mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-18 15:55:36 +00:00
Bug 1420060 - land NSS ff7594d3dc94 UPGRADE_NSS_RELEASE, r=me
MozReview-Commit-ID: HHsghX4dI4v --HG-- extra : rebase_source : 69b01777bfd8d43f4c46fb07638f58dd5b1a496c
This commit is contained in:
parent
4da30e3721
commit
792a2a70b1
@ -1935,7 +1935,7 @@ MOZ_ARG_WITH_BOOL(system-nss,
|
||||
_USE_SYSTEM_NSS=1 )
|
||||
|
||||
if test -n "$_USE_SYSTEM_NSS"; then
|
||||
AM_PATH_NSS(3.34, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
|
||||
AM_PATH_NSS(3.35, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])])
|
||||
fi
|
||||
|
||||
if test -n "$MOZ_SYSTEM_NSS"; then
|
||||
|
@ -51,6 +51,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0x32, 0xE1, 0xBD, 0x24, 0x93, 0xFF, 0xC6, 0xD9, 0x20, 0x6D, 0x11, 0xBC, 0xD6, 0x77, 0x07, 0x39 },
|
||||
52 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* TrustCor_RootCert_CA_2 */
|
||||
{ 0x07, 0x53, 0xE9, 0x40, 0x37, 0x8C, 0x1B, 0xD5, 0xE3, 0x83, 0x6E, 0x39, 0x5D, 0xAE, 0xA5, 0xCB,
|
||||
0x83, 0x9E, 0x50, 0x46, 0xF1, 0xBD, 0x0E, 0xAE, 0x19, 0x51, 0xCF, 0x10, 0xFE, 0xC7, 0xC9, 0x65 },
|
||||
191 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* AddTrust_Public_CA_Root */
|
||||
{ 0x07, 0x91, 0xCA, 0x07, 0x49, 0xB2, 0x07, 0x82, 0xAA, 0xD3, 0xC7, 0xD7, 0xBD, 0x0C, 0xDF, 0xC9,
|
||||
@ -165,6 +171,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0x5A, 0x65, 0xE2, 0xBC, 0x6E, 0x55, 0xB5, 0xAF, 0x7E, 0x78, 0x99, 0xC8, 0xA2, 0x66, 0xD9, 0x2E },
|
||||
47 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* SSL_com_EV_Root_Certification_Authority_ECC */
|
||||
{ 0x22, 0xA2, 0xC1, 0xF7, 0xBD, 0xED, 0x70, 0x4C, 0xC1, 0xE7, 0x01, 0xB5, 0xF4, 0x08, 0xC3, 0x10,
|
||||
0x88, 0x0F, 0xE9, 0x56, 0xB5, 0xDE, 0x2A, 0x4A, 0x44, 0xF9, 0x9C, 0x87, 0x3A, 0x25, 0xA7, 0xC8 },
|
||||
196 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* VeriSign_Universal_Root_Certification_Authority */
|
||||
{ 0x23, 0x99, 0x56, 0x11, 0x27, 0xA5, 0x71, 0x25, 0xDE, 0x8C, 0xEF, 0xEA, 0x61, 0x0D, 0xDF, 0x2F,
|
||||
@ -201,6 +213,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0xA5, 0x80, 0x26, 0xEF, 0x1F, 0xCC, 0x0A, 0x5F, 0xB3, 0xD9, 0xDC, 0x01, 0x2F, 0x60, 0x0D, 0x19 },
|
||||
85 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* SSL_com_EV_Root_Certification_Authority_RSA_R2 */
|
||||
{ 0x2E, 0x7B, 0xF1, 0x6C, 0xC2, 0x24, 0x85, 0xA7, 0xBB, 0xE2, 0xAA, 0x86, 0x96, 0x75, 0x07, 0x61,
|
||||
0xB0, 0xAE, 0x39, 0xBE, 0x3B, 0x2F, 0xE9, 0xD0, 0xCC, 0x6D, 0x4E, 0xF7, 0x34, 0x91, 0x42, 0x5C },
|
||||
195 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* IdenTrust_Public_Sector_Root_CA_1 */
|
||||
{ 0x30, 0xD0, 0x89, 0x5A, 0x9A, 0x44, 0x8A, 0x26, 0x20, 0x91, 0x63, 0x55, 0x22, 0xD1, 0xF5, 0x20,
|
||||
@ -219,6 +237,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0xA4, 0x77, 0x6E, 0xFD, 0xAE, 0x2F, 0xDF, 0x6D, 0x01, 0x68, 0xEA, 0x1C, 0x4F, 0x55, 0x67, 0xD0 },
|
||||
70 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* SSL_com_Root_Certification_Authority_ECC */
|
||||
{ 0x34, 0x17, 0xBB, 0x06, 0xCC, 0x60, 0x07, 0xDA, 0x1B, 0x96, 0x1C, 0x92, 0x0B, 0x8A, 0xB4, 0xCE,
|
||||
0x3F, 0xAD, 0x82, 0x0E, 0x4A, 0xA3, 0x0B, 0x9A, 0xCB, 0xC4, 0xA7, 0x4E, 0xBD, 0xCE, 0xBC, 0x65 },
|
||||
194 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* EBG_Elektronik_Sertifika_Hizmet_Sa_lay_c_s_ */
|
||||
{ 0x35, 0xAE, 0x5B, 0xDD, 0xD8, 0xF7, 0xAE, 0x63, 0x5C, 0xFF, 0xBA, 0x56, 0x82, 0xA8, 0xF0, 0x0B,
|
||||
@ -405,6 +429,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0x5A, 0x5B, 0x2B, 0x45, 0x7D, 0x81, 0xF3, 0x69, 0x2B, 0x61, 0x0A, 0x98, 0x67, 0x2F, 0x0E, 0x1B },
|
||||
139 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* TrustCor_ECA_1 */
|
||||
{ 0x5A, 0x88, 0x5D, 0xB1, 0x9C, 0x01, 0xD9, 0x12, 0xC5, 0x75, 0x93, 0x88, 0x93, 0x8C, 0xAF, 0xBB,
|
||||
0xDF, 0x03, 0x1A, 0xB2, 0xD4, 0x8E, 0x91, 0xEE, 0x15, 0x58, 0x9B, 0x42, 0x97, 0x1D, 0x03, 0x9C },
|
||||
192 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* Certum_Trusted_Network_CA */
|
||||
{ 0x5C, 0x58, 0x46, 0x8D, 0x55, 0xF5, 0x8E, 0x49, 0x7E, 0x74, 0x39, 0x82, 0xD2, 0xB5, 0x00, 0x10,
|
||||
@ -579,6 +609,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0x95, 0x43, 0x1E, 0xDA, 0x37, 0xCC, 0x5E, 0x36, 0x43, 0x0E, 0x79, 0xC7, 0xA8, 0x88, 0x63, 0x8B },
|
||||
5 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* SSL_com_Root_Certification_Authority_RSA */
|
||||
{ 0x85, 0x66, 0x6A, 0x56, 0x2E, 0xE0, 0xBE, 0x5C, 0xE9, 0x25, 0xC1, 0xD8, 0x89, 0x0A, 0x6F, 0x76,
|
||||
0xA8, 0x7E, 0xC1, 0x6D, 0x4D, 0x7D, 0x5F, 0x29, 0xEA, 0x74, 0x19, 0xCF, 0x20, 0x12, 0x3B, 0x69 },
|
||||
193 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* QuoVadis_Root_CA_2 */
|
||||
{ 0x85, 0xA0, 0xDD, 0x7D, 0xD7, 0x20, 0xAD, 0xB7, 0xFF, 0x05, 0xF8, 0x3D, 0x54, 0x2B, 0x20, 0x9D,
|
||||
@ -861,6 +897,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0xE9, 0xBA, 0xD1, 0xA6, 0xB9, 0xBD, 0x51, 0x5E, 0xDC, 0x5C, 0x6D, 0x5B, 0x87, 0x11, 0xAC, 0x44 },
|
||||
117 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* GDCA_TrustAUTH_R5_ROOT */
|
||||
{ 0xBF, 0xFF, 0x8F, 0xD0, 0x44, 0x33, 0x48, 0x7D, 0x6A, 0x8A, 0xA6, 0x0C, 0x1A, 0x29, 0x76, 0x7A,
|
||||
0x9F, 0xC2, 0xBB, 0xB0, 0x5E, 0x42, 0x0F, 0x71, 0x3A, 0x13, 0xB9, 0x92, 0x89, 0x1D, 0x38, 0x93 },
|
||||
189 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* OU_ePKI_Root_Certification_Authority_O__Chunghwa_Telecom_Co___Ltd___C_TW */
|
||||
{ 0xC0, 0xA6, 0xF4, 0xDC, 0x63, 0xA2, 0x4B, 0xFD, 0xCF, 0x54, 0xEF, 0x2A, 0x6A, 0x08, 0x2A, 0x0A,
|
||||
@ -933,6 +975,12 @@ static const struct CertAuthorityHash ROOT_TABLE[] = {
|
||||
0x51, 0x0C, 0x42, 0x75, 0xB0, 0xE5, 0xF9, 0x4F, 0x40, 0xBB, 0xAE, 0x86, 0x5E, 0x19, 0xF6, 0x73 },
|
||||
13 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* TrustCor_RootCert_CA_1 */
|
||||
{ 0xD4, 0x0E, 0x9C, 0x86, 0xCD, 0x8F, 0xE4, 0x68, 0xC1, 0x77, 0x69, 0x59, 0xF4, 0x9E, 0xA7, 0x74,
|
||||
0xFA, 0x54, 0x86, 0x84, 0xB6, 0xC4, 0x06, 0xF3, 0x90, 0x92, 0x61, 0xF4, 0xDC, 0xE2, 0x57, 0x5C },
|
||||
190 /* Bin Number */
|
||||
},
|
||||
{
|
||||
/* Staat_der_Nederlanden_Root_CA */
|
||||
{ 0xD4, 0x1D, 0x82, 0x9E, 0x8C, 0x16, 0x59, 0x82, 0x2A, 0xF9, 0x3F, 0xCE, 0x62, 0xBF, 0xFC, 0xDE,
|
||||
|
@ -948,7 +948,47 @@
|
||||
"label": "TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi___Surum_1",
|
||||
"binNumber": 188,
|
||||
"sha256Fingerprint": "Ru3DaJBG1TpFP7MQSrgNyuxliyZg6hYp3X6GeZBkhxY="
|
||||
},
|
||||
{
|
||||
"label": "GDCA_TrustAUTH_R5_ROOT",
|
||||
"binNumber": 189,
|
||||
"sha256Fingerprint": "v/+P0EQzSH1qiqYMGil2ep/Cu7BeQg9xOhO5kokdOJM="
|
||||
},
|
||||
{
|
||||
"label": "TrustCor_RootCert_CA_1",
|
||||
"binNumber": 190,
|
||||
"sha256Fingerprint": "1A6chs2P5GjBd2lZ9J6ndPpUhoS2xAbzkJJh9NziV1w="
|
||||
},
|
||||
{
|
||||
"label": "TrustCor_RootCert_CA_2",
|
||||
"binNumber": 191,
|
||||
"sha256Fingerprint": "B1PpQDeMG9Xjg245Xa6ly4OeUEbxvQ6uGVHPEP7HyWU="
|
||||
},
|
||||
{
|
||||
"label": "TrustCor_ECA_1",
|
||||
"binNumber": 192,
|
||||
"sha256Fingerprint": "WohdsZwB2RLFdZOIk4yvu98DGrLUjpHuFVibQpcdA5w="
|
||||
},
|
||||
{
|
||||
"label": "SSL_com_Root_Certification_Authority_RSA",
|
||||
"binNumber": 193,
|
||||
"sha256Fingerprint": "hWZqVi7gvlzpJcHYiQpvdqh+wW1NfV8p6nQZzyASO2k="
|
||||
},
|
||||
{
|
||||
"label": "SSL_com_Root_Certification_Authority_ECC",
|
||||
"binNumber": 194,
|
||||
"sha256Fingerprint": "NBe7BsxgB9oblhySC4q0zj+tgg5Kowuay8SnTr3OvGU="
|
||||
},
|
||||
{
|
||||
"label": "SSL_com_EV_Root_Certification_Authority_RSA_R2",
|
||||
"binNumber": 195,
|
||||
"sha256Fingerprint": "LnvxbMIkhae74qqGlnUHYbCuOb47L+nQzG1O9zSRQlw="
|
||||
},
|
||||
{
|
||||
"label": "SSL_com_EV_Root_Certification_Authority_ECC",
|
||||
"binNumber": 196,
|
||||
"sha256Fingerprint": "IqLB973tcEzB5wG19AjDEIgP6Va13ipKRPmchzolp8g="
|
||||
}
|
||||
],
|
||||
"maxBin": 188
|
||||
"maxBin": 196
|
||||
}
|
@ -1 +1 @@
|
||||
NSS_3_34_BETA5
|
||||
ff7594d3dc94
|
||||
|
@ -1,11 +0,0 @@
|
||||
Functions changes summary: 0 Removed, 0 Changed, 4 Added functions
|
||||
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
|
||||
|
||||
4 Added functions:
|
||||
|
||||
'function SECItem* SEC_CreateSignatureAlgorithmParameters(SECItem*, SECOidTag, SECOidTag, const SECItem*, const SECKEYPrivateKey*)' {SEC_CreateSignatureAlgorithmParameters@@NSS_3.34}
|
||||
'function SECStatus SEC_DerSignDataWithAlgorithmID(SECItem*, const unsigned char*, int, SECKEYPrivateKey*, SECAlgorithmID*)' {SEC_DerSignDataWithAlgorithmID@@NSS_3.34}
|
||||
'function SECStatus SEC_SignDataWithAlgorithmID(SECItem*, const unsigned char*, int, SECKEYPrivateKey*, SECAlgorithmID*)' {SEC_SignDataWithAlgorithmID@@NSS_3.34}
|
||||
'function void SGN_NewContextWithAlgorithmID(SECAlgorithmID*, SECKEYPrivateKey*)' {SGN_NewContextWithAlgorithmID@@NSS_3.34}
|
||||
|
||||
|
@ -1,15 +0,0 @@
|
||||
Functions changes summary: 0 Removed, 1 Changed, 0 Added function
|
||||
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
|
||||
|
||||
1 function with some indirect sub-type change:
|
||||
|
||||
[C]'function SECStatus SSL_GetChannelInfo(SSLChannelInfo*, PRUintn)' at sslinfo.c:26:1 has some indirect sub-type changes:
|
||||
parameter 1 of type 'SSLChannelInfo*' has sub-type changes:
|
||||
in pointed to type 'typedef SSLChannelInfo' at sslt.h:288:1:
|
||||
underlying type 'struct SSLChannelInfoStr' at sslt.h:229:1 changed:
|
||||
type size changed from 896 to 960 bits
|
||||
2 data member insertions:
|
||||
'SSLNamedGroup SSLChannelInfoStr::originalKeaGroup', at offset 864 (in bits) at sslt.h:281:1
|
||||
'PRBool SSLChannelInfoStr::resumed', at offset 896 (in bits) at sslt.h:284:1
|
||||
|
||||
|
@ -1 +1 @@
|
||||
NSS_3_33_BRANCH
|
||||
NSS_3_34_BRANCH
|
||||
|
@ -4,18 +4,16 @@ MAINTAINER Franziskus Kiefer <franziskuskiefer@gmail.com>
|
||||
# Based on the HACL* image from Benjamin Beurdouche and
|
||||
# the original F* formula with Daniel Fabian
|
||||
|
||||
# Pinned versions of HaCl* (F* and KreMLin are pinned as submodules)
|
||||
# Pinned versions of HACL* (F* and KreMLin are pinned as submodules)
|
||||
ENV haclrepo https://github.com/mitls/hacl-star.git
|
||||
|
||||
# Define versions of dependencies
|
||||
ENV opamv 4.04.2
|
||||
ENV z3v 4.5.1.1f29cebd4df6-x64-ubuntu-14.04
|
||||
ENV haclversion 0030539598cde15d1a0e5f93b32e121f7b7b5a1c
|
||||
ENV haclbranch production-nss
|
||||
ENV haclversion daa7e159f0adf252b5e6962967bc0f27dbac243b
|
||||
|
||||
# Install required packages and set versions
|
||||
RUN apt-get -qq update
|
||||
RUN apt-get install --yes sudo libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf
|
||||
RUN apt-get install --yes sudo libssl-dev libsqlite3-dev g++-5 gcc-5 m4 make opam pkg-config python libgmp3-dev cmake curl libtool-bin autoconf wget
|
||||
RUN update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 200
|
||||
RUN update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200
|
||||
|
||||
@ -29,13 +27,6 @@ ADD bin /home/worker/bin
|
||||
RUN chmod +x /home/worker/bin/*
|
||||
USER worker
|
||||
|
||||
# Add "known-good" version of Z3
|
||||
RUN curl -LO https://github.com/FStarLang/binaries/raw/master/z3-tested/z3-${z3v}.zip
|
||||
RUN unzip z3-${z3v}.zip
|
||||
RUN rm z3-${z3v}.zip
|
||||
RUN mv z3-${z3v} z3
|
||||
ENV PATH "/home/worker/z3/bin:$PATH"
|
||||
|
||||
# Prepare build (OCaml packages)
|
||||
ENV OPAMYES true
|
||||
RUN opam init
|
||||
@ -43,14 +34,19 @@ RUN echo ". /home/worker/.opam/opam-init/init.sh > /dev/null 2> /dev/null || tru
|
||||
RUN opam switch -v ${opamv}
|
||||
RUN opam install ocamlfind batteries sqlite3 fileutils yojson ppx_deriving_yojson zarith pprint menhir ulex process fix wasm stdint
|
||||
|
||||
# Get the HaCl* code
|
||||
# Get the HACL* code
|
||||
RUN git clone ${haclrepo} hacl-star
|
||||
RUN git -C hacl-star checkout ${haclversion}
|
||||
|
||||
# Prepare submodules, and build, verify, test, and extract c code
|
||||
# This caches the extracted c code (pins the HaCl* version). All we need to do
|
||||
# This caches the extracted c code (pins the HACL* version). All we need to do
|
||||
# on CI now is comparing the code in this docker image with the one in NSS.
|
||||
RUN opam config exec -- make -C hacl-star nss -j$(nproc)
|
||||
RUN opam config exec -- make -C hacl-star prepare -j$(nproc)
|
||||
ENV PATH "/home/worker/hacl-star/dependencies/z3/bin:$PATH"
|
||||
RUN make -C hacl-star verify-nss -j$(nproc)
|
||||
RUN make -C hacl-star -f Makefile.build snapshots/nss -j$(nproc)
|
||||
RUN KOPTS="-funroll-loops 5" make -C hacl-star/code/curve25519 test -j$(nproc)
|
||||
RUN make -C hacl-star/code/salsa-family test -j$(nproc)
|
||||
|
||||
# Get clang-format-3.9
|
||||
RUN curl -LO http://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz
|
||||
@ -65,6 +61,7 @@ RUN rm *.tar.xz*
|
||||
|
||||
# Cleanup
|
||||
RUN rm -rf ~/.ccache ~/.cache
|
||||
RUN rm -rf /home/worker/hacl-star/dependencies
|
||||
RUN sudo apt-get autoremove -y
|
||||
RUN sudo apt-get clean
|
||||
RUN sudo apt-get autoclean
|
||||
|
@ -13,7 +13,7 @@ set -e -x -v
|
||||
# successfully executed.
|
||||
|
||||
# Format the extracted C code.
|
||||
cd ~/hacl-star/snapshots/nss-production
|
||||
cd ~/hacl-star/snapshots/nss
|
||||
cp ~/nss/.clang-format .
|
||||
find . -type f -name '*.[ch]' -exec clang-format -i {} \+
|
||||
|
||||
@ -22,3 +22,10 @@ files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]'))
|
||||
for f in "${files[@]}"; do
|
||||
diff $f $(basename "$f")
|
||||
done
|
||||
|
||||
# Check that the specs didn't change either.
|
||||
cd ~/hacl-star/specs
|
||||
files=($(find ~/nss/lib/freebl/verified/specs -type f))
|
||||
for f in "${files[@]}"; do
|
||||
diff $f $(basename "$f")
|
||||
done
|
||||
|
@ -1,10 +1,10 @@
|
||||
[
|
||||
{
|
||||
"version": "Visual Studio 2015 Update 3 14.0.25425.01 / SDK 10.0.14393.0",
|
||||
"size": 326656969,
|
||||
"digest": "babc414ffc0457d27f5a1ed24a8e4873afbe2f1c1a4075469a27c005e1babc3b2a788f643f825efedff95b79686664c67ec4340ed535487168a3482e68559bc7",
|
||||
"version": "Visual Studio 2017 15.4.2 / SDK 10.0.15063.0",
|
||||
"size": 303146863,
|
||||
"digest": "18700889e6b5e81613b9cf57ce4e0d46a6ee45bb4c5c33bae2604a5275326128775b8a032a1eb178c5db973746d565340c4e36d98375789e1d5bd836ab16ba58",
|
||||
"algorithm": "sha512",
|
||||
"filename": "vs2015u3.zip",
|
||||
"filename": "vs2017_15.4.2.zip",
|
||||
"unpack": true
|
||||
},
|
||||
{
|
||||
|
@ -2,12 +2,12 @@
|
||||
|
||||
set -v -e -x
|
||||
|
||||
export VSPATH="$(pwd)/vs2015u3"
|
||||
export VSPATH="$(pwd)/vs2017_15.4.2"
|
||||
export NINJA_PATH="$(pwd)/ninja/bin"
|
||||
|
||||
export WINDOWSSDKDIR="${VSPATH}/SDK"
|
||||
export VS90COMNTOOLS="${VSPATH}/VC"
|
||||
export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.14393.0/ucrt:${VSPATH}/SDK/Include/10.0.14393.0/shared:${VSPATH}/SDK/Include/10.0.14393.0/um"
|
||||
export INCLUDE="${VSPATH}/VC/include:${VSPATH}/SDK/Include/10.0.15063.0/ucrt:${VSPATH}/SDK/Include/10.0.15063.0/shared:${VSPATH}/SDK/Include/10.0.15063.0/um"
|
||||
|
||||
# Usage: hg_clone repo dir [revision=@]
|
||||
hg_clone() {
|
||||
|
@ -4,7 +4,7 @@ set -v -e -x
|
||||
|
||||
source $(dirname $0)/setup.sh
|
||||
|
||||
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC140.CRT"
|
||||
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT"
|
||||
export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x86"
|
||||
export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/amd64_x86:${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x86:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x86/Microsoft.VC140.CRT:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
|
||||
export LIB="${VSPATH}/VC/lib:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.14393.0/um/x86"
|
||||
export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x86:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x86/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x86:${PATH}"
|
||||
export LIB="${VSPATH}/VC/lib/x86:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x86:${VSPATH}/SDK/lib/10.0.15063.0/um/x86"
|
||||
|
@ -4,7 +4,7 @@ set -v -e -x
|
||||
|
||||
source $(dirname $0)/setup.sh
|
||||
|
||||
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT"
|
||||
export WIN32_REDIST_DIR="${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT"
|
||||
export WIN_UCRT_REDIST_DIR="${VSPATH}/SDK/Redist/ucrt/DLLs/x64"
|
||||
export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/amd64:${VSPATH}/VC/bin:${VSPATH}/SDK/bin/x64:${VSPATH}/VC/redist/x64/Microsoft.VC140.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
|
||||
export LIB="${VSPATH}/VC/lib/amd64:${VSPATH}/SDK/lib/10.0.14393.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.14393.0/um/x64"
|
||||
export PATH="${NINJA_PATH}:${VSPATH}/VC/bin/Hostx64/x64:${VSPATH}/VC/bin/Hostx86/x86:${VSPATH}/SDK/bin/10.0.15063.0/x64:${VSPATH}/VC/redist/x64/Microsoft.VC141.CRT:${VSPATH}/SDK/Redist/ucrt/DLLs/x64:${PATH}"
|
||||
export LIB="${VSPATH}/VC/lib/x64:${VSPATH}/SDK/lib/10.0.15063.0/ucrt/x64:${VSPATH}/SDK/lib/10.0.15063.0/um/x64"
|
||||
|
@ -68,6 +68,7 @@ fi
|
||||
while [ $# -gt 0 ]; do
|
||||
case $1 in
|
||||
-c) clean=1 ;;
|
||||
-cc) clean_only=1 ;;
|
||||
--gyp|-g) rebuild_gyp=1 ;;
|
||||
--nspr) nspr_clean; rebuild_nspr=1 ;;
|
||||
-j) ninja_params+=(-j "$2"); shift ;;
|
||||
@ -124,10 +125,15 @@ dist_dir=$(mkdir -p "$dist_dir"; cd "$dist_dir"; pwd -P)
|
||||
gyp_params+=(-Dnss_dist_dir="$dist_dir")
|
||||
|
||||
# -c = clean first
|
||||
if [ "$clean" = 1 ]; then
|
||||
if [ "$clean" = 1 -o "$clean_only" = 1 ]; then
|
||||
nspr_clean
|
||||
rm -rf "$cwd"/out
|
||||
rm -rf "$dist_dir"
|
||||
# -cc = only clean, don't build
|
||||
if [ "$clean_only" = 1 ]; then
|
||||
echo "Cleaned"
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
|
||||
# This saves a canonical representation of arguments that we are passing to gyp
|
||||
|
@ -7,9 +7,6 @@
|
||||
TESTDIR=${1-.}
|
||||
COMMAND=${2-run}
|
||||
TESTS="aes aesgcm dsa ecdsa hmac tls rng rsa sha tdea"
|
||||
if [ ${NSS_ENABLE_ECC}x = 1x ]; then
|
||||
TESTS=${TESTS} ecdsa
|
||||
fi
|
||||
for i in $TESTS
|
||||
do
|
||||
echo "********************Running $i tests"
|
||||
|
@ -240,7 +240,8 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
|
||||
sprintf(prompt,
|
||||
"Press Enter, then enter PIN for \"%s\" on external device.\n",
|
||||
PK11_GetTokenName(slot));
|
||||
(void)SECU_GetPasswordString(NULL, prompt);
|
||||
char *pw = SECU_GetPasswordString(NULL, prompt);
|
||||
PORT_Free(pw);
|
||||
/* Fall Through */
|
||||
case PW_PLAINTEXT:
|
||||
return PL_strdup(pwdata->data);
|
||||
@ -1192,7 +1193,7 @@ secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
|
||||
SECU_Indent(out, level + 1);
|
||||
fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
|
||||
} else {
|
||||
SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1);
|
||||
SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1);
|
||||
}
|
||||
} else {
|
||||
SECU_Indent(out, level + 1);
|
||||
|
@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile, char *newpwFile)
|
||||
ret = BAD_PW_ERR;
|
||||
goto loser;
|
||||
}
|
||||
} else {
|
||||
} else if (PK11_NeedLogin(slot)) {
|
||||
for (matching = PR_FALSE; !matching;) {
|
||||
oldpw = SECU_GetPasswordString(NULL, "Enter old password: ");
|
||||
if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) {
|
||||
|
@ -216,7 +216,7 @@ rsaKeysAreEqual(PK11ObjectType srcType, void *src,
|
||||
printf("Could read source key\n");
|
||||
return PR_FALSE;
|
||||
}
|
||||
readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);
|
||||
rv = readKey(destType, dest, destTemplate, 0, RSA_ATTRIBUTES);
|
||||
if (rv != SECSuccess) {
|
||||
printf("Could read dest key\n");
|
||||
return PR_FALSE;
|
||||
|
@ -2549,6 +2549,14 @@ main(int argc, char **argv)
|
||||
tmp = PR_GetEnvSecure("TMPDIR");
|
||||
if (!tmp)
|
||||
tmp = PR_GetEnvSecure("TEMP");
|
||||
|
||||
/* Call the NSS initialization routines */
|
||||
rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
|
||||
if (rv != SECSuccess) {
|
||||
fputs("NSS_Init failed.\n", stderr);
|
||||
exit(8);
|
||||
}
|
||||
|
||||
if (envString) {
|
||||
/* we're one of the children in a multi-process server. */
|
||||
listen_sock = PR_GetInheritedFD(inheritableSockName);
|
||||
@ -2603,13 +2611,6 @@ main(int argc, char **argv)
|
||||
/* set our password function */
|
||||
PK11_SetPasswordFunc(SECU_GetModulePassword);
|
||||
|
||||
/* Call the NSS initialization routines */
|
||||
rv = NSS_Initialize(dir, certPrefix, certPrefix, SECMOD_DB, NSS_INIT_READONLY);
|
||||
if (rv != SECSuccess) {
|
||||
fputs("NSS_Init failed.\n", stderr);
|
||||
exit(8);
|
||||
}
|
||||
|
||||
/* all SSL3 cipher suites are enabled by default. */
|
||||
if (cipherString) {
|
||||
char *cstringSaved = cipherString;
|
||||
|
@ -10,4 +10,3 @@
|
||||
*/
|
||||
|
||||
#error "Do not include this header file."
