mirrors/cosmopolitan
1
0
Fork 0
mirror of https://github.com/jart/cosmopolitan.git synced 2025-07-06 03:08:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Make numerous improvements

Browse source 
- Python static hello world now 1.8mb
- Python static fully loaded now 10mb
- Python HTTPS client now uses MbedTLS
- Python REPL now completes import stmts
- Increase stack size for Python for now
- Begin synthesizing posixpath and ntpath
- Restore Python \N{UNICODE NAME} support
- Restore Python NFKD symbol normalization
- Add optimized code path for Intel SHA-NI
- Get more Python unit tests passing faster
- Get Python help() pagination working on NT
- Python hashlib now supports MbedTLS PBKDF2
- Make memcpy/memmove/memcmp/bcmp/etc. faster
- Add Mersenne Twister and Vigna to LIBC_RAND
- Provide privileged __printf() for error code
- Fix zipos opendir() so that it reports ENOTDIR
- Add basic chmod() implementation for Windows NT
- Add Cosmo's best functions to Python cosmo module
- Pin function trace indent depth to that of caller
- Show memory diagram on invalid access in MODE=dbg
- Differentiate stack overflow on crash in MODE=dbg
- Add stb_truetype and tools for analyzing font files
- Upgrade to UNICODE 13 and reduce its binary footprint
- COMPILE.COM now logs resource usage of build commands
- Start implementing basic poll() support on bare metal
- Set getauxval(AT_EXECFN) to GetModuleFileName() on NT
- Add descriptions to strerror() in non-TINY build modes
- Add COUNTBRANCH() macro to help with micro-optimizations
- Make error / backtrace / asan / memory code more unbreakable
- Add fast perfect C implementation of μ-Law and a-Law audio codecs
- Make strtol() functions consistent with other libc implementations
- Improve Linenoise implementation (see also github.com/jart/bestline)
- COMPILE.COM now suppresses stdout/stderr of successful build commands
This commit is contained in:
Justine Tunney 2021-09-27 22:58:51 -07:00
parent fa7b4f5bd1
commit 39bf41f4eb
806 changed files with 77494 additions and 63859 deletions
Download patch file Download diff file Expand all files Collapse all files

228
third_party/mbedtls/aes.c vendored
View file

File diff suppressed because it is too large Load diff

4
third_party/mbedtls/asn1.h vendored
View file

@ -98,11 +98,11 @@
*/
#define MBEDTLS_OID_CMP(oid_str, oid_buf) \
( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf)->len ) || \
memcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
timingsafe_bcmp( (oid_str), (oid_buf)->p, (oid_buf)->len) != 0 )
#define MBEDTLS_OID_CMP_RAW(oid_str, oid_buf, oid_buf_len) \
( ( MBEDTLS_OID_SIZE(oid_str) != (oid_buf_len) ) || \
memcmp( (oid_str), (oid_buf), (oid_buf_len) ) != 0 )
timingsafe_bcmp( (oid_str), (oid_buf), (oid_buf_len) ) != 0 )
#ifdef __cplusplus
extern "C" {

2
third_party/mbedtls/asn1parse.c vendored
View file

@ -379,7 +379,7 @@ mbedtls_asn1_find_named_data(mbedtls_asn1_named_data *list,
while( list )
{
if( list->oid.len == len &&
memcmp( list->oid.p, oid, len ) == 0 )
timingsafe_bcmp( list->oid.p, oid, len ) == 0 )
{
break;
}

2
third_party/mbedtls/asn1write.c vendored
View file

@ -576,7 +576,7 @@ static mbedtls_asn1_named_data *asn1_find_named_data(
while( list )
{
if( list->oid.len == len &&
memcmp( list->oid.p, oid, len ) == 0 )
timingsafe_bcmp( list->oid.p, oid, len ) == 0 )
{
break;
}

4
third_party/mbedtls/base64.c vendored
View file

@ -280,7 +280,7 @@ int mbedtls_base64_self_test( int verbose )
mbedtls_printf( " Base64 encoding test: " );
src = base64_test_dec;
if( mbedtls_base64_encode( buffer, sizeof( buffer ), &len, src, 64 ) != 0 ||
memcmp( base64_test_enc, buffer, 88 ) != 0 )
timingsafe_bcmp( base64_test_enc, buffer, 88 ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
@ -290,7 +290,7 @@ int mbedtls_base64_self_test( int verbose )
mbedtls_printf( "passed\n Base64 decoding test: " );
src = base64_test_enc;
if( mbedtls_base64_decode( buffer, sizeof( buffer ), &len, src, 88 ) != 0 ||
memcmp( base64_test_dec, buffer, 64 ) != 0 )
timingsafe_bcmp( base64_test_dec, buffer, 64 ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );

8
third_party/mbedtls/bigshift.c vendored
View file

@ -88,8 +88,8 @@ int mbedtls_mpi_shift_l(mbedtls_mpi *X, size_t k)
}
else if (m)
{
memmove_pure(X->p + m, X->p, (X->n - m) * ciL);
mbedtls_platform_zeroize(X->p, m * ciL);
memmove(X->p + m, X->p, (X->n - m) * ciL);
explicit_bzero(X->p, m * ciL);
}
return 0;
}
@ -118,8 +118,8 @@ int mbedtls_mpi_shift_r(mbedtls_mpi *X, size_t k)
}
else if (n)
{
memmove_pure(X->p, X->p + n, (X->n - n) * ciL);
mbedtls_platform_zeroize(X->p + X->n - n, n * ciL);
memmove(X->p, X->p + n, (X->n - n) * ciL);
explicit_bzero(X->p + X->n - n, n * ciL);
}
return 0;
}

6
third_party/mbedtls/ccm.c vendored
View file

@ -673,8 +673,8 @@ int mbedtls_ccm_self_test( int verbose )
tag_len_test_data[i] );
if( ret != 0 ||
memcmp( ciphertext, res_test_data[i],
msg_len_test_data[i] + tag_len_test_data[i] ) != 0 )
timingsafe_bcmp( ciphertext, res_test_data[i],
msg_len_test_data[i] + tag_len_test_data[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
@ -691,7 +691,7 @@ int mbedtls_ccm_self_test( int verbose )
tag_len_test_data[i] );
if( ret != 0 ||
memcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 )
timingsafe_bcmp( plaintext, msg_test_data, msg_len_test_data[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );

2
third_party/mbedtls/chacha20.c vendored
View file

@ -612,7 +612,7 @@ int mbedtls_chacha20_self_test( int verbose )
ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ),
ASSERT( 0 == timingsafe_bcmp( output, test_output[i], test_lengths[i] ),
( "failed (output)\n" ) );
if( verbose != 0 )

4
third_party/mbedtls/chachapoly.c vendored
View file

@ -477,9 +477,9 @@ int mbedtls_chachapoly_self_test( int verbose )
output,
mac );
ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
ASSERT( 0 == timingsafe_bcmp( output, test_output[i], test_input_len[i] ),
( "failure (wrong output)\n" ) );
ASSERT( 0 == memcmp( mac, test_mac[i], 16U ),
ASSERT( 0 == timingsafe_bcmp( mac, test_mac[i], 16U ),
( "failure (wrong MAC)\n" ) );
mbedtls_chachapoly_free( &ctx );
if( verbose != 0 )

25
third_party/mbedtls/cipher.c vendored
View file

@ -40,27 +40,6 @@ asm(".include \"libc/disclaimer.inc\"");
#define CIPHER_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
#if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CHACHAPOLY_C)
/* Compare the contents of two buffers in constant time.
* Returns 0 if the contents are bitwise identical, otherwise returns
* a non-zero value.
* This is currently only used by GCM and ChaCha20+Poly1305.
*/
static int mbedtls_constant_time_memcmp( const void *v1, const void *v2,
size_t len )
{
const unsigned char *p1 = (const unsigned char*) v1;
const unsigned char *p2 = (const unsigned char*) v2;
size_t i;
unsigned char diff;
for( diff = 0, i = 0; i < len; i++ )
diff |= p1[i] ^ p2[i];
return( (int)diff );
}
#endif /* MBEDTLS_GCM_C || MBEDTLS_CHACHAPOLY_C */
static int supported_init = 0;
const int *mbedtls_cipher_list( void )
@ -1116,7 +1095,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
}
/* Check the tag in "constant-time" */
if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
if( timingsafe_bcmp( tag, check_tag, tag_len ) != 0 )
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
return( 0 );
@ -1138,7 +1117,7 @@ int mbedtls_cipher_check_tag( mbedtls_cipher_context_t *ctx,
}
/* Check the tag in "constant-time" */
if( mbedtls_constant_time_memcmp( tag, check_tag, tag_len ) != 0 )
if( timingsafe_bcmp( tag, check_tag, tag_len ) != 0 )
return( MBEDTLS_ERR_CIPHER_AUTH_FAILED );
return( 0 );

9
third_party/mbedtls/config.h vendored
View file

@ -19,12 +19,10 @@
#endif
/* hash functions */
#define MBEDTLS_MD5_C
#define MBEDTLS_SHA1_C
#define MBEDTLS_SHA256_C
#define MBEDTLS_SHA512_C
#ifdef MBEDTLS_SSL_PROTO_TLS1
#define MBEDTLS_MD5_C
#endif
/* random numbers */
#define ENTROPY_HAVE_STRONG
@ -203,6 +201,11 @@
*/
#define MBEDTLS_ENTROPY_HARDWARE_ALT
/**
* Enables PKCS#5 functions, e.g. PBKDF2.
*/
#define MBEDTLS_PKCS5_C
/**
* \def MBEDTLS_CIPHER_PADDING_PKCS7
*

23
third_party/mbedtls/ctr_drbg.c vendored
View file

@ -492,8 +492,8 @@ int mbedtls_ctr_drbg_seed( mbedtls_ctr_drbg_context *ctx,
* ctx contains new_working_state
*/
int mbedtls_ctr_drbg_random_with_add( void *p_rng,
unsigned char *output, size_t output_len,
const unsigned char *additional, size_t add_len )
unsigned char *output, size_t output_len,
const unsigned char *additional, size_t add_len )
{
int ret = 0;
mbedtls_ctr_drbg_context *ctx = (mbedtls_ctr_drbg_context *) p_rng;
@ -568,6 +568,21 @@ exit:
return( ret );
}
/**
* \brief This function uses CTR_DRBG to generate random data.
*
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
*
* \param p_rng The CTR_DRBG context. This must be a pointer to a
* #mbedtls_ctr_drbg_context structure.
* \param output The buffer to fill.
* \param output_len The length of the buffer in bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
*/
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output,
size_t output_len )
{
@ -822,7 +837,7 @@ int mbedtls_ctr_drbg_self_test( int verbose )
mbedtls_ctr_drbg_set_prediction_resistance( &ctx, MBEDTLS_CTR_DRBG_PR_ON );
CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_pr ) ) );
CHK( memcmp( buf, result_pr, sizeof( result_pr ) ) );
CHK( timingsafe_bcmp( buf, result_pr, sizeof( result_pr ) ) );
mbedtls_ctr_drbg_free( &ctx );
@ -847,7 +862,7 @@ int mbedtls_ctr_drbg_self_test( int verbose )
CHK( mbedtls_ctr_drbg_reseed( &ctx, NULL, 0 ) );
CHK( mbedtls_ctr_drbg_random( &ctx, buf, SELF_TEST_OUPUT_DISCARD_LENGTH ) );
CHK( mbedtls_ctr_drbg_random( &ctx, buf, sizeof( result_nopr ) ) );
CHK( memcmp( buf, result_nopr, sizeof( result_nopr ) ) );
CHK( timingsafe_bcmp( buf, result_nopr, sizeof( result_nopr ) ) );
mbedtls_ctr_drbg_free( &ctx );

