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26))); - uint64_t x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26))); - uint64_t x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13))); - uint64_t x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26))); - uint64_t x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13))); - uint64_t x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13))); - uint64_t x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13))); - uint64_t x17 = 
((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13))); - uint64_t x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26))); - uint64_t x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26))); - uint64_t x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13))); - uint64_t x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13))); - uint64_t x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13))); - uint64_t x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x33 = ((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26))); - uint64_t x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13))); - uint64_t x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13))); - uint64_t x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26))); - uint64_t x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26))); - uint64_t x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13))); - uint64_t x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13))); - uint64_t x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * 
UINT8_C(0x26))); - uint64_t x46 = ((uint64_t)(arg1[9]) * (arg2[0])); - uint64_t x47 = ((uint64_t)(arg1[8]) * (arg2[1])); - uint64_t x48 = ((uint64_t)(arg1[8]) * (arg2[0])); - uint64_t x49 = ((uint64_t)(arg1[7]) * (arg2[2])); - uint64_t x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2)); - uint64_t x51 = ((uint64_t)(arg1[7]) * (arg2[0])); - uint64_t x52 = ((uint64_t)(arg1[6]) * (arg2[3])); - uint64_t x53 = ((uint64_t)(arg1[6]) * (arg2[2])); - uint64_t x54 = ((uint64_t)(arg1[6]) * (arg2[1])); - uint64_t x55 = ((uint64_t)(arg1[6]) * (arg2[0])); - uint64_t x56 = ((uint64_t)(arg1[5]) * (arg2[4])); - uint64_t x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2)); - uint64_t x58 = ((uint64_t)(arg1[5]) * (arg2[2])); - uint64_t x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2)); - uint64_t x60 = ((uint64_t)(arg1[5]) * (arg2[0])); - uint64_t x61 = ((uint64_t)(arg1[4]) * (arg2[5])); - uint64_t x62 = ((uint64_t)(arg1[4]) * (arg2[4])); - uint64_t x63 = ((uint64_t)(arg1[4]) * (arg2[3])); - uint64_t x64 = ((uint64_t)(arg1[4]) * (arg2[2])); - uint64_t x65 = ((uint64_t)(arg1[4]) * (arg2[1])); - uint64_t x66 = ((uint64_t)(arg1[4]) * (arg2[0])); - uint64_t x67 = ((uint64_t)(arg1[3]) * (arg2[6])); - uint64_t x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2)); - uint64_t x69 = ((uint64_t)(arg1[3]) * (arg2[4])); - uint64_t x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2)); - uint64_t x71 = ((uint64_t)(arg1[3]) * (arg2[2])); - uint64_t x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2)); - uint64_t x73 = ((uint64_t)(arg1[3]) * (arg2[0])); - uint64_t x74 = ((uint64_t)(arg1[2]) * (arg2[7])); - uint64_t x75 = ((uint64_t)(arg1[2]) * (arg2[6])); - uint64_t x76 = ((uint64_t)(arg1[2]) * (arg2[5])); - uint64_t x77 = ((uint64_t)(arg1[2]) * (arg2[4])); - uint64_t x78 = ((uint64_t)(arg1[2]) * (arg2[3])); - uint64_t x79 = ((uint64_t)(arg1[2]) * (arg2[2])); - uint64_t x80 = ((uint64_t)(arg1[2]) * (arg2[1])); - uint64_t x81 = ((uint64_t)(arg1[2]) * (arg2[0])); - uint64_t x82 = ((uint64_t)(arg1[1]) * (arg2[8])); - uint64_t 
x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2)); - uint64_t x84 = ((uint64_t)(arg1[1]) * (arg2[6])); - uint64_t x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2)); - uint64_t x86 = ((uint64_t)(arg1[1]) * (arg2[4])); - uint64_t x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2)); - uint64_t x88 = ((uint64_t)(arg1[1]) * (arg2[2])); - uint64_t x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2)); - uint64_t x90 = ((uint64_t)(arg1[1]) * (arg2[0])); - uint64_t x91 = ((uint64_t)(arg1[0]) * (arg2[9])); - uint64_t x92 = ((uint64_t)(arg1[0]) * (arg2[8])); - uint64_t x93 = ((uint64_t)(arg1[0]) * (arg2[7])); - uint64_t x94 = ((uint64_t)(arg1[0]) * (arg2[6])); - uint64_t x95 = ((uint64_t)(arg1[0]) * (arg2[5])); - uint64_t x96 = ((uint64_t)(arg1[0]) * (arg2[4])); - uint64_t x97 = ((uint64_t)(arg1[0]) * (arg2[3])); - uint64_t x98 = ((uint64_t)(arg1[0]) * (arg2[2])); - uint64_t x99 = ((uint64_t)(arg1[0]) * (arg2[1])); - uint64_t x100 = ((uint64_t)(arg1[0]) * (arg2[0])); - uint64_t x101 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9))))))))); - uint64_t x102 = (x101 >> 26); - uint32_t x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); - uint64_t x104 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46))))))))); - uint64_t x105 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1))))))))); - uint64_t x106 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2))))))))); - uint64_t x107 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3))))))))); - uint64_t x108 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4))))))))); - uint64_t x109 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5))))))))); - uint64_t x110 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6))))))))); - uint64_t x111 = (x98 + (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7))))))))); - uint64_t x112 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8))))))))); - 
uint64_t x113 = (x102 + x112); - uint64_t x114 = (x113 >> 25); - uint32_t x115 = (uint32_t)(x113 & UINT32_C(0x1ffffff)); - uint64_t x116 = (x114 + x111); - uint64_t x117 = (x116 >> 26); - uint32_t x118 = (uint32_t)(x116 & UINT32_C(0x3ffffff)); - uint64_t x119 = (x117 + x110); - uint64_t x120 = (x119 >> 25); - uint32_t x121 = (uint32_t)(x119 & UINT32_C(0x1ffffff)); - uint64_t x122 = (x120 + x109); - uint64_t x123 = (x122 >> 26); - uint32_t x124 = (uint32_t)(x122 & UINT32_C(0x3ffffff)); - uint64_t x125 = (x123 + x108); - uint64_t x126 = (x125 >> 25); - uint32_t x127 = (uint32_t)(x125 & UINT32_C(0x1ffffff)); - uint64_t x128 = (x126 + x107); - uint64_t x129 = (x128 >> 26); - uint32_t x130 = (uint32_t)(x128 & UINT32_C(0x3ffffff)); - uint64_t x131 = (x129 + x106); - uint64_t x132 = (x131 >> 25); - uint32_t x133 = (uint32_t)(x131 & UINT32_C(0x1ffffff)); - uint64_t x134 = (x132 + x105); - uint64_t x135 = (x134 >> 26); - uint32_t x136 = (uint32_t)(x134 & UINT32_C(0x3ffffff)); - uint64_t x137 = (x135 + x104); - uint64_t x138 = (x137 >> 25); - uint32_t x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff)); - uint64_t x140 = (x138 * UINT8_C(0x13)); - uint64_t x141 = (x103 + x140); - uint32_t x142 = (uint32_t)(x141 >> 26); - uint32_t x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff)); - uint32_t x144 = (x142 + x115); - fiat_25519_uint1 x145 = (fiat_25519_uint1)(x144 >> 25); - uint32_t x146 = (x144 & UINT32_C(0x1ffffff)); - uint32_t x147 = (x145 + x118); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + 
uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + uint64_t x74; + uint64_t x75; + uint64_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint64_t x88; + uint64_t x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + uint64_t x93; + uint64_t x94; + uint64_t x95; + uint64_t x96; + uint64_t x97; + uint64_t x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint32_t x103; + uint64_t x104; + uint64_t x105; + uint64_t x106; + uint64_t x107; + uint64_t x108; + uint64_t x109; + uint64_t x110; + uint64_t x111; + uint64_t x112; + uint64_t x113; + uint64_t x114; + uint32_t x115; + uint64_t x116; + uint64_t x117; + uint32_t x118; + uint64_t x119; + uint64_t x120; + uint32_t x121; + uint64_t x122; + uint64_t x123; + uint32_t x124; + uint64_t x125; + uint64_t x126; + uint32_t x127; + uint64_t x128; + uint64_t x129; + uint32_t x130; + uint64_t x131; + uint64_t x132; + uint32_t x133; + uint64_t x134; + uint64_t x135; + uint32_t x136; + uint64_t x137; + uint64_t x138; + uint32_t x139; + uint64_t x140; + uint64_t x141; + uint32_t x142; + uint32_t x143; + uint32_t x144; + fiat_25519_uint1 
x145; + uint32_t x146; + uint32_t x147; + x1 = ((uint64_t)(arg1[9]) * ((arg2[9]) * UINT8_C(0x26))); + x2 = ((uint64_t)(arg1[9]) * ((arg2[8]) * UINT8_C(0x13))); + x3 = ((uint64_t)(arg1[9]) * ((arg2[7]) * UINT8_C(0x26))); + x4 = ((uint64_t)(arg1[9]) * ((arg2[6]) * UINT8_C(0x13))); + x5 = ((uint64_t)(arg1[9]) * ((arg2[5]) * UINT8_C(0x26))); + x6 = ((uint64_t)(arg1[9]) * ((arg2[4]) * UINT8_C(0x13))); + x7 = ((uint64_t)(arg1[9]) * ((arg2[3]) * UINT8_C(0x26))); + x8 = ((uint64_t)(arg1[9]) * ((arg2[2]) * UINT8_C(0x13))); + x9 = ((uint64_t)(arg1[9]) * ((arg2[1]) * UINT8_C(0x26))); + x10 = ((uint64_t)(arg1[8]) * ((arg2[9]) * UINT8_C(0x13))); + x11 = ((uint64_t)(arg1[8]) * ((arg2[8]) * UINT8_C(0x13))); + x12 = ((uint64_t)(arg1[8]) * ((arg2[7]) * UINT8_C(0x13))); + x13 = ((uint64_t)(arg1[8]) * ((arg2[6]) * UINT8_C(0x13))); + x14 = ((uint64_t)(arg1[8]) * ((arg2[5]) * UINT8_C(0x13))); + x15 = ((uint64_t)(arg1[8]) * ((arg2[4]) * UINT8_C(0x13))); + x16 = ((uint64_t)(arg1[8]) * ((arg2[3]) * UINT8_C(0x13))); + x17 = ((uint64_t)(arg1[8]) * ((arg2[2]) * UINT8_C(0x13))); + x18 = ((uint64_t)(arg1[7]) * ((arg2[9]) * UINT8_C(0x26))); + x19 = ((uint64_t)(arg1[7]) * ((arg2[8]) * UINT8_C(0x13))); + x20 = ((uint64_t)(arg1[7]) * ((arg2[7]) * UINT8_C(0x26))); + x21 = ((uint64_t)(arg1[7]) * ((arg2[6]) * UINT8_C(0x13))); + x22 = ((uint64_t)(arg1[7]) * ((arg2[5]) * UINT8_C(0x26))); + x23 = ((uint64_t)(arg1[7]) * ((arg2[4]) * UINT8_C(0x13))); + x24 = ((uint64_t)(arg1[7]) * ((arg2[3]) * UINT8_C(0x26))); + x25 = ((uint64_t)(arg1[6]) * ((arg2[9]) * UINT8_C(0x13))); + x26 = ((uint64_t)(arg1[6]) * ((arg2[8]) * UINT8_C(0x13))); + x27 = ((uint64_t)(arg1[6]) * ((arg2[7]) * UINT8_C(0x13))); + x28 = ((uint64_t)(arg1[6]) * ((arg2[6]) * UINT8_C(0x13))); + x29 = ((uint64_t)(arg1[6]) * ((arg2[5]) * UINT8_C(0x13))); + x30 = ((uint64_t)(arg1[6]) * ((arg2[4]) * UINT8_C(0x13))); + x31 = ((uint64_t)(arg1[5]) * ((arg2[9]) * UINT8_C(0x26))); + x32 = ((uint64_t)(arg1[5]) * ((arg2[8]) * UINT8_C(0x13))); + x33 = 
((uint64_t)(arg1[5]) * ((arg2[7]) * UINT8_C(0x26))); + x34 = ((uint64_t)(arg1[5]) * ((arg2[6]) * UINT8_C(0x13))); + x35 = ((uint64_t)(arg1[5]) * ((arg2[5]) * UINT8_C(0x26))); + x36 = ((uint64_t)(arg1[4]) * ((arg2[9]) * UINT8_C(0x13))); + x37 = ((uint64_t)(arg1[4]) * ((arg2[8]) * UINT8_C(0x13))); + x38 = ((uint64_t)(arg1[4]) * ((arg2[7]) * UINT8_C(0x13))); + x39 = ((uint64_t)(arg1[4]) * ((arg2[6]) * UINT8_C(0x13))); + x40 = ((uint64_t)(arg1[3]) * ((arg2[9]) * UINT8_C(0x26))); + x41 = ((uint64_t)(arg1[3]) * ((arg2[8]) * UINT8_C(0x13))); + x42 = ((uint64_t)(arg1[3]) * ((arg2[7]) * UINT8_C(0x26))); + x43 = ((uint64_t)(arg1[2]) * ((arg2[9]) * UINT8_C(0x13))); + x44 = ((uint64_t)(arg1[2]) * ((arg2[8]) * UINT8_C(0x13))); + x45 = ((uint64_t)(arg1[1]) * ((arg2[9]) * UINT8_C(0x26))); + x46 = ((uint64_t)(arg1[9]) * (arg2[0])); + x47 = ((uint64_t)(arg1[8]) * (arg2[1])); + x48 = ((uint64_t)(arg1[8]) * (arg2[0])); + x49 = ((uint64_t)(arg1[7]) * (arg2[2])); + x50 = ((uint64_t)(arg1[7]) * ((arg2[1]) * 0x2)); + x51 = ((uint64_t)(arg1[7]) * (arg2[0])); + x52 = ((uint64_t)(arg1[6]) * (arg2[3])); + x53 = ((uint64_t)(arg1[6]) * (arg2[2])); + x54 = ((uint64_t)(arg1[6]) * (arg2[1])); + x55 = ((uint64_t)(arg1[6]) * (arg2[0])); + x56 = ((uint64_t)(arg1[5]) * (arg2[4])); + x57 = ((uint64_t)(arg1[5]) * ((arg2[3]) * 0x2)); + x58 = ((uint64_t)(arg1[5]) * (arg2[2])); + x59 = ((uint64_t)(arg1[5]) * ((arg2[1]) * 0x2)); + x60 = ((uint64_t)(arg1[5]) * (arg2[0])); + x61 = ((uint64_t)(arg1[4]) * (arg2[5])); + x62 = ((uint64_t)(arg1[4]) * (arg2[4])); + x63 = ((uint64_t)(arg1[4]) * (arg2[3])); + x64 = ((uint64_t)(arg1[4]) * (arg2[2])); + x65 = ((uint64_t)(arg1[4]) * (arg2[1])); + x66 = ((uint64_t)(arg1[4]) * (arg2[0])); + x67 = ((uint64_t)(arg1[3]) * (arg2[6])); + x68 = ((uint64_t)(arg1[3]) * ((arg2[5]) * 0x2)); + x69 = ((uint64_t)(arg1[3]) * (arg2[4])); + x70 = ((uint64_t)(arg1[3]) * ((arg2[3]) * 0x2)); + x71 = ((uint64_t)(arg1[3]) * (arg2[2])); + x72 = ((uint64_t)(arg1[3]) * ((arg2[1]) * 0x2)); + x73 
= ((uint64_t)(arg1[3]) * (arg2[0])); + x74 = ((uint64_t)(arg1[2]) * (arg2[7])); + x75 = ((uint64_t)(arg1[2]) * (arg2[6])); + x76 = ((uint64_t)(arg1[2]) * (arg2[5])); + x77 = ((uint64_t)(arg1[2]) * (arg2[4])); + x78 = ((uint64_t)(arg1[2]) * (arg2[3])); + x79 = ((uint64_t)(arg1[2]) * (arg2[2])); + x80 = ((uint64_t)(arg1[2]) * (arg2[1])); + x81 = ((uint64_t)(arg1[2]) * (arg2[0])); + x82 = ((uint64_t)(arg1[1]) * (arg2[8])); + x83 = ((uint64_t)(arg1[1]) * ((arg2[7]) * 0x2)); + x84 = ((uint64_t)(arg1[1]) * (arg2[6])); + x85 = ((uint64_t)(arg1[1]) * ((arg2[5]) * 0x2)); + x86 = ((uint64_t)(arg1[1]) * (arg2[4])); + x87 = ((uint64_t)(arg1[1]) * ((arg2[3]) * 0x2)); + x88 = ((uint64_t)(arg1[1]) * (arg2[2])); + x89 = ((uint64_t)(arg1[1]) * ((arg2[1]) * 0x2)); + x90 = ((uint64_t)(arg1[1]) * (arg2[0])); + x91 = ((uint64_t)(arg1[0]) * (arg2[9])); + x92 = ((uint64_t)(arg1[0]) * (arg2[8])); + x93 = ((uint64_t)(arg1[0]) * (arg2[7])); + x94 = ((uint64_t)(arg1[0]) * (arg2[6])); + x95 = ((uint64_t)(arg1[0]) * (arg2[5])); + x96 = ((uint64_t)(arg1[0]) * (arg2[4])); + x97 = ((uint64_t)(arg1[0]) * (arg2[3])); + x98 = ((uint64_t)(arg1[0]) * (arg2[2])); + x99 = ((uint64_t)(arg1[0]) * (arg2[1])); + x100 = ((uint64_t)(arg1[0]) * (arg2[0])); + x101 = (x100 + (x45 + (x44 + (x42 + (x39 + (x35 + (x30 + (x24 + (x17 + x9))))))))); + x102 = (x101 >> 26); + x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); + x104 = (x91 + (x82 + (x74 + (x67 + (x61 + (x56 + (x52 + (x49 + (x47 + x46))))))))); + x105 = (x92 + (x83 + (x75 + (x68 + (x62 + (x57 + (x53 + (x50 + (x48 + x1))))))))); + x106 = (x93 + (x84 + (x76 + (x69 + (x63 + (x58 + (x54 + (x51 + (x10 + x2))))))))); + x107 = (x94 + (x85 + (x77 + (x70 + (x64 + (x59 + (x55 + (x18 + (x11 + x3))))))))); + x108 = (x95 + (x86 + (x78 + (x71 + (x65 + (x60 + (x25 + (x19 + (x12 + x4))))))))); + x109 = (x96 + (x87 + (x79 + (x72 + (x66 + (x31 + (x26 + (x20 + (x13 + x5))))))))); + x110 = (x97 + (x88 + (x80 + (x73 + (x36 + (x32 + (x27 + (x21 + (x14 + x6))))))))); + x111 = (x98 
+ (x89 + (x81 + (x40 + (x37 + (x33 + (x28 + (x22 + (x15 + x7))))))))); + x112 = (x99 + (x90 + (x43 + (x41 + (x38 + (x34 + (x29 + (x23 + (x16 + x8))))))))); + x113 = (x102 + x112); + x114 = (x113 >> 25); + x115 = (uint32_t)(x113 & UINT32_C(0x1ffffff)); + x116 = (x114 + x111); + x117 = (x116 >> 26); + x118 = (uint32_t)(x116 & UINT32_C(0x3ffffff)); + x119 = (x117 + x110); + x120 = (x119 >> 25); + x121 = (uint32_t)(x119 & UINT32_C(0x1ffffff)); + x122 = (x120 + x109); + x123 = (x122 >> 26); + x124 = (uint32_t)(x122 & UINT32_C(0x3ffffff)); + x125 = (x123 + x108); + x126 = (x125 >> 25); + x127 = (uint32_t)(x125 & UINT32_C(0x1ffffff)); + x128 = (x126 + x107); + x129 = (x128 >> 26); + x130 = (uint32_t)(x128 & UINT32_C(0x3ffffff)); + x131 = (x129 + x106); + x132 = (x131 >> 25); + x133 = (uint32_t)(x131 & UINT32_C(0x1ffffff)); + x134 = (x132 + x105); + x135 = (x134 >> 26); + x136 = (uint32_t)(x134 & UINT32_C(0x3ffffff)); + x137 = (x135 + x104); + x138 = (x137 >> 25); + x139 = (uint32_t)(x137 & UINT32_C(0x1ffffff)); + x140 = (x138 * UINT8_C(0x13)); + x141 = (x103 + x140); + x142 = (uint32_t)(x141 >> 26); + x143 = (uint32_t)(x141 & UINT32_C(0x3ffffff)); + x144 = (x142 + x115); + x145 = (fiat_25519_uint1)(x144 >> 25); + x146 = (x144 & UINT32_C(0x1ffffff)); + x147 = (x145 + x118); out1[0] = x143; out1[1] = x146; out1[2] = x147; 
@@ -303,135 +486,252 @@ static void fiat_25519_carry_mul(uint32_t out1[10], const uint32_t arg1[10], con /* * The function fiat_25519_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) { - uint32_t x1 = ((arg1[9]) * UINT8_C(0x13)); - uint32_t x2 = (x1 * 0x2); - uint32_t x3 = ((arg1[9]) * 0x2); - uint32_t x4 = ((arg1[8]) * UINT8_C(0x13)); - uint64_t x5 = ((uint64_t)x4 * 0x2); - uint32_t x6 = ((arg1[8]) * 0x2); - uint32_t x7 = ((arg1[7]) * UINT8_C(0x13)); - uint32_t x8 = (x7 * 0x2); - uint32_t x9 = ((arg1[7]) * 0x2); - uint32_t x10 = ((arg1[6]) * UINT8_C(0x13)); - uint64_t x11 = ((uint64_t)x10 * 0x2); - uint32_t x12 = ((arg1[6]) * 0x2); - uint32_t x13 = ((arg1[5]) * UINT8_C(0x13)); - uint32_t x14 = ((arg1[5]) * 0x2); - uint32_t x15 = ((arg1[4]) * 0x2); - uint32_t x16 = ((arg1[3]) * 0x2); - uint32_t x17 = ((arg1[2]) * 0x2); - uint32_t x18 = ((arg1[1]) * 0x2); - uint64_t x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2)); - uint64_t x20 = ((uint64_t)(arg1[8]) * x2); - uint64_t x21 = ((uint64_t)(arg1[8]) * x4); - uint64_t x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2)); - uint64_t x23 = ((arg1[7]) * x5); - uint64_t x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2)); - uint64_t x25 = ((uint64_t)(arg1[6]) * x2); - uint64_t x26 = ((arg1[6]) * x5); - uint64_t x27 = ((uint64_t)(arg1[6]) * x8); - uint64_t x28 = ((uint64_t)(arg1[6]) * x10); - uint64_t x29 = ((arg1[5]) * ((uint64_t)x2 * 
0x2)); - uint64_t x30 = ((arg1[5]) * x5); - uint64_t x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2)); - uint64_t x32 = ((arg1[5]) * x11); - uint64_t x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2)); - uint64_t x34 = ((uint64_t)(arg1[4]) * x2); - uint64_t x35 = ((arg1[4]) * x5); - uint64_t x36 = ((uint64_t)(arg1[4]) * x8); - uint64_t x37 = ((arg1[4]) * x11); - uint64_t x38 = ((uint64_t)(arg1[4]) * x14); - uint64_t x39 = ((uint64_t)(arg1[4]) * (arg1[4])); - uint64_t x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2)); - uint64_t x41 = ((arg1[3]) * x5); - uint64_t x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2)); - uint64_t x43 = ((uint64_t)(arg1[3]) * x12); - uint64_t x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2)); - uint64_t x45 = ((uint64_t)(arg1[3]) * x15); - uint64_t x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2)); - uint64_t x47 = ((uint64_t)(arg1[2]) * x2); - uint64_t x48 = ((arg1[2]) * x5); - uint64_t x49 = ((uint64_t)(arg1[2]) * x9); - uint64_t x50 = ((uint64_t)(arg1[2]) * x12); - uint64_t x51 = ((uint64_t)(arg1[2]) * x14); - uint64_t x52 = ((uint64_t)(arg1[2]) * x15); - uint64_t x53 = ((uint64_t)(arg1[2]) * x16); - uint64_t x54 = ((uint64_t)(arg1[2]) * (arg1[2])); - uint64_t x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2)); - uint64_t x56 = ((uint64_t)(arg1[1]) * x6); - uint64_t x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2)); - uint64_t x58 = ((uint64_t)(arg1[1]) * x12); - uint64_t x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2)); - uint64_t x60 = ((uint64_t)(arg1[1]) * x15); - uint64_t x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2)); - uint64_t x62 = ((uint64_t)(arg1[1]) * x17); - uint64_t x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2)); - uint64_t x64 = ((uint64_t)(arg1[0]) * x3); - uint64_t x65 = ((uint64_t)(arg1[0]) * x6); - uint64_t x66 = ((uint64_t)(arg1[0]) * x9); - uint64_t x67 = ((uint64_t)(arg1[0]) * x12); - uint64_t x68 = ((uint64_t)(arg1[0]) * x14); - uint64_t x69 = ((uint64_t)(arg1[0]) * x15); - uint64_t x70 = ((uint64_t)(arg1[0]) * x16); - uint64_t x71 = ((uint64_t)(arg1[0]) * x17); - uint64_t x72 = 
((uint64_t)(arg1[0]) * x18); - uint64_t x73 = ((uint64_t)(arg1[0]) * (arg1[0])); - uint64_t x74 = (x73 + (x55 + (x48 + (x42 + (x37 + x33))))); - uint64_t x75 = (x74 >> 26); - uint32_t x76 = (uint32_t)(x74 & UINT32_C(0x3ffffff)); - uint64_t x77 = (x64 + (x56 + (x49 + (x43 + x38)))); - uint64_t x78 = (x65 + (x57 + (x50 + (x44 + (x39 + x19))))); - uint64_t x79 = (x66 + (x58 + (x51 + (x45 + x20)))); - uint64_t x80 = (x67 + (x59 + (x52 + (x46 + (x22 + x21))))); - uint64_t x81 = (x68 + (x60 + (x53 + (x25 + x23)))); - uint64_t x82 = (x69 + (x61 + (x54 + (x29 + (x26 + x24))))); - uint64_t x83 = (x70 + (x62 + (x34 + (x30 + x27)))); - uint64_t x84 = (x71 + (x63 + (x40 + (x35 + (x31 + x28))))); - uint64_t x85 = (x72 + (x47 + (x41 + (x36 + x32)))); - uint64_t x86 = (x75 + x85); - uint64_t x87 = (x86 >> 25); - uint32_t x88 = (uint32_t)(x86 & UINT32_C(0x1ffffff)); - uint64_t x89 = (x87 + x84); - uint64_t x90 = (x89 >> 26); - uint32_t x91 = (uint32_t)(x89 & UINT32_C(0x3ffffff)); - uint64_t x92 = (x90 + x83); - uint64_t x93 = (x92 >> 25); - uint32_t x94 = (uint32_t)(x92 & UINT32_C(0x1ffffff)); - uint64_t x95 = (x93 + x82); - uint64_t x96 = (x95 >> 26); - uint32_t x97 = (uint32_t)(x95 & UINT32_C(0x3ffffff)); - uint64_t x98 = (x96 + x81); - uint64_t x99 = (x98 >> 25); - uint32_t x100 = (uint32_t)(x98 & UINT32_C(0x1ffffff)); - uint64_t x101 = (x99 + x80); - uint64_t x102 = (x101 >> 26); - uint32_t x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); - uint64_t x104 = (x102 + x79); - uint64_t x105 = (x104 >> 25); - uint32_t x106 = (uint32_t)(x104 & UINT32_C(0x1ffffff)); - uint64_t x107 = (x105 + x78); - uint64_t x108 = (x107 >> 26); - uint32_t x109 = (uint32_t)(x107 & UINT32_C(0x3ffffff)); - uint64_t x110 = (x108 + x77); - uint64_t x111 = (x110 >> 25); - uint32_t x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff)); - uint64_t x113 = (x111 * UINT8_C(0x13)); - uint64_t x114 = (x76 + x113); - uint32_t x115 = (uint32_t)(x114 >> 26); - uint32_t x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff)); - uint32_t 
x117 = (x115 + x88); - fiat_25519_uint1 x118 = (fiat_25519_uint1)(x117 >> 25); - uint32_t x119 = (x117 & UINT32_C(0x1ffffff)); - uint32_t x120 = (x118 + x91); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint64_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint64_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + uint32_t x17; + uint32_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint64_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + uint64_t x74; + uint64_t x75; + uint32_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + uint64_t x83; + uint64_t x84; + uint64_t x85; + uint64_t x86; + uint64_t x87; + uint32_t x88; + uint64_t x89; + uint64_t x90; + uint32_t x91; + uint64_t x92; + uint64_t x93; + uint32_t x94; + uint64_t x95; + uint64_t x96; + uint32_t x97; + uint64_t x98; + uint64_t x99; + uint32_t x100; + uint64_t x101; + uint64_t x102; + uint32_t x103; + uint64_t x104; + uint64_t x105; + uint32_t x106; + 
uint64_t x107; + uint64_t x108; + uint32_t x109; + uint64_t x110; + uint64_t x111; + uint32_t x112; + uint64_t x113; + uint64_t x114; + uint32_t x115; + uint32_t x116; + uint32_t x117; + fiat_25519_uint1 x118; + uint32_t x119; + uint32_t x120; + x1 = ((arg1[9]) * UINT8_C(0x13)); + x2 = (x1 * 0x2); + x3 = ((arg1[9]) * 0x2); + x4 = ((arg1[8]) * UINT8_C(0x13)); + x5 = ((uint64_t)x4 * 0x2); + x6 = ((arg1[8]) * 0x2); + x7 = ((arg1[7]) * UINT8_C(0x13)); + x8 = (x7 * 0x2); + x9 = ((arg1[7]) * 0x2); + x10 = ((arg1[6]) * UINT8_C(0x13)); + x11 = ((uint64_t)x10 * 0x2); + x12 = ((arg1[6]) * 0x2); + x13 = ((arg1[5]) * UINT8_C(0x13)); + x14 = ((arg1[5]) * 0x2); + x15 = ((arg1[4]) * 0x2); + x16 = ((arg1[3]) * 0x2); + x17 = ((arg1[2]) * 0x2); + x18 = ((arg1[1]) * 0x2); + x19 = ((uint64_t)(arg1[9]) * (x1 * 0x2)); + x20 = ((uint64_t)(arg1[8]) * x2); + x21 = ((uint64_t)(arg1[8]) * x4); + x22 = ((arg1[7]) * ((uint64_t)x2 * 0x2)); + x23 = ((arg1[7]) * x5); + x24 = ((uint64_t)(arg1[7]) * (x7 * 0x2)); + x25 = ((uint64_t)(arg1[6]) * x2); + x26 = ((arg1[6]) * x5); + x27 = ((uint64_t)(arg1[6]) * x8); + x28 = ((uint64_t)(arg1[6]) * x10); + x29 = ((arg1[5]) * ((uint64_t)x2 * 0x2)); + x30 = ((arg1[5]) * x5); + x31 = ((arg1[5]) * ((uint64_t)x8 * 0x2)); + x32 = ((arg1[5]) * x11); + x33 = ((uint64_t)(arg1[5]) * (x13 * 0x2)); + x34 = ((uint64_t)(arg1[4]) * x2); + x35 = ((arg1[4]) * x5); + x36 = ((uint64_t)(arg1[4]) * x8); + x37 = ((arg1[4]) * x11); + x38 = ((uint64_t)(arg1[4]) * x14); + x39 = ((uint64_t)(arg1[4]) * (arg1[4])); + x40 = ((arg1[3]) * ((uint64_t)x2 * 0x2)); + x41 = ((arg1[3]) * x5); + x42 = ((arg1[3]) * ((uint64_t)x8 * 0x2)); + x43 = ((uint64_t)(arg1[3]) * x12); + x44 = ((uint64_t)(arg1[3]) * (x14 * 0x2)); + x45 = ((uint64_t)(arg1[3]) * x15); + x46 = ((uint64_t)(arg1[3]) * ((arg1[3]) * 0x2)); + x47 = ((uint64_t)(arg1[2]) * x2); + x48 = ((arg1[2]) * x5); + x49 = ((uint64_t)(arg1[2]) * x9); + x50 = ((uint64_t)(arg1[2]) * x12); + x51 = ((uint64_t)(arg1[2]) * x14); + x52 = 
((uint64_t)(arg1[2]) * x15); + x53 = ((uint64_t)(arg1[2]) * x16); + x54 = ((uint64_t)(arg1[2]) * (arg1[2])); + x55 = ((arg1[1]) * ((uint64_t)x2 * 0x2)); + x56 = ((uint64_t)(arg1[1]) * x6); + x57 = ((uint64_t)(arg1[1]) * (x9 * 0x2)); + x58 = ((uint64_t)(arg1[1]) * x12); + x59 = ((uint64_t)(arg1[1]) * (x14 * 0x2)); + x60 = ((uint64_t)(arg1[1]) * x15); + x61 = ((uint64_t)(arg1[1]) * (x16 * 0x2)); + x62 = ((uint64_t)(arg1[1]) * x17); + x63 = ((uint64_t)(arg1[1]) * ((arg1[1]) * 0x2)); + x64 = ((uint64_t)(arg1[0]) * x3); + x65 = ((uint64_t)(arg1[0]) * x6); + x66 = ((uint64_t)(arg1[0]) * x9); + x67 = ((uint64_t)(arg1[0]) * x12); + x68 = ((uint64_t)(arg1[0]) * x14); + x69 = ((uint64_t)(arg1[0]) * x15); + x70 = ((uint64_t)(arg1[0]) * x16); + x71 = ((uint64_t)(arg1[0]) * x17); + x72 = ((uint64_t)(arg1[0]) * x18); + x73 = ((uint64_t)(arg1[0]) * (arg1[0])); + x74 = (x73 + (x55 + (x48 + (x42 + (x37 + x33))))); + x75 = (x74 >> 26); + x76 = (uint32_t)(x74 & UINT32_C(0x3ffffff)); + x77 = (x64 + (x56 + (x49 + (x43 + x38)))); + x78 = (x65 + (x57 + (x50 + (x44 + (x39 + x19))))); + x79 = (x66 + (x58 + (x51 + (x45 + x20)))); + x80 = (x67 + (x59 + (x52 + (x46 + (x22 + x21))))); + x81 = (x68 + (x60 + (x53 + (x25 + x23)))); + x82 = (x69 + (x61 + (x54 + (x29 + (x26 + x24))))); + x83 = (x70 + (x62 + (x34 + (x30 + x27)))); + x84 = (x71 + (x63 + (x40 + (x35 + (x31 + x28))))); + x85 = (x72 + (x47 + (x41 + (x36 + x32)))); + x86 = (x75 + x85); + x87 = (x86 >> 25); + x88 = (uint32_t)(x86 & UINT32_C(0x1ffffff)); + x89 = (x87 + x84); + x90 = (x89 >> 26); + x91 = (uint32_t)(x89 & UINT32_C(0x3ffffff)); + x92 = (x90 + x83); + x93 = (x92 >> 25); + x94 = (uint32_t)(x92 & UINT32_C(0x1ffffff)); + x95 = (x93 + x82); + x96 = (x95 >> 26); + x97 = (uint32_t)(x95 & UINT32_C(0x3ffffff)); + x98 = (x96 + x81); + x99 = (x98 >> 25); + x100 = (uint32_t)(x98 & UINT32_C(0x1ffffff)); + x101 = (x99 + x80); + x102 = (x101 >> 26); + x103 = (uint32_t)(x101 & UINT32_C(0x3ffffff)); + x104 = (x102 + x79); + x105 = (x104 >> 
25); + x106 = (uint32_t)(x104 & UINT32_C(0x1ffffff)); + x107 = (x105 + x78); + x108 = (x107 >> 26); + x109 = (uint32_t)(x107 & UINT32_C(0x3ffffff)); + x110 = (x108 + x77); + x111 = (x110 >> 25); + x112 = (uint32_t)(x110 & UINT32_C(0x1ffffff)); + x113 = (x111 * UINT8_C(0x13)); + x114 = (x76 + x113); + x115 = (uint32_t)(x114 >> 26); + x116 = (uint32_t)(x114 & UINT32_C(0x3ffffff)); + x117 = (x115 + x88); + x118 = (fiat_25519_uint1)(x117 >> 25); + x119 = (x117 & UINT32_C(0x1ffffff)); + x120 = (x118 + x91); out1[0] = x116; out1[1] = x119; out1[2] = x120; 
@@ -446,37 +746,56 @@ static void fiat_25519_carry_square(uint32_t out1[10], const uint32_t arg1[10]) /* * The function fiat_25519_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) { - uint32_t x1 = (arg1[0]); - uint32_t x2 = ((x1 >> 26) + (arg1[1])); - uint32_t x3 = ((x2 >> 25) + (arg1[2])); - uint32_t x4 = ((x3 >> 26) + (arg1[3])); - uint32_t x5 = ((x4 >> 25) + (arg1[4])); - uint32_t x6 = ((x5 >> 26) + (arg1[5])); - uint32_t x7 = ((x6 >> 25) + (arg1[6])); - uint32_t x8 = ((x7 >> 26) + (arg1[7])); - uint32_t x9 = ((x8 >> 25) + (arg1[8])); - uint32_t x10 = ((x9 >> 26) + (arg1[9])); - uint32_t x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13))); - uint32_t x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff))); - uint32_t x13 = (x11 & UINT32_C(0x3ffffff)); - uint32_t x14 = (x12 & UINT32_C(0x1ffffff)); - uint32_t x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff))); - uint32_t x16 = (x4 & UINT32_C(0x1ffffff)); - uint32_t x17 = (x5 & UINT32_C(0x3ffffff)); - uint32_t x18 = (x6 & UINT32_C(0x1ffffff)); - uint32_t x19 = (x7 & UINT32_C(0x3ffffff)); - uint32_t x20 = (x8 & UINT32_C(0x1ffffff)); - uint32_t x21 = (x9 & UINT32_C(0x3ffffff)); - uint32_t x22 = (x10 & UINT32_C(0x1ffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + 
uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint32_t x20; + uint32_t x21; + uint32_t x22; + x1 = (arg1[0]); + x2 = ((x1 >> 26) + (arg1[1])); + x3 = ((x2 >> 25) + (arg1[2])); + x4 = ((x3 >> 26) + (arg1[3])); + x5 = ((x4 >> 25) + (arg1[4])); + x6 = ((x5 >> 26) + (arg1[5])); + x7 = ((x6 >> 25) + (arg1[6])); + x8 = ((x7 >> 26) + (arg1[7])); + x9 = ((x8 >> 25) + (arg1[8])); + x10 = ((x9 >> 26) + (arg1[9])); + x11 = ((x1 & UINT32_C(0x3ffffff)) + ((x10 >> 25) * UINT8_C(0x13))); + x12 = ((fiat_25519_uint1)(x11 >> 26) + (x2 & UINT32_C(0x1ffffff))); + x13 = (x11 & UINT32_C(0x3ffffff)); + x14 = (x12 & UINT32_C(0x1ffffff)); + x15 = ((fiat_25519_uint1)(x12 >> 25) + (x3 & UINT32_C(0x3ffffff))); + x16 = (x4 & UINT32_C(0x1ffffff)); + x17 = (x5 & UINT32_C(0x3ffffff)); + x18 = (x6 & UINT32_C(0x1ffffff)); + x19 = (x7 & UINT32_C(0x3ffffff)); + x20 = (x8 & UINT32_C(0x1ffffff)); + x21 = (x9 & UINT32_C(0x3ffffff)); + x22 = (x10 & UINT32_C(0x1ffffff)); out1[0] = x13; out1[1] = x14; out1[2] = x15; 
@@ -491,26 +810,32 @@ static void fiat_25519_carry(uint32_t out1[10], const uint32_t arg1[10]) { /* * The function fiat_25519_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * arg2: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * Output Bounds: - * out1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] */ -static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { - uint32_t x1 = ((arg1[0]) + (arg2[0])); - uint32_t x2 = ((arg1[1]) + (arg2[1])); - uint32_t x3 = ((arg1[2]) + (arg2[2])); - uint32_t x4 = ((arg1[3]) + (arg2[3])); - uint32_t x5 = ((arg1[4]) + (arg2[4])); - uint32_t x6 = ((arg1[5]) + (arg2[5])); - uint32_t x7 = ((arg1[6]) + (arg2[6])); - uint32_t x8 = ((arg1[7]) + (arg2[7])); - uint32_t x9 = ((arg1[8]) + (arg2[8])); - uint32_t x10 = ((arg1[9]) + (arg2[9])); +static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = ((arg1[0]) + (arg2[0])); + x2 = ((arg1[1]) + (arg2[1])); + x3 = ((arg1[2]) + (arg2[2])); + x4 = ((arg1[3]) + (arg2[3])); + x5 = ((arg1[4]) + (arg2[4])); + x6 = ((arg1[5]) + (arg2[5])); + x7 = ((arg1[6]) + (arg2[6])); + x8 = ((arg1[7]) + (arg2[7])); + x9 
= ((arg1[8]) + (arg2[8])); + x10 = ((arg1[9]) + (arg2[9])); out1[0] = x1; out1[1] = x2; out1[2] = x3; 
@@ -525,26 +850,32 @@ static void fiat_25519_add(uint32_t out1[10], const uint32_t arg1[10], const uin /* * The function fiat_25519_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * arg2: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * Output Bounds: - * out1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] */ -static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uint32_t arg2[10]) { - uint32_t x1 = ((UINT32_C(0x7ffffda) + (arg1[0])) - (arg2[0])); - uint32_t x2 = ((UINT32_C(0x3fffffe) + (arg1[1])) - (arg2[1])); - uint32_t x3 = ((UINT32_C(0x7fffffe) + (arg1[2])) - (arg2[2])); - uint32_t x4 = ((UINT32_C(0x3fffffe) + (arg1[3])) - (arg2[3])); - uint32_t x5 = ((UINT32_C(0x7fffffe) + (arg1[4])) - (arg2[4])); - uint32_t x6 = ((UINT32_C(0x3fffffe) + (arg1[5])) - (arg2[5])); - uint32_t x7 = ((UINT32_C(0x7fffffe) + (arg1[6])) - (arg2[6])); - uint32_t x8 = ((UINT32_C(0x3fffffe) + (arg1[7])) - (arg2[7])); - uint32_t x9 = ((UINT32_C(0x7fffffe) + (arg1[8])) - (arg2[8])); - uint32_t x10 = ((UINT32_C(0x3fffffe) + (arg1[9])) - (arg2[9])); +static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = 
((UINT32_C(0x7ffffda) + (arg1[0])) - (arg2[0])); + x2 = ((UINT32_C(0x3fffffe) + (arg1[1])) - (arg2[1])); + x3 = ((UINT32_C(0x7fffffe) + (arg1[2])) - (arg2[2])); + x4 = ((UINT32_C(0x3fffffe) + (arg1[3])) - (arg2[3])); + x5 = ((UINT32_C(0x7fffffe) + (arg1[4])) - (arg2[4])); + x6 = ((UINT32_C(0x3fffffe) + (arg1[5])) - (arg2[5])); + x7 = ((UINT32_C(0x7fffffe) + (arg1[6])) - (arg2[6])); + x8 = ((UINT32_C(0x3fffffe) + (arg1[7])) - (arg2[7])); + x9 = ((UINT32_C(0x7fffffe) + (arg1[8])) - (arg2[8])); + x10 = ((UINT32_C(0x3fffffe) + (arg1[9])) - (arg2[9])); out1[0] = x1; out1[1] = x2; out1[2] = x3; 
@@ -559,25 +890,32 @@ static void fiat_25519_sub(uint32_t out1[10], const uint32_t arg1[10], const uin /* * The function fiat_25519_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] - * Output Bounds: - * out1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] */ -static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { - uint32_t x1 = (UINT32_C(0x7ffffda) - (arg1[0])); - uint32_t x2 = (UINT32_C(0x3fffffe) - (arg1[1])); - uint32_t x3 = (UINT32_C(0x7fffffe) - (arg1[2])); - uint32_t x4 = (UINT32_C(0x3fffffe) - (arg1[3])); - uint32_t x5 = (UINT32_C(0x7fffffe) - (arg1[4])); - uint32_t x6 = (UINT32_C(0x3fffffe) - (arg1[5])); - uint32_t x7 = (UINT32_C(0x7fffffe) - (arg1[6])); - uint32_t x8 = (UINT32_C(0x3fffffe) - (arg1[7])); - uint32_t x9 = (UINT32_C(0x7fffffe) - (arg1[8])); - uint32_t x10 = (UINT32_C(0x3fffffe) - (arg1[9])); +static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = (UINT32_C(0x7ffffda) - (arg1[0])); + x2 = (UINT32_C(0x3fffffe) - (arg1[1])); + x3 = (UINT32_C(0x7fffffe) - (arg1[2])); + x4 = (UINT32_C(0x3fffffe) - (arg1[3])); + x5 = (UINT32_C(0x7fffffe) - (arg1[4])); + x6 = (UINT32_C(0x3fffffe) - (arg1[5])); + x7 = (UINT32_C(0x7fffffe) - (arg1[6])); + x8 = (UINT32_C(0x3fffffe) - (arg1[7])); + x9 = (UINT32_C(0x7fffffe) - (arg1[8])); + x10 = (UINT32_C(0x3fffffe) - (arg1[9])); out1[0] = x1; out1[1] = 
x2; out1[2] = x3; @@ -592,6 +930,7 @@ static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { /* * The function fiat_25519_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * 
@@ -602,26 +941,26 @@ static void fiat_25519_opp(uint32_t out1[10], const uint32_t arg1[10]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const uint32_t arg2[10], const uint32_t arg3[10]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const uint32_t arg2[10], const uint32_t arg3[10]) { uint32_t x1; - fiat_25519_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); uint32_t x2; - fiat_25519_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); uint32_t x3; - fiat_25519_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); uint32_t x4; - fiat_25519_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); uint32_t x5; - fiat_25519_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); uint32_t x6; - fiat_25519_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); uint32_t x7; - fiat_25519_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); uint32_t x8; - fiat_25519_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); uint32_t x9; - fiat_25519_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); uint32_t x10; + fiat_25519_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_25519_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_25519_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_25519_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); + fiat_25519_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); + fiat_25519_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); + fiat_25519_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); + fiat_25519_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); + fiat_25519_cmovznz_u32(&x9, arg1, (arg2[8]), (arg3[8])); fiat_25519_cmovznz_u32(&x10, arg1, (arg2[9]), (arg3[9])); out1[0] = x1; out1[1] = x2; 
@@ -637,336 +976,582 @@ static void fiat_25519_selectznz(uint32_t out1[10], fiat_25519_uint1 arg1, const /* * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * - * Input Bounds: - * arg1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] */ -static void fiat_25519_to_bytes(uint8_t out1[32], const uint32_t arg1[10]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { uint32_t x1; fiat_25519_uint1 x2; - fiat_25519_subborrowx_u26(&x1, &x2, 0x0, (arg1[0]), UINT32_C(0x3ffffed)); uint32_t x3; fiat_25519_uint1 x4; - fiat_25519_subborrowx_u25(&x3, &x4, x2, (arg1[1]), UINT32_C(0x1ffffff)); uint32_t x5; fiat_25519_uint1 x6; - fiat_25519_subborrowx_u26(&x5, &x6, x4, (arg1[2]), UINT32_C(0x3ffffff)); uint32_t x7; fiat_25519_uint1 x8; - fiat_25519_subborrowx_u25(&x7, &x8, x6, (arg1[3]), UINT32_C(0x1ffffff)); uint32_t x9; fiat_25519_uint1 x10; - fiat_25519_subborrowx_u26(&x9, &x10, x8, (arg1[4]), UINT32_C(0x3ffffff)); uint32_t x11; fiat_25519_uint1 x12; - fiat_25519_subborrowx_u25(&x11, &x12, x10, (arg1[5]), UINT32_C(0x1ffffff)); uint32_t x13; fiat_25519_uint1 x14; - fiat_25519_subborrowx_u26(&x13, &x14, x12, (arg1[6]), 
UINT32_C(0x3ffffff)); uint32_t x15; fiat_25519_uint1 x16; - fiat_25519_subborrowx_u25(&x15, &x16, x14, (arg1[7]), UINT32_C(0x1ffffff)); uint32_t x17; fiat_25519_uint1 x18; - fiat_25519_subborrowx_u26(&x17, &x18, x16, (arg1[8]), UINT32_C(0x3ffffff)); uint32_t x19; fiat_25519_uint1 x20; - fiat_25519_subborrowx_u25(&x19, &x20, x18, (arg1[9]), UINT32_C(0x1ffffff)); uint32_t x21; - fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff)); uint32_t x22; fiat_25519_uint1 x23; - fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed))); uint32_t x24; fiat_25519_uint1 x25; - fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff))); uint32_t x26; fiat_25519_uint1 x27; - fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff))); uint32_t x28; fiat_25519_uint1 x29; - fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff))); uint32_t x30; fiat_25519_uint1 x31; - fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff))); uint32_t x32; fiat_25519_uint1 x33; - fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & UINT32_C(0x1ffffff))); uint32_t x34; fiat_25519_uint1 x35; - fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff))); uint32_t x36; fiat_25519_uint1 x37; - fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff))); uint32_t x38; fiat_25519_uint1 x39; - fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff))); uint32_t x40; fiat_25519_uint1 x41; + uint32_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint32_t x47; + uint32_t x48; + uint32_t x49; + uint8_t x50; + uint32_t x51; + uint8_t x52; + uint32_t x53; + uint8_t x54; + uint8_t x55; + uint32_t x56; + uint8_t x57; + uint32_t x58; + uint8_t x59; + uint32_t x60; + uint8_t x61; + uint8_t x62; + uint32_t x63; + uint8_t x64; + uint32_t x65; + uint8_t x66; + uint32_t x67; + uint8_t x68; + uint8_t x69; + uint32_t x70; + uint8_t x71; + uint32_t x72; + 
uint8_t x73; + uint32_t x74; + uint8_t x75; + uint8_t x76; + uint32_t x77; + uint8_t x78; + uint32_t x79; + uint8_t x80; + uint32_t x81; + uint8_t x82; + uint8_t x83; + uint8_t x84; + uint32_t x85; + uint8_t x86; + uint32_t x87; + uint8_t x88; + fiat_25519_uint1 x89; + uint32_t x90; + uint8_t x91; + uint32_t x92; + uint8_t x93; + uint32_t x94; + uint8_t x95; + uint8_t x96; + uint32_t x97; + uint8_t x98; + uint32_t x99; + uint8_t x100; + uint32_t x101; + uint8_t x102; + uint8_t x103; + uint32_t x104; + uint8_t x105; + uint32_t x106; + uint8_t x107; + uint32_t x108; + uint8_t x109; + uint8_t x110; + uint32_t x111; + uint8_t x112; + uint32_t x113; + uint8_t x114; + uint32_t x115; + uint8_t x116; + uint8_t x117; + fiat_25519_subborrowx_u26(&x1, &x2, 0x0, (arg1[0]), UINT32_C(0x3ffffed)); + fiat_25519_subborrowx_u25(&x3, &x4, x2, (arg1[1]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x5, &x6, x4, (arg1[2]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x7, &x8, x6, (arg1[3]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x9, &x10, x8, (arg1[4]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x11, &x12, x10, (arg1[5]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x13, &x14, x12, (arg1[6]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x15, &x16, x14, (arg1[7]), UINT32_C(0x1ffffff)); + fiat_25519_subborrowx_u26(&x17, &x18, x16, (arg1[8]), UINT32_C(0x3ffffff)); + fiat_25519_subborrowx_u25(&x19, &x20, x18, (arg1[9]), UINT32_C(0x1ffffff)); + fiat_25519_cmovznz_u32(&x21, x20, 0x0, UINT32_C(0xffffffff)); + fiat_25519_addcarryx_u26(&x22, &x23, 0x0, x1, (x21 & UINT32_C(0x3ffffed))); + fiat_25519_addcarryx_u25(&x24, &x25, x23, x3, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x26, &x27, x25, x5, (x21 & UINT32_C(0x3ffffff))); + fiat_25519_addcarryx_u25(&x28, &x29, x27, x7, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x30, &x31, x29, x9, (x21 & UINT32_C(0x3ffffff))); + fiat_25519_addcarryx_u25(&x32, &x33, x31, x11, (x21 & 
UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x34, &x35, x33, x13, (x21 & UINT32_C(0x3ffffff))); + fiat_25519_addcarryx_u25(&x36, &x37, x35, x15, (x21 & UINT32_C(0x1ffffff))); + fiat_25519_addcarryx_u26(&x38, &x39, x37, x17, (x21 & UINT32_C(0x3ffffff))); fiat_25519_addcarryx_u25(&x40, &x41, x39, x19, (x21 & UINT32_C(0x1ffffff))); - uint32_t x42 = (x40 << 6); - uint32_t x43 = (x38 << 4); - uint32_t x44 = (x36 << 3); - uint32_t x45 = (x34 * (uint32_t)0x2); - uint32_t x46 = (x30 << 6); - uint32_t x47 = (x28 << 5); - uint32_t x48 = (x26 << 3); - uint32_t x49 = (x24 << 2); - uint32_t x50 = (x22 >> 8); - uint8_t x51 = (uint8_t)(x22 & UINT8_C(0xff)); - uint32_t x52 = (x50 >> 8); - uint8_t x53 = (uint8_t)(x50 & UINT8_C(0xff)); - uint8_t x54 = (uint8_t)(x52 >> 8); - uint8_t x55 = (uint8_t)(x52 & UINT8_C(0xff)); - uint32_t x56 = (x54 + x49); - uint32_t x57 = (x56 >> 8); - uint8_t x58 = (uint8_t)(x56 & UINT8_C(0xff)); - uint32_t x59 = (x57 >> 8); - uint8_t x60 = (uint8_t)(x57 & UINT8_C(0xff)); - uint8_t x61 = (uint8_t)(x59 >> 8); - uint8_t x62 = (uint8_t)(x59 & UINT8_C(0xff)); - uint32_t x63 = (x61 + x48); - uint32_t x64 = (x63 >> 8); - uint8_t x65 = (uint8_t)(x63 & UINT8_C(0xff)); - uint32_t x66 = (x64 >> 8); - uint8_t x67 = (uint8_t)(x64 & UINT8_C(0xff)); - uint8_t x68 = (uint8_t)(x66 >> 8); - uint8_t x69 = (uint8_t)(x66 & UINT8_C(0xff)); - uint32_t x70 = (x68 + x47); - uint32_t x71 = (x70 >> 8); - uint8_t x72 = (uint8_t)(x70 & UINT8_C(0xff)); - uint32_t x73 = (x71 >> 8); - uint8_t x74 = (uint8_t)(x71 & UINT8_C(0xff)); - uint8_t x75 = (uint8_t)(x73 >> 8); - uint8_t x76 = (uint8_t)(x73 & UINT8_C(0xff)); - uint32_t x77 = (x75 + x46); - uint32_t x78 = (x77 >> 8); - uint8_t x79 = (uint8_t)(x77 & UINT8_C(0xff)); - uint32_t x80 = (x78 >> 8); - uint8_t x81 = (uint8_t)(x78 & UINT8_C(0xff)); - uint8_t x82 = (uint8_t)(x80 >> 8); - uint8_t x83 = (uint8_t)(x80 & UINT8_C(0xff)); - uint8_t x84 = (uint8_t)(x82 & UINT8_C(0xff)); - uint32_t x85 = (x32 >> 8); - uint8_t x86 = 
(uint8_t)(x32 & UINT8_C(0xff)); - uint32_t x87 = (x85 >> 8); - uint8_t x88 = (uint8_t)(x85 & UINT8_C(0xff)); - fiat_25519_uint1 x89 = (fiat_25519_uint1)(x87 >> 8); - uint8_t x90 = (uint8_t)(x87 & UINT8_C(0xff)); - uint32_t x91 = (x89 + x45); - uint32_t x92 = (x91 >> 8); - uint8_t x93 = (uint8_t)(x91 & UINT8_C(0xff)); - uint32_t x94 = (x92 >> 8); - uint8_t x95 = (uint8_t)(x92 & UINT8_C(0xff)); - uint8_t x96 = (uint8_t)(x94 >> 8); - uint8_t x97 = (uint8_t)(x94 & UINT8_C(0xff)); - uint32_t x98 = (x96 + x44); - uint32_t x99 = (x98 >> 8); - uint8_t x100 = (uint8_t)(x98 & UINT8_C(0xff)); - uint32_t x101 = (x99 >> 8); - uint8_t x102 = (uint8_t)(x99 & UINT8_C(0xff)); - uint8_t x103 = (uint8_t)(x101 >> 8); - uint8_t x104 = (uint8_t)(x101 & UINT8_C(0xff)); - uint32_t x105 = (x103 + x43); - uint32_t x106 = (x105 >> 8); - uint8_t x107 = (uint8_t)(x105 & UINT8_C(0xff)); - uint32_t x108 = (x106 >> 8); - uint8_t x109 = (uint8_t)(x106 & UINT8_C(0xff)); - uint8_t x110 = (uint8_t)(x108 >> 8); - uint8_t x111 = (uint8_t)(x108 & UINT8_C(0xff)); - uint32_t x112 = (x110 + x42); - uint32_t x113 = (x112 >> 8); - uint8_t x114 = (uint8_t)(x112 & UINT8_C(0xff)); - uint32_t x115 = (x113 >> 8); - uint8_t x116 = (uint8_t)(x113 & UINT8_C(0xff)); - uint8_t x117 = (uint8_t)(x115 >> 8); - uint8_t x118 = (uint8_t)(x115 & UINT8_C(0xff)); - out1[0] = x51; - out1[1] = x53; - out1[2] = x55; - out1[3] = x58; - out1[4] = x60; - out1[5] = x62; - out1[6] = x65; - out1[7] = x67; - out1[8] = x69; - out1[9] = x72; - out1[10] = x74; - out1[11] = x76; - out1[12] = x79; - out1[13] = x81; - out1[14] = x83; - out1[15] = x84; - out1[16] = x86; - out1[17] = x88; - out1[18] = x90; - out1[19] = x93; - out1[20] = x95; - out1[21] = x97; - out1[22] = x100; - out1[23] = x102; - out1[24] = x104; - out1[25] = x107; - out1[26] = x109; - out1[27] = x111; - out1[28] = x114; - out1[29] = x116; - out1[30] = x118; + x42 = (x40 << 6); + x43 = (x38 << 4); + x44 = (x36 << 3); + x45 = (x34 * (uint32_t)0x2); + x46 = (x30 << 6); + x47 = 
(x28 << 5); + x48 = (x26 << 3); + x49 = (x24 << 2); + x50 = (uint8_t)(x22 & UINT8_C(0xff)); + x51 = (x22 >> 8); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (uint8_t)(x53 >> 8); + x56 = (x49 + (uint32_t)x55); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (x56 >> 8); + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (x58 >> 8); + x61 = (uint8_t)(x60 & UINT8_C(0xff)); + x62 = (uint8_t)(x60 >> 8); + x63 = (x48 + (uint32_t)x62); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (x63 >> 8); + x66 = (uint8_t)(x65 & UINT8_C(0xff)); + x67 = (x65 >> 8); + x68 = (uint8_t)(x67 & UINT8_C(0xff)); + x69 = (uint8_t)(x67 >> 8); + x70 = (x47 + (uint32_t)x69); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (uint8_t)(x74 >> 8); + x77 = (x46 + (uint32_t)x76); + x78 = (uint8_t)(x77 & UINT8_C(0xff)); + x79 = (x77 >> 8); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (uint8_t)(x81 >> 8); + x84 = (uint8_t)(x32 & UINT8_C(0xff)); + x85 = (x32 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (fiat_25519_uint1)(x87 >> 8); + x90 = (x45 + (uint32_t)x89); + x91 = (uint8_t)(x90 & UINT8_C(0xff)); + x92 = (x90 >> 8); + x93 = (uint8_t)(x92 & UINT8_C(0xff)); + x94 = (x92 >> 8); + x95 = (uint8_t)(x94 & UINT8_C(0xff)); + x96 = (uint8_t)(x94 >> 8); + x97 = (x44 + (uint32_t)x96); + x98 = (uint8_t)(x97 & UINT8_C(0xff)); + x99 = (x97 >> 8); + x100 = (uint8_t)(x99 & UINT8_C(0xff)); + x101 = (x99 >> 8); + x102 = (uint8_t)(x101 & UINT8_C(0xff)); + x103 = (uint8_t)(x101 >> 8); + x104 = (x43 + (uint32_t)x103); + x105 = (uint8_t)(x104 & UINT8_C(0xff)); + x106 = (x104 >> 8); + x107 = (uint8_t)(x106 & UINT8_C(0xff)); + x108 = (x106 >> 8); + x109 = (uint8_t)(x108 & UINT8_C(0xff)); + x110 = (uint8_t)(x108 >> 8); 
+ x111 = (x42 + (uint32_t)x110); + x112 = (uint8_t)(x111 & UINT8_C(0xff)); + x113 = (x111 >> 8); + x114 = (uint8_t)(x113 & UINT8_C(0xff)); + x115 = (x113 >> 8); + x116 = (uint8_t)(x115 & UINT8_C(0xff)); + x117 = (uint8_t)(x115 >> 8); + out1[0] = x50; + out1[1] = x52; + out1[2] = x54; + out1[3] = x57; + out1[4] = x59; + out1[5] = x61; + out1[6] = x64; + out1[7] = x66; + out1[8] = x68; + out1[9] = x71; + out1[10] = x73; + out1[11] = x75; + out1[12] = x78; + out1[13] = x80; + out1[14] = x82; + out1[15] = x83; + out1[16] = x84; + out1[17] = x86; + out1[18] = x88; + out1[19] = x91; + out1[20] = x93; + out1[21] = x95; + out1[22] = x98; + out1[23] = x100; + out1[24] = x102; + out1[25] = x105; + out1[26] = x107; + out1[27] = x109; + out1[28] = x112; + out1[29] = x114; + out1[30] = x116; out1[31] = x117; } /* * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_from_bytes(uint32_t out1[10], const uint8_t arg1[32]) { - uint32_t x1 = ((uint32_t)(arg1[31]) << 18); - uint32_t x2 = ((uint32_t)(arg1[30]) << 10); - uint32_t x3 = ((uint32_t)(arg1[29]) << 2); - uint32_t x4 = ((uint32_t)(arg1[28]) << 20); - uint32_t x5 = 
((uint32_t)(arg1[27]) << 12); - uint32_t x6 = ((uint32_t)(arg1[26]) << 4); - uint32_t x7 = ((uint32_t)(arg1[25]) << 21); - uint32_t x8 = ((uint32_t)(arg1[24]) << 13); - uint32_t x9 = ((uint32_t)(arg1[23]) << 5); - uint32_t x10 = ((uint32_t)(arg1[22]) << 23); - uint32_t x11 = ((uint32_t)(arg1[21]) << 15); - uint32_t x12 = ((uint32_t)(arg1[20]) << 7); - uint32_t x13 = ((uint32_t)(arg1[19]) << 24); - uint32_t x14 = ((uint32_t)(arg1[18]) << 16); - uint32_t x15 = ((uint32_t)(arg1[17]) << 8); - uint8_t x16 = (arg1[16]); - uint32_t x17 = ((uint32_t)(arg1[15]) << 18); - uint32_t x18 = ((uint32_t)(arg1[14]) << 10); - uint32_t x19 = ((uint32_t)(arg1[13]) << 2); - uint32_t x20 = ((uint32_t)(arg1[12]) << 19); - uint32_t x21 = ((uint32_t)(arg1[11]) << 11); - uint32_t x22 = ((uint32_t)(arg1[10]) << 3); - uint32_t x23 = ((uint32_t)(arg1[9]) << 21); - uint32_t x24 = ((uint32_t)(arg1[8]) << 13); - uint32_t x25 = ((uint32_t)(arg1[7]) << 5); - uint32_t x26 = ((uint32_t)(arg1[6]) << 22); - uint32_t x27 = ((uint32_t)(arg1[5]) << 14); - uint32_t x28 = ((uint32_t)(arg1[4]) << 6); - uint32_t x29 = ((uint32_t)(arg1[3]) << 24); - uint32_t x30 = ((uint32_t)(arg1[2]) << 16); - uint32_t x31 = ((uint32_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint32_t x33 = (x32 + (x31 + (x30 + x29))); - uint8_t x34 = (uint8_t)(x33 >> 26); - uint32_t x35 = (x33 & UINT32_C(0x3ffffff)); - uint32_t x36 = (x3 + (x2 + x1)); - uint32_t x37 = (x6 + (x5 + x4)); - uint32_t x38 = (x9 + (x8 + x7)); - uint32_t x39 = (x12 + (x11 + x10)); - uint32_t x40 = (x16 + (x15 + (x14 + x13))); - uint32_t x41 = (x19 + (x18 + x17)); - uint32_t x42 = (x22 + (x21 + x20)); - uint32_t x43 = (x25 + (x24 + x23)); - uint32_t x44 = (x28 + (x27 + x26)); - uint32_t x45 = (x34 + x44); - uint8_t x46 = (uint8_t)(x45 >> 25); - uint32_t x47 = (x45 & UINT32_C(0x1ffffff)); - uint32_t x48 = (x46 + x43); - uint8_t x49 = (uint8_t)(x48 >> 26); - uint32_t x50 = (x48 & UINT32_C(0x3ffffff)); - uint32_t x51 = (x49 + x42); - uint8_t x52 = (uint8_t)(x51 >> 
25); - uint32_t x53 = (x51 & UINT32_C(0x1ffffff)); - uint32_t x54 = (x52 + x41); - uint32_t x55 = (x54 & UINT32_C(0x3ffffff)); - uint8_t x56 = (uint8_t)(x40 >> 25); - uint32_t x57 = (x40 & UINT32_C(0x1ffffff)); - uint32_t x58 = (x56 + x39); - uint8_t x59 = (uint8_t)(x58 >> 26); - uint32_t x60 = (x58 & UINT32_C(0x3ffffff)); - uint32_t x61 = (x59 + x38); - uint8_t x62 = (uint8_t)(x61 >> 25); - uint32_t x63 = (x61 & UINT32_C(0x1ffffff)); - uint32_t x64 = (x62 + x37); - uint8_t x65 = (uint8_t)(x64 >> 26); - uint32_t x66 = (x64 & UINT32_C(0x3ffffff)); - uint32_t x67 = (x65 + x36); - out1[0] = x35; - out1[1] = x47; - out1[2] = x50; - out1[3] = x53; +static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint8_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint32_t x20; + uint32_t x21; + uint32_t x22; + uint32_t x23; + uint32_t x24; + uint32_t x25; + uint32_t x26; + uint32_t x27; + uint32_t x28; + uint32_t x29; + uint32_t x30; + uint32_t x31; + uint8_t x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint8_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint8_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint8_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint8_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; + uint32_t x57; + uint32_t x58; + uint32_t x59; + uint8_t x60; + uint32_t x61; + uint32_t x62; + uint32_t x63; + uint32_t x64; + uint8_t x65; + uint32_t x66; + uint32_t x67; + uint32_t x68; + uint32_t x69; + uint8_t x70; + uint32_t x71; + uint32_t x72; + uint32_t x73; + uint32_t x74; + uint8_t x75; + uint32_t x76; + uint32_t x77; + uint32_t 
x78; + x1 = ((uint32_t)(arg1[31]) << 18); + x2 = ((uint32_t)(arg1[30]) << 10); + x3 = ((uint32_t)(arg1[29]) << 2); + x4 = ((uint32_t)(arg1[28]) << 20); + x5 = ((uint32_t)(arg1[27]) << 12); + x6 = ((uint32_t)(arg1[26]) << 4); + x7 = ((uint32_t)(arg1[25]) << 21); + x8 = ((uint32_t)(arg1[24]) << 13); + x9 = ((uint32_t)(arg1[23]) << 5); + x10 = ((uint32_t)(arg1[22]) << 23); + x11 = ((uint32_t)(arg1[21]) << 15); + x12 = ((uint32_t)(arg1[20]) << 7); + x13 = ((uint32_t)(arg1[19]) << 24); + x14 = ((uint32_t)(arg1[18]) << 16); + x15 = ((uint32_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint32_t)(arg1[15]) << 18); + x18 = ((uint32_t)(arg1[14]) << 10); + x19 = ((uint32_t)(arg1[13]) << 2); + x20 = ((uint32_t)(arg1[12]) << 19); + x21 = ((uint32_t)(arg1[11]) << 11); + x22 = ((uint32_t)(arg1[10]) << 3); + x23 = ((uint32_t)(arg1[9]) << 21); + x24 = ((uint32_t)(arg1[8]) << 13); + x25 = ((uint32_t)(arg1[7]) << 5); + x26 = ((uint32_t)(arg1[6]) << 22); + x27 = ((uint32_t)(arg1[5]) << 14); + x28 = ((uint32_t)(arg1[4]) << 6); + x29 = ((uint32_t)(arg1[3]) << 24); + x30 = ((uint32_t)(arg1[2]) << 16); + x31 = ((uint32_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x35 & UINT32_C(0x3ffffff)); + x37 = (uint8_t)(x35 >> 26); + x38 = (x28 + (uint32_t)x37); + x39 = (x27 + x38); + x40 = (x26 + x39); + x41 = (x40 & UINT32_C(0x1ffffff)); + x42 = (uint8_t)(x40 >> 25); + x43 = (x25 + (uint32_t)x42); + x44 = (x24 + x43); + x45 = (x23 + x44); + x46 = (x45 & UINT32_C(0x3ffffff)); + x47 = (uint8_t)(x45 >> 26); + x48 = (x22 + (uint32_t)x47); + x49 = (x21 + x48); + x50 = (x20 + x49); + x51 = (x50 & UINT32_C(0x1ffffff)); + x52 = (uint8_t)(x50 >> 25); + x53 = (x19 + (uint32_t)x52); + x54 = (x18 + x53); + x55 = (x17 + x54); + x56 = (x15 + (uint32_t)x16); + x57 = (x14 + x56); + x58 = (x13 + x57); + x59 = (x58 & UINT32_C(0x1ffffff)); + x60 = (uint8_t)(x58 >> 25); + x61 = (x12 + (uint32_t)x60); + x62 = (x11 + x61); + x63 = (x10 + 
x62); + x64 = (x63 & UINT32_C(0x3ffffff)); + x65 = (uint8_t)(x63 >> 26); + x66 = (x9 + (uint32_t)x65); + x67 = (x8 + x66); + x68 = (x7 + x67); + x69 = (x68 & UINT32_C(0x1ffffff)); + x70 = (uint8_t)(x68 >> 25); + x71 = (x6 + (uint32_t)x70); + x72 = (x5 + x71); + x73 = (x4 + x72); + x74 = (x73 & UINT32_C(0x3ffffff)); + x75 = (uint8_t)(x73 >> 26); + x76 = (x3 + (uint32_t)x75); + x77 = (x2 + x76); + x78 = (x1 + x77); + out1[0] = x36; + out1[1] = x41; + out1[2] = x46; + out1[3] = x51; out1[4] = x55; - out1[5] = x57; - out1[6] = x60; - out1[7] = x63; - out1[8] = x66; - out1[9] = x67; + out1[5] = x59; + out1[6] = x64; + out1[7] = x69; + out1[8] = x74; + out1[9] = x78; +} + +/* + * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements. + * + * Postconditions: + * out1 = arg1 + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + x1 = (arg1[0]); + x2 = (arg1[1]); + x3 = (arg1[2]); + x4 = (arg1[3]); + x5 = (arg1[4]); + x6 = (arg1[5]); + x7 = (arg1[6]); + x8 = (arg1[7]); + x9 = (arg1[8]); + x10 = (arg1[9]); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; + out1[5] = x6; + out1[6] = x7; + out1[7] = x8; + out1[8] = x9; + out1[9] = x10; } /* * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. 
+ * * Postconditions: * eval out1 mod m = (121666 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], [0x0 ~> 0xd333332], [0x0 ~> 0x6999999]] - * Output Bounds: - * out1: [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], [0x0 ~> 0x4666666], [0x0 ~> 0x2333333]] */ -static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1[10]) { - uint64_t x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9])); - uint64_t x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8])); - uint64_t x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7])); - uint64_t x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6])); - uint64_t x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5])); - uint64_t x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4])); - uint64_t x7 = ((uint64_t)UINT32_C(0x1db42) * (arg1[3])); - uint64_t x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2])); - uint64_t x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1])); - uint64_t x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0])); - uint32_t x11 = (uint32_t)(x10 >> 26); - uint32_t x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff)); - uint64_t x13 = (x11 + x9); - uint32_t x14 = (uint32_t)(x13 >> 25); - uint32_t x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff)); - uint64_t x16 = (x14 + x8); - uint32_t x17 = (uint32_t)(x16 >> 26); - uint32_t x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff)); - uint64_t x19 = (x17 + x7); - uint32_t x20 = (uint32_t)(x19 >> 25); - uint32_t x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff)); - uint64_t x22 = (x20 + x6); - uint32_t x23 = (uint32_t)(x22 >> 26); - uint32_t x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff)); - uint64_t x25 = (x23 + x5); - uint32_t x26 = (uint32_t)(x25 >> 25); - uint32_t x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff)); - uint64_t x28 = (x26 + x4); - uint32_t x29 = (uint32_t)(x28 >> 
26); - uint32_t x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff)); - uint64_t x31 = (x29 + x3); - uint32_t x32 = (uint32_t)(x31 >> 25); - uint32_t x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff)); - uint64_t x34 = (x32 + x2); - uint32_t x35 = (uint32_t)(x34 >> 26); - uint32_t x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff)); - uint64_t x37 = (x35 + x1); - uint32_t x38 = (uint32_t)(x37 >> 25); - uint32_t x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff)); - uint32_t x40 = (x38 * UINT8_C(0x13)); - uint32_t x41 = (x12 + x40); - fiat_25519_uint1 x42 = (fiat_25519_uint1)(x41 >> 26); - uint32_t x43 = (x41 & UINT32_C(0x3ffffff)); - uint32_t x44 = (x42 + x15); - fiat_25519_uint1 x45 = (fiat_25519_uint1)(x44 >> 25); - uint32_t x46 = (x44 & UINT32_C(0x1ffffff)); - uint32_t x47 = (x45 + x18); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint32_t x11; + uint32_t x12; + uint64_t x13; + uint32_t x14; + uint32_t x15; + uint64_t x16; + uint32_t x17; + uint32_t x18; + uint64_t x19; + uint32_t x20; + uint32_t x21; + uint64_t x22; + uint32_t x23; + uint32_t x24; + uint64_t x25; + uint32_t x26; + uint32_t x27; + uint64_t x28; + uint32_t x29; + uint32_t x30; + uint64_t x31; + uint32_t x32; + uint32_t x33; + uint64_t x34; + uint32_t x35; + uint32_t x36; + uint64_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + fiat_25519_uint1 x42; + uint32_t x43; + uint32_t x44; + fiat_25519_uint1 x45; + uint32_t x46; + uint32_t x47; + x1 = ((uint64_t)UINT32_C(0x1db42) * (arg1[9])); + x2 = ((uint64_t)UINT32_C(0x1db42) * (arg1[8])); + x3 = ((uint64_t)UINT32_C(0x1db42) * (arg1[7])); + x4 = ((uint64_t)UINT32_C(0x1db42) * (arg1[6])); + x5 = ((uint64_t)UINT32_C(0x1db42) * (arg1[5])); + x6 = ((uint64_t)UINT32_C(0x1db42) * (arg1[4])); + x7 = 
((uint64_t)UINT32_C(0x1db42) * (arg1[3])); + x8 = ((uint64_t)UINT32_C(0x1db42) * (arg1[2])); + x9 = ((uint64_t)UINT32_C(0x1db42) * (arg1[1])); + x10 = ((uint64_t)UINT32_C(0x1db42) * (arg1[0])); + x11 = (uint32_t)(x10 >> 26); + x12 = (uint32_t)(x10 & UINT32_C(0x3ffffff)); + x13 = (x11 + x9); + x14 = (uint32_t)(x13 >> 25); + x15 = (uint32_t)(x13 & UINT32_C(0x1ffffff)); + x16 = (x14 + x8); + x17 = (uint32_t)(x16 >> 26); + x18 = (uint32_t)(x16 & UINT32_C(0x3ffffff)); + x19 = (x17 + x7); + x20 = (uint32_t)(x19 >> 25); + x21 = (uint32_t)(x19 & UINT32_C(0x1ffffff)); + x22 = (x20 + x6); + x23 = (uint32_t)(x22 >> 26); + x24 = (uint32_t)(x22 & UINT32_C(0x3ffffff)); + x25 = (x23 + x5); + x26 = (uint32_t)(x25 >> 25); + x27 = (uint32_t)(x25 & UINT32_C(0x1ffffff)); + x28 = (x26 + x4); + x29 = (uint32_t)(x28 >> 26); + x30 = (uint32_t)(x28 & UINT32_C(0x3ffffff)); + x31 = (x29 + x3); + x32 = (uint32_t)(x31 >> 25); + x33 = (uint32_t)(x31 & UINT32_C(0x1ffffff)); + x34 = (x32 + x2); + x35 = (uint32_t)(x34 >> 26); + x36 = (uint32_t)(x34 & UINT32_C(0x3ffffff)); + x37 = (x35 + x1); + x38 = (uint32_t)(x37 >> 25); + x39 = (uint32_t)(x37 & UINT32_C(0x1ffffff)); + x40 = (x38 * UINT8_C(0x13)); + x41 = (x12 + x40); + x42 = (fiat_25519_uint1)(x41 >> 26); + x43 = (x41 & UINT32_C(0x3ffffff)); + x44 = (x42 + x15); + x45 = (fiat_25519_uint1)(x44 >> 25); + x46 = (x44 & UINT32_C(0x1ffffff)); + x47 = (x45 + x18); out1[0] = x43; out1[1] = x46; out1[2] = x47; @@ -978,4 +1563,3 @@ static void fiat_25519_carry_scmul_121666(uint32_t out1[10], const uint32_t arg1 out1[8] = x36; out1[9] = x39; } - diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64.h b/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64.h index 02679bbb..faed049d 100644 --- a/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64.h +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/curve25519_64.h 
@@ -1,26 +1,56 @@ -/* Autogenerated: src/ExtractionOCaml/unsaturated_solinas --static 25519 5 '2^255 - 19' 64 carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes carry_scmul121666 */ +/* Autogenerated: 'src/ExtractionOCaml/unsaturated_solinas' --inline --static --use-value-barrier 25519 64 '(auto)' '2^255 - 19' carry_mul carry_square carry add sub opp selectznz to_bytes from_bytes relax carry_scmul121666 */ /* curve description: 25519 */ -/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, carry_scmul121666 */ -/* n = 5 (from "5") */ -/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ /* machine_wordsize = 64 (from "64") */ - +/* requested operations: carry_mul, carry_square, carry, add, sub, opp, selectznz, to_bytes, from_bytes, relax, carry_scmul121666 */ +/* n = 5 (from "(auto)") */ +/* s-c = 2^255 - [(1, 19)] (from "2^255 - 19") */ +/* tight_bounds_multiplier = 1 (from "") */ +/* */ /* Computed values: */ -/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* carry_chain = [0, 1, 2, 3, 4, 0, 1] */ +/* eval z = z[0] + (z[1] << 51) + (z[2] << 102) + (z[3] << 153) + (z[4] << 204) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* balance = [0xfffffffffffda, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe, 0xffffffffffffe] */ #include typedef unsigned char fiat_25519_uint1; typedef signed char fiat_25519_int1; -typedef signed __int128 fiat_25519_int128; -typedef unsigned __int128 fiat_25519_uint128; +#if defined(__GNUC__) 
|| defined(__clang__) +# define FIAT_25519_FIAT_EXTENSION __extension__ +# define FIAT_25519_FIAT_INLINE __inline__ +#else +# define FIAT_25519_FIAT_EXTENSION +# define FIAT_25519_FIAT_INLINE +#endif + +FIAT_25519_FIAT_EXTENSION typedef signed __int128 fiat_25519_int128; +FIAT_25519_FIAT_EXTENSION typedef unsigned __int128 fiat_25519_uint128; + +/* The type fiat_25519_loose_field_element is a field element with loose bounds. */ +/* Bounds: [[0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000], [0x0 ~> 0x18000000000000]] */ +typedef uint64_t fiat_25519_loose_field_element[5]; + +/* The type fiat_25519_tight_field_element is a field element with tight bounds. */ +/* Bounds: [[0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000], [0x0 ~> 0x8000000000000]] */ +typedef uint64_t fiat_25519_tight_field_element[5]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_25519_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t fiat_25519_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_25519_value_barrier_u64(x) (x) +#endif + /* * The function fiat_25519_addcarryx_u51 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^51 * out2 = ⌊(arg1 + arg2 + arg3) / 2^51⌋ 
@@ -33,16 +63,20 @@ typedef unsigned __int128 fiat_25519_uint128; * out1: [0x0 ~> 0x7ffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - uint64_t x1 = ((arg1 + arg2) + arg3); - uint64_t x2 = (x1 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint1 x3 = (fiat_25519_uint1)(x1 >> 51); +static FIAT_25519_FIAT_INLINE void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + uint64_t x1; + uint64_t x2; + fiat_25519_uint1 x3; + x1 = ((arg1 + arg2) + arg3); + x2 = (x1 & UINT64_C(0x7ffffffffffff)); + x3 = (fiat_25519_uint1)(x1 >> 51); *out1 = x2; *out2 = x3; } /* * The function fiat_25519_subborrowx_u51 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^51 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^51⌋ @@ -55,16 +89,20 @@ static void fiat_25519_addcarryx_u51(uint64_t* out1, fiat_25519_uint1* out2, fia * out1: [0x0 ~> 0x7ffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - int64_t x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); - fiat_25519_int1 x2 = (fiat_25519_int1)(x1 >> 51); - uint64_t x3 = (x1 & UINT64_C(0x7ffffffffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + int64_t x1; + fiat_25519_int1 x2; + uint64_t x3; + x1 = ((int64_t)(arg2 - (int64_t)arg1) - (int64_t)arg3); + x2 = (fiat_25519_int1)(x1 >> 51); + x3 = (x1 & UINT64_C(0x7ffffffffffff)); *out1 = x3; *out2 = (fiat_25519_uint1)(0x0 - x2); } /* * The function fiat_25519_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -75,83 +113,128 @@ static void fiat_25519_subborrowx_u51(uint64_t* out1, fiat_25519_uint1* out2, fi * Output Bounds: * out1: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_25519_uint1 x1 = (!(!arg1)); - uint64_t x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint64_t x3 = ((value_barrier_u64(x2) & arg3) | (value_barrier_u64(~x2) & arg2)); +static FIAT_25519_FIAT_INLINE void fiat_25519_cmovznz_u64(uint64_t* out1, fiat_25519_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_25519_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_25519_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_25519_value_barrier_u64(x2) & arg3) | (fiat_25519_value_barrier_u64((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_25519_carry_mul multiplies two field elements and reduces the result. 
+ * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * arg2: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry_mul(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { - fiat_25519_uint128 x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13))); - fiat_25519_uint128 x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13))); - fiat_25519_uint128 x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13))); - fiat_25519_uint128 x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13))); - fiat_25519_uint128 x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13))); - fiat_25519_uint128 x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13))); - fiat_25519_uint128 x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) * UINT8_C(0x13))); - fiat_25519_uint128 x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0])); - fiat_25519_uint128 x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1])); - fiat_25519_uint128 x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0])); - fiat_25519_uint128 x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2])); - fiat_25519_uint128 x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1])); - fiat_25519_uint128 x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0])); - fiat_25519_uint128 x17 = 
((fiat_25519_uint128)(arg1[1]) * (arg2[3])); - fiat_25519_uint128 x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2])); - fiat_25519_uint128 x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1])); - fiat_25519_uint128 x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0])); - fiat_25519_uint128 x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4])); - fiat_25519_uint128 x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3])); - fiat_25519_uint128 x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2])); - fiat_25519_uint128 x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1])); - fiat_25519_uint128 x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0])); - fiat_25519_uint128 x26 = (x25 + (x10 + (x9 + (x7 + x4)))); - uint64_t x27 = (uint64_t)(x26 >> 51); - uint64_t x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x29 = (x21 + (x17 + (x14 + (x12 + x11)))); - fiat_25519_uint128 x30 = (x22 + (x18 + (x15 + (x13 + x1)))); - fiat_25519_uint128 x31 = (x23 + (x19 + (x16 + (x5 + x2)))); - fiat_25519_uint128 x32 = (x24 + (x20 + (x8 + (x6 + x3)))); - fiat_25519_uint128 x33 = (x27 + x32); - uint64_t x34 = (uint64_t)(x33 >> 51); - uint64_t x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x36 = (x34 + x31); - uint64_t x37 = (uint64_t)(x36 >> 51); - uint64_t x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x39 = (x37 + x30); - uint64_t x40 = (uint64_t)(x39 >> 51); - uint64_t x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x42 = (x40 + x29); - uint64_t x43 = (uint64_t)(x42 >> 51); - uint64_t x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff)); - uint64_t x45 = (x43 * UINT8_C(0x13)); - uint64_t x46 = (x28 + x45); - uint64_t x47 = (x46 >> 51); - uint64_t x48 = (x46 & UINT64_C(0x7ffffffffffff)); - uint64_t x49 = (x47 + x35); - fiat_25519_uint1 x50 = (fiat_25519_uint1)(x49 >> 51); - uint64_t x51 = (x49 & UINT64_C(0x7ffffffffffff)); - uint64_t x52 = (x50 + x38); +static FIAT_25519_FIAT_INLINE void 
fiat_25519_carry_mul(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1, const fiat_25519_loose_field_element arg2) { + fiat_25519_uint128 x1; + fiat_25519_uint128 x2; + fiat_25519_uint128 x3; + fiat_25519_uint128 x4; + fiat_25519_uint128 x5; + fiat_25519_uint128 x6; + fiat_25519_uint128 x7; + fiat_25519_uint128 x8; + fiat_25519_uint128 x9; + fiat_25519_uint128 x10; + fiat_25519_uint128 x11; + fiat_25519_uint128 x12; + fiat_25519_uint128 x13; + fiat_25519_uint128 x14; + fiat_25519_uint128 x15; + fiat_25519_uint128 x16; + fiat_25519_uint128 x17; + fiat_25519_uint128 x18; + fiat_25519_uint128 x19; + fiat_25519_uint128 x20; + fiat_25519_uint128 x21; + fiat_25519_uint128 x22; + fiat_25519_uint128 x23; + fiat_25519_uint128 x24; + fiat_25519_uint128 x25; + fiat_25519_uint128 x26; + uint64_t x27; + uint64_t x28; + fiat_25519_uint128 x29; + fiat_25519_uint128 x30; + fiat_25519_uint128 x31; + fiat_25519_uint128 x32; + fiat_25519_uint128 x33; + uint64_t x34; + uint64_t x35; + fiat_25519_uint128 x36; + uint64_t x37; + uint64_t x38; + fiat_25519_uint128 x39; + uint64_t x40; + uint64_t x41; + fiat_25519_uint128 x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + fiat_25519_uint1 x50; + uint64_t x51; + uint64_t x52; + x1 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[4]) * UINT8_C(0x13))); + x2 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[3]) * UINT8_C(0x13))); + x3 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[2]) * UINT8_C(0x13))); + x4 = ((fiat_25519_uint128)(arg1[4]) * ((arg2[1]) * UINT8_C(0x13))); + x5 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[4]) * UINT8_C(0x13))); + x6 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[3]) * UINT8_C(0x13))); + x7 = ((fiat_25519_uint128)(arg1[3]) * ((arg2[2]) * UINT8_C(0x13))); + x8 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[4]) * UINT8_C(0x13))); + x9 = ((fiat_25519_uint128)(arg1[2]) * ((arg2[3]) * UINT8_C(0x13))); + x10 = ((fiat_25519_uint128)(arg1[1]) * ((arg2[4]) 
* UINT8_C(0x13))); + x11 = ((fiat_25519_uint128)(arg1[4]) * (arg2[0])); + x12 = ((fiat_25519_uint128)(arg1[3]) * (arg2[1])); + x13 = ((fiat_25519_uint128)(arg1[3]) * (arg2[0])); + x14 = ((fiat_25519_uint128)(arg1[2]) * (arg2[2])); + x15 = ((fiat_25519_uint128)(arg1[2]) * (arg2[1])); + x16 = ((fiat_25519_uint128)(arg1[2]) * (arg2[0])); + x17 = ((fiat_25519_uint128)(arg1[1]) * (arg2[3])); + x18 = ((fiat_25519_uint128)(arg1[1]) * (arg2[2])); + x19 = ((fiat_25519_uint128)(arg1[1]) * (arg2[1])); + x20 = ((fiat_25519_uint128)(arg1[1]) * (arg2[0])); + x21 = ((fiat_25519_uint128)(arg1[0]) * (arg2[4])); + x22 = ((fiat_25519_uint128)(arg1[0]) * (arg2[3])); + x23 = ((fiat_25519_uint128)(arg1[0]) * (arg2[2])); + x24 = ((fiat_25519_uint128)(arg1[0]) * (arg2[1])); + x25 = ((fiat_25519_uint128)(arg1[0]) * (arg2[0])); + x26 = (x25 + (x10 + (x9 + (x7 + x4)))); + x27 = (uint64_t)(x26 >> 51); + x28 = (uint64_t)(x26 & UINT64_C(0x7ffffffffffff)); + x29 = (x21 + (x17 + (x14 + (x12 + x11)))); + x30 = (x22 + (x18 + (x15 + (x13 + x1)))); + x31 = (x23 + (x19 + (x16 + (x5 + x2)))); + x32 = (x24 + (x20 + (x8 + (x6 + x3)))); + x33 = (x27 + x32); + x34 = (uint64_t)(x33 >> 51); + x35 = (uint64_t)(x33 & UINT64_C(0x7ffffffffffff)); + x36 = (x34 + x31); + x37 = (uint64_t)(x36 >> 51); + x38 = (uint64_t)(x36 & UINT64_C(0x7ffffffffffff)); + x39 = (x37 + x30); + x40 = (uint64_t)(x39 >> 51); + x41 = (uint64_t)(x39 & UINT64_C(0x7ffffffffffff)); + x42 = (x40 + x29); + x43 = (uint64_t)(x42 >> 51); + x44 = (uint64_t)(x42 & UINT64_C(0x7ffffffffffff)); + x45 = (x43 * UINT8_C(0x13)); + x46 = (x28 + x45); + x47 = (x46 >> 51); + x48 = (x46 & UINT64_C(0x7ffffffffffff)); + x49 = (x47 + x35); + x50 = (fiat_25519_uint1)(x49 >> 51); + x51 = (x49 & UINT64_C(0x7ffffffffffff)); + x52 = (x50 + x38); out1[0] = x48; out1[1] = x51; out1[2] = x52; 
@@ -161,65 +244,112 @@ static void fiat_25519_carry_mul(uint64_t out1[5], const uint64_t arg1[5], const /* * The function fiat_25519_carry_square squares a field element and reduces the result. + * * Postconditions: * eval out1 mod m = (eval arg1 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry_square(uint64_t out1[5], const uint64_t arg1[5]) { - uint64_t x1 = ((arg1[4]) * UINT8_C(0x13)); - uint64_t x2 = (x1 * 0x2); - uint64_t x3 = ((arg1[4]) * 0x2); - uint64_t x4 = ((arg1[3]) * UINT8_C(0x13)); - uint64_t x5 = (x4 * 0x2); - uint64_t x6 = ((arg1[3]) * 0x2); - uint64_t x7 = ((arg1[2]) * 0x2); - uint64_t x8 = ((arg1[1]) * 0x2); - fiat_25519_uint128 x9 = ((fiat_25519_uint128)(arg1[4]) * x1); - fiat_25519_uint128 x10 = ((fiat_25519_uint128)(arg1[3]) * x2); - fiat_25519_uint128 x11 = ((fiat_25519_uint128)(arg1[3]) * x4); - fiat_25519_uint128 x12 = ((fiat_25519_uint128)(arg1[2]) * x2); - fiat_25519_uint128 x13 = ((fiat_25519_uint128)(arg1[2]) * x5); - fiat_25519_uint128 x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2])); - fiat_25519_uint128 x15 = ((fiat_25519_uint128)(arg1[1]) * x2); - fiat_25519_uint128 x16 = ((fiat_25519_uint128)(arg1[1]) * x6); - fiat_25519_uint128 x17 = ((fiat_25519_uint128)(arg1[1]) * x7); - fiat_25519_uint128 x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1])); - fiat_25519_uint128 x19 = ((fiat_25519_uint128)(arg1[0]) * x3); - fiat_25519_uint128 x20 = ((fiat_25519_uint128)(arg1[0]) * x6); - fiat_25519_uint128 x21 = ((fiat_25519_uint128)(arg1[0]) * x7); - fiat_25519_uint128 x22 = ((fiat_25519_uint128)(arg1[0]) * x8); - fiat_25519_uint128 x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0])); - fiat_25519_uint128 x24 = (x23 + (x15 + 
x13)); - uint64_t x25 = (uint64_t)(x24 >> 51); - uint64_t x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x27 = (x19 + (x16 + x14)); - fiat_25519_uint128 x28 = (x20 + (x17 + x9)); - fiat_25519_uint128 x29 = (x21 + (x18 + x10)); - fiat_25519_uint128 x30 = (x22 + (x12 + x11)); - fiat_25519_uint128 x31 = (x25 + x30); - uint64_t x32 = (uint64_t)(x31 >> 51); - uint64_t x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x34 = (x32 + x29); - uint64_t x35 = (uint64_t)(x34 >> 51); - uint64_t x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x37 = (x35 + x28); - uint64_t x38 = (uint64_t)(x37 >> 51); - uint64_t x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x40 = (x38 + x27); - uint64_t x41 = (uint64_t)(x40 >> 51); - uint64_t x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff)); - uint64_t x43 = (x41 * UINT8_C(0x13)); - uint64_t x44 = (x26 + x43); - uint64_t x45 = (x44 >> 51); - uint64_t x46 = (x44 & UINT64_C(0x7ffffffffffff)); - uint64_t x47 = (x45 + x33); - fiat_25519_uint1 x48 = (fiat_25519_uint1)(x47 >> 51); - uint64_t x49 = (x47 & UINT64_C(0x7ffffffffffff)); - uint64_t x50 = (x48 + x36); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_square(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + fiat_25519_uint128 x9; + fiat_25519_uint128 x10; + fiat_25519_uint128 x11; + fiat_25519_uint128 x12; + fiat_25519_uint128 x13; + fiat_25519_uint128 x14; + fiat_25519_uint128 x15; + fiat_25519_uint128 x16; + fiat_25519_uint128 x17; + fiat_25519_uint128 x18; + fiat_25519_uint128 x19; + fiat_25519_uint128 x20; + fiat_25519_uint128 x21; + fiat_25519_uint128 x22; + fiat_25519_uint128 x23; + fiat_25519_uint128 x24; + uint64_t x25; + uint64_t x26; + fiat_25519_uint128 x27; + fiat_25519_uint128 x28; + fiat_25519_uint128 x29; + fiat_25519_uint128 
x30; + fiat_25519_uint128 x31; + uint64_t x32; + uint64_t x33; + fiat_25519_uint128 x34; + uint64_t x35; + uint64_t x36; + fiat_25519_uint128 x37; + uint64_t x38; + uint64_t x39; + fiat_25519_uint128 x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + fiat_25519_uint1 x48; + uint64_t x49; + uint64_t x50; + x1 = ((arg1[4]) * UINT8_C(0x13)); + x2 = (x1 * 0x2); + x3 = ((arg1[4]) * 0x2); + x4 = ((arg1[3]) * UINT8_C(0x13)); + x5 = (x4 * 0x2); + x6 = ((arg1[3]) * 0x2); + x7 = ((arg1[2]) * 0x2); + x8 = ((arg1[1]) * 0x2); + x9 = ((fiat_25519_uint128)(arg1[4]) * x1); + x10 = ((fiat_25519_uint128)(arg1[3]) * x2); + x11 = ((fiat_25519_uint128)(arg1[3]) * x4); + x12 = ((fiat_25519_uint128)(arg1[2]) * x2); + x13 = ((fiat_25519_uint128)(arg1[2]) * x5); + x14 = ((fiat_25519_uint128)(arg1[2]) * (arg1[2])); + x15 = ((fiat_25519_uint128)(arg1[1]) * x2); + x16 = ((fiat_25519_uint128)(arg1[1]) * x6); + x17 = ((fiat_25519_uint128)(arg1[1]) * x7); + x18 = ((fiat_25519_uint128)(arg1[1]) * (arg1[1])); + x19 = ((fiat_25519_uint128)(arg1[0]) * x3); + x20 = ((fiat_25519_uint128)(arg1[0]) * x6); + x21 = ((fiat_25519_uint128)(arg1[0]) * x7); + x22 = ((fiat_25519_uint128)(arg1[0]) * x8); + x23 = ((fiat_25519_uint128)(arg1[0]) * (arg1[0])); + x24 = (x23 + (x15 + x13)); + x25 = (uint64_t)(x24 >> 51); + x26 = (uint64_t)(x24 & UINT64_C(0x7ffffffffffff)); + x27 = (x19 + (x16 + x14)); + x28 = (x20 + (x17 + x9)); + x29 = (x21 + (x18 + x10)); + x30 = (x22 + (x12 + x11)); + x31 = (x25 + x30); + x32 = (uint64_t)(x31 >> 51); + x33 = (uint64_t)(x31 & UINT64_C(0x7ffffffffffff)); + x34 = (x32 + x29); + x35 = (uint64_t)(x34 >> 51); + x36 = (uint64_t)(x34 & UINT64_C(0x7ffffffffffff)); + x37 = (x35 + x28); + x38 = (uint64_t)(x37 >> 51); + x39 = (uint64_t)(x37 & UINT64_C(0x7ffffffffffff)); + x40 = (x38 + x27); + x41 = (uint64_t)(x40 >> 51); + x42 = (uint64_t)(x40 & UINT64_C(0x7ffffffffffff)); + x43 = (x41 * UINT8_C(0x13)); + x44 = (x26 + x43); + 
x45 = (x44 >> 51); + x46 = (x44 & UINT64_C(0x7ffffffffffff)); + x47 = (x45 + x33); + x48 = (fiat_25519_uint1)(x47 >> 51); + x49 = (x47 & UINT64_C(0x7ffffffffffff)); + x50 = (x48 + x36); out1[0] = x46; out1[1] = x49; out1[2] = x50; 
@@ -229,27 +359,36 @@ static void fiat_25519_carry_square(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_carry reduces a field element. + * * Postconditions: * eval out1 mod m = eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry(uint64_t out1[5], const uint64_t arg1[5]) { - uint64_t x1 = (arg1[0]); - uint64_t x2 = ((x1 >> 51) + (arg1[1])); - uint64_t x3 = ((x2 >> 51) + (arg1[2])); - uint64_t x4 = ((x3 >> 51) + (arg1[3])); - uint64_t x5 = ((x4 >> 51) + (arg1[4])); - uint64_t x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13))); - uint64_t x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff))); - uint64_t x8 = (x6 & UINT64_C(0x7ffffffffffff)); - uint64_t x9 = (x7 & UINT64_C(0x7ffffffffffff)); - uint64_t x10 = ((fiat_25519_uint1)(x7 >> 51) + (x3 & UINT64_C(0x7ffffffffffff))); - uint64_t x11 = (x4 & UINT64_C(0x7ffffffffffff)); - uint64_t x12 = (x5 & UINT64_C(0x7ffffffffffff)); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry(fiat_25519_tight_field_element out1, const fiat_25519_loose_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + x1 = (arg1[0]); + x2 = ((x1 >> 51) + (arg1[1])); + x3 = ((x2 >> 51) + (arg1[2])); + x4 = ((x3 >> 51) + (arg1[3])); + x5 = ((x4 >> 51) + (arg1[4])); + x6 = ((x1 & UINT64_C(0x7ffffffffffff)) + ((x5 >> 51) * UINT8_C(0x13))); + x7 = ((fiat_25519_uint1)(x6 >> 51) + (x2 & UINT64_C(0x7ffffffffffff))); + x8 = (x6 & UINT64_C(0x7ffffffffffff)); + x9 = (x7 & UINT64_C(0x7ffffffffffff)); + x10 = ((fiat_25519_uint1)(x7 
>> 51) + (x3 & UINT64_C(0x7ffffffffffff))); + x11 = (x4 & UINT64_C(0x7ffffffffffff)); + x12 = (x5 & UINT64_C(0x7ffffffffffff)); out1[0] = x8; out1[1] = x9; out1[2] = x10; @@ -259,21 +398,22 @@ static void fiat_25519_carry(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_add adds two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 + eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * Output Bounds: - * out1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] */ -static void fiat_25519_add(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { - uint64_t x1 = ((arg1[0]) + (arg2[0])); - uint64_t x2 = ((arg1[1]) + (arg2[1])); - uint64_t x3 = ((arg1[2]) + (arg2[2])); - uint64_t x4 = ((arg1[3]) + (arg2[3])); - uint64_t x5 = ((arg1[4]) + (arg2[4])); +static FIAT_25519_FIAT_INLINE void fiat_25519_add(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = ((arg1[0]) + (arg2[0])); + x2 = ((arg1[1]) + (arg2[1])); + x3 = ((arg1[2]) + (arg2[2])); + x4 = ((arg1[3]) + (arg2[3])); + x5 = ((arg1[4]) + (arg2[4])); out1[0] = x1; out1[1] = x2; out1[2] = x3; 
@@ -283,21 +423,22 @@ static void fiat_25519_add(uint64_t out1[5], const uint64_t arg1[5], const uint6 /* * The function fiat_25519_sub subtracts two field elements. + * * Postconditions: * eval out1 mod m = (eval arg1 - eval arg2) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * arg2: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * Output Bounds: - * out1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] */ -static void fiat_25519_sub(uint64_t out1[5], const uint64_t arg1[5], const uint64_t arg2[5]) { - uint64_t x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0])); - uint64_t x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1])); - uint64_t x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2])); - uint64_t x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3])); - uint64_t x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4])); +static FIAT_25519_FIAT_INLINE void fiat_25519_sub(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1, const fiat_25519_tight_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = ((UINT64_C(0xfffffffffffda) + (arg1[0])) - (arg2[0])); + x2 = ((UINT64_C(0xffffffffffffe) + (arg1[1])) - (arg2[1])); + x3 = ((UINT64_C(0xffffffffffffe) + (arg1[2])) - (arg2[2])); + x4 = ((UINT64_C(0xffffffffffffe) + (arg1[3])) - (arg2[3])); + x5 = ((UINT64_C(0xffffffffffffe) + (arg1[4])) - (arg2[4])); out1[0] = x1; out1[1] = x2; out1[2] = x3; 
@@ -307,20 +448,22 @@ static void fiat_25519_sub(uint64_t out1[5], const uint64_t arg1[5], const uint6 /* * The function fiat_25519_opp negates a field element. + * * Postconditions: * eval out1 mod m = -eval arg1 mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] - * Output Bounds: - * out1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] */ -static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { - uint64_t x1 = (UINT64_C(0xfffffffffffda) - (arg1[0])); - uint64_t x2 = (UINT64_C(0xffffffffffffe) - (arg1[1])); - uint64_t x3 = (UINT64_C(0xffffffffffffe) - (arg1[2])); - uint64_t x4 = (UINT64_C(0xffffffffffffe) - (arg1[3])); - uint64_t x5 = (UINT64_C(0xffffffffffffe) - (arg1[4])); +static FIAT_25519_FIAT_INLINE void fiat_25519_opp(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = (UINT64_C(0xfffffffffffda) - (arg1[0])); + x2 = (UINT64_C(0xffffffffffffe) - (arg1[1])); + x3 = (UINT64_C(0xffffffffffffe) - (arg1[2])); + x4 = (UINT64_C(0xffffffffffffe) - (arg1[3])); + x5 = (UINT64_C(0xffffffffffffe) - (arg1[4])); out1[0] = x1; out1[1] = x2; out1[2] = x3; @@ -330,6 +473,7 @@ static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { /* * The function fiat_25519_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * 
@@ -340,16 +484,16 @@ static void fiat_25519_opp(uint64_t out1[5], const uint64_t arg1[5]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const uint64_t arg2[5], const uint64_t arg3[5]) { uint64_t x1; - fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); uint64_t x2; - fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); uint64_t x3; - fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); uint64_t x4; - fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); uint64_t x5; + fiat_25519_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_25519_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_25519_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_25519_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); fiat_25519_cmovznz_u64(&x5, arg1, (arg2[4]), (arg3[4])); out1[0] = x1; out1[1] = x2; 
@@ -360,260 +504,469 @@ static void fiat_25519_selectznz(uint64_t out1[5], fiat_25519_uint1 arg1, const /* * The function fiat_25519_to_bytes serializes a field element to bytes in little-endian order. + * * Postconditions: * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] * - * Input Bounds: - * arg1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] */ -static void fiat_25519_to_bytes(uint8_t out1[32], const uint64_t arg1[5]) { +static FIAT_25519_FIAT_INLINE void fiat_25519_to_bytes(uint8_t out1[32], const fiat_25519_tight_field_element arg1) { uint64_t x1; fiat_25519_uint1 x2; - fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed)); uint64_t x3; fiat_25519_uint1 x4; - fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff)); uint64_t x5; fiat_25519_uint1 x6; - fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff)); uint64_t x7; fiat_25519_uint1 x8; - fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff)); uint64_t x9; fiat_25519_uint1 x10; - fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff)); uint64_t x11; - fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff)); uint64_t x12; fiat_25519_uint1 x13; - fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & UINT64_C(0x7ffffffffffed))); uint64_t x14; fiat_25519_uint1 x15; - 
fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff))); uint64_t x16; fiat_25519_uint1 x17; - fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff))); uint64_t x18; fiat_25519_uint1 x19; - fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff))); uint64_t x20; fiat_25519_uint1 x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint8_t x26; + uint64_t x27; + uint8_t x28; + uint64_t x29; + uint8_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint8_t x34; + uint64_t x35; + uint8_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint64_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; + uint8_t x50; + uint64_t x51; + uint8_t x52; + uint64_t x53; + uint8_t x54; + uint64_t x55; + uint8_t x56; + uint64_t x57; + uint8_t x58; + uint64_t x59; + uint8_t x60; + uint64_t x61; + uint8_t x62; + uint64_t x63; + uint8_t x64; + fiat_25519_uint1 x65; + uint64_t x66; + uint8_t x67; + uint64_t x68; + uint8_t x69; + uint64_t x70; + uint8_t x71; + uint64_t x72; + uint8_t x73; + uint64_t x74; + uint8_t x75; + uint64_t x76; + uint8_t x77; + uint8_t x78; + uint64_t x79; + uint8_t x80; + uint64_t x81; + uint8_t x82; + uint64_t x83; + uint8_t x84; + uint64_t x85; + uint8_t x86; + uint64_t x87; + uint8_t x88; + uint64_t x89; + uint8_t x90; + uint8_t x91; + fiat_25519_subborrowx_u51(&x1, &x2, 0x0, (arg1[0]), UINT64_C(0x7ffffffffffed)); + fiat_25519_subborrowx_u51(&x3, &x4, x2, (arg1[1]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x5, &x6, x4, (arg1[2]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x7, &x8, x6, (arg1[3]), UINT64_C(0x7ffffffffffff)); + fiat_25519_subborrowx_u51(&x9, &x10, x8, (arg1[4]), UINT64_C(0x7ffffffffffff)); + fiat_25519_cmovznz_u64(&x11, x10, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_25519_addcarryx_u51(&x12, &x13, 0x0, x1, (x11 & 
UINT64_C(0x7ffffffffffed))); + fiat_25519_addcarryx_u51(&x14, &x15, x13, x3, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x16, &x17, x15, x5, (x11 & UINT64_C(0x7ffffffffffff))); + fiat_25519_addcarryx_u51(&x18, &x19, x17, x7, (x11 & UINT64_C(0x7ffffffffffff))); fiat_25519_addcarryx_u51(&x20, &x21, x19, x9, (x11 & UINT64_C(0x7ffffffffffff))); - uint64_t x22 = (x20 << 4); - uint64_t x23 = (x18 * (uint64_t)0x2); - uint64_t x24 = (x16 << 6); - uint64_t x25 = (x14 << 3); - uint64_t x26 = (x12 >> 8); - uint8_t x27 = (uint8_t)(x12 & UINT8_C(0xff)); - uint64_t x28 = (x26 >> 8); - uint8_t x29 = (uint8_t)(x26 & UINT8_C(0xff)); - uint64_t x30 = (x28 >> 8); - uint8_t x31 = (uint8_t)(x28 & UINT8_C(0xff)); - uint64_t x32 = (x30 >> 8); - uint8_t x33 = (uint8_t)(x30 & UINT8_C(0xff)); - uint64_t x34 = (x32 >> 8); - uint8_t x35 = (uint8_t)(x32 & UINT8_C(0xff)); - uint8_t x36 = (uint8_t)(x34 >> 8); - uint8_t x37 = (uint8_t)(x34 & UINT8_C(0xff)); - uint64_t x38 = (x36 + x25); - uint64_t x39 = (x38 >> 8); - uint8_t x40 = (uint8_t)(x38 & UINT8_C(0xff)); - uint64_t x41 = (x39 >> 8); - uint8_t x42 = (uint8_t)(x39 & UINT8_C(0xff)); - uint64_t x43 = (x41 >> 8); - uint8_t x44 = (uint8_t)(x41 & UINT8_C(0xff)); - uint64_t x45 = (x43 >> 8); - uint8_t x46 = (uint8_t)(x43 & UINT8_C(0xff)); - uint64_t x47 = (x45 >> 8); - uint8_t x48 = (uint8_t)(x45 & UINT8_C(0xff)); - uint8_t x49 = (uint8_t)(x47 >> 8); - uint8_t x50 = (uint8_t)(x47 & UINT8_C(0xff)); - uint64_t x51 = (x49 + x24); - uint64_t x52 = (x51 >> 8); - uint8_t x53 = (uint8_t)(x51 & UINT8_C(0xff)); - uint64_t x54 = (x52 >> 8); - uint8_t x55 = (uint8_t)(x52 & UINT8_C(0xff)); - uint64_t x56 = (x54 >> 8); - uint8_t x57 = (uint8_t)(x54 & UINT8_C(0xff)); - uint64_t x58 = (x56 >> 8); - uint8_t x59 = (uint8_t)(x56 & UINT8_C(0xff)); - uint64_t x60 = (x58 >> 8); - uint8_t x61 = (uint8_t)(x58 & UINT8_C(0xff)); - uint64_t x62 = (x60 >> 8); - uint8_t x63 = (uint8_t)(x60 & UINT8_C(0xff)); - fiat_25519_uint1 x64 = (fiat_25519_uint1)(x62 
>> 8); - uint8_t x65 = (uint8_t)(x62 & UINT8_C(0xff)); - uint64_t x66 = (x64 + x23); - uint64_t x67 = (x66 >> 8); - uint8_t x68 = (uint8_t)(x66 & UINT8_C(0xff)); - uint64_t x69 = (x67 >> 8); - uint8_t x70 = (uint8_t)(x67 & UINT8_C(0xff)); - uint64_t x71 = (x69 >> 8); - uint8_t x72 = (uint8_t)(x69 & UINT8_C(0xff)); - uint64_t x73 = (x71 >> 8); - uint8_t x74 = (uint8_t)(x71 & UINT8_C(0xff)); - uint64_t x75 = (x73 >> 8); - uint8_t x76 = (uint8_t)(x73 & UINT8_C(0xff)); - uint8_t x77 = (uint8_t)(x75 >> 8); - uint8_t x78 = (uint8_t)(x75 & UINT8_C(0xff)); - uint64_t x79 = (x77 + x22); - uint64_t x80 = (x79 >> 8); - uint8_t x81 = (uint8_t)(x79 & UINT8_C(0xff)); - uint64_t x82 = (x80 >> 8); - uint8_t x83 = (uint8_t)(x80 & UINT8_C(0xff)); - uint64_t x84 = (x82 >> 8); - uint8_t x85 = (uint8_t)(x82 & UINT8_C(0xff)); - uint64_t x86 = (x84 >> 8); - uint8_t x87 = (uint8_t)(x84 & UINT8_C(0xff)); - uint64_t x88 = (x86 >> 8); - uint8_t x89 = (uint8_t)(x86 & UINT8_C(0xff)); - uint8_t x90 = (uint8_t)(x88 >> 8); - uint8_t x91 = (uint8_t)(x88 & UINT8_C(0xff)); - out1[0] = x27; - out1[1] = x29; - out1[2] = x31; - out1[3] = x33; - out1[4] = x35; - out1[5] = x37; - out1[6] = x40; - out1[7] = x42; - out1[8] = x44; - out1[9] = x46; - out1[10] = x48; - out1[11] = x50; - out1[12] = x53; - out1[13] = x55; - out1[14] = x57; - out1[15] = x59; - out1[16] = x61; - out1[17] = x63; - out1[18] = x65; - out1[19] = x68; - out1[20] = x70; - out1[21] = x72; - out1[22] = x74; - out1[23] = x76; - out1[24] = x78; - out1[25] = x81; - out1[26] = x83; - out1[27] = x85; - out1[28] = x87; - out1[29] = x89; - out1[30] = x91; - out1[31] = x90; + x22 = (x20 << 4); + x23 = (x18 * (uint64_t)0x2); + x24 = (x16 << 6); + x25 = (x14 << 3); + x26 = (uint8_t)(x12 & UINT8_C(0xff)); + x27 = (x12 >> 8); + x28 = (uint8_t)(x27 & UINT8_C(0xff)); + x29 = (x27 >> 8); + x30 = (uint8_t)(x29 & UINT8_C(0xff)); + x31 = (x29 >> 8); + x32 = (uint8_t)(x31 & UINT8_C(0xff)); + x33 = (x31 >> 8); + x34 = (uint8_t)(x33 & UINT8_C(0xff)); + x35 = 
(x33 >> 8); + x36 = (uint8_t)(x35 & UINT8_C(0xff)); + x37 = (uint8_t)(x35 >> 8); + x38 = (x25 + (uint64_t)x37); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & UINT8_C(0xff)); + x46 = (x44 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (x24 + (uint64_t)x50); + x52 = (uint8_t)(x51 & UINT8_C(0xff)); + x53 = (x51 >> 8); + x54 = (uint8_t)(x53 & UINT8_C(0xff)); + x55 = (x53 >> 8); + x56 = (uint8_t)(x55 & UINT8_C(0xff)); + x57 = (x55 >> 8); + x58 = (uint8_t)(x57 & UINT8_C(0xff)); + x59 = (x57 >> 8); + x60 = (uint8_t)(x59 & UINT8_C(0xff)); + x61 = (x59 >> 8); + x62 = (uint8_t)(x61 & UINT8_C(0xff)); + x63 = (x61 >> 8); + x64 = (uint8_t)(x63 & UINT8_C(0xff)); + x65 = (fiat_25519_uint1)(x63 >> 8); + x66 = (x23 + (uint64_t)x65); + x67 = (uint8_t)(x66 & UINT8_C(0xff)); + x68 = (x66 >> 8); + x69 = (uint8_t)(x68 & UINT8_C(0xff)); + x70 = (x68 >> 8); + x71 = (uint8_t)(x70 & UINT8_C(0xff)); + x72 = (x70 >> 8); + x73 = (uint8_t)(x72 & UINT8_C(0xff)); + x74 = (x72 >> 8); + x75 = (uint8_t)(x74 & UINT8_C(0xff)); + x76 = (x74 >> 8); + x77 = (uint8_t)(x76 & UINT8_C(0xff)); + x78 = (uint8_t)(x76 >> 8); + x79 = (x22 + (uint64_t)x78); + x80 = (uint8_t)(x79 & UINT8_C(0xff)); + x81 = (x79 >> 8); + x82 = (uint8_t)(x81 & UINT8_C(0xff)); + x83 = (x81 >> 8); + x84 = (uint8_t)(x83 & UINT8_C(0xff)); + x85 = (x83 >> 8); + x86 = (uint8_t)(x85 & UINT8_C(0xff)); + x87 = (x85 >> 8); + x88 = (uint8_t)(x87 & UINT8_C(0xff)); + x89 = (x87 >> 8); + x90 = (uint8_t)(x89 & UINT8_C(0xff)); + x91 = (uint8_t)(x89 >> 8); + out1[0] = x26; + out1[1] = x28; + out1[2] = x30; + out1[3] = x32; + out1[4] = x34; + out1[5] = x36; + out1[6] = x39; + out1[7] = x41; + out1[8] = x43; + out1[9] = x45; + out1[10] = x47; + out1[11] = x49; + out1[12] = x52; + out1[13] = x54; + 
out1[14] = x56; + out1[15] = x58; + out1[16] = x60; + out1[17] = x62; + out1[18] = x64; + out1[19] = x67; + out1[20] = x69; + out1[21] = x71; + out1[22] = x73; + out1[23] = x75; + out1[24] = x77; + out1[25] = x80; + out1[26] = x82; + out1[27] = x84; + out1[28] = x86; + out1[29] = x88; + out1[30] = x90; + out1[31] = x91; } /* * The function fiat_25519_from_bytes deserializes a field element from bytes in little-endian order. + * * Postconditions: * eval out1 mod m = bytes_eval arg1 mod m * * Input Bounds: * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0x7f]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_from_bytes(uint64_t out1[5], const uint8_t arg1[32]) { - uint64_t x1 = ((uint64_t)(arg1[31]) << 44); - uint64_t x2 = ((uint64_t)(arg1[30]) << 36); - uint64_t x3 = ((uint64_t)(arg1[29]) << 28); - uint64_t x4 = ((uint64_t)(arg1[28]) << 20); - uint64_t x5 = ((uint64_t)(arg1[27]) << 12); - uint64_t x6 = ((uint64_t)(arg1[26]) << 4); - uint64_t x7 = ((uint64_t)(arg1[25]) << 47); - uint64_t x8 = ((uint64_t)(arg1[24]) << 39); - uint64_t x9 = ((uint64_t)(arg1[23]) << 31); - uint64_t x10 = ((uint64_t)(arg1[22]) << 23); - uint64_t x11 = ((uint64_t)(arg1[21]) << 15); - uint64_t x12 = ((uint64_t)(arg1[20]) << 7); - uint64_t x13 = ((uint64_t)(arg1[19]) << 50); - uint64_t x14 = ((uint64_t)(arg1[18]) << 42); - uint64_t x15 = ((uint64_t)(arg1[17]) << 34); - uint64_t x16 = ((uint64_t)(arg1[16]) << 26); - uint64_t x17 = 
((uint64_t)(arg1[15]) << 18); - uint64_t x18 = ((uint64_t)(arg1[14]) << 10); - uint64_t x19 = ((uint64_t)(arg1[13]) << 2); - uint64_t x20 = ((uint64_t)(arg1[12]) << 45); - uint64_t x21 = ((uint64_t)(arg1[11]) << 37); - uint64_t x22 = ((uint64_t)(arg1[10]) << 29); - uint64_t x23 = ((uint64_t)(arg1[9]) << 21); - uint64_t x24 = ((uint64_t)(arg1[8]) << 13); - uint64_t x25 = ((uint64_t)(arg1[7]) << 5); - uint64_t x26 = ((uint64_t)(arg1[6]) << 48); - uint64_t x27 = ((uint64_t)(arg1[5]) << 40); - uint64_t x28 = ((uint64_t)(arg1[4]) << 32); - uint64_t x29 = ((uint64_t)(arg1[3]) << 24); - uint64_t x30 = ((uint64_t)(arg1[2]) << 16); - uint64_t x31 = ((uint64_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint64_t x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + x26)))))); - uint8_t x34 = (uint8_t)(x33 >> 51); - uint64_t x35 = (x33 & UINT64_C(0x7ffffffffffff)); - uint64_t x36 = (x6 + (x5 + (x4 + (x3 + (x2 + x1))))); - uint64_t x37 = (x12 + (x11 + (x10 + (x9 + (x8 + x7))))); - uint64_t x38 = (x19 + (x18 + (x17 + (x16 + (x15 + (x14 + x13)))))); - uint64_t x39 = (x25 + (x24 + (x23 + (x22 + (x21 + x20))))); - uint64_t x40 = (x34 + x39); - uint8_t x41 = (uint8_t)(x40 >> 51); - uint64_t x42 = (x40 & UINT64_C(0x7ffffffffffff)); - uint64_t x43 = (x41 + x38); - uint8_t x44 = (uint8_t)(x43 >> 51); - uint64_t x45 = (x43 & UINT64_C(0x7ffffffffffff)); - uint64_t x46 = (x44 + x37); - uint8_t x47 = (uint8_t)(x46 >> 51); - uint64_t x48 = (x46 & UINT64_C(0x7ffffffffffff)); - uint64_t x49 = (x47 + x36); - out1[0] = x35; - out1[1] = x42; - out1[2] = x45; - out1[3] = x48; - out1[4] = x49; +static FIAT_25519_FIAT_INLINE void fiat_25519_from_bytes(fiat_25519_tight_field_element out1, const uint8_t arg1[32]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint64_t x16; + uint64_t x17; + uint64_t x18; + uint64_t 
x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint8_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint8_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint8_t x65; + uint64_t x66; + uint64_t x67; + uint64_t x68; + uint64_t x69; + uint64_t x70; + uint64_t x71; + x1 = ((uint64_t)(arg1[31]) << 44); + x2 = ((uint64_t)(arg1[30]) << 36); + x3 = ((uint64_t)(arg1[29]) << 28); + x4 = ((uint64_t)(arg1[28]) << 20); + x5 = ((uint64_t)(arg1[27]) << 12); + x6 = ((uint64_t)(arg1[26]) << 4); + x7 = ((uint64_t)(arg1[25]) << 47); + x8 = ((uint64_t)(arg1[24]) << 39); + x9 = ((uint64_t)(arg1[23]) << 31); + x10 = ((uint64_t)(arg1[22]) << 23); + x11 = ((uint64_t)(arg1[21]) << 15); + x12 = ((uint64_t)(arg1[20]) << 7); + x13 = ((uint64_t)(arg1[19]) << 50); + x14 = ((uint64_t)(arg1[18]) << 42); + x15 = ((uint64_t)(arg1[17]) << 34); + x16 = ((uint64_t)(arg1[16]) << 26); + x17 = ((uint64_t)(arg1[15]) << 18); + x18 = ((uint64_t)(arg1[14]) << 10); + x19 = ((uint64_t)(arg1[13]) << 2); + x20 = ((uint64_t)(arg1[12]) << 45); + x21 = ((uint64_t)(arg1[11]) << 37); + x22 = ((uint64_t)(arg1[10]) << 29); + x23 = ((uint64_t)(arg1[9]) << 21); + x24 = ((uint64_t)(arg1[8]) << 13); + x25 = ((uint64_t)(arg1[7]) << 5); + x26 = ((uint64_t)(arg1[6]) << 48); + x27 = ((uint64_t)(arg1[5]) << 40); + x28 = ((uint64_t)(arg1[4]) << 32); + x29 = ((uint64_t)(arg1[3]) << 24); + x30 = ((uint64_t)(arg1[2]) << 16); + x31 = ((uint64_t)(arg1[1]) << 8); + x32 = 
(arg1[0]); + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x38 & UINT64_C(0x7ffffffffffff)); + x40 = (uint8_t)(x38 >> 51); + x41 = (x25 + (uint64_t)x40); + x42 = (x24 + x41); + x43 = (x23 + x42); + x44 = (x22 + x43); + x45 = (x21 + x44); + x46 = (x20 + x45); + x47 = (x46 & UINT64_C(0x7ffffffffffff)); + x48 = (uint8_t)(x46 >> 51); + x49 = (x19 + (uint64_t)x48); + x50 = (x18 + x49); + x51 = (x17 + x50); + x52 = (x16 + x51); + x53 = (x15 + x52); + x54 = (x14 + x53); + x55 = (x13 + x54); + x56 = (x55 & UINT64_C(0x7ffffffffffff)); + x57 = (uint8_t)(x55 >> 51); + x58 = (x12 + (uint64_t)x57); + x59 = (x11 + x58); + x60 = (x10 + x59); + x61 = (x9 + x60); + x62 = (x8 + x61); + x63 = (x7 + x62); + x64 = (x63 & UINT64_C(0x7ffffffffffff)); + x65 = (uint8_t)(x63 >> 51); + x66 = (x6 + (uint64_t)x65); + x67 = (x5 + x66); + x68 = (x4 + x67); + x69 = (x3 + x68); + x70 = (x2 + x69); + x71 = (x1 + x70); + out1[0] = x39; + out1[1] = x47; + out1[2] = x56; + out1[3] = x64; + out1[4] = x71; +} + +/* + * The function fiat_25519_relax is the identity function converting from tight field elements to loose field elements. + * + * Postconditions: + * out1 = arg1 + * + */ +static FIAT_25519_FIAT_INLINE void fiat_25519_relax(fiat_25519_loose_field_element out1, const fiat_25519_tight_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + x1 = (arg1[0]); + x2 = (arg1[1]); + x3 = (arg1[2]); + x4 = (arg1[3]); + x5 = (arg1[4]); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; } /* * The function fiat_25519_carry_scmul_121666 multiplies a field element by 121666 and reduces the result. 
+ * * Postconditions: * eval out1 mod m = (121666 * eval arg1) mod m * - * Input Bounds: - * arg1: [[0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664], [0x0 ~> 0x1a666666666664]] - * Output Bounds: - * out1: [[0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc], [0x0 ~> 0x8cccccccccccc]] */ -static void fiat_25519_carry_scmul_121666(uint64_t out1[5], const uint64_t arg1[5]) { - fiat_25519_uint128 x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4])); - fiat_25519_uint128 x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3])); - fiat_25519_uint128 x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2])); - fiat_25519_uint128 x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1])); - fiat_25519_uint128 x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0])); - uint64_t x6 = (uint64_t)(x5 >> 51); - uint64_t x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x8 = (x6 + x4); - uint64_t x9 = (uint64_t)(x8 >> 51); - uint64_t x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x11 = (x9 + x3); - uint64_t x12 = (uint64_t)(x11 >> 51); - uint64_t x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x14 = (x12 + x2); - uint64_t x15 = (uint64_t)(x14 >> 51); - uint64_t x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff)); - fiat_25519_uint128 x17 = (x15 + x1); - uint64_t x18 = (uint64_t)(x17 >> 51); - uint64_t x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff)); - uint64_t x20 = (x18 * UINT8_C(0x13)); - uint64_t x21 = (x7 + x20); - fiat_25519_uint1 x22 = (fiat_25519_uint1)(x21 >> 51); - uint64_t x23 = (x21 & UINT64_C(0x7ffffffffffff)); - uint64_t x24 = (x22 + x10); - fiat_25519_uint1 x25 = (fiat_25519_uint1)(x24 >> 51); - uint64_t x26 = (x24 & UINT64_C(0x7ffffffffffff)); - uint64_t x27 = (x25 + x13); +static FIAT_25519_FIAT_INLINE void fiat_25519_carry_scmul_121666(fiat_25519_tight_field_element out1, const 
fiat_25519_loose_field_element arg1) { + fiat_25519_uint128 x1; + fiat_25519_uint128 x2; + fiat_25519_uint128 x3; + fiat_25519_uint128 x4; + fiat_25519_uint128 x5; + uint64_t x6; + uint64_t x7; + fiat_25519_uint128 x8; + uint64_t x9; + uint64_t x10; + fiat_25519_uint128 x11; + uint64_t x12; + uint64_t x13; + fiat_25519_uint128 x14; + uint64_t x15; + uint64_t x16; + fiat_25519_uint128 x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + fiat_25519_uint1 x22; + uint64_t x23; + uint64_t x24; + fiat_25519_uint1 x25; + uint64_t x26; + uint64_t x27; + x1 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[4])); + x2 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[3])); + x3 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[2])); + x4 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[1])); + x5 = ((fiat_25519_uint128)UINT32_C(0x1db42) * (arg1[0])); + x6 = (uint64_t)(x5 >> 51); + x7 = (uint64_t)(x5 & UINT64_C(0x7ffffffffffff)); + x8 = (x6 + x4); + x9 = (uint64_t)(x8 >> 51); + x10 = (uint64_t)(x8 & UINT64_C(0x7ffffffffffff)); + x11 = (x9 + x3); + x12 = (uint64_t)(x11 >> 51); + x13 = (uint64_t)(x11 & UINT64_C(0x7ffffffffffff)); + x14 = (x12 + x2); + x15 = (uint64_t)(x14 >> 51); + x16 = (uint64_t)(x14 & UINT64_C(0x7ffffffffffff)); + x17 = (x15 + x1); + x18 = (uint64_t)(x17 >> 51); + x19 = (uint64_t)(x17 & UINT64_C(0x7ffffffffffff)); + x20 = (x18 * UINT8_C(0x13)); + x21 = (x7 + x20); + x22 = (fiat_25519_uint1)(x21 >> 51); + x23 = (x21 & UINT64_C(0x7ffffffffffff)); + x24 = (x22 + x10); + x25 = (fiat_25519_uint1)(x24 >> 51); + x26 = (x24 & UINT64_C(0x7ffffffffffff)); + x27 = (x25 + x13); out1[0] = x23; out1[1] = x26; out1[2] = x27; out1[3] = x16; out1[4] = x19; } - diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/p256_32.h b/Sources/CJWTKitBoringSSL/third_party/fiat/p256_32.h index 504da42d..3812d8ce 100644 --- a/Sources/CJWTKitBoringSSL/third_party/fiat/p256_32.h +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/p256_32.h 
@@ -1,8 +1,8 @@ -/* Autogenerated: src/ExtractionOCaml/word_by_word_montgomery --static p256 '2^256 - 2^224 + 2^192 + 2^96 - 1' 32 mul square add sub opp from_montgomery nonzero selectznz to_bytes from_bytes */ +/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 32 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ /* curve description: p256 */ -/* requested operations: mul, square, add, sub, opp, from_montgomery, nonzero, selectznz, to_bytes, from_bytes */ -/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* machine_wordsize = 32 (from "32") */ +/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */ +/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* */ /* NOTE: In addition to the bounds specified above each function, all */ /* functions synthesized for this Montgomery arithmetic require the */ 
@@ -10,18 +10,47 @@ /* require the input to be in the unique saturated representation. */ /* All functions also ensure that these two properties are true of */ /* return values. */ +/* */ +/* Computed values: */ +/* eval z = z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 32) + (z[2] << 64) + (z[3] << 96) + (z[4] << 128) + (z[5] << 160) + (z[6] << 192) + (z[7] << 224) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include typedef unsigned char fiat_p256_uint1; typedef signed char fiat_p256_int1; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_P256_FIAT_INLINE __inline__ +#else +# define FIAT_P256_FIAT_INLINE +#endif + +/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ +typedef uint32_t fiat_p256_montgomery_domain_field_element[8]; + +/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. 
*/ +/* Bounds: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ +typedef uint32_t fiat_p256_non_montgomery_domain_field_element[8]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_P256_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint32_t fiat_p256_value_barrier_u32(uint32_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_p256_value_barrier_u32(x) (x) +#endif + /* * The function fiat_p256_addcarryx_u32 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^32 * out2 = ⌊(arg1 + arg2 + arg3) / 2^32⌋ @@ -34,16 +63,20 @@ typedef signed char fiat_p256_int1; * out1: [0x0 ~> 0xffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { - uint64_t x1 = ((arg1 + (uint64_t)arg2) + arg3); - uint32_t x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - fiat_p256_uint1 x3 = (fiat_p256_uint1)(x1 >> 32); +static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { + uint64_t x1; + uint32_t x2; + fiat_p256_uint1 x3; + x1 = ((arg1 + (uint64_t)arg2) + arg3); + x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); + x3 = (fiat_p256_uint1)(x1 >> 32); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_subborrowx_u32 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^32 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^32⌋ 
@@ -56,16 +89,20 @@ static void fiat_p256_addcarryx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_ * out1: [0x0 ~> 0xffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { - int64_t x1 = ((arg2 - (int64_t)arg1) - arg3); - fiat_p256_int1 x2 = (fiat_p256_int1)(x1 >> 32); - uint32_t x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); +static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { + int64_t x1; + fiat_p256_int1 x2; + uint32_t x3; + x1 = ((arg2 - (int64_t)arg1) - arg3); + x2 = (fiat_p256_int1)(x1 >> 32); + x3 = (uint32_t)(x1 & UINT32_C(0xffffffff)); *out1 = x3; *out2 = (fiat_p256_uint1)(0x0 - x2); } /* * The function fiat_p256_mulx_u32 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^32 * out2 = ⌊arg1 * arg2 / 2^32⌋ @@ -77,16 +114,20 @@ static void fiat_p256_subborrowx_u32(uint32_t* out1, fiat_p256_uint1* out2, fiat * out1: [0x0 ~> 0xffffffff] * out2: [0x0 ~> 0xffffffff] */ -static void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { - uint64_t x1 = ((uint64_t)arg1 * arg2); - uint32_t x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); - uint32_t x3 = (uint32_t)(x1 >> 32); +static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, uint32_t arg2) { + uint64_t x1; + uint32_t x2; + uint32_t x3; + x1 = ((uint64_t)arg1 * arg2); + x2 = (uint32_t)(x1 & UINT32_C(0xffffffff)); + x3 = (uint32_t)(x1 >> 32); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_cmovznz_u32 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -97,21 +138,19 @@ static void fiat_p256_mulx_u32(uint32_t* out1, uint32_t* out2, uint32_t arg1, ui * Output Bounds: * out1: [0x0 ~> 0xffffffff] */ -static void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { - fiat_p256_uint1 x1 = (!(!arg1)); - uint32_t x2 = ((fiat_p256_int1)(0x0 - x1) & UINT32_C(0xffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint32_t x3 = ((value_barrier_u32(x2) & arg3) | (value_barrier_u32(~x2) & arg2)); +static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t arg2, uint32_t arg3) { + fiat_p256_uint1 x1; + uint32_t x2; + uint32_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_p256_int1)(0x0 - x1) & UINT32_C(0xffffffff)); + x3 = ((fiat_p256_value_barrier_u32(x2) & arg3) | (fiat_p256_value_barrier_u32((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -119,2002 +158,1021 @@ static void fiat_p256_cmovznz_u32(uint32_t* out1, fiat_p256_uint1 arg1, uint32_t * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_mul(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { - uint32_t x1 = (arg1[1]); - uint32_t x2 = (arg1[2]); - uint32_t x3 = (arg1[3]); - uint32_t x4 = (arg1[4]); - uint32_t x5 = (arg1[5]); - uint32_t x6 = (arg1[6]); - uint32_t x7 = (arg1[7]); - uint32_t x8 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; uint32_t x9; uint32_t x10; - fiat_p256_mulx_u32(&x9, &x10, x8, (arg2[7])); uint32_t x11; uint32_t x12; - fiat_p256_mulx_u32(&x11, &x12, x8, (arg2[6])); uint32_t x13; uint32_t x14; - fiat_p256_mulx_u32(&x13, &x14, x8, (arg2[5])); uint32_t x15; uint32_t x16; - fiat_p256_mulx_u32(&x15, &x16, x8, (arg2[4])); uint32_t x17; uint32_t x18; - fiat_p256_mulx_u32(&x17, &x18, x8, (arg2[3])); uint32_t x19; uint32_t x20; - fiat_p256_mulx_u32(&x19, &x20, x8, (arg2[2])); uint32_t x21; uint32_t x22; - fiat_p256_mulx_u32(&x21, &x22, x8, (arg2[1])); uint32_t x23; 
uint32_t x24; - fiat_p256_mulx_u32(&x23, &x24, x8, (arg2[0])); uint32_t x25; fiat_p256_uint1 x26; - fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); uint32_t x27; fiat_p256_uint1 x28; - fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); uint32_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); uint32_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); uint32_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); uint32_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); uint32_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); - uint32_t x39 = (x38 + x10); + uint32_t x39; uint32_t x40; uint32_t x41; - fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); uint32_t x42; uint32_t x43; - fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); uint32_t x44; uint32_t x45; - fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); uint32_t x46; uint32_t x47; - fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); uint32_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); uint32_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42); - uint32_t x52 = (x51 + x43); + uint32_t x52; uint32_t x53; fiat_p256_uint1 x54; - fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); uint32_t x55; fiat_p256_uint1 x56; - fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); uint32_t x57; fiat_p256_uint1 x58; - fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); uint32_t x59; fiat_p256_uint1 x60; - fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); uint32_t x61; fiat_p256_uint1 x62; - fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); uint32_t x63; fiat_p256_uint1 x64; - fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); uint32_t x65; fiat_p256_uint1 x66; - fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); uint32_t x67; fiat_p256_uint1 x68; - 
fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); uint32_t x69; fiat_p256_uint1 x70; - fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); uint32_t x71; uint32_t x72; - fiat_p256_mulx_u32(&x71, &x72, x1, (arg2[7])); uint32_t x73; uint32_t x74; - fiat_p256_mulx_u32(&x73, &x74, x1, (arg2[6])); uint32_t x75; uint32_t x76; - fiat_p256_mulx_u32(&x75, &x76, x1, (arg2[5])); uint32_t x77; uint32_t x78; - fiat_p256_mulx_u32(&x77, &x78, x1, (arg2[4])); uint32_t x79; uint32_t x80; - fiat_p256_mulx_u32(&x79, &x80, x1, (arg2[3])); uint32_t x81; uint32_t x82; - fiat_p256_mulx_u32(&x81, &x82, x1, (arg2[2])); uint32_t x83; uint32_t x84; - fiat_p256_mulx_u32(&x83, &x84, x1, (arg2[1])); uint32_t x85; uint32_t x86; - fiat_p256_mulx_u32(&x85, &x86, x1, (arg2[0])); uint32_t x87; fiat_p256_uint1 x88; - fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); uint32_t x89; fiat_p256_uint1 x90; - fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); uint32_t x91; fiat_p256_uint1 x92; - fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); uint32_t x93; fiat_p256_uint1 x94; - fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); uint32_t x95; fiat_p256_uint1 x96; - fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); uint32_t x97; fiat_p256_uint1 x98; - fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73); uint32_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); - uint32_t x101 = (x100 + x72); + uint32_t x101; uint32_t x102; fiat_p256_uint1 x103; - fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); uint32_t x104; fiat_p256_uint1 x105; - fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); uint32_t x106; fiat_p256_uint1 x107; - fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); uint32_t x108; fiat_p256_uint1 x109; - fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); uint32_t x110; fiat_p256_uint1 x111; - fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); uint32_t x112; fiat_p256_uint1 x113; - fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); 
uint32_t x114; fiat_p256_uint1 x115; - fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); uint32_t x116; fiat_p256_uint1 x117; - fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); uint32_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); uint32_t x120; uint32_t x121; - fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); uint32_t x122; uint32_t x123; - fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); uint32_t x124; uint32_t x125; - fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff)); uint32_t x126; uint32_t x127; - fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); uint32_t x128; fiat_p256_uint1 x129; - fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); uint32_t x130; fiat_p256_uint1 x131; - fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); - uint32_t x132 = (x131 + x123); + uint32_t x132; uint32_t x133; fiat_p256_uint1 x134; - fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); uint32_t x135; fiat_p256_uint1 x136; - fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); uint32_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); uint32_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); uint32_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); uint32_t x143; fiat_p256_uint1 x144; - fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); uint32_t x145; fiat_p256_uint1 x146; - fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); uint32_t x147; fiat_p256_uint1 x148; - fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); uint32_t x149; fiat_p256_uint1 x150; - fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); - uint32_t x151 = ((uint32_t)x150 + x119); + uint32_t x151; uint32_t x152; uint32_t x153; - fiat_p256_mulx_u32(&x152, &x153, x2, (arg2[7])); uint32_t x154; uint32_t x155; - fiat_p256_mulx_u32(&x154, &x155, x2, (arg2[6])); uint32_t x156; 
uint32_t x157; - fiat_p256_mulx_u32(&x156, &x157, x2, (arg2[5])); uint32_t x158; uint32_t x159; - fiat_p256_mulx_u32(&x158, &x159, x2, (arg2[4])); uint32_t x160; uint32_t x161; - fiat_p256_mulx_u32(&x160, &x161, x2, (arg2[3])); uint32_t x162; uint32_t x163; - fiat_p256_mulx_u32(&x162, &x163, x2, (arg2[2])); uint32_t x164; uint32_t x165; - fiat_p256_mulx_u32(&x164, &x165, x2, (arg2[1])); uint32_t x166; uint32_t x167; - fiat_p256_mulx_u32(&x166, &x167, x2, (arg2[0])); uint32_t x168; fiat_p256_uint1 x169; - fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); uint32_t x170; fiat_p256_uint1 x171; - fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); uint32_t x172; fiat_p256_uint1 x173; - fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160); uint32_t x174; fiat_p256_uint1 x175; - fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); uint32_t x176; fiat_p256_uint1 x177; - fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); uint32_t x178; fiat_p256_uint1 x179; - fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); uint32_t x180; fiat_p256_uint1 x181; - fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); - uint32_t x182 = (x181 + x153); + uint32_t x182; uint32_t x183; fiat_p256_uint1 x184; - fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); uint32_t x185; fiat_p256_uint1 x186; - fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); uint32_t x187; fiat_p256_uint1 x188; - fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); uint32_t x189; fiat_p256_uint1 x190; - fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); uint32_t x191; fiat_p256_uint1 x192; - fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); uint32_t x193; fiat_p256_uint1 x194; - fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); uint32_t x195; fiat_p256_uint1 x196; - fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); uint32_t x197; fiat_p256_uint1 x198; - fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); uint32_t x199; fiat_p256_uint1 x200; - 
fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); uint32_t x201; uint32_t x202; - fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); uint32_t x203; uint32_t x204; - fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); uint32_t x205; uint32_t x206; - fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); uint32_t x207; uint32_t x208; - fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); uint32_t x209; fiat_p256_uint1 x210; - fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); uint32_t x211; fiat_p256_uint1 x212; - fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); - uint32_t x213 = (x212 + x204); + uint32_t x213; uint32_t x214; fiat_p256_uint1 x215; - fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); uint32_t x216; fiat_p256_uint1 x217; - fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); uint32_t x218; fiat_p256_uint1 x219; - fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); uint32_t x220; fiat_p256_uint1 x221; - fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); uint32_t x222; fiat_p256_uint1 x223; - fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); uint32_t x224; fiat_p256_uint1 x225; - fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); uint32_t x226; fiat_p256_uint1 x227; - fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); uint32_t x228; fiat_p256_uint1 x229; - fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); uint32_t x230; fiat_p256_uint1 x231; - fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); - uint32_t x232 = ((uint32_t)x231 + x200); + uint32_t x232; uint32_t x233; uint32_t x234; - fiat_p256_mulx_u32(&x233, &x234, x3, (arg2[7])); uint32_t x235; uint32_t x236; - fiat_p256_mulx_u32(&x235, &x236, x3, (arg2[6])); uint32_t x237; uint32_t x238; - fiat_p256_mulx_u32(&x237, &x238, x3, (arg2[5])); uint32_t x239; uint32_t x240; - fiat_p256_mulx_u32(&x239, &x240, x3, (arg2[4])); uint32_t x241; uint32_t x242; - fiat_p256_mulx_u32(&x241, &x242, x3, (arg2[3])); 
uint32_t x243; uint32_t x244; - fiat_p256_mulx_u32(&x243, &x244, x3, (arg2[2])); uint32_t x245; uint32_t x246; - fiat_p256_mulx_u32(&x245, &x246, x3, (arg2[1])); uint32_t x247; uint32_t x248; - fiat_p256_mulx_u32(&x247, &x248, x3, (arg2[0])); uint32_t x249; fiat_p256_uint1 x250; - fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); uint32_t x251; fiat_p256_uint1 x252; - fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); uint32_t x253; fiat_p256_uint1 x254; - fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); uint32_t x255; fiat_p256_uint1 x256; - fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); uint32_t x257; fiat_p256_uint1 x258; - fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); uint32_t x259; fiat_p256_uint1 x260; - fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); uint32_t x261; fiat_p256_uint1 x262; - fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); - uint32_t x263 = (x262 + x234); + uint32_t x263; uint32_t x264; fiat_p256_uint1 x265; - fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); uint32_t x266; fiat_p256_uint1 x267; - fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); uint32_t x268; fiat_p256_uint1 x269; - fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); uint32_t x270; fiat_p256_uint1 x271; - fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); uint32_t x272; fiat_p256_uint1 x273; - fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); uint32_t x274; fiat_p256_uint1 x275; - fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); uint32_t x276; fiat_p256_uint1 x277; - fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); uint32_t x278; fiat_p256_uint1 x279; - fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); uint32_t x280; fiat_p256_uint1 x281; - fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); uint32_t x282; uint32_t x283; - fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); uint32_t x284; uint32_t x285; - fiat_p256_mulx_u32(&x284, &x285, x264, 
UINT32_C(0xffffffff)); uint32_t x286; uint32_t x287; - fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); uint32_t x288; uint32_t x289; - fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff)); uint32_t x290; fiat_p256_uint1 x291; - fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); uint32_t x292; fiat_p256_uint1 x293; - fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); - uint32_t x294 = (x293 + x285); + uint32_t x294; uint32_t x295; fiat_p256_uint1 x296; - fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); uint32_t x297; fiat_p256_uint1 x298; - fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); uint32_t x299; fiat_p256_uint1 x300; - fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); uint32_t x301; fiat_p256_uint1 x302; - fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); uint32_t x303; fiat_p256_uint1 x304; - fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); uint32_t x305; fiat_p256_uint1 x306; - fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); uint32_t x307; fiat_p256_uint1 x308; - fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); uint32_t x309; fiat_p256_uint1 x310; - fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); uint32_t x311; fiat_p256_uint1 x312; - fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); - uint32_t x313 = ((uint32_t)x312 + x281); + uint32_t x313; uint32_t x314; uint32_t x315; - fiat_p256_mulx_u32(&x314, &x315, x4, (arg2[7])); uint32_t x316; uint32_t x317; - fiat_p256_mulx_u32(&x316, &x317, x4, (arg2[6])); uint32_t x318; uint32_t x319; - fiat_p256_mulx_u32(&x318, &x319, x4, (arg2[5])); uint32_t x320; uint32_t x321; - fiat_p256_mulx_u32(&x320, &x321, x4, (arg2[4])); uint32_t x322; uint32_t x323; - fiat_p256_mulx_u32(&x322, &x323, x4, (arg2[3])); uint32_t x324; uint32_t x325; - fiat_p256_mulx_u32(&x324, &x325, x4, (arg2[2])); uint32_t x326; uint32_t x327; - fiat_p256_mulx_u32(&x326, &x327, x4, (arg2[1])); uint32_t x328; uint32_t x329; - fiat_p256_mulx_u32(&x328, 
&x329, x4, (arg2[0])); uint32_t x330; fiat_p256_uint1 x331; - fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); uint32_t x332; fiat_p256_uint1 x333; - fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324); uint32_t x334; fiat_p256_uint1 x335; - fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); uint32_t x336; fiat_p256_uint1 x337; - fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); uint32_t x338; fiat_p256_uint1 x339; - fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); uint32_t x340; fiat_p256_uint1 x341; - fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); uint32_t x342; fiat_p256_uint1 x343; - fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); - uint32_t x344 = (x343 + x315); + uint32_t x344; uint32_t x345; fiat_p256_uint1 x346; - fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); uint32_t x347; fiat_p256_uint1 x348; - fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); uint32_t x349; fiat_p256_uint1 x350; - fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); uint32_t x351; fiat_p256_uint1 x352; - fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); uint32_t x353; fiat_p256_uint1 x354; - fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); uint32_t x355; fiat_p256_uint1 x356; - fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); uint32_t x357; fiat_p256_uint1 x358; - fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); uint32_t x359; fiat_p256_uint1 x360; - fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); uint32_t x361; fiat_p256_uint1 x362; - fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344); uint32_t x363; uint32_t x364; - fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); uint32_t x365; uint32_t x366; - fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); uint32_t x367; uint32_t x368; - fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); uint32_t x369; uint32_t x370; - fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); uint32_t x371; 
fiat_p256_uint1 x372; - fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); uint32_t x373; fiat_p256_uint1 x374; - fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); - uint32_t x375 = (x374 + x366); + uint32_t x375; uint32_t x376; fiat_p256_uint1 x377; - fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); uint32_t x378; fiat_p256_uint1 x379; - fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); uint32_t x380; fiat_p256_uint1 x381; - fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); uint32_t x382; fiat_p256_uint1 x383; - fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); uint32_t x384; fiat_p256_uint1 x385; - fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); uint32_t x386; fiat_p256_uint1 x387; - fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); uint32_t x388; fiat_p256_uint1 x389; - fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); uint32_t x390; fiat_p256_uint1 x391; - fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); uint32_t x392; fiat_p256_uint1 x393; - fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); - uint32_t x394 = ((uint32_t)x393 + x362); + uint32_t x394; uint32_t x395; uint32_t x396; - fiat_p256_mulx_u32(&x395, &x396, x5, (arg2[7])); uint32_t x397; uint32_t x398; - fiat_p256_mulx_u32(&x397, &x398, x5, (arg2[6])); uint32_t x399; uint32_t x400; - fiat_p256_mulx_u32(&x399, &x400, x5, (arg2[5])); uint32_t x401; uint32_t x402; - fiat_p256_mulx_u32(&x401, &x402, x5, (arg2[4])); uint32_t x403; uint32_t x404; - fiat_p256_mulx_u32(&x403, &x404, x5, (arg2[3])); uint32_t x405; uint32_t x406; - fiat_p256_mulx_u32(&x405, &x406, x5, (arg2[2])); uint32_t x407; uint32_t x408; - fiat_p256_mulx_u32(&x407, &x408, x5, (arg2[1])); uint32_t x409; uint32_t x410; - fiat_p256_mulx_u32(&x409, &x410, x5, (arg2[0])); uint32_t x411; fiat_p256_uint1 x412; - fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); uint32_t x413; fiat_p256_uint1 x414; - fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); uint32_t 
x415; fiat_p256_uint1 x416; - fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); uint32_t x417; fiat_p256_uint1 x418; - fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); uint32_t x419; fiat_p256_uint1 x420; - fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); uint32_t x421; fiat_p256_uint1 x422; - fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); uint32_t x423; fiat_p256_uint1 x424; - fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); - uint32_t x425 = (x424 + x396); + uint32_t x425; uint32_t x426; fiat_p256_uint1 x427; - fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); uint32_t x428; fiat_p256_uint1 x429; - fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); uint32_t x430; fiat_p256_uint1 x431; - fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); uint32_t x432; fiat_p256_uint1 x433; - fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); uint32_t x434; fiat_p256_uint1 x435; - fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); uint32_t x436; fiat_p256_uint1 x437; - fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419); uint32_t x438; fiat_p256_uint1 x439; - fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); uint32_t x440; fiat_p256_uint1 x441; - fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); uint32_t x442; fiat_p256_uint1 x443; - fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); uint32_t x444; uint32_t x445; - fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); uint32_t x446; uint32_t x447; - fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); uint32_t x448; uint32_t x449; - fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); uint32_t x450; uint32_t x451; - fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); uint32_t x452; fiat_p256_uint1 x453; - fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); uint32_t x454; fiat_p256_uint1 x455; - fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); - uint32_t x456 = (x455 + x447); + uint32_t 
x456; uint32_t x457; fiat_p256_uint1 x458; - fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); uint32_t x459; fiat_p256_uint1 x460; - fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); uint32_t x461; fiat_p256_uint1 x462; - fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); uint32_t x463; fiat_p256_uint1 x464; - fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); uint32_t x465; fiat_p256_uint1 x466; - fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); uint32_t x467; fiat_p256_uint1 x468; - fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); uint32_t x469; fiat_p256_uint1 x470; - fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426); uint32_t x471; fiat_p256_uint1 x472; - fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); uint32_t x473; fiat_p256_uint1 x474; - fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); - uint32_t x475 = ((uint32_t)x474 + x443); + uint32_t x475; uint32_t x476; uint32_t x477; - fiat_p256_mulx_u32(&x476, &x477, x6, (arg2[7])); uint32_t x478; uint32_t x479; - fiat_p256_mulx_u32(&x478, &x479, x6, (arg2[6])); uint32_t x480; uint32_t x481; - fiat_p256_mulx_u32(&x480, &x481, x6, (arg2[5])); uint32_t x482; uint32_t x483; - fiat_p256_mulx_u32(&x482, &x483, x6, (arg2[4])); uint32_t x484; uint32_t x485; - fiat_p256_mulx_u32(&x484, &x485, x6, (arg2[3])); uint32_t x486; uint32_t x487; - fiat_p256_mulx_u32(&x486, &x487, x6, (arg2[2])); uint32_t x488; uint32_t x489; - fiat_p256_mulx_u32(&x488, &x489, x6, (arg2[1])); uint32_t x490; uint32_t x491; - fiat_p256_mulx_u32(&x490, &x491, x6, (arg2[0])); uint32_t x492; fiat_p256_uint1 x493; - fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); uint32_t x494; fiat_p256_uint1 x495; - fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); uint32_t x496; fiat_p256_uint1 x497; - fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); uint32_t x498; fiat_p256_uint1 x499; - fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); uint32_t x500; fiat_p256_uint1 x501; - 
fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); uint32_t x502; fiat_p256_uint1 x503; - fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); uint32_t x504; fiat_p256_uint1 x505; - fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); - uint32_t x506 = (x505 + x477); + uint32_t x506; uint32_t x507; fiat_p256_uint1 x508; - fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); uint32_t x509; fiat_p256_uint1 x510; - fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); uint32_t x511; fiat_p256_uint1 x512; - fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); uint32_t x513; fiat_p256_uint1 x514; - fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); uint32_t x515; fiat_p256_uint1 x516; - fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); uint32_t x517; fiat_p256_uint1 x518; - fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); uint32_t x519; fiat_p256_uint1 x520; - fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); uint32_t x521; fiat_p256_uint1 x522; - fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); uint32_t x523; fiat_p256_uint1 x524; - fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); uint32_t x525; uint32_t x526; - fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); uint32_t x527; uint32_t x528; - fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); uint32_t x529; uint32_t x530; - fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); uint32_t x531; uint32_t x532; - fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); uint32_t x533; fiat_p256_uint1 x534; - fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); uint32_t x535; fiat_p256_uint1 x536; - fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); - uint32_t x537 = (x536 + x528); + uint32_t x537; uint32_t x538; fiat_p256_uint1 x539; - fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531); uint32_t x540; fiat_p256_uint1 x541; - fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); uint32_t x542; 
fiat_p256_uint1 x543; - fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); uint32_t x544; fiat_p256_uint1 x545; - fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); uint32_t x546; fiat_p256_uint1 x547; - fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); uint32_t x548; fiat_p256_uint1 x549; - fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); uint32_t x550; fiat_p256_uint1 x551; - fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); uint32_t x552; fiat_p256_uint1 x553; - fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); uint32_t x554; fiat_p256_uint1 x555; - fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); - uint32_t x556 = ((uint32_t)x555 + x524); + uint32_t x556; uint32_t x557; uint32_t x558; - fiat_p256_mulx_u32(&x557, &x558, x7, (arg2[7])); uint32_t x559; uint32_t x560; - fiat_p256_mulx_u32(&x559, &x560, x7, (arg2[6])); uint32_t x561; uint32_t x562; - fiat_p256_mulx_u32(&x561, &x562, x7, (arg2[5])); uint32_t x563; uint32_t x564; - fiat_p256_mulx_u32(&x563, &x564, x7, (arg2[4])); uint32_t x565; uint32_t x566; - fiat_p256_mulx_u32(&x565, &x566, x7, (arg2[3])); uint32_t x567; uint32_t x568; - fiat_p256_mulx_u32(&x567, &x568, x7, (arg2[2])); uint32_t x569; uint32_t x570; - fiat_p256_mulx_u32(&x569, &x570, x7, (arg2[1])); uint32_t x571; uint32_t x572; - fiat_p256_mulx_u32(&x571, &x572, x7, (arg2[0])); uint32_t x573; fiat_p256_uint1 x574; - fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); uint32_t x575; fiat_p256_uint1 x576; - fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); uint32_t x577; fiat_p256_uint1 x578; - fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); uint32_t x579; fiat_p256_uint1 x580; - fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); uint32_t x581; fiat_p256_uint1 x582; - fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); uint32_t x583; fiat_p256_uint1 x584; - fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); uint32_t x585; fiat_p256_uint1 x586; - 
fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557); - uint32_t x587 = (x586 + x558); + uint32_t x587; uint32_t x588; fiat_p256_uint1 x589; - fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); uint32_t x590; fiat_p256_uint1 x591; - fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); uint32_t x592; fiat_p256_uint1 x593; - fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); uint32_t x594; fiat_p256_uint1 x595; - fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); uint32_t x596; fiat_p256_uint1 x597; - fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); uint32_t x598; fiat_p256_uint1 x599; - fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); uint32_t x600; fiat_p256_uint1 x601; - fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); uint32_t x602; fiat_p256_uint1 x603; - fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); uint32_t x604; fiat_p256_uint1 x605; - fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); uint32_t x606; uint32_t x607; - fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); uint32_t x608; uint32_t x609; - fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff)); uint32_t x610; uint32_t x611; - fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); uint32_t x612; uint32_t x613; - fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); uint32_t x614; fiat_p256_uint1 x615; - fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); uint32_t x616; fiat_p256_uint1 x617; - fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); - uint32_t x618 = (x617 + x609); + uint32_t x618; uint32_t x619; fiat_p256_uint1 x620; - fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); uint32_t x621; fiat_p256_uint1 x622; - fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); uint32_t x623; fiat_p256_uint1 x624; - fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); uint32_t x625; fiat_p256_uint1 x626; - fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); uint32_t x627; 
fiat_p256_uint1 x628; - fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); uint32_t x629; fiat_p256_uint1 x630; - fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); uint32_t x631; fiat_p256_uint1 x632; - fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); uint32_t x633; fiat_p256_uint1 x634; - fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); uint32_t x635; fiat_p256_uint1 x636; - fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); - uint32_t x637 = ((uint32_t)x636 + x605); + uint32_t x637; uint32_t x638; fiat_p256_uint1 x639; - fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); uint32_t x640; fiat_p256_uint1 x641; - fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); uint32_t x642; fiat_p256_uint1 x643; - fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); uint32_t x644; fiat_p256_uint1 x645; - fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); uint32_t x646; fiat_p256_uint1 x647; - fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); uint32_t x648; fiat_p256_uint1 x649; - fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); uint32_t x650; fiat_p256_uint1 x651; - fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); uint32_t x652; fiat_p256_uint1 x653; - fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); uint32_t x654; fiat_p256_uint1 x655; - fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); uint32_t x656; - fiat_p256_cmovznz_u32(&x656, x655, x638, x621); uint32_t x657; - fiat_p256_cmovznz_u32(&x657, x655, x640, x623); uint32_t x658; - fiat_p256_cmovznz_u32(&x658, x655, x642, x625); uint32_t x659; - fiat_p256_cmovznz_u32(&x659, x655, x644, x627); uint32_t x660; - fiat_p256_cmovznz_u32(&x660, x655, x646, x629); uint32_t x661; - fiat_p256_cmovznz_u32(&x661, x655, x648, x631); uint32_t x662; - fiat_p256_cmovznz_u32(&x662, x655, x650, x633); uint32_t x663; - fiat_p256_cmovznz_u32(&x663, x655, x652, x635); - out1[0] = x656; - 
out1[1] = x657; - out1[2] = x658; - out1[3] = x659; - out1[4] = x660; - out1[5] = x661; - out1[6] = x662; - out1[7] = x663; -} - -/* - * The function fiat_p256_square squares a field element in the Montgomery domain. - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m - * 0 ≤ eval out1 < m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { - uint32_t x1 = (arg1[1]); - uint32_t x2 = (arg1[2]); - uint32_t x3 = (arg1[3]); - uint32_t x4 = (arg1[4]); - uint32_t x5 = (arg1[5]); - uint32_t x6 = (arg1[6]); - uint32_t x7 = (arg1[7]); - uint32_t x8 = (arg1[0]); - uint32_t x9; - uint32_t x10; - fiat_p256_mulx_u32(&x9, &x10, x8, (arg1[7])); - uint32_t x11; - uint32_t x12; - fiat_p256_mulx_u32(&x11, &x12, x8, (arg1[6])); - uint32_t x13; - uint32_t x14; - fiat_p256_mulx_u32(&x13, &x14, x8, (arg1[5])); - uint32_t x15; - uint32_t x16; - fiat_p256_mulx_u32(&x15, &x16, x8, (arg1[4])); - uint32_t x17; - uint32_t x18; - fiat_p256_mulx_u32(&x17, &x18, x8, (arg1[3])); - uint32_t x19; - uint32_t x20; - fiat_p256_mulx_u32(&x19, &x20, x8, (arg1[2])); - uint32_t x21; - uint32_t x22; - fiat_p256_mulx_u32(&x21, &x22, x8, (arg1[1])); - uint32_t x23; - uint32_t x24; - fiat_p256_mulx_u32(&x23, &x24, x8, (arg1[0])); - uint32_t x25; - fiat_p256_uint1 x26; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[4]); + x5 = (arg1[5]); + x6 = (arg1[6]); + x7 = (arg1[7]); + x8 = (arg1[0]); + fiat_p256_mulx_u32(&x9, &x10, x8, (arg2[7])); + 
fiat_p256_mulx_u32(&x11, &x12, x8, (arg2[6])); + fiat_p256_mulx_u32(&x13, &x14, x8, (arg2[5])); + fiat_p256_mulx_u32(&x15, &x16, x8, (arg2[4])); + fiat_p256_mulx_u32(&x17, &x18, x8, (arg2[3])); + fiat_p256_mulx_u32(&x19, &x20, x8, (arg2[2])); + fiat_p256_mulx_u32(&x21, &x22, x8, (arg2[1])); + fiat_p256_mulx_u32(&x23, &x24, x8, (arg2[0])); fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); - uint32_t x27; - fiat_p256_uint1 x28; fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); - uint32_t x29; - fiat_p256_uint1 x30; fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); - uint32_t x31; - fiat_p256_uint1 x32; fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); - uint32_t x33; - fiat_p256_uint1 x34; fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); - uint32_t x35; - fiat_p256_uint1 x36; fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); - uint32_t x37; - fiat_p256_uint1 x38; fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); - uint32_t x39 = (x38 + x10); - uint32_t x40; - uint32_t x41; + x39 = (x38 + x10); fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); - uint32_t x42; - uint32_t x43; fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); - uint32_t x44; - uint32_t x45; fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); - uint32_t x46; - uint32_t x47; fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); - uint32_t x48; - fiat_p256_uint1 x49; fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); - uint32_t x50; - fiat_p256_uint1 x51; fiat_p256_addcarryx_u32(&x50, &x51, x49, x45, x42); - uint32_t x52 = (x51 + x43); - uint32_t x53; - fiat_p256_uint1 x54; + x52 = (x51 + x43); fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); - uint32_t x55; - fiat_p256_uint1 x56; fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); - uint32_t x57; - fiat_p256_uint1 x58; fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); - uint32_t x59; - fiat_p256_uint1 x60; fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); - uint32_t x61; - fiat_p256_uint1 x62; 
fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); - uint32_t x63; - fiat_p256_uint1 x64; fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); - uint32_t x65; - fiat_p256_uint1 x66; fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); - uint32_t x67; - fiat_p256_uint1 x68; fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); - uint32_t x69; - fiat_p256_uint1 x70; fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); - uint32_t x71; - uint32_t x72; - fiat_p256_mulx_u32(&x71, &x72, x1, (arg1[7])); - uint32_t x73; - uint32_t x74; - fiat_p256_mulx_u32(&x73, &x74, x1, (arg1[6])); - uint32_t x75; - uint32_t x76; - fiat_p256_mulx_u32(&x75, &x76, x1, (arg1[5])); - uint32_t x77; - uint32_t x78; - fiat_p256_mulx_u32(&x77, &x78, x1, (arg1[4])); - uint32_t x79; - uint32_t x80; - fiat_p256_mulx_u32(&x79, &x80, x1, (arg1[3])); - uint32_t x81; - uint32_t x82; - fiat_p256_mulx_u32(&x81, &x82, x1, (arg1[2])); - uint32_t x83; - uint32_t x84; - fiat_p256_mulx_u32(&x83, &x84, x1, (arg1[1])); - uint32_t x85; - uint32_t x86; - fiat_p256_mulx_u32(&x85, &x86, x1, (arg1[0])); - uint32_t x87; - fiat_p256_uint1 x88; + fiat_p256_mulx_u32(&x71, &x72, x1, (arg2[7])); + fiat_p256_mulx_u32(&x73, &x74, x1, (arg2[6])); + fiat_p256_mulx_u32(&x75, &x76, x1, (arg2[5])); + fiat_p256_mulx_u32(&x77, &x78, x1, (arg2[4])); + fiat_p256_mulx_u32(&x79, &x80, x1, (arg2[3])); + fiat_p256_mulx_u32(&x81, &x82, x1, (arg2[2])); + fiat_p256_mulx_u32(&x83, &x84, x1, (arg2[1])); + fiat_p256_mulx_u32(&x85, &x86, x1, (arg2[0])); fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); - uint32_t x89; - fiat_p256_uint1 x90; fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); - uint32_t x91; - fiat_p256_uint1 x92; fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); - uint32_t x93; - fiat_p256_uint1 x94; fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); - uint32_t x95; - fiat_p256_uint1 x96; fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); - uint32_t x97; - fiat_p256_uint1 x98; fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, 
x73); - uint32_t x99; - fiat_p256_uint1 x100; fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); - uint32_t x101 = (x100 + x72); - uint32_t x102; - fiat_p256_uint1 x103; + x101 = (x100 + x72); fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); - uint32_t x104; - fiat_p256_uint1 x105; fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); - uint32_t x106; - fiat_p256_uint1 x107; fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); - uint32_t x108; - fiat_p256_uint1 x109; fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); - uint32_t x110; - fiat_p256_uint1 x111; fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); - uint32_t x112; - fiat_p256_uint1 x113; fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); - uint32_t x114; - fiat_p256_uint1 x115; fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); - uint32_t x116; - fiat_p256_uint1 x117; fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); - uint32_t x118; - fiat_p256_uint1 x119; fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); - uint32_t x120; - uint32_t x121; fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); - uint32_t x122; - uint32_t x123; fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); - uint32_t x124; - uint32_t x125; fiat_p256_mulx_u32(&x124, &x125, x102, UINT32_C(0xffffffff)); - uint32_t x126; - uint32_t x127; fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); - uint32_t x128; - fiat_p256_uint1 x129; fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); - uint32_t x130; - fiat_p256_uint1 x131; fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); - uint32_t x132 = (x131 + x123); - uint32_t x133; - fiat_p256_uint1 x134; + x132 = (x131 + x123); fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); - uint32_t x135; - fiat_p256_uint1 x136; fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); - uint32_t x137; - fiat_p256_uint1 x138; fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); - uint32_t x139; - fiat_p256_uint1 x140; 
fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); - uint32_t x141; - fiat_p256_uint1 x142; fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); - uint32_t x143; - fiat_p256_uint1 x144; fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); - uint32_t x145; - fiat_p256_uint1 x146; fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); - uint32_t x147; - fiat_p256_uint1 x148; fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); - uint32_t x149; - fiat_p256_uint1 x150; fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); - uint32_t x151 = ((uint32_t)x150 + x119); - uint32_t x152; - uint32_t x153; - fiat_p256_mulx_u32(&x152, &x153, x2, (arg1[7])); - uint32_t x154; - uint32_t x155; - fiat_p256_mulx_u32(&x154, &x155, x2, (arg1[6])); - uint32_t x156; - uint32_t x157; - fiat_p256_mulx_u32(&x156, &x157, x2, (arg1[5])); - uint32_t x158; - uint32_t x159; - fiat_p256_mulx_u32(&x158, &x159, x2, (arg1[4])); - uint32_t x160; - uint32_t x161; - fiat_p256_mulx_u32(&x160, &x161, x2, (arg1[3])); - uint32_t x162; - uint32_t x163; - fiat_p256_mulx_u32(&x162, &x163, x2, (arg1[2])); - uint32_t x164; - uint32_t x165; - fiat_p256_mulx_u32(&x164, &x165, x2, (arg1[1])); - uint32_t x166; - uint32_t x167; - fiat_p256_mulx_u32(&x166, &x167, x2, (arg1[0])); - uint32_t x168; - fiat_p256_uint1 x169; + x151 = ((uint32_t)x150 + x119); + fiat_p256_mulx_u32(&x152, &x153, x2, (arg2[7])); + fiat_p256_mulx_u32(&x154, &x155, x2, (arg2[6])); + fiat_p256_mulx_u32(&x156, &x157, x2, (arg2[5])); + fiat_p256_mulx_u32(&x158, &x159, x2, (arg2[4])); + fiat_p256_mulx_u32(&x160, &x161, x2, (arg2[3])); + fiat_p256_mulx_u32(&x162, &x163, x2, (arg2[2])); + fiat_p256_mulx_u32(&x164, &x165, x2, (arg2[1])); + fiat_p256_mulx_u32(&x166, &x167, x2, (arg2[0])); fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); - uint32_t x170; - fiat_p256_uint1 x171; fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); - uint32_t x172; - fiat_p256_uint1 x173; fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, 
x160); - uint32_t x174; - fiat_p256_uint1 x175; fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); - uint32_t x176; - fiat_p256_uint1 x177; fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); - uint32_t x178; - fiat_p256_uint1 x179; fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); - uint32_t x180; - fiat_p256_uint1 x181; fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); - uint32_t x182 = (x181 + x153); - uint32_t x183; - fiat_p256_uint1 x184; + x182 = (x181 + x153); fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); - uint32_t x185; - fiat_p256_uint1 x186; fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); - uint32_t x187; - fiat_p256_uint1 x188; fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); - uint32_t x189; - fiat_p256_uint1 x190; fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); - uint32_t x191; - fiat_p256_uint1 x192; fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); - uint32_t x193; - fiat_p256_uint1 x194; fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); - uint32_t x195; - fiat_p256_uint1 x196; fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); - uint32_t x197; - fiat_p256_uint1 x198; fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); - uint32_t x199; - fiat_p256_uint1 x200; fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); - uint32_t x201; - uint32_t x202; fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); - uint32_t x203; - uint32_t x204; fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); - uint32_t x205; - uint32_t x206; fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); - uint32_t x207; - uint32_t x208; fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); - uint32_t x209; - fiat_p256_uint1 x210; fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); - uint32_t x211; - fiat_p256_uint1 x212; fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); - uint32_t x213 = (x212 + x204); - uint32_t x214; - fiat_p256_uint1 x215; + x213 = 
(x212 + x204); fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); - uint32_t x216; - fiat_p256_uint1 x217; fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); - uint32_t x218; - fiat_p256_uint1 x219; fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); - uint32_t x220; - fiat_p256_uint1 x221; fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); - uint32_t x222; - fiat_p256_uint1 x223; fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); - uint32_t x224; - fiat_p256_uint1 x225; fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); - uint32_t x226; - fiat_p256_uint1 x227; fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); - uint32_t x228; - fiat_p256_uint1 x229; fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); - uint32_t x230; - fiat_p256_uint1 x231; fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); - uint32_t x232 = ((uint32_t)x231 + x200); - uint32_t x233; - uint32_t x234; - fiat_p256_mulx_u32(&x233, &x234, x3, (arg1[7])); - uint32_t x235; - uint32_t x236; - fiat_p256_mulx_u32(&x235, &x236, x3, (arg1[6])); - uint32_t x237; - uint32_t x238; - fiat_p256_mulx_u32(&x237, &x238, x3, (arg1[5])); - uint32_t x239; - uint32_t x240; - fiat_p256_mulx_u32(&x239, &x240, x3, (arg1[4])); - uint32_t x241; - uint32_t x242; - fiat_p256_mulx_u32(&x241, &x242, x3, (arg1[3])); - uint32_t x243; - uint32_t x244; - fiat_p256_mulx_u32(&x243, &x244, x3, (arg1[2])); - uint32_t x245; - uint32_t x246; - fiat_p256_mulx_u32(&x245, &x246, x3, (arg1[1])); - uint32_t x247; - uint32_t x248; - fiat_p256_mulx_u32(&x247, &x248, x3, (arg1[0])); - uint32_t x249; - fiat_p256_uint1 x250; + x232 = ((uint32_t)x231 + x200); + fiat_p256_mulx_u32(&x233, &x234, x3, (arg2[7])); + fiat_p256_mulx_u32(&x235, &x236, x3, (arg2[6])); + fiat_p256_mulx_u32(&x237, &x238, x3, (arg2[5])); + fiat_p256_mulx_u32(&x239, &x240, x3, (arg2[4])); + fiat_p256_mulx_u32(&x241, &x242, x3, (arg2[3])); + fiat_p256_mulx_u32(&x243, &x244, x3, (arg2[2])); + fiat_p256_mulx_u32(&x245, &x246, x3, 
(arg2[1])); + fiat_p256_mulx_u32(&x247, &x248, x3, (arg2[0])); fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); - uint32_t x251; - fiat_p256_uint1 x252; fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); - uint32_t x253; - fiat_p256_uint1 x254; fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); - uint32_t x255; - fiat_p256_uint1 x256; fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); - uint32_t x257; - fiat_p256_uint1 x258; fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); - uint32_t x259; - fiat_p256_uint1 x260; fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); - uint32_t x261; - fiat_p256_uint1 x262; fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); - uint32_t x263 = (x262 + x234); - uint32_t x264; - fiat_p256_uint1 x265; + x263 = (x262 + x234); fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); - uint32_t x266; - fiat_p256_uint1 x267; fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); - uint32_t x268; - fiat_p256_uint1 x269; fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); - uint32_t x270; - fiat_p256_uint1 x271; fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); - uint32_t x272; - fiat_p256_uint1 x273; fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); - uint32_t x274; - fiat_p256_uint1 x275; fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); - uint32_t x276; - fiat_p256_uint1 x277; fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); - uint32_t x278; - fiat_p256_uint1 x279; fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); - uint32_t x280; - fiat_p256_uint1 x281; fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); - uint32_t x282; - uint32_t x283; fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); - uint32_t x284; - uint32_t x285; fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff)); - uint32_t x286; - uint32_t x287; fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); - uint32_t x288; - uint32_t x289; fiat_p256_mulx_u32(&x288, &x289, 
x264, UINT32_C(0xffffffff)); - uint32_t x290; - fiat_p256_uint1 x291; fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); - uint32_t x292; - fiat_p256_uint1 x293; fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); - uint32_t x294 = (x293 + x285); - uint32_t x295; - fiat_p256_uint1 x296; + x294 = (x293 + x285); fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); - uint32_t x297; - fiat_p256_uint1 x298; fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); - uint32_t x299; - fiat_p256_uint1 x300; fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); - uint32_t x301; - fiat_p256_uint1 x302; fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); - uint32_t x303; - fiat_p256_uint1 x304; fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); - uint32_t x305; - fiat_p256_uint1 x306; fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); - uint32_t x307; - fiat_p256_uint1 x308; fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); - uint32_t x309; - fiat_p256_uint1 x310; fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); - uint32_t x311; - fiat_p256_uint1 x312; fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); - uint32_t x313 = ((uint32_t)x312 + x281); - uint32_t x314; - uint32_t x315; - fiat_p256_mulx_u32(&x314, &x315, x4, (arg1[7])); - uint32_t x316; - uint32_t x317; - fiat_p256_mulx_u32(&x316, &x317, x4, (arg1[6])); - uint32_t x318; - uint32_t x319; - fiat_p256_mulx_u32(&x318, &x319, x4, (arg1[5])); - uint32_t x320; - uint32_t x321; - fiat_p256_mulx_u32(&x320, &x321, x4, (arg1[4])); - uint32_t x322; - uint32_t x323; - fiat_p256_mulx_u32(&x322, &x323, x4, (arg1[3])); - uint32_t x324; - uint32_t x325; - fiat_p256_mulx_u32(&x324, &x325, x4, (arg1[2])); - uint32_t x326; - uint32_t x327; - fiat_p256_mulx_u32(&x326, &x327, x4, (arg1[1])); - uint32_t x328; - uint32_t x329; - fiat_p256_mulx_u32(&x328, &x329, x4, (arg1[0])); - uint32_t x330; - fiat_p256_uint1 x331; - fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); - uint32_t x332; 
- fiat_p256_uint1 x333; + x313 = ((uint32_t)x312 + x281); + fiat_p256_mulx_u32(&x314, &x315, x4, (arg2[7])); + fiat_p256_mulx_u32(&x316, &x317, x4, (arg2[6])); + fiat_p256_mulx_u32(&x318, &x319, x4, (arg2[5])); + fiat_p256_mulx_u32(&x320, &x321, x4, (arg2[4])); + fiat_p256_mulx_u32(&x322, &x323, x4, (arg2[3])); + fiat_p256_mulx_u32(&x324, &x325, x4, (arg2[2])); + fiat_p256_mulx_u32(&x326, &x327, x4, (arg2[1])); + fiat_p256_mulx_u32(&x328, &x329, x4, (arg2[0])); + fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); fiat_p256_addcarryx_u32(&x332, &x333, x331, x327, x324); - uint32_t x334; - fiat_p256_uint1 x335; fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); - uint32_t x336; - fiat_p256_uint1 x337; fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); - uint32_t x338; - fiat_p256_uint1 x339; fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); - uint32_t x340; - fiat_p256_uint1 x341; fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); - uint32_t x342; - fiat_p256_uint1 x343; fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); - uint32_t x344 = (x343 + x315); - uint32_t x345; - fiat_p256_uint1 x346; + x344 = (x343 + x315); fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); - uint32_t x347; - fiat_p256_uint1 x348; fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); - uint32_t x349; - fiat_p256_uint1 x350; fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); - uint32_t x351; - fiat_p256_uint1 x352; fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); - uint32_t x353; - fiat_p256_uint1 x354; fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); - uint32_t x355; - fiat_p256_uint1 x356; fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); - uint32_t x357; - fiat_p256_uint1 x358; fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); - uint32_t x359; - fiat_p256_uint1 x360; fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); - uint32_t x361; - fiat_p256_uint1 x362; fiat_p256_addcarryx_u32(&x361, &x362, x360, 
x313, x344); - uint32_t x363; - uint32_t x364; fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); - uint32_t x365; - uint32_t x366; fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); - uint32_t x367; - uint32_t x368; fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); - uint32_t x369; - uint32_t x370; fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); - uint32_t x371; - fiat_p256_uint1 x372; fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); - uint32_t x373; - fiat_p256_uint1 x374; fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); - uint32_t x375 = (x374 + x366); - uint32_t x376; - fiat_p256_uint1 x377; + x375 = (x374 + x366); fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); - uint32_t x378; - fiat_p256_uint1 x379; fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); - uint32_t x380; - fiat_p256_uint1 x381; fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); - uint32_t x382; - fiat_p256_uint1 x383; fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); - uint32_t x384; - fiat_p256_uint1 x385; fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); - uint32_t x386; - fiat_p256_uint1 x387; fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); - uint32_t x388; - fiat_p256_uint1 x389; fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); - uint32_t x390; - fiat_p256_uint1 x391; fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); - uint32_t x392; - fiat_p256_uint1 x393; fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); - uint32_t x394 = ((uint32_t)x393 + x362); - uint32_t x395; - uint32_t x396; - fiat_p256_mulx_u32(&x395, &x396, x5, (arg1[7])); - uint32_t x397; - uint32_t x398; - fiat_p256_mulx_u32(&x397, &x398, x5, (arg1[6])); - uint32_t x399; - uint32_t x400; - fiat_p256_mulx_u32(&x399, &x400, x5, (arg1[5])); - uint32_t x401; - uint32_t x402; - fiat_p256_mulx_u32(&x401, &x402, x5, (arg1[4])); - uint32_t x403; - uint32_t x404; - fiat_p256_mulx_u32(&x403, &x404, x5, (arg1[3])); - 
uint32_t x405; - uint32_t x406; - fiat_p256_mulx_u32(&x405, &x406, x5, (arg1[2])); - uint32_t x407; - uint32_t x408; - fiat_p256_mulx_u32(&x407, &x408, x5, (arg1[1])); - uint32_t x409; - uint32_t x410; - fiat_p256_mulx_u32(&x409, &x410, x5, (arg1[0])); - uint32_t x411; - fiat_p256_uint1 x412; + x394 = ((uint32_t)x393 + x362); + fiat_p256_mulx_u32(&x395, &x396, x5, (arg2[7])); + fiat_p256_mulx_u32(&x397, &x398, x5, (arg2[6])); + fiat_p256_mulx_u32(&x399, &x400, x5, (arg2[5])); + fiat_p256_mulx_u32(&x401, &x402, x5, (arg2[4])); + fiat_p256_mulx_u32(&x403, &x404, x5, (arg2[3])); + fiat_p256_mulx_u32(&x405, &x406, x5, (arg2[2])); + fiat_p256_mulx_u32(&x407, &x408, x5, (arg2[1])); + fiat_p256_mulx_u32(&x409, &x410, x5, (arg2[0])); fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); - uint32_t x413; - fiat_p256_uint1 x414; fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); - uint32_t x415; - fiat_p256_uint1 x416; fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); - uint32_t x417; - fiat_p256_uint1 x418; fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); - uint32_t x419; - fiat_p256_uint1 x420; fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); - uint32_t x421; - fiat_p256_uint1 x422; fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); - uint32_t x423; - fiat_p256_uint1 x424; fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); - uint32_t x425 = (x424 + x396); - uint32_t x426; - fiat_p256_uint1 x427; + x425 = (x424 + x396); fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); - uint32_t x428; - fiat_p256_uint1 x429; fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); - uint32_t x430; - fiat_p256_uint1 x431; fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); - uint32_t x432; - fiat_p256_uint1 x433; fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); - uint32_t x434; - fiat_p256_uint1 x435; fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); - uint32_t x436; - fiat_p256_uint1 x437; fiat_p256_addcarryx_u32(&x436, 
&x437, x435, x388, x419); - uint32_t x438; - fiat_p256_uint1 x439; fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); - uint32_t x440; - fiat_p256_uint1 x441; fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); - uint32_t x442; - fiat_p256_uint1 x443; fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); - uint32_t x444; - uint32_t x445; fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); - uint32_t x446; - uint32_t x447; fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); - uint32_t x448; - uint32_t x449; fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); - uint32_t x450; - uint32_t x451; fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); - uint32_t x452; - fiat_p256_uint1 x453; fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); - uint32_t x454; - fiat_p256_uint1 x455; fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); - uint32_t x456 = (x455 + x447); - uint32_t x457; - fiat_p256_uint1 x458; + x456 = (x455 + x447); fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); - uint32_t x459; - fiat_p256_uint1 x460; fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); - uint32_t x461; - fiat_p256_uint1 x462; fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); - uint32_t x463; - fiat_p256_uint1 x464; fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); - uint32_t x465; - fiat_p256_uint1 x466; fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); - uint32_t x467; - fiat_p256_uint1 x468; fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); - uint32_t x469; - fiat_p256_uint1 x470; fiat_p256_addcarryx_u32(&x469, &x470, x468, x438, x426); - uint32_t x471; - fiat_p256_uint1 x472; fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); - uint32_t x473; - fiat_p256_uint1 x474; fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); - uint32_t x475 = ((uint32_t)x474 + x443); - uint32_t x476; - uint32_t x477; - fiat_p256_mulx_u32(&x476, &x477, x6, (arg1[7])); - uint32_t x478; - uint32_t x479; - 
fiat_p256_mulx_u32(&x478, &x479, x6, (arg1[6])); - uint32_t x480; - uint32_t x481; - fiat_p256_mulx_u32(&x480, &x481, x6, (arg1[5])); - uint32_t x482; - uint32_t x483; - fiat_p256_mulx_u32(&x482, &x483, x6, (arg1[4])); - uint32_t x484; - uint32_t x485; - fiat_p256_mulx_u32(&x484, &x485, x6, (arg1[3])); - uint32_t x486; - uint32_t x487; - fiat_p256_mulx_u32(&x486, &x487, x6, (arg1[2])); - uint32_t x488; - uint32_t x489; - fiat_p256_mulx_u32(&x488, &x489, x6, (arg1[1])); - uint32_t x490; - uint32_t x491; - fiat_p256_mulx_u32(&x490, &x491, x6, (arg1[0])); - uint32_t x492; - fiat_p256_uint1 x493; + x475 = ((uint32_t)x474 + x443); + fiat_p256_mulx_u32(&x476, &x477, x6, (arg2[7])); + fiat_p256_mulx_u32(&x478, &x479, x6, (arg2[6])); + fiat_p256_mulx_u32(&x480, &x481, x6, (arg2[5])); + fiat_p256_mulx_u32(&x482, &x483, x6, (arg2[4])); + fiat_p256_mulx_u32(&x484, &x485, x6, (arg2[3])); + fiat_p256_mulx_u32(&x486, &x487, x6, (arg2[2])); + fiat_p256_mulx_u32(&x488, &x489, x6, (arg2[1])); + fiat_p256_mulx_u32(&x490, &x491, x6, (arg2[0])); fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); - uint32_t x494; - fiat_p256_uint1 x495; fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); - uint32_t x496; - fiat_p256_uint1 x497; fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); - uint32_t x498; - fiat_p256_uint1 x499; fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); - uint32_t x500; - fiat_p256_uint1 x501; fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); - uint32_t x502; - fiat_p256_uint1 x503; fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); - uint32_t x504; - fiat_p256_uint1 x505; fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); - uint32_t x506 = (x505 + x477); - uint32_t x507; - fiat_p256_uint1 x508; + x506 = (x505 + x477); fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); - uint32_t x509; - fiat_p256_uint1 x510; fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); - uint32_t x511; - fiat_p256_uint1 x512; 
fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); - uint32_t x513; - fiat_p256_uint1 x514; fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); - uint32_t x515; - fiat_p256_uint1 x516; fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); - uint32_t x517; - fiat_p256_uint1 x518; fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); - uint32_t x519; - fiat_p256_uint1 x520; fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); - uint32_t x521; - fiat_p256_uint1 x522; fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); - uint32_t x523; - fiat_p256_uint1 x524; fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); - uint32_t x525; - uint32_t x526; fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); - uint32_t x527; - uint32_t x528; fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); - uint32_t x529; - uint32_t x530; fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); - uint32_t x531; - uint32_t x532; fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); - uint32_t x533; - fiat_p256_uint1 x534; fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); - uint32_t x535; - fiat_p256_uint1 x536; fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); - uint32_t x537 = (x536 + x528); - uint32_t x538; - fiat_p256_uint1 x539; + x537 = (x536 + x528); fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, x531); - uint32_t x540; - fiat_p256_uint1 x541; fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); - uint32_t x542; - fiat_p256_uint1 x543; fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); - uint32_t x544; - fiat_p256_uint1 x545; fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); - uint32_t x546; - fiat_p256_uint1 x547; fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); - uint32_t x548; - fiat_p256_uint1 x549; fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); - uint32_t x550; - fiat_p256_uint1 x551; fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); - uint32_t x552; - fiat_p256_uint1 
x553; fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); - uint32_t x554; - fiat_p256_uint1 x555; fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); - uint32_t x556 = ((uint32_t)x555 + x524); - uint32_t x557; - uint32_t x558; - fiat_p256_mulx_u32(&x557, &x558, x7, (arg1[7])); - uint32_t x559; - uint32_t x560; - fiat_p256_mulx_u32(&x559, &x560, x7, (arg1[6])); - uint32_t x561; - uint32_t x562; - fiat_p256_mulx_u32(&x561, &x562, x7, (arg1[5])); - uint32_t x563; - uint32_t x564; - fiat_p256_mulx_u32(&x563, &x564, x7, (arg1[4])); - uint32_t x565; - uint32_t x566; - fiat_p256_mulx_u32(&x565, &x566, x7, (arg1[3])); - uint32_t x567; - uint32_t x568; - fiat_p256_mulx_u32(&x567, &x568, x7, (arg1[2])); - uint32_t x569; - uint32_t x570; - fiat_p256_mulx_u32(&x569, &x570, x7, (arg1[1])); - uint32_t x571; - uint32_t x572; - fiat_p256_mulx_u32(&x571, &x572, x7, (arg1[0])); - uint32_t x573; - fiat_p256_uint1 x574; + x556 = ((uint32_t)x555 + x524); + fiat_p256_mulx_u32(&x557, &x558, x7, (arg2[7])); + fiat_p256_mulx_u32(&x559, &x560, x7, (arg2[6])); + fiat_p256_mulx_u32(&x561, &x562, x7, (arg2[5])); + fiat_p256_mulx_u32(&x563, &x564, x7, (arg2[4])); + fiat_p256_mulx_u32(&x565, &x566, x7, (arg2[3])); + fiat_p256_mulx_u32(&x567, &x568, x7, (arg2[2])); + fiat_p256_mulx_u32(&x569, &x570, x7, (arg2[1])); + fiat_p256_mulx_u32(&x571, &x572, x7, (arg2[0])); fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); - uint32_t x575; - fiat_p256_uint1 x576; fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); - uint32_t x577; - fiat_p256_uint1 x578; fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); - uint32_t x579; - fiat_p256_uint1 x580; fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); - uint32_t x581; - fiat_p256_uint1 x582; fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); - uint32_t x583; - fiat_p256_uint1 x584; fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); - uint32_t x585; - fiat_p256_uint1 x586; fiat_p256_addcarryx_u32(&x585, &x586, x584, 
x560, x557); - uint32_t x587 = (x586 + x558); - uint32_t x588; - fiat_p256_uint1 x589; + x587 = (x586 + x558); fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); - uint32_t x590; - fiat_p256_uint1 x591; fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); - uint32_t x592; - fiat_p256_uint1 x593; fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); - uint32_t x594; - fiat_p256_uint1 x595; fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); - uint32_t x596; - fiat_p256_uint1 x597; fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); - uint32_t x598; - fiat_p256_uint1 x599; fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); - uint32_t x600; - fiat_p256_uint1 x601; fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); - uint32_t x602; - fiat_p256_uint1 x603; fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); - uint32_t x604; - fiat_p256_uint1 x605; fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); - uint32_t x606; - uint32_t x607; fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); - uint32_t x608; - uint32_t x609; fiat_p256_mulx_u32(&x608, &x609, x588, UINT32_C(0xffffffff)); - uint32_t x610; - uint32_t x611; fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); - uint32_t x612; - uint32_t x613; fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); - uint32_t x614; - fiat_p256_uint1 x615; fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); - uint32_t x616; - fiat_p256_uint1 x617; fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); - uint32_t x618 = (x617 + x609); - uint32_t x619; - fiat_p256_uint1 x620; + x618 = (x617 + x609); fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); - uint32_t x621; - fiat_p256_uint1 x622; fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); - uint32_t x623; - fiat_p256_uint1 x624; fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); - uint32_t x625; - fiat_p256_uint1 x626; fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); - uint32_t x627; - 
fiat_p256_uint1 x628; fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); - uint32_t x629; - fiat_p256_uint1 x630; fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); - uint32_t x631; - fiat_p256_uint1 x632; fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); - uint32_t x633; - fiat_p256_uint1 x634; fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); - uint32_t x635; - fiat_p256_uint1 x636; fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); - uint32_t x637 = ((uint32_t)x636 + x605); - uint32_t x638; - fiat_p256_uint1 x639; + x637 = ((uint32_t)x636 + x605); fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); - uint32_t x640; - fiat_p256_uint1 x641; fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); - uint32_t x642; - fiat_p256_uint1 x643; fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); - uint32_t x644; - fiat_p256_uint1 x645; fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); - uint32_t x646; - fiat_p256_uint1 x647; fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); - uint32_t x648; - fiat_p256_uint1 x649; fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); - uint32_t x650; - fiat_p256_uint1 x651; fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); - uint32_t x652; - fiat_p256_uint1 x653; fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); - uint32_t x654; - fiat_p256_uint1 x655; fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); - uint32_t x656; fiat_p256_cmovznz_u32(&x656, x655, x638, x621); - uint32_t x657; fiat_p256_cmovznz_u32(&x657, x655, x640, x623); - uint32_t x658; fiat_p256_cmovznz_u32(&x658, x655, x642, x625); - uint32_t x659; fiat_p256_cmovznz_u32(&x659, x655, x644, x627); - uint32_t x660; fiat_p256_cmovznz_u32(&x660, x655, x646, x629); - uint32_t x661; fiat_p256_cmovznz_u32(&x661, x655, x648, x631); - uint32_t x662; fiat_p256_cmovznz_u32(&x662, x655, x650, x633); - uint32_t x663; fiat_p256_cmovznz_u32(&x663, 
x655, x652, x635); out1[0] = x656; out1[1] = x657; 
@@ -2127,1021 +1185,3576 @@ static void fiat_p256_square(uint32_t out1[8], const uint32_t arg1[8]) { } /* - * The function fiat_p256_add adds two field elements in the Montgomery domain. + * The function fiat_p256_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_add(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { uint32_t x1; - fiat_p256_uint1 x2; - fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + uint32_t x2; uint32_t x3; - fiat_p256_uint1 x4; - fiat_p256_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); + uint32_t x4; uint32_t x5; - fiat_p256_uint1 x6; - fiat_p256_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); + uint32_t x6; uint32_t x7; - fiat_p256_uint1 x8; - fiat_p256_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); + uint32_t x8; uint32_t x9; - fiat_p256_uint1 x10; - fiat_p256_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); + uint32_t x10; uint32_t x11; - 
fiat_p256_uint1 x12; - fiat_p256_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); + uint32_t x12; uint32_t x13; - fiat_p256_uint1 x14; - fiat_p256_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); + uint32_t x14; uint32_t x15; - fiat_p256_uint1 x16; - fiat_p256_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); + uint32_t x16; uint32_t x17; - fiat_p256_uint1 x18; - fiat_p256_subborrowx_u32(&x17, &x18, 0x0, x1, UINT32_C(0xffffffff)); + uint32_t x18; uint32_t x19; - fiat_p256_uint1 x20; - fiat_p256_subborrowx_u32(&x19, &x20, x18, x3, UINT32_C(0xffffffff)); + uint32_t x20; uint32_t x21; - fiat_p256_uint1 x22; - fiat_p256_subborrowx_u32(&x21, &x22, x20, x5, UINT32_C(0xffffffff)); + uint32_t x22; uint32_t x23; - fiat_p256_uint1 x24; - fiat_p256_subborrowx_u32(&x23, &x24, x22, x7, 0x0); + uint32_t x24; uint32_t x25; fiat_p256_uint1 x26; - fiat_p256_subborrowx_u32(&x25, &x26, x24, x9, 0x0); uint32_t x27; fiat_p256_uint1 x28; - fiat_p256_subborrowx_u32(&x27, &x28, x26, x11, 0x0); uint32_t x29; fiat_p256_uint1 x30; - fiat_p256_subborrowx_u32(&x29, &x30, x28, x13, 0x1); uint32_t x31; fiat_p256_uint1 x32; - fiat_p256_subborrowx_u32(&x31, &x32, x30, x15, UINT32_C(0xffffffff)); uint32_t x33; fiat_p256_uint1 x34; - fiat_p256_subborrowx_u32(&x33, &x34, x32, x16, 0x0); uint32_t x35; - fiat_p256_cmovznz_u32(&x35, x34, x17, x1); - uint32_t x36; - fiat_p256_cmovznz_u32(&x36, x34, x19, x3); + fiat_p256_uint1 x36; uint32_t x37; - fiat_p256_cmovznz_u32(&x37, x34, x21, x5); - uint32_t x38; - fiat_p256_cmovznz_u32(&x38, x34, x23, x7); + fiat_p256_uint1 x38; uint32_t x39; - fiat_p256_cmovznz_u32(&x39, x34, x25, x9); uint32_t x40; - fiat_p256_cmovznz_u32(&x40, x34, x27, x11); uint32_t x41; - fiat_p256_cmovznz_u32(&x41, x34, x29, x13); uint32_t x42; - fiat_p256_cmovznz_u32(&x42, x34, x31, x15); - out1[0] = x35; - out1[1] = x36; - out1[2] = x37; - out1[3] = x38; - out1[4] = x39; - out1[5] = x40; - out1[6] = x41; - out1[7] = x42; -} - -/* - * The function fiat_p256_sub subtracts 
two field elements in the Montgomery domain. - * Preconditions: - * 0 ≤ eval arg1 < m - * 0 ≤ eval arg2 < m - * Postconditions: - * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m - * 0 ≤ eval out1 < m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void fiat_p256_sub(uint32_t out1[8], const uint32_t arg1[8], const uint32_t arg2[8]) { - uint32_t x1; - fiat_p256_uint1 x2; - fiat_p256_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); - uint32_t x3; - fiat_p256_uint1 x4; - fiat_p256_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); - uint32_t x5; - fiat_p256_uint1 x6; - fiat_p256_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); - uint32_t x7; - fiat_p256_uint1 x8; - fiat_p256_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); - uint32_t x9; - fiat_p256_uint1 x10; - fiat_p256_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); - uint32_t x11; - fiat_p256_uint1 x12; - fiat_p256_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); - uint32_t x13; - fiat_p256_uint1 x14; - fiat_p256_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); - uint32_t x15; - fiat_p256_uint1 x16; - fiat_p256_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); - uint32_t x17; - fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); - uint32_t x18; - fiat_p256_uint1 x19; - fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, (x17 & UINT32_C(0xffffffff))); - uint32_t x20; - fiat_p256_uint1 x21; - 
fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, (x17 & UINT32_C(0xffffffff))); - uint32_t x22; - fiat_p256_uint1 x23; - fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, (x17 & UINT32_C(0xffffffff))); - uint32_t x24; - fiat_p256_uint1 x25; - fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); - uint32_t x26; - fiat_p256_uint1 x27; - fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); - uint32_t x28; - fiat_p256_uint1 x29; - fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); - uint32_t x30; - fiat_p256_uint1 x31; - fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); - uint32_t x32; - fiat_p256_uint1 x33; - fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, (x17 & UINT32_C(0xffffffff))); - out1[0] = x18; - out1[1] = x20; - out1[2] = x22; - out1[3] = x24; - out1[4] = x26; - out1[5] = x28; - out1[6] = x30; - out1[7] = x32; -} - -/* - * The function fiat_p256_opp negates a field element in the Montgomery domain. - * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m - * 0 ≤ eval out1 < m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void fiat_p256_opp(uint32_t out1[8], const uint32_t arg1[8]) { - uint32_t x1; - fiat_p256_uint1 x2; - fiat_p256_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); - uint32_t x3; - fiat_p256_uint1 x4; - fiat_p256_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); - uint32_t x5; - fiat_p256_uint1 x6; - fiat_p256_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); - uint32_t x7; - fiat_p256_uint1 x8; - fiat_p256_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); - uint32_t x9; - fiat_p256_uint1 x10; - 
fiat_p256_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); - uint32_t x11; - fiat_p256_uint1 x12; - fiat_p256_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); - uint32_t x13; - fiat_p256_uint1 x14; - fiat_p256_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); - uint32_t x15; - fiat_p256_uint1 x16; - fiat_p256_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); - uint32_t x17; - fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); - uint32_t x18; - fiat_p256_uint1 x19; - fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, (x17 & UINT32_C(0xffffffff))); - uint32_t x20; - fiat_p256_uint1 x21; - fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, (x17 & UINT32_C(0xffffffff))); - uint32_t x22; - fiat_p256_uint1 x23; - fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, (x17 & UINT32_C(0xffffffff))); - uint32_t x24; - fiat_p256_uint1 x25; - fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); - uint32_t x26; - fiat_p256_uint1 x27; - fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); - uint32_t x28; - fiat_p256_uint1 x29; - fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); - uint32_t x30; - fiat_p256_uint1 x31; - fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); - uint32_t x32; - fiat_p256_uint1 x33; - fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, (x17 & UINT32_C(0xffffffff))); - out1[0] = x18; - out1[1] = x20; - out1[2] = x22; - out1[3] = x24; - out1[4] = x26; - out1[5] = x28; - out1[6] = x30; - out1[7] = x32; -} - -/* - * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. 
- * Preconditions: - * 0 ≤ eval arg1 < m - * Postconditions: - * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m - * 0 ≤ eval out1 < m - * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - */ -static void fiat_p256_from_montgomery(uint32_t out1[8], const uint32_t arg1[8]) { - uint32_t x1 = (arg1[0]); - uint32_t x2; - uint32_t x3; - fiat_p256_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); - uint32_t x4; - uint32_t x5; - fiat_p256_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); - uint32_t x6; - uint32_t x7; - fiat_p256_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); - uint32_t x8; - uint32_t x9; - fiat_p256_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); - uint32_t x10; - fiat_p256_uint1 x11; - fiat_p256_addcarryx_u32(&x10, &x11, 0x0, x9, x6); - uint32_t x12; - fiat_p256_uint1 x13; - fiat_p256_addcarryx_u32(&x12, &x13, x11, x7, x4); - uint32_t x14; - fiat_p256_uint1 x15; - fiat_p256_addcarryx_u32(&x14, &x15, 0x0, x1, x8); - uint32_t x16; - fiat_p256_uint1 x17; - fiat_p256_addcarryx_u32(&x16, &x17, x15, 0x0, x10); - uint32_t x18; - fiat_p256_uint1 x19; - fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, x12); - uint32_t x20; - fiat_p256_uint1 x21; - fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (x13 + x5)); - uint32_t x22; - fiat_p256_uint1 x23; - fiat_p256_addcarryx_u32(&x22, &x23, 0x0, x16, (arg1[1])); - uint32_t x24; - fiat_p256_uint1 x25; - fiat_p256_addcarryx_u32(&x24, &x25, x23, x18, 0x0); - uint32_t x26; - fiat_p256_uint1 x27; - fiat_p256_addcarryx_u32(&x26, &x27, x25, x20, 0x0); - uint32_t x28; - uint32_t x29; - fiat_p256_mulx_u32(&x28, &x29, x22, UINT32_C(0xffffffff)); - uint32_t x30; - uint32_t x31; - 
fiat_p256_mulx_u32(&x30, &x31, x22, UINT32_C(0xffffffff)); - uint32_t x32; - uint32_t x33; - fiat_p256_mulx_u32(&x32, &x33, x22, UINT32_C(0xffffffff)); - uint32_t x34; - uint32_t x35; - fiat_p256_mulx_u32(&x34, &x35, x22, UINT32_C(0xffffffff)); - uint32_t x36; - fiat_p256_uint1 x37; - fiat_p256_addcarryx_u32(&x36, &x37, 0x0, x35, x32); - uint32_t x38; - fiat_p256_uint1 x39; - fiat_p256_addcarryx_u32(&x38, &x39, x37, x33, x30); - uint32_t x40; - fiat_p256_uint1 x41; - fiat_p256_addcarryx_u32(&x40, &x41, 0x0, x22, x34); - uint32_t x42; - fiat_p256_uint1 x43; - fiat_p256_addcarryx_u32(&x42, &x43, x41, x24, x36); + uint32_t x43; uint32_t x44; - fiat_p256_uint1 x45; - fiat_p256_addcarryx_u32(&x44, &x45, x43, x26, x38); + uint32_t x45; uint32_t x46; - fiat_p256_uint1 x47; - fiat_p256_addcarryx_u32(&x46, &x47, x45, ((uint32_t)x27 + x21), (x39 + x31)); + uint32_t x47; uint32_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x2, x22); uint32_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u32(&x50, &x51, x49, x3, x28); uint32_t x52; - fiat_p256_uint1 x53; - fiat_p256_addcarryx_u32(&x52, &x53, 0x0, x42, (arg1[2])); - uint32_t x54; - fiat_p256_uint1 x55; - fiat_p256_addcarryx_u32(&x54, &x55, x53, x44, 0x0); - uint32_t x56; - fiat_p256_uint1 x57; - fiat_p256_addcarryx_u32(&x56, &x57, x55, x46, 0x0); - uint32_t x58; + uint32_t x53; + fiat_p256_uint1 x54; + uint32_t x55; + fiat_p256_uint1 x56; + uint32_t x57; + fiat_p256_uint1 x58; uint32_t x59; - fiat_p256_mulx_u32(&x58, &x59, x52, UINT32_C(0xffffffff)); - uint32_t x60; + fiat_p256_uint1 x60; uint32_t x61; - fiat_p256_mulx_u32(&x60, &x61, x52, UINT32_C(0xffffffff)); - uint32_t x62; + fiat_p256_uint1 x62; uint32_t x63; - fiat_p256_mulx_u32(&x62, &x63, x52, UINT32_C(0xffffffff)); - uint32_t x64; + fiat_p256_uint1 x64; uint32_t x65; - fiat_p256_mulx_u32(&x64, &x65, x52, UINT32_C(0xffffffff)); - uint32_t x66; - fiat_p256_uint1 x67; - fiat_p256_addcarryx_u32(&x66, &x67, 0x0, x65, x62); - uint32_t x68; - 
fiat_p256_uint1 x69; - fiat_p256_addcarryx_u32(&x68, &x69, x67, x63, x60); - uint32_t x70; - fiat_p256_uint1 x71; - fiat_p256_addcarryx_u32(&x70, &x71, 0x0, x52, x64); + fiat_p256_uint1 x66; + uint32_t x67; + fiat_p256_uint1 x68; + uint32_t x69; + fiat_p256_uint1 x70; + uint32_t x71; uint32_t x72; - fiat_p256_uint1 x73; - fiat_p256_addcarryx_u32(&x72, &x73, x71, x54, x66); + uint32_t x73; uint32_t x74; - fiat_p256_uint1 x75; - fiat_p256_addcarryx_u32(&x74, &x75, x73, x56, x68); + uint32_t x75; uint32_t x76; - fiat_p256_uint1 x77; - fiat_p256_addcarryx_u32(&x76, &x77, x75, ((uint32_t)x57 + x47), (x69 + x61)); + uint32_t x77; uint32_t x78; - fiat_p256_uint1 x79; - fiat_p256_addcarryx_u32(&x78, &x79, x77, x1, 0x0); + uint32_t x79; uint32_t x80; - fiat_p256_uint1 x81; - fiat_p256_addcarryx_u32(&x80, &x81, x79, x48, 0x0); + uint32_t x81; uint32_t x82; - fiat_p256_uint1 x83; - fiat_p256_addcarryx_u32(&x82, &x83, x81, x50, x52); + uint32_t x83; uint32_t x84; - fiat_p256_uint1 x85; - fiat_p256_addcarryx_u32(&x84, &x85, x83, (x51 + x29), x58); + uint32_t x85; uint32_t x86; - fiat_p256_uint1 x87; - fiat_p256_addcarryx_u32(&x86, &x87, 0x0, x72, (arg1[3])); - uint32_t x88; - fiat_p256_uint1 x89; - fiat_p256_addcarryx_u32(&x88, &x89, x87, x74, 0x0); - uint32_t x90; - fiat_p256_uint1 x91; - fiat_p256_addcarryx_u32(&x90, &x91, x89, x76, 0x0); - uint32_t x92; - fiat_p256_uint1 x93; - fiat_p256_addcarryx_u32(&x92, &x93, x91, x78, 0x0); - uint32_t x94; - fiat_p256_uint1 x95; - fiat_p256_addcarryx_u32(&x94, &x95, x93, x80, 0x0); - uint32_t x96; - fiat_p256_uint1 x97; - fiat_p256_addcarryx_u32(&x96, &x97, x95, x82, 0x0); - uint32_t x98; - fiat_p256_uint1 x99; - fiat_p256_addcarryx_u32(&x98, &x99, x97, x84, 0x0); - uint32_t x100; - fiat_p256_uint1 x101; - fiat_p256_addcarryx_u32(&x100, &x101, x99, (x85 + x59), 0x0); - uint32_t x102; - uint32_t x103; - fiat_p256_mulx_u32(&x102, &x103, x86, UINT32_C(0xffffffff)); - uint32_t x104; - uint32_t x105; - fiat_p256_mulx_u32(&x104, &x105, x86, 
UINT32_C(0xffffffff)); - uint32_t x106; - uint32_t x107; - fiat_p256_mulx_u32(&x106, &x107, x86, UINT32_C(0xffffffff)); + uint32_t x87; + fiat_p256_uint1 x88; + uint32_t x89; + fiat_p256_uint1 x90; + uint32_t x91; + fiat_p256_uint1 x92; + uint32_t x93; + fiat_p256_uint1 x94; + uint32_t x95; + fiat_p256_uint1 x96; + uint32_t x97; + fiat_p256_uint1 x98; + uint32_t x99; + fiat_p256_uint1 x100; + uint32_t x101; + uint32_t x102; + fiat_p256_uint1 x103; + uint32_t x104; + fiat_p256_uint1 x105; + uint32_t x106; + fiat_p256_uint1 x107; uint32_t x108; - uint32_t x109; - fiat_p256_mulx_u32(&x108, &x109, x86, UINT32_C(0xffffffff)); + fiat_p256_uint1 x109; uint32_t x110; fiat_p256_uint1 x111; - fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x109, x106); uint32_t x112; fiat_p256_uint1 x113; - fiat_p256_addcarryx_u32(&x112, &x113, x111, x107, x104); uint32_t x114; fiat_p256_uint1 x115; - fiat_p256_addcarryx_u32(&x114, &x115, 0x0, x86, x108); uint32_t x116; fiat_p256_uint1 x117; - fiat_p256_addcarryx_u32(&x116, &x117, x115, x88, x110); uint32_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u32(&x118, &x119, x117, x90, x112); uint32_t x120; - fiat_p256_uint1 x121; - fiat_p256_addcarryx_u32(&x120, &x121, x119, x92, (x113 + x105)); + uint32_t x121; uint32_t x122; - fiat_p256_uint1 x123; - fiat_p256_addcarryx_u32(&x122, &x123, x121, x94, 0x0); + uint32_t x123; uint32_t x124; - fiat_p256_uint1 x125; - fiat_p256_addcarryx_u32(&x124, &x125, x123, x96, 0x0); + uint32_t x125; uint32_t x126; - fiat_p256_uint1 x127; - fiat_p256_addcarryx_u32(&x126, &x127, x125, x98, x86); + uint32_t x127; uint32_t x128; fiat_p256_uint1 x129; - fiat_p256_addcarryx_u32(&x128, &x129, x127, x100, x102); uint32_t x130; fiat_p256_uint1 x131; - fiat_p256_addcarryx_u32(&x130, &x131, x129, x101, x103); uint32_t x132; - fiat_p256_uint1 x133; - fiat_p256_addcarryx_u32(&x132, &x133, 0x0, x116, (arg1[4])); - uint32_t x134; - fiat_p256_uint1 x135; - fiat_p256_addcarryx_u32(&x134, &x135, x133, x118, 0x0); - uint32_t x136; 
- fiat_p256_uint1 x137; - fiat_p256_addcarryx_u32(&x136, &x137, x135, x120, 0x0); - uint32_t x138; - fiat_p256_uint1 x139; - fiat_p256_addcarryx_u32(&x138, &x139, x137, x122, 0x0); - uint32_t x140; - fiat_p256_uint1 x141; - fiat_p256_addcarryx_u32(&x140, &x141, x139, x124, 0x0); - uint32_t x142; - fiat_p256_uint1 x143; - fiat_p256_addcarryx_u32(&x142, &x143, x141, x126, 0x0); - uint32_t x144; - fiat_p256_uint1 x145; - fiat_p256_addcarryx_u32(&x144, &x145, x143, x128, 0x0); - uint32_t x146; - fiat_p256_uint1 x147; - fiat_p256_addcarryx_u32(&x146, &x147, x145, x130, 0x0); - uint32_t x148; + uint32_t x133; + fiat_p256_uint1 x134; + uint32_t x135; + fiat_p256_uint1 x136; + uint32_t x137; + fiat_p256_uint1 x138; + uint32_t x139; + fiat_p256_uint1 x140; + uint32_t x141; + fiat_p256_uint1 x142; + uint32_t x143; + fiat_p256_uint1 x144; + uint32_t x145; + fiat_p256_uint1 x146; + uint32_t x147; + fiat_p256_uint1 x148; uint32_t x149; - fiat_p256_mulx_u32(&x148, &x149, x132, UINT32_C(0xffffffff)); - uint32_t x150; + fiat_p256_uint1 x150; uint32_t x151; - fiat_p256_mulx_u32(&x150, &x151, x132, UINT32_C(0xffffffff)); uint32_t x152; uint32_t x153; - fiat_p256_mulx_u32(&x152, &x153, x132, UINT32_C(0xffffffff)); uint32_t x154; uint32_t x155; - fiat_p256_mulx_u32(&x154, &x155, x132, UINT32_C(0xffffffff)); uint32_t x156; - fiat_p256_uint1 x157; - fiat_p256_addcarryx_u32(&x156, &x157, 0x0, x155, x152); + uint32_t x157; uint32_t x158; - fiat_p256_uint1 x159; - fiat_p256_addcarryx_u32(&x158, &x159, x157, x153, x150); + uint32_t x159; uint32_t x160; - fiat_p256_uint1 x161; - fiat_p256_addcarryx_u32(&x160, &x161, 0x0, x132, x154); + uint32_t x161; uint32_t x162; - fiat_p256_uint1 x163; - fiat_p256_addcarryx_u32(&x162, &x163, x161, x134, x156); + uint32_t x163; uint32_t x164; - fiat_p256_uint1 x165; - fiat_p256_addcarryx_u32(&x164, &x165, x163, x136, x158); + uint32_t x165; uint32_t x166; - fiat_p256_uint1 x167; - fiat_p256_addcarryx_u32(&x166, &x167, x165, x138, (x159 + x151)); + uint32_t 
x167; uint32_t x168; fiat_p256_uint1 x169; - fiat_p256_addcarryx_u32(&x168, &x169, x167, x140, 0x0); uint32_t x170; fiat_p256_uint1 x171; - fiat_p256_addcarryx_u32(&x170, &x171, x169, x142, 0x0); uint32_t x172; fiat_p256_uint1 x173; - fiat_p256_addcarryx_u32(&x172, &x173, x171, x144, x132); uint32_t x174; fiat_p256_uint1 x175; - fiat_p256_addcarryx_u32(&x174, &x175, x173, x146, x148); uint32_t x176; fiat_p256_uint1 x177; - fiat_p256_addcarryx_u32(&x176, &x177, x175, ((uint32_t)x147 + x131), x149); uint32_t x178; fiat_p256_uint1 x179; - fiat_p256_addcarryx_u32(&x178, &x179, 0x0, x162, (arg1[5])); uint32_t x180; fiat_p256_uint1 x181; - fiat_p256_addcarryx_u32(&x180, &x181, x179, x164, 0x0); uint32_t x182; - fiat_p256_uint1 x183; - fiat_p256_addcarryx_u32(&x182, &x183, x181, x166, 0x0); - uint32_t x184; - fiat_p256_uint1 x185; - fiat_p256_addcarryx_u32(&x184, &x185, x183, x168, 0x0); - uint32_t x186; - fiat_p256_uint1 x187; - fiat_p256_addcarryx_u32(&x186, &x187, x185, x170, 0x0); - uint32_t x188; - fiat_p256_uint1 x189; - fiat_p256_addcarryx_u32(&x188, &x189, x187, x172, 0x0); - uint32_t x190; - fiat_p256_uint1 x191; - fiat_p256_addcarryx_u32(&x190, &x191, x189, x174, 0x0); - uint32_t x192; - fiat_p256_uint1 x193; - fiat_p256_addcarryx_u32(&x192, &x193, x191, x176, 0x0); - uint32_t x194; + uint32_t x183; + fiat_p256_uint1 x184; + uint32_t x185; + fiat_p256_uint1 x186; + uint32_t x187; + fiat_p256_uint1 x188; + uint32_t x189; + fiat_p256_uint1 x190; + uint32_t x191; + fiat_p256_uint1 x192; + uint32_t x193; + fiat_p256_uint1 x194; uint32_t x195; - fiat_p256_mulx_u32(&x194, &x195, x178, UINT32_C(0xffffffff)); - uint32_t x196; + fiat_p256_uint1 x196; uint32_t x197; - fiat_p256_mulx_u32(&x196, &x197, x178, UINT32_C(0xffffffff)); - uint32_t x198; + fiat_p256_uint1 x198; uint32_t x199; - fiat_p256_mulx_u32(&x198, &x199, x178, UINT32_C(0xffffffff)); - uint32_t x200; + fiat_p256_uint1 x200; uint32_t x201; - fiat_p256_mulx_u32(&x200, &x201, x178, UINT32_C(0xffffffff)); 
uint32_t x202; - fiat_p256_uint1 x203; - fiat_p256_addcarryx_u32(&x202, &x203, 0x0, x201, x198); + uint32_t x203; uint32_t x204; - fiat_p256_uint1 x205; - fiat_p256_addcarryx_u32(&x204, &x205, x203, x199, x196); + uint32_t x205; uint32_t x206; - fiat_p256_uint1 x207; - fiat_p256_addcarryx_u32(&x206, &x207, 0x0, x178, x200); + uint32_t x207; uint32_t x208; - fiat_p256_uint1 x209; - fiat_p256_addcarryx_u32(&x208, &x209, x207, x180, x202); - uint32_t x210; - fiat_p256_uint1 x211; - fiat_p256_addcarryx_u32(&x210, &x211, x209, x182, x204); - uint32_t x212; - fiat_p256_uint1 x213; - fiat_p256_addcarryx_u32(&x212, &x213, x211, x184, (x205 + x197)); + uint32_t x209; + fiat_p256_uint1 x210; + uint32_t x211; + fiat_p256_uint1 x212; + uint32_t x213; uint32_t x214; fiat_p256_uint1 x215; - fiat_p256_addcarryx_u32(&x214, &x215, x213, x186, 0x0); uint32_t x216; fiat_p256_uint1 x217; - fiat_p256_addcarryx_u32(&x216, &x217, x215, x188, 0x0); uint32_t x218; fiat_p256_uint1 x219; - fiat_p256_addcarryx_u32(&x218, &x219, x217, x190, x178); uint32_t x220; fiat_p256_uint1 x221; - fiat_p256_addcarryx_u32(&x220, &x221, x219, x192, x194); uint32_t x222; fiat_p256_uint1 x223; - fiat_p256_addcarryx_u32(&x222, &x223, x221, ((uint32_t)x193 + x177), x195); uint32_t x224; fiat_p256_uint1 x225; - fiat_p256_addcarryx_u32(&x224, &x225, 0x0, x208, (arg1[6])); uint32_t x226; fiat_p256_uint1 x227; - fiat_p256_addcarryx_u32(&x226, &x227, x225, x210, 0x0); uint32_t x228; fiat_p256_uint1 x229; - fiat_p256_addcarryx_u32(&x228, &x229, x227, x212, 0x0); uint32_t x230; fiat_p256_uint1 x231; - fiat_p256_addcarryx_u32(&x230, &x231, x229, x214, 0x0); uint32_t x232; - fiat_p256_uint1 x233; - fiat_p256_addcarryx_u32(&x232, &x233, x231, x216, 0x0); + uint32_t x233; uint32_t x234; - fiat_p256_uint1 x235; - fiat_p256_addcarryx_u32(&x234, &x235, x233, x218, 0x0); + uint32_t x235; uint32_t x236; - fiat_p256_uint1 x237; - fiat_p256_addcarryx_u32(&x236, &x237, x235, x220, 0x0); + uint32_t x237; uint32_t x238; - 
fiat_p256_uint1 x239; - fiat_p256_addcarryx_u32(&x238, &x239, x237, x222, 0x0); + uint32_t x239; uint32_t x240; uint32_t x241; - fiat_p256_mulx_u32(&x240, &x241, x224, UINT32_C(0xffffffff)); uint32_t x242; uint32_t x243; - fiat_p256_mulx_u32(&x242, &x243, x224, UINT32_C(0xffffffff)); uint32_t x244; uint32_t x245; - fiat_p256_mulx_u32(&x244, &x245, x224, UINT32_C(0xffffffff)); uint32_t x246; uint32_t x247; - fiat_p256_mulx_u32(&x246, &x247, x224, UINT32_C(0xffffffff)); uint32_t x248; - fiat_p256_uint1 x249; - fiat_p256_addcarryx_u32(&x248, &x249, 0x0, x247, x244); - uint32_t x250; - fiat_p256_uint1 x251; - fiat_p256_addcarryx_u32(&x250, &x251, x249, x245, x242); - uint32_t x252; - fiat_p256_uint1 x253; - fiat_p256_addcarryx_u32(&x252, &x253, 0x0, x224, x246); - uint32_t x254; - fiat_p256_uint1 x255; - fiat_p256_addcarryx_u32(&x254, &x255, x253, x226, x248); - uint32_t x256; - fiat_p256_uint1 x257; - fiat_p256_addcarryx_u32(&x256, &x257, x255, x228, x250); - uint32_t x258; - fiat_p256_uint1 x259; - fiat_p256_addcarryx_u32(&x258, &x259, x257, x230, (x251 + x243)); - uint32_t x260; - fiat_p256_uint1 x261; - fiat_p256_addcarryx_u32(&x260, &x261, x259, x232, 0x0); - uint32_t x262; - fiat_p256_uint1 x263; - fiat_p256_addcarryx_u32(&x262, &x263, x261, x234, 0x0); + uint32_t x249; + fiat_p256_uint1 x250; + uint32_t x251; + fiat_p256_uint1 x252; + uint32_t x253; + fiat_p256_uint1 x254; + uint32_t x255; + fiat_p256_uint1 x256; + uint32_t x257; + fiat_p256_uint1 x258; + uint32_t x259; + fiat_p256_uint1 x260; + uint32_t x261; + fiat_p256_uint1 x262; + uint32_t x263; uint32_t x264; fiat_p256_uint1 x265; - fiat_p256_addcarryx_u32(&x264, &x265, x263, x236, x224); uint32_t x266; fiat_p256_uint1 x267; - fiat_p256_addcarryx_u32(&x266, &x267, x265, x238, x240); uint32_t x268; fiat_p256_uint1 x269; - fiat_p256_addcarryx_u32(&x268, &x269, x267, ((uint32_t)x239 + x223), x241); uint32_t x270; fiat_p256_uint1 x271; - fiat_p256_addcarryx_u32(&x270, &x271, 0x0, x254, (arg1[7])); uint32_t 
x272; fiat_p256_uint1 x273; - fiat_p256_addcarryx_u32(&x272, &x273, x271, x256, 0x0); uint32_t x274; fiat_p256_uint1 x275; - fiat_p256_addcarryx_u32(&x274, &x275, x273, x258, 0x0); uint32_t x276; fiat_p256_uint1 x277; - fiat_p256_addcarryx_u32(&x276, &x277, x275, x260, 0x0); uint32_t x278; fiat_p256_uint1 x279; - fiat_p256_addcarryx_u32(&x278, &x279, x277, x262, 0x0); uint32_t x280; fiat_p256_uint1 x281; - fiat_p256_addcarryx_u32(&x280, &x281, x279, x264, 0x0); uint32_t x282; - fiat_p256_uint1 x283; - fiat_p256_addcarryx_u32(&x282, &x283, x281, x266, 0x0); + uint32_t x283; uint32_t x284; - fiat_p256_uint1 x285; - fiat_p256_addcarryx_u32(&x284, &x285, x283, x268, 0x0); + uint32_t x285; uint32_t x286; uint32_t x287; - fiat_p256_mulx_u32(&x286, &x287, x270, UINT32_C(0xffffffff)); uint32_t x288; uint32_t x289; - fiat_p256_mulx_u32(&x288, &x289, x270, UINT32_C(0xffffffff)); uint32_t x290; - uint32_t x291; - fiat_p256_mulx_u32(&x290, &x291, x270, UINT32_C(0xffffffff)); + fiat_p256_uint1 x291; uint32_t x292; - uint32_t x293; - fiat_p256_mulx_u32(&x292, &x293, x270, UINT32_C(0xffffffff)); + fiat_p256_uint1 x293; uint32_t x294; - fiat_p256_uint1 x295; - fiat_p256_addcarryx_u32(&x294, &x295, 0x0, x293, x290); - uint32_t x296; - fiat_p256_uint1 x297; - fiat_p256_addcarryx_u32(&x296, &x297, x295, x291, x288); - uint32_t x298; - fiat_p256_uint1 x299; - fiat_p256_addcarryx_u32(&x298, &x299, 0x0, x270, x292); - uint32_t x300; - fiat_p256_uint1 x301; - fiat_p256_addcarryx_u32(&x300, &x301, x299, x272, x294); - uint32_t x302; - fiat_p256_uint1 x303; - fiat_p256_addcarryx_u32(&x302, &x303, x301, x274, x296); - uint32_t x304; - fiat_p256_uint1 x305; - fiat_p256_addcarryx_u32(&x304, &x305, x303, x276, (x297 + x289)); - uint32_t x306; - fiat_p256_uint1 x307; - fiat_p256_addcarryx_u32(&x306, &x307, x305, x278, 0x0); - uint32_t x308; - fiat_p256_uint1 x309; - fiat_p256_addcarryx_u32(&x308, &x309, x307, x280, 0x0); - uint32_t x310; - fiat_p256_uint1 x311; - fiat_p256_addcarryx_u32(&x310, 
&x311, x309, x282, x270); - uint32_t x312; - fiat_p256_uint1 x313; - fiat_p256_addcarryx_u32(&x312, &x313, x311, x284, x286); + uint32_t x295; + fiat_p256_uint1 x296; + uint32_t x297; + fiat_p256_uint1 x298; + uint32_t x299; + fiat_p256_uint1 x300; + uint32_t x301; + fiat_p256_uint1 x302; + uint32_t x303; + fiat_p256_uint1 x304; + uint32_t x305; + fiat_p256_uint1 x306; + uint32_t x307; + fiat_p256_uint1 x308; + uint32_t x309; + fiat_p256_uint1 x310; + uint32_t x311; + fiat_p256_uint1 x312; + uint32_t x313; uint32_t x314; - fiat_p256_uint1 x315; - fiat_p256_addcarryx_u32(&x314, &x315, x313, ((uint32_t)x285 + x269), x287); + uint32_t x315; uint32_t x316; - fiat_p256_uint1 x317; - fiat_p256_subborrowx_u32(&x316, &x317, 0x0, x300, UINT32_C(0xffffffff)); + uint32_t x317; uint32_t x318; - fiat_p256_uint1 x319; - fiat_p256_subborrowx_u32(&x318, &x319, x317, x302, UINT32_C(0xffffffff)); + uint32_t x319; uint32_t x320; - fiat_p256_uint1 x321; - fiat_p256_subborrowx_u32(&x320, &x321, x319, x304, UINT32_C(0xffffffff)); + uint32_t x321; uint32_t x322; - fiat_p256_uint1 x323; - fiat_p256_subborrowx_u32(&x322, &x323, x321, x306, 0x0); + uint32_t x323; uint32_t x324; - fiat_p256_uint1 x325; - fiat_p256_subborrowx_u32(&x324, &x325, x323, x308, 0x0); + uint32_t x325; uint32_t x326; - fiat_p256_uint1 x327; - fiat_p256_subborrowx_u32(&x326, &x327, x325, x310, 0x0); + uint32_t x327; uint32_t x328; - fiat_p256_uint1 x329; - fiat_p256_subborrowx_u32(&x328, &x329, x327, x312, 0x1); + uint32_t x329; uint32_t x330; fiat_p256_uint1 x331; - fiat_p256_subborrowx_u32(&x330, &x331, x329, x314, UINT32_C(0xffffffff)); uint32_t x332; fiat_p256_uint1 x333; - fiat_p256_subborrowx_u32(&x332, &x333, x331, x315, 0x0); uint32_t x334; - fiat_p256_cmovznz_u32(&x334, x333, x316, x300); - uint32_t x335; - fiat_p256_cmovznz_u32(&x335, x333, x318, x302); + fiat_p256_uint1 x335; uint32_t x336; - fiat_p256_cmovznz_u32(&x336, x333, x320, x304); - uint32_t x337; - fiat_p256_cmovznz_u32(&x337, x333, x322, x306); + 
fiat_p256_uint1 x337; uint32_t x338; - fiat_p256_cmovznz_u32(&x338, x333, x324, x308); - uint32_t x339; - fiat_p256_cmovznz_u32(&x339, x333, x326, x310); + fiat_p256_uint1 x339; uint32_t x340; - fiat_p256_cmovznz_u32(&x340, x333, x328, x312); - uint32_t x341; - fiat_p256_cmovznz_u32(&x341, x333, x330, x314); - out1[0] = x334; - out1[1] = x335; - out1[2] = x336; - out1[3] = x337; - out1[4] = x338; - out1[5] = x339; - out1[6] = x340; - out1[7] = x341; + fiat_p256_uint1 x341; + uint32_t x342; + fiat_p256_uint1 x343; + uint32_t x344; + uint32_t x345; + fiat_p256_uint1 x346; + uint32_t x347; + fiat_p256_uint1 x348; + uint32_t x349; + fiat_p256_uint1 x350; + uint32_t x351; + fiat_p256_uint1 x352; + uint32_t x353; + fiat_p256_uint1 x354; + uint32_t x355; + fiat_p256_uint1 x356; + uint32_t x357; + fiat_p256_uint1 x358; + uint32_t x359; + fiat_p256_uint1 x360; + uint32_t x361; + fiat_p256_uint1 x362; + uint32_t x363; + uint32_t x364; + uint32_t x365; + uint32_t x366; + uint32_t x367; + uint32_t x368; + uint32_t x369; + uint32_t x370; + uint32_t x371; + fiat_p256_uint1 x372; + uint32_t x373; + fiat_p256_uint1 x374; + uint32_t x375; + uint32_t x376; + fiat_p256_uint1 x377; + uint32_t x378; + fiat_p256_uint1 x379; + uint32_t x380; + fiat_p256_uint1 x381; + uint32_t x382; + fiat_p256_uint1 x383; + uint32_t x384; + fiat_p256_uint1 x385; + uint32_t x386; + fiat_p256_uint1 x387; + uint32_t x388; + fiat_p256_uint1 x389; + uint32_t x390; + fiat_p256_uint1 x391; + uint32_t x392; + fiat_p256_uint1 x393; + uint32_t x394; + uint32_t x395; + uint32_t x396; + uint32_t x397; + uint32_t x398; + uint32_t x399; + uint32_t x400; + uint32_t x401; + uint32_t x402; + uint32_t x403; + uint32_t x404; + uint32_t x405; + uint32_t x406; + uint32_t x407; + uint32_t x408; + uint32_t x409; + uint32_t x410; + uint32_t x411; + fiat_p256_uint1 x412; + uint32_t x413; + fiat_p256_uint1 x414; + uint32_t x415; + fiat_p256_uint1 x416; + uint32_t x417; + fiat_p256_uint1 x418; + uint32_t x419; + fiat_p256_uint1 
x420; + uint32_t x421; + fiat_p256_uint1 x422; + uint32_t x423; + fiat_p256_uint1 x424; + uint32_t x425; + uint32_t x426; + fiat_p256_uint1 x427; + uint32_t x428; + fiat_p256_uint1 x429; + uint32_t x430; + fiat_p256_uint1 x431; + uint32_t x432; + fiat_p256_uint1 x433; + uint32_t x434; + fiat_p256_uint1 x435; + uint32_t x436; + fiat_p256_uint1 x437; + uint32_t x438; + fiat_p256_uint1 x439; + uint32_t x440; + fiat_p256_uint1 x441; + uint32_t x442; + fiat_p256_uint1 x443; + uint32_t x444; + uint32_t x445; + uint32_t x446; + uint32_t x447; + uint32_t x448; + uint32_t x449; + uint32_t x450; + uint32_t x451; + uint32_t x452; + fiat_p256_uint1 x453; + uint32_t x454; + fiat_p256_uint1 x455; + uint32_t x456; + uint32_t x457; + fiat_p256_uint1 x458; + uint32_t x459; + fiat_p256_uint1 x460; + uint32_t x461; + fiat_p256_uint1 x462; + uint32_t x463; + fiat_p256_uint1 x464; + uint32_t x465; + fiat_p256_uint1 x466; + uint32_t x467; + fiat_p256_uint1 x468; + uint32_t x469; + fiat_p256_uint1 x470; + uint32_t x471; + fiat_p256_uint1 x472; + uint32_t x473; + fiat_p256_uint1 x474; + uint32_t x475; + uint32_t x476; + uint32_t x477; + uint32_t x478; + uint32_t x479; + uint32_t x480; + uint32_t x481; + uint32_t x482; + uint32_t x483; + uint32_t x484; + uint32_t x485; + uint32_t x486; + uint32_t x487; + uint32_t x488; + uint32_t x489; + uint32_t x490; + uint32_t x491; + uint32_t x492; + fiat_p256_uint1 x493; + uint32_t x494; + fiat_p256_uint1 x495; + uint32_t x496; + fiat_p256_uint1 x497; + uint32_t x498; + fiat_p256_uint1 x499; + uint32_t x500; + fiat_p256_uint1 x501; + uint32_t x502; + fiat_p256_uint1 x503; + uint32_t x504; + fiat_p256_uint1 x505; + uint32_t x506; + uint32_t x507; + fiat_p256_uint1 x508; + uint32_t x509; + fiat_p256_uint1 x510; + uint32_t x511; + fiat_p256_uint1 x512; + uint32_t x513; + fiat_p256_uint1 x514; + uint32_t x515; + fiat_p256_uint1 x516; + uint32_t x517; + fiat_p256_uint1 x518; + uint32_t x519; + fiat_p256_uint1 x520; + uint32_t x521; + fiat_p256_uint1 x522; 
+ uint32_t x523; + fiat_p256_uint1 x524; + uint32_t x525; + uint32_t x526; + uint32_t x527; + uint32_t x528; + uint32_t x529; + uint32_t x530; + uint32_t x531; + uint32_t x532; + uint32_t x533; + fiat_p256_uint1 x534; + uint32_t x535; + fiat_p256_uint1 x536; + uint32_t x537; + uint32_t x538; + fiat_p256_uint1 x539; + uint32_t x540; + fiat_p256_uint1 x541; + uint32_t x542; + fiat_p256_uint1 x543; + uint32_t x544; + fiat_p256_uint1 x545; + uint32_t x546; + fiat_p256_uint1 x547; + uint32_t x548; + fiat_p256_uint1 x549; + uint32_t x550; + fiat_p256_uint1 x551; + uint32_t x552; + fiat_p256_uint1 x553; + uint32_t x554; + fiat_p256_uint1 x555; + uint32_t x556; + uint32_t x557; + uint32_t x558; + uint32_t x559; + uint32_t x560; + uint32_t x561; + uint32_t x562; + uint32_t x563; + uint32_t x564; + uint32_t x565; + uint32_t x566; + uint32_t x567; + uint32_t x568; + uint32_t x569; + uint32_t x570; + uint32_t x571; + uint32_t x572; + uint32_t x573; + fiat_p256_uint1 x574; + uint32_t x575; + fiat_p256_uint1 x576; + uint32_t x577; + fiat_p256_uint1 x578; + uint32_t x579; + fiat_p256_uint1 x580; + uint32_t x581; + fiat_p256_uint1 x582; + uint32_t x583; + fiat_p256_uint1 x584; + uint32_t x585; + fiat_p256_uint1 x586; + uint32_t x587; + uint32_t x588; + fiat_p256_uint1 x589; + uint32_t x590; + fiat_p256_uint1 x591; + uint32_t x592; + fiat_p256_uint1 x593; + uint32_t x594; + fiat_p256_uint1 x595; + uint32_t x596; + fiat_p256_uint1 x597; + uint32_t x598; + fiat_p256_uint1 x599; + uint32_t x600; + fiat_p256_uint1 x601; + uint32_t x602; + fiat_p256_uint1 x603; + uint32_t x604; + fiat_p256_uint1 x605; + uint32_t x606; + uint32_t x607; + uint32_t x608; + uint32_t x609; + uint32_t x610; + uint32_t x611; + uint32_t x612; + uint32_t x613; + uint32_t x614; + fiat_p256_uint1 x615; + uint32_t x616; + fiat_p256_uint1 x617; + uint32_t x618; + uint32_t x619; + fiat_p256_uint1 x620; + uint32_t x621; + fiat_p256_uint1 x622; + uint32_t x623; + fiat_p256_uint1 x624; + uint32_t x625; + fiat_p256_uint1 
x626; + uint32_t x627; + fiat_p256_uint1 x628; + uint32_t x629; + fiat_p256_uint1 x630; + uint32_t x631; + fiat_p256_uint1 x632; + uint32_t x633; + fiat_p256_uint1 x634; + uint32_t x635; + fiat_p256_uint1 x636; + uint32_t x637; + uint32_t x638; + fiat_p256_uint1 x639; + uint32_t x640; + fiat_p256_uint1 x641; + uint32_t x642; + fiat_p256_uint1 x643; + uint32_t x644; + fiat_p256_uint1 x645; + uint32_t x646; + fiat_p256_uint1 x647; + uint32_t x648; + fiat_p256_uint1 x649; + uint32_t x650; + fiat_p256_uint1 x651; + uint32_t x652; + fiat_p256_uint1 x653; + uint32_t x654; + fiat_p256_uint1 x655; + uint32_t x656; + uint32_t x657; + uint32_t x658; + uint32_t x659; + uint32_t x660; + uint32_t x661; + uint32_t x662; + uint32_t x663; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[4]); + x5 = (arg1[5]); + x6 = (arg1[6]); + x7 = (arg1[7]); + x8 = (arg1[0]); + fiat_p256_mulx_u32(&x9, &x10, x8, (arg1[7])); + fiat_p256_mulx_u32(&x11, &x12, x8, (arg1[6])); + fiat_p256_mulx_u32(&x13, &x14, x8, (arg1[5])); + fiat_p256_mulx_u32(&x15, &x16, x8, (arg1[4])); + fiat_p256_mulx_u32(&x17, &x18, x8, (arg1[3])); + fiat_p256_mulx_u32(&x19, &x20, x8, (arg1[2])); + fiat_p256_mulx_u32(&x21, &x22, x8, (arg1[1])); + fiat_p256_mulx_u32(&x23, &x24, x8, (arg1[0])); + fiat_p256_addcarryx_u32(&x25, &x26, 0x0, x24, x21); + fiat_p256_addcarryx_u32(&x27, &x28, x26, x22, x19); + fiat_p256_addcarryx_u32(&x29, &x30, x28, x20, x17); + fiat_p256_addcarryx_u32(&x31, &x32, x30, x18, x15); + fiat_p256_addcarryx_u32(&x33, &x34, x32, x16, x13); + fiat_p256_addcarryx_u32(&x35, &x36, x34, x14, x11); + fiat_p256_addcarryx_u32(&x37, &x38, x36, x12, x9); + x39 = (x38 + x10); + fiat_p256_mulx_u32(&x40, &x41, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x42, &x43, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x44, &x45, x23, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x46, &x47, x23, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x47, x44); + fiat_p256_addcarryx_u32(&x50, 
&x51, x49, x45, x42); + x52 = (x51 + x43); + fiat_p256_addcarryx_u32(&x53, &x54, 0x0, x23, x46); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x25, x48); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x27, x50); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x29, x52); + fiat_p256_addcarryx_u32(&x61, &x62, x60, x31, 0x0); + fiat_p256_addcarryx_u32(&x63, &x64, x62, x33, 0x0); + fiat_p256_addcarryx_u32(&x65, &x66, x64, x35, x23); + fiat_p256_addcarryx_u32(&x67, &x68, x66, x37, x40); + fiat_p256_addcarryx_u32(&x69, &x70, x68, x39, x41); + fiat_p256_mulx_u32(&x71, &x72, x1, (arg1[7])); + fiat_p256_mulx_u32(&x73, &x74, x1, (arg1[6])); + fiat_p256_mulx_u32(&x75, &x76, x1, (arg1[5])); + fiat_p256_mulx_u32(&x77, &x78, x1, (arg1[4])); + fiat_p256_mulx_u32(&x79, &x80, x1, (arg1[3])); + fiat_p256_mulx_u32(&x81, &x82, x1, (arg1[2])); + fiat_p256_mulx_u32(&x83, &x84, x1, (arg1[1])); + fiat_p256_mulx_u32(&x85, &x86, x1, (arg1[0])); + fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x86, x83); + fiat_p256_addcarryx_u32(&x89, &x90, x88, x84, x81); + fiat_p256_addcarryx_u32(&x91, &x92, x90, x82, x79); + fiat_p256_addcarryx_u32(&x93, &x94, x92, x80, x77); + fiat_p256_addcarryx_u32(&x95, &x96, x94, x78, x75); + fiat_p256_addcarryx_u32(&x97, &x98, x96, x76, x73); + fiat_p256_addcarryx_u32(&x99, &x100, x98, x74, x71); + x101 = (x100 + x72); + fiat_p256_addcarryx_u32(&x102, &x103, 0x0, x55, x85); + fiat_p256_addcarryx_u32(&x104, &x105, x103, x57, x87); + fiat_p256_addcarryx_u32(&x106, &x107, x105, x59, x89); + fiat_p256_addcarryx_u32(&x108, &x109, x107, x61, x91); + fiat_p256_addcarryx_u32(&x110, &x111, x109, x63, x93); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x65, x95); + fiat_p256_addcarryx_u32(&x114, &x115, x113, x67, x97); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x69, x99); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x70, x101); + fiat_p256_mulx_u32(&x120, &x121, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x122, &x123, x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x124, &x125, 
x102, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x126, &x127, x102, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x128, &x129, 0x0, x127, x124); + fiat_p256_addcarryx_u32(&x130, &x131, x129, x125, x122); + x132 = (x131 + x123); + fiat_p256_addcarryx_u32(&x133, &x134, 0x0, x102, x126); + fiat_p256_addcarryx_u32(&x135, &x136, x134, x104, x128); + fiat_p256_addcarryx_u32(&x137, &x138, x136, x106, x130); + fiat_p256_addcarryx_u32(&x139, &x140, x138, x108, x132); + fiat_p256_addcarryx_u32(&x141, &x142, x140, x110, 0x0); + fiat_p256_addcarryx_u32(&x143, &x144, x142, x112, 0x0); + fiat_p256_addcarryx_u32(&x145, &x146, x144, x114, x102); + fiat_p256_addcarryx_u32(&x147, &x148, x146, x116, x120); + fiat_p256_addcarryx_u32(&x149, &x150, x148, x118, x121); + x151 = ((uint32_t)x150 + x119); + fiat_p256_mulx_u32(&x152, &x153, x2, (arg1[7])); + fiat_p256_mulx_u32(&x154, &x155, x2, (arg1[6])); + fiat_p256_mulx_u32(&x156, &x157, x2, (arg1[5])); + fiat_p256_mulx_u32(&x158, &x159, x2, (arg1[4])); + fiat_p256_mulx_u32(&x160, &x161, x2, (arg1[3])); + fiat_p256_mulx_u32(&x162, &x163, x2, (arg1[2])); + fiat_p256_mulx_u32(&x164, &x165, x2, (arg1[1])); + fiat_p256_mulx_u32(&x166, &x167, x2, (arg1[0])); + fiat_p256_addcarryx_u32(&x168, &x169, 0x0, x167, x164); + fiat_p256_addcarryx_u32(&x170, &x171, x169, x165, x162); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x163, x160); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x161, x158); + fiat_p256_addcarryx_u32(&x176, &x177, x175, x159, x156); + fiat_p256_addcarryx_u32(&x178, &x179, x177, x157, x154); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x155, x152); + x182 = (x181 + x153); + fiat_p256_addcarryx_u32(&x183, &x184, 0x0, x135, x166); + fiat_p256_addcarryx_u32(&x185, &x186, x184, x137, x168); + fiat_p256_addcarryx_u32(&x187, &x188, x186, x139, x170); + fiat_p256_addcarryx_u32(&x189, &x190, x188, x141, x172); + fiat_p256_addcarryx_u32(&x191, &x192, x190, x143, x174); + fiat_p256_addcarryx_u32(&x193, &x194, x192, x145, x176); + 
fiat_p256_addcarryx_u32(&x195, &x196, x194, x147, x178); + fiat_p256_addcarryx_u32(&x197, &x198, x196, x149, x180); + fiat_p256_addcarryx_u32(&x199, &x200, x198, x151, x182); + fiat_p256_mulx_u32(&x201, &x202, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x203, &x204, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x205, &x206, x183, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x207, &x208, x183, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x209, &x210, 0x0, x208, x205); + fiat_p256_addcarryx_u32(&x211, &x212, x210, x206, x203); + x213 = (x212 + x204); + fiat_p256_addcarryx_u32(&x214, &x215, 0x0, x183, x207); + fiat_p256_addcarryx_u32(&x216, &x217, x215, x185, x209); + fiat_p256_addcarryx_u32(&x218, &x219, x217, x187, x211); + fiat_p256_addcarryx_u32(&x220, &x221, x219, x189, x213); + fiat_p256_addcarryx_u32(&x222, &x223, x221, x191, 0x0); + fiat_p256_addcarryx_u32(&x224, &x225, x223, x193, 0x0); + fiat_p256_addcarryx_u32(&x226, &x227, x225, x195, x183); + fiat_p256_addcarryx_u32(&x228, &x229, x227, x197, x201); + fiat_p256_addcarryx_u32(&x230, &x231, x229, x199, x202); + x232 = ((uint32_t)x231 + x200); + fiat_p256_mulx_u32(&x233, &x234, x3, (arg1[7])); + fiat_p256_mulx_u32(&x235, &x236, x3, (arg1[6])); + fiat_p256_mulx_u32(&x237, &x238, x3, (arg1[5])); + fiat_p256_mulx_u32(&x239, &x240, x3, (arg1[4])); + fiat_p256_mulx_u32(&x241, &x242, x3, (arg1[3])); + fiat_p256_mulx_u32(&x243, &x244, x3, (arg1[2])); + fiat_p256_mulx_u32(&x245, &x246, x3, (arg1[1])); + fiat_p256_mulx_u32(&x247, &x248, x3, (arg1[0])); + fiat_p256_addcarryx_u32(&x249, &x250, 0x0, x248, x245); + fiat_p256_addcarryx_u32(&x251, &x252, x250, x246, x243); + fiat_p256_addcarryx_u32(&x253, &x254, x252, x244, x241); + fiat_p256_addcarryx_u32(&x255, &x256, x254, x242, x239); + fiat_p256_addcarryx_u32(&x257, &x258, x256, x240, x237); + fiat_p256_addcarryx_u32(&x259, &x260, x258, x238, x235); + fiat_p256_addcarryx_u32(&x261, &x262, x260, x236, x233); + x263 = (x262 + x234); + 
fiat_p256_addcarryx_u32(&x264, &x265, 0x0, x216, x247); + fiat_p256_addcarryx_u32(&x266, &x267, x265, x218, x249); + fiat_p256_addcarryx_u32(&x268, &x269, x267, x220, x251); + fiat_p256_addcarryx_u32(&x270, &x271, x269, x222, x253); + fiat_p256_addcarryx_u32(&x272, &x273, x271, x224, x255); + fiat_p256_addcarryx_u32(&x274, &x275, x273, x226, x257); + fiat_p256_addcarryx_u32(&x276, &x277, x275, x228, x259); + fiat_p256_addcarryx_u32(&x278, &x279, x277, x230, x261); + fiat_p256_addcarryx_u32(&x280, &x281, x279, x232, x263); + fiat_p256_mulx_u32(&x282, &x283, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x284, &x285, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x286, &x287, x264, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x288, &x289, x264, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x290, &x291, 0x0, x289, x286); + fiat_p256_addcarryx_u32(&x292, &x293, x291, x287, x284); + x294 = (x293 + x285); + fiat_p256_addcarryx_u32(&x295, &x296, 0x0, x264, x288); + fiat_p256_addcarryx_u32(&x297, &x298, x296, x266, x290); + fiat_p256_addcarryx_u32(&x299, &x300, x298, x268, x292); + fiat_p256_addcarryx_u32(&x301, &x302, x300, x270, x294); + fiat_p256_addcarryx_u32(&x303, &x304, x302, x272, 0x0); + fiat_p256_addcarryx_u32(&x305, &x306, x304, x274, 0x0); + fiat_p256_addcarryx_u32(&x307, &x308, x306, x276, x264); + fiat_p256_addcarryx_u32(&x309, &x310, x308, x278, x282); + fiat_p256_addcarryx_u32(&x311, &x312, x310, x280, x283); + x313 = ((uint32_t)x312 + x281); + fiat_p256_mulx_u32(&x314, &x315, x4, (arg1[7])); + fiat_p256_mulx_u32(&x316, &x317, x4, (arg1[6])); + fiat_p256_mulx_u32(&x318, &x319, x4, (arg1[5])); + fiat_p256_mulx_u32(&x320, &x321, x4, (arg1[4])); + fiat_p256_mulx_u32(&x322, &x323, x4, (arg1[3])); + fiat_p256_mulx_u32(&x324, &x325, x4, (arg1[2])); + fiat_p256_mulx_u32(&x326, &x327, x4, (arg1[1])); + fiat_p256_mulx_u32(&x328, &x329, x4, (arg1[0])); + fiat_p256_addcarryx_u32(&x330, &x331, 0x0, x329, x326); + fiat_p256_addcarryx_u32(&x332, &x333, x331, 
x327, x324); + fiat_p256_addcarryx_u32(&x334, &x335, x333, x325, x322); + fiat_p256_addcarryx_u32(&x336, &x337, x335, x323, x320); + fiat_p256_addcarryx_u32(&x338, &x339, x337, x321, x318); + fiat_p256_addcarryx_u32(&x340, &x341, x339, x319, x316); + fiat_p256_addcarryx_u32(&x342, &x343, x341, x317, x314); + x344 = (x343 + x315); + fiat_p256_addcarryx_u32(&x345, &x346, 0x0, x297, x328); + fiat_p256_addcarryx_u32(&x347, &x348, x346, x299, x330); + fiat_p256_addcarryx_u32(&x349, &x350, x348, x301, x332); + fiat_p256_addcarryx_u32(&x351, &x352, x350, x303, x334); + fiat_p256_addcarryx_u32(&x353, &x354, x352, x305, x336); + fiat_p256_addcarryx_u32(&x355, &x356, x354, x307, x338); + fiat_p256_addcarryx_u32(&x357, &x358, x356, x309, x340); + fiat_p256_addcarryx_u32(&x359, &x360, x358, x311, x342); + fiat_p256_addcarryx_u32(&x361, &x362, x360, x313, x344); + fiat_p256_mulx_u32(&x363, &x364, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x365, &x366, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x367, &x368, x345, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x369, &x370, x345, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x371, &x372, 0x0, x370, x367); + fiat_p256_addcarryx_u32(&x373, &x374, x372, x368, x365); + x375 = (x374 + x366); + fiat_p256_addcarryx_u32(&x376, &x377, 0x0, x345, x369); + fiat_p256_addcarryx_u32(&x378, &x379, x377, x347, x371); + fiat_p256_addcarryx_u32(&x380, &x381, x379, x349, x373); + fiat_p256_addcarryx_u32(&x382, &x383, x381, x351, x375); + fiat_p256_addcarryx_u32(&x384, &x385, x383, x353, 0x0); + fiat_p256_addcarryx_u32(&x386, &x387, x385, x355, 0x0); + fiat_p256_addcarryx_u32(&x388, &x389, x387, x357, x345); + fiat_p256_addcarryx_u32(&x390, &x391, x389, x359, x363); + fiat_p256_addcarryx_u32(&x392, &x393, x391, x361, x364); + x394 = ((uint32_t)x393 + x362); + fiat_p256_mulx_u32(&x395, &x396, x5, (arg1[7])); + fiat_p256_mulx_u32(&x397, &x398, x5, (arg1[6])); + fiat_p256_mulx_u32(&x399, &x400, x5, (arg1[5])); + 
fiat_p256_mulx_u32(&x401, &x402, x5, (arg1[4])); + fiat_p256_mulx_u32(&x403, &x404, x5, (arg1[3])); + fiat_p256_mulx_u32(&x405, &x406, x5, (arg1[2])); + fiat_p256_mulx_u32(&x407, &x408, x5, (arg1[1])); + fiat_p256_mulx_u32(&x409, &x410, x5, (arg1[0])); + fiat_p256_addcarryx_u32(&x411, &x412, 0x0, x410, x407); + fiat_p256_addcarryx_u32(&x413, &x414, x412, x408, x405); + fiat_p256_addcarryx_u32(&x415, &x416, x414, x406, x403); + fiat_p256_addcarryx_u32(&x417, &x418, x416, x404, x401); + fiat_p256_addcarryx_u32(&x419, &x420, x418, x402, x399); + fiat_p256_addcarryx_u32(&x421, &x422, x420, x400, x397); + fiat_p256_addcarryx_u32(&x423, &x424, x422, x398, x395); + x425 = (x424 + x396); + fiat_p256_addcarryx_u32(&x426, &x427, 0x0, x378, x409); + fiat_p256_addcarryx_u32(&x428, &x429, x427, x380, x411); + fiat_p256_addcarryx_u32(&x430, &x431, x429, x382, x413); + fiat_p256_addcarryx_u32(&x432, &x433, x431, x384, x415); + fiat_p256_addcarryx_u32(&x434, &x435, x433, x386, x417); + fiat_p256_addcarryx_u32(&x436, &x437, x435, x388, x419); + fiat_p256_addcarryx_u32(&x438, &x439, x437, x390, x421); + fiat_p256_addcarryx_u32(&x440, &x441, x439, x392, x423); + fiat_p256_addcarryx_u32(&x442, &x443, x441, x394, x425); + fiat_p256_mulx_u32(&x444, &x445, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x446, &x447, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x448, &x449, x426, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x450, &x451, x426, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x452, &x453, 0x0, x451, x448); + fiat_p256_addcarryx_u32(&x454, &x455, x453, x449, x446); + x456 = (x455 + x447); + fiat_p256_addcarryx_u32(&x457, &x458, 0x0, x426, x450); + fiat_p256_addcarryx_u32(&x459, &x460, x458, x428, x452); + fiat_p256_addcarryx_u32(&x461, &x462, x460, x430, x454); + fiat_p256_addcarryx_u32(&x463, &x464, x462, x432, x456); + fiat_p256_addcarryx_u32(&x465, &x466, x464, x434, 0x0); + fiat_p256_addcarryx_u32(&x467, &x468, x466, x436, 0x0); + fiat_p256_addcarryx_u32(&x469, 
&x470, x468, x438, x426); + fiat_p256_addcarryx_u32(&x471, &x472, x470, x440, x444); + fiat_p256_addcarryx_u32(&x473, &x474, x472, x442, x445); + x475 = ((uint32_t)x474 + x443); + fiat_p256_mulx_u32(&x476, &x477, x6, (arg1[7])); + fiat_p256_mulx_u32(&x478, &x479, x6, (arg1[6])); + fiat_p256_mulx_u32(&x480, &x481, x6, (arg1[5])); + fiat_p256_mulx_u32(&x482, &x483, x6, (arg1[4])); + fiat_p256_mulx_u32(&x484, &x485, x6, (arg1[3])); + fiat_p256_mulx_u32(&x486, &x487, x6, (arg1[2])); + fiat_p256_mulx_u32(&x488, &x489, x6, (arg1[1])); + fiat_p256_mulx_u32(&x490, &x491, x6, (arg1[0])); + fiat_p256_addcarryx_u32(&x492, &x493, 0x0, x491, x488); + fiat_p256_addcarryx_u32(&x494, &x495, x493, x489, x486); + fiat_p256_addcarryx_u32(&x496, &x497, x495, x487, x484); + fiat_p256_addcarryx_u32(&x498, &x499, x497, x485, x482); + fiat_p256_addcarryx_u32(&x500, &x501, x499, x483, x480); + fiat_p256_addcarryx_u32(&x502, &x503, x501, x481, x478); + fiat_p256_addcarryx_u32(&x504, &x505, x503, x479, x476); + x506 = (x505 + x477); + fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x459, x490); + fiat_p256_addcarryx_u32(&x509, &x510, x508, x461, x492); + fiat_p256_addcarryx_u32(&x511, &x512, x510, x463, x494); + fiat_p256_addcarryx_u32(&x513, &x514, x512, x465, x496); + fiat_p256_addcarryx_u32(&x515, &x516, x514, x467, x498); + fiat_p256_addcarryx_u32(&x517, &x518, x516, x469, x500); + fiat_p256_addcarryx_u32(&x519, &x520, x518, x471, x502); + fiat_p256_addcarryx_u32(&x521, &x522, x520, x473, x504); + fiat_p256_addcarryx_u32(&x523, &x524, x522, x475, x506); + fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x531, &x532, x507, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x533, &x534, 0x0, x532, x529); + fiat_p256_addcarryx_u32(&x535, &x536, x534, x530, x527); + x537 = (x536 + x528); + fiat_p256_addcarryx_u32(&x538, &x539, 0x0, x507, 
x531); + fiat_p256_addcarryx_u32(&x540, &x541, x539, x509, x533); + fiat_p256_addcarryx_u32(&x542, &x543, x541, x511, x535); + fiat_p256_addcarryx_u32(&x544, &x545, x543, x513, x537); + fiat_p256_addcarryx_u32(&x546, &x547, x545, x515, 0x0); + fiat_p256_addcarryx_u32(&x548, &x549, x547, x517, 0x0); + fiat_p256_addcarryx_u32(&x550, &x551, x549, x519, x507); + fiat_p256_addcarryx_u32(&x552, &x553, x551, x521, x525); + fiat_p256_addcarryx_u32(&x554, &x555, x553, x523, x526); + x556 = ((uint32_t)x555 + x524); + fiat_p256_mulx_u32(&x557, &x558, x7, (arg1[7])); + fiat_p256_mulx_u32(&x559, &x560, x7, (arg1[6])); + fiat_p256_mulx_u32(&x561, &x562, x7, (arg1[5])); + fiat_p256_mulx_u32(&x563, &x564, x7, (arg1[4])); + fiat_p256_mulx_u32(&x565, &x566, x7, (arg1[3])); + fiat_p256_mulx_u32(&x567, &x568, x7, (arg1[2])); + fiat_p256_mulx_u32(&x569, &x570, x7, (arg1[1])); + fiat_p256_mulx_u32(&x571, &x572, x7, (arg1[0])); + fiat_p256_addcarryx_u32(&x573, &x574, 0x0, x572, x569); + fiat_p256_addcarryx_u32(&x575, &x576, x574, x570, x567); + fiat_p256_addcarryx_u32(&x577, &x578, x576, x568, x565); + fiat_p256_addcarryx_u32(&x579, &x580, x578, x566, x563); + fiat_p256_addcarryx_u32(&x581, &x582, x580, x564, x561); + fiat_p256_addcarryx_u32(&x583, &x584, x582, x562, x559); + fiat_p256_addcarryx_u32(&x585, &x586, x584, x560, x557); + x587 = (x586 + x558); + fiat_p256_addcarryx_u32(&x588, &x589, 0x0, x540, x571); + fiat_p256_addcarryx_u32(&x590, &x591, x589, x542, x573); + fiat_p256_addcarryx_u32(&x592, &x593, x591, x544, x575); + fiat_p256_addcarryx_u32(&x594, &x595, x593, x546, x577); + fiat_p256_addcarryx_u32(&x596, &x597, x595, x548, x579); + fiat_p256_addcarryx_u32(&x598, &x599, x597, x550, x581); + fiat_p256_addcarryx_u32(&x600, &x601, x599, x552, x583); + fiat_p256_addcarryx_u32(&x602, &x603, x601, x554, x585); + fiat_p256_addcarryx_u32(&x604, &x605, x603, x556, x587); + fiat_p256_mulx_u32(&x606, &x607, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x608, &x609, x588, 
UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x610, &x611, x588, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x612, &x613, x588, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x614, &x615, 0x0, x613, x610); + fiat_p256_addcarryx_u32(&x616, &x617, x615, x611, x608); + x618 = (x617 + x609); + fiat_p256_addcarryx_u32(&x619, &x620, 0x0, x588, x612); + fiat_p256_addcarryx_u32(&x621, &x622, x620, x590, x614); + fiat_p256_addcarryx_u32(&x623, &x624, x622, x592, x616); + fiat_p256_addcarryx_u32(&x625, &x626, x624, x594, x618); + fiat_p256_addcarryx_u32(&x627, &x628, x626, x596, 0x0); + fiat_p256_addcarryx_u32(&x629, &x630, x628, x598, 0x0); + fiat_p256_addcarryx_u32(&x631, &x632, x630, x600, x588); + fiat_p256_addcarryx_u32(&x633, &x634, x632, x602, x606); + fiat_p256_addcarryx_u32(&x635, &x636, x634, x604, x607); + x637 = ((uint32_t)x636 + x605); + fiat_p256_subborrowx_u32(&x638, &x639, 0x0, x621, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x640, &x641, x639, x623, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x642, &x643, x641, x625, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x644, &x645, x643, x627, 0x0); + fiat_p256_subborrowx_u32(&x646, &x647, x645, x629, 0x0); + fiat_p256_subborrowx_u32(&x648, &x649, x647, x631, 0x0); + fiat_p256_subborrowx_u32(&x650, &x651, x649, x633, 0x1); + fiat_p256_subborrowx_u32(&x652, &x653, x651, x635, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x654, &x655, x653, x637, 0x0); + fiat_p256_cmovznz_u32(&x656, x655, x638, x621); + fiat_p256_cmovznz_u32(&x657, x655, x640, x623); + fiat_p256_cmovznz_u32(&x658, x655, x642, x625); + fiat_p256_cmovznz_u32(&x659, x655, x644, x627); + fiat_p256_cmovznz_u32(&x660, x655, x646, x629); + fiat_p256_cmovznz_u32(&x661, x655, x648, x631); + fiat_p256_cmovznz_u32(&x662, x655, x650, x633); + fiat_p256_cmovznz_u32(&x663, x655, x652, x635); + out1[0] = x656; + out1[1] = x657; + out1[2] = x658; + out1[3] = x659; + out1[4] = x660; + out1[5] = x661; + out1[6] = x662; + out1[7] = x663; +} 
+ +/* + * The function fiat_p256_add adds two field elements in the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * 0 ≤ eval arg2 < m + * Postconditions: + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint32_t x1; + fiat_p256_uint1 x2; + uint32_t x3; + fiat_p256_uint1 x4; + uint32_t x5; + fiat_p256_uint1 x6; + uint32_t x7; + fiat_p256_uint1 x8; + uint32_t x9; + fiat_p256_uint1 x10; + uint32_t x11; + fiat_p256_uint1 x12; + uint32_t x13; + fiat_p256_uint1 x14; + uint32_t x15; + fiat_p256_uint1 x16; + uint32_t x17; + fiat_p256_uint1 x18; + uint32_t x19; + fiat_p256_uint1 x20; + uint32_t x21; + fiat_p256_uint1 x22; + uint32_t x23; + fiat_p256_uint1 x24; + uint32_t x25; + fiat_p256_uint1 x26; + uint32_t x27; + fiat_p256_uint1 x28; + uint32_t x29; + fiat_p256_uint1 x30; + uint32_t x31; + fiat_p256_uint1 x32; + uint32_t x33; + fiat_p256_uint1 x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint32_t x42; + fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_addcarryx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_addcarryx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_addcarryx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_addcarryx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); + fiat_p256_addcarryx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); + fiat_p256_addcarryx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); + fiat_p256_addcarryx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); + fiat_p256_subborrowx_u32(&x17, &x18, 0x0, x1, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x19, &x20, x18, x3, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x21, &x22, 
x20, x5, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x23, &x24, x22, x7, 0x0); + fiat_p256_subborrowx_u32(&x25, &x26, x24, x9, 0x0); + fiat_p256_subborrowx_u32(&x27, &x28, x26, x11, 0x0); + fiat_p256_subborrowx_u32(&x29, &x30, x28, x13, 0x1); + fiat_p256_subborrowx_u32(&x31, &x32, x30, x15, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x33, &x34, x32, x16, 0x0); + fiat_p256_cmovznz_u32(&x35, x34, x17, x1); + fiat_p256_cmovznz_u32(&x36, x34, x19, x3); + fiat_p256_cmovznz_u32(&x37, x34, x21, x5); + fiat_p256_cmovznz_u32(&x38, x34, x23, x7); + fiat_p256_cmovznz_u32(&x39, x34, x25, x9); + fiat_p256_cmovznz_u32(&x40, x34, x27, x11); + fiat_p256_cmovznz_u32(&x41, x34, x29, x13); + fiat_p256_cmovznz_u32(&x42, x34, x31, x15); + out1[0] = x35; + out1[1] = x36; + out1[2] = x37; + out1[3] = x38; + out1[4] = x39; + out1[5] = x40; + out1[6] = x41; + out1[7] = x42; +} + +/* + * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * 0 ≤ eval arg2 < m + * Postconditions: + * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint32_t x1; + fiat_p256_uint1 x2; + uint32_t x3; + fiat_p256_uint1 x4; + uint32_t x5; + fiat_p256_uint1 x6; + uint32_t x7; + fiat_p256_uint1 x8; + uint32_t x9; + fiat_p256_uint1 x10; + uint32_t x11; + fiat_p256_uint1 x12; + uint32_t x13; + fiat_p256_uint1 x14; + uint32_t x15; + fiat_p256_uint1 x16; + uint32_t x17; + uint32_t x18; + fiat_p256_uint1 x19; + uint32_t x20; + fiat_p256_uint1 x21; + uint32_t x22; + fiat_p256_uint1 x23; + uint32_t x24; + fiat_p256_uint1 x25; + uint32_t x26; + fiat_p256_uint1 x27; + uint32_t x28; + fiat_p256_uint1 x29; + uint32_t x30; + fiat_p256_uint1 x31; + 
uint32_t x32; + fiat_p256_uint1 x33; + fiat_p256_subborrowx_u32(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_subborrowx_u32(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_subborrowx_u32(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_subborrowx_u32(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_subborrowx_u32(&x9, &x10, x8, (arg1[4]), (arg2[4])); + fiat_p256_subborrowx_u32(&x11, &x12, x10, (arg1[5]), (arg2[5])); + fiat_p256_subborrowx_u32(&x13, &x14, x12, (arg1[6]), (arg2[6])); + fiat_p256_subborrowx_u32(&x15, &x16, x14, (arg1[7]), (arg2[7])); + fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, x17); + fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, x17); + fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, x17); + fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); + fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); + fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); + fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); + fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, x17); + out1[0] = x18; + out1[1] = x20; + out1[2] = x22; + out1[3] = x24; + out1[4] = x26; + out1[5] = x28; + out1[6] = x30; + out1[7] = x32; +} + +/* + * The function fiat_p256_opp negates a field element in the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint32_t x1; + fiat_p256_uint1 x2; + uint32_t x3; + fiat_p256_uint1 x4; + uint32_t x5; + fiat_p256_uint1 x6; + uint32_t x7; + fiat_p256_uint1 x8; + uint32_t x9; + fiat_p256_uint1 x10; + uint32_t x11; + fiat_p256_uint1 x12; + uint32_t x13; + fiat_p256_uint1 x14; + uint32_t x15; + fiat_p256_uint1 x16; + uint32_t x17; + uint32_t x18; + fiat_p256_uint1 x19; + uint32_t x20; + fiat_p256_uint1 x21; + uint32_t x22; + fiat_p256_uint1 x23; + uint32_t x24; + fiat_p256_uint1 x25; + uint32_t x26; + fiat_p256_uint1 x27; + uint32_t x28; + fiat_p256_uint1 x29; + uint32_t x30; + fiat_p256_uint1 x31; + uint32_t x32; + fiat_p256_uint1 x33; + fiat_p256_subborrowx_u32(&x1, &x2, 0x0, 0x0, (arg1[0])); + fiat_p256_subborrowx_u32(&x3, &x4, x2, 0x0, (arg1[1])); + fiat_p256_subborrowx_u32(&x5, &x6, x4, 0x0, (arg1[2])); + fiat_p256_subborrowx_u32(&x7, &x8, x6, 0x0, (arg1[3])); + fiat_p256_subborrowx_u32(&x9, &x10, x8, 0x0, (arg1[4])); + fiat_p256_subborrowx_u32(&x11, &x12, x10, 0x0, (arg1[5])); + fiat_p256_subborrowx_u32(&x13, &x14, x12, 0x0, (arg1[6])); + fiat_p256_subborrowx_u32(&x15, &x16, x14, 0x0, (arg1[7])); + fiat_p256_cmovznz_u32(&x17, x16, 0x0, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x18, &x19, 0x0, x1, x17); + fiat_p256_addcarryx_u32(&x20, &x21, x19, x3, x17); + fiat_p256_addcarryx_u32(&x22, &x23, x21, x5, x17); + fiat_p256_addcarryx_u32(&x24, &x25, x23, x7, 0x0); + fiat_p256_addcarryx_u32(&x26, &x27, x25, x9, 0x0); + fiat_p256_addcarryx_u32(&x28, &x29, x27, x11, 0x0); + fiat_p256_addcarryx_u32(&x30, &x31, x29, x13, (fiat_p256_uint1)(x17 & 0x1)); + fiat_p256_addcarryx_u32(&x32, &x33, x31, x15, x17); + out1[0] = x18; + out1[1] = x20; + out1[2] = x22; + 
out1[3] = x24; + out1[4] = x26; + out1[5] = x28; + out1[6] = x30; + out1[7] = x32; +} + +/* + * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval out1 mod m = (eval arg1 * ((2^32)⁻¹ mod m)^8) mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + fiat_p256_uint1 x11; + uint32_t x12; + fiat_p256_uint1 x13; + uint32_t x14; + fiat_p256_uint1 x15; + uint32_t x16; + fiat_p256_uint1 x17; + uint32_t x18; + fiat_p256_uint1 x19; + uint32_t x20; + fiat_p256_uint1 x21; + uint32_t x22; + fiat_p256_uint1 x23; + uint32_t x24; + fiat_p256_uint1 x25; + uint32_t x26; + fiat_p256_uint1 x27; + uint32_t x28; + uint32_t x29; + uint32_t x30; + uint32_t x31; + uint32_t x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + fiat_p256_uint1 x37; + uint32_t x38; + fiat_p256_uint1 x39; + uint32_t x40; + fiat_p256_uint1 x41; + uint32_t x42; + fiat_p256_uint1 x43; + uint32_t x44; + fiat_p256_uint1 x45; + uint32_t x46; + fiat_p256_uint1 x47; + uint32_t x48; + fiat_p256_uint1 x49; + uint32_t x50; + fiat_p256_uint1 x51; + uint32_t x52; + fiat_p256_uint1 x53; + uint32_t x54; + fiat_p256_uint1 x55; + uint32_t x56; + fiat_p256_uint1 x57; + uint32_t x58; + uint32_t x59; + uint32_t x60; + uint32_t x61; + uint32_t x62; + uint32_t x63; + uint32_t x64; + uint32_t x65; + uint32_t x66; + fiat_p256_uint1 x67; + uint32_t x68; + fiat_p256_uint1 x69; + uint32_t x70; + fiat_p256_uint1 x71; + uint32_t x72; + fiat_p256_uint1 x73; + uint32_t x74; + fiat_p256_uint1 x75; + uint32_t x76; + fiat_p256_uint1 x77; + uint32_t x78; + fiat_p256_uint1 x79; + uint32_t x80; + fiat_p256_uint1 
x81; + uint32_t x82; + fiat_p256_uint1 x83; + uint32_t x84; + fiat_p256_uint1 x85; + uint32_t x86; + fiat_p256_uint1 x87; + uint32_t x88; + fiat_p256_uint1 x89; + uint32_t x90; + fiat_p256_uint1 x91; + uint32_t x92; + fiat_p256_uint1 x93; + uint32_t x94; + fiat_p256_uint1 x95; + uint32_t x96; + fiat_p256_uint1 x97; + uint32_t x98; + fiat_p256_uint1 x99; + uint32_t x100; + fiat_p256_uint1 x101; + uint32_t x102; + uint32_t x103; + uint32_t x104; + uint32_t x105; + uint32_t x106; + uint32_t x107; + uint32_t x108; + uint32_t x109; + uint32_t x110; + fiat_p256_uint1 x111; + uint32_t x112; + fiat_p256_uint1 x113; + uint32_t x114; + fiat_p256_uint1 x115; + uint32_t x116; + fiat_p256_uint1 x117; + uint32_t x118; + fiat_p256_uint1 x119; + uint32_t x120; + fiat_p256_uint1 x121; + uint32_t x122; + fiat_p256_uint1 x123; + uint32_t x124; + fiat_p256_uint1 x125; + uint32_t x126; + fiat_p256_uint1 x127; + uint32_t x128; + fiat_p256_uint1 x129; + uint32_t x130; + fiat_p256_uint1 x131; + uint32_t x132; + fiat_p256_uint1 x133; + uint32_t x134; + fiat_p256_uint1 x135; + uint32_t x136; + fiat_p256_uint1 x137; + uint32_t x138; + fiat_p256_uint1 x139; + uint32_t x140; + fiat_p256_uint1 x141; + uint32_t x142; + fiat_p256_uint1 x143; + uint32_t x144; + fiat_p256_uint1 x145; + uint32_t x146; + fiat_p256_uint1 x147; + uint32_t x148; + uint32_t x149; + uint32_t x150; + uint32_t x151; + uint32_t x152; + uint32_t x153; + uint32_t x154; + uint32_t x155; + uint32_t x156; + fiat_p256_uint1 x157; + uint32_t x158; + fiat_p256_uint1 x159; + uint32_t x160; + fiat_p256_uint1 x161; + uint32_t x162; + fiat_p256_uint1 x163; + uint32_t x164; + fiat_p256_uint1 x165; + uint32_t x166; + fiat_p256_uint1 x167; + uint32_t x168; + fiat_p256_uint1 x169; + uint32_t x170; + fiat_p256_uint1 x171; + uint32_t x172; + fiat_p256_uint1 x173; + uint32_t x174; + fiat_p256_uint1 x175; + uint32_t x176; + fiat_p256_uint1 x177; + uint32_t x178; + fiat_p256_uint1 x179; + uint32_t x180; + fiat_p256_uint1 x181; + uint32_t x182; + 
fiat_p256_uint1 x183; + uint32_t x184; + fiat_p256_uint1 x185; + uint32_t x186; + fiat_p256_uint1 x187; + uint32_t x188; + fiat_p256_uint1 x189; + uint32_t x190; + fiat_p256_uint1 x191; + uint32_t x192; + fiat_p256_uint1 x193; + uint32_t x194; + uint32_t x195; + uint32_t x196; + uint32_t x197; + uint32_t x198; + uint32_t x199; + uint32_t x200; + uint32_t x201; + uint32_t x202; + fiat_p256_uint1 x203; + uint32_t x204; + fiat_p256_uint1 x205; + uint32_t x206; + fiat_p256_uint1 x207; + uint32_t x208; + fiat_p256_uint1 x209; + uint32_t x210; + fiat_p256_uint1 x211; + uint32_t x212; + fiat_p256_uint1 x213; + uint32_t x214; + fiat_p256_uint1 x215; + uint32_t x216; + fiat_p256_uint1 x217; + uint32_t x218; + fiat_p256_uint1 x219; + uint32_t x220; + fiat_p256_uint1 x221; + uint32_t x222; + fiat_p256_uint1 x223; + uint32_t x224; + fiat_p256_uint1 x225; + uint32_t x226; + fiat_p256_uint1 x227; + uint32_t x228; + fiat_p256_uint1 x229; + uint32_t x230; + fiat_p256_uint1 x231; + uint32_t x232; + fiat_p256_uint1 x233; + uint32_t x234; + fiat_p256_uint1 x235; + uint32_t x236; + fiat_p256_uint1 x237; + uint32_t x238; + fiat_p256_uint1 x239; + uint32_t x240; + uint32_t x241; + uint32_t x242; + uint32_t x243; + uint32_t x244; + uint32_t x245; + uint32_t x246; + uint32_t x247; + uint32_t x248; + fiat_p256_uint1 x249; + uint32_t x250; + fiat_p256_uint1 x251; + uint32_t x252; + fiat_p256_uint1 x253; + uint32_t x254; + fiat_p256_uint1 x255; + uint32_t x256; + fiat_p256_uint1 x257; + uint32_t x258; + fiat_p256_uint1 x259; + uint32_t x260; + fiat_p256_uint1 x261; + uint32_t x262; + fiat_p256_uint1 x263; + uint32_t x264; + fiat_p256_uint1 x265; + uint32_t x266; + fiat_p256_uint1 x267; + uint32_t x268; + fiat_p256_uint1 x269; + uint32_t x270; + fiat_p256_uint1 x271; + uint32_t x272; + fiat_p256_uint1 x273; + uint32_t x274; + fiat_p256_uint1 x275; + uint32_t x276; + fiat_p256_uint1 x277; + uint32_t x278; + fiat_p256_uint1 x279; + uint32_t x280; + fiat_p256_uint1 x281; + uint32_t x282; + 
fiat_p256_uint1 x283; + uint32_t x284; + fiat_p256_uint1 x285; + uint32_t x286; + uint32_t x287; + uint32_t x288; + uint32_t x289; + uint32_t x290; + uint32_t x291; + uint32_t x292; + uint32_t x293; + uint32_t x294; + fiat_p256_uint1 x295; + uint32_t x296; + fiat_p256_uint1 x297; + uint32_t x298; + fiat_p256_uint1 x299; + uint32_t x300; + fiat_p256_uint1 x301; + uint32_t x302; + fiat_p256_uint1 x303; + uint32_t x304; + fiat_p256_uint1 x305; + uint32_t x306; + fiat_p256_uint1 x307; + uint32_t x308; + fiat_p256_uint1 x309; + uint32_t x310; + fiat_p256_uint1 x311; + uint32_t x312; + fiat_p256_uint1 x313; + uint32_t x314; + fiat_p256_uint1 x315; + uint32_t x316; + fiat_p256_uint1 x317; + uint32_t x318; + fiat_p256_uint1 x319; + uint32_t x320; + fiat_p256_uint1 x321; + uint32_t x322; + fiat_p256_uint1 x323; + uint32_t x324; + fiat_p256_uint1 x325; + uint32_t x326; + fiat_p256_uint1 x327; + uint32_t x328; + fiat_p256_uint1 x329; + uint32_t x330; + fiat_p256_uint1 x331; + uint32_t x332; + fiat_p256_uint1 x333; + uint32_t x334; + uint32_t x335; + uint32_t x336; + uint32_t x337; + uint32_t x338; + uint32_t x339; + uint32_t x340; + uint32_t x341; + x1 = (arg1[0]); + fiat_p256_mulx_u32(&x2, &x3, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x4, &x5, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x6, &x7, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x8, &x9, x1, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x10, &x11, 0x0, x9, x6); + fiat_p256_addcarryx_u32(&x12, &x13, x11, x7, x4); + fiat_p256_addcarryx_u32(&x14, &x15, 0x0, x1, x8); + fiat_p256_addcarryx_u32(&x16, &x17, x15, 0x0, x10); + fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, x12); + fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (x13 + x5)); + fiat_p256_addcarryx_u32(&x22, &x23, 0x0, x16, (arg1[1])); + fiat_p256_addcarryx_u32(&x24, &x25, x23, x18, 0x0); + fiat_p256_addcarryx_u32(&x26, &x27, x25, x20, 0x0); + fiat_p256_mulx_u32(&x28, &x29, x22, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x30, &x31, x22, 
UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x32, &x33, x22, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x34, &x35, x22, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x36, &x37, 0x0, x35, x32); + fiat_p256_addcarryx_u32(&x38, &x39, x37, x33, x30); + fiat_p256_addcarryx_u32(&x40, &x41, 0x0, x22, x34); + fiat_p256_addcarryx_u32(&x42, &x43, x41, x24, x36); + fiat_p256_addcarryx_u32(&x44, &x45, x43, x26, x38); + fiat_p256_addcarryx_u32(&x46, &x47, x45, ((uint32_t)x27 + x21), (x39 + x31)); + fiat_p256_addcarryx_u32(&x48, &x49, 0x0, x2, x22); + fiat_p256_addcarryx_u32(&x50, &x51, x49, x3, x28); + fiat_p256_addcarryx_u32(&x52, &x53, 0x0, x42, (arg1[2])); + fiat_p256_addcarryx_u32(&x54, &x55, x53, x44, 0x0); + fiat_p256_addcarryx_u32(&x56, &x57, x55, x46, 0x0); + fiat_p256_mulx_u32(&x58, &x59, x52, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x60, &x61, x52, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x62, &x63, x52, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x64, &x65, x52, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x66, &x67, 0x0, x65, x62); + fiat_p256_addcarryx_u32(&x68, &x69, x67, x63, x60); + fiat_p256_addcarryx_u32(&x70, &x71, 0x0, x52, x64); + fiat_p256_addcarryx_u32(&x72, &x73, x71, x54, x66); + fiat_p256_addcarryx_u32(&x74, &x75, x73, x56, x68); + fiat_p256_addcarryx_u32(&x76, &x77, x75, ((uint32_t)x57 + x47), (x69 + x61)); + fiat_p256_addcarryx_u32(&x78, &x79, x77, x1, 0x0); + fiat_p256_addcarryx_u32(&x80, &x81, x79, x48, 0x0); + fiat_p256_addcarryx_u32(&x82, &x83, x81, x50, x52); + fiat_p256_addcarryx_u32(&x84, &x85, x83, (x51 + x29), x58); + fiat_p256_addcarryx_u32(&x86, &x87, 0x0, x72, (arg1[3])); + fiat_p256_addcarryx_u32(&x88, &x89, x87, x74, 0x0); + fiat_p256_addcarryx_u32(&x90, &x91, x89, x76, 0x0); + fiat_p256_addcarryx_u32(&x92, &x93, x91, x78, 0x0); + fiat_p256_addcarryx_u32(&x94, &x95, x93, x80, 0x0); + fiat_p256_addcarryx_u32(&x96, &x97, x95, x82, 0x0); + fiat_p256_addcarryx_u32(&x98, &x99, x97, x84, 0x0); + 
fiat_p256_addcarryx_u32(&x100, &x101, x99, (x85 + x59), 0x0); + fiat_p256_mulx_u32(&x102, &x103, x86, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x104, &x105, x86, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x106, &x107, x86, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x108, &x109, x86, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x109, x106); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x107, x104); + fiat_p256_addcarryx_u32(&x114, &x115, 0x0, x86, x108); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x88, x110); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x90, x112); + fiat_p256_addcarryx_u32(&x120, &x121, x119, x92, (x113 + x105)); + fiat_p256_addcarryx_u32(&x122, &x123, x121, x94, 0x0); + fiat_p256_addcarryx_u32(&x124, &x125, x123, x96, 0x0); + fiat_p256_addcarryx_u32(&x126, &x127, x125, x98, x86); + fiat_p256_addcarryx_u32(&x128, &x129, x127, x100, x102); + fiat_p256_addcarryx_u32(&x130, &x131, x129, x101, x103); + fiat_p256_addcarryx_u32(&x132, &x133, 0x0, x116, (arg1[4])); + fiat_p256_addcarryx_u32(&x134, &x135, x133, x118, 0x0); + fiat_p256_addcarryx_u32(&x136, &x137, x135, x120, 0x0); + fiat_p256_addcarryx_u32(&x138, &x139, x137, x122, 0x0); + fiat_p256_addcarryx_u32(&x140, &x141, x139, x124, 0x0); + fiat_p256_addcarryx_u32(&x142, &x143, x141, x126, 0x0); + fiat_p256_addcarryx_u32(&x144, &x145, x143, x128, 0x0); + fiat_p256_addcarryx_u32(&x146, &x147, x145, x130, 0x0); + fiat_p256_mulx_u32(&x148, &x149, x132, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x150, &x151, x132, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x152, &x153, x132, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x154, &x155, x132, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x156, &x157, 0x0, x155, x152); + fiat_p256_addcarryx_u32(&x158, &x159, x157, x153, x150); + fiat_p256_addcarryx_u32(&x160, &x161, 0x0, x132, x154); + fiat_p256_addcarryx_u32(&x162, &x163, x161, x134, x156); + fiat_p256_addcarryx_u32(&x164, &x165, x163, x136, x158); + 
fiat_p256_addcarryx_u32(&x166, &x167, x165, x138, (x159 + x151)); + fiat_p256_addcarryx_u32(&x168, &x169, x167, x140, 0x0); + fiat_p256_addcarryx_u32(&x170, &x171, x169, x142, 0x0); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x144, x132); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x146, x148); + fiat_p256_addcarryx_u32(&x176, &x177, x175, ((uint32_t)x147 + x131), x149); + fiat_p256_addcarryx_u32(&x178, &x179, 0x0, x162, (arg1[5])); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x164, 0x0); + fiat_p256_addcarryx_u32(&x182, &x183, x181, x166, 0x0); + fiat_p256_addcarryx_u32(&x184, &x185, x183, x168, 0x0); + fiat_p256_addcarryx_u32(&x186, &x187, x185, x170, 0x0); + fiat_p256_addcarryx_u32(&x188, &x189, x187, x172, 0x0); + fiat_p256_addcarryx_u32(&x190, &x191, x189, x174, 0x0); + fiat_p256_addcarryx_u32(&x192, &x193, x191, x176, 0x0); + fiat_p256_mulx_u32(&x194, &x195, x178, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x196, &x197, x178, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x198, &x199, x178, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x200, &x201, x178, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x202, &x203, 0x0, x201, x198); + fiat_p256_addcarryx_u32(&x204, &x205, x203, x199, x196); + fiat_p256_addcarryx_u32(&x206, &x207, 0x0, x178, x200); + fiat_p256_addcarryx_u32(&x208, &x209, x207, x180, x202); + fiat_p256_addcarryx_u32(&x210, &x211, x209, x182, x204); + fiat_p256_addcarryx_u32(&x212, &x213, x211, x184, (x205 + x197)); + fiat_p256_addcarryx_u32(&x214, &x215, x213, x186, 0x0); + fiat_p256_addcarryx_u32(&x216, &x217, x215, x188, 0x0); + fiat_p256_addcarryx_u32(&x218, &x219, x217, x190, x178); + fiat_p256_addcarryx_u32(&x220, &x221, x219, x192, x194); + fiat_p256_addcarryx_u32(&x222, &x223, x221, ((uint32_t)x193 + x177), x195); + fiat_p256_addcarryx_u32(&x224, &x225, 0x0, x208, (arg1[6])); + fiat_p256_addcarryx_u32(&x226, &x227, x225, x210, 0x0); + fiat_p256_addcarryx_u32(&x228, &x229, x227, x212, 0x0); + fiat_p256_addcarryx_u32(&x230, &x231, 
x229, x214, 0x0); + fiat_p256_addcarryx_u32(&x232, &x233, x231, x216, 0x0); + fiat_p256_addcarryx_u32(&x234, &x235, x233, x218, 0x0); + fiat_p256_addcarryx_u32(&x236, &x237, x235, x220, 0x0); + fiat_p256_addcarryx_u32(&x238, &x239, x237, x222, 0x0); + fiat_p256_mulx_u32(&x240, &x241, x224, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x242, &x243, x224, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x244, &x245, x224, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x246, &x247, x224, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x248, &x249, 0x0, x247, x244); + fiat_p256_addcarryx_u32(&x250, &x251, x249, x245, x242); + fiat_p256_addcarryx_u32(&x252, &x253, 0x0, x224, x246); + fiat_p256_addcarryx_u32(&x254, &x255, x253, x226, x248); + fiat_p256_addcarryx_u32(&x256, &x257, x255, x228, x250); + fiat_p256_addcarryx_u32(&x258, &x259, x257, x230, (x251 + x243)); + fiat_p256_addcarryx_u32(&x260, &x261, x259, x232, 0x0); + fiat_p256_addcarryx_u32(&x262, &x263, x261, x234, 0x0); + fiat_p256_addcarryx_u32(&x264, &x265, x263, x236, x224); + fiat_p256_addcarryx_u32(&x266, &x267, x265, x238, x240); + fiat_p256_addcarryx_u32(&x268, &x269, x267, ((uint32_t)x239 + x223), x241); + fiat_p256_addcarryx_u32(&x270, &x271, 0x0, x254, (arg1[7])); + fiat_p256_addcarryx_u32(&x272, &x273, x271, x256, 0x0); + fiat_p256_addcarryx_u32(&x274, &x275, x273, x258, 0x0); + fiat_p256_addcarryx_u32(&x276, &x277, x275, x260, 0x0); + fiat_p256_addcarryx_u32(&x278, &x279, x277, x262, 0x0); + fiat_p256_addcarryx_u32(&x280, &x281, x279, x264, 0x0); + fiat_p256_addcarryx_u32(&x282, &x283, x281, x266, 0x0); + fiat_p256_addcarryx_u32(&x284, &x285, x283, x268, 0x0); + fiat_p256_mulx_u32(&x286, &x287, x270, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x288, &x289, x270, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x290, &x291, x270, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x292, &x293, x270, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x294, &x295, 0x0, x293, x290); + fiat_p256_addcarryx_u32(&x296, 
&x297, x295, x291, x288); + fiat_p256_addcarryx_u32(&x298, &x299, 0x0, x270, x292); + fiat_p256_addcarryx_u32(&x300, &x301, x299, x272, x294); + fiat_p256_addcarryx_u32(&x302, &x303, x301, x274, x296); + fiat_p256_addcarryx_u32(&x304, &x305, x303, x276, (x297 + x289)); + fiat_p256_addcarryx_u32(&x306, &x307, x305, x278, 0x0); + fiat_p256_addcarryx_u32(&x308, &x309, x307, x280, 0x0); + fiat_p256_addcarryx_u32(&x310, &x311, x309, x282, x270); + fiat_p256_addcarryx_u32(&x312, &x313, x311, x284, x286); + fiat_p256_addcarryx_u32(&x314, &x315, x313, ((uint32_t)x285 + x269), x287); + fiat_p256_subborrowx_u32(&x316, &x317, 0x0, x300, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x318, &x319, x317, x302, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x320, &x321, x319, x304, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x322, &x323, x321, x306, 0x0); + fiat_p256_subborrowx_u32(&x324, &x325, x323, x308, 0x0); + fiat_p256_subborrowx_u32(&x326, &x327, x325, x310, 0x0); + fiat_p256_subborrowx_u32(&x328, &x329, x327, x312, 0x1); + fiat_p256_subborrowx_u32(&x330, &x331, x329, x314, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x332, &x333, x331, x315, 0x0); + fiat_p256_cmovznz_u32(&x334, x333, x316, x300); + fiat_p256_cmovznz_u32(&x335, x333, x318, x302); + fiat_p256_cmovznz_u32(&x336, x333, x320, x304); + fiat_p256_cmovznz_u32(&x337, x333, x322, x306); + fiat_p256_cmovznz_u32(&x338, x333, x324, x308); + fiat_p256_cmovznz_u32(&x339, x333, x326, x310); + fiat_p256_cmovznz_u32(&x340, x333, x328, x312); + fiat_p256_cmovznz_u32(&x341, x333, x330, x314); + out1[0] = x334; + out1[1] = x335; + out1[2] = x336; + out1[3] = x337; + out1[4] = x338; + out1[5] = x339; + out1[6] = x340; + out1[7] = x341; +} + +/* + * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = eval arg1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint32_t x20; + uint32_t x21; + uint32_t x22; + uint32_t x23; + fiat_p256_uint1 x24; + uint32_t x25; + fiat_p256_uint1 x26; + uint32_t x27; + fiat_p256_uint1 x28; + uint32_t x29; + fiat_p256_uint1 x30; + uint32_t x31; + fiat_p256_uint1 x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + fiat_p256_uint1 x42; + uint32_t x43; + fiat_p256_uint1 x44; + uint32_t x45; + fiat_p256_uint1 x46; + uint32_t x47; + fiat_p256_uint1 x48; + uint32_t x49; + fiat_p256_uint1 x50; + uint32_t x51; + fiat_p256_uint1 x52; + uint32_t x53; + fiat_p256_uint1 x54; + uint32_t x55; + fiat_p256_uint1 x56; + uint32_t x57; + fiat_p256_uint1 x58; + uint32_t x59; + fiat_p256_uint1 x60; + uint32_t x61; + fiat_p256_uint1 x62; + uint32_t x63; + uint32_t x64; + uint32_t x65; + uint32_t x66; + uint32_t x67; + uint32_t x68; + uint32_t x69; + uint32_t x70; + uint32_t x71; + uint32_t x72; + uint32_t x73; + uint32_t x74; + uint32_t x75; + uint32_t x76; + uint32_t x77; + fiat_p256_uint1 x78; + uint32_t x79; + fiat_p256_uint1 x80; + uint32_t x81; + fiat_p256_uint1 x82; + uint32_t x83; + fiat_p256_uint1 x84; + uint32_t x85; + fiat_p256_uint1 x86; + uint32_t x87; + fiat_p256_uint1 x88; + uint32_t x89; + fiat_p256_uint1 x90; + uint32_t x91; + fiat_p256_uint1 x92; + uint32_t x93; + fiat_p256_uint1 x94; + uint32_t 
x95; + fiat_p256_uint1 x96; + uint32_t x97; + fiat_p256_uint1 x98; + uint32_t x99; + fiat_p256_uint1 x100; + uint32_t x101; + fiat_p256_uint1 x102; + uint32_t x103; + uint32_t x104; + uint32_t x105; + uint32_t x106; + uint32_t x107; + uint32_t x108; + uint32_t x109; + uint32_t x110; + uint32_t x111; + fiat_p256_uint1 x112; + uint32_t x113; + fiat_p256_uint1 x114; + uint32_t x115; + fiat_p256_uint1 x116; + uint32_t x117; + fiat_p256_uint1 x118; + uint32_t x119; + fiat_p256_uint1 x120; + uint32_t x121; + fiat_p256_uint1 x122; + uint32_t x123; + fiat_p256_uint1 x124; + uint32_t x125; + fiat_p256_uint1 x126; + uint32_t x127; + fiat_p256_uint1 x128; + uint32_t x129; + fiat_p256_uint1 x130; + uint32_t x131; + fiat_p256_uint1 x132; + uint32_t x133; + uint32_t x134; + uint32_t x135; + uint32_t x136; + uint32_t x137; + uint32_t x138; + uint32_t x139; + uint32_t x140; + uint32_t x141; + uint32_t x142; + uint32_t x143; + uint32_t x144; + uint32_t x145; + uint32_t x146; + uint32_t x147; + fiat_p256_uint1 x148; + uint32_t x149; + fiat_p256_uint1 x150; + uint32_t x151; + fiat_p256_uint1 x152; + uint32_t x153; + fiat_p256_uint1 x154; + uint32_t x155; + fiat_p256_uint1 x156; + uint32_t x157; + fiat_p256_uint1 x158; + uint32_t x159; + fiat_p256_uint1 x160; + uint32_t x161; + fiat_p256_uint1 x162; + uint32_t x163; + fiat_p256_uint1 x164; + uint32_t x165; + fiat_p256_uint1 x166; + uint32_t x167; + fiat_p256_uint1 x168; + uint32_t x169; + fiat_p256_uint1 x170; + uint32_t x171; + fiat_p256_uint1 x172; + uint32_t x173; + uint32_t x174; + uint32_t x175; + uint32_t x176; + uint32_t x177; + uint32_t x178; + uint32_t x179; + uint32_t x180; + uint32_t x181; + fiat_p256_uint1 x182; + uint32_t x183; + fiat_p256_uint1 x184; + uint32_t x185; + fiat_p256_uint1 x186; + uint32_t x187; + fiat_p256_uint1 x188; + uint32_t x189; + fiat_p256_uint1 x190; + uint32_t x191; + fiat_p256_uint1 x192; + uint32_t x193; + fiat_p256_uint1 x194; + uint32_t x195; + fiat_p256_uint1 x196; + uint32_t x197; + 
fiat_p256_uint1 x198; + uint32_t x199; + fiat_p256_uint1 x200; + uint32_t x201; + fiat_p256_uint1 x202; + uint32_t x203; + uint32_t x204; + uint32_t x205; + uint32_t x206; + uint32_t x207; + uint32_t x208; + uint32_t x209; + uint32_t x210; + uint32_t x211; + uint32_t x212; + uint32_t x213; + uint32_t x214; + uint32_t x215; + uint32_t x216; + uint32_t x217; + fiat_p256_uint1 x218; + uint32_t x219; + fiat_p256_uint1 x220; + uint32_t x221; + fiat_p256_uint1 x222; + uint32_t x223; + fiat_p256_uint1 x224; + uint32_t x225; + fiat_p256_uint1 x226; + uint32_t x227; + fiat_p256_uint1 x228; + uint32_t x229; + fiat_p256_uint1 x230; + uint32_t x231; + fiat_p256_uint1 x232; + uint32_t x233; + fiat_p256_uint1 x234; + uint32_t x235; + fiat_p256_uint1 x236; + uint32_t x237; + fiat_p256_uint1 x238; + uint32_t x239; + fiat_p256_uint1 x240; + uint32_t x241; + fiat_p256_uint1 x242; + uint32_t x243; + uint32_t x244; + uint32_t x245; + uint32_t x246; + uint32_t x247; + uint32_t x248; + uint32_t x249; + uint32_t x250; + uint32_t x251; + fiat_p256_uint1 x252; + uint32_t x253; + fiat_p256_uint1 x254; + uint32_t x255; + fiat_p256_uint1 x256; + uint32_t x257; + fiat_p256_uint1 x258; + uint32_t x259; + fiat_p256_uint1 x260; + uint32_t x261; + fiat_p256_uint1 x262; + uint32_t x263; + fiat_p256_uint1 x264; + uint32_t x265; + fiat_p256_uint1 x266; + uint32_t x267; + fiat_p256_uint1 x268; + uint32_t x269; + fiat_p256_uint1 x270; + uint32_t x271; + fiat_p256_uint1 x272; + uint32_t x273; + uint32_t x274; + uint32_t x275; + uint32_t x276; + uint32_t x277; + uint32_t x278; + uint32_t x279; + uint32_t x280; + uint32_t x281; + uint32_t x282; + uint32_t x283; + uint32_t x284; + uint32_t x285; + uint32_t x286; + uint32_t x287; + fiat_p256_uint1 x288; + uint32_t x289; + fiat_p256_uint1 x290; + uint32_t x291; + fiat_p256_uint1 x292; + uint32_t x293; + fiat_p256_uint1 x294; + uint32_t x295; + fiat_p256_uint1 x296; + uint32_t x297; + fiat_p256_uint1 x298; + uint32_t x299; + fiat_p256_uint1 x300; + uint32_t 
x301; + fiat_p256_uint1 x302; + uint32_t x303; + fiat_p256_uint1 x304; + uint32_t x305; + fiat_p256_uint1 x306; + uint32_t x307; + fiat_p256_uint1 x308; + uint32_t x309; + fiat_p256_uint1 x310; + uint32_t x311; + fiat_p256_uint1 x312; + uint32_t x313; + uint32_t x314; + uint32_t x315; + uint32_t x316; + uint32_t x317; + uint32_t x318; + uint32_t x319; + uint32_t x320; + uint32_t x321; + fiat_p256_uint1 x322; + uint32_t x323; + fiat_p256_uint1 x324; + uint32_t x325; + fiat_p256_uint1 x326; + uint32_t x327; + fiat_p256_uint1 x328; + uint32_t x329; + fiat_p256_uint1 x330; + uint32_t x331; + fiat_p256_uint1 x332; + uint32_t x333; + fiat_p256_uint1 x334; + uint32_t x335; + fiat_p256_uint1 x336; + uint32_t x337; + fiat_p256_uint1 x338; + uint32_t x339; + fiat_p256_uint1 x340; + uint32_t x341; + fiat_p256_uint1 x342; + uint32_t x343; + uint32_t x344; + uint32_t x345; + uint32_t x346; + uint32_t x347; + uint32_t x348; + uint32_t x349; + uint32_t x350; + uint32_t x351; + uint32_t x352; + uint32_t x353; + uint32_t x354; + uint32_t x355; + uint32_t x356; + uint32_t x357; + fiat_p256_uint1 x358; + uint32_t x359; + fiat_p256_uint1 x360; + uint32_t x361; + fiat_p256_uint1 x362; + uint32_t x363; + fiat_p256_uint1 x364; + uint32_t x365; + fiat_p256_uint1 x366; + uint32_t x367; + fiat_p256_uint1 x368; + uint32_t x369; + fiat_p256_uint1 x370; + uint32_t x371; + fiat_p256_uint1 x372; + uint32_t x373; + fiat_p256_uint1 x374; + uint32_t x375; + fiat_p256_uint1 x376; + uint32_t x377; + fiat_p256_uint1 x378; + uint32_t x379; + fiat_p256_uint1 x380; + uint32_t x381; + fiat_p256_uint1 x382; + uint32_t x383; + uint32_t x384; + uint32_t x385; + uint32_t x386; + uint32_t x387; + uint32_t x388; + uint32_t x389; + uint32_t x390; + uint32_t x391; + fiat_p256_uint1 x392; + uint32_t x393; + fiat_p256_uint1 x394; + uint32_t x395; + fiat_p256_uint1 x396; + uint32_t x397; + fiat_p256_uint1 x398; + uint32_t x399; + fiat_p256_uint1 x400; + uint32_t x401; + fiat_p256_uint1 x402; + uint32_t x403; + 
fiat_p256_uint1 x404; + uint32_t x405; + fiat_p256_uint1 x406; + uint32_t x407; + fiat_p256_uint1 x408; + uint32_t x409; + fiat_p256_uint1 x410; + uint32_t x411; + fiat_p256_uint1 x412; + uint32_t x413; + uint32_t x414; + uint32_t x415; + uint32_t x416; + uint32_t x417; + uint32_t x418; + uint32_t x419; + uint32_t x420; + uint32_t x421; + uint32_t x422; + uint32_t x423; + uint32_t x424; + uint32_t x425; + uint32_t x426; + uint32_t x427; + fiat_p256_uint1 x428; + uint32_t x429; + fiat_p256_uint1 x430; + uint32_t x431; + fiat_p256_uint1 x432; + uint32_t x433; + fiat_p256_uint1 x434; + uint32_t x435; + fiat_p256_uint1 x436; + uint32_t x437; + fiat_p256_uint1 x438; + uint32_t x439; + fiat_p256_uint1 x440; + uint32_t x441; + fiat_p256_uint1 x442; + uint32_t x443; + fiat_p256_uint1 x444; + uint32_t x445; + fiat_p256_uint1 x446; + uint32_t x447; + fiat_p256_uint1 x448; + uint32_t x449; + fiat_p256_uint1 x450; + uint32_t x451; + fiat_p256_uint1 x452; + uint32_t x453; + uint32_t x454; + uint32_t x455; + uint32_t x456; + uint32_t x457; + uint32_t x458; + uint32_t x459; + uint32_t x460; + uint32_t x461; + fiat_p256_uint1 x462; + uint32_t x463; + fiat_p256_uint1 x464; + uint32_t x465; + fiat_p256_uint1 x466; + uint32_t x467; + fiat_p256_uint1 x468; + uint32_t x469; + fiat_p256_uint1 x470; + uint32_t x471; + fiat_p256_uint1 x472; + uint32_t x473; + fiat_p256_uint1 x474; + uint32_t x475; + fiat_p256_uint1 x476; + uint32_t x477; + fiat_p256_uint1 x478; + uint32_t x479; + fiat_p256_uint1 x480; + uint32_t x481; + fiat_p256_uint1 x482; + uint32_t x483; + uint32_t x484; + uint32_t x485; + uint32_t x486; + uint32_t x487; + uint32_t x488; + uint32_t x489; + uint32_t x490; + uint32_t x491; + uint32_t x492; + uint32_t x493; + uint32_t x494; + uint32_t x495; + uint32_t x496; + uint32_t x497; + fiat_p256_uint1 x498; + uint32_t x499; + fiat_p256_uint1 x500; + uint32_t x501; + fiat_p256_uint1 x502; + uint32_t x503; + fiat_p256_uint1 x504; + uint32_t x505; + fiat_p256_uint1 x506; + uint32_t 
x507; + fiat_p256_uint1 x508; + uint32_t x509; + fiat_p256_uint1 x510; + uint32_t x511; + fiat_p256_uint1 x512; + uint32_t x513; + fiat_p256_uint1 x514; + uint32_t x515; + fiat_p256_uint1 x516; + uint32_t x517; + fiat_p256_uint1 x518; + uint32_t x519; + fiat_p256_uint1 x520; + uint32_t x521; + fiat_p256_uint1 x522; + uint32_t x523; + uint32_t x524; + uint32_t x525; + uint32_t x526; + uint32_t x527; + uint32_t x528; + uint32_t x529; + uint32_t x530; + uint32_t x531; + fiat_p256_uint1 x532; + uint32_t x533; + fiat_p256_uint1 x534; + uint32_t x535; + fiat_p256_uint1 x536; + uint32_t x537; + fiat_p256_uint1 x538; + uint32_t x539; + fiat_p256_uint1 x540; + uint32_t x541; + fiat_p256_uint1 x542; + uint32_t x543; + fiat_p256_uint1 x544; + uint32_t x545; + fiat_p256_uint1 x546; + uint32_t x547; + fiat_p256_uint1 x548; + uint32_t x549; + fiat_p256_uint1 x550; + uint32_t x551; + fiat_p256_uint1 x552; + uint32_t x553; + fiat_p256_uint1 x554; + uint32_t x555; + fiat_p256_uint1 x556; + uint32_t x557; + fiat_p256_uint1 x558; + uint32_t x559; + fiat_p256_uint1 x560; + uint32_t x561; + fiat_p256_uint1 x562; + uint32_t x563; + fiat_p256_uint1 x564; + uint32_t x565; + fiat_p256_uint1 x566; + uint32_t x567; + fiat_p256_uint1 x568; + uint32_t x569; + fiat_p256_uint1 x570; + uint32_t x571; + uint32_t x572; + uint32_t x573; + uint32_t x574; + uint32_t x575; + uint32_t x576; + uint32_t x577; + uint32_t x578; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[4]); + x5 = (arg1[5]); + x6 = (arg1[6]); + x7 = (arg1[7]); + x8 = (arg1[0]); + fiat_p256_mulx_u32(&x9, &x10, x8, 0x4); + fiat_p256_mulx_u32(&x11, &x12, x8, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x13, &x14, x8, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x15, &x16, x8, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x17, &x18, x8, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x19, &x20, x8, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x21, &x22, x8, 0x3); + fiat_p256_addcarryx_u32(&x23, &x24, 0x0, x20, x17); + 
fiat_p256_addcarryx_u32(&x25, &x26, x24, x18, x15); + fiat_p256_addcarryx_u32(&x27, &x28, x26, x16, x13); + fiat_p256_addcarryx_u32(&x29, &x30, x28, x14, x11); + fiat_p256_addcarryx_u32(&x31, &x32, x30, x12, x9); + fiat_p256_mulx_u32(&x33, &x34, x21, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x35, &x36, x21, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x37, &x38, x21, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x39, &x40, x21, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x41, &x42, 0x0, x40, x37); + fiat_p256_addcarryx_u32(&x43, &x44, x42, x38, x35); + fiat_p256_addcarryx_u32(&x45, &x46, 0x0, x21, x39); + fiat_p256_addcarryx_u32(&x47, &x48, x46, x22, x41); + fiat_p256_addcarryx_u32(&x49, &x50, x48, x19, x43); + fiat_p256_addcarryx_u32(&x51, &x52, x50, x23, (x44 + x36)); + fiat_p256_addcarryx_u32(&x53, &x54, x52, x25, 0x0); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x27, 0x0); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x29, x21); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x31, x33); + fiat_p256_addcarryx_u32(&x61, &x62, x60, (x32 + x10), x34); + fiat_p256_mulx_u32(&x63, &x64, x1, 0x4); + fiat_p256_mulx_u32(&x65, &x66, x1, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x67, &x68, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x69, &x70, x1, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x71, &x72, x1, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x73, &x74, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x75, &x76, x1, 0x3); + fiat_p256_addcarryx_u32(&x77, &x78, 0x0, x74, x71); + fiat_p256_addcarryx_u32(&x79, &x80, x78, x72, x69); + fiat_p256_addcarryx_u32(&x81, &x82, x80, x70, x67); + fiat_p256_addcarryx_u32(&x83, &x84, x82, x68, x65); + fiat_p256_addcarryx_u32(&x85, &x86, x84, x66, x63); + fiat_p256_addcarryx_u32(&x87, &x88, 0x0, x47, x75); + fiat_p256_addcarryx_u32(&x89, &x90, x88, x49, x76); + fiat_p256_addcarryx_u32(&x91, &x92, x90, x51, x73); + fiat_p256_addcarryx_u32(&x93, &x94, x92, x53, x77); + fiat_p256_addcarryx_u32(&x95, &x96, x94, x55, x79); + 
fiat_p256_addcarryx_u32(&x97, &x98, x96, x57, x81); + fiat_p256_addcarryx_u32(&x99, &x100, x98, x59, x83); + fiat_p256_addcarryx_u32(&x101, &x102, x100, x61, x85); + fiat_p256_mulx_u32(&x103, &x104, x87, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x105, &x106, x87, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x107, &x108, x87, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x109, &x110, x87, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x111, &x112, 0x0, x110, x107); + fiat_p256_addcarryx_u32(&x113, &x114, x112, x108, x105); + fiat_p256_addcarryx_u32(&x115, &x116, 0x0, x87, x109); + fiat_p256_addcarryx_u32(&x117, &x118, x116, x89, x111); + fiat_p256_addcarryx_u32(&x119, &x120, x118, x91, x113); + fiat_p256_addcarryx_u32(&x121, &x122, x120, x93, (x114 + x106)); + fiat_p256_addcarryx_u32(&x123, &x124, x122, x95, 0x0); + fiat_p256_addcarryx_u32(&x125, &x126, x124, x97, 0x0); + fiat_p256_addcarryx_u32(&x127, &x128, x126, x99, x87); + fiat_p256_addcarryx_u32(&x129, &x130, x128, x101, x103); + fiat_p256_addcarryx_u32(&x131, &x132, x130, (((uint32_t)x102 + x62) + (x86 + x64)), x104); + fiat_p256_mulx_u32(&x133, &x134, x2, 0x4); + fiat_p256_mulx_u32(&x135, &x136, x2, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x137, &x138, x2, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x139, &x140, x2, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x141, &x142, x2, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x143, &x144, x2, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x145, &x146, x2, 0x3); + fiat_p256_addcarryx_u32(&x147, &x148, 0x0, x144, x141); + fiat_p256_addcarryx_u32(&x149, &x150, x148, x142, x139); + fiat_p256_addcarryx_u32(&x151, &x152, x150, x140, x137); + fiat_p256_addcarryx_u32(&x153, &x154, x152, x138, x135); + fiat_p256_addcarryx_u32(&x155, &x156, x154, x136, x133); + fiat_p256_addcarryx_u32(&x157, &x158, 0x0, x117, x145); + fiat_p256_addcarryx_u32(&x159, &x160, x158, x119, x146); + fiat_p256_addcarryx_u32(&x161, &x162, x160, x121, x143); + fiat_p256_addcarryx_u32(&x163, 
&x164, x162, x123, x147); + fiat_p256_addcarryx_u32(&x165, &x166, x164, x125, x149); + fiat_p256_addcarryx_u32(&x167, &x168, x166, x127, x151); + fiat_p256_addcarryx_u32(&x169, &x170, x168, x129, x153); + fiat_p256_addcarryx_u32(&x171, &x172, x170, x131, x155); + fiat_p256_mulx_u32(&x173, &x174, x157, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x175, &x176, x157, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x177, &x178, x157, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x179, &x180, x157, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x181, &x182, 0x0, x180, x177); + fiat_p256_addcarryx_u32(&x183, &x184, x182, x178, x175); + fiat_p256_addcarryx_u32(&x185, &x186, 0x0, x157, x179); + fiat_p256_addcarryx_u32(&x187, &x188, x186, x159, x181); + fiat_p256_addcarryx_u32(&x189, &x190, x188, x161, x183); + fiat_p256_addcarryx_u32(&x191, &x192, x190, x163, (x184 + x176)); + fiat_p256_addcarryx_u32(&x193, &x194, x192, x165, 0x0); + fiat_p256_addcarryx_u32(&x195, &x196, x194, x167, 0x0); + fiat_p256_addcarryx_u32(&x197, &x198, x196, x169, x157); + fiat_p256_addcarryx_u32(&x199, &x200, x198, x171, x173); + fiat_p256_addcarryx_u32(&x201, &x202, x200, (((uint32_t)x172 + x132) + (x156 + x134)), x174); + fiat_p256_mulx_u32(&x203, &x204, x3, 0x4); + fiat_p256_mulx_u32(&x205, &x206, x3, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x207, &x208, x3, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x209, &x210, x3, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x211, &x212, x3, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x213, &x214, x3, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x215, &x216, x3, 0x3); + fiat_p256_addcarryx_u32(&x217, &x218, 0x0, x214, x211); + fiat_p256_addcarryx_u32(&x219, &x220, x218, x212, x209); + fiat_p256_addcarryx_u32(&x221, &x222, x220, x210, x207); + fiat_p256_addcarryx_u32(&x223, &x224, x222, x208, x205); + fiat_p256_addcarryx_u32(&x225, &x226, x224, x206, x203); + fiat_p256_addcarryx_u32(&x227, &x228, 0x0, x187, x215); + fiat_p256_addcarryx_u32(&x229, 
&x230, x228, x189, x216); + fiat_p256_addcarryx_u32(&x231, &x232, x230, x191, x213); + fiat_p256_addcarryx_u32(&x233, &x234, x232, x193, x217); + fiat_p256_addcarryx_u32(&x235, &x236, x234, x195, x219); + fiat_p256_addcarryx_u32(&x237, &x238, x236, x197, x221); + fiat_p256_addcarryx_u32(&x239, &x240, x238, x199, x223); + fiat_p256_addcarryx_u32(&x241, &x242, x240, x201, x225); + fiat_p256_mulx_u32(&x243, &x244, x227, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x245, &x246, x227, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x247, &x248, x227, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x249, &x250, x227, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x251, &x252, 0x0, x250, x247); + fiat_p256_addcarryx_u32(&x253, &x254, x252, x248, x245); + fiat_p256_addcarryx_u32(&x255, &x256, 0x0, x227, x249); + fiat_p256_addcarryx_u32(&x257, &x258, x256, x229, x251); + fiat_p256_addcarryx_u32(&x259, &x260, x258, x231, x253); + fiat_p256_addcarryx_u32(&x261, &x262, x260, x233, (x254 + x246)); + fiat_p256_addcarryx_u32(&x263, &x264, x262, x235, 0x0); + fiat_p256_addcarryx_u32(&x265, &x266, x264, x237, 0x0); + fiat_p256_addcarryx_u32(&x267, &x268, x266, x239, x227); + fiat_p256_addcarryx_u32(&x269, &x270, x268, x241, x243); + fiat_p256_addcarryx_u32(&x271, &x272, x270, (((uint32_t)x242 + x202) + (x226 + x204)), x244); + fiat_p256_mulx_u32(&x273, &x274, x4, 0x4); + fiat_p256_mulx_u32(&x275, &x276, x4, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x277, &x278, x4, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x279, &x280, x4, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x281, &x282, x4, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x283, &x284, x4, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x285, &x286, x4, 0x3); + fiat_p256_addcarryx_u32(&x287, &x288, 0x0, x284, x281); + fiat_p256_addcarryx_u32(&x289, &x290, x288, x282, x279); + fiat_p256_addcarryx_u32(&x291, &x292, x290, x280, x277); + fiat_p256_addcarryx_u32(&x293, &x294, x292, x278, x275); + fiat_p256_addcarryx_u32(&x295, 
&x296, x294, x276, x273); + fiat_p256_addcarryx_u32(&x297, &x298, 0x0, x257, x285); + fiat_p256_addcarryx_u32(&x299, &x300, x298, x259, x286); + fiat_p256_addcarryx_u32(&x301, &x302, x300, x261, x283); + fiat_p256_addcarryx_u32(&x303, &x304, x302, x263, x287); + fiat_p256_addcarryx_u32(&x305, &x306, x304, x265, x289); + fiat_p256_addcarryx_u32(&x307, &x308, x306, x267, x291); + fiat_p256_addcarryx_u32(&x309, &x310, x308, x269, x293); + fiat_p256_addcarryx_u32(&x311, &x312, x310, x271, x295); + fiat_p256_mulx_u32(&x313, &x314, x297, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x315, &x316, x297, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x317, &x318, x297, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x319, &x320, x297, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x321, &x322, 0x0, x320, x317); + fiat_p256_addcarryx_u32(&x323, &x324, x322, x318, x315); + fiat_p256_addcarryx_u32(&x325, &x326, 0x0, x297, x319); + fiat_p256_addcarryx_u32(&x327, &x328, x326, x299, x321); + fiat_p256_addcarryx_u32(&x329, &x330, x328, x301, x323); + fiat_p256_addcarryx_u32(&x331, &x332, x330, x303, (x324 + x316)); + fiat_p256_addcarryx_u32(&x333, &x334, x332, x305, 0x0); + fiat_p256_addcarryx_u32(&x335, &x336, x334, x307, 0x0); + fiat_p256_addcarryx_u32(&x337, &x338, x336, x309, x297); + fiat_p256_addcarryx_u32(&x339, &x340, x338, x311, x313); + fiat_p256_addcarryx_u32(&x341, &x342, x340, (((uint32_t)x312 + x272) + (x296 + x274)), x314); + fiat_p256_mulx_u32(&x343, &x344, x5, 0x4); + fiat_p256_mulx_u32(&x345, &x346, x5, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x347, &x348, x5, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x349, &x350, x5, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x351, &x352, x5, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x353, &x354, x5, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x355, &x356, x5, 0x3); + fiat_p256_addcarryx_u32(&x357, &x358, 0x0, x354, x351); + fiat_p256_addcarryx_u32(&x359, &x360, x358, x352, x349); + fiat_p256_addcarryx_u32(&x361, 
&x362, x360, x350, x347); + fiat_p256_addcarryx_u32(&x363, &x364, x362, x348, x345); + fiat_p256_addcarryx_u32(&x365, &x366, x364, x346, x343); + fiat_p256_addcarryx_u32(&x367, &x368, 0x0, x327, x355); + fiat_p256_addcarryx_u32(&x369, &x370, x368, x329, x356); + fiat_p256_addcarryx_u32(&x371, &x372, x370, x331, x353); + fiat_p256_addcarryx_u32(&x373, &x374, x372, x333, x357); + fiat_p256_addcarryx_u32(&x375, &x376, x374, x335, x359); + fiat_p256_addcarryx_u32(&x377, &x378, x376, x337, x361); + fiat_p256_addcarryx_u32(&x379, &x380, x378, x339, x363); + fiat_p256_addcarryx_u32(&x381, &x382, x380, x341, x365); + fiat_p256_mulx_u32(&x383, &x384, x367, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x385, &x386, x367, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x387, &x388, x367, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x389, &x390, x367, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x391, &x392, 0x0, x390, x387); + fiat_p256_addcarryx_u32(&x393, &x394, x392, x388, x385); + fiat_p256_addcarryx_u32(&x395, &x396, 0x0, x367, x389); + fiat_p256_addcarryx_u32(&x397, &x398, x396, x369, x391); + fiat_p256_addcarryx_u32(&x399, &x400, x398, x371, x393); + fiat_p256_addcarryx_u32(&x401, &x402, x400, x373, (x394 + x386)); + fiat_p256_addcarryx_u32(&x403, &x404, x402, x375, 0x0); + fiat_p256_addcarryx_u32(&x405, &x406, x404, x377, 0x0); + fiat_p256_addcarryx_u32(&x407, &x408, x406, x379, x367); + fiat_p256_addcarryx_u32(&x409, &x410, x408, x381, x383); + fiat_p256_addcarryx_u32(&x411, &x412, x410, (((uint32_t)x382 + x342) + (x366 + x344)), x384); + fiat_p256_mulx_u32(&x413, &x414, x6, 0x4); + fiat_p256_mulx_u32(&x415, &x416, x6, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x417, &x418, x6, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x419, &x420, x6, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x421, &x422, x6, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x423, &x424, x6, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x425, &x426, x6, 0x3); + fiat_p256_addcarryx_u32(&x427, 
&x428, 0x0, x424, x421); + fiat_p256_addcarryx_u32(&x429, &x430, x428, x422, x419); + fiat_p256_addcarryx_u32(&x431, &x432, x430, x420, x417); + fiat_p256_addcarryx_u32(&x433, &x434, x432, x418, x415); + fiat_p256_addcarryx_u32(&x435, &x436, x434, x416, x413); + fiat_p256_addcarryx_u32(&x437, &x438, 0x0, x397, x425); + fiat_p256_addcarryx_u32(&x439, &x440, x438, x399, x426); + fiat_p256_addcarryx_u32(&x441, &x442, x440, x401, x423); + fiat_p256_addcarryx_u32(&x443, &x444, x442, x403, x427); + fiat_p256_addcarryx_u32(&x445, &x446, x444, x405, x429); + fiat_p256_addcarryx_u32(&x447, &x448, x446, x407, x431); + fiat_p256_addcarryx_u32(&x449, &x450, x448, x409, x433); + fiat_p256_addcarryx_u32(&x451, &x452, x450, x411, x435); + fiat_p256_mulx_u32(&x453, &x454, x437, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x455, &x456, x437, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x457, &x458, x437, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x459, &x460, x437, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x461, &x462, 0x0, x460, x457); + fiat_p256_addcarryx_u32(&x463, &x464, x462, x458, x455); + fiat_p256_addcarryx_u32(&x465, &x466, 0x0, x437, x459); + fiat_p256_addcarryx_u32(&x467, &x468, x466, x439, x461); + fiat_p256_addcarryx_u32(&x469, &x470, x468, x441, x463); + fiat_p256_addcarryx_u32(&x471, &x472, x470, x443, (x464 + x456)); + fiat_p256_addcarryx_u32(&x473, &x474, x472, x445, 0x0); + fiat_p256_addcarryx_u32(&x475, &x476, x474, x447, 0x0); + fiat_p256_addcarryx_u32(&x477, &x478, x476, x449, x437); + fiat_p256_addcarryx_u32(&x479, &x480, x478, x451, x453); + fiat_p256_addcarryx_u32(&x481, &x482, x480, (((uint32_t)x452 + x412) + (x436 + x414)), x454); + fiat_p256_mulx_u32(&x483, &x484, x7, 0x4); + fiat_p256_mulx_u32(&x485, &x486, x7, UINT32_C(0xfffffffd)); + fiat_p256_mulx_u32(&x487, &x488, x7, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x489, &x490, x7, UINT32_C(0xfffffffe)); + fiat_p256_mulx_u32(&x491, &x492, x7, UINT32_C(0xfffffffb)); + fiat_p256_mulx_u32(&x493, 
&x494, x7, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x495, &x496, x7, 0x3); + fiat_p256_addcarryx_u32(&x497, &x498, 0x0, x494, x491); + fiat_p256_addcarryx_u32(&x499, &x500, x498, x492, x489); + fiat_p256_addcarryx_u32(&x501, &x502, x500, x490, x487); + fiat_p256_addcarryx_u32(&x503, &x504, x502, x488, x485); + fiat_p256_addcarryx_u32(&x505, &x506, x504, x486, x483); + fiat_p256_addcarryx_u32(&x507, &x508, 0x0, x467, x495); + fiat_p256_addcarryx_u32(&x509, &x510, x508, x469, x496); + fiat_p256_addcarryx_u32(&x511, &x512, x510, x471, x493); + fiat_p256_addcarryx_u32(&x513, &x514, x512, x473, x497); + fiat_p256_addcarryx_u32(&x515, &x516, x514, x475, x499); + fiat_p256_addcarryx_u32(&x517, &x518, x516, x477, x501); + fiat_p256_addcarryx_u32(&x519, &x520, x518, x479, x503); + fiat_p256_addcarryx_u32(&x521, &x522, x520, x481, x505); + fiat_p256_mulx_u32(&x523, &x524, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x525, &x526, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x527, &x528, x507, UINT32_C(0xffffffff)); + fiat_p256_mulx_u32(&x529, &x530, x507, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x531, &x532, 0x0, x530, x527); + fiat_p256_addcarryx_u32(&x533, &x534, x532, x528, x525); + fiat_p256_addcarryx_u32(&x535, &x536, 0x0, x507, x529); + fiat_p256_addcarryx_u32(&x537, &x538, x536, x509, x531); + fiat_p256_addcarryx_u32(&x539, &x540, x538, x511, x533); + fiat_p256_addcarryx_u32(&x541, &x542, x540, x513, (x534 + x526)); + fiat_p256_addcarryx_u32(&x543, &x544, x542, x515, 0x0); + fiat_p256_addcarryx_u32(&x545, &x546, x544, x517, 0x0); + fiat_p256_addcarryx_u32(&x547, &x548, x546, x519, x507); + fiat_p256_addcarryx_u32(&x549, &x550, x548, x521, x523); + fiat_p256_addcarryx_u32(&x551, &x552, x550, (((uint32_t)x522 + x482) + (x506 + x484)), x524); + fiat_p256_subborrowx_u32(&x553, &x554, 0x0, x537, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x555, &x556, x554, x539, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x557, &x558, x556, x541, 
UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x559, &x560, x558, x543, 0x0); + fiat_p256_subborrowx_u32(&x561, &x562, x560, x545, 0x0); + fiat_p256_subborrowx_u32(&x563, &x564, x562, x547, 0x0); + fiat_p256_subborrowx_u32(&x565, &x566, x564, x549, 0x1); + fiat_p256_subborrowx_u32(&x567, &x568, x566, x551, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x569, &x570, x568, x552, 0x0); + fiat_p256_cmovznz_u32(&x571, x570, x553, x537); + fiat_p256_cmovznz_u32(&x572, x570, x555, x539); + fiat_p256_cmovznz_u32(&x573, x570, x557, x541); + fiat_p256_cmovznz_u32(&x574, x570, x559, x543); + fiat_p256_cmovznz_u32(&x575, x570, x561, x545); + fiat_p256_cmovznz_u32(&x576, x570, x563, x547); + fiat_p256_cmovznz_u32(&x577, x570, x565, x549); + fiat_p256_cmovznz_u32(&x578, x570, x567, x551); + out1[0] = x571; + out1[1] = x572; + out1[2] = x573; + out1[3] = x574; + out1[4] = x575; + out1[5] = x576; + out1[6] = x577; + out1[7] = x578; +} + +/* + * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * Output Bounds: + * out1: [0x0 ~> 0xffffffff] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) { + uint32_t x1; + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | (arg1[7])))))))); + *out1 = x1; +} + +/* + * The function fiat_p256_selectznz is a multi-limb conditional select. 
+ * + * Postconditions: + * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) + * + * Input Bounds: + * arg1: [0x0 ~> 0x1] + * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const uint32_t arg2[8], const uint32_t arg3[8]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + fiat_p256_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); + fiat_p256_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); + fiat_p256_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); + fiat_p256_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); + fiat_p256_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); + out1[0] = x1; + out1[1] = x2; + out1[2] = x3; + out1[3] = x4; + out1[4] = x5; + out1[5] = x6; + out1[6] = x7; + out1[7] = x8; +} + +/* + * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. 
+ * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] + * + * Input Bounds: + * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * Output Bounds: + * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint32_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint8_t x9; + uint32_t x10; + uint8_t x11; + uint32_t x12; + uint8_t x13; + uint8_t x14; + uint8_t x15; + uint32_t x16; + uint8_t x17; + uint32_t x18; + uint8_t x19; + uint8_t x20; + uint8_t x21; + uint32_t x22; + uint8_t x23; + uint32_t x24; + uint8_t x25; + uint8_t x26; + uint8_t x27; + uint32_t x28; + uint8_t x29; + uint32_t x30; + uint8_t x31; + uint8_t x32; + uint8_t x33; + uint32_t x34; + uint8_t x35; + uint32_t x36; + uint8_t x37; + uint8_t x38; + uint8_t x39; + uint32_t x40; + uint8_t x41; + uint32_t x42; + uint8_t x43; + uint8_t x44; + uint8_t x45; + uint32_t x46; + uint8_t x47; + uint32_t x48; + uint8_t x49; + uint8_t x50; + uint8_t x51; + uint32_t x52; + uint8_t x53; + uint32_t x54; + uint8_t x55; + uint8_t x56; + x1 = (arg1[7]); + x2 = (arg1[6]); + x3 = (arg1[5]); + x4 = (arg1[4]); + x5 = (arg1[3]); + x6 = (arg1[2]); + x7 = (arg1[1]); + x8 = (arg1[0]); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); 
+ x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (uint8_t)(x12 >> 8); + x15 = (uint8_t)(x7 & UINT8_C(0xff)); + x16 = (x7 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (x16 >> 8); + x19 = (uint8_t)(x18 & UINT8_C(0xff)); + x20 = (uint8_t)(x18 >> 8); + x21 = (uint8_t)(x6 & UINT8_C(0xff)); + x22 = (x6 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (uint8_t)(x24 >> 8); + x27 = (uint8_t)(x5 & UINT8_C(0xff)); + x28 = (x5 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x4 & UINT8_C(0xff)); + x34 = (x4 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (uint8_t)(x36 >> 8); + x39 = (uint8_t)(x3 & UINT8_C(0xff)); + x40 = (x3 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (uint8_t)(x42 >> 8); + x45 = (uint8_t)(x2 & UINT8_C(0xff)); + x46 = (x2 >> 8); + x47 = (uint8_t)(x46 & UINT8_C(0xff)); + x48 = (x46 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (uint8_t)(x48 >> 8); + x51 = (uint8_t)(x1 & UINT8_C(0xff)); + x52 = (x1 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (uint8_t)(x54 >> 8); + out1[0] = x9; + out1[1] = x11; + out1[2] = x13; + out1[3] = x14; + out1[4] = x15; + out1[5] = x17; + out1[6] = x19; + out1[7] = x20; + out1[8] = x21; + out1[9] = x23; + out1[10] = x25; + out1[11] = x26; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x38; + out1[20] = x39; + out1[21] = x41; + out1[22] = x43; + out1[23] = x44; + out1[24] = x45; + out1[25] = x47; + out1[26] = x49; + out1[27] = x50; + out1[28] = x51; + out1[29] = x53; + out1[30] = 
x55; + out1[31] = x56; +} + +/* + * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * + * Preconditions: + * 0 ≤ bytes_eval arg1 < m + * Postconditions: + * eval out1 mod m = bytes_eval arg1 mod m + * 0 ≤ eval out1 < m + * + * Input Bounds: + * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] + * Output Bounds: + * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint32_t out1[8], const uint8_t arg1[32]) { + uint32_t x1; + uint32_t x2; + uint32_t x3; + uint8_t x4; + uint32_t x5; + uint32_t x6; + uint32_t x7; + uint8_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint8_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint8_t x16; + uint32_t x17; + uint32_t x18; + uint32_t x19; + uint8_t x20; + uint32_t x21; + uint32_t x22; + uint32_t x23; + uint8_t x24; + uint32_t x25; + uint32_t x26; + uint32_t x27; + uint8_t x28; + uint32_t x29; + uint32_t x30; + uint32_t x31; + uint8_t x32; + uint32_t x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint32_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + uint32_t x52; + uint32_t x53; + uint32_t x54; + uint32_t x55; + uint32_t x56; + x1 
= ((uint32_t)(arg1[31]) << 24); + x2 = ((uint32_t)(arg1[30]) << 16); + x3 = ((uint32_t)(arg1[29]) << 8); + x4 = (arg1[28]); + x5 = ((uint32_t)(arg1[27]) << 24); + x6 = ((uint32_t)(arg1[26]) << 16); + x7 = ((uint32_t)(arg1[25]) << 8); + x8 = (arg1[24]); + x9 = ((uint32_t)(arg1[23]) << 24); + x10 = ((uint32_t)(arg1[22]) << 16); + x11 = ((uint32_t)(arg1[21]) << 8); + x12 = (arg1[20]); + x13 = ((uint32_t)(arg1[19]) << 24); + x14 = ((uint32_t)(arg1[18]) << 16); + x15 = ((uint32_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint32_t)(arg1[15]) << 24); + x18 = ((uint32_t)(arg1[14]) << 16); + x19 = ((uint32_t)(arg1[13]) << 8); + x20 = (arg1[12]); + x21 = ((uint32_t)(arg1[11]) << 24); + x22 = ((uint32_t)(arg1[10]) << 16); + x23 = ((uint32_t)(arg1[9]) << 8); + x24 = (arg1[8]); + x25 = ((uint32_t)(arg1[7]) << 24); + x26 = ((uint32_t)(arg1[6]) << 16); + x27 = ((uint32_t)(arg1[5]) << 8); + x28 = (arg1[4]); + x29 = ((uint32_t)(arg1[3]) << 24); + x30 = ((uint32_t)(arg1[2]) << 16); + x31 = ((uint32_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint32_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x27 + (uint32_t)x28); + x37 = (x26 + x36); + x38 = (x25 + x37); + x39 = (x23 + (uint32_t)x24); + x40 = (x22 + x39); + x41 = (x21 + x40); + x42 = (x19 + (uint32_t)x20); + x43 = (x18 + x42); + x44 = (x17 + x43); + x45 = (x15 + (uint32_t)x16); + x46 = (x14 + x45); + x47 = (x13 + x46); + x48 = (x11 + (uint32_t)x12); + x49 = (x10 + x48); + x50 = (x9 + x49); + x51 = (x7 + (uint32_t)x8); + x52 = (x6 + x51); + x53 = (x5 + x52); + x54 = (x3 + (uint32_t)x4); + x55 = (x2 + x54); + x56 = (x1 + x55); + out1[0] = x35; + out1[1] = x38; + out1[2] = x41; + out1[3] = x44; + out1[4] = x47; + out1[5] = x50; + out1[6] = x53; + out1[7] = x56; } /* - * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. - * Preconditions: - * 0 ≤ eval arg1 < m + * The function fiat_p256_set_one returns the field element one in the Montgomery domain. 
+ * * Postconditions: - * out1 = 0 ↔ eval (from_montgomery arg1) mod m = 0 + * eval (from_montgomery out1) mod m = 1 mod m + * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * Output Bounds: - * out1: [0x0 ~> 0xffffffff] */ -static void fiat_p256_nonzero(uint32_t* out1, const uint32_t arg1[8]) { - uint32_t x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | ((arg1[4]) | ((arg1[5]) | ((arg1[6]) | ((arg1[7]) | (uint32_t)0x0)))))))); - *out1 = x1; +static FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { + out1[0] = 0x1; + out1[1] = 0x0; + out1[2] = 0x0; + out1[3] = UINT32_C(0xffffffff); + out1[4] = UINT32_C(0xffffffff); + out1[5] = UINT32_C(0xffffffff); + out1[6] = UINT32_C(0xfffffffe); + out1[7] = 0x0; } /* - * The function fiat_p256_selectznz is a multi-limb conditional select. + * The function fiat_p256_msat returns the saturated representation of the prime modulus. 
+ * * Postconditions: - * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) + * twos_complement_eval out1 = m + * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [0x0 ~> 0x1] - * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] - * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] * Output Bounds: - * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_selectznz(uint32_t out1[8], fiat_p256_uint1 arg1, const uint32_t arg2[8], const uint32_t arg3[8]) { - uint32_t x1; - fiat_p256_cmovznz_u32(&x1, arg1, (arg2[0]), (arg3[0])); - uint32_t x2; - fiat_p256_cmovznz_u32(&x2, arg1, (arg2[1]), (arg3[1])); - uint32_t x3; - fiat_p256_cmovznz_u32(&x3, arg1, (arg2[2]), (arg3[2])); - uint32_t x4; - fiat_p256_cmovznz_u32(&x4, arg1, (arg2[3]), (arg3[3])); - uint32_t x5; - fiat_p256_cmovznz_u32(&x5, arg1, (arg2[4]), (arg3[4])); - uint32_t x6; - fiat_p256_cmovznz_u32(&x6, arg1, (arg2[5]), (arg3[5])); - uint32_t x7; - fiat_p256_cmovznz_u32(&x7, arg1, (arg2[6]), (arg3[6])); - uint32_t x8; - fiat_p256_cmovznz_u32(&x8, arg1, (arg2[7]), (arg3[7])); - out1[0] = x1; - out1[1] = x2; - out1[2] = x3; - out1[3] = x4; - out1[4] = x5; - out1[5] = x6; - out1[6] = x7; - out1[7] = x8; +static FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint32_t out1[9]) { + out1[0] = UINT32_C(0xffffffff); + out1[1] = UINT32_C(0xffffffff); + out1[2] = UINT32_C(0xffffffff); + out1[3] = 0x0; + out1[4] = 0x0; + out1[5] = 0x0; + 
out1[6] = 0x1; + out1[7] = UINT32_C(0xffffffff); + out1[8] = 0x0; } /* - * The function fiat_p256_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_p256_divstep computes a divstep. + * * Preconditions: - * 0 ≤ eval arg1 < m + * 0 ≤ eval arg4 < m + * 0 ≤ eval arg5 < m * Postconditions: - * out1 = map (λ x, ⌊((eval arg1 mod m) mod 2^(8 * (x + 1))) / 2^(8 * x)⌋) [0..31] + * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) + * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) + * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) + * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) + * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) + * 0 ≤ eval out5 < m + * 0 ≤ eval out5 < m + * 0 ≤ eval out2 < m + * 0 ≤ eval out3 < m * * Input Bounds: - * arg1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg1: [0x0 ~> 0xffffffff] + * arg2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 
0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * arg5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] * Output Bounds: - * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] + * out1: [0x0 ~> 0xffffffff] + * out2: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out3: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out4: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] + * out5: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_to_bytes(uint8_t out1[32], const uint32_t arg1[8]) { - uint32_t x1 = (arg1[7]); - uint32_t x2 = (arg1[6]); - uint32_t x3 = (arg1[5]); - uint32_t x4 = (arg1[4]); - uint32_t x5 = (arg1[3]); - uint32_t x6 = (arg1[2]); - 
uint32_t x7 = (arg1[1]); - uint32_t x8 = (arg1[0]); - uint32_t x9 = (x8 >> 8); - uint8_t x10 = (uint8_t)(x8 & UINT8_C(0xff)); - uint32_t x11 = (x9 >> 8); - uint8_t x12 = (uint8_t)(x9 & UINT8_C(0xff)); - uint8_t x13 = (uint8_t)(x11 >> 8); - uint8_t x14 = (uint8_t)(x11 & UINT8_C(0xff)); - uint8_t x15 = (uint8_t)(x13 & UINT8_C(0xff)); - uint32_t x16 = (x7 >> 8); - uint8_t x17 = (uint8_t)(x7 & UINT8_C(0xff)); - uint32_t x18 = (x16 >> 8); - uint8_t x19 = (uint8_t)(x16 & UINT8_C(0xff)); - uint8_t x20 = (uint8_t)(x18 >> 8); - uint8_t x21 = (uint8_t)(x18 & UINT8_C(0xff)); - uint8_t x22 = (uint8_t)(x20 & UINT8_C(0xff)); - uint32_t x23 = (x6 >> 8); - uint8_t x24 = (uint8_t)(x6 & UINT8_C(0xff)); - uint32_t x25 = (x23 >> 8); - uint8_t x26 = (uint8_t)(x23 & UINT8_C(0xff)); - uint8_t x27 = (uint8_t)(x25 >> 8); - uint8_t x28 = (uint8_t)(x25 & UINT8_C(0xff)); - uint8_t x29 = (uint8_t)(x27 & UINT8_C(0xff)); - uint32_t x30 = (x5 >> 8); - uint8_t x31 = (uint8_t)(x5 & UINT8_C(0xff)); - uint32_t x32 = (x30 >> 8); - uint8_t x33 = (uint8_t)(x30 & UINT8_C(0xff)); - uint8_t x34 = (uint8_t)(x32 >> 8); - uint8_t x35 = (uint8_t)(x32 & UINT8_C(0xff)); - uint8_t x36 = (uint8_t)(x34 & UINT8_C(0xff)); - uint32_t x37 = (x4 >> 8); - uint8_t x38 = (uint8_t)(x4 & UINT8_C(0xff)); - uint32_t x39 = (x37 >> 8); - uint8_t x40 = (uint8_t)(x37 & UINT8_C(0xff)); - uint8_t x41 = (uint8_t)(x39 >> 8); - uint8_t x42 = (uint8_t)(x39 & UINT8_C(0xff)); - uint8_t x43 = (uint8_t)(x41 & UINT8_C(0xff)); - uint32_t x44 = (x3 >> 8); - uint8_t x45 = (uint8_t)(x3 & UINT8_C(0xff)); - uint32_t x46 = (x44 >> 8); - uint8_t x47 = (uint8_t)(x44 & UINT8_C(0xff)); - uint8_t x48 = (uint8_t)(x46 >> 8); - uint8_t x49 = (uint8_t)(x46 & UINT8_C(0xff)); - uint8_t x50 = (uint8_t)(x48 & UINT8_C(0xff)); - uint32_t x51 = (x2 >> 8); - uint8_t x52 = (uint8_t)(x2 & UINT8_C(0xff)); - uint32_t x53 = (x51 >> 8); - uint8_t x54 = (uint8_t)(x51 & UINT8_C(0xff)); - uint8_t x55 = (uint8_t)(x53 >> 8); - uint8_t x56 = (uint8_t)(x53 & UINT8_C(0xff)); - 
uint8_t x57 = (uint8_t)(x55 & UINT8_C(0xff)); - uint32_t x58 = (x1 >> 8); - uint8_t x59 = (uint8_t)(x1 & UINT8_C(0xff)); - uint32_t x60 = (x58 >> 8); - uint8_t x61 = (uint8_t)(x58 & UINT8_C(0xff)); - uint8_t x62 = (uint8_t)(x60 >> 8); - uint8_t x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x10; - out1[1] = x12; - out1[2] = x14; - out1[3] = x15; - out1[4] = x17; - out1[5] = x19; - out1[6] = x21; - out1[7] = x22; - out1[8] = x24; - out1[9] = x26; - out1[10] = x28; - out1[11] = x29; - out1[12] = x31; - out1[13] = x33; - out1[14] = x35; - out1[15] = x36; - out1[16] = x38; - out1[17] = x40; - out1[18] = x42; - out1[19] = x43; - out1[20] = x45; - out1[21] = x47; - out1[22] = x49; - out1[23] = x50; - out1[24] = x52; - out1[25] = x54; - out1[26] = x56; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint32_t* out1, uint32_t out2[9], uint32_t out3[9], uint32_t out4[8], uint32_t out5[8], uint32_t arg1, const uint32_t arg2[9], const uint32_t arg3[9], const uint32_t arg4[8], const uint32_t arg5[8]) { + uint32_t x1; + fiat_p256_uint1 x2; + fiat_p256_uint1 x3; + uint32_t x4; + fiat_p256_uint1 x5; + uint32_t x6; + uint32_t x7; + uint32_t x8; + uint32_t x9; + uint32_t x10; + uint32_t x11; + uint32_t x12; + uint32_t x13; + uint32_t x14; + uint32_t x15; + uint32_t x16; + fiat_p256_uint1 x17; + uint32_t x18; + fiat_p256_uint1 x19; + uint32_t x20; + fiat_p256_uint1 x21; + uint32_t x22; + fiat_p256_uint1 x23; + uint32_t x24; + fiat_p256_uint1 x25; + uint32_t x26; + fiat_p256_uint1 x27; + uint32_t x28; + fiat_p256_uint1 x29; + uint32_t x30; + fiat_p256_uint1 x31; + uint32_t x32; + fiat_p256_uint1 x33; + uint32_t x34; + uint32_t x35; + uint32_t x36; + uint32_t x37; + uint32_t x38; + uint32_t x39; + uint32_t x40; + uint32_t x41; + uint32_t x42; + uint32_t x43; + uint32_t x44; + uint32_t x45; + uint32_t x46; + uint32_t x47; + uint32_t x48; + uint32_t x49; + uint32_t x50; + uint32_t x51; + 
fiat_p256_uint1 x52; + uint32_t x53; + fiat_p256_uint1 x54; + uint32_t x55; + fiat_p256_uint1 x56; + uint32_t x57; + fiat_p256_uint1 x58; + uint32_t x59; + fiat_p256_uint1 x60; + uint32_t x61; + fiat_p256_uint1 x62; + uint32_t x63; + fiat_p256_uint1 x64; + uint32_t x65; + fiat_p256_uint1 x66; + uint32_t x67; + fiat_p256_uint1 x68; + uint32_t x69; + fiat_p256_uint1 x70; + uint32_t x71; + fiat_p256_uint1 x72; + uint32_t x73; + fiat_p256_uint1 x74; + uint32_t x75; + fiat_p256_uint1 x76; + uint32_t x77; + fiat_p256_uint1 x78; + uint32_t x79; + fiat_p256_uint1 x80; + uint32_t x81; + fiat_p256_uint1 x82; + uint32_t x83; + fiat_p256_uint1 x84; + uint32_t x85; + uint32_t x86; + uint32_t x87; + uint32_t x88; + uint32_t x89; + uint32_t x90; + uint32_t x91; + uint32_t x92; + uint32_t x93; + fiat_p256_uint1 x94; + uint32_t x95; + fiat_p256_uint1 x96; + uint32_t x97; + fiat_p256_uint1 x98; + uint32_t x99; + fiat_p256_uint1 x100; + uint32_t x101; + fiat_p256_uint1 x102; + uint32_t x103; + fiat_p256_uint1 x104; + uint32_t x105; + fiat_p256_uint1 x106; + uint32_t x107; + fiat_p256_uint1 x108; + uint32_t x109; + uint32_t x110; + fiat_p256_uint1 x111; + uint32_t x112; + fiat_p256_uint1 x113; + uint32_t x114; + fiat_p256_uint1 x115; + uint32_t x116; + fiat_p256_uint1 x117; + uint32_t x118; + fiat_p256_uint1 x119; + uint32_t x120; + fiat_p256_uint1 x121; + uint32_t x122; + fiat_p256_uint1 x123; + uint32_t x124; + fiat_p256_uint1 x125; + uint32_t x126; + uint32_t x127; + uint32_t x128; + uint32_t x129; + uint32_t x130; + uint32_t x131; + uint32_t x132; + uint32_t x133; + fiat_p256_uint1 x134; + uint32_t x135; + uint32_t x136; + uint32_t x137; + uint32_t x138; + uint32_t x139; + uint32_t x140; + uint32_t x141; + uint32_t x142; + uint32_t x143; + uint32_t x144; + fiat_p256_uint1 x145; + uint32_t x146; + fiat_p256_uint1 x147; + uint32_t x148; + fiat_p256_uint1 x149; + uint32_t x150; + fiat_p256_uint1 x151; + uint32_t x152; + fiat_p256_uint1 x153; + uint32_t x154; + fiat_p256_uint1 x155; + 
uint32_t x156; + fiat_p256_uint1 x157; + uint32_t x158; + fiat_p256_uint1 x159; + uint32_t x160; + fiat_p256_uint1 x161; + uint32_t x162; + uint32_t x163; + uint32_t x164; + uint32_t x165; + uint32_t x166; + uint32_t x167; + uint32_t x168; + uint32_t x169; + uint32_t x170; + fiat_p256_uint1 x171; + uint32_t x172; + fiat_p256_uint1 x173; + uint32_t x174; + fiat_p256_uint1 x175; + uint32_t x176; + fiat_p256_uint1 x177; + uint32_t x178; + fiat_p256_uint1 x179; + uint32_t x180; + fiat_p256_uint1 x181; + uint32_t x182; + fiat_p256_uint1 x183; + uint32_t x184; + fiat_p256_uint1 x185; + uint32_t x186; + fiat_p256_uint1 x187; + uint32_t x188; + fiat_p256_uint1 x189; + uint32_t x190; + fiat_p256_uint1 x191; + uint32_t x192; + fiat_p256_uint1 x193; + uint32_t x194; + fiat_p256_uint1 x195; + uint32_t x196; + fiat_p256_uint1 x197; + uint32_t x198; + fiat_p256_uint1 x199; + uint32_t x200; + fiat_p256_uint1 x201; + uint32_t x202; + fiat_p256_uint1 x203; + uint32_t x204; + fiat_p256_uint1 x205; + uint32_t x206; + uint32_t x207; + uint32_t x208; + uint32_t x209; + uint32_t x210; + uint32_t x211; + uint32_t x212; + uint32_t x213; + uint32_t x214; + uint32_t x215; + uint32_t x216; + uint32_t x217; + uint32_t x218; + uint32_t x219; + uint32_t x220; + uint32_t x221; + uint32_t x222; + uint32_t x223; + uint32_t x224; + uint32_t x225; + uint32_t x226; + uint32_t x227; + uint32_t x228; + uint32_t x229; + uint32_t x230; + fiat_p256_addcarryx_u32(&x1, &x2, 0x0, (~arg1), 0x1); + x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 31) & (fiat_p256_uint1)((arg3[0]) & 0x1)); + fiat_p256_addcarryx_u32(&x4, &x5, 0x0, (~arg1), 0x1); + fiat_p256_cmovznz_u32(&x6, x3, arg1, x4); + fiat_p256_cmovznz_u32(&x7, x3, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u32(&x8, x3, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u32(&x9, x3, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u32(&x10, x3, (arg2[3]), (arg3[3])); + fiat_p256_cmovznz_u32(&x11, x3, (arg2[4]), (arg3[4])); + fiat_p256_cmovznz_u32(&x12, x3, (arg2[5]), 
(arg3[5])); + fiat_p256_cmovznz_u32(&x13, x3, (arg2[6]), (arg3[6])); + fiat_p256_cmovznz_u32(&x14, x3, (arg2[7]), (arg3[7])); + fiat_p256_cmovznz_u32(&x15, x3, (arg2[8]), (arg3[8])); + fiat_p256_addcarryx_u32(&x16, &x17, 0x0, 0x1, (~(arg2[0]))); + fiat_p256_addcarryx_u32(&x18, &x19, x17, 0x0, (~(arg2[1]))); + fiat_p256_addcarryx_u32(&x20, &x21, x19, 0x0, (~(arg2[2]))); + fiat_p256_addcarryx_u32(&x22, &x23, x21, 0x0, (~(arg2[3]))); + fiat_p256_addcarryx_u32(&x24, &x25, x23, 0x0, (~(arg2[4]))); + fiat_p256_addcarryx_u32(&x26, &x27, x25, 0x0, (~(arg2[5]))); + fiat_p256_addcarryx_u32(&x28, &x29, x27, 0x0, (~(arg2[6]))); + fiat_p256_addcarryx_u32(&x30, &x31, x29, 0x0, (~(arg2[7]))); + fiat_p256_addcarryx_u32(&x32, &x33, x31, 0x0, (~(arg2[8]))); + fiat_p256_cmovznz_u32(&x34, x3, (arg3[0]), x16); + fiat_p256_cmovznz_u32(&x35, x3, (arg3[1]), x18); + fiat_p256_cmovznz_u32(&x36, x3, (arg3[2]), x20); + fiat_p256_cmovznz_u32(&x37, x3, (arg3[3]), x22); + fiat_p256_cmovznz_u32(&x38, x3, (arg3[4]), x24); + fiat_p256_cmovznz_u32(&x39, x3, (arg3[5]), x26); + fiat_p256_cmovznz_u32(&x40, x3, (arg3[6]), x28); + fiat_p256_cmovznz_u32(&x41, x3, (arg3[7]), x30); + fiat_p256_cmovznz_u32(&x42, x3, (arg3[8]), x32); + fiat_p256_cmovznz_u32(&x43, x3, (arg4[0]), (arg5[0])); + fiat_p256_cmovznz_u32(&x44, x3, (arg4[1]), (arg5[1])); + fiat_p256_cmovznz_u32(&x45, x3, (arg4[2]), (arg5[2])); + fiat_p256_cmovznz_u32(&x46, x3, (arg4[3]), (arg5[3])); + fiat_p256_cmovznz_u32(&x47, x3, (arg4[4]), (arg5[4])); + fiat_p256_cmovznz_u32(&x48, x3, (arg4[5]), (arg5[5])); + fiat_p256_cmovznz_u32(&x49, x3, (arg4[6]), (arg5[6])); + fiat_p256_cmovznz_u32(&x50, x3, (arg4[7]), (arg5[7])); + fiat_p256_addcarryx_u32(&x51, &x52, 0x0, x43, x43); + fiat_p256_addcarryx_u32(&x53, &x54, x52, x44, x44); + fiat_p256_addcarryx_u32(&x55, &x56, x54, x45, x45); + fiat_p256_addcarryx_u32(&x57, &x58, x56, x46, x46); + fiat_p256_addcarryx_u32(&x59, &x60, x58, x47, x47); + fiat_p256_addcarryx_u32(&x61, &x62, x60, x48, x48); + 
fiat_p256_addcarryx_u32(&x63, &x64, x62, x49, x49); + fiat_p256_addcarryx_u32(&x65, &x66, x64, x50, x50); + fiat_p256_subborrowx_u32(&x67, &x68, 0x0, x51, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x69, &x70, x68, x53, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x71, &x72, x70, x55, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x73, &x74, x72, x57, 0x0); + fiat_p256_subborrowx_u32(&x75, &x76, x74, x59, 0x0); + fiat_p256_subborrowx_u32(&x77, &x78, x76, x61, 0x0); + fiat_p256_subborrowx_u32(&x79, &x80, x78, x63, 0x1); + fiat_p256_subborrowx_u32(&x81, &x82, x80, x65, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x83, &x84, x82, x66, 0x0); + x85 = (arg4[7]); + x86 = (arg4[6]); + x87 = (arg4[5]); + x88 = (arg4[4]); + x89 = (arg4[3]); + x90 = (arg4[2]); + x91 = (arg4[1]); + x92 = (arg4[0]); + fiat_p256_subborrowx_u32(&x93, &x94, 0x0, 0x0, x92); + fiat_p256_subborrowx_u32(&x95, &x96, x94, 0x0, x91); + fiat_p256_subborrowx_u32(&x97, &x98, x96, 0x0, x90); + fiat_p256_subborrowx_u32(&x99, &x100, x98, 0x0, x89); + fiat_p256_subborrowx_u32(&x101, &x102, x100, 0x0, x88); + fiat_p256_subborrowx_u32(&x103, &x104, x102, 0x0, x87); + fiat_p256_subborrowx_u32(&x105, &x106, x104, 0x0, x86); + fiat_p256_subborrowx_u32(&x107, &x108, x106, 0x0, x85); + fiat_p256_cmovznz_u32(&x109, x108, 0x0, UINT32_C(0xffffffff)); + fiat_p256_addcarryx_u32(&x110, &x111, 0x0, x93, x109); + fiat_p256_addcarryx_u32(&x112, &x113, x111, x95, x109); + fiat_p256_addcarryx_u32(&x114, &x115, x113, x97, x109); + fiat_p256_addcarryx_u32(&x116, &x117, x115, x99, 0x0); + fiat_p256_addcarryx_u32(&x118, &x119, x117, x101, 0x0); + fiat_p256_addcarryx_u32(&x120, &x121, x119, x103, 0x0); + fiat_p256_addcarryx_u32(&x122, &x123, x121, x105, (fiat_p256_uint1)(x109 & 0x1)); + fiat_p256_addcarryx_u32(&x124, &x125, x123, x107, x109); + fiat_p256_cmovznz_u32(&x126, x3, (arg5[0]), x110); + fiat_p256_cmovznz_u32(&x127, x3, (arg5[1]), x112); + fiat_p256_cmovznz_u32(&x128, x3, (arg5[2]), x114); + 
fiat_p256_cmovznz_u32(&x129, x3, (arg5[3]), x116); + fiat_p256_cmovznz_u32(&x130, x3, (arg5[4]), x118); + fiat_p256_cmovznz_u32(&x131, x3, (arg5[5]), x120); + fiat_p256_cmovznz_u32(&x132, x3, (arg5[6]), x122); + fiat_p256_cmovznz_u32(&x133, x3, (arg5[7]), x124); + x134 = (fiat_p256_uint1)(x34 & 0x1); + fiat_p256_cmovznz_u32(&x135, x134, 0x0, x7); + fiat_p256_cmovznz_u32(&x136, x134, 0x0, x8); + fiat_p256_cmovznz_u32(&x137, x134, 0x0, x9); + fiat_p256_cmovznz_u32(&x138, x134, 0x0, x10); + fiat_p256_cmovznz_u32(&x139, x134, 0x0, x11); + fiat_p256_cmovznz_u32(&x140, x134, 0x0, x12); + fiat_p256_cmovznz_u32(&x141, x134, 0x0, x13); + fiat_p256_cmovznz_u32(&x142, x134, 0x0, x14); + fiat_p256_cmovznz_u32(&x143, x134, 0x0, x15); + fiat_p256_addcarryx_u32(&x144, &x145, 0x0, x34, x135); + fiat_p256_addcarryx_u32(&x146, &x147, x145, x35, x136); + fiat_p256_addcarryx_u32(&x148, &x149, x147, x36, x137); + fiat_p256_addcarryx_u32(&x150, &x151, x149, x37, x138); + fiat_p256_addcarryx_u32(&x152, &x153, x151, x38, x139); + fiat_p256_addcarryx_u32(&x154, &x155, x153, x39, x140); + fiat_p256_addcarryx_u32(&x156, &x157, x155, x40, x141); + fiat_p256_addcarryx_u32(&x158, &x159, x157, x41, x142); + fiat_p256_addcarryx_u32(&x160, &x161, x159, x42, x143); + fiat_p256_cmovznz_u32(&x162, x134, 0x0, x43); + fiat_p256_cmovznz_u32(&x163, x134, 0x0, x44); + fiat_p256_cmovznz_u32(&x164, x134, 0x0, x45); + fiat_p256_cmovznz_u32(&x165, x134, 0x0, x46); + fiat_p256_cmovznz_u32(&x166, x134, 0x0, x47); + fiat_p256_cmovznz_u32(&x167, x134, 0x0, x48); + fiat_p256_cmovznz_u32(&x168, x134, 0x0, x49); + fiat_p256_cmovznz_u32(&x169, x134, 0x0, x50); + fiat_p256_addcarryx_u32(&x170, &x171, 0x0, x126, x162); + fiat_p256_addcarryx_u32(&x172, &x173, x171, x127, x163); + fiat_p256_addcarryx_u32(&x174, &x175, x173, x128, x164); + fiat_p256_addcarryx_u32(&x176, &x177, x175, x129, x165); + fiat_p256_addcarryx_u32(&x178, &x179, x177, x130, x166); + fiat_p256_addcarryx_u32(&x180, &x181, x179, x131, x167); + 
fiat_p256_addcarryx_u32(&x182, &x183, x181, x132, x168); + fiat_p256_addcarryx_u32(&x184, &x185, x183, x133, x169); + fiat_p256_subborrowx_u32(&x186, &x187, 0x0, x170, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x188, &x189, x187, x172, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x190, &x191, x189, x174, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x192, &x193, x191, x176, 0x0); + fiat_p256_subborrowx_u32(&x194, &x195, x193, x178, 0x0); + fiat_p256_subborrowx_u32(&x196, &x197, x195, x180, 0x0); + fiat_p256_subborrowx_u32(&x198, &x199, x197, x182, 0x1); + fiat_p256_subborrowx_u32(&x200, &x201, x199, x184, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u32(&x202, &x203, x201, x185, 0x0); + fiat_p256_addcarryx_u32(&x204, &x205, 0x0, x6, 0x1); + x206 = ((x144 >> 1) | ((x146 << 31) & UINT32_C(0xffffffff))); + x207 = ((x146 >> 1) | ((x148 << 31) & UINT32_C(0xffffffff))); + x208 = ((x148 >> 1) | ((x150 << 31) & UINT32_C(0xffffffff))); + x209 = ((x150 >> 1) | ((x152 << 31) & UINT32_C(0xffffffff))); + x210 = ((x152 >> 1) | ((x154 << 31) & UINT32_C(0xffffffff))); + x211 = ((x154 >> 1) | ((x156 << 31) & UINT32_C(0xffffffff))); + x212 = ((x156 >> 1) | ((x158 << 31) & UINT32_C(0xffffffff))); + x213 = ((x158 >> 1) | ((x160 << 31) & UINT32_C(0xffffffff))); + x214 = ((x160 & UINT32_C(0x80000000)) | (x160 >> 1)); + fiat_p256_cmovznz_u32(&x215, x84, x67, x51); + fiat_p256_cmovznz_u32(&x216, x84, x69, x53); + fiat_p256_cmovznz_u32(&x217, x84, x71, x55); + fiat_p256_cmovznz_u32(&x218, x84, x73, x57); + fiat_p256_cmovznz_u32(&x219, x84, x75, x59); + fiat_p256_cmovznz_u32(&x220, x84, x77, x61); + fiat_p256_cmovznz_u32(&x221, x84, x79, x63); + fiat_p256_cmovznz_u32(&x222, x84, x81, x65); + fiat_p256_cmovznz_u32(&x223, x203, x186, x170); + fiat_p256_cmovznz_u32(&x224, x203, x188, x172); + fiat_p256_cmovznz_u32(&x225, x203, x190, x174); + fiat_p256_cmovznz_u32(&x226, x203, x192, x176); + fiat_p256_cmovznz_u32(&x227, x203, x194, x178); + fiat_p256_cmovznz_u32(&x228, x203, 
x196, x180); + fiat_p256_cmovznz_u32(&x229, x203, x198, x182); + fiat_p256_cmovznz_u32(&x230, x203, x200, x184); + *out1 = x204; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out2[5] = x12; + out2[6] = x13; + out2[7] = x14; + out2[8] = x15; + out3[0] = x206; + out3[1] = x207; + out3[2] = x208; + out3[3] = x209; + out3[4] = x210; + out3[5] = x211; + out3[6] = x212; + out3[7] = x213; + out3[8] = x214; + out4[0] = x215; + out4[1] = x216; + out4[2] = x217; + out4[3] = x218; + out4[4] = x219; + out4[5] = x220; + out4[6] = x221; + out4[7] = x222; + out5[0] = x223; + out5[1] = x224; + out5[2] = x225; + out5[3] = x226; + out5[4] = x227; + out5[5] = x228; + out5[6] = x229; + out5[7] = x230; } /* - * The function fiat_p256_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. - * Preconditions: - * 0 ≤ bytes_eval arg1 < m + * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). 
+ * * Postconditions: - * eval out1 mod m = bytes_eval arg1 mod m + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] * Output Bounds: * out1: [[0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff], [0x0 ~> 0xffffffff]] */ -static void fiat_p256_from_bytes(uint32_t out1[8], const uint8_t arg1[32]) { - uint32_t x1 = ((uint32_t)(arg1[31]) << 24); - uint32_t x2 = ((uint32_t)(arg1[30]) << 16); - uint32_t x3 = ((uint32_t)(arg1[29]) << 8); - uint8_t x4 = (arg1[28]); - uint32_t x5 = ((uint32_t)(arg1[27]) << 24); - uint32_t x6 = ((uint32_t)(arg1[26]) << 16); - uint32_t x7 = ((uint32_t)(arg1[25]) << 8); - uint8_t x8 = (arg1[24]); - uint32_t x9 = ((uint32_t)(arg1[23]) << 24); - uint32_t x10 = ((uint32_t)(arg1[22]) << 16); - uint32_t x11 = ((uint32_t)(arg1[21]) << 8); - uint8_t x12 = (arg1[20]); - uint32_t x13 = ((uint32_t)(arg1[19]) << 24); - uint32_t x14 = ((uint32_t)(arg1[18]) << 16); - uint32_t x15 = ((uint32_t)(arg1[17]) << 8); - uint8_t x16 = (arg1[16]); - uint32_t x17 = ((uint32_t)(arg1[15]) << 24); - uint32_t x18 = ((uint32_t)(arg1[14]) << 16); - uint32_t x19 = ((uint32_t)(arg1[13]) << 8); - uint8_t x20 = (arg1[12]); - uint32_t x21 = ((uint32_t)(arg1[11]) << 24); - uint32_t x22 = ((uint32_t)(arg1[10]) << 16); - uint32_t x23 = ((uint32_t)(arg1[9]) << 8); - 
uint8_t x24 = (arg1[8]); - uint32_t x25 = ((uint32_t)(arg1[7]) << 24); - uint32_t x26 = ((uint32_t)(arg1[6]) << 16); - uint32_t x27 = ((uint32_t)(arg1[5]) << 8); - uint8_t x28 = (arg1[4]); - uint32_t x29 = ((uint32_t)(arg1[3]) << 24); - uint32_t x30 = ((uint32_t)(arg1[2]) << 16); - uint32_t x31 = ((uint32_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint32_t x33 = (x32 + (x31 + (x30 + x29))); - uint32_t x34 = (x33 & UINT32_C(0xffffffff)); - uint32_t x35 = (x4 + (x3 + (x2 + x1))); - uint32_t x36 = (x8 + (x7 + (x6 + x5))); - uint32_t x37 = (x12 + (x11 + (x10 + x9))); - uint32_t x38 = (x16 + (x15 + (x14 + x13))); - uint32_t x39 = (x20 + (x19 + (x18 + x17))); - uint32_t x40 = (x24 + (x23 + (x22 + x21))); - uint32_t x41 = (x28 + (x27 + (x26 + x25))); - uint32_t x42 = (x41 & UINT32_C(0xffffffff)); - uint32_t x43 = (x40 & UINT32_C(0xffffffff)); - uint32_t x44 = (x39 & UINT32_C(0xffffffff)); - uint32_t x45 = (x38 & UINT32_C(0xffffffff)); - uint32_t x46 = (x37 & UINT32_C(0xffffffff)); - uint32_t x47 = (x36 & UINT32_C(0xffffffff)); - out1[0] = x34; - out1[1] = x42; - out1[2] = x43; - out1[3] = x44; - out1[4] = x45; - out1[5] = x46; - out1[6] = x47; - out1[7] = x35; +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint32_t out1[8]) { + out1[0] = UINT32_C(0xb8000000); + out1[1] = UINT32_C(0x67ffffff); + out1[2] = UINT32_C(0x38000000); + out1[3] = UINT32_C(0xc0000000); + out1[4] = UINT32_C(0x7fffffff); + out1[5] = UINT32_C(0xd8000000); + out1[6] = UINT32_C(0xffffffff); + out1[7] = UINT32_C(0x2fffffff); } - diff --git a/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h b/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h index 773266a0..c7726384 100644 --- a/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h +++ b/Sources/CJWTKitBoringSSL/third_party/fiat/p256_64.h 
@@ -1,8 +1,8 @@ -/* Autogenerated: src/ExtractionOCaml/word_by_word_montgomery --static p256 '2^256 - 2^224 + 2^192 + 2^96 - 1' 64 mul square add sub opp from_montgomery nonzero selectznz to_bytes from_bytes */ +/* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ /* curve description: p256 */ -/* requested operations: mul, square, add, sub, opp, from_montgomery, nonzero, selectznz, to_bytes, from_bytes */ -/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* machine_wordsize = 64 (from "64") */ +/* requested operations: mul, square, add, sub, opp, from_montgomery, to_montgomery, nonzero, selectznz, to_bytes, from_bytes, one, msat, divstep, divstep_precomp */ +/* m = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff (from "2^256 - 2^224 + 2^192 + 2^96 - 1") */ /* */ /* NOTE: In addition to the bounds specified above each function, all */ /* functions synthesized for this Montgomery arithmetic require the */ 
@@ -10,20 +10,52 @@ /* require the input to be in the unique saturated representation. */ /* All functions also ensure that these two properties are true of */ /* return values. */ +/* */ +/* Computed values: */ +/* eval z = z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) */ +/* bytes_eval z = z[0] + (z[1] << 8) + (z[2] << 16) + (z[3] << 24) + (z[4] << 32) + (z[5] << 40) + (z[6] << 48) + (z[7] << 56) + (z[8] << 64) + (z[9] << 72) + (z[10] << 80) + (z[11] << 88) + (z[12] << 96) + (z[13] << 104) + (z[14] << 112) + (z[15] << 120) + (z[16] << 128) + (z[17] << 136) + (z[18] << 144) + (z[19] << 152) + (z[20] << 160) + (z[21] << 168) + (z[22] << 176) + (z[23] << 184) + (z[24] << 192) + (z[25] << 200) + (z[26] << 208) + (z[27] << 216) + (z[28] << 224) + (z[29] << 232) + (z[30] << 240) + (z[31] << 248) */ +/* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ +/* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ #include typedef unsigned char fiat_p256_uint1; typedef signed char fiat_p256_int1; -typedef signed __int128 fiat_p256_int128; -typedef unsigned __int128 fiat_p256_uint128; +#if defined(__GNUC__) || defined(__clang__) +# define FIAT_P256_FIAT_EXTENSION __extension__ +# define FIAT_P256_FIAT_INLINE __inline__ +#else +# define FIAT_P256_FIAT_EXTENSION +# define FIAT_P256_FIAT_INLINE +#endif + +FIAT_P256_FIAT_EXTENSION typedef signed __int128 fiat_p256_int128; +FIAT_P256_FIAT_EXTENSION typedef unsigned __int128 fiat_p256_uint128; + +/* The type fiat_p256_montgomery_domain_field_element is a field element in the Montgomery domain. */ +/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ +typedef uint64_t fiat_p256_montgomery_domain_field_element[4]; + +/* The type fiat_p256_non_montgomery_domain_field_element is a field element NOT in the Montgomery domain. 
*/ +/* Bounds: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ +typedef uint64_t fiat_p256_non_montgomery_domain_field_element[4]; #if (-1 & 3) != 3 #error "This code only works on a two's complement system" #endif +#if !defined(FIAT_P256_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) +static __inline__ uint64_t fiat_p256_value_barrier_u64(uint64_t a) { + __asm__("" : "+r"(a) : /* no inputs */); + return a; +} +#else +# define fiat_p256_value_barrier_u64(x) (x) +#endif + /* * The function fiat_p256_addcarryx_u64 is an addition with carry. + * * Postconditions: * out1 = (arg1 + arg2 + arg3) mod 2^64 * out2 = ⌊(arg1 + arg2 + arg3) / 2^64⌋ @@ -36,16 +68,20 @@ typedef unsigned __int128 fiat_p256_uint128; * out1: [0x0 ~> 0xffffffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p256_uint128 x1 = ((arg1 + (fiat_p256_uint128)arg2) + arg3); - uint64_t x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - fiat_p256_uint1 x3 = (fiat_p256_uint1)(x1 >> 64); +static FIAT_P256_FIAT_INLINE void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_uint128 x1; + uint64_t x2; + fiat_p256_uint1 x3; + x1 = ((arg1 + (fiat_p256_uint128)arg2) + arg3); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (fiat_p256_uint1)(x1 >> 64); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_subborrowx_u64 is a subtraction with borrow. + * * Postconditions: * out1 = (-arg1 + arg2 + -arg3) mod 2^64 * out2 = -⌊(-arg1 + arg2 + -arg3) / 2^64⌋ 
@@ -58,16 +94,20 @@ static void fiat_p256_addcarryx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_ * out1: [0x0 ~> 0xffffffffffffffff] * out2: [0x0 ~> 0x1] */ -static void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p256_int128 x1 = ((arg2 - (fiat_p256_int128)arg1) - arg3); - fiat_p256_int1 x2 = (fiat_p256_int1)(x1 >> 64); - uint64_t x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); +static FIAT_P256_FIAT_INLINE void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_int128 x1; + fiat_p256_int1 x2; + uint64_t x3; + x1 = ((arg2 - (fiat_p256_int128)arg1) - arg3); + x2 = (fiat_p256_int1)(x1 >> 64); + x3 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); *out1 = x3; *out2 = (fiat_p256_uint1)(0x0 - x2); } /* * The function fiat_p256_mulx_u64 is a multiplication, returning the full double-width result. + * * Postconditions: * out1 = (arg1 * arg2) mod 2^64 * out2 = ⌊arg1 * arg2 / 2^64⌋ @@ -79,16 +119,20 @@ static void fiat_p256_subborrowx_u64(uint64_t* out1, fiat_p256_uint1* out2, fiat * out1: [0x0 ~> 0xffffffffffffffff] * out2: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { - fiat_p256_uint128 x1 = ((fiat_p256_uint128)arg1 * arg2); - uint64_t x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); - uint64_t x3 = (uint64_t)(x1 >> 64); +static FIAT_P256_FIAT_INLINE void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, uint64_t arg2) { + fiat_p256_uint128 x1; + uint64_t x2; + uint64_t x3; + x1 = ((fiat_p256_uint128)arg1 * arg2); + x2 = (uint64_t)(x1 & UINT64_C(0xffffffffffffffff)); + x3 = (uint64_t)(x1 >> 64); *out1 = x2; *out2 = x3; } /* * The function fiat_p256_cmovznz_u64 is a single-word conditional move. + * * Postconditions: * out1 = (if arg1 = 0 then arg2 else arg3) * 
@@ -99,21 +143,19 @@ static void fiat_p256_mulx_u64(uint64_t* out1, uint64_t* out2, uint64_t arg1, ui * Output Bounds: * out1: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { - fiat_p256_uint1 x1 = (!(!arg1)); - uint64_t x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); - // Note this line has been patched from the synthesized code to add value - // barriers. - // - // Clang recognizes this pattern as a select. While it usually transforms it - // to a cmov, it sometimes further transforms it into a branch, which we do - // not want. - uint64_t x3 = ((value_barrier_u64(x2) & arg3) | (value_barrier_u64(~x2) & arg2)); +static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t arg2, uint64_t arg3) { + fiat_p256_uint1 x1; + uint64_t x2; + uint64_t x3; + x1 = (!(!arg1)); + x2 = ((fiat_p256_int1)(0x0 - x1) & UINT64_C(0xffffffffffffffff)); + x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2)); *out1 = x3; } /* * The function fiat_p256_mul multiplies two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
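Review bot: The rationale for the value barriers is lost in this hunk: the removed lines carried the comment explaining that the compiler may lower the and/or select into a branch, while the new `x3 = ((fiat_p256_value_barrier_u64(x2) & arg3) | (fiat_p256_value_barrier_u64((~x2)) & arg2));` carries no explanation at all. I would restore a short comment above that line, e.g. `/* value barriers keep the compiler from turning this select into a data-dependent branch */`. Note also that, per the definition at the top of this chunk, `fiat_p256_value_barrier_u64` collapses to the identity macro when `FIAT_P256_NO_ASM` is defined or the compiler is neither GCC nor Clang, so on those builds the branch-free property of this conditional move is best-effort rather than enforced; that caveat belongs in the same comment or on the fallback `#define`.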
@@ -121,287 +163,297 @@ static void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p256_uint1 arg1, uint64_t * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { - uint64_t x1 = (arg1[1]); - uint64_t x2 = (arg1[2]); - uint64_t x3 = (arg1[3]); - uint64_t x4 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; uint64_t x5; uint64_t x6; - fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3])); uint64_t x7; uint64_t x8; - fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2])); uint64_t x9; uint64_t x10; - fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1])); uint64_t x11; uint64_t x12; - fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0])); uint64_t x13; fiat_p256_uint1 x14; - fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); uint64_t x15; fiat_p256_uint1 x16; - fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); uint64_t x17; fiat_p256_uint1 x18; - fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); - uint64_t x19 = (x18 + x6); + uint64_t x19; uint64_t x20; uint64_t x21; - fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); uint64_t x22; uint64_t x23; - fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); uint64_t x24; uint64_t x25; - fiat_p256_mulx_u64(&x24, &x25, x11, 
UINT64_C(0xffffffffffffffff)); uint64_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); - uint64_t x28 = (x27 + x23); + uint64_t x28; uint64_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); uint64_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); uint64_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); uint64_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); uint64_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); uint64_t x39; uint64_t x40; - fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3])); uint64_t x41; uint64_t x42; - fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2])); uint64_t x43; uint64_t x44; - fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1])); uint64_t x45; uint64_t x46; - fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0])); uint64_t x47; fiat_p256_uint1 x48; - fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); uint64_t x49; fiat_p256_uint1 x50; - fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); uint64_t x51; fiat_p256_uint1 x52; - fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); - uint64_t x53 = (x52 + x40); + uint64_t x53; uint64_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); uint64_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); uint64_t x58; fiat_p256_uint1 x59; - fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); uint64_t x60; fiat_p256_uint1 x61; - fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); uint64_t x62; fiat_p256_uint1 x63; - fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); uint64_t x64; uint64_t x65; - fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); uint64_t x66; uint64_t x67; - fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); uint64_t x68; uint64_t x69; - fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); uint64_t x70; fiat_p256_uint1 x71; - 
fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); - uint64_t x72 = (x71 + x67); + uint64_t x72; uint64_t x73; fiat_p256_uint1 x74; - fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); uint64_t x75; fiat_p256_uint1 x76; - fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); uint64_t x77; fiat_p256_uint1 x78; - fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); uint64_t x79; fiat_p256_uint1 x80; - fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); uint64_t x81; fiat_p256_uint1 x82; - fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); - uint64_t x83 = ((uint64_t)x82 + x63); + uint64_t x83; uint64_t x84; uint64_t x85; - fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3])); uint64_t x86; uint64_t x87; - fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2])); uint64_t x88; uint64_t x89; - fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1])); uint64_t x90; uint64_t x91; - fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0])); uint64_t x92; fiat_p256_uint1 x93; - fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); uint64_t x94; fiat_p256_uint1 x95; - fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); uint64_t x96; fiat_p256_uint1 x97; - fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); - uint64_t x98 = (x97 + x85); + uint64_t x98; uint64_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); uint64_t x101; fiat_p256_uint1 x102; - fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); uint64_t x103; fiat_p256_uint1 x104; - fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); uint64_t x105; fiat_p256_uint1 x106; - fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); uint64_t x107; fiat_p256_uint1 x108; - fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); uint64_t x109; uint64_t x110; - fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); uint64_t x111; uint64_t x112; - fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); uint64_t x113; uint64_t x114; - fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); uint64_t x115; 
fiat_p256_uint1 x116; - fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); - uint64_t x117 = (x116 + x112); + uint64_t x117; uint64_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); uint64_t x120; fiat_p256_uint1 x121; - fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); uint64_t x122; fiat_p256_uint1 x123; - fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); uint64_t x124; fiat_p256_uint1 x125; - fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); uint64_t x126; fiat_p256_uint1 x127; - fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); - uint64_t x128 = ((uint64_t)x127 + x108); + uint64_t x128; uint64_t x129; uint64_t x130; - fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3])); uint64_t x131; uint64_t x132; - fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2])); uint64_t x133; uint64_t x134; - fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1])); uint64_t x135; uint64_t x136; - fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0])); uint64_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); uint64_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); uint64_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); - uint64_t x143 = (x142 + x130); + uint64_t x143; uint64_t x144; fiat_p256_uint1 x145; - fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); uint64_t x146; fiat_p256_uint1 x147; - fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); uint64_t x148; fiat_p256_uint1 x149; - fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); uint64_t x150; fiat_p256_uint1 x151; - fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); uint64_t x152; fiat_p256_uint1 x153; - fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); uint64_t x154; uint64_t x155; - fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); uint64_t x156; uint64_t x157; - fiat_p256_mulx_u64(&x156, &x157, x144, 
UINT32_C(0xffffffff)); uint64_t x158; uint64_t x159; - fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); uint64_t x160; fiat_p256_uint1 x161; - fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); - uint64_t x162 = (x161 + x157); + uint64_t x162; uint64_t x163; fiat_p256_uint1 x164; - fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); uint64_t x165; fiat_p256_uint1 x166; - fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); uint64_t x167; fiat_p256_uint1 x168; - fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); uint64_t x169; fiat_p256_uint1 x170; - fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); uint64_t x171; fiat_p256_uint1 x172; - fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); - uint64_t x173 = ((uint64_t)x172 + x153); + uint64_t x173; uint64_t x174; fiat_p256_uint1 x175; - fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); uint64_t x176; fiat_p256_uint1 x177; - fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); uint64_t x178; fiat_p256_uint1 x179; - fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); uint64_t x180; fiat_p256_uint1 x181; - fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); uint64_t x182; fiat_p256_uint1 x183; - fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); uint64_t x184; - fiat_p256_cmovznz_u64(&x184, x183, x174, x165); uint64_t x185; - fiat_p256_cmovznz_u64(&x185, x183, x176, x167); uint64_t x186; - fiat_p256_cmovznz_u64(&x186, x183, x178, x169); uint64_t x187; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, (arg2[3])); + fiat_p256_mulx_u64(&x7, &x8, x4, (arg2[2])); + fiat_p256_mulx_u64(&x9, &x10, x4, (arg2[1])); + fiat_p256_mulx_u64(&x11, &x12, x4, (arg2[0])); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + x19 = (x18 
+ x6); + fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); + x28 = (x27 + x23); + fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); + fiat_p256_mulx_u64(&x39, &x40, x1, (arg2[3])); + fiat_p256_mulx_u64(&x41, &x42, x1, (arg2[2])); + fiat_p256_mulx_u64(&x43, &x44, x1, (arg2[1])); + fiat_p256_mulx_u64(&x45, &x46, x1, (arg2[0])); + fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); + fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); + x53 = (x52 + x40); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); + fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); + fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); + x72 = (x71 + x67); + fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); + fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); + fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); + fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); + fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); + x83 = ((uint64_t)x82 + x63); + fiat_p256_mulx_u64(&x84, &x85, x2, (arg2[3])); + fiat_p256_mulx_u64(&x86, &x87, x2, (arg2[2])); + fiat_p256_mulx_u64(&x88, &x89, x2, (arg2[1])); + fiat_p256_mulx_u64(&x90, &x91, x2, (arg2[0])); + 
fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); + fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); + x98 = (x97 + x85); + fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); + fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); + fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); + fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); + fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); + fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); + x117 = (x116 + x112); + fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); + fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); + fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); + fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); + fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); + x128 = ((uint64_t)x127 + x108); + fiat_p256_mulx_u64(&x129, &x130, x3, (arg2[3])); + fiat_p256_mulx_u64(&x131, &x132, x3, (arg2[2])); + fiat_p256_mulx_u64(&x133, &x134, x3, (arg2[1])); + fiat_p256_mulx_u64(&x135, &x136, x3, (arg2[0])); + fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); + fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); + fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); + x143 = (x142 + x130); + fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); + fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); + fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); + fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); + fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); + fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); + 
fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); + x162 = (x161 + x157); + fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); + fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); + fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); + fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); + fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); + x173 = ((uint64_t)x172 + x153); + fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); + fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); + fiat_p256_cmovznz_u64(&x184, x183, x174, x165); + fiat_p256_cmovznz_u64(&x185, x183, x176, x167); + fiat_p256_cmovznz_u64(&x186, x183, x178, x169); fiat_p256_cmovznz_u64(&x187, x183, x180, x171); out1[0] = x184; out1[1] = x185; 
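Review bot: The new signature `fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const ... arg1, const ... arg2)` no longer states the per-limb Input/Output Bounds in its header comment, and nothing in the hunk says whether `out1` may alias `arg1` or `arg2`. From the visible lines every read of `arg1` (the `x1..x4` assignments) and of `arg2` (the `fiat_p256_mulx_u64` calls) happens before the first `out1[i] = ...` store, so in-place use appears safe, but the function body continues past the end of this hunk and I have not seen the remaining stores. I would add one line to the doc comment, e.g. ` * out1 may alias arg1 or arg2: all input limbs are read before any output limb is written.`, after confirming the trailing stores. The same applies to the identical rewrite of `fiat_p256_square` in the following hunk.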
@@ -411,292 +463,304 @@ static void fiat_p256_mul(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_square squares a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) * eval (from_montgomery arg1)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { - uint64_t x1 = (arg1[1]); - uint64_t x2 = (arg1[2]); - uint64_t x3 = (arg1[3]); - uint64_t x4 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; uint64_t x5; uint64_t x6; - fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3])); uint64_t x7; uint64_t x8; - fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2])); uint64_t x9; uint64_t x10; - fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1])); uint64_t x11; uint64_t x12; - fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0])); uint64_t x13; fiat_p256_uint1 x14; - fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); uint64_t x15; fiat_p256_uint1 x16; - fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); uint64_t x17; fiat_p256_uint1 x18; - fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); - uint64_t x19 = (x18 + x6); + uint64_t x19; uint64_t x20; uint64_t x21; - fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); uint64_t x22; uint64_t x23; - fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); uint64_t x24; uint64_t x25; - fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); uint64_t x26; fiat_p256_uint1 x27; - 
fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); - uint64_t x28 = (x27 + x23); + uint64_t x28; uint64_t x29; fiat_p256_uint1 x30; - fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); uint64_t x31; fiat_p256_uint1 x32; - fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); uint64_t x33; fiat_p256_uint1 x34; - fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); uint64_t x35; fiat_p256_uint1 x36; - fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); uint64_t x37; fiat_p256_uint1 x38; - fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); uint64_t x39; uint64_t x40; - fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3])); uint64_t x41; uint64_t x42; - fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2])); uint64_t x43; uint64_t x44; - fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1])); uint64_t x45; uint64_t x46; - fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0])); uint64_t x47; fiat_p256_uint1 x48; - fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); uint64_t x49; fiat_p256_uint1 x50; - fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); uint64_t x51; fiat_p256_uint1 x52; - fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); - uint64_t x53 = (x52 + x40); + uint64_t x53; uint64_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); uint64_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); uint64_t x58; fiat_p256_uint1 x59; - fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); uint64_t x60; fiat_p256_uint1 x61; - fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); uint64_t x62; fiat_p256_uint1 x63; - fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); uint64_t x64; uint64_t x65; - fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); uint64_t x66; uint64_t x67; - fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); uint64_t x68; uint64_t x69; - fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); uint64_t x70; fiat_p256_uint1 x71; - fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); - uint64_t x72 = 
(x71 + x67); + uint64_t x72; uint64_t x73; fiat_p256_uint1 x74; - fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); uint64_t x75; fiat_p256_uint1 x76; - fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); uint64_t x77; fiat_p256_uint1 x78; - fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); uint64_t x79; fiat_p256_uint1 x80; - fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); uint64_t x81; fiat_p256_uint1 x82; - fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); - uint64_t x83 = ((uint64_t)x82 + x63); + uint64_t x83; uint64_t x84; uint64_t x85; - fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3])); uint64_t x86; uint64_t x87; - fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2])); uint64_t x88; uint64_t x89; - fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1])); uint64_t x90; uint64_t x91; - fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0])); uint64_t x92; fiat_p256_uint1 x93; - fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); uint64_t x94; fiat_p256_uint1 x95; - fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, x86); uint64_t x96; fiat_p256_uint1 x97; - fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); - uint64_t x98 = (x97 + x85); + uint64_t x98; uint64_t x99; fiat_p256_uint1 x100; - fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); uint64_t x101; fiat_p256_uint1 x102; - fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); uint64_t x103; fiat_p256_uint1 x104; - fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); uint64_t x105; fiat_p256_uint1 x106; - fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); uint64_t x107; fiat_p256_uint1 x108; - fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); uint64_t x109; uint64_t x110; - fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); uint64_t x111; uint64_t x112; - fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); uint64_t x113; uint64_t x114; - fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); uint64_t x115; fiat_p256_uint1 x116; - fiat_p256_addcarryx_u64(&x115, &x116, 0x0, 
x114, x111); - uint64_t x117 = (x116 + x112); + uint64_t x117; uint64_t x118; fiat_p256_uint1 x119; - fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); uint64_t x120; fiat_p256_uint1 x121; - fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); uint64_t x122; fiat_p256_uint1 x123; - fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); uint64_t x124; fiat_p256_uint1 x125; - fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); uint64_t x126; fiat_p256_uint1 x127; - fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); - uint64_t x128 = ((uint64_t)x127 + x108); + uint64_t x128; uint64_t x129; uint64_t x130; - fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3])); uint64_t x131; uint64_t x132; - fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2])); uint64_t x133; uint64_t x134; - fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1])); uint64_t x135; uint64_t x136; - fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0])); uint64_t x137; fiat_p256_uint1 x138; - fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); uint64_t x139; fiat_p256_uint1 x140; - fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); uint64_t x141; fiat_p256_uint1 x142; - fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); - uint64_t x143 = (x142 + x130); + uint64_t x143; uint64_t x144; fiat_p256_uint1 x145; - fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); uint64_t x146; fiat_p256_uint1 x147; - fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); uint64_t x148; fiat_p256_uint1 x149; - fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); uint64_t x150; fiat_p256_uint1 x151; - fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); uint64_t x152; fiat_p256_uint1 x153; - fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); uint64_t x154; uint64_t x155; - fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); uint64_t x156; uint64_t x157; - fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); uint64_t x158; uint64_t x159; - fiat_p256_mulx_u64(&x158, 
&x159, x144, UINT64_C(0xffffffffffffffff)); uint64_t x160; fiat_p256_uint1 x161; - fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); - uint64_t x162 = (x161 + x157); + uint64_t x162; uint64_t x163; fiat_p256_uint1 x164; - fiat_p256_addcarryx_u64(&x163, &x164, 0x0, x144, x158); uint64_t x165; fiat_p256_uint1 x166; - fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); uint64_t x167; fiat_p256_uint1 x168; - fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); uint64_t x169; fiat_p256_uint1 x170; - fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); uint64_t x171; fiat_p256_uint1 x172; - fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); - uint64_t x173 = ((uint64_t)x172 + x153); + uint64_t x173; uint64_t x174; fiat_p256_uint1 x175; - fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); uint64_t x176; fiat_p256_uint1 x177; - fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); uint64_t x178; fiat_p256_uint1 x179; - fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); uint64_t x180; fiat_p256_uint1 x181; - fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); uint64_t x182; fiat_p256_uint1 x183; - fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); uint64_t x184; - fiat_p256_cmovznz_u64(&x184, x183, x174, x165); uint64_t x185; - fiat_p256_cmovznz_u64(&x185, x183, x176, x167); uint64_t x186; - fiat_p256_cmovznz_u64(&x186, x183, x178, x169); uint64_t x187; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, (arg1[3])); + fiat_p256_mulx_u64(&x7, &x8, x4, (arg1[2])); + fiat_p256_mulx_u64(&x9, &x10, x4, (arg1[1])); + fiat_p256_mulx_u64(&x11, &x12, x4, (arg1[0])); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + x19 = (x18 + x6); + fiat_p256_mulx_u64(&x20, &x21, x11, UINT64_C(0xffffffff00000001)); + 
fiat_p256_mulx_u64(&x22, &x23, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x24, &x25, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x26, &x27, 0x0, x25, x22); + x28 = (x27 + x23); + fiat_p256_addcarryx_u64(&x29, &x30, 0x0, x11, x24); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x13, x26); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x15, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x17, x20); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x19, x21); + fiat_p256_mulx_u64(&x39, &x40, x1, (arg1[3])); + fiat_p256_mulx_u64(&x41, &x42, x1, (arg1[2])); + fiat_p256_mulx_u64(&x43, &x44, x1, (arg1[1])); + fiat_p256_mulx_u64(&x45, &x46, x1, (arg1[0])); + fiat_p256_addcarryx_u64(&x47, &x48, 0x0, x46, x43); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x44, x41); + fiat_p256_addcarryx_u64(&x51, &x52, x50, x42, x39); + x53 = (x52 + x40); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x31, x45); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x33, x47); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x35, x49); + fiat_p256_addcarryx_u64(&x60, &x61, x59, x37, x51); + fiat_p256_addcarryx_u64(&x62, &x63, x61, x38, x53); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x66, &x67, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x68, &x69, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x70, &x71, 0x0, x69, x66); + x72 = (x71 + x67); + fiat_p256_addcarryx_u64(&x73, &x74, 0x0, x54, x68); + fiat_p256_addcarryx_u64(&x75, &x76, x74, x56, x70); + fiat_p256_addcarryx_u64(&x77, &x78, x76, x58, x72); + fiat_p256_addcarryx_u64(&x79, &x80, x78, x60, x64); + fiat_p256_addcarryx_u64(&x81, &x82, x80, x62, x65); + x83 = ((uint64_t)x82 + x63); + fiat_p256_mulx_u64(&x84, &x85, x2, (arg1[3])); + fiat_p256_mulx_u64(&x86, &x87, x2, (arg1[2])); + fiat_p256_mulx_u64(&x88, &x89, x2, (arg1[1])); + fiat_p256_mulx_u64(&x90, &x91, x2, (arg1[0])); + fiat_p256_addcarryx_u64(&x92, &x93, 0x0, x91, x88); + fiat_p256_addcarryx_u64(&x94, &x95, x93, x89, 
x86); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x87, x84); + x98 = (x97 + x85); + fiat_p256_addcarryx_u64(&x99, &x100, 0x0, x75, x90); + fiat_p256_addcarryx_u64(&x101, &x102, x100, x77, x92); + fiat_p256_addcarryx_u64(&x103, &x104, x102, x79, x94); + fiat_p256_addcarryx_u64(&x105, &x106, x104, x81, x96); + fiat_p256_addcarryx_u64(&x107, &x108, x106, x83, x98); + fiat_p256_mulx_u64(&x109, &x110, x99, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x111, &x112, x99, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x113, &x114, x99, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x115, &x116, 0x0, x114, x111); + x117 = (x116 + x112); + fiat_p256_addcarryx_u64(&x118, &x119, 0x0, x99, x113); + fiat_p256_addcarryx_u64(&x120, &x121, x119, x101, x115); + fiat_p256_addcarryx_u64(&x122, &x123, x121, x103, x117); + fiat_p256_addcarryx_u64(&x124, &x125, x123, x105, x109); + fiat_p256_addcarryx_u64(&x126, &x127, x125, x107, x110); + x128 = ((uint64_t)x127 + x108); + fiat_p256_mulx_u64(&x129, &x130, x3, (arg1[3])); + fiat_p256_mulx_u64(&x131, &x132, x3, (arg1[2])); + fiat_p256_mulx_u64(&x133, &x134, x3, (arg1[1])); + fiat_p256_mulx_u64(&x135, &x136, x3, (arg1[0])); + fiat_p256_addcarryx_u64(&x137, &x138, 0x0, x136, x133); + fiat_p256_addcarryx_u64(&x139, &x140, x138, x134, x131); + fiat_p256_addcarryx_u64(&x141, &x142, x140, x132, x129); + x143 = (x142 + x130); + fiat_p256_addcarryx_u64(&x144, &x145, 0x0, x120, x135); + fiat_p256_addcarryx_u64(&x146, &x147, x145, x122, x137); + fiat_p256_addcarryx_u64(&x148, &x149, x147, x124, x139); + fiat_p256_addcarryx_u64(&x150, &x151, x149, x126, x141); + fiat_p256_addcarryx_u64(&x152, &x153, x151, x128, x143); + fiat_p256_mulx_u64(&x154, &x155, x144, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x156, &x157, x144, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x158, &x159, x144, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x160, &x161, 0x0, x159, x156); + x162 = (x161 + x157); + fiat_p256_addcarryx_u64(&x163, 
&x164, 0x0, x144, x158); + fiat_p256_addcarryx_u64(&x165, &x166, x164, x146, x160); + fiat_p256_addcarryx_u64(&x167, &x168, x166, x148, x162); + fiat_p256_addcarryx_u64(&x169, &x170, x168, x150, x154); + fiat_p256_addcarryx_u64(&x171, &x172, x170, x152, x155); + x173 = ((uint64_t)x172 + x153); + fiat_p256_subborrowx_u64(&x174, &x175, 0x0, x165, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x176, &x177, x175, x167, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x178, &x179, x177, x169, 0x0); + fiat_p256_subborrowx_u64(&x180, &x181, x179, x171, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x182, &x183, x181, x173, 0x0); + fiat_p256_cmovznz_u64(&x184, x183, x174, x165); + fiat_p256_cmovznz_u64(&x185, x183, x176, x167); + fiat_p256_cmovznz_u64(&x186, x183, x178, x169); fiat_p256_cmovznz_u64(&x187, x183, x180, x171); out1[0] = x184; out1[1] = x185; @@ -706,6 +770,7 @@ static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_add adds two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -713,47 +778,42 @@ static void fiat_p256_square(uint64_t out1[4], const uint64_t arg1[4]) { * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) + eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_add(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { uint64_t x1; fiat_p256_uint1 x2; - fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); uint64_t x3; fiat_p256_uint1 x4; - fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); uint64_t x5; fiat_p256_uint1 x6; - fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); uint64_t x7; fiat_p256_uint1 x8; - fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); uint64_t x9; fiat_p256_uint1 x10; - fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff)); uint64_t x11; fiat_p256_uint1 x12; - fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff)); uint64_t x13; fiat_p256_uint1 x14; - fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0); uint64_t x15; fiat_p256_uint1 x16; - fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001)); uint64_t x17; fiat_p256_uint1 x18; - fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0); uint64_t x19; - fiat_p256_cmovznz_u64(&x19, x18, x9, x1); uint64_t x20; - fiat_p256_cmovznz_u64(&x20, x18, x11, x3); uint64_t x21; - fiat_p256_cmovznz_u64(&x21, 
x18, x13, x5); uint64_t x22; + fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_addcarryx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_addcarryx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + fiat_p256_addcarryx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_subborrowx_u64(&x9, &x10, 0x0, x1, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x11, &x12, x10, x3, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x13, &x14, x12, x5, 0x0); + fiat_p256_subborrowx_u64(&x15, &x16, x14, x7, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x17, &x18, x16, x8, 0x0); + fiat_p256_cmovznz_u64(&x19, x18, x9, x1); + fiat_p256_cmovznz_u64(&x20, x18, x11, x3); + fiat_p256_cmovznz_u64(&x21, x18, x13, x5); fiat_p256_cmovznz_u64(&x22, x18, x15, x7); out1[0] = x19; out1[1] = x20; @@ -763,6 +823,7 @@ static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_sub subtracts two field elements in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * 0 ≤ eval arg2 < m 
@@ -770,38 +831,33 @@ static void fiat_p256_add(uint64_t out1[4], const uint64_t arg1[4], const uint64 * eval (from_montgomery out1) mod m = (eval (from_montgomery arg1) - eval (from_montgomery arg2)) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64_t arg2[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_sub(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { uint64_t x1; fiat_p256_uint1 x2; - fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); uint64_t x3; fiat_p256_uint1 x4; - fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); uint64_t x5; fiat_p256_uint1 x6; - fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); uint64_t x7; fiat_p256_uint1 x8; - fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); uint64_t x9; - fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); uint64_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, (x9 & UINT64_C(0xffffffffffffffff))); uint64_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); uint64_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); uint64_t x16; fiat_p256_uint1 x17; + fiat_p256_subborrowx_u64(&x1, &x2, 0x0, (arg1[0]), (arg2[0])); + fiat_p256_subborrowx_u64(&x3, &x4, x2, (arg1[1]), (arg2[1])); + fiat_p256_subborrowx_u64(&x5, &x6, x4, (arg1[2]), (arg2[2])); + 
fiat_p256_subborrowx_u64(&x7, &x8, x6, (arg1[3]), (arg2[3])); + fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x9); + fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001))); out1[0] = x10; out1[1] = x12; 
@@ -811,43 +867,40 @@ static void fiat_p256_sub(uint64_t out1[4], const uint64_t arg1[4], const uint64 /* * The function fiat_p256_opp negates a field element in the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval (from_montgomery out1) mod m = -eval (from_montgomery arg1) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_opp(uint64_t out1[4], const uint64_t arg1[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_opp(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { uint64_t x1; fiat_p256_uint1 x2; - fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); uint64_t x3; fiat_p256_uint1 x4; - fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); uint64_t x5; fiat_p256_uint1 x6; - fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); uint64_t x7; fiat_p256_uint1 x8; - fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); uint64_t x9; - fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); uint64_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, (x9 & UINT64_C(0xffffffffffffffff))); uint64_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); uint64_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); uint64_t x16; fiat_p256_uint1 x17; + fiat_p256_subborrowx_u64(&x1, &x2, 0x0, 0x0, (arg1[0])); + fiat_p256_subborrowx_u64(&x3, &x4, x2, 0x0, (arg1[1])); + fiat_p256_subborrowx_u64(&x5, &x6, x4, 0x0, (arg1[2])); + fiat_p256_subborrowx_u64(&x7, &x8, x6, 0x0, (arg1[3])); + fiat_p256_cmovznz_u64(&x9, x8, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x10, &x11, 
0x0, x1, x9); + fiat_p256_addcarryx_u64(&x12, &x13, x11, x3, (x9 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, x5, 0x0); fiat_p256_addcarryx_u64(&x16, &x17, x15, x7, (x9 & UINT64_C(0xffffffff00000001))); out1[0] = x10; out1[1] = x12; 
@@ -857,153 +910,152 @@ static void fiat_p256_opp(uint64_t out1[4], const uint64_t arg1[4]) { /* * The function fiat_p256_from_montgomery translates a field element out of the Montgomery domain. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: * eval out1 mod m = (eval arg1 * ((2^64)⁻¹ mod m)^4) mod m * 0 ≤ eval out1 < m * - * Input Bounds: - * arg1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] - * Output Bounds: - * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) { - uint64_t x1 = (arg1[0]); +static FIAT_P256_FIAT_INLINE void fiat_p256_from_montgomery(fiat_p256_non_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { + uint64_t x1; uint64_t x2; uint64_t x3; - fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001)); uint64_t x4; uint64_t x5; - fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff)); uint64_t x6; uint64_t x7; - fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff)); uint64_t x8; fiat_p256_uint1 x9; - fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4); uint64_t x10; fiat_p256_uint1 x11; - fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6); uint64_t x12; fiat_p256_uint1 x13; - fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8); uint64_t x14; fiat_p256_uint1 x15; - fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1])); uint64_t x16; uint64_t x17; - fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001)); uint64_t x18; uint64_t x19; - fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff)); uint64_t x20; uint64_t x21; - fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff)); uint64_t x22; fiat_p256_uint1 x23; - fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18); uint64_t x24; fiat_p256_uint1 x25; - fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, 
x20); uint64_t x26; fiat_p256_uint1 x27; - fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22); uint64_t x28; fiat_p256_uint1 x29; - fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19)); uint64_t x30; fiat_p256_uint1 x31; - fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16); uint64_t x32; fiat_p256_uint1 x33; - fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2])); uint64_t x34; fiat_p256_uint1 x35; - fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0); uint64_t x36; fiat_p256_uint1 x37; - fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0); uint64_t x38; uint64_t x39; - fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001)); uint64_t x40; uint64_t x41; - fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff)); uint64_t x42; uint64_t x43; - fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff)); uint64_t x44; fiat_p256_uint1 x45; - fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40); uint64_t x46; fiat_p256_uint1 x47; - fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42); uint64_t x48; fiat_p256_uint1 x49; - fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44); uint64_t x50; fiat_p256_uint1 x51; - fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41)); uint64_t x52; fiat_p256_uint1 x53; - fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38); uint64_t x54; fiat_p256_uint1 x55; - fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3])); uint64_t x56; fiat_p256_uint1 x57; - fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0); uint64_t x58; fiat_p256_uint1 x59; - fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0); uint64_t x60; uint64_t x61; - fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001)); uint64_t x62; uint64_t x63; - fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff)); uint64_t x64; uint64_t x65; - fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff)); uint64_t x66; fiat_p256_uint1 x67; - fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62); uint64_t x68; 
fiat_p256_uint1 x69; - fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64); uint64_t x70; fiat_p256_uint1 x71; - fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66); uint64_t x72; fiat_p256_uint1 x73; - fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63)); uint64_t x74; fiat_p256_uint1 x75; - fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60); - uint64_t x76 = (x75 + x61); + uint64_t x76; uint64_t x77; fiat_p256_uint1 x78; - fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff)); uint64_t x79; fiat_p256_uint1 x80; - fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff)); uint64_t x81; fiat_p256_uint1 x82; - fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0); uint64_t x83; fiat_p256_uint1 x84; - fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001)); uint64_t x85; fiat_p256_uint1 x86; - fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0); uint64_t x87; - fiat_p256_cmovznz_u64(&x87, x86, x77, x70); uint64_t x88; - fiat_p256_cmovznz_u64(&x88, x86, x79, x72); uint64_t x89; - fiat_p256_cmovznz_u64(&x89, x86, x81, x74); uint64_t x90; + x1 = (arg1[0]); + fiat_p256_mulx_u64(&x2, &x3, x1, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x4, &x5, x1, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x6, &x7, x1, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x8, &x9, 0x0, x7, x4); + fiat_p256_addcarryx_u64(&x10, &x11, 0x0, x1, x6); + fiat_p256_addcarryx_u64(&x12, &x13, x11, 0x0, x8); + fiat_p256_addcarryx_u64(&x14, &x15, 0x0, x12, (arg1[1])); + fiat_p256_mulx_u64(&x16, &x17, x14, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x18, &x19, x14, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x20, &x21, x14, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x22, &x23, 0x0, x21, x18); + fiat_p256_addcarryx_u64(&x24, &x25, 0x0, x14, x20); + fiat_p256_addcarryx_u64(&x26, &x27, x25, (x15 + (x13 + (x9 + x5))), x22); + fiat_p256_addcarryx_u64(&x28, &x29, x27, x2, (x23 + x19)); + 
fiat_p256_addcarryx_u64(&x30, &x31, x29, x3, x16); + fiat_p256_addcarryx_u64(&x32, &x33, 0x0, x26, (arg1[2])); + fiat_p256_addcarryx_u64(&x34, &x35, x33, x28, 0x0); + fiat_p256_addcarryx_u64(&x36, &x37, x35, x30, 0x0); + fiat_p256_mulx_u64(&x38, &x39, x32, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x40, &x41, x32, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x42, &x43, x32, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x44, &x45, 0x0, x43, x40); + fiat_p256_addcarryx_u64(&x46, &x47, 0x0, x32, x42); + fiat_p256_addcarryx_u64(&x48, &x49, x47, x34, x44); + fiat_p256_addcarryx_u64(&x50, &x51, x49, x36, (x45 + x41)); + fiat_p256_addcarryx_u64(&x52, &x53, x51, (x37 + (x31 + x17)), x38); + fiat_p256_addcarryx_u64(&x54, &x55, 0x0, x48, (arg1[3])); + fiat_p256_addcarryx_u64(&x56, &x57, x55, x50, 0x0); + fiat_p256_addcarryx_u64(&x58, &x59, x57, x52, 0x0); + fiat_p256_mulx_u64(&x60, &x61, x54, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x62, &x63, x54, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x64, &x65, x54, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x66, &x67, 0x0, x65, x62); + fiat_p256_addcarryx_u64(&x68, &x69, 0x0, x54, x64); + fiat_p256_addcarryx_u64(&x70, &x71, x69, x56, x66); + fiat_p256_addcarryx_u64(&x72, &x73, x71, x58, (x67 + x63)); + fiat_p256_addcarryx_u64(&x74, &x75, x73, (x59 + (x53 + x39)), x60); + x76 = (x75 + x61); + fiat_p256_subborrowx_u64(&x77, &x78, 0x0, x70, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x79, &x80, x78, x72, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x81, &x82, x80, x74, 0x0); + fiat_p256_subborrowx_u64(&x83, &x84, x82, x76, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x85, &x86, x84, 0x0, 0x0); + fiat_p256_cmovznz_u64(&x87, x86, x77, x70); + fiat_p256_cmovznz_u64(&x88, x86, x79, x72); + fiat_p256_cmovznz_u64(&x89, x86, x81, x74); fiat_p256_cmovznz_u64(&x90, x86, x83, x76); out1[0] = x87; out1[1] = x88; 
@@ -1011,8 +1063,285 @@ static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) out1[3] = x90; } +/* + * The function fiat_p256_to_montgomery translates a field element into the Montgomery domain. + * + * Preconditions: + * 0 ≤ eval arg1 < m + * Postconditions: + * eval (from_montgomery out1) mod m = eval arg1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_to_montgomery(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_non_montgomery_domain_field_element arg1) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + fiat_p256_uint1 x14; + uint64_t x15; + fiat_p256_uint1 x16; + uint64_t x17; + fiat_p256_uint1 x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + fiat_p256_uint1 x26; + uint64_t x27; + fiat_p256_uint1 x28; + uint64_t x29; + fiat_p256_uint1 x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + fiat_p256_uint1 x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + fiat_p256_uint1 x50; + uint64_t x51; + fiat_p256_uint1 x52; + uint64_t x53; + fiat_p256_uint1 x54; + uint64_t x55; + fiat_p256_uint1 x56; + uint64_t x57; + fiat_p256_uint1 x58; + uint64_t x59; + uint64_t x60; + uint64_t x61; + uint64_t x62; + uint64_t x63; + uint64_t x64; + uint64_t x65; + fiat_p256_uint1 x66; + uint64_t x67; + fiat_p256_uint1 x68; + uint64_t x69; + fiat_p256_uint1 x70; + uint64_t x71; + fiat_p256_uint1 x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + fiat_p256_uint1 x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + uint64_t x81; + uint64_t x82; + 
uint64_t x83; + uint64_t x84; + uint64_t x85; + fiat_p256_uint1 x86; + uint64_t x87; + fiat_p256_uint1 x88; + uint64_t x89; + fiat_p256_uint1 x90; + uint64_t x91; + fiat_p256_uint1 x92; + uint64_t x93; + fiat_p256_uint1 x94; + uint64_t x95; + fiat_p256_uint1 x96; + uint64_t x97; + fiat_p256_uint1 x98; + uint64_t x99; + uint64_t x100; + uint64_t x101; + uint64_t x102; + uint64_t x103; + uint64_t x104; + uint64_t x105; + fiat_p256_uint1 x106; + uint64_t x107; + fiat_p256_uint1 x108; + uint64_t x109; + fiat_p256_uint1 x110; + uint64_t x111; + fiat_p256_uint1 x112; + uint64_t x113; + fiat_p256_uint1 x114; + uint64_t x115; + fiat_p256_uint1 x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + fiat_p256_uint1 x126; + uint64_t x127; + fiat_p256_uint1 x128; + uint64_t x129; + fiat_p256_uint1 x130; + uint64_t x131; + fiat_p256_uint1 x132; + uint64_t x133; + fiat_p256_uint1 x134; + uint64_t x135; + fiat_p256_uint1 x136; + uint64_t x137; + fiat_p256_uint1 x138; + uint64_t x139; + uint64_t x140; + uint64_t x141; + uint64_t x142; + uint64_t x143; + uint64_t x144; + uint64_t x145; + fiat_p256_uint1 x146; + uint64_t x147; + fiat_p256_uint1 x148; + uint64_t x149; + fiat_p256_uint1 x150; + uint64_t x151; + fiat_p256_uint1 x152; + uint64_t x153; + fiat_p256_uint1 x154; + uint64_t x155; + fiat_p256_uint1 x156; + uint64_t x157; + fiat_p256_uint1 x158; + uint64_t x159; + fiat_p256_uint1 x160; + uint64_t x161; + fiat_p256_uint1 x162; + uint64_t x163; + fiat_p256_uint1 x164; + uint64_t x165; + fiat_p256_uint1 x166; + uint64_t x167; + uint64_t x168; + uint64_t x169; + uint64_t x170; + x1 = (arg1[1]); + x2 = (arg1[2]); + x3 = (arg1[3]); + x4 = (arg1[0]); + fiat_p256_mulx_u64(&x5, &x6, x4, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x7, &x8, x4, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x9, &x10, x4, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x11, &x12, x4, 
0x3); + fiat_p256_addcarryx_u64(&x13, &x14, 0x0, x12, x9); + fiat_p256_addcarryx_u64(&x15, &x16, x14, x10, x7); + fiat_p256_addcarryx_u64(&x17, &x18, x16, x8, x5); + fiat_p256_mulx_u64(&x19, &x20, x11, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x21, &x22, x11, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x23, &x24, x11, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x25, &x26, 0x0, x24, x21); + fiat_p256_addcarryx_u64(&x27, &x28, 0x0, x11, x23); + fiat_p256_addcarryx_u64(&x29, &x30, x28, x13, x25); + fiat_p256_addcarryx_u64(&x31, &x32, x30, x15, (x26 + x22)); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x17, x19); + fiat_p256_addcarryx_u64(&x35, &x36, x34, (x18 + x6), x20); + fiat_p256_mulx_u64(&x37, &x38, x1, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x39, &x40, x1, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x41, &x42, x1, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x43, &x44, x1, 0x3); + fiat_p256_addcarryx_u64(&x45, &x46, 0x0, x44, x41); + fiat_p256_addcarryx_u64(&x47, &x48, x46, x42, x39); + fiat_p256_addcarryx_u64(&x49, &x50, x48, x40, x37); + fiat_p256_addcarryx_u64(&x51, &x52, 0x0, x29, x43); + fiat_p256_addcarryx_u64(&x53, &x54, x52, x31, x45); + fiat_p256_addcarryx_u64(&x55, &x56, x54, x33, x47); + fiat_p256_addcarryx_u64(&x57, &x58, x56, x35, x49); + fiat_p256_mulx_u64(&x59, &x60, x51, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x61, &x62, x51, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x63, &x64, x51, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x65, &x66, 0x0, x64, x61); + fiat_p256_addcarryx_u64(&x67, &x68, 0x0, x51, x63); + fiat_p256_addcarryx_u64(&x69, &x70, x68, x53, x65); + fiat_p256_addcarryx_u64(&x71, &x72, x70, x55, (x66 + x62)); + fiat_p256_addcarryx_u64(&x73, &x74, x72, x57, x59); + fiat_p256_addcarryx_u64(&x75, &x76, x74, (((uint64_t)x58 + x36) + (x50 + x38)), x60); + fiat_p256_mulx_u64(&x77, &x78, x2, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x79, &x80, x2, 
UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x81, &x82, x2, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x83, &x84, x2, 0x3); + fiat_p256_addcarryx_u64(&x85, &x86, 0x0, x84, x81); + fiat_p256_addcarryx_u64(&x87, &x88, x86, x82, x79); + fiat_p256_addcarryx_u64(&x89, &x90, x88, x80, x77); + fiat_p256_addcarryx_u64(&x91, &x92, 0x0, x69, x83); + fiat_p256_addcarryx_u64(&x93, &x94, x92, x71, x85); + fiat_p256_addcarryx_u64(&x95, &x96, x94, x73, x87); + fiat_p256_addcarryx_u64(&x97, &x98, x96, x75, x89); + fiat_p256_mulx_u64(&x99, &x100, x91, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x101, &x102, x91, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x103, &x104, x91, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x105, &x106, 0x0, x104, x101); + fiat_p256_addcarryx_u64(&x107, &x108, 0x0, x91, x103); + fiat_p256_addcarryx_u64(&x109, &x110, x108, x93, x105); + fiat_p256_addcarryx_u64(&x111, &x112, x110, x95, (x106 + x102)); + fiat_p256_addcarryx_u64(&x113, &x114, x112, x97, x99); + fiat_p256_addcarryx_u64(&x115, &x116, x114, (((uint64_t)x98 + x76) + (x90 + x78)), x100); + fiat_p256_mulx_u64(&x117, &x118, x3, UINT64_C(0x4fffffffd)); + fiat_p256_mulx_u64(&x119, &x120, x3, UINT64_C(0xfffffffffffffffe)); + fiat_p256_mulx_u64(&x121, &x122, x3, UINT64_C(0xfffffffbffffffff)); + fiat_p256_mulx_u64(&x123, &x124, x3, 0x3); + fiat_p256_addcarryx_u64(&x125, &x126, 0x0, x124, x121); + fiat_p256_addcarryx_u64(&x127, &x128, x126, x122, x119); + fiat_p256_addcarryx_u64(&x129, &x130, x128, x120, x117); + fiat_p256_addcarryx_u64(&x131, &x132, 0x0, x109, x123); + fiat_p256_addcarryx_u64(&x133, &x134, x132, x111, x125); + fiat_p256_addcarryx_u64(&x135, &x136, x134, x113, x127); + fiat_p256_addcarryx_u64(&x137, &x138, x136, x115, x129); + fiat_p256_mulx_u64(&x139, &x140, x131, UINT64_C(0xffffffff00000001)); + fiat_p256_mulx_u64(&x141, &x142, x131, UINT32_C(0xffffffff)); + fiat_p256_mulx_u64(&x143, &x144, x131, UINT64_C(0xffffffffffffffff)); + 
fiat_p256_addcarryx_u64(&x145, &x146, 0x0, x144, x141); + fiat_p256_addcarryx_u64(&x147, &x148, 0x0, x131, x143); + fiat_p256_addcarryx_u64(&x149, &x150, x148, x133, x145); + fiat_p256_addcarryx_u64(&x151, &x152, x150, x135, (x146 + x142)); + fiat_p256_addcarryx_u64(&x153, &x154, x152, x137, x139); + fiat_p256_addcarryx_u64(&x155, &x156, x154, (((uint64_t)x138 + x116) + (x130 + x118)), x140); + fiat_p256_subborrowx_u64(&x157, &x158, 0x0, x149, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x159, &x160, x158, x151, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x161, &x162, x160, x153, 0x0); + fiat_p256_subborrowx_u64(&x163, &x164, x162, x155, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x165, &x166, x164, x156, 0x0); + fiat_p256_cmovznz_u64(&x167, x166, x157, x149); + fiat_p256_cmovznz_u64(&x168, x166, x159, x151); + fiat_p256_cmovznz_u64(&x169, x166, x161, x153); + fiat_p256_cmovznz_u64(&x170, x166, x163, x155); + out1[0] = x167; + out1[1] = x168; + out1[2] = x169; + out1[3] = x170; +} + /* * The function fiat_p256_nonzero outputs a single non-zero word if the input is non-zero and zero otherwise. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: @@ -1023,13 +1352,15 @@ static void fiat_p256_from_montgomery(uint64_t out1[4], const uint64_t arg1[4]) * Output Bounds: * out1: [0x0 ~> 0xffffffffffffffff] */ -static void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { - uint64_t x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | ((arg1[3]) | (uint64_t)0x0)))); +static FIAT_P256_FIAT_INLINE void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { + uint64_t x1; + x1 = ((arg1[0]) | ((arg1[1]) | ((arg1[2]) | (arg1[3])))); *out1 = x1; } /* * The function fiat_p256_selectznz is a multi-limb conditional select. + * * Postconditions: * eval out1 = (if arg1 = 0 then eval arg2 else eval arg3) * 
@@ -1040,14 +1371,14 @@ static void fiat_p256_nonzero(uint64_t* out1, const uint64_t arg1[4]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) { +static FIAT_P256_FIAT_INLINE void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const uint64_t arg2[4], const uint64_t arg3[4]) { uint64_t x1; - fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); uint64_t x2; - fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); uint64_t x3; - fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); uint64_t x4; + fiat_p256_cmovznz_u64(&x1, arg1, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u64(&x2, arg1, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u64(&x3, arg1, (arg2[2]), (arg3[2])); fiat_p256_cmovznz_u64(&x4, arg1, (arg2[3]), (arg3[3])); out1[0] = x1; out1[1] = x2; @@ -1056,7 +1387,8 @@ static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const ui } /* - * The function fiat_p256_to_bytes serializes a field element in the Montgomery domain to bytes in little-endian order. + * The function fiat_p256_to_bytes serializes a field element NOT in the Montgomery domain to bytes in little-endian order. + * * Preconditions: * 0 ≤ eval arg1 < m * Postconditions: 
@@ -1067,106 +1399,164 @@ static void fiat_p256_selectznz(uint64_t out1[4], fiat_p256_uint1 arg1, const ui * Output Bounds: * out1: [[0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff], [0x0 ~> 0xff]] */ -static void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { - uint64_t x1 = (arg1[3]); - uint64_t x2 = (arg1[2]); - uint64_t x3 = (arg1[1]); - uint64_t x4 = (arg1[0]); - uint64_t x5 = (x4 >> 8); - uint8_t x6 = (uint8_t)(x4 & UINT8_C(0xff)); - uint64_t x7 = (x5 >> 8); - uint8_t x8 = (uint8_t)(x5 & UINT8_C(0xff)); - uint64_t x9 = (x7 >> 8); - uint8_t x10 = (uint8_t)(x7 & UINT8_C(0xff)); - uint64_t x11 = (x9 >> 8); - uint8_t x12 = (uint8_t)(x9 & UINT8_C(0xff)); - uint64_t x13 = (x11 >> 8); - uint8_t x14 = (uint8_t)(x11 & UINT8_C(0xff)); - uint64_t x15 = (x13 >> 8); - uint8_t x16 = (uint8_t)(x13 & UINT8_C(0xff)); - uint8_t x17 = (uint8_t)(x15 >> 8); - uint8_t x18 = (uint8_t)(x15 & UINT8_C(0xff)); - uint8_t x19 = (uint8_t)(x17 & UINT8_C(0xff)); - uint64_t x20 = (x3 >> 8); - uint8_t x21 = (uint8_t)(x3 & UINT8_C(0xff)); - uint64_t x22 = (x20 >> 8); - uint8_t x23 = (uint8_t)(x20 & UINT8_C(0xff)); - uint64_t x24 = (x22 >> 8); - uint8_t x25 = (uint8_t)(x22 & UINT8_C(0xff)); - uint64_t x26 = (x24 >> 8); - uint8_t x27 = (uint8_t)(x24 & UINT8_C(0xff)); - uint64_t x28 = (x26 >> 8); - uint8_t x29 = (uint8_t)(x26 & UINT8_C(0xff)); - uint64_t x30 = (x28 >> 8); - uint8_t x31 = (uint8_t)(x28 & UINT8_C(0xff)); - uint8_t x32 = (uint8_t)(x30 >> 8); - uint8_t x33 = (uint8_t)(x30 & UINT8_C(0xff)); - uint8_t x34 = (uint8_t)(x32 & UINT8_C(0xff)); - uint64_t x35 = (x2 >> 
8); - uint8_t x36 = (uint8_t)(x2 & UINT8_C(0xff)); - uint64_t x37 = (x35 >> 8); - uint8_t x38 = (uint8_t)(x35 & UINT8_C(0xff)); - uint64_t x39 = (x37 >> 8); - uint8_t x40 = (uint8_t)(x37 & UINT8_C(0xff)); - uint64_t x41 = (x39 >> 8); - uint8_t x42 = (uint8_t)(x39 & UINT8_C(0xff)); - uint64_t x43 = (x41 >> 8); - uint8_t x44 = (uint8_t)(x41 & UINT8_C(0xff)); - uint64_t x45 = (x43 >> 8); - uint8_t x46 = (uint8_t)(x43 & UINT8_C(0xff)); - uint8_t x47 = (uint8_t)(x45 >> 8); - uint8_t x48 = (uint8_t)(x45 & UINT8_C(0xff)); - uint8_t x49 = (uint8_t)(x47 & UINT8_C(0xff)); - uint64_t x50 = (x1 >> 8); - uint8_t x51 = (uint8_t)(x1 & UINT8_C(0xff)); - uint64_t x52 = (x50 >> 8); - uint8_t x53 = (uint8_t)(x50 & UINT8_C(0xff)); - uint64_t x54 = (x52 >> 8); - uint8_t x55 = (uint8_t)(x52 & UINT8_C(0xff)); - uint64_t x56 = (x54 >> 8); - uint8_t x57 = (uint8_t)(x54 & UINT8_C(0xff)); - uint64_t x58 = (x56 >> 8); - uint8_t x59 = (uint8_t)(x56 & UINT8_C(0xff)); - uint64_t x60 = (x58 >> 8); - uint8_t x61 = (uint8_t)(x58 & UINT8_C(0xff)); - uint8_t x62 = (uint8_t)(x60 >> 8); - uint8_t x63 = (uint8_t)(x60 & UINT8_C(0xff)); - out1[0] = x6; - out1[1] = x8; - out1[2] = x10; - out1[3] = x12; - out1[4] = x14; - out1[5] = x16; - out1[6] = x18; - out1[7] = x19; - out1[8] = x21; - out1[9] = x23; - out1[10] = x25; - out1[11] = x27; - out1[12] = x29; - out1[13] = x31; - out1[14] = x33; - out1[15] = x34; - out1[16] = x36; - out1[17] = x38; - out1[18] = x40; - out1[19] = x42; - out1[20] = x44; - out1[21] = x46; - out1[22] = x48; - out1[23] = x49; - out1[24] = x51; - out1[25] = x53; - out1[26] = x55; - out1[27] = x57; - out1[28] = x59; - out1[29] = x61; - out1[30] = x63; - out1[31] = x62; +static FIAT_P256_FIAT_INLINE void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint8_t x5; + uint64_t x6; + uint8_t x7; + uint64_t x8; + uint8_t x9; + uint64_t x10; + uint8_t x11; + uint64_t x12; + uint8_t x13; + uint64_t x14; + uint8_t 
x15; + uint64_t x16; + uint8_t x17; + uint8_t x18; + uint8_t x19; + uint64_t x20; + uint8_t x21; + uint64_t x22; + uint8_t x23; + uint64_t x24; + uint8_t x25; + uint64_t x26; + uint8_t x27; + uint64_t x28; + uint8_t x29; + uint64_t x30; + uint8_t x31; + uint8_t x32; + uint8_t x33; + uint64_t x34; + uint8_t x35; + uint64_t x36; + uint8_t x37; + uint64_t x38; + uint8_t x39; + uint64_t x40; + uint8_t x41; + uint64_t x42; + uint8_t x43; + uint64_t x44; + uint8_t x45; + uint8_t x46; + uint8_t x47; + uint64_t x48; + uint8_t x49; + uint64_t x50; + uint8_t x51; + uint64_t x52; + uint8_t x53; + uint64_t x54; + uint8_t x55; + uint64_t x56; + uint8_t x57; + uint64_t x58; + uint8_t x59; + uint8_t x60; + x1 = (arg1[3]); + x2 = (arg1[2]); + x3 = (arg1[1]); + x4 = (arg1[0]); + x5 = (uint8_t)(x4 & UINT8_C(0xff)); + x6 = (x4 >> 8); + x7 = (uint8_t)(x6 & UINT8_C(0xff)); + x8 = (x6 >> 8); + x9 = (uint8_t)(x8 & UINT8_C(0xff)); + x10 = (x8 >> 8); + x11 = (uint8_t)(x10 & UINT8_C(0xff)); + x12 = (x10 >> 8); + x13 = (uint8_t)(x12 & UINT8_C(0xff)); + x14 = (x12 >> 8); + x15 = (uint8_t)(x14 & UINT8_C(0xff)); + x16 = (x14 >> 8); + x17 = (uint8_t)(x16 & UINT8_C(0xff)); + x18 = (uint8_t)(x16 >> 8); + x19 = (uint8_t)(x3 & UINT8_C(0xff)); + x20 = (x3 >> 8); + x21 = (uint8_t)(x20 & UINT8_C(0xff)); + x22 = (x20 >> 8); + x23 = (uint8_t)(x22 & UINT8_C(0xff)); + x24 = (x22 >> 8); + x25 = (uint8_t)(x24 & UINT8_C(0xff)); + x26 = (x24 >> 8); + x27 = (uint8_t)(x26 & UINT8_C(0xff)); + x28 = (x26 >> 8); + x29 = (uint8_t)(x28 & UINT8_C(0xff)); + x30 = (x28 >> 8); + x31 = (uint8_t)(x30 & UINT8_C(0xff)); + x32 = (uint8_t)(x30 >> 8); + x33 = (uint8_t)(x2 & UINT8_C(0xff)); + x34 = (x2 >> 8); + x35 = (uint8_t)(x34 & UINT8_C(0xff)); + x36 = (x34 >> 8); + x37 = (uint8_t)(x36 & UINT8_C(0xff)); + x38 = (x36 >> 8); + x39 = (uint8_t)(x38 & UINT8_C(0xff)); + x40 = (x38 >> 8); + x41 = (uint8_t)(x40 & UINT8_C(0xff)); + x42 = (x40 >> 8); + x43 = (uint8_t)(x42 & UINT8_C(0xff)); + x44 = (x42 >> 8); + x45 = (uint8_t)(x44 & 
UINT8_C(0xff)); + x46 = (uint8_t)(x44 >> 8); + x47 = (uint8_t)(x1 & UINT8_C(0xff)); + x48 = (x1 >> 8); + x49 = (uint8_t)(x48 & UINT8_C(0xff)); + x50 = (x48 >> 8); + x51 = (uint8_t)(x50 & UINT8_C(0xff)); + x52 = (x50 >> 8); + x53 = (uint8_t)(x52 & UINT8_C(0xff)); + x54 = (x52 >> 8); + x55 = (uint8_t)(x54 & UINT8_C(0xff)); + x56 = (x54 >> 8); + x57 = (uint8_t)(x56 & UINT8_C(0xff)); + x58 = (x56 >> 8); + x59 = (uint8_t)(x58 & UINT8_C(0xff)); + x60 = (uint8_t)(x58 >> 8); + out1[0] = x5; + out1[1] = x7; + out1[2] = x9; + out1[3] = x11; + out1[4] = x13; + out1[5] = x15; + out1[6] = x17; + out1[7] = x18; + out1[8] = x19; + out1[9] = x21; + out1[10] = x23; + out1[11] = x25; + out1[12] = x27; + out1[13] = x29; + out1[14] = x31; + out1[15] = x32; + out1[16] = x33; + out1[17] = x35; + out1[18] = x37; + out1[19] = x39; + out1[20] = x41; + out1[21] = x43; + out1[22] = x45; + out1[23] = x46; + out1[24] = x47; + out1[25] = x49; + out1[26] = x51; + out1[27] = x53; + out1[28] = x55; + out1[29] = x57; + out1[30] = x59; + out1[31] = x60; } /* - * The function fiat_p256_from_bytes deserializes a field element in the Montgomery domain from bytes in little-endian order. + * The function fiat_p256_from_bytes deserializes a field element NOT in the Montgomery domain from bytes in little-endian order. + * * Preconditions: * 0 ≤ bytes_eval arg1 < m * Postconditions: 
@@ -1178,49 +1568,444 @@ static void fiat_p256_to_bytes(uint8_t out1[32], const uint64_t arg1[4]) { * Output Bounds: * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] */ -static void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) { - uint64_t x1 = ((uint64_t)(arg1[31]) << 56); - uint64_t x2 = ((uint64_t)(arg1[30]) << 48); - uint64_t x3 = ((uint64_t)(arg1[29]) << 40); - uint64_t x4 = ((uint64_t)(arg1[28]) << 32); - uint64_t x5 = ((uint64_t)(arg1[27]) << 24); - uint64_t x6 = ((uint64_t)(arg1[26]) << 16); - uint64_t x7 = ((uint64_t)(arg1[25]) << 8); - uint8_t x8 = (arg1[24]); - uint64_t x9 = ((uint64_t)(arg1[23]) << 56); - uint64_t x10 = ((uint64_t)(arg1[22]) << 48); - uint64_t x11 = ((uint64_t)(arg1[21]) << 40); - uint64_t x12 = ((uint64_t)(arg1[20]) << 32); - uint64_t x13 = ((uint64_t)(arg1[19]) << 24); - uint64_t x14 = ((uint64_t)(arg1[18]) << 16); - uint64_t x15 = ((uint64_t)(arg1[17]) << 8); - uint8_t x16 = (arg1[16]); - uint64_t x17 = ((uint64_t)(arg1[15]) << 56); - uint64_t x18 = ((uint64_t)(arg1[14]) << 48); - uint64_t x19 = ((uint64_t)(arg1[13]) << 40); - uint64_t x20 = ((uint64_t)(arg1[12]) << 32); - uint64_t x21 = ((uint64_t)(arg1[11]) << 24); - uint64_t x22 = ((uint64_t)(arg1[10]) << 16); - uint64_t x23 = ((uint64_t)(arg1[9]) << 8); - uint8_t x24 = (arg1[8]); - uint64_t x25 = ((uint64_t)(arg1[7]) << 56); - uint64_t x26 = ((uint64_t)(arg1[6]) << 48); - uint64_t x27 = ((uint64_t)(arg1[5]) << 40); - uint64_t x28 = ((uint64_t)(arg1[4]) << 32); - uint64_t x29 = ((uint64_t)(arg1[3]) << 24); - uint64_t x30 = ((uint64_t)(arg1[2]) << 16); - uint64_t x31 = ((uint64_t)(arg1[1]) << 8); - uint8_t x32 = (arg1[0]); - uint64_t x33 = (x32 + (x31 + (x30 + (x29 + (x28 + (x27 + (x26 + x25))))))); - uint64_t x34 = (x33 & UINT64_C(0xffffffffffffffff)); - uint64_t x35 = (x8 + (x7 + (x6 + (x5 + (x4 + (x3 + (x2 + x1))))))); - uint64_t x36 = (x16 + (x15 + (x14 + (x13 + (x12 + (x11 + (x10 + 
x9))))))); - uint64_t x37 = (x24 + (x23 + (x22 + (x21 + (x20 + (x19 + (x18 + x17))))))); - uint64_t x38 = (x37 & UINT64_C(0xffffffffffffffff)); - uint64_t x39 = (x36 & UINT64_C(0xffffffffffffffff)); - out1[0] = x34; - out1[1] = x38; - out1[2] = x39; - out1[3] = x35; +static FIAT_P256_FIAT_INLINE void fiat_p256_from_bytes(uint64_t out1[4], const uint8_t arg1[32]) { + uint64_t x1; + uint64_t x2; + uint64_t x3; + uint64_t x4; + uint64_t x5; + uint64_t x6; + uint64_t x7; + uint8_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + uint64_t x13; + uint64_t x14; + uint64_t x15; + uint8_t x16; + uint64_t x17; + uint64_t x18; + uint64_t x19; + uint64_t x20; + uint64_t x21; + uint64_t x22; + uint64_t x23; + uint8_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + uint8_t x32; + uint64_t x33; + uint64_t x34; + uint64_t x35; + uint64_t x36; + uint64_t x37; + uint64_t x38; + uint64_t x39; + uint64_t x40; + uint64_t x41; + uint64_t x42; + uint64_t x43; + uint64_t x44; + uint64_t x45; + uint64_t x46; + uint64_t x47; + uint64_t x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + uint64_t x54; + uint64_t x55; + uint64_t x56; + uint64_t x57; + uint64_t x58; + uint64_t x59; + uint64_t x60; + x1 = ((uint64_t)(arg1[31]) << 56); + x2 = ((uint64_t)(arg1[30]) << 48); + x3 = ((uint64_t)(arg1[29]) << 40); + x4 = ((uint64_t)(arg1[28]) << 32); + x5 = ((uint64_t)(arg1[27]) << 24); + x6 = ((uint64_t)(arg1[26]) << 16); + x7 = ((uint64_t)(arg1[25]) << 8); + x8 = (arg1[24]); + x9 = ((uint64_t)(arg1[23]) << 56); + x10 = ((uint64_t)(arg1[22]) << 48); + x11 = ((uint64_t)(arg1[21]) << 40); + x12 = ((uint64_t)(arg1[20]) << 32); + x13 = ((uint64_t)(arg1[19]) << 24); + x14 = ((uint64_t)(arg1[18]) << 16); + x15 = ((uint64_t)(arg1[17]) << 8); + x16 = (arg1[16]); + x17 = ((uint64_t)(arg1[15]) << 56); + x18 = ((uint64_t)(arg1[14]) << 48); + x19 = ((uint64_t)(arg1[13]) << 40); + x20 = 
((uint64_t)(arg1[12]) << 32); + x21 = ((uint64_t)(arg1[11]) << 24); + x22 = ((uint64_t)(arg1[10]) << 16); + x23 = ((uint64_t)(arg1[9]) << 8); + x24 = (arg1[8]); + x25 = ((uint64_t)(arg1[7]) << 56); + x26 = ((uint64_t)(arg1[6]) << 48); + x27 = ((uint64_t)(arg1[5]) << 40); + x28 = ((uint64_t)(arg1[4]) << 32); + x29 = ((uint64_t)(arg1[3]) << 24); + x30 = ((uint64_t)(arg1[2]) << 16); + x31 = ((uint64_t)(arg1[1]) << 8); + x32 = (arg1[0]); + x33 = (x31 + (uint64_t)x32); + x34 = (x30 + x33); + x35 = (x29 + x34); + x36 = (x28 + x35); + x37 = (x27 + x36); + x38 = (x26 + x37); + x39 = (x25 + x38); + x40 = (x23 + (uint64_t)x24); + x41 = (x22 + x40); + x42 = (x21 + x41); + x43 = (x20 + x42); + x44 = (x19 + x43); + x45 = (x18 + x44); + x46 = (x17 + x45); + x47 = (x15 + (uint64_t)x16); + x48 = (x14 + x47); + x49 = (x13 + x48); + x50 = (x12 + x49); + x51 = (x11 + x50); + x52 = (x10 + x51); + x53 = (x9 + x52); + x54 = (x7 + (uint64_t)x8); + x55 = (x6 + x54); + x56 = (x5 + x55); + x57 = (x4 + x56); + x58 = (x3 + x57); + x59 = (x2 + x58); + x60 = (x1 + x59); + out1[0] = x39; + out1[1] = x46; + out1[2] = x53; + out1[3] = x60; +} + +/* + * The function fiat_p256_set_one returns the field element one in the Montgomery domain. + * + * Postconditions: + * eval (from_montgomery out1) mod m = 1 mod m + * 0 ≤ eval out1 < m + * + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_set_one(fiat_p256_montgomery_domain_field_element out1) { + out1[0] = 0x1; + out1[1] = UINT64_C(0xffffffff00000000); + out1[2] = UINT64_C(0xffffffffffffffff); + out1[3] = UINT32_C(0xfffffffe); +} + +/* + * The function fiat_p256_msat returns the saturated representation of the prime modulus. 
+ * + * Postconditions: + * twos_complement_eval out1 = m + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_msat(uint64_t out1[5]) { + out1[0] = UINT64_C(0xffffffffffffffff); + out1[1] = UINT32_C(0xffffffff); + out1[2] = 0x0; + out1[3] = UINT64_C(0xffffffff00000001); + out1[4] = 0x0; +} + +/* + * The function fiat_p256_divstep computes a divstep. + * + * Preconditions: + * 0 ≤ eval arg4 < m + * 0 ≤ eval arg5 < m + * Postconditions: + * out1 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then 1 - arg1 else 1 + arg1) + * twos_complement_eval out2 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then twos_complement_eval arg3 else twos_complement_eval arg2) + * twos_complement_eval out3 = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then ⌊(twos_complement_eval arg3 - twos_complement_eval arg2) / 2⌋ else ⌊(twos_complement_eval arg3 + (twos_complement_eval arg3 mod 2) * twos_complement_eval arg2) / 2⌋) + * eval (from_montgomery out4) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (2 * eval (from_montgomery arg5)) mod m else (2 * eval (from_montgomery arg4)) mod m) + * eval (from_montgomery out5) mod m = (if 0 < arg1 ∧ (twos_complement_eval arg3) is odd then (eval (from_montgomery arg4) - eval (from_montgomery arg4)) mod m else (eval (from_montgomery arg5) + (twos_complement_eval arg3 mod 2) * eval (from_montgomery arg4)) mod m) + * 0 ≤ eval out5 < m + * 0 ≤ eval out5 < m + * 0 ≤ eval out2 < m + * 0 ≤ eval out3 < m + * + * Input Bounds: + * arg1: [0x0 ~> 0xffffffffffffffff] + * arg2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 
0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * arg5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * Output Bounds: + * out1: [0x0 ~> 0xffffffffffffffff] + * out2: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out3: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out4: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + * out5: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep(uint64_t* out1, uint64_t out2[5], uint64_t out3[5], uint64_t out4[4], uint64_t out5[4], uint64_t arg1, const uint64_t arg2[5], const uint64_t arg3[5], const uint64_t arg4[4], const uint64_t arg5[4]) { + uint64_t x1; + fiat_p256_uint1 x2; + fiat_p256_uint1 x3; + uint64_t x4; + fiat_p256_uint1 x5; + uint64_t x6; + uint64_t x7; + uint64_t x8; + uint64_t x9; + uint64_t x10; + uint64_t x11; + uint64_t x12; + fiat_p256_uint1 x13; + uint64_t x14; + fiat_p256_uint1 x15; + uint64_t x16; + fiat_p256_uint1 x17; + uint64_t x18; + fiat_p256_uint1 x19; + uint64_t x20; + fiat_p256_uint1 x21; + uint64_t x22; + uint64_t x23; + uint64_t x24; + uint64_t x25; + uint64_t x26; + uint64_t x27; + uint64_t x28; + uint64_t x29; + uint64_t x30; + uint64_t x31; + fiat_p256_uint1 x32; + uint64_t x33; + fiat_p256_uint1 x34; + uint64_t x35; + fiat_p256_uint1 x36; + uint64_t x37; + fiat_p256_uint1 x38; + uint64_t x39; + fiat_p256_uint1 x40; + uint64_t x41; + fiat_p256_uint1 x42; + uint64_t x43; + fiat_p256_uint1 x44; + uint64_t 
x45; + fiat_p256_uint1 x46; + uint64_t x47; + fiat_p256_uint1 x48; + uint64_t x49; + uint64_t x50; + uint64_t x51; + uint64_t x52; + uint64_t x53; + fiat_p256_uint1 x54; + uint64_t x55; + fiat_p256_uint1 x56; + uint64_t x57; + fiat_p256_uint1 x58; + uint64_t x59; + fiat_p256_uint1 x60; + uint64_t x61; + uint64_t x62; + fiat_p256_uint1 x63; + uint64_t x64; + fiat_p256_uint1 x65; + uint64_t x66; + fiat_p256_uint1 x67; + uint64_t x68; + fiat_p256_uint1 x69; + uint64_t x70; + uint64_t x71; + uint64_t x72; + uint64_t x73; + fiat_p256_uint1 x74; + uint64_t x75; + uint64_t x76; + uint64_t x77; + uint64_t x78; + uint64_t x79; + uint64_t x80; + fiat_p256_uint1 x81; + uint64_t x82; + fiat_p256_uint1 x83; + uint64_t x84; + fiat_p256_uint1 x85; + uint64_t x86; + fiat_p256_uint1 x87; + uint64_t x88; + fiat_p256_uint1 x89; + uint64_t x90; + uint64_t x91; + uint64_t x92; + uint64_t x93; + uint64_t x94; + fiat_p256_uint1 x95; + uint64_t x96; + fiat_p256_uint1 x97; + uint64_t x98; + fiat_p256_uint1 x99; + uint64_t x100; + fiat_p256_uint1 x101; + uint64_t x102; + fiat_p256_uint1 x103; + uint64_t x104; + fiat_p256_uint1 x105; + uint64_t x106; + fiat_p256_uint1 x107; + uint64_t x108; + fiat_p256_uint1 x109; + uint64_t x110; + fiat_p256_uint1 x111; + uint64_t x112; + fiat_p256_uint1 x113; + uint64_t x114; + uint64_t x115; + uint64_t x116; + uint64_t x117; + uint64_t x118; + uint64_t x119; + uint64_t x120; + uint64_t x121; + uint64_t x122; + uint64_t x123; + uint64_t x124; + uint64_t x125; + uint64_t x126; + fiat_p256_addcarryx_u64(&x1, &x2, 0x0, (~arg1), 0x1); + x3 = (fiat_p256_uint1)((fiat_p256_uint1)(x1 >> 63) & (fiat_p256_uint1)((arg3[0]) & 0x1)); + fiat_p256_addcarryx_u64(&x4, &x5, 0x0, (~arg1), 0x1); + fiat_p256_cmovznz_u64(&x6, x3, arg1, x4); + fiat_p256_cmovznz_u64(&x7, x3, (arg2[0]), (arg3[0])); + fiat_p256_cmovznz_u64(&x8, x3, (arg2[1]), (arg3[1])); + fiat_p256_cmovznz_u64(&x9, x3, (arg2[2]), (arg3[2])); + fiat_p256_cmovznz_u64(&x10, x3, (arg2[3]), (arg3[3])); + 
fiat_p256_cmovznz_u64(&x11, x3, (arg2[4]), (arg3[4])); + fiat_p256_addcarryx_u64(&x12, &x13, 0x0, 0x1, (~(arg2[0]))); + fiat_p256_addcarryx_u64(&x14, &x15, x13, 0x0, (~(arg2[1]))); + fiat_p256_addcarryx_u64(&x16, &x17, x15, 0x0, (~(arg2[2]))); + fiat_p256_addcarryx_u64(&x18, &x19, x17, 0x0, (~(arg2[3]))); + fiat_p256_addcarryx_u64(&x20, &x21, x19, 0x0, (~(arg2[4]))); + fiat_p256_cmovznz_u64(&x22, x3, (arg3[0]), x12); + fiat_p256_cmovznz_u64(&x23, x3, (arg3[1]), x14); + fiat_p256_cmovznz_u64(&x24, x3, (arg3[2]), x16); + fiat_p256_cmovznz_u64(&x25, x3, (arg3[3]), x18); + fiat_p256_cmovznz_u64(&x26, x3, (arg3[4]), x20); + fiat_p256_cmovznz_u64(&x27, x3, (arg4[0]), (arg5[0])); + fiat_p256_cmovznz_u64(&x28, x3, (arg4[1]), (arg5[1])); + fiat_p256_cmovznz_u64(&x29, x3, (arg4[2]), (arg5[2])); + fiat_p256_cmovznz_u64(&x30, x3, (arg4[3]), (arg5[3])); + fiat_p256_addcarryx_u64(&x31, &x32, 0x0, x27, x27); + fiat_p256_addcarryx_u64(&x33, &x34, x32, x28, x28); + fiat_p256_addcarryx_u64(&x35, &x36, x34, x29, x29); + fiat_p256_addcarryx_u64(&x37, &x38, x36, x30, x30); + fiat_p256_subborrowx_u64(&x39, &x40, 0x0, x31, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x41, &x42, x40, x33, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x43, &x44, x42, x35, 0x0); + fiat_p256_subborrowx_u64(&x45, &x46, x44, x37, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x47, &x48, x46, x38, 0x0); + x49 = (arg4[3]); + x50 = (arg4[2]); + x51 = (arg4[1]); + x52 = (arg4[0]); + fiat_p256_subborrowx_u64(&x53, &x54, 0x0, 0x0, x52); + fiat_p256_subborrowx_u64(&x55, &x56, x54, 0x0, x51); + fiat_p256_subborrowx_u64(&x57, &x58, x56, 0x0, x50); + fiat_p256_subborrowx_u64(&x59, &x60, x58, 0x0, x49); + fiat_p256_cmovznz_u64(&x61, x60, 0x0, UINT64_C(0xffffffffffffffff)); + fiat_p256_addcarryx_u64(&x62, &x63, 0x0, x53, x61); + fiat_p256_addcarryx_u64(&x64, &x65, x63, x55, (x61 & UINT32_C(0xffffffff))); + fiat_p256_addcarryx_u64(&x66, &x67, x65, x57, 0x0); + fiat_p256_addcarryx_u64(&x68, 
&x69, x67, x59, (x61 & UINT64_C(0xffffffff00000001))); + fiat_p256_cmovznz_u64(&x70, x3, (arg5[0]), x62); + fiat_p256_cmovznz_u64(&x71, x3, (arg5[1]), x64); + fiat_p256_cmovznz_u64(&x72, x3, (arg5[2]), x66); + fiat_p256_cmovznz_u64(&x73, x3, (arg5[3]), x68); + x74 = (fiat_p256_uint1)(x22 & 0x1); + fiat_p256_cmovznz_u64(&x75, x74, 0x0, x7); + fiat_p256_cmovznz_u64(&x76, x74, 0x0, x8); + fiat_p256_cmovznz_u64(&x77, x74, 0x0, x9); + fiat_p256_cmovznz_u64(&x78, x74, 0x0, x10); + fiat_p256_cmovznz_u64(&x79, x74, 0x0, x11); + fiat_p256_addcarryx_u64(&x80, &x81, 0x0, x22, x75); + fiat_p256_addcarryx_u64(&x82, &x83, x81, x23, x76); + fiat_p256_addcarryx_u64(&x84, &x85, x83, x24, x77); + fiat_p256_addcarryx_u64(&x86, &x87, x85, x25, x78); + fiat_p256_addcarryx_u64(&x88, &x89, x87, x26, x79); + fiat_p256_cmovznz_u64(&x90, x74, 0x0, x27); + fiat_p256_cmovznz_u64(&x91, x74, 0x0, x28); + fiat_p256_cmovznz_u64(&x92, x74, 0x0, x29); + fiat_p256_cmovznz_u64(&x93, x74, 0x0, x30); + fiat_p256_addcarryx_u64(&x94, &x95, 0x0, x70, x90); + fiat_p256_addcarryx_u64(&x96, &x97, x95, x71, x91); + fiat_p256_addcarryx_u64(&x98, &x99, x97, x72, x92); + fiat_p256_addcarryx_u64(&x100, &x101, x99, x73, x93); + fiat_p256_subborrowx_u64(&x102, &x103, 0x0, x94, UINT64_C(0xffffffffffffffff)); + fiat_p256_subborrowx_u64(&x104, &x105, x103, x96, UINT32_C(0xffffffff)); + fiat_p256_subborrowx_u64(&x106, &x107, x105, x98, 0x0); + fiat_p256_subborrowx_u64(&x108, &x109, x107, x100, UINT64_C(0xffffffff00000001)); + fiat_p256_subborrowx_u64(&x110, &x111, x109, x101, 0x0); + fiat_p256_addcarryx_u64(&x112, &x113, 0x0, x6, 0x1); + x114 = ((x80 >> 1) | ((x82 << 63) & UINT64_C(0xffffffffffffffff))); + x115 = ((x82 >> 1) | ((x84 << 63) & UINT64_C(0xffffffffffffffff))); + x116 = ((x84 >> 1) | ((x86 << 63) & UINT64_C(0xffffffffffffffff))); + x117 = ((x86 >> 1) | ((x88 << 63) & UINT64_C(0xffffffffffffffff))); + x118 = ((x88 & UINT64_C(0x8000000000000000)) | (x88 >> 1)); + fiat_p256_cmovznz_u64(&x119, x48, x39, x31); + 
fiat_p256_cmovznz_u64(&x120, x48, x41, x33); + fiat_p256_cmovznz_u64(&x121, x48, x43, x35); + fiat_p256_cmovznz_u64(&x122, x48, x45, x37); + fiat_p256_cmovznz_u64(&x123, x111, x102, x94); + fiat_p256_cmovznz_u64(&x124, x111, x104, x96); + fiat_p256_cmovznz_u64(&x125, x111, x106, x98); + fiat_p256_cmovznz_u64(&x126, x111, x108, x100); + *out1 = x112; + out2[0] = x7; + out2[1] = x8; + out2[2] = x9; + out2[3] = x10; + out2[4] = x11; + out3[0] = x114; + out3[1] = x115; + out3[2] = x116; + out3[3] = x117; + out3[4] = x118; + out4[0] = x119; + out4[1] = x120; + out4[2] = x121; + out4[3] = x122; + out5[0] = x123; + out5[1] = x124; + out5[2] = x125; + out5[3] = x126; } +/* + * The function fiat_p256_divstep_precomp returns the precomputed value for Bernstein-Yang-inversion (in montgomery form). + * + * Postconditions: + * eval (from_montgomery out1) = ⌊(m - 1) / 2⌋^(if ⌊log2 m⌋ + 1 < 46 then ⌊(49 * (⌊log2 m⌋ + 1) + 80) / 17⌋ else ⌊(49 * (⌊log2 m⌋ + 1) + 57) / 17⌋) + * 0 ≤ eval out1 < m + * + * Output Bounds: + * out1: [[0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff], [0x0 ~> 0xffffffffffffffff]] + */ +static FIAT_P256_FIAT_INLINE void fiat_p256_divstep_precomp(uint64_t out1[4]) { + out1[0] = UINT64_C(0x67ffffffb8000000); + out1[1] = UINT64_C(0xc000000038000000); + out1[2] = UINT64_C(0xd80000007fffffff); + out1[3] = UINT64_C(0x2fffffffffffffff); +} diff --git a/scripts/build-asm.py b/scripts/build-asm.py index 1d9bca3e..7f847f00 100644 --- a/scripts/build-asm.py +++ b/scripts/build-asm.py 
@@ -202,11 +202,11 @@ def munge_file(pp_arch, pp_platform, source_lines, sink): """ Wraps a single assembly file in appropriate defines. """ - sink.write("#if defined(%s) && defined(%s)\n" % (pp_arch, pp_platform)) + sink.write(b"#if defined(%b) && defined(%b)\n" % (pp_arch.encode(), pp_platform.encode())) for line in source_lines: sink.write(line) - sink.write("#endif // defined(%s) && defined(%s)\n" % (pp_arch, pp_platform)) + sink.write(b"#endif // defined(%b) && defined(%b)\n" % (pp_arch.encode(), pp_platform.encode())) def munge_all_files(osname, arch, asms): @@ -231,10 +231,10 @@ def main(): # Now we need to bring over all the .S files, inserting our preprocessor # directives along the way. We do this to allow the C preprocessor to make # unneeded assembly files vanish. - for ((osname, arch), asm_files) in asm_outputs.iteritems(): + for ((osname, arch), asm_files) in asm_outputs.items(): munge_all_files(osname, arch, asm_files) - for ((osname, arch), asm_files) in NON_PERL_FILES.iteritems(): + for ((osname, arch), asm_files) in NON_PERL_FILES.items(): for asm_file in asm_files: with open(asm_file, 'rb') as f: lines = f.readlines() @@ -246,5 +246,4 @@ def main(): munge_file(pp_arch, pp_platform, lines, sink) if __name__ == '__main__': - main() - + main() \ No newline at end of file diff --git a/scripts/patch-1-inttypes.patch b/scripts/patch-1-inttypes.patch index ceba266b..1d74dbf7 100644 --- a/scripts/patch-1-inttypes.patch +++ b/scripts/patch-1-inttypes.patch @@ -14,11 +14,11 @@ diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h b/Sources/CJ index c86c1ef..7013140 100644 --- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h +++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_bn.h -@@ -126,7 +126,7 @@ +@@ -126,7 +126,8 @@ #include "CJWTKitBoringSSL_base.h" #include "CJWTKitBoringSSL_thread.h" --#include // for PRIu64 and friends + #include // for PRIu64 and friends +#include #include // for FILE* 
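Review bot: munge_file now writes bytes to `sink` via `sink.write(b"#if defined(%b) && defined(%b)\n" % (...))`, but its docstring still says nothing about the modes that this requires: `sink` must be opened in binary mode and every element of `source_lines` must already be bytes, otherwise the `write` calls raise `TypeError` on Python 3. The main() hunk below does read the `.S` files with `open(asm_file, 'rb')`, so the lines side is covered, but how `sink` is opened is outside this diff and should be stated in the contract. Suggest extending the docstring to: "Wraps a single assembly file in appropriate defines. sink must be a binary-mode file object and source_lines an iterable of bytes." Note also that `%b` in bytes formatting needs Python 3.5 or newer, which is fine if that is the floor the Python 3 migration targets, but worth recording somewhere in the script header.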
diff --git a/scripts/patch-2-arm-arch.patch b/scripts/patch-2-arm-arch.patch deleted file mode 100644 index 96ada5ec..00000000 --- a/scripts/patch-2-arm-arch.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff --git a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h -index faa2655..0e76796 100644 ---- a/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h -+++ b/Sources/CJWTKitBoringSSL/include/CJWTKitBoringSSL_arm_arch.h -@@ -50,6 +50,7 @@ - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). */ - -+#if __arm__ || __arm64__ || __aarch64__ - #ifndef OPENSSL_HEADER_ARM_ARCH_H - #define OPENSSL_HEADER_ARM_ARCH_H - -@@ -171,3 +172,4 @@ - #endif /* defined __ASSEMBLER__ */ - - #endif // OPENSSL_HEADER_ARM_ARCH_H -+#endif // __arm__ || __arm64__ || __aarch64__ diff --git a/scripts/vendor-boringssl.sh b/scripts/vendor-boringssl.sh index 5c13328f..31b0e2b8 100755 --- a/scripts/vendor-boringssl.sh +++ b/scripts/vendor-boringssl.sh @@ -77,13 +77,12 @@ function mangle_symbols { ( # We need a .a: may as well get SwiftPM to give it to us. # Temporarily enable the product we need. - echo "Enabling mangled target in Package.swift" $sed -i -e 's/MANGLE_START/MANGLE_START*\//' -e 's/MANGLE_END/\/*MANGLE_END/' "${HERE}/Package.swift" export GOPATH="${TMPDIR}" # Begin by building for macOS. - swift build --product CJWTKitBoringSSL --enable-test-discovery + swift build --product CJWTKitBoringSSL ( cd "${SRCROOT}" go run "util/read_symbols.go" -out "${TMPDIR}/symbols-macOS.txt" "${HERE}/.build/debug/libCJWTKitBoringSSL.a" 
@@ -91,7 +90,6 @@ function mangle_symbols { # Now build for iOS. We use xcodebuild for this because SwiftPM doesn't # meaningfully support it. Unfortunately we must archive ourselves. - # This also builds for Apple Silicon xcodebuild -sdk iphoneos -scheme CJWTKitBoringSSL -derivedDataPath "${TMPDIR}/iphoneos-deriveddata" -destination generic/platform=iOS ar -r "${TMPDIR}/libCJWTKitBoringSSL-ios.a" "${TMPDIR}/iphoneos-deriveddata/Build/Products/Debug-iphoneos/CJWTKitBoringSSL.o" ( @@ -105,7 +103,7 @@ function mangle_symbols { # compilers for the architectures we care about. for cc_target in "${CROSS_COMPILE_TARGET_LOCATION}"/*"${CROSS_COMPILE_VERSION}"*.json; do echo "Cross compiling for ${cc_target}" - swift build --product CJWTKitBoringSSL --destination "${cc_target}" --enable-test-discovery + swift build --product CJWTKitBoringSSL --destination "${cc_target}" done; # Now we need to generate symbol mangles for Linux. We can do this in @@ -272,7 +270,7 @@ echo "RENAMING header files" rmdir "include/openssl" # Now change the imports from " to "", apply the same prefix to the 'boringssl_prefix_symbols' headers. - find . -name "*.[ch]" -or -name "*.cc" -or -name "*.S" | xargs $sed -i -e 's+include "$DSTROOT/include/CJWTKitBoringSSL.h" // // This source file is part of the Vapor open source project // -// Copyright (c) 2017-2020 Vapor project authors +// Copyright (c) 2022 Vapor project authors // Licensed under MIT // // See LICENSE for license information // -// SPDX-License-Identifier: Apache-2.0 +// SPDX-License-Identifier: MIT // //===----------------------------------------------------------------------===// #ifndef C_VAPORJWT_BORINGSSL_H #define C_VAPORJWT_BORINGSSL_H - #include "CJWTKitBoringSSL_aes.h" #include "CJWTKitBoringSSL_arm_arch.h" #include "CJWTKitBoringSSL_asn1_mac.h" 
@@ -337,7 +333,6 @@ cat << EOF > "$DSTROOT/include/CJWTKitBoringSSL.h" #include "CJWTKitBoringSSL_evp.h" #include "CJWTKitBoringSSL_hkdf.h" #include "CJWTKitBoringSSL_hmac.h" -#include "CJWTKitBoringSSL_hpke.h" #include "CJWTKitBoringSSL_hrss.h" #include "CJWTKitBoringSSL_md4.h" #include "CJWTKitBoringSSL_md5.h" @@ -357,14 +352,21 @@ cat << EOF > "$DSTROOT/include/CJWTKitBoringSSL.h" #include "CJWTKitBoringSSL_siphash.h" #include "CJWTKitBoringSSL_trust_token.h" #include "CJWTKitBoringSSL_x509v3.h" - #endif // C_VAPORJWT_BORINGSSL_H EOF +# modulemap is required by the cmake build +echo "CREATING modulemap" +cat << EOF > "$DSTROOT/include/module.modulemap" +module CJWTKitBoringSSL { + header "CJWTKitBoringSSL.h" + export * +} +EOF + echo "RECORDING BoringSSL revision" $sed -i -e "s/BoringSSL Commit: [0-9a-f]\+/BoringSSL Commit: ${BORINGSSL_REVISION}/" "$HERE/Package.swift" echo "This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision ${BORINGSSL_REVISION}" > "$DSTROOT/hash.txt" echo "CLEANING temporary directory" -rm -rf "${TMPDIR}" - +rm -rf "${TMPDIR}" \ No newline at end of file
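Review bot: Dropping `#include "CJWTKitBoringSSL_hpke.h"` from the generated umbrella header removes HPKE from what the module exposes, and neither this hunk nor the commit message says why. If the BoringSSL revision being vendored no longer ships that header under include/openssl, a one-line comment in the heredoc next to the hkdf/hmac includes would record that so the next vendoring run does not reintroduce it; if the header is still vendored, consumers that reach HPKE only through the umbrella header silently lose it. The enclosing `cat << EOF` heredoc starts before this hunk.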
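Review bot: The cleanup `rm -rf "${TMPDIR}"` on the last line reuses TMPDIR, which is also a standard environment variable that macOS and many tools set to the user's real temporary directory; the script's own assignment of it is not visible in this diff, so if any code path reaches this line before that assignment the recursive delete would target whatever the environment provided. A cheap guard is to only delete a path this script created, e.g. `rm -rf "${TMPDIR:?}"` together with a check that it is the directory the script made earlier, or better rename the variable to something script-specific such as `SCRATCH_DIR` so it can never collide with the environment. Separately, the hunk drops the file's trailing newline; keep it, since a missing final newline shows up as noise in every later diff.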