|
||||
|
||||
|
@ -10,7 +10,7 @@
|
||||
#include <cassert>
|
||||
#include <vector>
|
||||
|
||||
std::vector<uint8_t> hex_string_to_bytes(std::string s) {
|
||||
static inline std::vector<uint8_t> hex_string_to_bytes(std::string s) {
|
||||
std::vector<uint8_t> bytes;
|
||||
for (size_t i = 0; i < s.length(); i += 2) {
|
||||
bytes.push_back(std::stoul(s.substr(i, 2), nullptr, 16));
|
||||
|
@ -33,6 +33,7 @@
|
||||
'dh_unittest.cc',
|
||||
'ecl_unittest.cc',
|
||||
'ghash_unittest.cc',
|
||||
'rsa_unittest.cc',
|
||||
'<(DEPTH)/gtests/common/gtests.cc'
|
||||
],
|
||||
'dependencies': [
|
||||
|
57
security/nss/gtests/freebl_gtest/rsa_unittest.cc
Normal file
57
security/nss/gtests/freebl_gtest/rsa_unittest.cc
Normal file
@ -0,0 +1,57 @@
|
||||
// This Source Code Form is subject to the terms of the Mozilla Public
|
||||
// License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
// You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
#include "gtest/gtest.h"
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#include "blapi.h"
|
||||
#include "secitem.h"
|
||||
|
||||
template <class T>
|
||||
struct ScopedDelete {
|
||||
void operator()(T* ptr) {
|
||||
if (ptr) {
|
||||
PORT_FreeArena(ptr->arena, PR_TRUE);
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
typedef std::unique_ptr<RSAPrivateKey, ScopedDelete<RSAPrivateKey>>
|
||||
ScopedRSAPrivateKey;
|
||||
|
||||
class RSANewKeyTest : public ::testing::Test {
|
||||
protected:
|
||||
RSAPrivateKey* CreateKeyWithExponent(int keySizeInBits,
|
||||
unsigned char publicExponent) {
|
||||
SECItem exp = {siBuffer, 0, 0};
|
||||
unsigned char pubExp[1] = {publicExponent};
|
||||
exp.data = pubExp;
|
||||
exp.len = 1;
|
||||
|
||||
return RSA_NewKey(keySizeInBits, &exp);
|
||||
}
|
||||
};
|
||||
|
||||
TEST_F(RSANewKeyTest, expOneTest) {
|
||||
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x01));
|
||||
ASSERT_TRUE(key == nullptr);
|
||||
}
|
||||
TEST_F(RSANewKeyTest, expTwoTest) {
|
||||
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x02));
|
||||
ASSERT_TRUE(key == nullptr);
|
||||
}
|
||||
TEST_F(RSANewKeyTest, expFourTest) {
|
||||
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x04));
|
||||
ASSERT_TRUE(key == nullptr);
|
||||
}
|
||||
TEST_F(RSANewKeyTest, WrongKeysizeTest) {
|
||||
ScopedRSAPrivateKey key(CreateKeyWithExponent(2047, 0x03));
|
||||
ASSERT_TRUE(key == nullptr);
|
||||
}
|
||||
|
||||
TEST_F(RSANewKeyTest, expThreeTest) {
|
||||
ScopedRSAPrivateKey key(CreateKeyWithExponent(2048, 0x03));
|
||||
ASSERT_TRUE(key != nullptr);
|
||||
}
|
@ -11,6 +11,7 @@ CPPSRCS = \
|
||||
pk11_chacha20poly1305_unittest.cc \
|
||||
pk11_curve25519_unittest.cc \
|
||||
pk11_ecdsa_unittest.cc \
|
||||
pk11_encrypt_derive_unittest.cc \
|
||||
pk11_export_unittest.cc \
|
||||
pk11_pbkdf2_unittest.cc \
|
||||
pk11_prf_unittest.cc \
|
||||
|
210
security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
Normal file
210
security/nss/gtests/pk11_gtest/pk11_encrypt_derive_unittest.cc
Normal file
@ -0,0 +1,210 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "pk11pub.h"
|
||||
#include "nssutil.h"
|
||||
#include <stdio.h>
|
||||
#include "prerror.h"
|
||||
#include "nss.h"
|
||||
#include "gtest/gtest.h"
|
||||
#include "scoped_ptrs.h"
|
||||
#include "cpputil.h"
|
||||
#include "databuffer.h"
|
||||
#include "util.h"
|
||||
|
||||
#define MAX_KEY_SIZE 24
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
static const uint8_t kIv[] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
|
||||
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
|
||||
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
|
||||
static const uint8_t kInput[] = {
|
||||
0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00, 0xff, 0xee, 0xdd, 0xcc,
|
||||
0xbb, 0xaa, 0x99, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x00};
|
||||
|
||||
class EncryptDeriveTest
|
||||
: public ::testing::Test,
|
||||
public ::testing::WithParamInterface<CK_MECHANISM_TYPE> {
|
||||
public:
|
||||
void TestEncryptDerive() {
|
||||
ScopedPK11SymKey derived_key(PK11_Derive(key_.get(), derive_mech(),
|
||||
derive_param(), encrypt_mech(),
|
||||
CKA_DECRYPT, keysize()));
|
||||
ASSERT_TRUE(derived_key);
|
||||
|
||||
uint8_t derived_key_data[MAX_KEY_SIZE];
|
||||
ASSERT_GE(sizeof(derived_key_data), keysize());
|
||||
GetKeyData(derived_key, derived_key_data, keysize());
|
||||
RemoveChecksum(derived_key_data);
|
||||
|
||||
uint8_t reference_key_data[MAX_KEY_SIZE];
|
||||
unsigned int reference_len = 0;
|
||||
SECStatus rv = PK11_Encrypt(key_.get(), encrypt_mech(), encrypt_param(),
|
||||
reference_key_data, &reference_len, keysize(),
|
||||
kInput, keysize());
|
||||
ASSERT_EQ(SECSuccess, rv);
|
||||
ASSERT_EQ(keysize(), static_cast<size_t>(reference_len));
|
||||
RemoveChecksum(reference_key_data);
|
||||
|
||||
EXPECT_EQ(DataBuffer(reference_key_data, keysize()),
|
||||
DataBuffer(derived_key_data, keysize()));
|
||||
}
|
||||
|
||||
protected:
|
||||
unsigned int keysize() const { return 16; }
|
||||
|
||||
private:
|
||||
CK_MECHANISM_TYPE encrypt_mech() const { return GetParam(); }
|
||||
|
||||
CK_MECHANISM_TYPE derive_mech() const {
|
||||
switch (encrypt_mech()) {
|
||||
case CKM_DES3_ECB:
|
||||
return CKM_DES3_ECB_ENCRYPT_DATA;
|
||||
case CKM_DES3_CBC:
|
||||
return CKM_DES3_CBC_ENCRYPT_DATA;
|
||||
case CKM_AES_ECB:
|
||||
return CKM_AES_ECB_ENCRYPT_DATA;
|
||||
case CKM_AES_CBC:
|
||||
return CKM_AES_CBC_ENCRYPT_DATA;
|
||||
case CKM_CAMELLIA_ECB:
|
||||
return CKM_CAMELLIA_ECB_ENCRYPT_DATA;
|
||||
case CKM_CAMELLIA_CBC:
|
||||
return CKM_CAMELLIA_CBC_ENCRYPT_DATA;
|
||||
case CKM_SEED_ECB:
|
||||
return CKM_SEED_ECB_ENCRYPT_DATA;
|
||||
case CKM_SEED_CBC:
|
||||
return CKM_SEED_CBC_ENCRYPT_DATA;
|
||||
default:
|
||||
ADD_FAILURE() << "Unknown mechanism";
|
||||
break;
|
||||
}
|
||||
return CKM_INVALID_MECHANISM;
|
||||
}
|
||||
|
||||
SECItem* derive_param() const {
|
||||
static CK_AES_CBC_ENCRYPT_DATA_PARAMS aes_data;
|
||||
static CK_DES_CBC_ENCRYPT_DATA_PARAMS des_data;
|
||||
static CK_KEY_DERIVATION_STRING_DATA string_data;
|
||||
static SECItem param = {siBuffer, NULL, 0};
|
||||
|
||||
switch (encrypt_mech()) {
|
||||
case CKM_DES3_ECB:
|
||||
case CKM_AES_ECB:
|
||||
case CKM_CAMELLIA_ECB:
|
||||
case CKM_SEED_ECB:
|
||||
string_data.pData = toUcharPtr(kInput);
|
||||
string_data.ulLen = keysize();
|
||||
param.data = reinterpret_cast<uint8_t*>(&string_data);
|
||||
param.len = sizeof(string_data);
|
||||
break;
|
||||
|
||||
case CKM_DES3_CBC:
|
||||
des_data.pData = toUcharPtr(kInput);
|
||||
des_data.length = keysize();
|
||||
PORT_Memcpy(des_data.iv, kIv, 8);
|
||||
param.data = reinterpret_cast<uint8_t*>(&des_data);
|
||||
param.len = sizeof(des_data);
|
||||
break;
|
||||
|
||||
case CKM_AES_CBC:
|
||||
case CKM_CAMELLIA_CBC:
|
||||
case CKM_SEED_CBC:
|
||||
aes_data.pData = toUcharPtr(kInput);
|
||||
aes_data.length = keysize();
|
||||
PORT_Memcpy(aes_data.iv, kIv, keysize());
|
||||
param.data = reinterpret_cast<uint8_t*>(&aes_data);
|
||||
param.len = sizeof(aes_data);
|
||||
break;
|
||||
|
||||
default:
|
||||
ADD_FAILURE() << "Unknown mechanism";
|
||||
break;
|
||||
}
|
||||
return ¶m;
|
||||
}
|
||||
|
||||
SECItem* encrypt_param() const {
|
||||
static SECItem param = {siBuffer, NULL, 0};
|
||||
|
||||
switch (encrypt_mech()) {
|
||||
case CKM_DES3_ECB:
|
||||
case CKM_AES_ECB:
|
||||
case CKM_CAMELLIA_ECB:
|
||||
case CKM_SEED_ECB:
|
||||
// No parameter needed here.
|
||||
break;
|
||||
|
||||
case CKM_DES3_CBC:
|
||||
case CKM_AES_CBC:
|
||||
case CKM_CAMELLIA_CBC:
|
||||
case CKM_SEED_CBC:
|
||||
param.data = toUcharPtr(kIv);
|
||||
param.len = keysize();
|
||||
break;
|
||||
|
||||
default:
|
||||
ADD_FAILURE() << "Unknown mechanism";
|
||||
break;
|
||||
}
|
||||
return ¶m;
|
||||
}
|
||||
|
||||
virtual void SetUp() {
|
||||
slot_.reset(PK11_GetBestSlot(derive_mech(), NULL));
|
||||
ASSERT_TRUE(slot_);
|
||||
|
||||
key_.reset(PK11_TokenKeyGenWithFlags(slot_.get(), encrypt_mech(), NULL,
|
||||
keysize(), NULL,
|
||||
CKF_ENCRYPT | CKF_DERIVE, 0, NULL));
|
||||
ASSERT_TRUE(key_);
|
||||
}
|
||||
|
||||
void GetKeyData(ScopedPK11SymKey& key, uint8_t* buf, size_t max_len) const {
|
||||
ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(key.get()));
|
||||
SECItem* data = PK11_GetKeyData(key.get());
|
||||
ASSERT_TRUE(data);
|
||||
ASSERT_EQ(max_len, static_cast<size_t>(data->len));
|
||||
PORT_Memcpy(buf, data->data, data->len);
|
||||
}
|
||||
|
||||
// Remove checksum if the key is a 3DES key.
|
||||
void RemoveChecksum(uint8_t* key_data) const {
|
||||
if (encrypt_mech() != CKM_DES3_CBC && encrypt_mech() != CKM_DES3_ECB) {
|
||||
return;
|
||||
}
|
||||
for (size_t i = 0; i < keysize(); ++i) {
|
||||
key_data[i] &= 0xfe;
|
||||
}
|
||||
}
|
||||
|
||||
ScopedPK11SlotInfo slot_;
|
||||
ScopedPK11SymKey key_;
|
||||
};
|
||||
|
||||
TEST_P(EncryptDeriveTest, Test) { TestEncryptDerive(); }
|
||||
|
||||
static const CK_MECHANISM_TYPE kEncryptDeriveMechanisms[] = {
|
||||
CKM_DES3_ECB, CKM_DES3_CBC, CKM_AES_ECB, CKM_AES_ECB, CKM_AES_CBC,
|
||||
CKM_CAMELLIA_ECB, CKM_CAMELLIA_CBC, CKM_SEED_ECB, CKM_SEED_CBC};
|
||||
|
||||
INSTANTIATE_TEST_CASE_P(EncryptDeriveTests, EncryptDeriveTest,
|
||||
::testing::ValuesIn(kEncryptDeriveMechanisms));
|
||||
|
||||
// This class handles the case where 3DES takes a 192-bit key
|
||||
// where all 24 octets will be used.
|
||||
class EncryptDerive3Test : public EncryptDeriveTest {
|
||||
protected:
|
||||
unsigned int keysize() const { return 24; }
|
||||
};
|
||||
|
||||
TEST_P(EncryptDerive3Test, Test) { TestEncryptDerive(); }
|
||||
|
||||
static const CK_MECHANISM_TYPE kDES3EncryptDeriveMechanisms[] = {CKM_DES3_ECB,
|
||||
CKM_DES3_CBC};
|
||||
|
||||
INSTANTIATE_TEST_CASE_P(Encrypt3DeriveTests, EncryptDerive3Test,
|
||||
::testing::ValuesIn(kDES3EncryptDeriveMechanisms));
|
||||
|
||||
} // namespace nss_test
|
@ -16,6 +16,7 @@
|
||||
'pk11_chacha20poly1305_unittest.cc',
|
||||
'pk11_curve25519_unittest.cc',
|
||||
'pk11_ecdsa_unittest.cc',
|
||||
'pk11_encrypt_derive_unittest.cc',
|
||||
'pk11_pbkdf2_unittest.cc',
|
||||
'pk11_prf_unittest.cc',
|
||||
'pk11_prng_unittest.cc',
|
||||
|
@ -1,4 +1,4 @@
|
||||
Usage: build.sh [-hcv] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
|
||||
Usage: build.sh [-hcv] [-cc] [-j <n>] [--nspr] [--gyp|-g] [--opt|-o] [-m32]
|
||||
[--test] [--pprof] [--scan-build[=output]] [--ct-verif]
|
||||
[--asan] [--ubsan] [--msan] [--sancov[=edge|bb|func|...]]
|
||||
[--disable-tests] [--fuzz[=tls|oss]] [--system-sqlite]
|
||||
@ -14,6 +14,7 @@ NSS build tool options:
|
||||
|
||||
-h display this help and exit
|
||||
-c clean before build
|
||||
-cc clean without building
|
||||
-v verbose build
|
||||
-j <n> run at most <n> concurrent jobs
|
||||
--nspr force a rebuild of NSPR
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -46,8 +46,8 @@
|
||||
* It's recommend to switch back to 0 after having reached version 98/99.
|
||||
*/
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 18
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "2.18"
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 20
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "2.20"
|
||||
|
||||
/* These version numbers detail the semantic changes to the ckfw engine. */
|
||||
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
|
||||
|
@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_PSS_PARAMS *mech,
|
||||
mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */
|
||||
}
|
||||
|
||||
rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
if (params->saltLength.data) {
|
||||
rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength);
|
||||
if (rv != SECSuccess) {
|
||||
return rv;
|
||||
}
|
||||
} else {
|
||||
saltLength = 20; /* default, 20 */
|
||||
}
|
||||
mech->sLen = saltLength;
|
||||
|
||||
|
@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena,
|
||||
SECKEYRSAPSSParams pssParams;
|
||||
int modBytes, hashLength;
|
||||
unsigned long saltLength;
|
||||
PRBool defaultSHA1 = PR_FALSE;
|
||||
SECStatus rv;
|
||||
|
||||
if (key->keyType != rsaKey && key->keyType != rsaPssKey) {
|
||||
@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena,
|
||||
if (rv != SECSuccess) {
|
||||
return NULL;
|
||||
}
|
||||
defaultSHA1 = PR_TRUE;
|
||||
}
|
||||
|
||||
if (pssParams.trailerField.data) {
|
||||
@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena,
|
||||
/* Determine the hash algorithm to use, based on hashAlgTag and
|
||||
* pssParams.hashAlg; there are four cases */
|
||||
if (hashAlgTag != SEC_OID_UNKNOWN) {
|
||||
SECOidTag tag = SEC_OID_UNKNOWN;
|
||||
|
||||
if (pssParams.hashAlg) {
|
||||
if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return NULL;
|
||||
}
|
||||
tag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
|
||||
} else if (defaultSHA1) {
|
||||
tag = SEC_OID_SHA1;
|
||||
}
|
||||
|
||||
if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return NULL;
|
||||
}
|
||||
} else if (hashAlgTag == SEC_OID_UNKNOWN) {
|
||||
if (pssParams.hashAlg) {
|
||||
hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg);
|
||||
} else if (defaultSHA1) {
|
||||
hashAlgTag = SEC_OID_SHA1;
|
||||
} else {
|
||||
/* Find a suitable hash algorithm based on the NIST recommendation */
|
||||
if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */
|
||||
@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena,
|
||||
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||
return NULL;
|
||||
}
|
||||
} else if (defaultSHA1) {
|
||||
if (hashAlgTag != SEC_OID_SHA1) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
|
||||
hashLength = HASH_ResultLenByOidTag(hashAlgTag);
|
||||
@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool *arena,
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return NULL;
|
||||
}
|
||||
} else if (defaultSHA1) {
|
||||
saltLength = 20;
|
||||
}
|
||||
|
||||
/* Fill in the parameters */
|
||||
|
@ -510,6 +510,10 @@ ifdef USE_64
|
||||
endif
|
||||
endif
|
||||
|
||||
ifndef HAVE_INT128_SUPPORT
|
||||
DEFINES += -DKRML_NOUINT128
|
||||
endif
|
||||
|
||||
ifndef NSS_DISABLE_CHACHAPOLY
|
||||
ifeq ($(CPU_ARCH),x86_64)
|
||||
ifdef HAVE_INT128_SUPPORT
|
||||
@ -520,20 +524,22 @@ ifndef NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
ifneq (1,$(CC_IS_GCC))
|
||||
EXTRA_SRCS += chacha20.c
|
||||
VERIFIED_SRCS += Hacl_Chacha20.c
|
||||
else
|
||||
EXTRA_SRCS += chacha20_vec.c
|
||||
endif
|
||||
else
|
||||
EXTRA_SRCS += poly1305.c
|
||||
EXTRA_SRCS += chacha20.c
|
||||
VERIFIED_SRCS += Hacl_Chacha20.c
|
||||
endif # x86_64
|
||||
endif # NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
|
||||
ifeq (,$(filter-out i386 x386 x86 x86_64 aarch64,$(CPU_ARCH)))
|
||||
# All intel architectures get the 64 bit version
|
||||
# With custom uint128 if necessary (faster than generic 32 bit version).
|
||||
ECL_SRCS += curve25519_64.c
|
||||
VERIFIED_SRCS += hacl_curve25519_64.c
|
||||
VERIFIED_SRCS += Hacl_Curve25519.c FStar.c
|
||||
else
|
||||
# All non intel architectures get the generic 32 bit implementation (slow!)
|
||||
ECL_SRCS += curve25519_32.c
|
||||
@ -586,11 +592,6 @@ ECL_OBJS += $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(ECL_USERS:.c=$(OBJ_SUFFIX)))
|
||||
|
||||
$(ECL_OBJS): $(ECL_HDRS)
|
||||
|
||||
VERIFIED_OBJS = $(addprefix $(OBJDIR)/$(PROG_PREFIX), $(VERIFIED_SRCS:.c=$(OBJ_SUFFIX)))
|
||||
|
||||
$(VERIFIED_OBJS): $(VERIFIED_HDRS)
|
||||
|
||||
|
||||
$(OBJDIR)/sysrand$(OBJ_SUFFIX): sysrand.c unix_rand.c win_rand.c
|
||||
|
||||
$(OBJDIR)/$(PROG_PREFIX)mpprime$(OBJ_SUFFIX): primes.c
|
||||
|
@ -7,113 +7,13 @@
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include "prtypes.h"
|
||||
#include "secport.h"
|
||||
#include "chacha20.h"
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
#pragma intrinsic(_lrotl)
|
||||
#define ROTL32(x, n) _lrotl(x, n)
|
||||
#else
|
||||
#define ROTL32(x, n) ((x << n) | (x >> ((8 * sizeof x) - n)))
|
||||
#endif
|
||||
|
||||
#define ROTATE(v, c) ROTL32((v), (c))
|
||||
|
||||
#define U32TO8_LITTLE(p, v) \
|
||||
{ \
|
||||
(p)[0] = ((v)) & 0xff; \
|
||||
(p)[1] = ((v) >> 8) & 0xff; \
|
||||
(p)[2] = ((v) >> 16) & 0xff; \
|
||||
(p)[3] = ((v) >> 24) & 0xff; \
|
||||
}
|
||||
#define U8TO32_LITTLE(p) \
|
||||
(((PRUint32)((p)[0])) | ((PRUint32)((p)[1]) << 8) | \
|
||||
((PRUint32)((p)[2]) << 16) | ((PRUint32)((p)[3]) << 24))
|
||||
|
||||
#define QUARTERROUND(x, a, b, c, d) \
|
||||
x[a] = x[a] + x[b]; \
|
||||
x[d] = ROTATE(x[d] ^ x[a], 16); \
|
||||
x[c] = x[c] + x[d]; \
|
||||
x[b] = ROTATE(x[b] ^ x[c], 12); \
|
||||
x[a] = x[a] + x[b]; \
|
||||
x[d] = ROTATE(x[d] ^ x[a], 8); \
|
||||
x[c] = x[c] + x[d]; \
|
||||
x[b] = ROTATE(x[b] ^ x[c], 7);
|
||||
|
||||
static void
|
||||
ChaChaCore(unsigned char output[64], const PRUint32 input[16], int num_rounds)
|
||||
{
|
||||
PRUint32 x[16];
|
||||
int i;
|
||||
|
||||
PORT_Memcpy(x, input, sizeof(PRUint32) * 16);
|
||||
for (i = num_rounds; i > 0; i -= 2) {
|
||||
QUARTERROUND(x, 0, 4, 8, 12)
|
||||
QUARTERROUND(x, 1, 5, 9, 13)
|
||||
QUARTERROUND(x, 2, 6, 10, 14)
|
||||
QUARTERROUND(x, 3, 7, 11, 15)
|
||||
QUARTERROUND(x, 0, 5, 10, 15)
|
||||
QUARTERROUND(x, 1, 6, 11, 12)
|
||||
QUARTERROUND(x, 2, 7, 8, 13)
|
||||
QUARTERROUND(x, 3, 4, 9, 14)
|
||||
}
|
||||
|
||||
for (i = 0; i < 16; ++i) {
|
||||
x[i] = x[i] + input[i];
|
||||
}
|
||||
for (i = 0; i < 16; ++i) {
|
||||
U32TO8_LITTLE(output + 4 * i, x[i]);
|
||||
}
|
||||
}
|
||||
|
||||
static const unsigned char sigma[16] = "expand 32-byte k";
|
||||
#include "verified/Hacl_Chacha20.h"
|
||||
|
||||
void
|
||||
ChaCha20XOR(unsigned char *out, const unsigned char *in, unsigned int inLen,
|
||||
const unsigned char key[32], const unsigned char nonce[12],
|
||||
uint32_t counter)
|
||||
{
|
||||
unsigned char block[64];
|
||||
PRUint32 input[16];
|
||||
unsigned int i;
|
||||
|
||||
input[4] = U8TO32_LITTLE(key + 0);
|
||||
input[5] = U8TO32_LITTLE(key + 4);
|
||||
input[6] = U8TO32_LITTLE(key + 8);
|
||||
input[7] = U8TO32_LITTLE(key + 12);
|
||||
|
||||
input[8] = U8TO32_LITTLE(key + 16);
|
||||
input[9] = U8TO32_LITTLE(key + 20);
|
||||
input[10] = U8TO32_LITTLE(key + 24);
|
||||
input[11] = U8TO32_LITTLE(key + 28);
|
||||
|
||||
input[0] = U8TO32_LITTLE(sigma + 0);
|
||||
input[1] = U8TO32_LITTLE(sigma + 4);
|
||||
input[2] = U8TO32_LITTLE(sigma + 8);
|
||||
input[3] = U8TO32_LITTLE(sigma + 12);
|
||||
|
||||
input[12] = counter;
|
||||
input[13] = U8TO32_LITTLE(nonce + 0);
|
||||
input[14] = U8TO32_LITTLE(nonce + 4);
|
||||
input[15] = U8TO32_LITTLE(nonce + 8);
|
||||
|
||||
while (inLen >= 64) {
|
||||
ChaChaCore(block, input, 20);
|
||||
for (i = 0; i < 64; i++) {
|
||||
out[i] = in[i] ^ block[i];
|
||||
}
|
||||
|
||||
input[12]++;
|
||||
inLen -= 64;
|
||||
in += 64;
|
||||
out += 64;
|
||||
}
|
||||
|
||||
if (inLen > 0) {
|
||||
ChaChaCore(block, input, 20);
|
||||
for (i = 0; i < inLen; i++) {
|
||||
out[i] = in[i] ^ block[i];
|
||||
}
|
||||
}
|
||||
Hacl_Chacha20_chacha20(out, (uint8_t *)in, inLen, (uint8_t *)key, (uint8_t *)nonce, counter);
|
||||
}
|
||||
|
@ -3,12 +3,12 @@
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "ecl-priv.h"
|
||||
#include "../verified/hacl_curve25519_64.h"
|
||||
#include "../verified/Hacl_Curve25519.h"
|
||||
|
||||
SECStatus
|
||||
ec_Curve25519_mul(uint8_t *mypublic, const uint8_t *secret, const uint8_t *basepoint)
|
||||
{
|
||||
// Note: this cast is safe because HaCl* state has a post-condition that only "mypublic" changed.