28
third_party/mbedtls/ctr_drbg.h vendored
View file

@ -269,7 +269,7 @@ void mbedtls_ctr_drbg_free( mbedtls_ctr_drbg_context *ctx );
* \param resistance #MBEDTLS_CTR_DRBG_PR_ON or #MBEDTLS_CTR_DRBG_PR_OFF.
*/
void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
int resistance );
int resistance );
/**
* \brief This function sets the amount of entropy grabbed on each
@ -296,7 +296,7 @@ void mbedtls_ctr_drbg_set_prediction_resistance( mbedtls_ctr_drbg_context *ctx,
* entropy function that is set in the context.
*/
void mbedtls_ctr_drbg_set_entropy_len( mbedtls_ctr_drbg_context *ctx,
size_t len );
size_t len );
/**
* \brief This function sets the amount of entropy grabbed
@ -333,7 +333,7 @@ int mbedtls_ctr_drbg_set_nonce_len( mbedtls_ctr_drbg_context *ctx,
* \param interval The reseed interval.
*/
void mbedtls_ctr_drbg_set_reseed_interval( mbedtls_ctr_drbg_context *ctx,
int interval );
int interval );
/**
* \brief This function reseeds the CTR_DRBG context, that is
@ -414,26 +414,10 @@ int mbedtls_ctr_drbg_update_ret( mbedtls_ctr_drbg_context *ctx,
* #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
*/
int mbedtls_ctr_drbg_random_with_add( void *p_rng,
unsigned char *output, size_t output_len,
const unsigned char *additional, size_t add_len );
unsigned char *output, size_t output_len,
const unsigned char *additional, size_t add_len );
/**
* \brief This function uses CTR_DRBG to generate random data.
*
* This function automatically reseeds if the reseed counter is exceeded
* or prediction resistance is enabled.
*
* \param p_rng The CTR_DRBG context. This must be a pointer to a
* #mbedtls_ctr_drbg_context structure.
* \param output The buffer to fill.
* \param output_len The length of the buffer in bytes.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED or
* #MBEDTLS_ERR_CTR_DRBG_REQUEST_TOO_BIG on failure.
*/
int mbedtls_ctr_drbg_random( void *p_rng,
unsigned char *output, size_t output_len );
int mbedtls_ctr_drbg_random( void *p_rng, unsigned char *output, size_t output_len );
/**

13
third_party/mbedtls/des.c vendored
View file

@ -364,7 +364,6 @@ static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE]
{ 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE },
{ 0x1F, 0x1F, 0x1F, 0x1F, 0x0E, 0x0E, 0x0E, 0x0E },
{ 0xE0, 0xE0, 0xE0, 0xE0, 0xF1, 0xF1, 0xF1, 0xF1 },
{ 0x01, 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E },
{ 0x1F, 0x01, 0x1F, 0x01, 0x0E, 0x01, 0x0E, 0x01 },
{ 0x01, 0xE0, 0x01, 0xE0, 0x01, 0xF1, 0x01, 0xF1 },
@ -382,11 +381,9 @@ static const unsigned char weak_key_table[WEAK_KEY_COUNT][MBEDTLS_DES_KEY_SIZE]
int mbedtls_des_key_check_weak( const unsigned char key[MBEDTLS_DES_KEY_SIZE] )
{
int i;
for( i = 0; i < WEAK_KEY_COUNT; i++ )
if( memcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
if( timingsafe_bcmp( weak_key_table[i], key, MBEDTLS_DES_KEY_SIZE) == 0 )
return( 1 );
return( 0 );
}
@ -902,9 +899,9 @@ int mbedtls_des_self_test( int verbose )
}
if( ( v == MBEDTLS_DES_DECRYPT &&
memcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
timingsafe_bcmp( buf, des3_test_ecb_dec[u], 8 ) != 0 ) ||
( v != MBEDTLS_DES_DECRYPT &&
memcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
timingsafe_bcmp( buf, des3_test_ecb_enc[u], 8 ) != 0 ) )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
@ -998,9 +995,9 @@ int mbedtls_des_self_test( int verbose )
}
if( ( v == MBEDTLS_DES_DECRYPT &&
memcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
timingsafe_bcmp( buf, des3_test_cbc_dec[u], 8 ) != 0 ) ||
( v != MBEDTLS_DES_DECRYPT &&
memcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
timingsafe_bcmp( buf, des3_test_cbc_enc[u], 8 ) != 0 ) )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );

8
third_party/mbedtls/ecdh_everest.c vendored
View file

@ -101,7 +101,7 @@ int mbedtls_everest_make_params(mbedtls_ecdh_context_everest *ctx, size_t *olen,
*buf++ = KEYSIZE;
curve25519(buf, ctx->our_secret, base);
base[0] = 0;
if (!timingsafe_memcmp(buf, base, KEYSIZE))
if (!timingsafe_bcmp(buf, base, KEYSIZE))
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
return 0;
}
@ -202,7 +202,7 @@ int mbedtls_everest_make_public(mbedtls_ecdh_context_everest *ctx, size_t *olen,
*buf++ = KEYSIZE;
curve25519(buf, ctx->our_secret, base);
base[0] = 0;
if (!timingsafe_memcmp(buf, base, KEYSIZE))
if (!timingsafe_bcmp(buf, base, KEYSIZE))
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
return ret;
}
@ -265,10 +265,10 @@ int mbedtls_everest_calc_secret(mbedtls_ecdh_context_everest *ctx, size_t *olen,
*olen = KEYSIZE;
if (blen < *olen) return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
curve25519(buf, ctx->our_secret, ctx->peer_point);
if (!timingsafe_memcmp(buf, ctx->our_secret, KEYSIZE)) goto wut;
if (!timingsafe_bcmp(buf, ctx->our_secret, KEYSIZE)) goto wut;
/* Wipe the DH secret and don't let the peer chose a small subgroup point */
mbedtls_platform_zeroize(ctx->our_secret, KEYSIZE);
if (!timingsafe_memcmp(buf, ctx->our_secret, KEYSIZE)) goto wut;
if (!timingsafe_bcmp(buf, ctx->our_secret, KEYSIZE)) goto wut;
return 0;
wut:
mbedtls_platform_zeroize(buf, KEYSIZE);

68
third_party/mbedtls/ecp384.c vendored
View file

@ -16,6 +16,8 @@
TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
*/
#include "libc/dce.h"
#include "libc/intrin/asan.internal.h"
#include "libc/log/check.h"
#include "libc/nexgen32e/x86feature.h"
#include "libc/runtime/gc.internal.h"
@ -57,21 +59,21 @@ static int
mbedtls_p384_cmp( const uint64_t a[7],
const uint64_t b[7] )
{
if ( (int64_t)a[6] < (int64_t)b[6] ) return -1;
if ( (int64_t)a[6] > (int64_t)b[6] ) return +1;
if ( a[5] < b[5] ) return -1;
if ( a[5] > b[5] ) return +1;
if ( a[4] < b[4] ) return -1;
if ( a[4] > b[4] ) return +1;
if ( a[3] < b[3] ) return -1;
if ( a[3] > b[3] ) return +1;
if ( a[2] < b[2] ) return -1;
if ( a[2] > b[2] ) return +1;
if ( a[1] < b[1] ) return -1;
if ( a[1] > b[1] ) return +1;
if ( a[0] < b[0] ) return -1;
if ( a[0] > b[0] ) return +1;
return 0;
if( (int64_t)a[6] < (int64_t)b[6] ) return( -1 );
if( (int64_t)a[6] > (int64_t)b[6] ) return( +1 );
if( a[5] < b[5] ) return( -1 );
if( a[5] > b[5] ) return( +1 );
if( a[4] < b[4] ) return( -1 );
if( a[4] > b[4] ) return( +1 );
if( a[3] < b[3] ) return( -1 );
if( a[3] > b[3] ) return( +1 );
if( a[2] < b[2] ) return( -1 );
if( a[2] > b[2] ) return( +1 );
if( a[1] < b[1] ) return( -1 );
if( a[1] > b[1] ) return( +1 );
if( a[0] < b[0] ) return( -1 );
if( a[0] > b[0] ) return( +1 );
return( 0 );
}
static inline void
@ -178,11 +180,13 @@ mbedtls_p384_mul( uint64_t X[12],
const uint64_t B[6], size_t m )
{
if( n == 6 && m == 6 && X86_HAVE(ADX) && X86_HAVE(BMI2) )
{
Mul6x6Adx( X, A, B );
}
else
{
if (A == X) A = gc(memcpy(malloc(6 * 8), A, 6 * 8));
if (B == X) B = gc(memcpy(malloc(6 * 8), B, 6 * 8));
if( A == X ) A = gc( memcpy( malloc( 6 * 8 ), A, 6 * 8 ) );
if( B == X ) B = gc( memcpy( malloc( 6 * 8 ), B, 6 * 8 ) );
Mul( X, A, n, B, m );
mbedtls_platform_zeroize( X + n + m, (12 - n - m) * 8 );
}
@ -387,10 +391,10 @@ static int
mbedtls_p384_dim( mbedtls_ecp_point *R )
{
int ret;
if( R->X.n < 6 && ( ret = mbedtls_mpi_grow( &R->X, 6 ) ) ) return ret;
if( R->Y.n < 6 && ( ret = mbedtls_mpi_grow( &R->Y, 6 ) ) ) return ret;
if( R->Z.n < 6 && ( ret = mbedtls_mpi_grow( &R->Z, 6 ) ) ) return ret;
return 0;
if( R->X.n < 6 && ( ret = mbedtls_mpi_grow( &R->X, 6 ) ) ) return( ret );
if( R->Y.n < 6 && ( ret = mbedtls_mpi_grow( &R->Y, 6 ) ) ) return( ret );
if( R->Z.n < 6 && ( ret = mbedtls_mpi_grow( &R->Z, 6 ) ) ) return( ret );
return( 0 );
}
int mbedtls_p384_double_jac( const mbedtls_ecp_group *G,
@ -399,8 +403,10 @@ int mbedtls_p384_double_jac( const mbedtls_ecp_group *G,
{
int ret;
uint64_t T[4][12];
if ( ( ret = mbedtls_p384_dim( R ) ) ) return ret;
if ( ( ret = mbedtls_p384_dim( P ) ) ) return ret;
if( IsAsan() ) __asan_verify( P, sizeof( *P ) );
if( IsAsan() ) __asan_verify( R, sizeof( *R ) );
if( ( ret = mbedtls_p384_dim( R ) ) ) return( ret );
if( ( ret = mbedtls_p384_dim( P ) ) ) return( ret );
mbedtls_platform_zeroize( T, sizeof( T ) );
mbedtls_p384_mul( T[1], P->Z.p, 6, P->Z.p, 6 );
mbedtls_p384_add( T[2], P->X.p, T[1] );
@ -425,7 +431,7 @@ int mbedtls_p384_double_jac( const mbedtls_ecp_group *G,
mbedtls_p384_cop( R->X.p, T[2] );
mbedtls_p384_cop( R->Y.p, T[1] );
mbedtls_p384_cop( R->Z.p, T[3] );
return 0;
return( 0 );
}
int mbedtls_p384_add_mixed( const mbedtls_ecp_group *G,
@ -439,7 +445,11 @@ int mbedtls_p384_add_mixed( const mbedtls_ecp_group *G,
uint64_t T1[12], T2[12], T3[12], T4[12];
size_t Xn, Yn, Zn, QXn, QYn;
} s;
if( ( ret = mbedtls_p384_dim( R ) ) ) return ret;
if( IsAsan() ) __asan_verify( G, sizeof( *G ) );
if( IsAsan() ) __asan_verify( P, sizeof( *P ) );
if( IsAsan() ) __asan_verify( Q, sizeof( *Q ) );
if( IsAsan() ) __asan_verify( R, sizeof( *R ) );
if( ( ret = mbedtls_p384_dim( R ) ) ) return( ret );
mbedtls_platform_zeroize( &s, sizeof( s ) );
s.Xn = mbedtls_mpi_limbs( &P->X );
s.Yn = mbedtls_mpi_limbs( &P->Y );
@ -463,9 +473,9 @@ int mbedtls_p384_add_mixed( const mbedtls_ecp_group *G,
if( mbedtls_p384_isz( s.T1 ) )
{
if( mbedtls_p384_isz( s.T2 ) )
return mbedtls_p384_double_jac( G, P, R );
return( mbedtls_p384_double_jac( G, P, R ) );
else
return mbedtls_ecp_set_zero( R );
return( mbedtls_ecp_set_zero( R ) );
}
mbedtls_p384_mul( s.Z, s.Z, s.Zn, s.T1, 6 );
mbedtls_p384_mul( s.T3, s.T1, 6, s.T1, 6 );
@ -484,7 +494,7 @@ int mbedtls_p384_add_mixed( const mbedtls_ecp_group *G,
mbedtls_p384_cop( R->Y.p, s.Y );
mbedtls_p384_cop( R->Z.p, s.Z );
mbedtls_platform_zeroize( &s, sizeof( s ) );
return 0;
return( 0 );
}
static void
@ -540,7 +550,7 @@ int mbedtls_p384_normalize_jac( const mbedtls_ecp_group *grp,
{
int ret;
uint64_t t[12], Zi[12], ZZi[12];
if ((ret = mbedtls_p384_dim(pt))) return ret;
if(( ret = mbedtls_p384_dim(pt)) ) return( ret );
mbedtls_p384_inv( Zi, pt->Z.p, grp->P.p );
mbedtls_p384_mul( ZZi, Zi, 6, Zi, 6 );
mbedtls_p384_mul( t, pt->X.p, 6, ZZi, 6 );

2
third_party/mbedtls/entropy.c vendored
View file

@ -614,7 +614,7 @@ int mbedtls_entropy_source_self_test( int verbose )
/* Make sure that the entropy source is not returning values in a
* pattern */
ret = memcmp( buf0, buf1, sizeof( buf0 ) ) == 0;
ret = timingsafe_bcmp( buf0, buf1, sizeof( buf0 ) ) == 0;
cleanup:
if( verbose != 0 )

24
third_party/mbedtls/gcm.c vendored
View file

@ -924,9 +924,9 @@ int mbedtls_gcm_self_test( int verbose )
if( ret != 0 )
goto exit;
if ( memcmp( buf, ct_test_data[j * 6 + i],
pt_len_test_data[i] ) != 0 ||
memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
if ( timingsafe_bcmp( buf, ct_test_data[j * 6 + i],
pt_len_test_data[i] ) != 0 ||
timingsafe_bcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
{
ret = 1;
goto exit;
@ -960,9 +960,9 @@ int mbedtls_gcm_self_test( int verbose )
if( ret != 0 )
goto exit;
if( memcmp( buf, pt_test_data[pt_index_test_data[i]],
pt_len_test_data[i] ) != 0 ||
memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
if( timingsafe_bcmp( buf, pt_test_data[pt_index_test_data[i]],
pt_len_test_data[i] ) != 0 ||
timingsafe_bcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
{
ret = 1;
goto exit;
@ -1021,9 +1021,9 @@ int mbedtls_gcm_self_test( int verbose )
if( ret != 0 )
goto exit;
if( memcmp( buf, ct_test_data[j * 6 + i],
pt_len_test_data[i] ) != 0 ||
memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
if( timingsafe_bcmp( buf, ct_test_data[j * 6 + i],
pt_len_test_data[i] ) != 0 ||
timingsafe_bcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
{
ret = 1;
goto exit;
@ -1081,9 +1081,9 @@ int mbedtls_gcm_self_test( int verbose )
if( ret != 0 )
goto exit;
if( memcmp( buf, pt_test_data[pt_index_test_data[i]],
pt_len_test_data[i] ) != 0 ||
memcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
if( timingsafe_bcmp( buf, pt_test_data[pt_index_test_data[i]],
pt_len_test_data[i] ) != 0 ||
timingsafe_bcmp( tag_buf, tag_test_data[j * 6 + i], 16 ) != 0 )
{
ret = 1;
goto exit;

171
third_party/mbedtls/hkdf.c vendored
View file

@ -26,27 +26,35 @@ Mbed TLS (Apache 2.0)\\n\
Copyright ARM Limited\\n\
Copyright Mbed TLS Contributors\"");
asm(".include \"libc/disclaimer.inc\"");
/* clang-format off */
/*
* HKDF implementation -- RFC 5869
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
/**
* @fileoverview HKDF implementation (RFC 5869)
*/
/**
* \brief HMAC-based Extract-and-Expand Key Derivation Function
*
* \param md A hash function; md.size denotes the length of the hash
* function output in bytes.
* \param salt An optional salt value (a non-secret random value);
* if the salt is not provided, a string of all zeros of
* md.size length is used as the salt.
* \param salt_len The length in bytes of the optional \p salt.
* \param ikm The input keying material.
* \param ikm_len The length in bytes of \p ikm.
* \param info An optional context and application specific information
* string. This can be a zero-length string.
* \param info_len The length of \p info in bytes.
* \param okm The output keying material of \p okm_len bytes.
* \param okm_len The length of the output keying material in bytes. This
* must be less than or equal to 255 * md.size bytes.
*
* \return 0 on success.
* \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
* \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
* MD layer.
*/
int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
size_t salt_len, const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
@ -54,50 +62,91 @@ int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
{
int ret = MBEDTLS_ERR_THIS_CORRUPTION;
unsigned char prk[MBEDTLS_MD_MAX_SIZE];
ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, prk );
if( ret == 0 )
{
ret = mbedtls_hkdf_expand( md, prk, mbedtls_md_get_size( md ),
info, info_len, okm, okm_len );
}
mbedtls_platform_zeroize( prk, sizeof( prk ) );
return( ret );
}
/**
* \brief Takes input keying material \p ikm and extract from it a
* fixed-length pseudorandom key \p prk.
*
* \warning This function should only be used if the security of it has been
* studied and established in that particular context (eg. TLS 1.3
* key schedule). For standard HKDF security guarantees use
* \c mbedtls_hkdf instead.
*
* \param md A hash function; md.size denotes the length of the
* hash function output in bytes.
* \param salt An optional salt value (a non-secret random value);
* if the salt is not provided, a string of all zeros
* of md.size length is used as the salt.
* \param salt_len The length in bytes of the optional \p salt.
* \param ikm The input keying material.
* \param ikm_len The length in bytes of \p ikm.
* \param[out] prk A pseudorandom key of at least md.size bytes.
*
* \return 0 on success.
* \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
* \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
* MD layer.
*/
int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
unsigned char *prk )
{
unsigned char null_salt[MBEDTLS_MD_MAX_SIZE] = { '\0' };
if( salt == NULL )
{
size_t hash_len;
if( salt_len != 0 )
{
return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
}
hash_len = mbedtls_md_get_size( md );
if( hash_len == 0 )
{
return MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
}
salt = null_salt;
salt_len = hash_len;
}
return( mbedtls_md_hmac( md, salt, salt_len, ikm, ikm_len, prk ) );
}
/**
* \brief Expand the supplied \p prk into several additional
* pseudorandom keys, which is the output of the HKDF.
*
* \param md A hash function; md.size denotes the length of the hash
* function output in bytes.
* \param prk A pseudorandom key of at least md.size bytes. \p prk is
* usually the output from the HKDF extract step.
* \param prk_len The length in bytes of \p prk.
* \param info An optional context and application specific information
* string. This can be a zero-length string.
* \param info_len The length of \p info in bytes.
* \param okm The output keying material of \p okm_len bytes.
* \param okm_len The length of the output keying material in bytes. This
* must be less than or equal to 255 * md.size bytes.
*
* \return 0 on success
* \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the
* parameters are invalid.
* \return An MBEDTLS_ERR_MD_* error for errors returned from
* the underlying MD layer.
*
* \warning This function should only be used if its security has
* been studied and established in that particular context
* (eg. TLS 1.3 key schedule). For standard HKDF security
* guarantees use \c mbedtls_hkdf instead.
*/
int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
size_t prk_len, const unsigned char *info,
size_t info_len, unsigned char *okm, size_t okm_len )
@ -110,50 +159,30 @@ int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
int ret = 0;
mbedtls_md_context_t ctx;
unsigned char t[MBEDTLS_MD_MAX_SIZE];
if( okm == NULL )
{
return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
}
if( !okm ) return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
hash_len = mbedtls_md_get_size( md );
if( prk_len < hash_len || hash_len == 0 )
{
return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
}
if( info == NULL )
{
info = (const unsigned char *) "";
info_len = 0;
}
n = okm_len / hash_len;
if( okm_len % hash_len != 0 )
{
n++;
}
/*
* Per RFC 5869 Section 2.3, okm_len must not exceed
* 255 times the hash length
*/
if( n > 255 )
{
return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
}
if( n > 255 ) return( MBEDTLS_ERR_HKDF_BAD_INPUT_DATA );
mbedtls_md_init( &ctx );
if( ( ret = mbedtls_md_setup( &ctx, md, 1 ) ) != 0 )
{
goto exit;
}
if(( ret = mbedtls_md_setup( &ctx, md, 1 ) )) goto exit;
mbedtls_platform_zeroize( t, hash_len );
/*
* Compute T = T(1) | T(2) | T(3) | ... | T(N)
* Where T(N) is defined in RFC 5869 Section 2.3
@ -162,48 +191,18 @@ int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
{
size_t num_to_copy;
unsigned char c = i & 0xff;
ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len );
if( ret != 0 )
{
goto exit;
}
ret = mbedtls_md_hmac_update( &ctx, t, t_len );
if( ret != 0 )
{
goto exit;
}
ret = mbedtls_md_hmac_update( &ctx, info, info_len );
if( ret != 0 )
{
goto exit;
}
/* The constant concatenated to the end of each T(n) is a single octet.
* */
ret = mbedtls_md_hmac_update( &ctx, &c, 1 );
if( ret != 0 )
{
goto exit;
}
ret = mbedtls_md_hmac_finish( &ctx, t );
if( ret != 0 )
{
goto exit;
}
if(( ret = mbedtls_md_hmac_starts( &ctx, prk, prk_len ) )) goto exit;
if(( ret = mbedtls_md_hmac_update( &ctx, t, t_len ) )) goto exit;
if(( ret = mbedtls_md_hmac_update( &ctx, info, info_len ) )) goto exit;
if(( ret = mbedtls_md_hmac_update( &ctx, &c, 1 ) )) goto exit;
if(( ret = mbedtls_md_hmac_finish( &ctx, t ) )) goto exit;
num_to_copy = i != n ? hash_len : okm_len - where;
memcpy( okm + where, t, num_to_copy );
where += hash_len;
t_len = hash_len;
}
exit:
mbedtls_md_free( &ctx );
mbedtls_platform_zeroize( t, sizeof( t ) );
return( ret );
}