|
||||
Curve25519_crypto_scalarmult(mypublic, (uint8_t *)secret, (uint8_t *)basepoint);
|
||||
Hacl_Curve25519_crypto_scalarmult(mypublic, (uint8_t *)secret, (uint8_t *)basepoint);
|
||||
return 0;
|
||||
}
|
||||
|
@ -16,9 +16,7 @@
|
||||
#include "secerr.h"
|
||||
#include "prtypes.h"
|
||||
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
#include "ec.h" /* Required for ECDSA */
|
||||
#endif
|
||||
|
||||
/*
|
||||
* different platforms have different ways of calling and initial entry point
|
||||
@ -1078,8 +1076,6 @@ rsa_loser:
|
||||
return (SECFailure);
|
||||
}
|
||||
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
|
||||
static SECStatus
|
||||
freebl_fips_ECDSA_Test(ECParams *ecparams,
|
||||
const PRUint8 *knownSignature,
|
||||
@ -1276,8 +1272,6 @@ freebl_fips_ECDSA_PowerUpSelfTest()
|
||||
return (SECSuccess);
|
||||
}
|
||||
|
||||
#endif /* NSS_ENABLE_ECC */
|
||||
|
||||
static SECStatus
|
||||
freebl_fips_DSA_PowerUpSelfTest(void)
|
||||
{
|
||||
@ -1560,13 +1554,11 @@ freebl_fipsPowerUpSelfTest(unsigned int tests)
|
||||
if (rv != SECSuccess)
|
||||
return rv;
|
||||
|
||||
#ifdef NSS_ENABLE_ECC
|
||||
/* ECDSA Power-Up SelfTest(s). */
|
||||
rv = freebl_fips_ECDSA_PowerUpSelfTest();
|
||||
|
||||
if (rv != SECSuccess)
|
||||
return rv;
|
||||
#endif
|
||||
}
|
||||
/* Passed Power-Up SelfTest(s). */
|
||||
return (SECSuccess);
|
||||
|
@ -255,8 +255,16 @@
|
||||
# The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
'HAVE_INT128_SUPPORT',
|
||||
],
|
||||
}, {
|
||||
'defines': [
|
||||
'KRML_NOUINT128',
|
||||
],
|
||||
}],
|
||||
],
|
||||
}, {
|
||||
'defines': [
|
||||
'KRML_NOUINT128',
|
||||
],
|
||||
}],
|
||||
[ 'OS=="linux"', {
|
||||
'defines': [
|
||||
|
@ -130,15 +130,16 @@
|
||||
}],
|
||||
],
|
||||
}],
|
||||
['target_arch=="ia32" or target_arch=="x64"', {
|
||||
['target_arch=="ia32" or target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'sources': [
|
||||
# All intel architectures get the 64 bit version
|
||||
# All intel and 64-bit ARM architectures get the 64 bit version.
|
||||
'ecl/curve25519_64.c',
|
||||
'verified/hacl_curve25519_64.c',
|
||||
'verified/Hacl_Curve25519.c',
|
||||
'verified/FStar.c',
|
||||
],
|
||||
}, {
|
||||
'sources': [
|
||||
# All non intel architectures get the generic 32 bit implementation (slow!)
|
||||
# All other architectures get the generic 32 bit implementation (slow!)
|
||||
'ecl/curve25519_32.c',
|
||||
],
|
||||
}],
|
||||
@ -153,6 +154,7 @@
|
||||
# not x64
|
||||
'sources': [
|
||||
'chacha20.c',
|
||||
'verified/Hacl_Chacha20.c',
|
||||
'poly1305.c',
|
||||
],
|
||||
}],
|
||||
|
@ -53,7 +53,7 @@ to change are:
|
||||
single digit. This is just a printf() format string, so you
|
||||
can adjust it appropriately.
|
||||
|
||||
(3) The macros DIGIT_MAX and MP_WORD_MAX, which specify the
|
||||
(3) The macros DIGIT_MAX and MP_WORD_MAX, which specify the
|
||||
largest value expressible in an mp_digit and an mp_word,
|
||||
respectively.
|
||||
|
||||
@ -345,7 +345,7 @@ returns values of x and y satisfying Bezout's identity. This is used
|
||||
by mp_invmod() to find modular inverses. However, if you do not need
|
||||
these values, you will find that mp_gcd() is MUCH more efficient,
|
||||
since it doesn't need all the intermediate values that mp_xgcd()
|
||||
requires in order to compute x and y.
|
||||
requires in order to compute x and y.
|
||||
|
||||
The mp_gcd() (and mp_xgcd()) functions use the binary (extended) GCD
|
||||
algorithm due to Josef Stein.
|
||||
@ -361,7 +361,7 @@ mp_read_radix(mp, str, r) - convert a string in radix r to an mp_int
|
||||
mp_read_raw(mp, s, len) - convert a string of bytes to an mp_int
|
||||
mp_radix_size(mp, r) - return length of buffer needed by mp_toradix()
|
||||
mp_raw_size(mp) - return length of buffer needed by mp_toraw()
|
||||
mp_toradix(mp, str, r) - convert an mp_int to a string of radix r
|
||||
mp_toradix(mp, str, r) - convert an mp_int to a string of radix r
|
||||
digits
|
||||
mp_toraw(mp, str) - convert an mp_int to a string of bytes
|
||||
mp_tovalue(ch, r) - convert ch to its value when taken as
|
||||
@ -387,7 +387,7 @@ The mp_read_radix() and mp_toradix() functions support bases from 2 to
|
||||
than this, you will need to write them yourself (that's why mp_div_d()
|
||||
is provided, after all).
|
||||
|
||||
Note: mp_read_radix() will accept as digits either capital or
|
||||
Note: mp_read_radix() will accept as digits either capital or
|
||||
---- lower-case letters. However, the current implementation of
|
||||
mp_toradix() only outputs upper-case letters, when writing
|
||||
bases betwee 10 and 36. The underlying code supports using
|
||||
@ -448,14 +448,14 @@ Note: The mpp_random() and mpp_random_size() functions use the C
|
||||
to change.
|
||||
|
||||
mpp_divis_vector(a, v, s, w) - is a divisible by any of the s digits
|
||||
in v? If so, let w be the index of
|
||||
in v? If so, let w be the index of
|
||||
that digit
|
||||
|
||||
mpp_divis_primes(a, np) - is a divisible by any of the first np
|
||||
primes? If so, set np to the prime
|
||||
primes? If so, set np to the prime
|
||||
which divided a.
|
||||
|
||||
mpp_fermat(a, d) - test if w^a = w (mod a). If so,
|
||||
mpp_fermat(a, d) - test if w^a = w (mod a). If so,
|
||||
returns MP_YES, otherwise MP_NO.
|
||||
|
||||
mpp_pprime(a, nt) - perform nt iterations of the Rabin-
|
||||
@ -486,7 +486,7 @@ The file 'mpi-config.h' defines several configurable parameters for
|
||||
the library, which you can adjust to suit your application. At the
|
||||
time of this writing, the available options are:
|
||||
|
||||
MP_IOFUNC - Define true to include the mp_print() function,
|
||||
MP_IOFUNC - Define true to include the mp_print() function,
|
||||
which is moderately useful for debugging. This
|
||||
implicitly includes <stdio.h>.
|
||||
|
||||
@ -502,21 +502,14 @@ MP_LOGTAB - If true, the file "logtab.h" is included, which
|
||||
the library includes <math.h> and uses log(). This
|
||||
typically forces you to link against math libraries.
|
||||
|
||||
MP_MEMSET - If true, use memset() to zero buffers. If you run
|
||||
into weird alignment related bugs, set this to zero
|
||||
and an explicit loop will be used.
|
||||
|
||||
MP_MEMCPY - If true, use memcpy() to copy buffers. If you run
|
||||
into weird alignment bugs, set this to zero and an
|
||||
explicit loop will be used.
|
||||
|
||||
MP_ARGCHK - Set to 0, 1, or 2. This defines how the argument
|
||||
checking macro, ARGCHK(), gets expanded. If this
|
||||
is set to zero, ARGCHK() expands to nothing; no
|
||||
checking macro, ARGCHK(), gets expanded. If this
|
||||
is set to zero, ARGCHK() expands to nothing; no
|
||||
argument checks are performed. If this is 1, the
|
||||
ARGCHK() macro expands to code that returns MP_BADARG
|
||||
or similar at runtime. If it is 2, ARGCHK() expands
|
||||
to an assert() call that aborts the program on a
|
||||
or similar at runtime. If it is 2, ARGCHK() expands
|
||||
to an assert() call that aborts the program on a
|
||||
bad input.
|
||||
|
||||
MP_DEBUG - Turns on debugging output. This is probably not at
|
||||
@ -528,14 +521,14 @@ MP_DEFPREC - The default precision of a newly-created mp_int, in
|
||||
the mp_set_prec() function, but this is its initial
|
||||
value.
|
||||
|
||||
MP_SQUARE - If this is set to a nonzero value, the mp_sqr()
|
||||
MP_SQUARE - If this is set to a nonzero value, the mp_sqr()
|
||||
function will use an alternate algorithm that takes
|
||||
advantage of the redundant inner product computation
|
||||
when both multiplicands are identical. Unfortunately,
|
||||
with some compilers this is actually SLOWER than just
|
||||
calling mp_mul() with the same argument twice. So
|
||||
if you set MP_SQUARE to zero, mp_sqr() will be expan-
|
||||
ded into a call to mp_mul(). This applies to all
|
||||
ded into a call to mp_mul(). This applies to all
|
||||
the uses of mp_sqr(), including mp_sqrmod() and the
|
||||
internal calls to s_mp_sqr() inside mpi.c
|
||||
|
||||
@ -568,7 +561,7 @@ CFLAGS=-ansi -pedantic -Wall -O2
|
||||
|
||||
If all goes well, the library should compile without warnings using
|
||||
this combination. You should, of course, make whatever adjustments
|
||||
you find necessary.
|
||||
you find necessary.
|
||||
|
||||
The MPI library distribution comes with several additional programs
|
||||
which are intended to demonstrate the use of the library, and provide
|
||||
@ -580,7 +573,7 @@ directory) for manipulating large numbers. These include:
|
||||
basecvt.c A radix-conversion program, supporting bases from
|
||||
2 to 64 inclusive.
|
||||
|
||||
bbsrand.c A BBS (quadratic residue) pseudo-random number
|
||||
bbsrand.c A BBS (quadratic residue) pseudo-random number
|
||||
generator. The file 'bbsrand.c' is just the driver
|
||||
for the program; the real code lives in the files
|
||||
'bbs_rand.h' and 'bbs_rand.c'
|
||||
@ -626,7 +619,7 @@ Acknowledgements:
|
||||
----------------
|
||||
|
||||
The algorithms used in this library were drawn primarily from Volume
|
||||
2 of Donald Knuth's magnum opus, _The Art of Computer Programming_,
|
||||
2 of Donald Knuth's magnum opus, _The Art of Computer Programming_,
|
||||
"Semi-Numerical Methods". Barrett's algorithm for modular reduction
|
||||
came from Menezes, Oorschot, and Vanstone's _Handbook of Applied
|
||||
Cryptography_, Chapter 14.
|
||||
|
@ -28,14 +28,6 @@
|
||||
#define MP_LOGTAB 1 /* use table of logs instead of log()? */
|
||||
#endif
|
||||
|
||||
#ifndef MP_MEMSET
|
||||
#define MP_MEMSET 1 /* use memset() to zero buffers? */
|
||||
#endif
|
||||
|
||||
#ifndef MP_MEMCPY
|
||||
#define MP_MEMCPY 1 /* use memcpy() to copy buffers? */
|
||||
#endif
|
||||
|
||||
#ifndef MP_ARGCHK
|
||||
/*
|
||||
0 = no parameter checks
|
||||
|
@ -2782,15 +2782,7 @@ s_mp_pad(mp_int *mp, mp_size min)
|
||||
void
|
||||
s_mp_setz(mp_digit *dp, mp_size count)
|
||||
{
|
||||
#if MP_MEMSET == 0
|
||||
int ix;
|
||||
|
||||
for (ix = 0; ix < count; ix++)
|
||||
dp[ix] = 0;
|
||||
#else
|
||||
memset(dp, 0, count * sizeof(mp_digit));
|
||||
#endif
|
||||
|
||||
} /* end s_mp_setz() */
|
||||
|
||||
/* }}} */
|
||||
@ -2801,14 +2793,7 @@ s_mp_setz(mp_digit *dp, mp_size count)
|
||||
void
|
||||
s_mp_copy(const mp_digit *sp, mp_digit *dp, mp_size count)
|
||||
{
|
||||
#if MP_MEMCPY == 0
|
||||
int ix;
|
||||
|
||||
for (ix = 0; ix < count; ix++)
|
||||
dp[ix] = sp[ix];
|
||||
#else
|
||||
memcpy(dp, sp, count * sizeof(mp_digit));
|
||||
#endif
|
||||
} /* end s_mp_copy() */
|
||||
|
||||
/* }}} */
|
||||
|
@ -8,6 +8,8 @@
|
||||
#ifndef FREEBL_POLY1305_H_
|
||||
#define FREEBL_POLY1305_H_
|
||||
|
||||
#include "stddef.h"
|
||||
|
||||
typedef unsigned char poly1305_state[512];
|
||||
|
||||
/* Poly1305Init sets up |state| so that it can be used to calculate an
|
||||
|
@ -276,7 +276,10 @@ RSAPrivateKey *
|
||||
RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
|
||||
{
|
||||
unsigned int primeLen;
|
||||
mp_int p, q, e, d;
|
||||
mp_int p = { 0, 0, 0, NULL };
|
||||
mp_int q = { 0, 0, 0, NULL };
|
||||
mp_int e = { 0, 0, 0, NULL };
|
||||
mp_int d = { 0, 0, 0, NULL };
|
||||
int kiter;
|
||||
int max_attempts;
|
||||
mp_err err = MP_OKAY;
|
||||
@ -290,41 +293,46 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return NULL;
|
||||
}
|
||||
/* 1. Allocate arena & key */
|
||||
/* 1. Set the public exponent and check if it's uneven and greater than 2.*/
|
||||
MP_DIGITS(&e) = 0;
|
||||
CHECK_MPI_OK(mp_init(&e));
|
||||
SECITEM_TO_MPINT(*publicExponent, &e);
|
||||
if (mp_iseven(&e) || !(mp_cmp_d(&e, 2) > 0)) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
goto cleanup;
|
||||
}
|
||||
#ifndef NSS_FIPS_DISABLED
|
||||
/* Check that the exponent is not smaller than 65537 */
|
||||
if (mp_cmp_d(&e, 0x10001) < 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
goto cleanup;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* 2. Allocate arena & key */
|
||||
arena = PORT_NewArena(NSS_FREEBL_DEFAULT_CHUNKSIZE);
|
||||
if (!arena) {
|
||||
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
return NULL;
|
||||
goto cleanup;
|
||||
}
|
||||
key = PORT_ArenaZNew(arena, RSAPrivateKey);
|
||||
if (!key) {
|
||||
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
PORT_FreeArena(arena, PR_TRUE);
|
||||
return NULL;
|
||||
goto cleanup;
|
||||
}
|
||||
key->arena = arena;
|
||||
/* length of primes p and q (in bytes) */
|
||||
primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE);
|
||||
MP_DIGITS(&p) = 0;
|
||||
MP_DIGITS(&q) = 0;
|
||||
MP_DIGITS(&e) = 0;
|
||||
MP_DIGITS(&d) = 0;
|
||||
CHECK_MPI_OK(mp_init(&p));
|
||||
CHECK_MPI_OK(mp_init(&q));
|
||||
CHECK_MPI_OK(mp_init(&e));
|
||||
CHECK_MPI_OK(mp_init(&d));
|
||||
/* 2. Set the version number (PKCS1 v1.5 says it should be zero) */
|
||||
/* 3. Set the version number (PKCS1 v1.5 says it should be zero) */
|
||||
SECITEM_AllocItem(arena, &key->version, 1);
|
||||
key->version.data[0] = 0;
|
||||
/* 3. Set the public exponent */
|
||||
SECITEM_TO_MPINT(*publicExponent, &e);
|
||||
#ifndef NSS_FIPS_DISABLED
|
||||
/* check the exponent size we */
|
||||
if (mp_cmp_d(&e, 0x10001) < 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
goto cleanup;
|
||||
}
|
||||
#endif
|
||||
|
||||
kiter = 0;
|
||||
max_attempts = 5 * (keySizeInBits / 2); /* FIPS 186-4 B.3.3 steps 4.7 and 5.8 */
|
||||
do {
|
||||
|
@ -1,51 +1,35 @@
|
||||
// Copyright 2016-2017 Microsoft Corporation
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
/* This file was auto-generated by KreMLin! */
|
||||
|
||||
#ifndef __FStar_UInt128_H
|
||||
#define __FStar_UInt128_H
|
||||
#include "FStar.h"
|
||||
|
||||
typedef struct
|
||||
{
|
||||
uint64_t low;
|
||||
uint64_t high;
|
||||
} FStar_UInt128_uint128;
|
||||
|
||||
typedef FStar_UInt128_uint128 FStar_UInt128_t;
|
||||
|
||||
typedef struct
|
||||
{
|
||||
uint64_t fst;
|
||||
uint64_t snd;
|
||||
uint64_t thd;
|
||||
uint64_t f3;
|
||||
} K___uint64_t_uint64_t_uint64_t_uint64_t;
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_constant_time_carry(uint64_t a, uint64_t b)
|
||||
{
|
||||
return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63;
|
||||
return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (uint32_t)63U;
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_carry(uint64_t a, uint64_t b)
|
||||
{
|
||||
return FStar_UInt128_constant_time_carry(a, b);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return (
|
||||
@ -54,7 +38,7 @@ FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return (
|
||||
@ -63,7 +47,7 @@ FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
.high = a.high + b.high + FStar_UInt128_carry(a.low + b.low, b.low) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return (
|
||||
@ -72,7 +56,7 @@ FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
static FStar_UInt128_uint128
|
||||
FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return (
|
||||
@ -81,54 +65,54 @@ FStar_UInt128_sub_mod_impl(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
.high = a.high - b.high - FStar_UInt128_carry(a.low, a.low - b.low) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return FStar_UInt128_sub_mod_impl(a, b);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = a.low & b.low, .high = a.high & b.high });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = a.low ^ b.low, .high = a.high ^ b.high });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = a.low | b.low, .high = a.high | b.high });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_lognot(FStar_UInt128_uint128 a)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = ~a.low, .high = ~a.high });
|
||||
}
|
||||
|
||||
static uint32_t FStar_UInt128_u32_64 = (uint32_t)64;
|
||||
static uint32_t FStar_UInt128_u32_64 = (uint32_t)64U;
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_add_u64_shift_left(uint64_t hi, uint64_t lo, uint32_t s)
|
||||
{
|
||||
return (hi << s) + (lo >> (FStar_UInt128_u32_64 - s));
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_add_u64_shift_left_respec(uint64_t hi, uint64_t lo, uint32_t s)
|
||||
{
|
||||
return FStar_UInt128_add_u64_shift_left(hi, lo, s);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
static FStar_UInt128_uint128
|
||||
FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
|
||||
{
|
||||
if (s == (uint32_t)0)
|
||||
if (s == (uint32_t)0U)
|
||||
return a;
|
||||
else
|
||||
return (
|
||||
@ -137,13 +121,13 @@ FStar_UInt128_shift_left_small(FStar_UInt128_uint128 a, uint32_t s)
|
||||
.high = FStar_UInt128_add_u64_shift_left_respec(a.high, a.low, s) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
static FStar_UInt128_uint128
|
||||
FStar_UInt128_shift_left_large(FStar_UInt128_uint128 a, uint32_t s)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = (uint64_t)0, .high = a.low << (s - FStar_UInt128_u32_64) });
|
||||
return ((FStar_UInt128_uint128){.low = (uint64_t)0U, .high = a.low << (s - FStar_UInt128_u32_64) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
|
||||
{
|
||||
if (s < FStar_UInt128_u32_64)
|
||||
@ -152,22 +136,22 @@ FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s)
|
||||
return FStar_UInt128_shift_left_large(a, s);
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_add_u64_shift_right(uint64_t hi, uint64_t lo, uint32_t s)
|
||||
{
|
||||
return (lo >> s) + (hi << (FStar_UInt128_u32_64 - s));
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_add_u64_shift_right_respec(uint64_t hi, uint64_t lo, uint32_t s)
|
||||
{
|
||||
return FStar_UInt128_add_u64_shift_right(hi, lo, s);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
static FStar_UInt128_uint128
|
||||
FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
|
||||
{
|
||||
if (s == (uint32_t)0)
|
||||
if (s == (uint32_t)0U)
|
||||
return a;
|
||||
else
|
||||
return (
|
||||
@ -176,13 +160,13 @@ FStar_UInt128_shift_right_small(FStar_UInt128_uint128 a, uint32_t s)
|
||||
.high = a.high >> s });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
static FStar_UInt128_uint128
|
||||
FStar_UInt128_shift_right_large(FStar_UInt128_uint128 a, uint32_t s)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0 });
|
||||
return ((FStar_UInt128_uint128){.low = a.high >> (s - FStar_UInt128_u32_64), .high = (uint64_t)0U });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
|
||||
{
|
||||
if (s < FStar_UInt128_u32_64)
|
||||
@ -191,7 +175,7 @@ FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s)
|
||||
return FStar_UInt128_shift_right_large(a, s);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return (
|
||||
@ -200,44 +184,38 @@ FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
.high = FStar_UInt64_eq_mask(a.low, b.low) & FStar_UInt64_eq_mask(a.high, b.high) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b)
|
||||
{
|
||||
return (
|
||||
(FStar_UInt128_uint128){
|
||||
.low = (FStar_UInt64_gte_mask(a.high,
|
||||
b.high) &
|
||||
~FStar_UInt64_eq_mask(a.high, b.high)) |
|
||||
(FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
|
||||
.high = (FStar_UInt64_gte_mask(a.high,
|
||||
b.high) &
|
||||
~FStar_UInt64_eq_mask(a.high, b.high)) |
|
||||
(FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)) });
|
||||
.low = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)),
|
||||
.high = (FStar_UInt64_gte_mask(a.high, b.high) & ~FStar_UInt64_eq_mask(a.high, b.high)) | (FStar_UInt64_eq_mask(a.high, b.high) & FStar_UInt64_gte_mask(a.low, b.low)) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_uint64_to_uint128(uint64_t a)
|
||||
{
|
||||
return ((FStar_UInt128_uint128){.low = a, .high = (uint64_t)0 });
|
||||
return ((FStar_UInt128_uint128){.low = a, .high = (uint64_t)0U });
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
uint64_t
|
||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a)
|
||||
{
|
||||
return a.low;
|
||||
}
|
||||
|
||||
static uint64_t FStar_UInt128_u64_l32_mask = (uint64_t)0xffffffff;
|
||||
static uint64_t FStar_UInt128_u64_l32_mask = (uint64_t)0xffffffffU;
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_u64_mod_32(uint64_t a)
|
||||
{
|
||||
return a & FStar_UInt128_u64_l32_mask;
|
||||
}
|
||||
|
||||
static uint32_t FStar_UInt128_u32_32 = (uint32_t)32;
|
||||
static uint32_t FStar_UInt128_u32_32 = (uint32_t)32U;
|
||||
|
||||
static inline K___uint64_t_uint64_t_uint64_t_uint64_t
|
||||
static K___uint64_t_uint64_t_uint64_t_uint64_t
|
||||
FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
|
||||
{
|
||||
return (
|
||||
@ -248,13 +226,13 @@ FStar_UInt128_mul_wide_impl_t_(uint64_t x, uint64_t y)
|
||||
.f3 = (x >> FStar_UInt128_u32_32) * FStar_UInt128_u64_mod_32(y) + (FStar_UInt128_u64_mod_32(x) * FStar_UInt128_u64_mod_32(y) >> FStar_UInt128_u32_32) });
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
static uint64_t
|
||||
FStar_UInt128_u32_combine_(uint64_t hi, uint64_t lo)
|
||||
{
|
||||
return lo + (hi << FStar_UInt128_u32_32);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
static FStar_UInt128_uint128
|
||||
FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
|
||||
{
|
||||
K___uint64_t_uint64_t_uint64_t_uint64_t scrut = FStar_UInt128_mul_wide_impl_t_(x, y);
|
||||
@ -270,22 +248,8 @@ FStar_UInt128_mul_wide_impl(uint64_t x, uint64_t y)
|
||||
((u1 * (y >> FStar_UInt128_u32_32) + FStar_UInt128_u64_mod_32(t_)) >> FStar_UInt128_u32_32) });
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_UInt128_uint128
|
||||
FStar_UInt128_mul_wide(uint64_t x, uint64_t y)
|
||||
{
|
||||
return FStar_UInt128_mul_wide_impl(x, y);
|
||||
}
|
||||
|
||||
static inline FStar_UInt128_uint128
|
||||
FStar_Int_Cast_Full_uint64_to_uint128(uint64_t a)
|
||||
{
|
||||
return FStar_UInt128_uint64_to_uint128(a);
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
FStar_Int_Cast_Full_uint128_to_uint64(FStar_UInt128_uint128 a)
|
||||
{
|
||||
return FStar_UInt128_uint128_to_uint64(a);
|
||||
}
|
||||
|
||||
#endif
|
69
security/nss/lib/freebl/verified/FStar.h
Normal file
69
security/nss/lib/freebl/verified/FStar.h
Normal file