122
third_party/mbedtls/hkdf.h vendored
View file

@ -1,110 +1,24 @@
#ifndef MBEDTLS_HKDF_H
#define MBEDTLS_HKDF_H
#ifndef COSMOPOLITAN_THIRD_PARTY_MBEDTLS_HKDF_H_
#define COSMOPOLITAN_THIRD_PARTY_MBEDTLS_HKDF_H_
#include "third_party/mbedtls/config.h"
#include "third_party/mbedtls/md.h"
#if !(__ASSEMBLER__ + __LINKER__ + 0)
COSMOPOLITAN_C_START_
/* clang-format off */
/**
* \name HKDF Error codes
* \{
*/
#define MBEDTLS_ERR_HKDF_BAD_INPUT_DATA -0x5F80 /**< Bad input parameters to function. */
/* \} name */
/* clang-format on */
#ifdef __cplusplus
extern "C" {
#endif
int mbedtls_hkdf(const mbedtls_md_info_t *, const unsigned char *, size_t,
const unsigned char *, size_t, const unsigned char *, size_t,
unsigned char *, size_t);
int mbedtls_hkdf_extract(const mbedtls_md_info_t *, const unsigned char *,
size_t, const unsigned char *, size_t,
unsigned char *);
int mbedtls_hkdf_expand(const mbedtls_md_info_t *, const unsigned char *,
size_t, const unsigned char *, size_t, unsigned char *,
size_t);
/**
* \brief This is the HMAC-based Extract-and-Expand Key Derivation Function
* (HKDF).
*
* \param md A hash function; md.size denotes the length of the hash
* function output in bytes.
* \param salt An optional salt value (a non-secret random value);
* if the salt is not provided, a string of all zeros of
* md.size length is used as the salt.
* \param salt_len The length in bytes of the optional \p salt.
* \param ikm The input keying material.
* \param ikm_len The length in bytes of \p ikm.
* \param info An optional context and application specific information
* string. This can be a zero-length string.
* \param info_len The length of \p info in bytes.
* \param okm The output keying material of \p okm_len bytes.
* \param okm_len The length of the output keying material in bytes. This
* must be less than or equal to 255 * md.size bytes.
*
* \return 0 on success.
* \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
* \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
* MD layer.
*/
int mbedtls_hkdf( const mbedtls_md_info_t *md, const unsigned char *salt,
size_t salt_len, const unsigned char *ikm, size_t ikm_len,
const unsigned char *info, size_t info_len,
unsigned char *okm, size_t okm_len );
/**
* \brief Take the input keying material \p ikm and extract from it a
* fixed-length pseudorandom key \p prk.
*
* \warning This function should only be used if the security of it has been
* studied and established in that particular context (eg. TLS 1.3
* key schedule). For standard HKDF security guarantees use
* \c mbedtls_hkdf instead.
*
* \param md A hash function; md.size denotes the length of the
* hash function output in bytes.
* \param salt An optional salt value (a non-secret random value);
* if the salt is not provided, a string of all zeros
* of md.size length is used as the salt.
* \param salt_len The length in bytes of the optional \p salt.
* \param ikm The input keying material.
* \param ikm_len The length in bytes of \p ikm.
* \param[out] prk A pseudorandom key of at least md.size bytes.
*
* \return 0 on success.
* \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
* \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
* MD layer.
*/
int mbedtls_hkdf_extract( const mbedtls_md_info_t *md,
const unsigned char *salt, size_t salt_len,
const unsigned char *ikm, size_t ikm_len,
unsigned char *prk );
/**
* \brief Expand the supplied \p prk into several additional pseudorandom
* keys, which is the output of the HKDF.
*
* \warning This function should only be used if the security of it has been
* studied and established in that particular context (eg. TLS 1.3
* key schedule). For standard HKDF security guarantees use
* \c mbedtls_hkdf instead.
*
* \param md A hash function; md.size denotes the length of the hash
* function output in bytes.
* \param prk A pseudorandom key of at least md.size bytes. \p prk is
* usually the output from the HKDF extract step.
* \param prk_len The length in bytes of \p prk.
* \param info An optional context and application specific information
* string. This can be a zero-length string.
* \param info_len The length of \p info in bytes.
* \param okm The output keying material of \p okm_len bytes.
* \param okm_len The length of the output keying material in bytes. This
* must be less than or equal to 255 * md.size bytes.
*
* \return 0 on success.
* \return #MBEDTLS_ERR_HKDF_BAD_INPUT_DATA when the parameters are invalid.
* \return An MBEDTLS_ERR_MD_* error for errors returned from the underlying
* MD layer.
*/
int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
size_t prk_len, const unsigned char *info,
size_t info_len, unsigned char *okm, size_t okm_len );
#ifdef __cplusplus
}
#endif
#endif /* hkdf.h */
COSMOPOLITAN_C_END_
#endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */
#endif /* COSMOPOLITAN_THIRD_PARTY_MBEDTLS_HKDF_H_ */

4
third_party/mbedtls/hmac_drbg.c vendored
View file

@ -758,7 +758,7 @@ int mbedtls_hmac_drbg_self_test( int verbose )
mbedtls_hmac_drbg_set_prediction_resistance( &ctx, MBEDTLS_HMAC_DRBG_PR_ON );
CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( memcmp( buf, result_pr, OUTPUT_LEN ) );
CHK( timingsafe_bcmp( buf, result_pr, OUTPUT_LEN ) );
mbedtls_hmac_drbg_free( &ctx );
mbedtls_hmac_drbg_free( &ctx );
@ -781,7 +781,7 @@ int mbedtls_hmac_drbg_self_test( int verbose )
CHK( mbedtls_hmac_drbg_reseed( &ctx, NULL, 0 ) );
CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( mbedtls_hmac_drbg_random( &ctx, buf, OUTPUT_LEN ) );
CHK( memcmp( buf, result_nopr, OUTPUT_LEN ) );
CHK( timingsafe_bcmp( buf, result_nopr, OUTPUT_LEN ) );
mbedtls_hmac_drbg_free( &ctx );
mbedtls_hmac_drbg_free( &ctx );

7
third_party/mbedtls/mbedtls.mk vendored
View file

@ -71,6 +71,13 @@ o/$(MODE)/third_party/mbedtls/shiftright2-avx.o: \
OVERRIDE_CFLAGS += \
-O3 -mavx
o/$(MODE)/third_party/mbedtls/zeroize.o: \
OVERRIDE_CFLAGS += \
-O3 \
-x-no-pg \
-fomit-frame-pointer \
-foptimize-sibling-calls
THIRD_PARTY_MBEDTLS_LIBS = $(foreach x,$(THIRD_PARTY_MBEDTLS_ARTIFACTS),$($(x)))
THIRD_PARTY_MBEDTLS_SRCS = $(foreach x,$(THIRD_PARTY_MBEDTLS_ARTIFACTS),$($(x)_SRCS))
THIRD_PARTY_MBEDTLS_HDRS = $(foreach x,$(THIRD_PARTY_MBEDTLS_ARTIFACTS),$($(x)_HDRS))

2
third_party/mbedtls/md.c vendored
View file

@ -333,7 +333,7 @@ int mbedtls_md_clone( mbedtls_md_context_t *dst,
#define ALLOC( type ) \
do { \
ctx->md_ctx = mbedtls_calloc( 1, sizeof( mbedtls_##type##_context ) ); \
if( !ctx->md_ctx ) \
if( !ctx->md_ctx ) \
return( MBEDTLS_ERR_MD_ALLOC_FAILED ); \
} \
while( 0 )

6
third_party/mbedtls/md.h vendored
View file

@ -50,7 +50,7 @@ typedef enum {
* Allows message digest functions to be called in a generic way.
*/
typedef struct mbedtls_md_info_t {
const char * name; /** Name of the message digest */
const char *name; /** Name of the message digest */
mbedtls_md_type_t type; /** Digest identifier */
unsigned char size; /** Output length of the digest function in bytes */
unsigned char block_size; /** Block length of the digest function in bytes */
@ -70,9 +70,9 @@ typedef struct mbedtls_md_context_t {
void *hmac_ctx; /** The HMAC part of the context. */
} mbedtls_md_context_t;
const uint8_t *mbedtls_md_list( void );
const mbedtls_md_info_t *mbedtls_md_info_from_string( const char * );
const mbedtls_md_info_t *mbedtls_md_info_from_type( mbedtls_md_type_t );
const uint8_t *mbedtls_md_list( void );
int mbedtls_md_clone( mbedtls_md_context_t *, const mbedtls_md_context_t * );
int mbedtls_md_setup( mbedtls_md_context_t *, const mbedtls_md_info_t *, int );
void mbedtls_md_free( mbedtls_md_context_t * );
@ -107,7 +107,7 @@ forceinline unsigned char mbedtls_md_get_block_size( const mbedtls_md_info_t *md
{
if( !md_info )
return( 0 );
return md_info->size;
return md_info->block_size;
}
/**

2
third_party/mbedtls/md5.c vendored
View file

@ -462,7 +462,7 @@ int mbedtls_md5_self_test( int verbose )
if( ret != 0 )
goto fail;
if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
if( timingsafe_bcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
{
ret = 1;
goto fail;

32
third_party/mbedtls/nist_kw.c vendored
View file

@ -62,26 +62,6 @@ asm(".include \"libc/disclaimer.inc\"");
#define KW_SEMIBLOCK_LENGTH 8
#define MIN_SEMIBLOCKS_COUNT 3
/* constant-time buffer comparison */
static inline unsigned char mbedtls_nist_kw_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
{
/* Read volatile data in order before computing diff.
* This avoids IAR compiler warning:
* 'the order of volatile accesses is undefined ..' */
unsigned char x = A[i], y = B[i];
diff |= x ^ y;
}
return( diff );
}
/*! The 64-bit default integrity check value (ICV) for KW mode. */
static const unsigned char NIST_KW_ICV1[] = {0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6};
/*! The 32-bit default integrity check value (ICV) for KWP mode. */
@ -406,7 +386,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
goto cleanup;
/* Check ICV in "constant-time" */
diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
diff = timingsafe_bcmp( NIST_KW_ICV1, A, KW_SEMIBLOCK_LENGTH );
if( diff != 0 )
{
@ -455,7 +435,7 @@ int mbedtls_nist_kw_unwrap( mbedtls_nist_kw_context *ctx,
}
/* Check ICV in "constant-time" */
diff = mbedtls_nist_kw_safer_memcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
diff = timingsafe_bcmp( NIST_KW_ICV2, A, KW_SEMIBLOCK_LENGTH / 2 );
if( diff != 0 )
{
@ -636,7 +616,7 @@ int mbedtls_nist_kw_self_test( int verbose )
ret = mbedtls_nist_kw_wrap( &ctx, MBEDTLS_KW_MODE_KW, kw_msg[i],
kw_msg_len[i], out, &olen, sizeof( out ) );
if( ret != 0 || kw_out_len[i] != olen ||
memcmp( out, kw_res[i], kw_out_len[i] ) != 0 )
timingsafe_bcmp( out, kw_res[i], kw_out_len[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed. ");
@ -659,7 +639,7 @@ int mbedtls_nist_kw_self_test( int verbose )
out, olen, out, &olen, sizeof( out ) );
if( ret != 0 || olen != kw_msg_len[i] ||
memcmp( out, kw_msg[i], kw_msg_len[i] ) != 0 )
timingsafe_bcmp( out, kw_msg[i], kw_msg_len[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
@ -691,7 +671,7 @@ int mbedtls_nist_kw_self_test( int verbose )
kwp_msg_len[i], out, &olen, sizeof( out ) );
if( ret != 0 || kwp_out_len[i] != olen ||
memcmp( out, kwp_res[i], kwp_out_len[i] ) != 0 )
timingsafe_bcmp( out, kwp_res[i], kwp_out_len[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed. ");
@ -714,7 +694,7 @@ int mbedtls_nist_kw_self_test( int verbose )
olen, out, &olen, sizeof( out ) );
if( ret != 0 || olen != kwp_msg_len[i] ||
memcmp( out, kwp_msg[i], kwp_msg_len[i] ) != 0 )
timingsafe_bcmp( out, kwp_msg[i], kwp_msg_len[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed. ");

2
third_party/mbedtls/oid.c vendored
View file

@ -54,7 +54,7 @@ asm(".include \"libc/disclaimer.inc\"");
if( p == NULL || oid == NULL ) return( NULL ); \
while( cur->asn1 != NULL ) { \
if( cur->asn1_len == oid->len && \
memcmp( cur->asn1, oid->p, oid->len ) == 0 ) { \
timingsafe_bcmp( cur->asn1, oid->p, oid->len ) == 0 ) { \
return( p ); \
} \
p++; \

14
third_party/mbedtls/pem.c vendored
View file

@ -221,7 +221,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
if( *end == '\n' ) end++;
*use_len = end - data;
enc = 0;
if( s2 - s1 >= 22 && memcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
if( s2 - s1 >= 22 && timingsafe_bcmp( s1, "Proc-Type: 4,ENCRYPTED", 22 ) == 0 )
{
#if defined(MBEDTLS_MD5_C) && defined(MBEDTLS_CIPHER_MODE_CBC) && \
( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
@ -232,7 +232,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
else return( MBEDTLS_ERR_PEM_INVALID_DATA );
#if defined(MBEDTLS_DES_C)
if( s2 - s1 >= 23 && memcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
if( s2 - s1 >= 23 && timingsafe_bcmp( s1, "DEK-Info: DES-EDE3-CBC,", 23 ) == 0 )
{
enc_alg = MBEDTLS_CIPHER_DES_EDE3_CBC;
s1 += 23;
@ -240,7 +240,7 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
return( MBEDTLS_ERR_PEM_INVALID_ENC_IV );
s1 += 16;
}
else if( s2 - s1 >= 18 && memcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
else if( s2 - s1 >= 18 && timingsafe_bcmp( s1, "DEK-Info: DES-CBC,", 18 ) == 0 )
{
enc_alg = MBEDTLS_CIPHER_DES_CBC;
s1 += 18;
@ -250,15 +250,15 @@ int mbedtls_pem_read_buffer( mbedtls_pem_context *ctx, const char *header, const
}
#endif /* MBEDTLS_DES_C */
#if defined(MBEDTLS_AES_C)
if( s2 - s1 >= 14 && memcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
if( s2 - s1 >= 14 && timingsafe_bcmp( s1, "DEK-Info: AES-", 14 ) == 0 )
{
if( s2 - s1 < 22 )
return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );
else if( memcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
else if( timingsafe_bcmp( s1, "DEK-Info: AES-128-CBC,", 22 ) == 0 )
enc_alg = MBEDTLS_CIPHER_AES_128_CBC;
else if( memcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
else if( timingsafe_bcmp( s1, "DEK-Info: AES-192-CBC,", 22 ) == 0 )
enc_alg = MBEDTLS_CIPHER_AES_192_CBC;
else if( memcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
else if( timingsafe_bcmp( s1, "DEK-Info: AES-256-CBC,", 22 ) == 0 )
enc_alg = MBEDTLS_CIPHER_AES_256_CBC;
else
return( MBEDTLS_ERR_PEM_UNKNOWN_ENC_ALG );