@ -0,0 +1,69 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
/* This file was auto-generated by KreMLin! */
|
||||
#ifndef __FStar_H
|
||||
#define __FStar_H
|
||||
|
||||
#include "kremlib_base.h"
|
||||
|
||||
typedef struct
|
||||
{
|
||||
uint64_t low;
|
||||
uint64_t high;
|
||||
} FStar_UInt128_uint128;
|
||||
|
||||
typedef FStar_UInt128_uint128 FStar_UInt128_t;
|
||||
|
||||
extern void FStar_UInt128_constant_time_carry_ok(uint64_t x0, uint64_t x1);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_add(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_add_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_sub(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_sub_mod(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_logand(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_logxor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_logor(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_lognot(FStar_UInt128_uint128 a);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_shift_left(FStar_UInt128_uint128 a, uint32_t s);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_shift_right(FStar_UInt128_uint128 a, uint32_t s);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_eq_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_gte_mask(FStar_UInt128_uint128 a, FStar_UInt128_uint128 b);
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_uint64_to_uint128(uint64_t a);
|
||||
|
||||
uint64_t FStar_UInt128_uint128_to_uint64(FStar_UInt128_uint128 a);
|
||||
|
||||
typedef struct
|
||||
{
|
||||
uint64_t fst;
|
||||
uint64_t snd;
|
||||
uint64_t thd;
|
||||
uint64_t f3;
|
||||
} K___uint64_t_uint64_t_uint64_t_uint64_t;
|
||||
|
||||
FStar_UInt128_uint128 FStar_UInt128_mul_wide(uint64_t x, uint64_t y);
|
||||
#endif
|
255
security/nss/lib/freebl/verified/Hacl_Chacha20.c
Normal file
255
security/nss/lib/freebl/verified/Hacl_Chacha20.c
Normal file
@ -0,0 +1,255 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "Hacl_Chacha20.h"
|
||||
|
||||
static void
|
||||
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(uint32_t *output, uint8_t *input, uint32_t len)
|
||||
{
|
||||
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
|
||||
uint8_t *x0 = input + (uint32_t)4U * i;
|
||||
uint32_t inputi = load32_le(x0);
|
||||
output[i] = inputi;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(uint8_t *output, uint32_t *input, uint32_t len)
|
||||
{
|
||||
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
|
||||
uint32_t hd1 = input[i];
|
||||
uint8_t *x0 = output + (uint32_t)4U * i;
|
||||
store32_le(x0, hd1);
|
||||
}
|
||||
}
|
||||
|
||||
inline static uint32_t
|
||||
Hacl_Impl_Chacha20_rotate_left(uint32_t a, uint32_t s)
|
||||
{
|
||||
return a << s | a >> ((uint32_t)32U - s);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_setup(uint32_t *st, uint8_t *k, uint8_t *n1, uint32_t c)
|
||||
{
|
||||
uint32_t *stcst = st;
|
||||
uint32_t *stk = st + (uint32_t)4U;
|
||||
uint32_t *stc = st + (uint32_t)12U;
|
||||
uint32_t *stn = st + (uint32_t)13U;
|
||||
stcst[0U] = (uint32_t)0x61707865U;
|
||||
stcst[1U] = (uint32_t)0x3320646eU;
|
||||
stcst[2U] = (uint32_t)0x79622d32U;
|
||||
stcst[3U] = (uint32_t)0x6b206574U;
|
||||
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stk, k, (uint32_t)8U);
|
||||
stc[0U] = c;
|
||||
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(stn, n1, (uint32_t)3U);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_quarter_round(uint32_t *st, uint32_t a, uint32_t b, uint32_t c, uint32_t d)
|
||||
{
|
||||
uint32_t sa = st[a];
|
||||
uint32_t sb0 = st[b];
|
||||
st[a] = sa + sb0;
|
||||
uint32_t sd = st[d];
|
||||
uint32_t sa10 = st[a];
|
||||
uint32_t sda = sd ^ sa10;
|
||||
st[d] = Hacl_Impl_Chacha20_rotate_left(sda, (uint32_t)16U);
|
||||
uint32_t sa0 = st[c];
|
||||
uint32_t sb1 = st[d];
|
||||
st[c] = sa0 + sb1;
|
||||
uint32_t sd0 = st[b];
|
||||
uint32_t sa11 = st[c];
|
||||
uint32_t sda0 = sd0 ^ sa11;
|
||||
st[b] = Hacl_Impl_Chacha20_rotate_left(sda0, (uint32_t)12U);
|
||||
uint32_t sa2 = st[a];
|
||||
uint32_t sb2 = st[b];
|
||||
st[a] = sa2 + sb2;
|
||||
uint32_t sd1 = st[d];
|
||||
uint32_t sa12 = st[a];
|
||||
uint32_t sda1 = sd1 ^ sa12;
|
||||
st[d] = Hacl_Impl_Chacha20_rotate_left(sda1, (uint32_t)8U);
|
||||
uint32_t sa3 = st[c];
|
||||
uint32_t sb = st[d];
|
||||
st[c] = sa3 + sb;
|
||||
uint32_t sd2 = st[b];
|
||||
uint32_t sa1 = st[c];
|
||||
uint32_t sda2 = sd2 ^ sa1;
|
||||
st[b] = Hacl_Impl_Chacha20_rotate_left(sda2, (uint32_t)7U);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_double_round(uint32_t *st)
|
||||
{
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)4U, (uint32_t)8U, (uint32_t)12U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)5U, (uint32_t)9U, (uint32_t)13U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)6U, (uint32_t)10U, (uint32_t)14U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)7U, (uint32_t)11U, (uint32_t)15U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)0U, (uint32_t)5U, (uint32_t)10U, (uint32_t)15U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)1U, (uint32_t)6U, (uint32_t)11U, (uint32_t)12U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)2U, (uint32_t)7U, (uint32_t)8U, (uint32_t)13U);
|
||||
Hacl_Impl_Chacha20_quarter_round(st, (uint32_t)3U, (uint32_t)4U, (uint32_t)9U, (uint32_t)14U);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_rounds(uint32_t *st)
|
||||
{
|
||||
for (uint32_t i = (uint32_t)0U; i < (uint32_t)10U; i = i + (uint32_t)1U)
|
||||
Hacl_Impl_Chacha20_double_round(st);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_sum_states(uint32_t *st, uint32_t *st_)
|
||||
{
|
||||
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
|
||||
uint32_t xi = st[i];
|
||||
uint32_t yi = st_[i];
|
||||
st[i] = xi + yi;
|
||||
}
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_copy_state(uint32_t *st, uint32_t *st_)
|
||||
{
|
||||
memcpy(st, st_, (uint32_t)16U * sizeof st_[0U]);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_chacha20_core(uint32_t *k, uint32_t *st, uint32_t ctr)
|
||||
{
|
||||
st[12U] = ctr;
|
||||
Hacl_Impl_Chacha20_copy_state(k, st);
|
||||
Hacl_Impl_Chacha20_rounds(k);
|
||||
Hacl_Impl_Chacha20_sum_states(k, st);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_chacha20_block(uint8_t *stream_block, uint32_t *st, uint32_t ctr)
|
||||
{
|
||||
uint32_t st_[16U] = { 0U };
|
||||
Hacl_Impl_Chacha20_chacha20_core(st_, st, ctr);
|
||||
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(stream_block, st_, (uint32_t)16U);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Impl_Chacha20_init(uint32_t *st, uint8_t *k, uint8_t *n1)
|
||||
{
|
||||
Hacl_Impl_Chacha20_setup(st, k, n1, (uint32_t)0U);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_update(uint8_t *output, uint8_t *plain, uint32_t *st, uint32_t ctr)
|
||||
{
|
||||
uint32_t b[48U] = { 0U };
|
||||
uint32_t *k = b;
|
||||
uint32_t *ib = b + (uint32_t)16U;
|
||||
uint32_t *ob = b + (uint32_t)32U;
|
||||
Hacl_Impl_Chacha20_chacha20_core(k, st, ctr);
|
||||
Hacl_Lib_LoadStore32_uint32s_from_le_bytes(ib, plain, (uint32_t)16U);
|
||||
for (uint32_t i = (uint32_t)0U; i < (uint32_t)16U; i = i + (uint32_t)1U) {
|
||||
uint32_t xi = ib[i];
|
||||
uint32_t yi = k[i];
|
||||
ob[i] = xi ^ yi;
|
||||
}
|
||||
Hacl_Lib_LoadStore32_uint32s_to_le_bytes(output, ob, (uint32_t)16U);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_update_last(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint32_t *st,
|
||||
uint32_t ctr)
|
||||
{
|
||||
uint8_t block[64U] = { 0U };
|
||||
Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
|
||||
uint8_t *mask = block;
|
||||
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
|
||||
uint8_t xi = plain[i];
|
||||
uint8_t yi = mask[i];
|
||||
output[i] = xi ^ yi;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint32_t *st,
|
||||
uint32_t ctr)
|
||||
{
|
||||
for (uint32_t i = (uint32_t)0U; i < len; i = i + (uint32_t)1U) {
|
||||
uint8_t *b = plain + (uint32_t)64U * i;
|
||||
uint8_t *o = output + (uint32_t)64U * i;
|
||||
Hacl_Impl_Chacha20_update(o, b, st, ctr + i);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_chacha20_counter_mode(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint32_t *st,
|
||||
uint32_t ctr)
|
||||
{
|
||||
uint32_t blocks_len = len >> (uint32_t)6U;
|
||||
uint32_t part_len = len & (uint32_t)0x3fU;
|
||||
uint8_t *output_ = output;
|
||||
uint8_t *plain_ = plain;
|
||||
uint8_t *output__ = output + (uint32_t)64U * blocks_len;
|
||||
uint8_t *plain__ = plain + (uint32_t)64U * blocks_len;
|
||||
Hacl_Impl_Chacha20_chacha20_counter_mode_blocks(output_, plain_, blocks_len, st, ctr);
|
||||
if (part_len > (uint32_t)0U)
|
||||
Hacl_Impl_Chacha20_update_last(output__, plain__, part_len, st, ctr + blocks_len);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Impl_Chacha20_chacha20(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint8_t *k,
|
||||
uint8_t *n1,
|
||||
uint32_t ctr)
|
||||
{
|
||||
uint32_t buf[16U] = { 0U };
|
||||
uint32_t *st = buf;
|
||||
Hacl_Impl_Chacha20_init(st, k, n1);
|
||||
Hacl_Impl_Chacha20_chacha20_counter_mode(output, plain, len, st, ctr);
|
||||
}
|
||||
|
||||
void
|
||||
Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr)
|
||||
{
|
||||
uint32_t buf[16U] = { 0U };
|
||||
uint32_t *st = buf;
|
||||
Hacl_Impl_Chacha20_init(st, k, n1);
|
||||
Hacl_Impl_Chacha20_chacha20_block(block, st, ctr);
|
||||
}
|
||||
|
||||
void
|
||||
Hacl_Chacha20_chacha20(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint8_t *k,
|
||||
uint8_t *n1,
|
||||
uint32_t ctr)
|
||||
{
|
||||
Hacl_Impl_Chacha20_chacha20(output, plain, len, k, n1, ctr);
|
||||
}
|
60
security/nss/lib/freebl/verified/Hacl_Chacha20.h
Normal file
60
security/nss/lib/freebl/verified/Hacl_Chacha20.h
Normal file
@ -0,0 +1,60 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "kremlib.h"
|
||||
#ifndef __Hacl_Chacha20_H
|
||||
#define __Hacl_Chacha20_H
|
||||
|
||||
typedef uint32_t Hacl_Impl_Xor_Lemmas_u32;
|
||||
|
||||
typedef uint8_t Hacl_Impl_Xor_Lemmas_u8;
|
||||
|
||||
typedef uint8_t *Hacl_Lib_LoadStore32_uint8_p;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_u32;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_h32;
|
||||
|
||||
typedef uint8_t *Hacl_Impl_Chacha20_uint8_p;
|
||||
|
||||
typedef uint32_t *Hacl_Impl_Chacha20_state;
|
||||
|
||||
typedef uint32_t Hacl_Impl_Chacha20_idx;
|
||||
|
||||
typedef struct
|
||||
{
|
||||
void *k;
|
||||
void *n;
|
||||
} Hacl_Impl_Chacha20_log_t_;
|
||||
|
||||
typedef void *Hacl_Impl_Chacha20_log_t;
|
||||
|
||||
typedef uint32_t Hacl_Lib_Create_h32;
|
||||
|
||||
typedef uint8_t *Hacl_Chacha20_uint8_p;
|
||||
|
||||
typedef uint32_t Hacl_Chacha20_uint32_t;
|
||||
|
||||
void Hacl_Chacha20_chacha20_key_block(uint8_t *block, uint8_t *k, uint8_t *n1, uint32_t ctr);
|
||||
|
||||
void
|
||||
Hacl_Chacha20_chacha20(
|
||||
uint8_t *output,
|
||||
uint8_t *plain,
|
||||
uint32_t len,
|
||||
uint8_t *k,
|
||||
uint8_t *n1,
|
||||
uint32_t ctr);
|
||||
#endif
|
845
security/nss/lib/freebl/verified/Hacl_Curve25519.c
Normal file
845
security/nss/lib/freebl/verified/Hacl_Curve25519.c
Normal file
@ -0,0 +1,845 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "Hacl_Curve25519.h"
|
||||
|
||||
static void
|
||||
Hacl_Bignum_Modulo_carry_top(uint64_t *b)
|
||||
{
|
||||
uint64_t b4 = b[4U];
|
||||
uint64_t b0 = b[0U];
|
||||
uint64_t b4_ = b4 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t b0_ = b0 + (uint64_t)19U * (b4 >> (uint32_t)51U);
|
||||
b[4U] = b4_;
|
||||
b[0U] = b0_;
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fproduct_copy_from_wide_(uint64_t *output, FStar_UInt128_t *input)
|
||||
{
|
||||
{
|
||||
FStar_UInt128_t xi = input[0U];
|
||||
output[0U] = FStar_UInt128_uint128_to_uint64(xi);
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = input[1U];
|
||||
output[1U] = FStar_UInt128_uint128_to_uint64(xi);
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = input[2U];
|
||||
output[2U] = FStar_UInt128_uint128_to_uint64(xi);
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = input[3U];
|
||||
output[3U] = FStar_UInt128_uint128_to_uint64(xi);
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = input[4U];
|
||||
output[4U] = FStar_UInt128_uint128_to_uint64(xi);
|
||||
}
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(
|
||||
FStar_UInt128_t *output,
|
||||
uint64_t *input,
|
||||
uint64_t s)
|
||||
{
|
||||
{
|
||||
FStar_UInt128_t xi = output[0U];
|
||||
uint64_t yi = input[0U];
|
||||
output[0U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = output[1U];
|
||||
uint64_t yi = input[1U];
|
||||
output[1U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = output[2U];
|
||||
uint64_t yi = input[2U];
|
||||
output[2U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = output[3U];
|
||||
uint64_t yi = input[3U];
|
||||
output[3U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
|
||||
}
|
||||
{
|
||||
FStar_UInt128_t xi = output[4U];
|
||||
uint64_t yi = input[4U];
|
||||
output[4U] = FStar_UInt128_add_mod(xi, FStar_UInt128_mul_wide(yi, s));
|
||||
}
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fproduct_carry_wide_(FStar_UInt128_t *tmp)
|
||||
{
|
||||
{
|
||||
uint32_t ctr = (uint32_t)0U;
|
||||
FStar_UInt128_t tctr = tmp[ctr];
|
||||
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
|
||||
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
|
||||
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
|
||||
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
|
||||
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
|
||||
}
|
||||
{
|
||||
uint32_t ctr = (uint32_t)1U;
|
||||
FStar_UInt128_t tctr = tmp[ctr];
|
||||
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
|
||||
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
|
||||
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
|
||||
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
|
||||
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
|
||||
}
|
||||
{
|
||||
uint32_t ctr = (uint32_t)2U;
|
||||
FStar_UInt128_t tctr = tmp[ctr];
|
||||
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
|
||||
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
|
||||
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
|
||||
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
|
||||
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
|
||||
}
|
||||
{
|
||||
uint32_t ctr = (uint32_t)3U;
|
||||
FStar_UInt128_t tctr = tmp[ctr];
|
||||
FStar_UInt128_t tctrp1 = tmp[ctr + (uint32_t)1U];
|
||||
uint64_t r0 = FStar_UInt128_uint128_to_uint64(tctr) & (uint64_t)0x7ffffffffffffU;
|
||||
FStar_UInt128_t c = FStar_UInt128_shift_right(tctr, (uint32_t)51U);
|
||||
tmp[ctr] = FStar_UInt128_uint64_to_uint128(r0);
|
||||
tmp[ctr + (uint32_t)1U] = FStar_UInt128_add(tctrp1, c);
|
||||
}
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
|
||||
{
|
||||
uint64_t tmp = output[4U];
|
||||
{
|
||||
uint32_t ctr = (uint32_t)5U - (uint32_t)0U - (uint32_t)1U;
|
||||
uint64_t z = output[ctr - (uint32_t)1U];
|
||||
output[ctr] = z;
|
||||
}
|
||||
{
|
||||
uint32_t ctr = (uint32_t)5U - (uint32_t)1U - (uint32_t)1U;
|
||||
uint64_t z = output[ctr - (uint32_t)1U];
|
||||
output[ctr] = z;
|
||||
}
|
||||
{
|
||||
uint32_t ctr = (uint32_t)5U - (uint32_t)2U - (uint32_t)1U;
|
||||
uint64_t z = output[ctr - (uint32_t)1U];
|
||||
output[ctr] = z;
|
||||
}
|
||||
{
|
||||
uint32_t ctr = (uint32_t)5U - (uint32_t)3U - (uint32_t)1U;
|
||||
uint64_t z = output[ctr - (uint32_t)1U];
|
||||
output[ctr] = z;
|
||||
}
|
||||
output[0U] = tmp;
|
||||
uint64_t b0 = output[0U];
|
||||
output[0U] = (uint64_t)19U * b0;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Bignum_Fmul_mul_shift_reduce_(FStar_UInt128_t *output, uint64_t *input, uint64_t *input21)
|
||||
{
|
||||
{
|
||||
uint64_t input2i = input21[0U];
|
||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
||||
Hacl_Bignum_Fmul_shift_reduce(input);
|
||||
}
|
||||
{
|
||||
uint64_t input2i = input21[1U];
|
||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
||||
Hacl_Bignum_Fmul_shift_reduce(input);
|
||||
}
|
||||
{
|
||||
uint64_t input2i = input21[2U];
|
||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
||||
Hacl_Bignum_Fmul_shift_reduce(input);
|
||||
}
|
||||
{
|
||||
uint64_t input2i = input21[3U];
|
||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
||||
Hacl_Bignum_Fmul_shift_reduce(input);
|
||||
}
|
||||
uint32_t i = (uint32_t)4U;
|
||||
uint64_t input2i = input21[i];
|
||||
Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fmul_fmul(uint64_t *output, uint64_t *input, uint64_t *input21)
|
||||
{
|
||||
uint64_t tmp[5U] = { 0U };
|
||||
memcpy(tmp, input, (uint32_t)5U * sizeof input[0U]);
|
||||
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
|
||||
FStar_UInt128_t t[5U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
|
||||
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
||||
Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21);
|
||||
Hacl_Bignum_Fproduct_carry_wide_(t);
|
||||
FStar_UInt128_t b4 = t[4U];
|
||||
FStar_UInt128_t b0 = t[0U];
|
||||
FStar_UInt128_t
|
||||
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
|
||||
FStar_UInt128_t
|
||||
b0_ =
|
||||
FStar_UInt128_add(b0,
|
||||
FStar_UInt128_mul_wide((uint64_t)19U,
|
||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
|
||||
t[4U] = b4_;
|
||||
t[0U] = b0_;
|
||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, t);
|
||||
uint64_t i0 = output[0U];
|
||||
uint64_t i1 = output[1U];
|
||||
uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
|
||||
output[0U] = i0_;
|
||||
output[1U] = i1_;
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fsquare_fsquare__(FStar_UInt128_t *tmp, uint64_t *output)
|
||||
{
|
||||
uint64_t r0 = output[0U];
|
||||
uint64_t r1 = output[1U];
|
||||
uint64_t r2 = output[2U];
|
||||
uint64_t r3 = output[3U];
|
||||
uint64_t r4 = output[4U];
|
||||
uint64_t d0 = r0 * (uint64_t)2U;
|
||||
uint64_t d1 = r1 * (uint64_t)2U;
|
||||
uint64_t d2 = r2 * (uint64_t)2U * (uint64_t)19U;
|
||||
uint64_t d419 = r4 * (uint64_t)19U;
|
||||
uint64_t d4 = d419 * (uint64_t)2U;
|
||||
FStar_UInt128_t
|
||||
s0 =
|
||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(r0, r0),
|
||||
FStar_UInt128_mul_wide(d4, r1)),
|
||||
FStar_UInt128_mul_wide(d2, r3));
|
||||
FStar_UInt128_t
|
||||
s1 =
|
||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r1),
|
||||
FStar_UInt128_mul_wide(d4, r2)),
|
||||
FStar_UInt128_mul_wide(r3 * (uint64_t)19U, r3));
|
||||
FStar_UInt128_t
|
||||
s2 =
|
||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r2),
|
||||
FStar_UInt128_mul_wide(r1, r1)),
|
||||
FStar_UInt128_mul_wide(d4, r3));
|
||||
FStar_UInt128_t
|
||||
s3 =
|
||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r3),
|
||||
FStar_UInt128_mul_wide(d1, r2)),
|
||||
FStar_UInt128_mul_wide(r4, d419));
|
||||
FStar_UInt128_t
|
||||
s4 =
|
||||
FStar_UInt128_add(FStar_UInt128_add(FStar_UInt128_mul_wide(d0, r4),
|
||||
FStar_UInt128_mul_wide(d1, r3)),
|
||||
FStar_UInt128_mul_wide(r2, r2));
|
||||
tmp[0U] = s0;
|
||||
tmp[1U] = s1;
|
||||
tmp[2U] = s2;
|
||||
tmp[3U] = s3;
|
||||
tmp[4U] = s4;
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output)
|
||||
{
|
||||
Hacl_Bignum_Fsquare_fsquare__(tmp, output);
|
||||
Hacl_Bignum_Fproduct_carry_wide_(tmp);
|
||||
FStar_UInt128_t b4 = tmp[4U];
|
||||
FStar_UInt128_t b0 = tmp[0U];
|
||||
FStar_UInt128_t
|
||||
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
|
||||
FStar_UInt128_t
|
||||
b0_ =
|
||||
FStar_UInt128_add(b0,
|
||||
FStar_UInt128_mul_wide((uint64_t)19U,
|
||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
|
||||
tmp[4U] = b4_;
|
||||
tmp[0U] = b0_;
|
||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
|
||||
uint64_t i0 = output[0U];
|
||||
uint64_t i1 = output[1U];
|
||||
uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
|
||||
output[0U] = i0_;
|
||||
output[1U] = i1_;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1)
|
||||
{
|
||||
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
|
||||
for (uint32_t i = (uint32_t)1U; i < count1; i = i + (uint32_t)1U)
|
||||
Hacl_Bignum_Fsquare_fsquare_(tmp, input);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fsquare_fsquare_times(uint64_t *output, uint64_t *input, uint32_t count1)
|
||||
{
|
||||
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
|
||||
FStar_UInt128_t t[5U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
|
||||
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
||||
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
|
||||
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
|
||||
{
|
||||
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
|
||||
FStar_UInt128_t t[5U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
|
||||
t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
||||
Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_Crecip_crecip(uint64_t *out, uint64_t *z)
|
||||
{
|
||||
uint64_t buf[20U] = { 0U };
|
||||
uint64_t *a = buf;
|
||||
uint64_t *t00 = buf + (uint32_t)5U;
|
||||
uint64_t *b0 = buf + (uint32_t)10U;
|
||||
Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U);
|
||||
Hacl_Bignum_Fmul_fmul(b0, t00, z);
|
||||
Hacl_Bignum_Fmul_fmul(a, b0, a);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U);
|
||||
Hacl_Bignum_Fmul_fmul(b0, t00, b0);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
|
||||
uint64_t *t01 = buf + (uint32_t)5U;
|
||||
uint64_t *b1 = buf + (uint32_t)10U;
|
||||
uint64_t *c0 = buf + (uint32_t)15U;
|
||||
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
|
||||
Hacl_Bignum_Fmul_fmul(c0, t01, b1);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t01, c0, (uint32_t)20U);
|
||||
Hacl_Bignum_Fmul_fmul(t01, t01, c0);
|
||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
|
||||
Hacl_Bignum_Fmul_fmul(b1, t01, b1);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
|
||||
uint64_t *a0 = buf;
|
||||
uint64_t *t0 = buf + (uint32_t)5U;
|
||||
uint64_t *b = buf + (uint32_t)10U;
|
||||
uint64_t *c = buf + (uint32_t)15U;
|
||||
Hacl_Bignum_Fmul_fmul(c, t0, b);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
|
||||
Hacl_Bignum_Fmul_fmul(t0, t0, c);
|
||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)50U);
|
||||
Hacl_Bignum_Fmul_fmul(t0, t0, b);
|
||||
Hacl_Bignum_Fsquare_fsquare_times_inplace(t0, (uint32_t)5U);
|
||||
Hacl_Bignum_Fmul_fmul(out, t0, a0);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_fsum(uint64_t *a, uint64_t *b)
|
||||
{
|
||||
{
|
||||
uint64_t xi = a[0U];
|
||||
uint64_t yi = b[0U];
|
||||
a[0U] = xi + yi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[1U];
|
||||
uint64_t yi = b[1U];
|
||||
a[1U] = xi + yi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[2U];
|
||||
uint64_t yi = b[2U];
|
||||
a[2U] = xi + yi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[3U];
|
||||
uint64_t yi = b[3U];
|
||||
a[3U] = xi + yi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[4U];
|
||||
uint64_t yi = b[4U];
|
||||
a[4U] = xi + yi;
|
||||
}
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
|
||||
{
|
||||
uint64_t tmp[5U] = { 0U };
|
||||
memcpy(tmp, b, (uint32_t)5U * sizeof b[0U]);
|
||||
uint64_t b0 = tmp[0U];
|
||||
uint64_t b1 = tmp[1U];
|
||||
uint64_t b2 = tmp[2U];
|
||||
uint64_t b3 = tmp[3U];
|
||||
uint64_t b4 = tmp[4U];
|
||||
tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
|
||||
tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
|
||||
tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
|
||||
tmp[3U] = b3 + (uint64_t)0x3ffffffffffff8U;
|
||||
tmp[4U] = b4 + (uint64_t)0x3ffffffffffff8U;
|
||||
{
|
||||
uint64_t xi = a[0U];
|
||||
uint64_t yi = tmp[0U];
|
||||
a[0U] = yi - xi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[1U];
|
||||
uint64_t yi = tmp[1U];
|
||||
a[1U] = yi - xi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[2U];
|
||||
uint64_t yi = tmp[2U];
|
||||
a[2U] = yi - xi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[3U];
|
||||
uint64_t yi = tmp[3U];
|
||||
a[3U] = yi - xi;
|
||||
}
|
||||
{
|
||||
uint64_t xi = a[4U];
|
||||
uint64_t yi = tmp[4U];
|
||||
a[4U] = yi - xi;
|
||||
}
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
|
||||
{
|
||||
KRML_CHECK_SIZE(FStar_UInt128_uint64_to_uint128((uint64_t)0U), (uint32_t)5U);
|
||||
FStar_UInt128_t tmp[5U];
|
||||
for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
|
||||
tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
|
||||
{
|
||||
uint64_t xi = b[0U];
|
||||
tmp[0U] = FStar_UInt128_mul_wide(xi, s);
|
||||
}
|
||||
{
|
||||
uint64_t xi = b[1U];
|
||||
tmp[1U] = FStar_UInt128_mul_wide(xi, s);
|
||||
}
|
||||
{
|
||||
uint64_t xi = b[2U];
|
||||
tmp[2U] = FStar_UInt128_mul_wide(xi, s);
|
||||
}
|
||||
{
|
||||
uint64_t xi = b[3U];
|
||||
tmp[3U] = FStar_UInt128_mul_wide(xi, s);
|
||||
}
|
||||
{
|
||||
uint64_t xi = b[4U];
|
||||
tmp[4U] = FStar_UInt128_mul_wide(xi, s);
|
||||
}
|
||||
Hacl_Bignum_Fproduct_carry_wide_(tmp);
|
||||
FStar_UInt128_t b4 = tmp[4U];
|
||||
FStar_UInt128_t b0 = tmp[0U];
|
||||
FStar_UInt128_t
|
||||
b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
|
||||
FStar_UInt128_t
|
||||
b0_ =
|
||||
FStar_UInt128_add(b0,
|
||||
FStar_UInt128_mul_wide((uint64_t)19U,
|
||||
FStar_UInt128_uint128_to_uint64(FStar_UInt128_shift_right(b4, (uint32_t)51U))));
|
||||
tmp[4U] = b4_;
|
||||
tmp[0U] = b0_;
|
||||
Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_fmul(uint64_t *output, uint64_t *a, uint64_t *b)
|
||||
{
|
||||
Hacl_Bignum_Fmul_fmul(output, a, b);
|
||||
}
|
||||
|
||||
inline static void
|
||||
Hacl_Bignum_crecip(uint64_t *output, uint64_t *input)
|
||||
{
|
||||
Hacl_Bignum_Crecip_crecip(output, input);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Point_swap_conditional_step(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
|
||||
{
|
||||
uint32_t i = ctr - (uint32_t)1U;
|
||||
uint64_t ai = a[i];
|
||||
uint64_t bi = b[i];
|
||||
uint64_t x = swap1 & (ai ^ bi);
|
||||
uint64_t ai1 = ai ^ x;
|
||||
uint64_t bi1 = bi ^ x;
|
||||
a[i] = ai1;
|
||||
b[i] = bi1;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
|
||||
{
|
||||
if (!(ctr == (uint32_t)0U)) {
|
||||
Hacl_EC_Point_swap_conditional_step(a, b, swap1, ctr);
|
||||
uint32_t i = ctr - (uint32_t)1U;
|
||||
Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Point_swap_conditional(uint64_t *a, uint64_t *b, uint64_t iswap)
|
||||
{
|
||||
uint64_t swap1 = (uint64_t)0U - iswap;
|
||||
Hacl_EC_Point_swap_conditional_(a, b, swap1, (uint32_t)5U);
|
||||
Hacl_EC_Point_swap_conditional_(a + (uint32_t)5U, b + (uint32_t)5U, swap1, (uint32_t)5U);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Point_copy(uint64_t *output, uint64_t *input)
|
||||
{
|
||||
memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
|
||||
memcpy(output + (uint32_t)5U,
|
||||
input + (uint32_t)5U,
|
||||
(uint32_t)5U * sizeof(input + (uint32_t)5U)[0U]);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_AddAndDouble_fmonty(
|
||||
uint64_t *pp,
|
||||
uint64_t *ppq,
|
||||
uint64_t *p,
|
||||
uint64_t *pq,
|
||||
uint64_t *qmqp)
|
||||
{
|
||||
uint64_t *qx = qmqp;
|
||||
uint64_t *x2 = pp;
|
||||
uint64_t *z2 = pp + (uint32_t)5U;
|
||||
uint64_t *x3 = ppq;
|
||||
uint64_t *z3 = ppq + (uint32_t)5U;
|
||||
uint64_t *x = p;
|
||||
uint64_t *z = p + (uint32_t)5U;
|
||||
uint64_t *xprime = pq;
|
||||
uint64_t *zprime = pq + (uint32_t)5U;
|
||||
uint64_t buf[40U] = { 0U };
|
||||
uint64_t *origx = buf;
|
||||
uint64_t *origxprime = buf + (uint32_t)5U;
|
||||
uint64_t *xxprime0 = buf + (uint32_t)25U;
|
||||
uint64_t *zzprime0 = buf + (uint32_t)30U;
|
||||
memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
|
||||
Hacl_Bignum_fsum(x, z);
|
||||
Hacl_Bignum_fdifference(z, origx);
|
||||
memcpy(origxprime, xprime, (uint32_t)5U * sizeof xprime[0U]);
|
||||
Hacl_Bignum_fsum(xprime, zprime);
|
||||
Hacl_Bignum_fdifference(zprime, origxprime);
|
||||
Hacl_Bignum_fmul(xxprime0, xprime, z);
|
||||
Hacl_Bignum_fmul(zzprime0, x, zprime);
|
||||
uint64_t *origxprime0 = buf + (uint32_t)5U;
|
||||
uint64_t *xx0 = buf + (uint32_t)15U;
|
||||
uint64_t *zz0 = buf + (uint32_t)20U;
|
||||
uint64_t *xxprime = buf + (uint32_t)25U;
|
||||
uint64_t *zzprime = buf + (uint32_t)30U;
|
||||
uint64_t *zzzprime = buf + (uint32_t)35U;
|
||||
memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
|
||||
Hacl_Bignum_fsum(xxprime, zzprime);
|
||||
Hacl_Bignum_fdifference(zzprime, origxprime0);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(x3, xxprime, (uint32_t)1U);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(zzzprime, zzprime, (uint32_t)1U);
|
||||
Hacl_Bignum_fmul(z3, zzzprime, qx);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
|
||||
Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
|
||||
uint64_t *zzz = buf + (uint32_t)10U;
|
||||
uint64_t *xx = buf + (uint32_t)15U;
|
||||
uint64_t *zz = buf + (uint32_t)20U;
|
||||
Hacl_Bignum_fmul(x2, xx, zz);
|
||||
Hacl_Bignum_fdifference(zz, xx);
|
||||
uint64_t scalar = (uint64_t)121665U;
|
||||
Hacl_Bignum_fscalar(zzz, zz, scalar);
|
||||
Hacl_Bignum_fsum(zzz, xx);
|
||||
Hacl_Bignum_fmul(z2, zzz, zz);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(
|
||||
uint64_t *nq,
|
||||
uint64_t *nqpq,
|
||||
uint64_t *nq2,
|
||||
uint64_t *nqpq2,
|
||||
uint64_t *q,
|
||||
uint8_t byt)
|
||||
{
|
||||
uint64_t bit = (uint64_t)(byt >> (uint32_t)7U);
|
||||
Hacl_EC_Point_swap_conditional(nq, nqpq, bit);
|
||||
Hacl_EC_AddAndDouble_fmonty(nq2, nqpq2, nq, nqpq, q);
|
||||
uint64_t bit0 = (uint64_t)(byt >> (uint32_t)7U);
|
||||
Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(
|
||||
uint64_t *nq,
|
||||
uint64_t *nqpq,
|
||||
uint64_t *nq2,
|
||||
uint64_t *nqpq2,
|
||||
uint64_t *q,
|
||||
uint8_t byt)
|
||||
{
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq, nqpq, nq2, nqpq2, q, byt);
|
||||
uint8_t byt1 = byt << (uint32_t)1U;
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(
|
||||
uint64_t *nq,
|
||||
uint64_t *nqpq,
|
||||
uint64_t *nq2,
|
||||
uint64_t *nqpq2,
|
||||
uint64_t *q,
|
||||
uint8_t byt,
|
||||
uint32_t i)
|
||||
{
|
||||
if (!(i == (uint32_t)0U)) {
|
||||
uint32_t i_ = i - (uint32_t)1U;
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop_double_step(nq, nqpq, nq2, nqpq2, q, byt);
|
||||
uint8_t byt_ = byt << (uint32_t)2U;
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(
|
||||
uint8_t *n1,
|
||||
uint64_t *nq,
|
||||
uint64_t *nqpq,
|
||||
uint64_t *nq2,
|
||||
uint64_t *nqpq2,
|
||||
uint64_t *q,
|
||||
uint32_t i)
|
||||
{
|
||||
if (!(i == (uint32_t)0U)) {
|
||||
uint32_t i1 = i - (uint32_t)1U;
|
||||
uint8_t byte = n1[i1];
|
||||
Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byte, (uint32_t)4U);
|
||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, i1);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Ladder_cmult(uint64_t *result, uint8_t *n1, uint64_t *q)
|
||||
{
|
||||
uint64_t point_buf[40U] = { 0U };
|
||||
uint64_t *nq = point_buf;
|
||||
uint64_t *nqpq = point_buf + (uint32_t)10U;
|
||||
uint64_t *nq2 = point_buf + (uint32_t)20U;
|
||||
uint64_t *nqpq2 = point_buf + (uint32_t)30U;
|
||||
Hacl_EC_Point_copy(nqpq, q);
|
||||
nq[0U] = (uint64_t)1U;
|
||||
Hacl_EC_Ladder_BigLoop_cmult_big_loop(n1, nq, nqpq, nq2, nqpq2, q, (uint32_t)32U);
|
||||
Hacl_EC_Point_copy(result, nq);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fexpand(uint64_t *output, uint8_t *input)
|
||||
{
|
||||
uint64_t i0 = load64_le(input);
|
||||
uint8_t *x00 = input + (uint32_t)6U;
|
||||
uint64_t i1 = load64_le(x00);
|
||||
uint8_t *x01 = input + (uint32_t)12U;
|
||||
uint64_t i2 = load64_le(x01);
|
||||
uint8_t *x02 = input + (uint32_t)19U;
|
||||
uint64_t i3 = load64_le(x02);
|
||||
uint8_t *x0 = input + (uint32_t)24U;
|
||||
uint64_t i4 = load64_le(x0);
|
||||
uint64_t output0 = i0 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t output1 = i1 >> (uint32_t)3U & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t output2 = i2 >> (uint32_t)6U & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t output3 = i3 >> (uint32_t)1U & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t output4 = i4 >> (uint32_t)12U & (uint64_t)0x7ffffffffffffU;
|
||||
output[0U] = output0;
|
||||
output[1U] = output1;
|
||||
output[2U] = output2;
|
||||
output[3U] = output3;
|
||||
output[4U] = output4;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract_first_carry_pass(uint64_t *input)
|
||||
{
|
||||
uint64_t t0 = input[0U];
|
||||
uint64_t t1 = input[1U];
|
||||
uint64_t t2 = input[2U];
|
||||
uint64_t t3 = input[3U];
|
||||
uint64_t t4 = input[4U];
|
||||
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
|
||||
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
|
||||
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
|
||||
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
|
||||
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
|
||||
input[0U] = t0_;
|
||||
input[1U] = t1__;
|
||||
input[2U] = t2__;
|
||||
input[3U] = t3__;
|
||||
input[4U] = t4_;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract_first_carry_full(uint64_t *input)
|
||||
{
|
||||
Hacl_EC_Format_fcontract_first_carry_pass(input);
|
||||
Hacl_Bignum_Modulo_carry_top(input);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract_second_carry_pass(uint64_t *input)
|
||||
{
|
||||
uint64_t t0 = input[0U];
|
||||
uint64_t t1 = input[1U];
|
||||
uint64_t t2 = input[2U];
|
||||
uint64_t t3 = input[3U];
|
||||
uint64_t t4 = input[4U];
|
||||
uint64_t t1_ = t1 + (t0 >> (uint32_t)51U);
|
||||
uint64_t t0_ = t0 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t t2_ = t2 + (t1_ >> (uint32_t)51U);
|
||||
uint64_t t1__ = t1_ & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t t3_ = t3 + (t2_ >> (uint32_t)51U);
|
||||
uint64_t t2__ = t2_ & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t t4_ = t4 + (t3_ >> (uint32_t)51U);
|
||||
uint64_t t3__ = t3_ & (uint64_t)0x7ffffffffffffU;
|
||||
input[0U] = t0_;
|
||||
input[1U] = t1__;
|
||||
input[2U] = t2__;
|
||||
input[3U] = t3__;
|
||||
input[4U] = t4_;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
|
||||
{
|
||||
Hacl_EC_Format_fcontract_second_carry_pass(input);
|
||||
Hacl_Bignum_Modulo_carry_top(input);
|
||||
uint64_t i0 = input[0U];
|
||||
uint64_t i1 = input[1U];
|
||||
uint64_t i0_ = i0 & (uint64_t)0x7ffffffffffffU;
|
||||
uint64_t i1_ = i1 + (i0 >> (uint32_t)51U);
|
||||
input[0U] = i0_;
|
||||
input[1U] = i1_;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract_trim(uint64_t *input)
|
||||
{
|
||||
uint64_t a0 = input[0U];
|
||||
uint64_t a1 = input[1U];
|
||||
uint64_t a2 = input[2U];
|
||||
uint64_t a3 = input[3U];
|
||||
uint64_t a4 = input[4U];
|
||||
uint64_t mask0 = FStar_UInt64_gte_mask(a0, (uint64_t)0x7ffffffffffedU);
|
||||
uint64_t mask1 = FStar_UInt64_eq_mask(a1, (uint64_t)0x7ffffffffffffU);
|
||||
uint64_t mask2 = FStar_UInt64_eq_mask(a2, (uint64_t)0x7ffffffffffffU);
|
||||
uint64_t mask3 = FStar_UInt64_eq_mask(a3, (uint64_t)0x7ffffffffffffU);
|
||||
uint64_t mask4 = FStar_UInt64_eq_mask(a4, (uint64_t)0x7ffffffffffffU);
|
||||
uint64_t mask = (((mask0 & mask1) & mask2) & mask3) & mask4;
|
||||
uint64_t a0_ = a0 - ((uint64_t)0x7ffffffffffedU & mask);
|
||||
uint64_t a1_ = a1 - ((uint64_t)0x7ffffffffffffU & mask);
|
||||
uint64_t a2_ = a2 - ((uint64_t)0x7ffffffffffffU & mask);
|
||||
uint64_t a3_ = a3 - ((uint64_t)0x7ffffffffffffU & mask);
|
||||
uint64_t a4_ = a4 - ((uint64_t)0x7ffffffffffffU & mask);
|
||||
input[0U] = a0_;
|
||||
input[1U] = a1_;
|
||||
input[2U] = a2_;
|
||||
input[3U] = a3_;
|
||||
input[4U] = a4_;
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract_store(uint8_t *output, uint64_t *input)
|
||||
{
|
||||
uint64_t t0 = input[0U];
|
||||
uint64_t t1 = input[1U];
|
||||
uint64_t t2 = input[2U];
|
||||
uint64_t t3 = input[3U];
|
||||
uint64_t t4 = input[4U];
|
||||
uint64_t o0 = t1 << (uint32_t)51U | t0;
|
||||
uint64_t o1 = t2 << (uint32_t)38U | t1 >> (uint32_t)13U;
|
||||
uint64_t o2 = t3 << (uint32_t)25U | t2 >> (uint32_t)26U;
|
||||
uint64_t o3 = t4 << (uint32_t)12U | t3 >> (uint32_t)39U;
|
||||
uint8_t *b0 = output;
|
||||
uint8_t *b1 = output + (uint32_t)8U;
|
||||
uint8_t *b2 = output + (uint32_t)16U;
|
||||
uint8_t *b3 = output + (uint32_t)24U;
|
||||
store64_le(b0, o0);
|
||||
store64_le(b1, o1);
|
||||
store64_le(b2, o2);
|
||||
store64_le(b3, o3);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_fcontract(uint8_t *output, uint64_t *input)
|
||||
{
|
||||
Hacl_EC_Format_fcontract_first_carry_full(input);
|
||||
Hacl_EC_Format_fcontract_second_carry_full(input);
|
||||
Hacl_EC_Format_fcontract_trim(input);
|
||||
Hacl_EC_Format_fcontract_store(output, input);
|
||||
}
|
||||
|
||||
static void
|
||||
Hacl_EC_Format_scalar_of_point(uint8_t *scalar, uint64_t *point)
|
||||
{
|
||||
uint64_t *x = point;
|
||||
uint64_t *z = point + (uint32_t)5U;
|
||||
uint64_t buf[10U] = { 0U };
|
||||
uint64_t *zmone = buf;
|
||||
uint64_t *sc = buf + (uint32_t)5U;
|
||||
Hacl_Bignum_crecip(zmone, z);
|
||||
Hacl_Bignum_fmul(sc, x, zmone);
|
||||
Hacl_EC_Format_fcontract(scalar, sc);
|
||||
}
|
||||
|
||||
void
|
||||
Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
|
||||
{
|
||||
uint64_t buf0[10U] = { 0U };
|
||||
uint64_t *x0 = buf0;
|
||||
uint64_t *z = buf0 + (uint32_t)5U;
|
||||
Hacl_EC_Format_fexpand(x0, basepoint);
|
||||
z[0U] = (uint64_t)1U;
|
||||
uint64_t *q = buf0;
|
||||
uint8_t e[32U] = { 0U };
|
||||
memcpy(e, secret, (uint32_t)32U * sizeof secret[0U]);
|
||||
uint8_t e0 = e[0U];
|
||||
uint8_t e31 = e[31U];
|
||||
uint8_t e01 = e0 & (uint8_t)248U;
|
||||
uint8_t e311 = e31 & (uint8_t)127U;
|
||||
uint8_t e312 = e311 | (uint8_t)64U;
|
||||
e[0U] = e01;
|
||||
e[31U] = e312;
|
||||
uint8_t *scalar = e;
|
||||
uint64_t buf[15U] = { 0U };
|
||||
uint64_t *nq = buf;
|
||||
uint64_t *x = nq;
|
||||
x[0U] = (uint64_t)1U;
|
||||
Hacl_EC_Ladder_cmult(nq, scalar, q);
|
||||
Hacl_EC_Format_scalar_of_point(mypublic, nq);
|
||||
}
|
||||
|
||||
void
|
||||
Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint)
|
||||
{
|
||||
Hacl_EC_crypto_scalarmult(mypublic, secret, basepoint);
|
||||
}
|
@ -1,22 +1,21 @@
|
||||
// Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
/* This file was auto-generated by KreMLin! */
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include "kremlib.h"
|
||||
#ifndef __Hacl_Curve25519_64_H
|
||||
#define __Hacl_Curve25519_64_H
|
||||
#ifndef __Hacl_Curve25519_H
|
||||
#define __Hacl_Curve25519_H
|
||||
|
||||
typedef uint64_t Hacl_Bignum_Constants_limb;
|
||||
|
||||
@ -52,9 +51,7 @@ typedef uint8_t *Hacl_EC_Format_uint8_p;
|
||||
|
||||
void Hacl_EC_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
|
||||
|
||||
typedef uint8_t *Curve25519_uint8_p;
|
||||
typedef uint8_t *Hacl_Curve25519_uint8_p;
|
||||
|
||||
void *Curve25519_op_String_Access(FStar_Monotonic_HyperStack_mem h, uint8_t *b);
|
||||
|
||||
void Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
|
||||
void Hacl_Curve25519_crypto_scalarmult(uint8_t *mypublic, uint8_t *secret, uint8_t *basepoint);
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
@ -1,88 +1,191 @@
|
||||
// Copyright 2016-2017 Microsoft Corporation
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef __KREMLIB_H
|
||||
#define __KREMLIB_H
|
||||
|
||||
#include <inttypes.h>
|
||||
#include <stdlib.h>
|
||||
#include "kremlib_base.h"
|
||||
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
/* For tests only: we might need this function to be forward-declared, because
|
||||
* the dependency on WasmSupport appears very late, after SimplifyWasm, and
|
||||
* sadly, after the topological order has been done. */
|
||||
void WasmSupport_check_buffer_size(uint32_t s);
|
||||
|
||||
// Define __cdecl and friends when using GCC, so that we can safely compile code
|
||||
// that contains __cdecl on all platforms.
|
||||
#ifndef _MSC_VER
|
||||
// Use the gcc predefined macros if on a platform/architectures that set them.
|
||||
// Otherwise define them to be empty.
|
||||
#ifndef __cdecl
|
||||
#define __cdecl
|
||||
#endif
|
||||
#ifndef __stdcall
|
||||
#define __stdcall
|
||||
#endif
|
||||
#ifndef __fastcall
|
||||
#define __fastcall
|
||||
#endif
|
||||
/******************************************************************************/
|
||||
/* Stubs to ease compilation of non-Low* code */
|
||||
/******************************************************************************/
|
||||
|
||||
/* Some types that KreMLin has no special knowledge of; many of them appear in
|
||||
* signatures of ghost functions, meaning that it suffices to give them (any)
|
||||
* definition. */
|
||||
typedef void *FStar_Seq_Base_seq, *Prims_prop, *FStar_HyperStack_mem,
|
||||
*FStar_Set_set, *Prims_st_pre_h, *FStar_Heap_heap, *Prims_all_pre_h,
|
||||
*FStar_TSet_set, *Prims_list, *FStar_Map_t, *FStar_UInt63_t_,
|
||||
*FStar_Int63_t_, *FStar_UInt63_t, *FStar_Int63_t, *FStar_UInt_uint_t,
|
||||
*FStar_Int_int_t, *FStar_HyperStack_stackref, *FStar_Bytes_bytes,
|
||||
*FStar_HyperHeap_rid, *FStar_Heap_aref, *FStar_Monotonic_Heap_heap,
|
||||
*FStar_Monotonic_Heap_aref, *FStar_Monotonic_HyperHeap_rid,
|
||||
*FStar_Monotonic_HyperStack_mem, *FStar_Char_char_;
|
||||
|
||||
typedef const char *Prims_string;
|
||||
|
||||
/* For "bare" targets that do not have a C stdlib, the user might want to use
|
||||
* [-add-include '"mydefinitions.h"'] and override these. */
|
||||
#ifndef KRML_HOST_PRINTF
|
||||
#define KRML_HOST_PRINTF printf
|
||||
#endif
|
||||
|
||||
// GCC-specific attribute syntax; everyone else gets the standard C inline
|
||||
// attribute.
|
||||
#ifdef __GNU_C__
|
||||
#ifndef __clang__
|
||||
#define force_inline inline __attribute__((always_inline))
|
||||
#else
|
||||
#define force_inline inline
|
||||
#endif
|
||||
#else
|
||||
#define force_inline inline
|
||||
#ifndef KRML_HOST_EXIT
|
||||
#define KRML_HOST_EXIT exit
|
||||
#endif
|
||||
|
||||
// Uppercase issue; we have to define lowercase version of the C macros (as we
|
||||
// have no way to refer to an uppercase *variable* in F*).
|
||||
extern int exit_success;
|
||||
extern int exit_failure;
|
||||
#ifndef KRML_HOST_MALLOC
|
||||
#define KRML_HOST_MALLOC malloc
|
||||
#endif
|
||||
|
||||
// Some types that KreMLin has no special knowledge of; many of them appear in
|
||||
// signatures of ghost functions, meaning that it suffices to give them (any)
|
||||
// definition.
|
||||
typedef void *Prims_pos, *Prims_nat, *Prims_nonzero, *FStar_Seq_Base_seq,
|
||||
*Prims_int, *Prims_prop, *FStar_HyperStack_mem, *FStar_Set_set,
|
||||
*Prims_st_pre_h, *FStar_Heap_heap, *Prims_all_pre_h, *FStar_TSet_set,
|
||||
*Prims_string, *Prims_list, *FStar_Map_t, *FStar_UInt63_t_, *FStar_Int63_t_,
|
||||
*FStar_UInt63_t, *FStar_Int63_t, *FStar_UInt_uint_t, *FStar_Int_int_t,
|
||||
*FStar_HyperStack_stackref, *FStar_Bytes_bytes, *FStar_HyperHeap_rid,
|
||||
*FStar_Heap_aref, *FStar_Monotonic_Heap_heap,
|
||||
*FStar_Monotonic_HyperHeap_rid, *FStar_Monotonic_HyperStack_mem;
|
||||
/* In statement position, exiting is easy. */
|
||||
#define KRML_EXIT \
|
||||
do { \
|
||||
KRML_HOST_PRINTF("Unimplemented function at %s:%d\n", __FILE__, __LINE__); \
|
||||
KRML_HOST_EXIT(254); \
|
||||
} while (0)
|
||||
|
||||
#define KRML_CHECK_SIZE(elt, size) \
|
||||
if (((size_t)size) > SIZE_MAX / sizeof(elt)) { \
|
||||
printf("Maximum allocatable size exceeded, aborting before overflow at " \
|
||||
"%s:%d\n", \
|
||||
__FILE__, __LINE__); \
|
||||
exit(253); \
|
||||
/* In expression position, use the comma-operator and a malloc to return an
|
||||
* expression of the right size. KreMLin passes t as the parameter to the macro.
|
||||
*/
|
||||
#define KRML_EABORT(t, msg) \
|
||||
(KRML_HOST_PRINTF("KreMLin abort at %s:%d\n%s\n", __FILE__, __LINE__, msg), \
|
||||
KRML_HOST_EXIT(255), *((t *)KRML_HOST_MALLOC(sizeof(t))))
|
||||
|
||||
/* In FStar.Buffer.fst, the size of arrays is uint32_t, but it's a number of
|
||||
* *elements*. Do an ugly, run-time check (some of which KreMLin can eliminate).