266
third_party/mbedtls/pkcs5.c vendored
View file

@ -28,40 +28,18 @@ Mbed TLS (Apache 2.0)\\n\
Copyright ARM Limited\\n\
Copyright Mbed TLS Contributors\"");
asm(".include \"libc/disclaimer.inc\"");
/* clang-format off */
/**
* \file pkcs5.c
*
* \brief PKCS#5 functions
*
* \author Mathias Olsson <mathias@kompetensum.com>
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* PKCS#5 includes PBKDF2 and more
*
* http://tools.ietf.org/html/rfc2898 (Specification)
* http://tools.ietf.org/html/rfc6070 (Test vectors)
* @fileoverview PKCS#5 functions, e.g. PBKDF2
* @see http://tools.ietf.org/html/rfc2898 (Specification)
* @see http://tools.ietf.org/html/rfc6070 (Test vectors)
* @author Mathias Olsson <mathias@kompetensum.com>
*/
#if defined(MBEDTLS_PKCS5_C)
#if defined(MBEDTLS_ASN1_PARSE_C)
static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
mbedtls_asn1_buf *salt, int *iterations,
int *keylen, mbedtls_md_type_t *md_type )
@ -70,7 +48,6 @@ static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
mbedtls_asn1_buf prf_alg_oid;
unsigned char *p = params->p;
const unsigned char *end = params->p + params->len;
if( params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
@ -86,42 +63,46 @@ static int pkcs5_parse_pbkdf2_params( const mbedtls_asn1_buf *params,
if( ( ret = mbedtls_asn1_get_tag( &p, end, &salt->len,
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
salt->p = p;
p += salt->len;
if( ( ret = mbedtls_asn1_get_int( &p, end, iterations ) ) != 0 )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
if( p == end )
return( 0 );
if( ( ret = mbedtls_asn1_get_int( &p, end, keylen ) ) != 0 )
{
if( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
}
if( p == end )
return( 0 );
if( ( ret = mbedtls_asn1_get_alg_null( &p, end, &prf_alg_oid ) ) != 0 )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
if( mbedtls_oid_get_md_hmac( &prf_alg_oid, md_type ) != 0 )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
if( p != end )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
return( 0 );
}
/**
* \brief PKCS#5 PBES2 function
*
* \param pbe_params the ASN.1 algorithm parameters
* \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
* \param pwd password to use when generating key
* \param pwdlen length of password
* \param data data to process
* \param datalen length of data
* \param output output buffer
*
* \returns 0 on success, or MBEDTLS_ERR_XXX if verification fails.
*/
int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output )
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output )
{
int ret, iterations = 0, keylen = 0;
unsigned char *p, *end;
@ -135,10 +116,8 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
mbedtls_md_context_t md_ctx;
mbedtls_cipher_type_t cipher_alg;
mbedtls_cipher_context_t cipher_ctx;
p = pbe_params->p;
end = p + pbe_params->len;
/*
* PBES2-params ::= SEQUENCE {
* keyDerivationFunc AlgorithmIdentifier {{PBES2-KDFs}},
@ -148,93 +127,88 @@ int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
if( pbe_params->tag != ( MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT +
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
if( ( ret = mbedtls_asn1_get_alg( &p, end, &kdf_alg_oid,
&kdf_alg_params ) ) != 0 )
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
// Only PBKDF2 supported at the moment
//
/* Only PBKDF2 supported at the moment */
if( MBEDTLS_OID_CMP( MBEDTLS_OID_PKCS5_PBKDF2, &kdf_alg_oid ) != 0 )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
if( ( ret = pkcs5_parse_pbkdf2_params( &kdf_alg_params,
&salt, &iterations, &keylen,
&md_type ) ) != 0 )
{
return( ret );
}
md_info = mbedtls_md_info_from_type( md_type );
if( md_info == NULL )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
if( ( ret = mbedtls_asn1_get_alg( &p, end, &enc_scheme_oid,
&enc_scheme_params ) ) != 0 )
{
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT + ret );
}
if( mbedtls_oid_get_cipher_alg( &enc_scheme_oid, &cipher_alg ) != 0 )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
cipher_info = mbedtls_cipher_info_from_type( cipher_alg );
if( cipher_info == NULL )
return( MBEDTLS_ERR_PKCS5_FEATURE_UNAVAILABLE );
/*
* The value of keylen from pkcs5_parse_pbkdf2_params() is ignored
* since it is optional and we don't know if it was set or not
*/
keylen = cipher_info->key_bitlen / 8;
if( enc_scheme_params.tag != MBEDTLS_ASN1_OCTET_STRING ||
enc_scheme_params.len != cipher_info->iv_size )
{
return( MBEDTLS_ERR_PKCS5_INVALID_FORMAT );
}
mbedtls_md_init( &md_ctx );
mbedtls_cipher_init( &cipher_ctx );
memcpy( iv, enc_scheme_params.p, enc_scheme_params.len );
if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
goto exit;
if( ( ret = mbedtls_pkcs5_pbkdf2_hmac( &md_ctx, pwd, pwdlen, salt.p, salt.len,
iterations, keylen, key ) ) != 0 )
iterations, keylen, key ) ) != 0 )
{
goto exit;
}
if( ( ret = mbedtls_cipher_setup( &cipher_ctx, cipher_info ) ) != 0 )
goto exit;
if( ( ret = mbedtls_cipher_setkey( &cipher_ctx, key, 8 * keylen,
(mbedtls_operation_t) mode ) ) != 0 )
goto exit;
if( ( ret = mbedtls_cipher_crypt( &cipher_ctx, iv, enc_scheme_params.len,
data, datalen, output, &olen ) ) != 0 )
data, datalen, output, &olen ) ) != 0 )
ret = MBEDTLS_ERR_PKCS5_PASSWORD_MISMATCH;
exit:
mbedtls_md_free( &md_ctx );
mbedtls_cipher_free( &cipher_ctx );
return( ret );
}
#endif /* MBEDTLS_ASN1_PARSE_C */
/**
* \brief PKCS#5 PBKDF2 using HMAC
*
* \param ctx Generic HMAC context
* \param password Password to use when generating key
* \param plen Length of password
* \param salt Salt to use when generating key
* \param slen Length of salt
* \param c Iteration count
* \param dklen Length of generated key in bytes
* \param output Generated key. Must be at least as big as dklen
*
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
*/
int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx,
const unsigned char *password,
size_t plen, const unsigned char *salt, size_t slen,
unsigned int iteration_count,
uint32_t key_length, unsigned char *output )
const void *password, size_t plen,
const void *salt, size_t slen,
unsigned c, uint32_t dklen,
unsigned char *output )
{
int ret = MBEDTLS_ERR_THIS_CORRUPTION;
int j;
int ret = MBEDTLS_ERR_THIS_CORRUPTION;
unsigned int i;
unsigned char md1[MBEDTLS_MD_MAX_SIZE];
unsigned char work[MBEDTLS_MD_MAX_SIZE];
@ -242,191 +216,149 @@ int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx,
size_t use_len;
unsigned char *out_p = output;
unsigned char counter[4];
memset( counter, 0, 4 );
counter[3] = 1;
#if UINT_MAX > 0xFFFFFFFF
if( iteration_count > 0xFFFFFFFF )
if( c > 0xFFFFFFFF )
return( MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA );
#endif
if( ( ret = mbedtls_md_hmac_starts( ctx, password, plen ) ) != 0 )
return( ret );
while( key_length )
while( dklen )
{
// U1 ends up in work
//
if( ( ret = mbedtls_md_hmac_update( ctx, salt, slen ) ) != 0 )
goto cleanup;
if( ( ret = mbedtls_md_hmac_update( ctx, counter, 4 ) ) != 0 )
goto cleanup;
if( ( ret = mbedtls_md_hmac_finish( ctx, work ) ) != 0 )
goto cleanup;
if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 )
goto cleanup;
memcpy( md1, work, md_size );
for( i = 1; i < iteration_count; i++ )
for( i = 1; i < c; i++ )
{
// U2 ends up in md1
//
if( ( ret = mbedtls_md_hmac_update( ctx, md1, md_size ) ) != 0 )
goto cleanup;
if( ( ret = mbedtls_md_hmac_finish( ctx, md1 ) ) != 0 )
goto cleanup;
if( ( ret = mbedtls_md_hmac_reset( ctx ) ) != 0 )
goto cleanup;
// U1 xor U2
//
for( j = 0; j < md_size; j++ )
work[j] ^= md1[j];
}
use_len = ( key_length < md_size ) ? key_length : md_size;
use_len = ( dklen < md_size ) ? dklen : md_size;
memcpy( out_p, work, use_len );
key_length -= (uint32_t) use_len;
dklen -= (uint32_t) use_len;
out_p += use_len;
for( i = 4; i > 0; i-- )
if( ++counter[i - 1] != 0 )
break;
}
cleanup:
/* Zeroise buffers to clear sensitive data from memory. */
mbedtls_platform_zeroize( work, MBEDTLS_MD_MAX_SIZE );
mbedtls_platform_zeroize( md1, MBEDTLS_MD_MAX_SIZE );
return( ret );
}
#if defined(MBEDTLS_SELF_TEST)
#if !defined(MBEDTLS_SHA1_C)
int mbedtls_pkcs5_self_test( int verbose )
{
if( verbose != 0 )
mbedtls_printf( " PBKDF2 (SHA1): skipped\n\n" );
return( 0 );
}
#else
#define MAX_TESTS 6
static const size_t plen_test_data[MAX_TESTS] =
{ 8, 8, 8, 24, 9 };
static const unsigned char password_test_data[MAX_TESTS][32] =
{
"password",
"password",
"password",
"passwordPASSWORDpassword",
"pass\0word",
};
static const size_t slen_test_data[MAX_TESTS] =
{ 4, 4, 4, 36, 5 };
static const unsigned char salt_test_data[MAX_TESTS][40] =
{
"salt",
"salt",
"salt",
"saltSALTsaltSALTsaltSALTsaltSALTsalt",
"sa\0lt",
};
static const uint32_t it_cnt_test_data[MAX_TESTS] =
{ 1, 2, 4096, 4096, 4096 };
static const uint32_t key_len_test_data[MAX_TESTS] =
{ 20, 20, 20, 25, 16 };
static const unsigned char result_key_test_data[MAX_TESTS][32] =
{
{ 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
0x2f, 0xe0, 0x37, 0xa6 },
{ 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
0xd8, 0xde, 0x89, 0x57 },
{ 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
0x65, 0xa4, 0x29, 0xc1 },
{ 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
0x38 },
{ 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
};
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_SHA1_C)
#define MAX_TESTS 6
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_pkcs5_self_test( int verbose )
{
static const size_t plen_test_data[MAX_TESTS] =
{ 8, 8, 8, 24, 9 };
static const unsigned char password_test_data[MAX_TESTS][32] =
{
"password",
"password",
"password",
"passwordPASSWORDpassword",
"pass\0word",
};
static const size_t slen_test_data[MAX_TESTS] =
{ 4, 4, 4, 36, 5 };
static const unsigned char salt_test_data[MAX_TESTS][40] =
{
"salt",
"salt",
"salt",
"saltSALTsaltSALTsaltSALTsaltSALTsalt",
"sa\0lt",
};
static const uint32_t it_cnt_test_data[MAX_TESTS] =
{ 1, 2, 4096, 4096, 4096 };
static const uint32_t key_len_test_data[MAX_TESTS] =
{ 20, 20, 20, 25, 16 };
static const unsigned char result_key_test_data[MAX_TESTS][32] =
{
{ 0x0c, 0x60, 0xc8, 0x0f, 0x96, 0x1f, 0x0e, 0x71,
0xf3, 0xa9, 0xb5, 0x24, 0xaf, 0x60, 0x12, 0x06,
0x2f, 0xe0, 0x37, 0xa6 },
{ 0xea, 0x6c, 0x01, 0x4d, 0xc7, 0x2d, 0x6f, 0x8c,
0xcd, 0x1e, 0xd9, 0x2a, 0xce, 0x1d, 0x41, 0xf0,
0xd8, 0xde, 0x89, 0x57 },
{ 0x4b, 0x00, 0x79, 0x01, 0xb7, 0x65, 0x48, 0x9a,
0xbe, 0xad, 0x49, 0xd9, 0x26, 0xf7, 0x21, 0xd0,
0x65, 0xa4, 0x29, 0xc1 },
{ 0x3d, 0x2e, 0xec, 0x4f, 0xe4, 0x1c, 0x84, 0x9b,
0x80, 0xc8, 0xd8, 0x36, 0x62, 0xc0, 0xe4, 0x4a,
0x8b, 0x29, 0x1a, 0x96, 0x4c, 0xf2, 0xf0, 0x70,
0x38 },
{ 0x56, 0xfa, 0x6a, 0xa7, 0x55, 0x48, 0x09, 0x9d,
0xcc, 0x37, 0xd7, 0xf0, 0x34, 0x25, 0xe0, 0xc3 },
};
mbedtls_md_context_t sha1_ctx;
const mbedtls_md_info_t *info_sha1;
int ret, i;
unsigned char key[64];
mbedtls_md_init( &sha1_ctx );
info_sha1 = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 );
if( info_sha1 == NULL )
{
ret = 1;
goto exit;
}
if( ( ret = mbedtls_md_setup( &sha1_ctx, info_sha1, 1 ) ) != 0 )
{
ret = 1;
goto exit;
}
for( i = 0; i < MAX_TESTS; i++ )
{
if( verbose != 0 )
mbedtls_printf( " PBKDF2 (SHA1) #%d: ", i );
ret = mbedtls_pkcs5_pbkdf2_hmac( &sha1_ctx, password_test_data[i],
plen_test_data[i], salt_test_data[i],
slen_test_data[i], it_cnt_test_data[i],
key_len_test_data[i], key );
if( ret != 0 ||
memcmp( result_key_test_data[i], key, key_len_test_data[i] ) != 0 )
timingsafe_bcmp( result_key_test_data[i], key, key_len_test_data[i] ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
ret = 1;
goto exit;
}
if( verbose != 0 )
mbedtls_printf( "passed\n" );
}
if( verbose != 0 )
mbedtls_printf( "\n" );
exit:
mbedtls_md_free( &sha1_ctx );
return( ret );
}
#endif /* MBEDTLS_SHA1_C */
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_PKCS5_C */