|
||||
*/
|
||||
#define KRML_CHECK_SIZE(elt, size) \
|
||||
if (((size_t)size) > SIZE_MAX / sizeof(elt)) { \
|
||||
KRML_HOST_PRINTF( \
|
||||
"Maximum allocatable size exceeded, aborting before overflow at " \
|
||||
"%s:%d\n", \
|
||||
__FILE__, __LINE__); \
|
||||
KRML_HOST_EXIT(253); \
|
||||
}
|
||||
|
||||
// Endian-ness
|
||||
/* A series of GCC atrocities to trace function calls (kremlin's [-d c-calls]
|
||||
* option). Useful when trying to debug, say, Wasm, to compare traces. */
|
||||
/* clang-format off */
|
||||
#ifdef __GNUC__
|
||||
#define KRML_FORMAT(X) _Generic((X), \
|
||||
uint8_t : "0x%08" PRIx8, \
|
||||
uint16_t: "0x%08" PRIx16, \
|
||||
uint32_t: "0x%08" PRIx32, \
|
||||
uint64_t: "0x%08" PRIx64, \
|
||||
int8_t : "0x%08" PRIx8, \
|
||||
int16_t : "0x%08" PRIx16, \
|
||||
int32_t : "0x%08" PRIx32, \
|
||||
int64_t : "0x%08" PRIx64, \
|
||||
default : "%s")
|
||||
|
||||
// ... for Linux
|
||||
#define KRML_FORMAT_ARG(X) _Generic((X), \
|
||||
uint8_t : X, \
|
||||
uint16_t: X, \
|
||||
uint32_t: X, \
|
||||
uint64_t: X, \
|
||||
int8_t : X, \
|
||||
int16_t : X, \
|
||||
int32_t : X, \
|
||||
int64_t : X, \
|
||||
default : "unknown")
|
||||
/* clang-format on */
|
||||
|
||||
#define KRML_DEBUG_RETURN(X) \
|
||||
({ \
|
||||
__auto_type _ret = (X); \
|
||||
KRML_HOST_PRINTF("returning: "); \
|
||||
KRML_HOST_PRINTF(KRML_FORMAT(_ret), KRML_FORMAT_ARG(_ret)); \
|
||||
KRML_HOST_PRINTF(" \n"); \
|
||||
_ret; \
|
||||
})
|
||||
#endif
|
||||
|
||||
#define FStar_Buffer_eqb(b1, b2, n) \
|
||||
(memcmp((b1), (b2), (n) * sizeof((b1)[0])) == 0)
|
||||
|
||||
/* Stubs to make ST happy. Important note: you must generate a use of the macro
|
||||
* argument, otherwise, you may have FStar_ST_recall(f) as the only use of f;
|
||||
* KreMLin will think that this is a valid use, but then the C compiler, after
|
||||
* macro expansion, will error out. */
|
||||
#define FStar_HyperHeap_root 0
|
||||
#define FStar_Pervasives_Native_fst(x) (x).fst
|
||||
#define FStar_Pervasives_Native_snd(x) (x).snd
|
||||
#define FStar_Seq_Base_createEmpty(x) 0
|
||||
#define FStar_Seq_Base_create(len, init) 0
|
||||
#define FStar_Seq_Base_upd(s, i, e) 0
|
||||
#define FStar_Seq_Base_eq(l1, l2) 0
|
||||
#define FStar_Seq_Base_length(l1) 0
|
||||
#define FStar_Seq_Base_append(x, y) 0
|
||||
#define FStar_Seq_Base_slice(x, y, z) 0
|
||||
#define FStar_Seq_Properties_snoc(x, y) 0
|
||||
#define FStar_Seq_Properties_cons(x, y) 0
|
||||
#define FStar_Seq_Base_index(x, y) 0
|
||||
#define FStar_HyperStack_is_eternal_color(x) 0
|
||||
#define FStar_Monotonic_HyperHeap_root 0
|
||||
#define FStar_Buffer_to_seq_full(x) 0
|
||||
#define FStar_Buffer_recall(x)
|
||||
#define FStar_HyperStack_ST_op_Colon_Equals(x, v) KRML_EXIT
|
||||
#define FStar_HyperStack_ST_op_Bang(x) 0
|
||||
#define FStar_HyperStack_ST_salloc(x) 0
|
||||
#define FStar_HyperStack_ST_ralloc(x, y) 0
|
||||
#define FStar_HyperStack_ST_new_region(x) (0)
|
||||
#define FStar_Monotonic_RRef_m_alloc(x) \
|
||||
{ \
|
||||
0 \
|
||||
}
|
||||
|
||||
#define FStar_HyperStack_ST_recall(x) \
|
||||
do { \
|
||||
(void)(x); \
|
||||
} while (0)
|
||||
|
||||
#define FStar_HyperStack_ST_recall_region(x) \
|
||||
do { \
|
||||
(void)(x); \
|
||||
} while (0)
|
||||
|
||||
#define FStar_Monotonic_RRef_m_recall(x1, x2) \
|
||||
do { \
|
||||
(void)(x1); \
|
||||
(void)(x2); \
|
||||
} while (0)
|
||||
|
||||
#define FStar_Monotonic_RRef_m_write(x1, x2, x3, x4, x5) \
|
||||
do { \
|
||||
(void)(x1); \
|
||||
(void)(x2); \
|
||||
(void)(x3); \
|
||||
(void)(x4); \
|
||||
(void)(x5); \
|
||||
} while (0)
|
||||
|
||||
/******************************************************************************/
|
||||
/* Endian-ness macros that can only be implemented in C */
|
||||
/******************************************************************************/
|
||||
|
||||
/* ... for Linux */
|
||||
#if defined(__linux__) || defined(__CYGWIN__)
|
||||
#include <endian.h>
|
||||
|
||||
// ... for OSX
|
||||
/* ... for OSX */
|
||||
#elif defined(__APPLE__)
|
||||
#include <libkern/OSByteOrder.h>
|
||||
#define htole64(x) OSSwapHostToLittleInt64(x)
|
||||
@ -100,14 +203,33 @@ typedef void *Prims_pos, *Prims_nat, *Prims_nonzero, *FStar_Seq_Base_seq,
|
||||
#define htobe32(x) OSSwapHostToBigInt32(x)
|
||||
#define be32toh(x) OSSwapBigToHostInt32(x)
|
||||
|
||||
// ... for Windows
|
||||
#elif (defined(_WIN16) || defined(_WIN32) || defined(_WIN64)) && \
|
||||
!defined(__WINDOWS__)
|
||||
#include <windows.h>
|
||||
/* ... for Solaris */
|
||||
#elif defined(__sun__)
|
||||
#include <sys/byteorder.h>
|
||||
#define htole64(x) LE_64(x)
|
||||
#define le64toh(x) LE_IN64(x)
|
||||
#define htobe64(x) BE_64(x)
|
||||
#define be64toh(x) BE_IN64(x)
|
||||
|
||||
#if BYTE_ORDER == LITTLE_ENDIAN
|
||||
#define htole16(x) LE_16(x)
|
||||
#define le16toh(x) LE_IN16(x)
|
||||
#define htobe16(x) BE_16(x)
|
||||
#define be16toh(x) BE_IN16(x)
|
||||
|
||||
#define htole32(x) LE_32(x)
|
||||
#define le32toh(x) LE_IN32(x)
|
||||
#define htobe32(x) BE_32(x)
|
||||
#define be32toh(x) BE_IN32(x)
|
||||
|
||||
/* ... for the BSDs */
|
||||
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__)
|
||||
#include <sys/endian.h>
|
||||
#elif defined(__OpenBSD__)
|
||||
#include <endian.h>
|
||||
|
||||
/* ... for Windows (MSVC)... not targeting XBOX 360! */
|
||||
#elif defined(_MSC_VER)
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
#include <stdlib.h>
|
||||
#define htobe16(x) _byteswap_ushort(x)
|
||||
#define htole16(x) (x)
|
||||
@ -124,7 +246,9 @@ typedef void *Prims_pos, *Prims_nat, *Prims_nonzero, *FStar_Seq_Base_seq,
|
||||
#define be64toh(x) _byteswap_uint64(x)
|
||||
#define le64toh(x) (x)
|
||||
|
||||
#elif defined(__GNUC__) || defined(__clang__)
|
||||
/* ... for Windows (GCC-like, e.g. mingw or clang) */
|
||||
#elif (defined(_WIN32) || defined(_WIN64)) && \
|
||||
(defined(__GNUC__) || defined(__clang__))
|
||||
|
||||
#define htobe16(x) __builtin_bswap16(x)
|
||||
#define htole16(x) (x)
|
||||
@ -140,14 +264,67 @@ typedef void *Prims_pos, *Prims_nat, *Prims_nonzero, *FStar_Seq_Base_seq,
|
||||
#define htole64(x) (x)
|
||||
#define be64toh(x) __builtin_bswap64(x)
|
||||
#define le64toh(x) (x)
|
||||
#endif
|
||||
|
||||
#endif
|
||||
/* ... generic big-endian fallback code */
|
||||
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
|
||||
|
||||
#endif
|
||||
/* byte swapping code inspired by:
|
||||
* https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h
|
||||
* */
|
||||
|
||||
// Loads and stores. These avoid undefined behavior due to unaligned memory
|
||||
// accesses, via memcpy.
|
||||
#define htobe32(x) (x)
|
||||
#define be32toh(x) (x)
|
||||
#define htole32(x) \
|
||||
(__extension__({ \
|
||||
uint32_t _temp = (x); \
|
||||
((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \
|
||||
((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
|
||||
}))
|
||||
#define le32toh(x) (htole32((x)))
|
||||
|
||||
#define htobe64(x) (x)
|
||||
#define be64toh(x) (x)
|
||||
#define htole64(x) \
|
||||
(__extension__({ \
|
||||
uint64_t __temp = (x); \
|
||||
uint32_t __low = htobe32((uint32_t)__temp); \
|
||||
uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
|
||||
(((uint64_t)__low) << 32) | __high; \
|
||||
}))
|
||||
#define le64toh(x) (htole64((x)))
|
||||
|
||||
/* ... generic little-endian fallback code */
|
||||
#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
|
||||
|
||||
#define htole32(x) (x)
|
||||
#define le32toh(x) (x)
|
||||
#define htobe32(x) \
|
||||
(__extension__({ \
|
||||
uint32_t _temp = (x); \
|
||||
((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \
|
||||
((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \
|
||||
}))
|
||||
#define be32toh(x) (htobe32((x)))
|
||||
|
||||
#define htole64(x) (x)
|
||||
#define le64toh(x) (x)
|
||||
#define htobe64(x) \
|
||||
(__extension__({ \
|
||||
uint64_t __temp = (x); \
|
||||
uint32_t __low = htobe32((uint32_t)__temp); \
|
||||
uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \
|
||||
(((uint64_t)__low) << 32) | __high; \
|
||||
}))
|
||||
#define be64toh(x) (htobe64((x)))
|
||||
|
||||
/* ... couldn't determine endian-ness of the target platform */
|
||||
#else
|
||||
#error "Please define __BYTE_ORDER__!"
|
||||
|
||||
#endif /* defined(__linux__) || ... */
|
||||
|
||||
/* Loads and stores. These avoid undefined behavior due to unaligned memory
|
||||
* accesses, via memcpy. */
|
||||
|
||||
inline static uint16_t
|
||||
load16(uint8_t *b)
|
||||
@ -206,101 +383,139 @@ store64(uint8_t *b, uint64_t i)
|
||||
#define load64_be(b) (be64toh(load64(b)))
|
||||
#define store64_be(b, i) (store64(b, htobe64(i)))
|
||||
|
||||
// Integer types
|
||||
typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_;
|
||||
typedef int64_t FStar_Int64_t, FStar_Int64_t_;
|
||||
typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_;
|
||||
typedef int32_t FStar_Int32_t, FStar_Int32_t_;
|
||||
typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_;
|
||||
typedef int16_t FStar_Int16_t, FStar_Int16_t_;
|
||||
typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_;
|
||||
typedef int8_t FStar_Int8_t, FStar_Int8_t_;
|
||||
/******************************************************************************/
|
||||
/* Checked integers to ease the compilation of non-Low* code */
|
||||
/******************************************************************************/
|
||||
|
||||
// Constant time comparisons
|
||||
static inline uint8_t
|
||||
FStar_UInt8_eq_mask(uint8_t x, uint8_t y)
|
||||
typedef int32_t Prims_pos, Prims_nat, Prims_nonzero, Prims_int,
|
||||
krml_checked_int_t;
|
||||
|
||||
inline static bool
|
||||
Prims_op_GreaterThanOrEqual(int32_t x, int32_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return (int8_t)x >> 7;
|
||||
return x >= y;
|
||||
}
|
||||
|
||||
static inline uint8_t
|
||||
FStar_UInt8_gte_mask(uint8_t x, uint8_t y)
|
||||
inline static bool
|
||||
Prims_op_LessThanOrEqual(int32_t x, int32_t y)
|
||||
{
|
||||
return ~(uint8_t)(((int32_t)x - y) >> 31);
|
||||
return x <= y;
|
||||
}
|
||||
|
||||
static inline uint16_t
|
||||
FStar_UInt16_eq_mask(uint16_t x, uint16_t y)
|
||||
inline static bool
|
||||
Prims_op_GreaterThan(int32_t x, int32_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 8;
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return (int16_t)x >> 15;
|
||||
return x > y;
|
||||
}
|
||||
|
||||
static inline uint16_t
|
||||
FStar_UInt16_gte_mask(uint16_t x, uint16_t y)
|
||||
inline static bool
|
||||
Prims_op_LessThan(int32_t x, int32_t y)
|
||||
{
|
||||
return ~(uint16_t)(((int32_t)x - y) >> 31);
|
||||
return x < y;
|
||||
}
|
||||
|
||||
static inline uint32_t
|
||||
FStar_UInt32_eq_mask(uint32_t x, uint32_t y)
|
||||
#define RETURN_OR(x) \
|
||||
do { \
|
||||
int64_t __ret = x; \
|
||||
if (__ret < INT32_MIN || INT32_MAX < __ret) { \
|
||||
KRML_HOST_PRINTF("Prims.{int,nat,pos} integer overflow at %s:%d\n", \
|
||||
__FILE__, __LINE__); \
|
||||
KRML_HOST_EXIT(252); \
|
||||
} \
|
||||
return (int32_t)__ret; \
|
||||
} while (0)
|
||||
|
||||
inline static int32_t
|
||||
Prims_pow2(int32_t x)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 16;
|
||||
x &= x << 8;
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return ((int32_t)x) >> 31;
|
||||
RETURN_OR((int64_t)1 << (int64_t)x);
|
||||
}
|
||||
|
||||
static inline uint32_t
|
||||
FStar_UInt32_gte_mask(uint32_t x, uint32_t y)
|
||||
inline static int32_t
|
||||
Prims_op_Multiply(int32_t x, int32_t y)
|
||||
{
|
||||
return ~((uint32_t)(((int64_t)x - y) >> 63));
|
||||
RETURN_OR((int64_t)x * (int64_t)y);
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
FStar_UInt64_eq_mask(uint64_t x, uint64_t y)
|
||||
inline static int32_t
|
||||
Prims_op_Addition(int32_t x, int32_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 32;
|
||||
x &= x << 16;
|
||||
x &= x << 8;
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return ((int64_t)x) >> 63;
|
||||
RETURN_OR((int64_t)x + (int64_t)y);
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
FStar_UInt64_gte_mask(uint64_t x, uint64_t y)
|
||||
inline static int32_t
|
||||
Prims_op_Subtraction(int32_t x, int32_t y)
|
||||
{
|
||||
uint64_t low63 =
|
||||
~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x7fffffffffffffff)) -
|
||||
(int64_t)(y & UINT64_C(0x7fffffffffffffff))) >>
|
||||
63));
|
||||
uint64_t high_bit =
|
||||
~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x8000000000000000)) -
|
||||
(int64_t)(y & UINT64_C(0x8000000000000000))) >>
|
||||
63));
|
||||
return low63 & high_bit;
|
||||
RETURN_OR((int64_t)x - (int64_t)y);
|
||||
}
|
||||
|
||||
// Platform-specific 128-bit arithmetic. These are static functions in a header,
|
||||
// so that each translation unit gets its own copy and the C compiler can
|
||||
// optimize.
|
||||
#ifdef HAVE_INT128_SUPPORT
|
||||
inline static int32_t
|
||||
Prims_op_Division(int32_t x, int32_t y)
|
||||
{
|
||||
RETURN_OR((int64_t)x / (int64_t)y);
|
||||
}
|
||||
|
||||
inline static int32_t
|
||||
Prims_op_Modulus(int32_t x, int32_t y)
|
||||
{
|
||||
RETURN_OR((int64_t)x % (int64_t)y);
|
||||
}
|
||||
|
||||
inline static int8_t
|
||||
FStar_UInt8_uint_to_t(int8_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
inline static int16_t
|
||||
FStar_UInt16_uint_to_t(int16_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
inline static int32_t
|
||||
FStar_UInt32_uint_to_t(int32_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
inline static int64_t
|
||||
FStar_UInt64_uint_to_t(int64_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
|
||||
inline static int8_t
|
||||
FStar_UInt8_v(int8_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
inline static int16_t
|
||||
FStar_UInt16_v(int16_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
inline static int32_t
|
||||
FStar_UInt32_v(int32_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
inline static int64_t
|
||||
FStar_UInt64_v(int64_t x)
|
||||
{
|
||||
return x;
|
||||
}
|
||||
|
||||
/* Platform-specific 128-bit arithmetic. These are static functions in a header,
|
||||
* so that each translation unit gets its own copy and the C compiler can
|
||||
* optimize. */
|
||||
#ifndef KRML_NOUINT128
|
||||
typedef unsigned __int128 FStar_UInt128_t, FStar_UInt128_t_, uint128_t;
|
||||
|
||||
static inline void
|
||||
print128(const char *where, uint128_t n)
|
||||
{
|
||||
KRML_HOST_PRINTF("%s: [%" PRIu64 ",%" PRIu64 "]\n", where,
|
||||
(uint64_t)(n >> 64), (uint64_t)n);
|
||||
}
|
||||
|
||||
static inline uint128_t
|
||||
load128_le(uint8_t *b)
|
||||
{
|
||||
@ -344,8 +559,6 @@ store128_be(uint8_t *b, uint128_t n)
|
||||
#define FStar_UInt128_shift_right(x, y) ((x) >> (y))
|
||||
#define FStar_UInt128_uint64_to_uint128(x) ((uint128_t)(x))
|
||||
#define FStar_UInt128_uint128_to_uint64(x) ((uint64_t)(x))
|
||||
#define FStar_Int_Cast_Full_uint64_to_uint128(x) ((uint128_t)(x))
|
||||
#define FStar_Int_Cast_Full_uint128_to_uint64(x) ((uint64_t)(x))
|
||||
#define FStar_UInt128_mul_wide(x, y) ((uint128_t)(x) * (y))
|
||||
#define FStar_UInt128_op_Hat_Hat(x, y) ((x) ^ (y))
|
||||
|
||||
@ -368,12 +581,20 @@ FStar_UInt128_gte_mask(uint128_t x, uint128_t y)
|
||||
return ((uint128_t)mask) << 64 | mask;
|
||||
}
|
||||
|
||||
#else // defined(HAVE_INT128_SUPPORT)
|
||||
#else /* !defined(KRML_NOUINT128) */
|
||||
|
||||
#include "fstar_uint128.h"
|
||||
/* This is a bad circular dependency... should fix it properly. */
|
||||
#include "FStar.h"
|
||||
|
||||
typedef FStar_UInt128_uint128 FStar_UInt128_t_, uint128_t;
|
||||
|
||||
/* A series of definitions written using pointers. */
|
||||
static inline void
|
||||
print128_(const char *where, uint128_t *n)
|
||||
{
|
||||
KRML_HOST_PRINTF("%s: [0x%08" PRIx64 ",0x%08" PRIx64 "]\n", where, n->high, n->low);
|
||||
}
|
||||
|
||||
static inline void
|
||||
load128_le_(uint8_t *b, uint128_t *r)
|
||||
{
|
||||
@ -402,11 +623,50 @@ store128_be_(uint8_t *b, uint128_t *n)
|
||||
store64_be(b + 8, n->low);
|
||||
}
|
||||
|
||||
/* #define print128 print128_ */
|
||||
#ifndef KRML_NOSTRUCT_PASSING
|
||||
|
||||
static inline void
|
||||
print128(const char *where, uint128_t n)
|
||||
{
|
||||
print128_(where, &n);
|
||||
}
|
||||
|
||||
static inline uint128_t
|
||||
load128_le(uint8_t *b)
|
||||
{
|
||||
uint128_t r;
|
||||
load128_le_(b, &r);
|
||||
return r;
|
||||
}
|
||||
|
||||
static inline void
|
||||
store128_le(uint8_t *b, uint128_t n)
|
||||
{
|
||||
store128_le_(b, &n);
|
||||
}
|
||||
|
||||
static inline uint128_t
|
||||
load128_be(uint8_t *b)
|
||||
{
|
||||
uint128_t r;
|
||||
load128_be_(b, &r);
|
||||
return r;
|
||||
}
|
||||
|
||||
static inline void
|
||||
store128_be(uint8_t *b, uint128_t n)
|
||||
{
|
||||
store128_be_(b, &n);
|
||||
}
|
||||
|
||||
#else /* !defined(KRML_STRUCT_PASSING) */
|
||||
|
||||
#define print128 print128_
|
||||
#define load128_le load128_le_
|
||||
#define store128_le store128_le_
|
||||
#define load128_be load128_be_
|
||||
#define store128_be store128_be_
|
||||
|
||||
#endif // HAVE_INT128_SUPPORT
|
||||
#endif // __KREMLIB_H
|
||||
#endif /* KRML_STRUCT_PASSING */
|
||||
#endif /* KRML_UINT128 */
|
||||
#endif /* __KREMLIB_H */
|
||||
|
191
security/nss/lib/freebl/verified/kremlib_base.h
Normal file
191
security/nss/lib/freebl/verified/kremlib_base.h
Normal file
@ -0,0 +1,191 @@
|
||||
/* Copyright 2016-2017 INRIA and Microsoft Corporation
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#ifndef __KREMLIB_BASE_H
|
||||
#define __KREMLIB_BASE_H
|
||||
|
||||
#include <inttypes.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <time.h>
|
||||
|
||||
/******************************************************************************/
|
||||
/* Some macros to ease compatibility */
|
||||
/******************************************************************************/
|
||||
|
||||
/* Define __cdecl and friends when using GCC, so that we can safely compile code
|
||||
* that contains __cdecl on all platforms. Note that this is in a separate
|
||||
* header so that Dafny-generated code can include just this file. */
|
||||
#ifndef _MSC_VER
|
||||
/* Use the gcc predefined macros if on a platform/architectures that set them.
|
||||
* Otherwise define them to be empty. */
|
||||
#ifndef __cdecl
|
||||
#define __cdecl
|
||||
#endif
|
||||
#ifndef __stdcall
|
||||
#define __stdcall
|
||||
#endif
|
||||
#ifndef __fastcall
|
||||
#define __fastcall
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef __GNUC__
|
||||
#define inline __inline__
|
||||
#endif
|
||||
|
||||
/* GCC-specific attribute syntax; everyone else gets the standard C inline
|
||||
* attribute. */
|
||||
#ifdef __GNU_C__
|
||||
#ifndef __clang__
|
||||
#define force_inline inline __attribute__((always_inline))
|
||||
#else
|
||||
#define force_inline inline
|
||||
#endif
|
||||
#else
|
||||
#define force_inline inline
|
||||
#endif
|
||||
|
||||
/******************************************************************************/
|
||||
/* Implementing C.fst */
|
||||
/******************************************************************************/
|
||||
|
||||
/* Uppercase issue; we have to define lowercase versions of the C macros (as we
|
||||
* have no way to refer to an uppercase *variable* in F*). */
|
||||
extern int exit_success;
|
||||
extern int exit_failure;
|
||||
|
||||
/* This one allows the user to write C.EXIT_SUCCESS. */
|
||||
typedef int exit_code;
|
||||
|
||||
void print_string(const char *s);
|
||||
void print_bytes(uint8_t *b, uint32_t len);
|
||||
|
||||
/* The universal null pointer defined in C.Nullity.fst */
|
||||
#define C_Nullity_null(X) 0
|
||||
|
||||
/* If some globals need to be initialized before the main, then kremlin will
|
||||
* generate and try to link last a function with this type: */
|
||||
void kremlinit_globals(void);
|
||||
|
||||
/******************************************************************************/
|
||||
/* Implementation of machine integers (possibly of 128-bit integers) */
|
||||
/******************************************************************************/
|
||||
|
||||
/* Integer types */
|
||||
typedef uint64_t FStar_UInt64_t, FStar_UInt64_t_;
|
||||
typedef int64_t FStar_Int64_t, FStar_Int64_t_;
|
||||
typedef uint32_t FStar_UInt32_t, FStar_UInt32_t_;
|
||||
typedef int32_t FStar_Int32_t, FStar_Int32_t_;
|
||||
typedef uint16_t FStar_UInt16_t, FStar_UInt16_t_;
|
||||
typedef int16_t FStar_Int16_t, FStar_Int16_t_;
|
||||
typedef uint8_t FStar_UInt8_t, FStar_UInt8_t_;
|
||||
typedef int8_t FStar_Int8_t, FStar_Int8_t_;
|
||||
|
||||
static inline uint32_t
|
||||
rotate32_left(uint32_t x, uint32_t n)
|
||||
{
|
||||
/* assert (n<32); */
|
||||
return (x << n) | (x >> (32 - n));
|
||||
}
|
||||
static inline uint32_t
|
||||
rotate32_right(uint32_t x, uint32_t n)
|
||||
{
|
||||
/* assert (n<32); */
|
||||
return (x >> n) | (x << (32 - n));
|
||||
}
|
||||
|
||||
/* Constant time comparisons */
|
||||
static inline uint8_t
|
||||
FStar_UInt8_eq_mask(uint8_t x, uint8_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return (int8_t)x >> 7;
|
||||
}
|
||||
|
||||
static inline uint8_t
|
||||
FStar_UInt8_gte_mask(uint8_t x, uint8_t y)
|
||||
{
|
||||
return ~(uint8_t)(((int32_t)x - y) >> 31);
|
||||
}
|
||||
|
||||
static inline uint16_t
|
||||
FStar_UInt16_eq_mask(uint16_t x, uint16_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 8;
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return (int16_t)x >> 15;
|
||||
}
|
||||
|
||||
static inline uint16_t
|
||||
FStar_UInt16_gte_mask(uint16_t x, uint16_t y)
|
||||
{
|
||||
return ~(uint16_t)(((int32_t)x - y) >> 31);
|
||||
}
|
||||
|
||||
static inline uint32_t
|
||||
FStar_UInt32_eq_mask(uint32_t x, uint32_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 16;
|
||||
x &= x << 8;
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return ((int32_t)x) >> 31;
|
||||
}
|
||||
|
||||
static inline uint32_t
|
||||
FStar_UInt32_gte_mask(uint32_t x, uint32_t y)
|
||||
{
|
||||
return ~((uint32_t)(((int64_t)x - y) >> 63));
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
FStar_UInt64_eq_mask(uint64_t x, uint64_t y)
|
||||
{
|
||||
x = ~(x ^ y);
|
||||
x &= x << 32;
|
||||
x &= x << 16;
|
||||
x &= x << 8;
|
||||
x &= x << 4;
|
||||
x &= x << 2;
|
||||
x &= x << 1;
|
||||
return ((int64_t)x) >> 63;
|
||||
}
|
||||
|
||||
static inline uint64_t
|
||||
FStar_UInt64_gte_mask(uint64_t x, uint64_t y)
|
||||
{
|
||||
uint64_t low63 =
|
||||
~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x7fffffffffffffff)) -
|
||||
(int64_t)(y & UINT64_C(0x7fffffffffffffff))) >>
|
||||
63));
|
||||
uint64_t high_bit =
|
||||
~((uint64_t)((int64_t)((int64_t)(x & UINT64_C(0x8000000000000000)) -
|
||||
(int64_t)(y & UINT64_C(0x8000000000000000))) >>
|
||||
63));
|
||||
return low63 & high_bit;
|
||||
}
|
||||
|
||||
#endif
|
83
security/nss/lib/freebl/verified/specs/Spec.CTR.fst
Normal file
83
security/nss/lib/freebl/verified/specs/Spec.CTR.fst
Normal file
@ -0,0 +1,83 @@
|
||||
module Spec.CTR
|
||||
|
||||
module ST = FStar.HyperStack.ST
|
||||
|
||||
open FStar.Mul
|
||||
open FStar.Seq
|
||||
open Spec.Lib
|
||||
|
||||
#reset-options "--initial_fuel 0 --max_fuel 0 --initial_ifuel 0 --max_ifuel 0"
|
||||
|
||||
type block_cipher_ctx = {
|
||||
keylen: nat ;
|
||||
blocklen: (x:nat{x>0});
|
||||
noncelen: nat;
|
||||
counterbits: nat;
|
||||
incr: pos}
|
||||
|
||||
type key (c:block_cipher_ctx) = lbytes c.keylen
|
||||
type nonce (c:block_cipher_ctx) = lbytes c.noncelen
|
||||
type block (c:block_cipher_ctx) = lbytes (c.blocklen*c.incr)
|
||||
type counter (c:block_cipher_ctx) = UInt.uint_t c.counterbits
|
||||
type block_cipher (c:block_cipher_ctx) = key c -> nonce c -> counter c -> block c
|
||||
|
||||
val xor: #len:nat -> x:lbytes len -> y:lbytes len -> Tot (lbytes len)
|
||||
let xor #len x y = map2 FStar.UInt8.(fun x y -> x ^^ y) x y
|
||||
|
||||
|
||||
val counter_mode_blocks:
|
||||
ctx: block_cipher_ctx ->
|
||||
bc: block_cipher ctx ->
|
||||
k:key ctx -> n:nonce ctx -> c:counter ctx ->
|
||||
plain:seq UInt8.t{c + ctx.incr * (length plain / ctx.blocklen) < pow2 ctx.counterbits /\
|
||||
length plain % (ctx.blocklen * ctx.incr) = 0} ->
|
||||
Tot (lbytes (length plain))
|
||||
(decreases (length plain))
|
||||
#reset-options "--z3rlimit 200 --max_fuel 0"
|
||||
let rec counter_mode_blocks ctx block_enc key nonce counter plain =
|
||||
let len = length plain in
|
||||
let len' = len / (ctx.blocklen * ctx.incr) in
|
||||
Math.Lemmas.lemma_div_mod len (ctx.blocklen * ctx.incr) ;
|
||||
if len = 0 then Seq.createEmpty #UInt8.t
|
||||
else (
|
||||
let prefix, block = split plain (len - ctx.blocklen * ctx.incr) in
|
||||
(* TODO: move to a single lemma for clarify *)
|
||||
Math.Lemmas.lemma_mod_plus (length prefix) 1 (ctx.blocklen * ctx.incr);
|
||||
Math.Lemmas.lemma_div_le (length prefix) len ctx.blocklen;
|
||||
Spec.CTR.Lemmas.lemma_div len (ctx.blocklen * ctx.incr);
|
||||
(* End TODO *)
|
||||
let cipher = counter_mode_blocks ctx block_enc key nonce counter prefix in
|
||||
let mask = block_enc key nonce (counter + (len / ctx.blocklen - 1) * ctx.incr) in
|
||||
let eb = xor block mask in
|
||||
cipher @| eb
|
||||
)
|
||||
|
||||
|
||||
val counter_mode:
|
||||
ctx: block_cipher_ctx ->
|
||||
bc: block_cipher ctx ->
|
||||
k:key ctx -> n:nonce ctx -> c:counter ctx ->
|
||||
plain:seq UInt8.t{c + ctx.incr * (length plain / ctx.blocklen) < pow2 ctx.counterbits} ->
|
||||
Tot (lbytes (length plain))
|
||||
(decreases (length plain))
|
||||
#reset-options "--z3rlimit 200 --max_fuel 0"
|
||||
let counter_mode ctx block_enc key nonce counter plain =
|
||||
let len = length plain in
|
||||
let blocks_len = (ctx.incr * ctx.blocklen) * (len / (ctx.blocklen * ctx.incr)) in
|
||||
let part_len = len % (ctx.blocklen * ctx.incr) in
|
||||
(* TODO: move to a single lemma for clarify *)
|
||||
Math.Lemmas.lemma_div_mod len (ctx.blocklen * ctx.incr);
|
||||
Math.Lemmas.multiple_modulo_lemma (len / (ctx.blocklen * ctx.incr)) (ctx.blocklen * ctx.incr);
|
||||
Math.Lemmas.lemma_div_le (blocks_len) len ctx.blocklen;
|
||||
(* End TODO *)
|
||||
let blocks, last_block = split plain blocks_len in
|
||||
let cipher_blocks = counter_mode_blocks ctx block_enc key nonce counter blocks in
|
||||
let cipher_last_block =
|
||||
if part_len > 0
|
||||
then (* encrypt final partial block(s) *)
|
||||
let mask = block_enc key nonce (counter+ctx.incr*(length plain / ctx.blocklen)) in
|
||||
let mask = slice mask 0 part_len in
|
||||
assert(length last_block = part_len);
|
||||
xor #part_len last_block mask
|
||||
else createEmpty in
|
||||
cipher_blocks @| cipher_last_block
|
154
security/nss/lib/freebl/verified/specs/Spec.Chacha20.fst
Normal file
154
security/nss/lib/freebl/verified/specs/Spec.Chacha20.fst
Normal file
@ -0,0 +1,154 @@
|
||||
module Spec.Chacha20
|
||||
|
||||
module ST = FStar.HyperStack.ST
|
||||
|
||||
open FStar.Mul
|
||||
open FStar.Seq
|
||||
open FStar.UInt32
|
||||
open FStar.Endianness
|
||||
open Spec.Lib
|
||||
open Spec.Chacha20.Lemmas
|
||||
open Seq.Create
|
||||
|
||||
#set-options "--max_fuel 0 --z3rlimit 100"
|
||||
|
||||
(* Constants *)
|
||||
let keylen = 32 (* in bytes *)
|
||||
let blocklen = 64 (* in bytes *)
|
||||
let noncelen = 12 (* in bytes *)
|
||||
|
||||
type key = lbytes keylen
|
||||
type block = lbytes blocklen
|
||||
type nonce = lbytes noncelen
|
||||
type counter = UInt.uint_t 32
|
||||
|
||||
// using @ as a functional substitute for ;
|
||||
// internally, blocks are represented as 16 x 4-byte integers
|
||||
type state = m:seq UInt32.t {length m = 16}
|
||||
type idx = n:nat{n < 16}
|
||||
type shuffle = state -> Tot state
|
||||
|
||||
let line (a:idx) (b:idx) (d:idx) (s:t{0 < v s /\ v s < 32}) (m:state) : Tot state =
|
||||
let m = m.[a] <- (m.[a] +%^ m.[b]) in
|
||||
let m = m.[d] <- ((m.[d] ^^ m.[a]) <<< s) in m
|
||||
|
||||
let quarter_round a b c d : shuffle =
|
||||
line a b d 16ul @
|
||||
line c d b 12ul @
|
||||
line a b d 8ul @
|
||||
line c d b 7ul
|
||||
|
||||
let column_round : shuffle =
|
||||
quarter_round 0 4 8 12 @
|
||||
quarter_round 1 5 9 13 @
|
||||
quarter_round 2 6 10 14 @
|
||||
quarter_round 3 7 11 15
|
||||
|
||||
let diagonal_round : shuffle =
|
||||
quarter_round 0 5 10 15 @
|
||||
quarter_round 1 6 11 12 @
|
||||
quarter_round 2 7 8 13 @
|
||||
quarter_round 3 4 9 14
|
||||
|
||||
let double_round: shuffle =
|
||||
column_round @ diagonal_round (* 2 rounds *)
|
||||
|
||||
let rounds : shuffle =
|
||||
iter 10 double_round (* 20 rounds *)
|
||||
|
||||
let chacha20_core (s:state) : Tot state =
|
||||
let s' = rounds s in
|
||||
Spec.Loops.seq_map2 (fun x y -> x +%^ y) s' s
|
||||
|
||||
(* state initialization *)
|
||||
let c0 = 0x61707865ul
|
||||
let c1 = 0x3320646eul
|
||||
let c2 = 0x79622d32ul
|
||||
let c3 = 0x6b206574ul
|
||||
|
||||
let setup (k:key) (n:nonce) (c:counter): Tot state =
|
||||
create_4 c0 c1 c2 c3 @|
|
||||
uint32s_from_le 8 k @|
|
||||
create_1 (UInt32.uint_to_t c) @|
|
||||
uint32s_from_le 3 n
|
||||
|
||||
let chacha20_block (k:key) (n:nonce) (c:counter): Tot block =
|
||||
let st = setup k n c in
|
||||
let st' = chacha20_core st in
|
||||
uint32s_to_le 16 st'
|
||||
|
||||
let chacha20_ctx: Spec.CTR.block_cipher_ctx =
|
||||
let open Spec.CTR in
|
||||
{
|
||||
keylen = keylen;
|
||||
blocklen = blocklen;
|
||||
noncelen = noncelen;
|
||||
counterbits = 32;
|
||||
incr = 1
|
||||
}
|
||||
|
||||
let chacha20_cipher: Spec.CTR.block_cipher chacha20_ctx = chacha20_block
|
||||
|
||||
let chacha20_encrypt_bytes key nonce counter m =
|
||||
Spec.CTR.counter_mode chacha20_ctx chacha20_cipher key nonce counter m
|
||||
|
||||
|
||||
unfold let test_plaintext = [
|
||||
0x4cuy; 0x61uy; 0x64uy; 0x69uy; 0x65uy; 0x73uy; 0x20uy; 0x61uy;
|
||||
0x6euy; 0x64uy; 0x20uy; 0x47uy; 0x65uy; 0x6euy; 0x74uy; 0x6cuy;
|
||||
0x65uy; 0x6duy; 0x65uy; 0x6euy; 0x20uy; 0x6fuy; 0x66uy; 0x20uy;
|
||||
0x74uy; 0x68uy; 0x65uy; 0x20uy; 0x63uy; 0x6cuy; 0x61uy; 0x73uy;
|
||||
0x73uy; 0x20uy; 0x6fuy; 0x66uy; 0x20uy; 0x27uy; 0x39uy; 0x39uy;
|
||||
0x3auy; 0x20uy; 0x49uy; 0x66uy; 0x20uy; 0x49uy; 0x20uy; 0x63uy;
|
||||
0x6fuy; 0x75uy; 0x6cuy; 0x64uy; 0x20uy; 0x6fuy; 0x66uy; 0x66uy;
|
||||
0x65uy; 0x72uy; 0x20uy; 0x79uy; 0x6fuy; 0x75uy; 0x20uy; 0x6fuy;
|
||||
0x6euy; 0x6cuy; 0x79uy; 0x20uy; 0x6fuy; 0x6euy; 0x65uy; 0x20uy;
|
||||
0x74uy; 0x69uy; 0x70uy; 0x20uy; 0x66uy; 0x6fuy; 0x72uy; 0x20uy;
|
||||
0x74uy; 0x68uy; 0x65uy; 0x20uy; 0x66uy; 0x75uy; 0x74uy; 0x75uy;
|
||||
0x72uy; 0x65uy; 0x2cuy; 0x20uy; 0x73uy; 0x75uy; 0x6euy; 0x73uy;
|
||||
0x63uy; 0x72uy; 0x65uy; 0x65uy; 0x6euy; 0x20uy; 0x77uy; 0x6fuy;
|
||||
0x75uy; 0x6cuy; 0x64uy; 0x20uy; 0x62uy; 0x65uy; 0x20uy; 0x69uy;
|
||||
0x74uy; 0x2euy
|
||||
]
|
||||
|
||||
unfold let test_ciphertext = [
|
||||
0x6euy; 0x2euy; 0x35uy; 0x9auy; 0x25uy; 0x68uy; 0xf9uy; 0x80uy;
|
||||
0x41uy; 0xbauy; 0x07uy; 0x28uy; 0xdduy; 0x0duy; 0x69uy; 0x81uy;
|
||||
0xe9uy; 0x7euy; 0x7auy; 0xecuy; 0x1duy; 0x43uy; 0x60uy; 0xc2uy;
|
||||
0x0auy; 0x27uy; 0xafuy; 0xccuy; 0xfduy; 0x9fuy; 0xaeuy; 0x0buy;
|
||||
0xf9uy; 0x1buy; 0x65uy; 0xc5uy; 0x52uy; 0x47uy; 0x33uy; 0xabuy;
|
||||
0x8fuy; 0x59uy; 0x3duy; 0xabuy; 0xcduy; 0x62uy; 0xb3uy; 0x57uy;
|
||||
0x16uy; 0x39uy; 0xd6uy; 0x24uy; 0xe6uy; 0x51uy; 0x52uy; 0xabuy;
|
||||
0x8fuy; 0x53uy; 0x0cuy; 0x35uy; 0x9fuy; 0x08uy; 0x61uy; 0xd8uy;
|
||||
0x07uy; 0xcauy; 0x0duy; 0xbfuy; 0x50uy; 0x0duy; 0x6auy; 0x61uy;
|
||||
0x56uy; 0xa3uy; 0x8euy; 0x08uy; 0x8auy; 0x22uy; 0xb6uy; 0x5euy;
|
||||
0x52uy; 0xbcuy; 0x51uy; 0x4duy; 0x16uy; 0xccuy; 0xf8uy; 0x06uy;
|
||||
0x81uy; 0x8cuy; 0xe9uy; 0x1auy; 0xb7uy; 0x79uy; 0x37uy; 0x36uy;
|
||||
0x5auy; 0xf9uy; 0x0buy; 0xbfuy; 0x74uy; 0xa3uy; 0x5buy; 0xe6uy;
|
||||
0xb4uy; 0x0buy; 0x8euy; 0xeduy; 0xf2uy; 0x78uy; 0x5euy; 0x42uy;
|
||||
0x87uy; 0x4duy
|
||||
]
|
||||
|
||||
unfold let test_key = [
|
||||
0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy;
|
||||
8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy;
|
||||
16uy; 17uy; 18uy; 19uy; 20uy; 21uy; 22uy; 23uy;
|
||||
24uy; 25uy; 26uy; 27uy; 28uy; 29uy; 30uy; 31uy
|
||||
]
|
||||
unfold let test_nonce = [
|
||||
0uy; 0uy; 0uy; 0uy; 0uy; 0uy; 0uy; 0x4auy; 0uy; 0uy; 0uy; 0uy
|
||||
]
|
||||
|
||||
unfold let test_counter = 1
|
||||
|
||||
let test() =
|
||||
assert_norm(List.Tot.length test_plaintext = 114);
|
||||
assert_norm(List.Tot.length test_ciphertext = 114);
|
||||
assert_norm(List.Tot.length test_key = 32);
|
||||
assert_norm(List.Tot.length test_nonce = 12);
|
||||
let test_plaintext = createL test_plaintext in
|
||||
let test_ciphertext = createL test_ciphertext in
|
||||
let test_key = createL test_key in
|
||||
let test_nonce = createL test_nonce in
|
||||
chacha20_encrypt_bytes test_key test_nonce test_counter test_plaintext
|
||||
= test_ciphertext
|
@ -22,9 +22,9 @@
|
||||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define NSS_VERSION "3.34" _NSS_CUSTOMIZED " Beta"
|
||||
#define NSS_VERSION "3.35" _NSS_CUSTOMIZED " Beta"
|
||||
#define NSS_VMAJOR 3
|
||||
#define NSS_VMINOR 34
|
||||
#define NSS_VMINOR 35
|
||||
#define NSS_VPATCH 0
|
||||
#define NSS_VBUILD 0
|
||||
#define NSS_BETA PR_TRUE
|
||||
|
@ -68,8 +68,11 @@ pk11_copyAttributes(PLArenaPool *arena,
|
||||
copyTemplate, copyTemplateCount);
|
||||
/* if we have missing attributes, just skip them and create the object */
|
||||
if (crv == CKR_ATTRIBUTE_TYPE_INVALID) {
|
||||
int i, j;
|
||||
CK_ULONG i, j;
|
||||
newTemplate = PORT_NewArray(CK_ATTRIBUTE, copyTemplateCount);
|
||||
if (!newTemplate) {
|
||||
return SECFailure;
|
||||
}
|
||||
/* remove the unknown attributes. If we don't have enough attributes
|
||||
* PK11_CreateNewObject() will fail */
|
||||
for (i = 0, j = 0; i < copyTemplateCount; i++) {
|
||||
|
@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
|
||||
cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId);
|
||||
|
||||
if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) {
|
||||
length = sec_pkcs5v2_aes_key_length(cipherAlg);
|
||||
/* Previously, the PKCS#12 files created with the old NSS
|
||||
* releases encoded the maximum key size of AES (that is 32)
|
||||
* in the keyLength field of PBKDF2-params. That resulted in
|
||||
* always performing AES-256 even if AES-128-CBC or
|
||||
* AES-192-CBC is specified in the encryptionScheme field of
|
||||
* PBES2-params. This is wrong, but for compatibility reasons,
|
||||
* check the keyLength field and use the value if it is 32.
|
||||
*/
|
||||
if (p5_param.keyLength.data != NULL) {
|
||||
length = DER_GetInteger(&p5_param.keyLength);
|
||||
}
|
||||
/* If the keyLength field is present and contains a value
|
||||
* other than 32, that means the file is created outside of
|
||||
* NSS, which we don't care about. Note that the following
|
||||
* also handles the case when the field is absent. */
|
||||
if (length != 32) {
|
||||
length = sec_pkcs5v2_aes_key_length(cipherAlg);
|
||||
}
|
||||
} else if (p5_param.keyLength.data != NULL) {
|
||||
length = DER_GetInteger(&p5_param.keyLength);
|
||||
} else {
|
||||
|
@ -437,6 +437,11 @@ SECMOD_DeleteInternalModule(const char *name)
|
||||
return rv;
|
||||
}
|
||||
|
||||
#ifdef NSS_FIPS_DISABLED
|
||||
PORT_SetError(PR_OPERATION_NOT_SUPPORTED_ERROR);
|
||||
return rv;
|
||||
#endif
|
||||
|
||||
SECMOD_GetWriteLock(moduleLock);
|
||||
for (mlpp = &modules, mlp = modules;
|
||||
mlp != NULL; mlpp = &mlp->next, mlp = *mlpp) {
|
||||
@ -955,7 +960,11 @@ SECMOD_DestroyModuleList(SECMODModuleList *list)
|
||||
PRBool
|
||||
SECMOD_CanDeleteInternalModule(void)
|
||||
{
|
||||
#ifdef NSS_FIPS_DISABLED
|
||||
return PR_FALSE;
|
||||
#else
|
||||
return (PRBool)(pendingModule == NULL);
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -18,7 +18,13 @@
|
||||
#include "secder.h"
|
||||
#include "secpkcs5.h"
|
||||
|
||||
const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */
|
||||
const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */
|
||||
#ifdef DEBUG
|
||||
10000
|
||||
#else
|
||||
1000000
|
||||
#endif
|
||||
;
|
||||
|
||||
static SECStatus
|
||||
sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp,
|
||||
|
@ -421,11 +421,20 @@ static const struct mechanismList mechanisms[] = {
|
||||
#endif
|
||||
/* --------------------- Secret Key Operations ------------------------ */
|
||||
{ CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE },
|
||||
{ CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_GENERATE }, PR_FALSE },
|
||||
{ CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE },
|
||||
{ CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_GENERATE }, PR_FALSE },
|
||||
{ CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE },
|
||||
{ CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
|
||||
|
||||
/* ---------------------- SSL Key Derivations ------------------------- */
|
||||
{ CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE },
|
||||
{ CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
|
||||
|
@ -1524,8 +1524,7 @@ NSC_DecryptUpdate(CK_SESSION_HANDLE hSession,
|
||||
maxout -= padoutlen;
|
||||
}
|
||||
/* now save the final block for the next decrypt or the final */
|
||||
PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen -
|
||||
context->blockSize],
|
||||
PORT_Memcpy(context->padBuf, &pEncryptedPart[ulEncryptedPartLen - context->blockSize],
|
||||
context->blockSize);
|
||||
context->padDataLength = context->blockSize;
|
||||
ulEncryptedPartLen -= context->padDataLength;
|
||||
@ -6241,6 +6240,43 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_ULONG key_len,
|
||||
return CKR_MECHANISM_INVALID;
|
||||
}
|
||||
|
||||
/*
|
||||
* Handle the derive from a block encryption cipher
|
||||
*/
|
||||
CK_RV
|
||||
sftk_DeriveEncrypt(SFTKCipher encrypt, void *cipherInfo,
|
||||
int blockSize, SFTKObject *key, CK_ULONG keySize,
|
||||
unsigned char *data, CK_ULONG len)
|
||||
{
|
||||
/* large enough for a 512-bit key */
|
||||
unsigned char tmpdata[SFTK_MAX_DERIVE_KEY_SIZE];
|
||||
SECStatus rv;
|
||||
unsigned int outLen;
|
||||
CK_RV crv;
|
||||
|
||||
if ((len % blockSize) != 0) {
|
||||
return CKR_MECHANISM_PARAM_INVALID;
|
||||
}
|
||||
if (len > SFTK_MAX_DERIVE_KEY_SIZE) {
|
||||
return CKR_MECHANISM_PARAM_INVALID;
|
||||
}
|
||||
if (keySize && (len < keySize)) {
|
||||
return CKR_MECHANISM_PARAM_INVALID;
|
||||
}
|
||||
if (keySize == 0) {
|
||||
keySize = len;
|
||||
}
|
||||
|
||||
rv = (*encrypt)(cipherInfo, &tmpdata, &outLen, len, data, len);
|
||||
if (rv != SECSuccess) {
|
||||
crv = sftk_MapCryptError(PORT_GetError());
|
||||
return crv;
|
||||
}
|
||||
|
||||
crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize);
|
||||
return crv;
|
||||
}
|
||||
|
||||
/*
|
||||
* SSL Key generation given pre master secret
|
||||
*/
|
||||
@ -6899,6 +6935,172 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
|
||||
break;
|
||||
}
|
||||
|
||||
case CKM_DES3_ECB_ENCRYPT_DATA:
|
||||
case CKM_DES3_CBC_ENCRYPT_DATA: {
|
||||
void *cipherInfo;
|
||||
unsigned char des3key[MAX_DES3_KEY_SIZE];
|
||||
CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
|
||||
int mode;
|
||||
unsigned char *iv;
|
||||
unsigned char *data;
|
||||
CK_ULONG len;
|
||||
|
||||
if (mechanism == CKM_DES3_ECB_ENCRYPT_DATA) {
|
||||
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
|
||||
pMechanism->pParameter;
|
||||
mode = NSS_DES_EDE3;
|
||||
iv = NULL;
|
||||
data = stringPtr->pData;
|
||||
len = stringPtr->ulLen;
|
||||
} else {
|
||||
mode = NSS_DES_EDE3_CBC;
|
||||
desEncryptPtr =
|
||||
(CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
|
||||
pMechanism->pParameter;
|
||||
iv = desEncryptPtr->iv;
|
||||
data = desEncryptPtr->pData;
|
||||
len = desEncryptPtr->length;
|
||||
}
|
||||
if (att->attrib.ulValueLen == 16) {
|
||||
PORT_Memcpy(des3key, att->attrib.pValue, 16);
|
||||
PORT_Memcpy(des3key + 16, des3key, 8);
|
||||
} else if (att->attrib.ulValueLen == 24) {
|
||||
PORT_Memcpy(des3key, att->attrib.pValue, 24);
|
||||
} else {
|
||||
crv = CKR_KEY_SIZE_RANGE;
|
||||
break;
|
||||
}
|
||||
cipherInfo = DES_CreateContext(des3key, iv, mode, PR_TRUE);
|
||||
PORT_Memset(des3key, 0, 24);
|
||||
if (cipherInfo == NULL) {
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
|
||||
crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt,
|
||||
cipherInfo, 8, key, keySize,
|
||||
data, len);
|
||||
DES_DestroyContext(cipherInfo, PR_TRUE);
|
||||
break;
|
||||
}
|
||||
|
||||
case CKM_AES_ECB_ENCRYPT_DATA:
|
||||
case CKM_AES_CBC_ENCRYPT_DATA: {
|
||||
void *cipherInfo;
|
||||
CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
|
||||
int mode;
|
||||
unsigned char *iv;
|
||||
unsigned char *data;
|
||||
CK_ULONG len;
|
||||
|
||||
if (mechanism == CKM_AES_ECB_ENCRYPT_DATA) {
|
||||
mode = NSS_AES;
|
||||
iv = NULL;
|
||||
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter;
|
||||
data = stringPtr->pData;
|
||||
len = stringPtr->ulLen;
|
||||
} else {
|
||||
aesEncryptPtr =
|
||||
(CK_AES_CBC_ENCRYPT_DATA_PARAMS *)pMechanism->pParameter;
|
||||
mode = NSS_AES_CBC;
|
||||
iv = aesEncryptPtr->iv;
|
||||
data = aesEncryptPtr->pData;
|
||||
len = aesEncryptPtr->length;
|
||||
}
|
||||
|
||||
cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue,
|
||||
iv, mode, PR_TRUE,
|
||||
att->attrib.ulValueLen, 16);
|
||||
if (cipherInfo == NULL) {
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
|
||||
crv = sftk_DeriveEncrypt((SFTKCipher)AES_Encrypt,
|
||||
cipherInfo, 16, key, keySize,
|
||||
data, len);
|
||||
AES_DestroyContext(cipherInfo, PR_TRUE);
|
||||
break;
|
||||
}
|
||||
|
||||
case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
|
||||
case CKM_CAMELLIA_CBC_ENCRYPT_DATA: {
|
||||
void *cipherInfo;
|
||||
CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
|
||||
int mode;
|
||||
unsigned char *iv;
|
||||
unsigned char *data;
|
||||
CK_ULONG len;
|
||||
|
||||
if (mechanism == CKM_CAMELLIA_ECB_ENCRYPT_DATA) {
|
||||
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
|
||||
pMechanism->pParameter;
|
||||
aesEncryptPtr = NULL;
|
||||
mode = NSS_CAMELLIA;
|
||||
data = stringPtr->pData;
|
||||
len = stringPtr->ulLen;
|
||||
iv = NULL;
|
||||
} else {
|
||||
stringPtr = NULL;
|
||||
aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
|
||||
pMechanism->pParameter;
|
||||
mode = NSS_CAMELLIA_CBC;
|
||||
iv = aesEncryptPtr->iv;
|
||||
data = aesEncryptPtr->pData;
|
||||
len = aesEncryptPtr->length;
|
||||
}
|
||||
|
||||
cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue,
|
||||
iv, mode, PR_TRUE,
|
||||
att->attrib.ulValueLen);
|
||||
if (cipherInfo == NULL) {
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
|
||||
crv = sftk_DeriveEncrypt((SFTKCipher)Camellia_Encrypt,
|
||||
cipherInfo, 16, key, keySize,
|
||||
data, len);
|
||||
Camellia_DestroyContext(cipherInfo, PR_TRUE);
|
||||
break;
|
||||
}
|
||||
|
||||
case CKM_SEED_ECB_ENCRYPT_DATA:
|
||||
case CKM_SEED_CBC_ENCRYPT_DATA: {
|
||||
void *cipherInfo;
|
||||
CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
|
||||
int mode;
|
||||
unsigned char *iv;
|
||||
unsigned char *data;
|
||||
CK_ULONG len;
|
||||
|
||||
if (mechanism == CKM_SEED_ECB_ENCRYPT_DATA) {
|
||||
mode = NSS_SEED;
|
||||
stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
|
||||
pMechanism->pParameter;
|
||||
aesEncryptPtr = NULL;
|
||||
data = stringPtr->pData;
|
||||
len = stringPtr->ulLen;
|
||||
iv = NULL;
|
||||
} else {
|
||||
mode = NSS_SEED_CBC;
|
||||
aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
|
||||
pMechanism->pParameter;
|
||||
iv = aesEncryptPtr->iv;
|
||||
data = aesEncryptPtr->pData;
|
||||
len = aesEncryptPtr->length;
|
||||
}
|
||||
|
||||
cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue,
|
||||
iv, mode, PR_TRUE);
|
||||
if (cipherInfo == NULL) {
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
|
||||
crv = sftk_DeriveEncrypt((SFTKCipher)SEED_Encrypt,
|
||||
cipherInfo, 16, key, keySize,
|
||||
data, len);
|
||||
SEED_DestroyContext(cipherInfo, PR_TRUE);
|
||||
break;
|
||||
}
|
||||
|
||||
case CKM_CONCATENATE_BASE_AND_KEY: {
|
||||
SFTKObject *newKey;
|
||||
|
||||
|
@ -17,9 +17,9 @@
|
||||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
|
||||
*/
|
||||
#define SOFTOKEN_VERSION "3.34" SOFTOKEN_ECC_STRING " Beta"
|
||||
#define SOFTOKEN_VERSION "3.35" SOFTOKEN_ECC_STRING " Beta"
|
||||
#define SOFTOKEN_VMAJOR 3
|
||||
#define SOFTOKEN_VMINOR 34
|
||||
#define SOFTOKEN_VMINOR 35
|
||||
#define SOFTOKEN_VPATCH 0
|
||||
#define SOFTOKEN_VBUILD 0
|
||||
#define SOFTOKEN_BETA PR_TRUE
|
||||
|
@ -9,6 +9,9 @@
|
||||
#define _SOFTOKNT_H_
|
||||
|
||||
#define NSS_SOFTOKEN_DEFAULT_CHUNKSIZE 2048
|
||||
#define DES_BLOCK_SIZE 8 /* bytes */
|
||||
#define MAX_DES3_KEY_SIZE 24 /* DES_BLOCK_SIZE * 3 */
|
||||
#define SFTK_MAX_DERIVE_KEY_SIZE 64
|
||||
|
||||
/*
|
||||
* FIPS 140-2 auditing
|
||||
|
@ -4324,7 +4324,7 @@ ssl3_ConsumeHandshakeNumber(sslSocket *ss, PRUint32 *num, PRUint32 bytes,
|
||||
PRUint8 **b, PRUint32 *length)
|
||||
{
|
||||
PRUint8 *buf = *b;
|
||||
int i;
|
||||
PRUint32 i;
|
||||
|
||||
PORT_Assert(ss->opt.noLocks || ssl_HaveRecvBufLock(ss));
|
||||
PORT_Assert(ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss));
|
||||
@ -4946,7 +4946,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
|
||||
sslSessionID *sid;
|
||||
ssl3CipherSpec *cwSpec;
|
||||
SECStatus rv;
|
||||
int i;
|
||||
unsigned int i;
|
||||
int length;
|
||||
int num_suites;
|
||||
int actual_count = 0;
|
||||
@ -4954,7 +4954,7 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
|
||||
PRBool requestingResume = PR_FALSE, fallbackSCSV = PR_FALSE;
|
||||
PRInt32 total_exten_len = 0;
|
||||
unsigned numCompressionMethods;
|
||||
PRUint16 version;
|
||||
PRUint16 version = ss->vrange.max;
|
||||
PRInt32 flags;
|
||||
|
||||
SSL_TRC(3, ("%d: SSL3[%d]: send %s ClientHello handshake", SSL_GETPID(),
|
||||
@ -5102,8 +5102,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
|
||||
if (sid->version < ss->vrange.min ||
|
||||
sid->version > ss->vrange.max) {
|
||||
sidOK = PR_FALSE;
|
||||
} else {
|
||||
version = ss->vrange.max;
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -5137,8 +5135,6 @@ ssl3_SendClientHello(sslSocket *ss, sslClientHelloType type)
|
||||
*/
|
||||
if (ss->firstHsDone) {
|
||||
version = ss->clientHelloVersion;
|
||||
} else {
|
||||
version = ss->vrange.max;
|
||||
}
|
||||
|
||||
sid = ssl3_NewSessionID(ss, PR_FALSE);
|
||||
@ -6828,7 +6824,8 @@ ssl3_HandleServerHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
|
||||
expectedSidLen = 0;
|
||||
}
|
||||
if (sidBytes.len != expectedSidLen ||
|
||||
PORT_Memcmp(buf, sidBytes.data, expectedSidLen) != 0) {
|
||||
(expectedSidLen > 0 &&
|
||||
PORT_Memcmp(buf, sidBytes.data, expectedSidLen) != 0)) {
|
||||
desc = illegal_parameter;
|
||||
errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO;
|
||||
goto alert_loser;
|
||||
@ -7141,11 +7138,11 @@ ssl_HandleDHServerKeyExchange(sslSocket *ss, PRUint8 *b, PRUint32 length)
|
||||
}
|
||||
|
||||
rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
|
||||
if (rv != SECSuccess) {
|
||||
if (rv != SECSuccess || minDH <= 0) {
|
||||
minDH = SSL_DH_MIN_P_BITS;
|
||||
}
|
||||
dh_p_bits = SECKEY_BigIntegerBitLength(&dh_p);
|
||||
if (dh_p_bits < minDH) {
|
||||
if (dh_p_bits < (unsigned)minDH) {
|
||||
errCode = SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY;
|
||||
goto alert_loser;
|
||||
}
|
||||
@ -8082,8 +8079,8 @@ SECStatus
|
||||
ssl3_NegotiateCipherSuite(sslSocket *ss, const SECItem *suites,
|
||||
PRBool initHashes)
|
||||
{
|
||||
int j;
|
||||
int i;
|
||||
unsigned int j;
|
||||
unsigned int i;
|
||||
|
||||
for (j = 0; j < ssl_V3_SUITES_IMPLEMENTED; j++) {
|
||||
ssl3CipherSuiteCfg *suite = &ss->cipherSuites[j];
|
||||
@ -8683,15 +8680,6 @@ ssl3_HandleClientHello(sslSocket *ss, PRUint8 *b, PRUint32 length)
|
||||
ssl3_DisableNonDTLSSuites(ss);
|
||||
}
|
||||
|
||||
#ifdef PARANOID
|
||||
/* Look for a matching cipher suite. */
|
||||
j = ssl3_config_match_init(ss);
|
||||
if (j <= 0) { /* no ciphers are working/supported by PK11 */
|
||||
errCode = PORT_GetError(); /* error code is already set. */
|
||||
goto alert_loser;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
rv = tls13_HandleClientHelloPart2(ss, &suites, sid);
|
||||
} else {
|
||||
@ -8723,7 +8711,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
|
||||
SSL3AlertDescription desc = illegal_parameter;
|
||||
SECStatus rv;
|
||||
unsigned int i;
|
||||
int j;
|
||||
unsigned int j;