67
third_party/mbedtls/pkcs5.h vendored
View file

@ -3,6 +3,7 @@
#include "third_party/mbedtls/asn1.h"
#include "third_party/mbedtls/config.h"
#include "third_party/mbedtls/md.h"
COSMOPOLITAN_C_START_
/* clang-format off */
#define MBEDTLS_ERR_PKCS5_BAD_INPUT_DATA -0x2f80 /**< Bad input parameters to function. */
@ -13,64 +14,12 @@
#define MBEDTLS_PKCS5_DECRYPT 0
#define MBEDTLS_PKCS5_ENCRYPT 1
#ifdef __cplusplus
extern "C" {
#endif
#if defined(MBEDTLS_ASN1_PARSE_C)
/**
* \brief PKCS#5 PBES2 function
*
* \param pbe_params the ASN.1 algorithm parameters
* \param mode either MBEDTLS_PKCS5_DECRYPT or MBEDTLS_PKCS5_ENCRYPT
* \param pwd password to use when generating key
* \param pwdlen length of password
* \param data data to process
* \param datalen length of data
* \param output output buffer
*
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
*/
int mbedtls_pkcs5_pbes2( const mbedtls_asn1_buf *pbe_params, int mode,
const unsigned char *pwd, size_t pwdlen,
const unsigned char *data, size_t datalen,
unsigned char *output );
#endif /* MBEDTLS_ASN1_PARSE_C */
/**
* \brief PKCS#5 PBKDF2 using HMAC
*
* \param ctx Generic HMAC context
* \param password Password to use when generating key
* \param plen Length of password
* \param salt Salt to use when generating key
* \param slen Length of salt
* \param iteration_count Iteration count
* \param key_length Length of generated key in bytes
* \param output Generated key. Must be at least as big as key_length
*
* \returns 0 on success, or a MBEDTLS_ERR_XXX code if verification fails.
*/
int mbedtls_pkcs5_pbkdf2_hmac( mbedtls_md_context_t *ctx, const unsigned char *password,
size_t plen, const unsigned char *salt, size_t slen,
unsigned int iteration_count,
uint32_t key_length, unsigned char *output );
#if defined(MBEDTLS_SELF_TEST)
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_pkcs5_self_test( int verbose );
#endif /* MBEDTLS_SELF_TEST */
#ifdef __cplusplus
}
#endif
int mbedtls_pkcs5_pbes2(const mbedtls_asn1_buf *, int, const unsigned char *,
size_t, const unsigned char *, size_t, unsigned char *);
int mbedtls_pkcs5_pbkdf2_hmac(mbedtls_md_context_t *, const void *, size_t,
const void *, size_t, unsigned, uint32_t,
unsigned char *);
int mbedtls_pkcs5_self_test(int);
COSMOPOLITAN_C_END_
#endif /* pkcs5.h */

8
third_party/mbedtls/pkparse.c vendored
View file

@ -284,7 +284,7 @@ static int pk_group_from_specified( const mbedtls_asn1_buf *params, mbedtls_ecp_
if( ( ret = mbedtls_asn1_get_tag( &p, end_field, &len, MBEDTLS_ASN1_OID ) ) != 0 )
return( ret );
if( len != MBEDTLS_OID_SIZE( MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD ) ||
memcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
timingsafe_bcmp( p, MBEDTLS_OID_ANSI_X9_62_PRIME_FIELD, len ) != 0 )
{
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
}
@ -1082,9 +1082,9 @@ static int pk_parse_key_pkcs8_unencrypted_der(
*/
#if defined(MBEDTLS_PKCS12_C) || defined(MBEDTLS_PKCS5_C)
static int pk_parse_key_pkcs8_encrypted_der(
mbedtls_pk_context *pk,
unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen )
mbedtls_pk_context *pk,
unsigned char *key, size_t keylen,
const unsigned char *pwd, size_t pwdlen )
{
int ret, decrypted = 0;
size_t len;

2
third_party/mbedtls/poly1305.c vendored
View file

@ -550,7 +550,7 @@ int mbedtls_poly1305_self_test( int verbose )
mac );
ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
ASSERT( 0 == timingsafe_bcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
if( verbose != 0 )
mbedtls_printf( "passed\n" );

794
third_party/mbedtls/rsa.c vendored
View file

File diff suppressed because it is too large Load diff

232
third_party/mbedtls/rsa.h vendored
View file

@ -1,8 +1,10 @@
#ifndef MBEDTLS_RSA_H
#define MBEDTLS_RSA_H
#ifndef COSMOPOLITAN_THIRD_PARTY_MBEDTLS_RSA_H_
#define COSMOPOLITAN_THIRD_PARTY_MBEDTLS_RSA_H_
#include "third_party/mbedtls/bignum.h"
#include "third_party/mbedtls/config.h"
#include "third_party/mbedtls/md.h"
#if !(__ASSEMBLER__ + __LINKER__ + 0)
COSMOPOLITAN_C_START_
/* clang-format off */
/*
@ -44,14 +46,6 @@
* eg for alternative (PKCS#11) RSA implemenations in the PK layers.
*/
#ifdef __cplusplus
extern "C" {
#endif
#if !defined(MBEDTLS_RSA_ALT)
// Regular implementation
//
/**
* \brief The RSA context structure.
*
@ -96,10 +90,6 @@ typedef struct mbedtls_rsa_context
}
mbedtls_rsa_context;
#else /* MBEDTLS_RSA_ALT */
/* #include "third_party/mbedtls/rsa_alt.h" */
#endif /* MBEDTLS_RSA_ALT */
/**
* \brief This function initializes an RSA context.
*
@ -866,14 +856,13 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx,
* \return \c 0 if the signing operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
*/
int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng, int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig );
/**
* \brief This function performs a PKCS#1 v2.1 PSS signature
@ -982,185 +971,38 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx,
const unsigned char *hash,
const unsigned char *sig );
/**
* \brief This function performs a PKCS#1 v1.5 verification
* operation (RSASSA-PKCS1-v1_5-VERIFY).
*
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
* are likely to remove the \p mode argument and have it
* set to #MBEDTLS_RSA_PUBLIC.
*
* \param ctx The initialized RSA public key context to use.
* \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
* this is used for blinding and should be provided; see
* mbedtls_rsa_private() for more. Otherwise, it is ignored.
* \param p_rng The RNG context to be passed to \p f_rng. This may be
* \c NULL if \p f_rng is \c NULL or doesn't need a context.
* \param mode The mode of operation. This must be either
* #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* \param sig The buffer holding the signature. This must be a readable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
*/
int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
const unsigned char *sig );
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
const unsigned char *sig );
/**
* \brief This function performs a PKCS#1 v2.1 PSS verification
* operation (RSASSA-PSS-VERIFY).
*
* The hash function for the MGF mask generating function
* is that specified in the RSA context.
*
* \note The \p hash_id in the RSA context is the one used for the
* verification. \p md_alg in the function call is the type of
* hash that is verified. According to <em>RFC-3447: Public-Key
* Cryptography Standards (PKCS) #1 v2.1: RSA Cryptography
* Specifications</em> it is advised to keep both hashes the
* same. If \p hash_id in the RSA context is unset,
* the \p md_alg from the function call is used.
*
* \deprecated It is deprecated and discouraged to call this function
* in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library
* are likely to remove the \p mode argument and have it
* implicitly set to #MBEDTLS_RSA_PUBLIC.
*
* \param ctx The initialized RSA public key context to use.
* \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
* this is used for blinding and should be provided; see
* mbedtls_rsa_private() for more. Otherwise, it is ignored.
* \param p_rng The RNG context to be passed to \p f_rng. This may be
* \c NULL if \p f_rng is \c NULL or doesn't need a context.
* \param mode The mode of operation. This must be either
* #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated).
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* \param sig The buffer holding the signature. This must be a readable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
*/
int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
const unsigned char *sig );
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
const unsigned char *sig );
/**
* \brief This function performs a PKCS#1 v2.1 PSS verification
* operation (RSASSA-PSS-VERIFY).
*
* The hash function for the MGF mask generating function
* is that specified in \p mgf1_hash_id.
*
* \note The \p sig buffer must be as large as the size
* of \p ctx->N. For example, 128 Bytes if RSA-1024 is used.
*
* \note The \p hash_id in the RSA context is ignored.
*
* \param ctx The initialized RSA public key context to use.
* \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE,
* this is used for blinding and should be provided; see
* mbedtls_rsa_private() for more. Otherwise, it is ignored.
* \param p_rng The RNG context to be passed to \p f_rng. This may be
* \c NULL if \p f_rng is \c NULL or doesn't need a context.
* \param mode The mode of operation. This must be either
* #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE.
* \param md_alg The message-digest algorithm used to hash the original data.
* Use #MBEDTLS_MD_NONE for signing raw data.
* \param hashlen The length of the message digest.
* This is only used if \p md_alg is #MBEDTLS_MD_NONE.
* \param hash The buffer holding the message digest or raw data.
* If \p md_alg is #MBEDTLS_MD_NONE, this must be a readable
* buffer of length \p hashlen Bytes. If \p md_alg is not
* #MBEDTLS_MD_NONE, it must be a readable buffer of length
* the size of the hash corresponding to \p md_alg.
* \param mgf1_hash_id The message digest used for mask generation.
* \param expected_salt_len The length of the salt used in padding. Use
* #MBEDTLS_RSA_SALT_LEN_ANY to accept any salt length.
* \param sig The buffer holding the signature. This must be a readable
* buffer of length \c ctx->len Bytes. For example, \c 256 Bytes
* for an 2048-bit RSA modulus.
*
* \return \c 0 if the verify operation was successful.
* \return An \c MBEDTLS_ERR_RSA_XXX error code on failure.
*/
int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
mbedtls_md_type_t mgf1_hash_id,
int expected_salt_len,
const unsigned char *sig );
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng, int mode,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
mbedtls_md_type_t mgf1_hash_id,
int expected_salt_len,
const unsigned char *sig );
/**
* \brief This function copies the components of an RSA context.
*
* \param dst The destination context. This must be initialized.
* \param src The source context. This must be initialized.
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_MPI_ALLOC_FAILED on memory allocation failure.
*/
int mbedtls_rsa_copy( mbedtls_rsa_context *dst, const mbedtls_rsa_context *src );
/**
* \brief This function frees the components of an RSA key.
*
* \param ctx The RSA context to free. May be \c NULL, in which case
* this function is a no-op. If it is not \c NULL, it must
* point to an initialized RSA context.
*/
void mbedtls_rsa_free( mbedtls_rsa_context *ctx );
int mbedtls_rsa_self_test( int );
#if defined(MBEDTLS_SELF_TEST)
/**
* \brief The RSA checkup routine.
*
* \return \c 0 on success.
* \return \c 1 on failure.
*/
int mbedtls_rsa_self_test( int verbose );
#endif /* MBEDTLS_SELF_TEST */
#ifdef __cplusplus
}
#endif
#endif /* rsa.h */
COSMOPOLITAN_C_END_
#endif /* !(__ASSEMBLER__ + __LINKER__ + 0) */
#endif /* COSMOPOLITAN_THIRD_PARTY_MBEDTLS_RSA_H_ */