|
||||
|
||||
/* If we already have a session for this client, be sure to pick the
|
||||
** same cipher suite and compression method we picked before.
|
||||
@ -8755,7 +8743,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
|
||||
break;
|
||||
}
|
||||
PORT_Assert(j > 0);
|
||||
if (j <= 0)
|
||||
if (j == 0)
|
||||
break;
|
||||
#ifdef PARANOID
|
||||
/* Double check that the cached cipher suite is still enabled,
|
||||
@ -8792,8 +8780,7 @@ ssl3_HandleClientHelloPart2(sslSocket *ss,
|
||||
|
||||
#ifndef PARANOID
|
||||
/* Look for a matching cipher suite. */
|
||||
j = ssl3_config_match_init(ss);
|
||||
if (j <= 0) { /* no ciphers are working/supported by PK11 */
|
||||
if (ssl3_config_match_init(ss) <= 0) {
|
||||
desc = internal_error;
|
||||
errCode = PORT_GetError(); /* error code is already set. */
|
||||
goto alert_loser;
|
||||
@ -9695,12 +9682,12 @@ ssl3_SendCertificateRequest(sslSocket *ss)
|
||||
PRBool isTLS12;
|
||||
const PRUint8 *certTypes;
|
||||
SECStatus rv;
|
||||
int length;
|
||||
PRUint32 length;
|
||||
SECItem *names;
|
||||
unsigned int calen;
|
||||
unsigned int nnames;
|
||||
SECItem *name;
|
||||
int i;
|
||||
unsigned int i;
|
||||
int certTypesLength;
|
||||
PRUint8 sigAlgs[MAX_SIGNATURE_SCHEMES * 2];
|
||||
unsigned int sigAlgsLength = 0;
|
||||
@ -10918,7 +10905,8 @@ ssl3_AuthCertificate(sslSocket *ss)
|
||||
}
|
||||
if (pubKey) {
|
||||
KeyType pubKeyType;
|
||||
PRInt32 minKey;
|
||||
PRUint32 minKey;
|
||||
PRInt32 optval;
|
||||
/* This partly fixes Bug 124230 and may cause problems for
|
||||
* callers which depend on the old (wrong) behavior. */
|
||||
ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
|
||||
@ -10929,29 +10917,29 @@ ssl3_AuthCertificate(sslSocket *ss)
|
||||
case rsaPssKey:
|
||||
case rsaOaepKey:
|
||||
rv =
|
||||
NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minKey);
|
||||
if (rv !=
|
||||
SECSuccess) {
|
||||
minKey =
|
||||
SSL_RSA_MIN_MODULUS_BITS;
|
||||
NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
|
||||
if (rv == SECSuccess && optval > 0) {
|
||||
minKey = (PRUint32)optval;
|
||||
} else {
|
||||
minKey = SSL_RSA_MIN_MODULUS_BITS;
|
||||
}
|
||||
break;
|
||||
case dsaKey:
|
||||
rv =
|
||||
NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &minKey);
|
||||
if (rv !=
|
||||
SECSuccess) {
|
||||
minKey =
|
||||
SSL_DSA_MIN_P_BITS;
|
||||
NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
|
||||
if (rv == SECSuccess && optval > 0) {
|
||||
minKey = (PRUint32)optval;
|
||||
} else {
|
||||
minKey = SSL_DSA_MIN_P_BITS;
|
||||
}
|
||||
break;
|
||||
case dhKey:
|
||||
rv =
|
||||
NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minKey);
|
||||
if (rv !=
|
||||
SECSuccess) {
|
||||
minKey =
|
||||
SSL_DH_MIN_P_BITS;
|
||||
NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
|
||||
if (rv == SECSuccess && optval > 0) {
|
||||
minKey = (PRUint32)optval;
|
||||
} else {
|
||||
minKey = SSL_DH_MIN_P_BITS;
|
||||
}
|
||||
break;
|
||||
default:
|
||||
|
@ -53,7 +53,7 @@ ssl3_ConsumeFromItem(SECItem *item, unsigned char **buf, PRUint32 bytes)
|
||||
SECStatus
|
||||
ssl3_ConsumeNumberFromItem(SECItem *item, PRUint32 *num, PRUint32 bytes)
|
||||
{
|
||||
int i;
|
||||
unsigned int i;
|
||||
|
||||
if (bytes > item->len || bytes > sizeof(*num)) {
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
|
@ -21,6 +21,8 @@ SEC_BEGIN_PROTOS
|
||||
(SSL_GetExperimentalAPI(name) \
|
||||
? ((SECStatus(*) arglist)SSL_GetExperimentalAPI(name))args \
|
||||
: SECFailure)
|
||||
#define SSL_DEPRECATED_EXPERIMENTAL_API \
|
||||
(PR_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API, 0), SECFailure)
|
||||
|
||||
/* Make the TLS 1.3 handshake mimic TLS 1.2 session resumption.
|
||||
* This will either become part of the standard or be disabled
|
||||
|
@ -3127,7 +3127,7 @@ ssl_WriteV(PRFileDesc *fd, const PRIOVec *iov, PRInt32 vectors,
|
||||
}
|
||||
blocking = ssl_FdIsBlocking(fd);
|
||||
|
||||
#define K16 sizeof(buf)
|
||||
#define K16 ((int)sizeof(buf))
|
||||
#define KILL_VECTORS \
|
||||
while (vectors && !iov->iov_len) { \
|
||||
++iov; \
|
||||
|
@ -120,6 +120,8 @@ NSSRWLock_Destroy(NSSRWLock *rwlock)
|
||||
{
|
||||
PR_ASSERT(rwlock != NULL);
|
||||
PR_ASSERT(rwlock->rw_waiting_readers == 0);
|
||||
PR_ASSERT(rwlock->rw_writer_locks == 0);
|
||||
PR_ASSERT(rwlock->rw_reader_locks == 0);
|
||||
|
||||
/* XXX Shouldn't we lock the PZLock before destroying this?? */
|
||||
|
||||
|
@ -19,9 +19,9 @@
|
||||
* The format of the version string should be
|
||||
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
|
||||
*/
|
||||
#define NSSUTIL_VERSION "3.34 Beta"
|
||||
#define NSSUTIL_VERSION "3.35 Beta"
|
||||
#define NSSUTIL_VMAJOR 3
|
||||
#define NSSUTIL_VMINOR 34
|
||||
#define NSSUTIL_VMINOR 35
|
||||
#define NSSUTIL_VPATCH 0
|
||||
#define NSSUTIL_VBUILD 0
|
||||
#define NSSUTIL_BETA PR_TRUE
|
||||
|
@ -242,7 +242,7 @@ static int
|
||||
pk11uri_CompareByPosition(const char *a, const char *b,
|
||||
const char **attr_names, size_t num_attr_names)
|
||||
{
|
||||
int i, j;
|
||||
size_t i, j;
|
||||
|
||||
for (i = 0; i < num_attr_names; i++) {
|
||||
if (strcmp(a, attr_names[i]) == 0) {
|
||||
|
@ -789,7 +789,7 @@ unsigned int
|
||||
NSS_SecureMemcmpZero(const void *mem, size_t n)
|
||||
{
|
||||
PRUint8 zero = 0;
|
||||
int i;
|
||||
size_t i;
|
||||
for (i = 0; i < n; ++i) {
|
||||
zero |= *(PRUint8 *)((uintptr_t)mem + i);
|
||||
}
|
||||
|
@ -279,6 +279,16 @@ run_cycles()
|
||||
|
||||
############################## main code ###############################
|
||||
|
||||
SCRIPTNAME=all.sh
|
||||
CLEANUP="${SCRIPTNAME}"
|
||||
cd `dirname $0`
|
||||
|
||||
# all.sh should be the first one to try to source the init
|
||||
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
||||
cd common
|
||||
. ./init.sh
|
||||
fi
|
||||
|
||||
cycles="standard pkix upgradedb sharedb"
|
||||
CYCLES=${NSS_CYCLES:-$cycles}
|
||||
|
||||
@ -305,16 +315,6 @@ NSS_SSL_TESTS="${NSS_SSL_TESTS:-$nss_ssl_tests}"
|
||||
nss_ssl_run="cov auth stapling stress"
|
||||
NSS_SSL_RUN="${NSS_SSL_RUN:-$nss_ssl_run}"
|
||||
|
||||
SCRIPTNAME=all.sh
|
||||
CLEANUP="${SCRIPTNAME}"
|
||||
cd `dirname $0`
|
||||
|
||||
# all.sh should be the first one to try to source the init
|
||||
if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
|
||||
cd common
|
||||
. ./init.sh
|
||||
fi
|
||||
|
||||
# NOTE:
|
||||
# Lists of enabled tests and other settings are stored to ${ENV_BACKUP}
|
||||
# file and are are restored after every test cycle.
|
||||
|
@ -516,6 +516,9 @@ cert_all_CA()
|
||||
cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256
|
||||
rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
|
||||
|
||||
ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1
|
||||
rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert
|
||||
|
||||
#
|
||||
# Create EC version of TestCA
|
||||
@ -2054,7 +2057,7 @@ check_sign_algo()
|
||||
{
|
||||
certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \
|
||||
sed -n '/^ *Data:/,/^$/{
|
||||
/^ Signature Algorithm/,/^ *Salt Length/s/^ //p
|
||||
/^ Signature Algorithm/,/^ *Salt length/s/^ //p
|
||||
}' > ${TMP}/signalgo.txt
|
||||
|
||||
diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt
|
||||
@ -2088,6 +2091,12 @@ cert_test_rsapss()
|
||||
CU_ACTION="Verify RSA-PSS CA Cert"
|
||||
certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}"
|
||||
|
||||
CU_ACTION="Import RSA-PSS CA Cert (SHA1)"
|
||||
certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1
|
||||
|
||||
CERTSERIAL=200
|
||||
|
||||
# Subject certificate: RSA
|
||||
# Issuer certificate: RSA
|
||||
# Signature: RSA-PSS (explicit, with --pss-sign)
|
||||
@ -2098,7 +2107,7 @@ cert_test_rsapss()
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-256
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-256
|
||||
Salt Length: 32 (0x20)
|
||||
Salt length: 32 (0x20)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA
|
||||
# Issuer certificate: RSA
|
||||
# Signature: RSA-PSS (explict, with --pss-sign -Z SHA512)
|
||||
@ -2127,7 +2138,7 @@ EOF
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-512
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-512
|
||||
Salt Length: 64 (0x40)
|
||||
Salt length: 64 (0x40)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS
|
||||
@ -2156,7 +2169,7 @@ EOF
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2171,10 +2184,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-256
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-256
|
||||
Salt Length: 32 (0x20)
|
||||
Salt length: 32 (0x20)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA
|
||||
# Signature: RSA-PSS (explicit, with --pss-sign)
|
||||
@ -2185,7 +2200,7 @@ EOF
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2200,10 +2215,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-256
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-256
|
||||
Salt Length: 32 (0x20)
|
||||
Salt length: 32 (0x20)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS (explicit, with --pss-sign)
|
||||
@ -2214,7 +2231,7 @@ EOF
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2229,10 +2246,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-256
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-256
|
||||
Salt Length: 32 (0x20)
|
||||
Salt length: 32 (0x20)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS (implicit, without --pss-sign)
|
||||
@ -2243,7 +2262,8 @@ EOF
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \
|
||||
# Sign without --pss-sign nor -Z option
|
||||
certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2258,10 +2278,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-256
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-256
|
||||
Salt Length: 32 (0x20)
|
||||
Salt length: 32 (0x20)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS (with conflicting hash algorithm)
|
||||
@ -2273,10 +2295,12 @@ EOF
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
RETEXPECTED=255
|
||||
certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
RETEXPECTED=0
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS (with compatible hash algorithm)
|
||||
@ -2287,7 +2311,7 @@ EOF
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \
|
||||
certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
@ -2302,9 +2326,89 @@ Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Hash algorithm: SHA-256
|
||||
Mask algorithm: PKCS #1 MGF1 Mask Generation Function
|
||||
Mask hash algorithm: SHA-256
|
||||
Salt Length: 32 (0x20)
|
||||
Salt length: 32 (0x20)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA
|
||||
# Issuer certificate: RSA
|
||||
# Signature: RSA-PSS (explict, with --pss-sign -Z SHA1)
|
||||
CERTNAME="TestUser-rsa-pss9"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-i "${CERTNAME}.cert" 2>&1
|
||||
|
||||
CU_ACTION="Verify $CERTNAME's Cert"
|
||||
certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
|
||||
cat > ${TMP}/signalgo.exp <<EOF
|
||||
Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Parameters:
|
||||
Hash algorithm: default, SHA-1
|
||||
Mask algorithm: default, MGF1
|
||||
Mask hash algorithm: default, SHA-1
|
||||
Salt length: default, 20 (0x14)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS (implicit, without --pss-sign, default parameters)
|
||||
CERTNAME="TestUser-rsa-pss10"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
# Sign without --pss-sign nor -Z option
|
||||
certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
|
||||
CU_ACTION="Import $CERTNAME's Cert"
|
||||
certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \
|
||||
-i "${CERTNAME}.cert" 2>&1
|
||||
|
||||
CU_ACTION="Verify $CERTNAME's Cert"
|
||||
certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}"
|
||||
cat > ${TMP}/signalgo.exp <<EOF
|
||||
Signature Algorithm: PKCS #1 RSA-PSS Signature
|
||||
Parameters:
|
||||
Hash algorithm: default, SHA-1
|
||||
Mask algorithm: default, MGF1
|
||||
Mask hash algorithm: default, SHA-1
|
||||
Salt length: default, 20 (0x14)
|
||||
EOF
|
||||
check_sign_algo
|
||||
|
||||
CERTSERIAL=`expr $CERTSERIAL + 1`
|
||||
|
||||
# Subject certificate: RSA-PSS
|
||||
# Issuer certificate: RSA-PSS
|
||||
# Signature: RSA-PSS (with conflicting hash algorithm, default parameters)
|
||||
CERTNAME="TestUser-rsa-pss11"
|
||||
|
||||
CU_ACTION="Generate Cert Request for $CERTNAME"
|
||||
CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
|
||||
certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1
|
||||
|
||||
CU_ACTION="Sign ${CERTNAME}'s Request"
|
||||
RETEXPECTED=255
|
||||
certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \
|
||||
-i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1
|
||||
RETEXPECTED=0
|
||||
}
|
||||
|
||||
############################## cert_cleanup ############################
|
||||
|
@ -682,7 +682,8 @@ ssl_crl_ssl()
|
||||
setup_policy()
|
||||
{
|
||||
policy="$1"
|
||||
OUTFILE=${P_R_CLIENTDIR}/pkcs11.txt
|
||||
outdir="$2"
|
||||
OUTFILE="${outdir}/pkcs11.txt"
|
||||
cat > "$OUTFILE" << ++EOF++
|
||||
library=
|
||||
name=NSS Internal PKCS #11 Module
|
||||
@ -698,7 +699,7 @@ NSS=trustOrder=100
|
||||
++EOF++
|
||||
|
||||
echo "******************************Testing with: "
|
||||
cat ${P_R_CLIENTDIR}/pkcs11.txt
|
||||
cat "$OUTFILE"
|
||||
echo "******************************"
|
||||
}
|
||||
|
||||
@ -745,7 +746,7 @@ ssl_policy()
|
||||
|
||||
# load the policy
|
||||
policy=`echo ${policy} | sed -e 's;_; ;g'`
|
||||
setup_policy "$policy"
|
||||
setup_policy "$policy" ${P_R_CLIENTDIR}
|
||||
|
||||
echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
|
||||
echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
|
||||
@ -799,7 +800,7 @@ ssl_policy_listsuites()
|
||||
cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
|
||||
|
||||
# Disallow all explicitly
|
||||
setup_policy "disallow=all"
|
||||
setup_policy "disallow=all" ${P_R_CLIENTDIR}
|
||||
RET_EXP=1
|
||||
list_enabled_suites | grep '^TLS_'
|
||||
RET=$?
|
||||
@ -807,7 +808,7 @@ ssl_policy_listsuites()
|
||||
"produced a returncode of $RET, expected is $RET_EXP"
|
||||
|
||||
# Disallow RSA in key exchange explicitly
|
||||
setup_policy "disallow=rsa/ssl-key-exchange"
|
||||
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
|
||||
RET_EXP=1
|
||||
list_enabled_suites | grep '^TLS_RSA_'
|
||||
RET=$?
|
||||
@ -819,6 +820,55 @@ ssl_policy_listsuites()
|
||||
html "</TABLE><BR>"
|
||||
}
|
||||
|
||||
############################## ssl_policy_selfserv #####################
|
||||
# local shell function to perform SSL Policy tests, using selfserv
|
||||
########################################################################
|
||||
ssl_policy_selfserv()
|
||||
{
|
||||
#verbose="-v"
|
||||
html_head "SSL POLICY SELFSERV $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||
|
||||
testname=""
|
||||
sparam="$CIPHER_SUITES"
|
||||
|
||||
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
|
||||
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
|
||||
return 1;
|
||||
fi
|
||||
|
||||
echo "Saving pkcs11.txt"
|
||||
cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
|
||||
|
||||
# Disallow RSA in key exchange explicitly
|
||||
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
|
||||
|
||||
start_selfserv # Launch the server
|
||||
|
||||
VMIN="ssl3"
|
||||
VMAX="tls1.2"
|
||||
|
||||
# Try to connect to the server with a ciphersuite using RSA in key exchange
|
||||
echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\"
|
||||
echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}"
|
||||
|
||||
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
||||
RET_EXP=254
|
||||
${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \
|
||||
-d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \
|
||||
>${TMP}/$HOST.tmp.$$ 2>&1
|
||||
RET=$?
|
||||
cat ${TMP}/$HOST.tmp.$$
|
||||
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
|
||||
|
||||
html_msg $RET $RET_EXP "${testname}" \
|
||||
"produced a returncode of $RET, expected is $RET_EXP"
|
||||
|
||||
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
|
||||
|
||||
kill_selfserv
|
||||
html "</TABLE><BR>"
|
||||
}
|
||||
|
||||
############################# is_revoked ###############################
|
||||
# local shell function to check if certificate is revoked
|
||||
########################################################################
|
||||
@ -1206,6 +1256,7 @@ ssl_run_tests()
|
||||
"policy")
|
||||
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
ssl_policy_listsuites
|
||||
ssl_policy_selfserv
|
||||
ssl_policy
|
||||
fi
|
||||
;;
|
||||
|
@ -21,16 +21,17 @@
|
||||
|
||||
# Generate input to certutil
|
||||
certscript() {
|
||||
ca=n
|
||||
while [ $# -gt 0 ]; do
|
||||
case $1 in
|
||||
sign) echo 0 ;;
|
||||
kex) echo 2 ;;
|
||||
ca) echo 5;echo 6 ;;
|
||||
ca) echo 5;echo 6;ca=y ;;
|
||||
esac; shift
|
||||
done;
|
||||
echo 9
|
||||
echo n
|
||||
echo ${ca:-n}
|
||||
echo $ca
|
||||
echo
|
||||
echo n
|
||||
}
|
||||
@ -50,9 +51,9 @@ make_cert() {
|
||||
p256) type_args='-q nistp256';type=ec ;;
|
||||
p384) type_args='-q secp384r1';type=ec ;;
|
||||
p521) type_args='-q secp521r1';type=ec ;;
|
||||
rsa_ca) type_args='-g 1024';trust='CT,CT,CT';ca=y;type=rsa ;;
|
||||
rsa_ca) type_args='-g 1024';trust='CT,CT,CT';type=rsa ;;
|
||||
rsa_chain) type_args='-g 1024';sign='-c rsa_ca';type=rsa;;
|
||||
rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';ca=y;type=rsa ;;
|
||||
rsapss_ca) type_args='-g 1024 --pss';trust='CT,CT,CT';type=rsa ;;
|
||||
rsapss_chain) type_args='-g 1024';sign='-c rsa_pss_ca';type=rsa;;
|
||||
rsa_ca_rsapss_chain) type_args='-g 1024 --pss-sign';sign='-c rsa_ca';type=rsa;;
|
||||
ecdh_rsa) type_args='-q nistp256';sign='-c rsa_ca';type=ec ;;
|
||||
|
BIN
security/nss/tests/tools/TestOldAES128CA.p12
Normal file
BIN
security/nss/tests/tools/TestOldAES128CA.p12
Normal file
Binary file not shown.
@ -104,6 +104,7 @@ tools_init()
|
||||
cp ${QADIR}/tools/sign*.html ${TOOLSDIR}/html
|
||||
mkdir -p ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/TestOldCA.p12 ${TOOLSDIR}/data
|
||||
cp ${QADIR}/tools/TestOldAES128CA.p12 ${TOOLSDIR}/data
|
||||
|
||||
cd ${TOOLSDIR}
|
||||
}
|
||||
@ -421,11 +422,17 @@ tools_p12_export_list_import_with_default_ciphers()
|
||||
|
||||
tools_p12_import_old_files()
|
||||
{
|
||||
echo "$SCRIPTNAME: Importing CA cert & key created with NSS 3.21 --------------"
|
||||
echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
|
||||
echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
|
||||
${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
|
||||
ret=$?
|
||||
html_msg $ret 0 "Importing CA cert & key created with NSS 3.21"
|
||||
html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.21 (PBES2 with BMPString password)"
|
||||
check_tmpfile
|
||||
|
||||
echo "pk12util -i TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
|
||||
${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldAES128CA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
|
||||
ret=$?
|
||||
html_msg $ret 0 "Importing PKCS#12 file created with NSS 3.29.5 (PBES2 with incorrect AES-128-CBC algorithm ID)"
|
||||
check_tmpfile
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user