131
third_party/mbedtls/sha1.c vendored
View file

@ -16,7 +16,9 @@
limitations under the License.
*/
#include "libc/bits/bits.h"
#include "libc/intrin/asan.internal.h"
#include "libc/macros.internal.h"
#include "libc/nexgen32e/sha.h"
#include "libc/nexgen32e/x86feature.h"
#include "libc/str/str.h"
#include "third_party/mbedtls/common.h"
@ -31,33 +33,15 @@ Mbed TLS (Apache 2.0)\\n\
Copyright ARM Limited\\n\
Copyright Mbed TLS Contributors\"");
asm(".include \"libc/disclaimer.inc\"");
/* clang-format off */
/*
* FIPS-180-1 compliant SHA-1 implementation
*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/*
* The SHA-1 standard was published by NIST in 1993.
*
* http://www.itl.nist.gov/fipspubs/fip180-1.htm
*/
void sha1_transform_avx2(mbedtls_sha1_context *, const uint8_t *, int);
/**
* @fileoverview FIPS-180-1 compliant SHA-1 implementation
*
* The SHA-1 standard was published by NIST in 1993.
*
* @see http://www.itl.nist.gov/fipspubs/fip180-1.htm
*/
#define SHA1_VALIDATE_RET(cond) \
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA1_BAD_INPUT_DATA )
@ -131,9 +115,30 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx,
SHA1_VALIDATE_RET( ctx != NULL );
SHA1_VALIDATE_RET( (const unsigned char *)data != NULL );
if (!IsTiny() && LIKELY(X86_HAVE(AVX2) && X86_HAVE(BMI) && X86_HAVE(BMI2))) {
sha1_transform_avx2(ctx, data, 1);
return 0;
if( !IsTiny() || X86_NEED( SHA ) )
{
if( X86_HAVE( SHA ) )
{
if( IsAsan() )
{
__asan_verify( data, 64 );
__asan_verify( ctx, sizeof(*ctx) );
}
sha1_transform_ni( ctx->state, data, 1 );
return( 0 );
}
if( X86_HAVE( BMI ) &&
X86_HAVE( BMI2 ) &&
X86_HAVE( AVX2 ) )
{
if( IsAsan() )
{
__asan_verify( data, 64 );
__asan_verify( ctx, sizeof(*ctx) );
}
sha1_transform_avx2( ctx->state, data, 1 );
return( 0 );
}
}
#ifdef MBEDTLS_SHA1_SMALLER
@ -399,28 +404,45 @@ int mbedtls_sha1_update_ret( mbedtls_sha1_context *ctx,
if( left && ilen >= fill )
{
memcpy( (void *) (ctx->buffer + left), input, fill );
if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
return( ret );
input += fill;
ilen -= fill;
left = 0;
}
if (!IsTiny() && ilen >= 64 && X86_HAVE(AVX2) && X86_HAVE(BMI) && X86_HAVE(BMI2)) {
sha1_transform_avx2(ctx, input, ilen / 64);
input += ROUNDDOWN(ilen, 64);
ilen -= ROUNDDOWN(ilen, 64);
}
while( ilen >= 64 )
if( ilen >= 64 )
{
if( ( ret = mbedtls_internal_sha1_process( ctx, input ) ) != 0 )
return( ret );
input += 64;
ilen -= 64;
if( ( !IsTiny() || X86_NEED(SHA) ) && X86_HAVE( SHA ) )
{
if( IsAsan() )
__asan_verify( input, ilen );
sha1_transform_ni( ctx->state, input, ilen / 64 );
input += ROUNDDOWN( ilen, 64 );
ilen -= ROUNDDOWN( ilen, 64 );
}
else if( !IsTiny() &&
X86_HAVE( BMI ) &&
X86_HAVE( BMI2 ) &&
X86_HAVE( AVX2 ) )
{
if( IsAsan() )
__asan_verify( input, ilen );
sha1_transform_avx2( ctx->state, input, ilen / 64 );
input += ROUNDDOWN( ilen, 64 );
ilen -= ROUNDDOWN( ilen, 64 );
}
else
{
do
{
if(( ret = mbedtls_internal_sha1_process( ctx, input ) ))
return( ret );
input += 64;
ilen -= 64;
}
while( ilen >= 64 );
}
}
if( ilen > 0 )
@ -471,10 +493,8 @@ int mbedtls_sha1_finish_ret( mbedtls_sha1_context *ctx,
{
/* We'll need an extra block */
mbedtls_platform_zeroize( ctx->buffer + used, 64 - used );
if( ( ret = mbedtls_internal_sha1_process( ctx, ctx->buffer ) ) != 0 )
return( ret );
mbedtls_platform_zeroize( ctx->buffer, 56 );
}
@ -532,24 +552,17 @@ int mbedtls_sha1_ret( const void *input,
{
int ret = MBEDTLS_ERR_THIS_CORRUPTION;
mbedtls_sha1_context ctx;
SHA1_VALIDATE_RET( ilen == 0 || input != NULL );
SHA1_VALIDATE_RET( (unsigned char *)output != NULL );
mbedtls_sha1_init( &ctx );
if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
goto exit;
if( ( ret = mbedtls_sha1_update_ret( &ctx, input, ilen ) ) != 0 )
goto exit;
if( ( ret = mbedtls_sha1_finish_ret( &ctx, output ) ) != 0 )
goto exit;
exit:
mbedtls_sha1_free( &ctx );
return( ret );
}
@ -608,9 +621,7 @@ int mbedtls_sha1_self_test( int verbose )
unsigned char buf[1024];
unsigned char sha1sum[20];
mbedtls_sha1_context ctx;
mbedtls_sha1_init( &ctx );
/*
* SHA-1
*/
@ -618,14 +629,11 @@ int mbedtls_sha1_self_test( int verbose )
{
if( verbose != 0 )
mbedtls_printf( " SHA-1 test #%d: ", i + 1 );
if( ( ret = mbedtls_sha1_starts_ret( &ctx ) ) != 0 )
goto fail;
if( i == 2 )
{
memset( buf, 'a', buflen = 1000 );
for( j = 0; j < 1000; j++ )
{
ret = mbedtls_sha1_update_ret( &ctx, buf, buflen );
@ -640,34 +648,25 @@ int mbedtls_sha1_self_test( int verbose )
if( ret != 0 )
goto fail;
}
if( ( ret = mbedtls_sha1_finish_ret( &ctx, sha1sum ) ) != 0 )
goto fail;
if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
if( timingsafe_bcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
{
ret = 1;
goto fail;
}
if( verbose != 0 )
mbedtls_printf( "passed\n" );
}
if( verbose != 0 )
mbedtls_printf( "\n" );
goto exit;
fail:
if( verbose != 0 )
mbedtls_printf( "failed\n" );
exit:
mbedtls_sha1_free( &ctx );
return( ret );
}
#endif /* MBEDTLS_SELF_TEST */

94
third_party/mbedtls/sha256.c vendored
View file

@ -16,7 +16,9 @@
limitations under the License.
*/
#include "libc/dce.h"
#include "libc/intrin/asan.internal.h"
#include "libc/macros.internal.h"
#include "libc/nexgen32e/sha.h"
#include "libc/nexgen32e/x86feature.h"
#include "libc/str/str.h"
#include "third_party/mbedtls/common.h"
@ -45,8 +47,6 @@ asm(".include \"libc/disclaimer.inc\"");
MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_SHA256_BAD_INPUT_DATA )
#define SHA256_VALIDATE(cond) MBEDTLS_INTERNAL_VALIDATE( cond )
void sha256_transform_rorx(mbedtls_sha256_context *, const uint8_t *, int);
#if !defined(MBEDTLS_SHA256_ALT)
/**
@ -119,25 +119,8 @@ int mbedtls_sha256_starts_ret( mbedtls_sha256_context *ctx, int is224 )
}
#if !defined(MBEDTLS_SHA256_PROCESS_ALT)
static const uint32_t K[] =
{
0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
0xD807AA98, 0x12835B01, 0x243185BE, 0x550C7DC3,
0x72BE5D74, 0x80DEB1FE, 0x9BDC06A7, 0xC19BF174,
0xE49B69C1, 0xEFBE4786, 0x0FC19DC6, 0x240CA1CC,
0x2DE92C6F, 0x4A7484AA, 0x5CB0A9DC, 0x76F988DA,
0x983E5152, 0xA831C66D, 0xB00327C8, 0xBF597FC7,
0xC6E00BF3, 0xD5A79147, 0x06CA6351, 0x14292967,
0x27B70A85, 0x2E1B2138, 0x4D2C6DFC, 0x53380D13,
0x650A7354, 0x766A0ABB, 0x81C2C92E, 0x92722C85,
0xA2BFE8A1, 0xA81A664B, 0xC24B8B70, 0xC76C51A3,
0xD192E819, 0xD6990624, 0xF40E3585, 0x106AA070,
0x19A4C116, 0x1E376C08, 0x2748774C, 0x34B0BCB5,
0x391C0CB3, 0x4ED8AA4A, 0x5B9CCA4F, 0x682E6FF3,
0x748F82EE, 0x78A5636F, 0x84C87814, 0x8CC70208,
0x90BEFFFA, 0xA4506CEB, 0xBEF9A3F7, 0xC67178F2,
};
extern const uint32_t kSha256[64];
#define K kSha256
#define SHR(x,n) (((x) & 0xFFFFFFFF) >> (n))
#define ROTR(x,n) (SHR(x,n) | ((x) << (32 - (n))))
@ -185,15 +168,29 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx,
uint32_t temp1, temp2, W[64];
uint32_t A[8];
} local;
unsigned int i;
SHA256_VALIDATE_RET( ctx != NULL );
SHA256_VALIDATE_RET( (const unsigned char *)data != NULL );
if (!IsTiny() && X86_HAVE(AVX2) && X86_HAVE(BMI2)) {
sha256_transform_rorx(ctx, data, 1);
return 0;
if( !IsTiny() || X86_NEED( SHA ) )
{
if( X86_HAVE( SHA ) )
{
if( IsAsan() )
__asan_verify( data, 64 );
sha256_transform_ni( ctx->state, data, 1 );
return( 0 );
}
if( X86_HAVE( BMI ) &&
X86_HAVE( BMI2 ) &&
X86_HAVE( AVX2 ) )
{
if( IsAsan() )
__asan_verify( data, 64 );
sha256_transform_rorx( ctx->state, data, 1 );
return( 0 );
}
}
for( i = 0; i < 8; i++ )
@ -304,28 +301,45 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
if( left && ilen >= fill )
{
memcpy( (void *) (ctx->buffer + left), input, fill );
if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
return( ret );
input += fill;
ilen -= fill;
left = 0;
}
if (!IsTiny() && ilen >= 64 && X86_HAVE(AVX2) && X86_HAVE(BMI2)) {
sha256_transform_rorx(ctx, input, ilen / 64);
input += ROUNDDOWN(ilen, 64);
ilen -= ROUNDDOWN(ilen, 64);
}
while( ilen >= 64 )
if( ilen >= 64 )
{
if( ( ret = mbedtls_internal_sha256_process( ctx, input ) ) != 0 )
return( ret );
input += 64;
ilen -= 64;
if( ( !IsTiny() || X86_NEED( SHA ) ) && X86_HAVE( SHA ) )
{
if( IsAsan() )
__asan_verify( input, ilen );
sha256_transform_ni( ctx->state, input, ilen / 64 );
input += ROUNDDOWN( ilen, 64 );
ilen -= ROUNDDOWN( ilen, 64 );
}
else if( !IsTiny() &&
X86_HAVE( BMI ) &&
X86_HAVE( BMI2 ) &&
X86_HAVE( AVX2 ) )
{
if( IsAsan() )
__asan_verify( input, ilen );
sha256_transform_rorx( ctx->state, input, ilen / 64 );
input += ROUNDDOWN( ilen, 64 );
ilen -= ROUNDDOWN( ilen, 64 );
}
else
{
do
{
if(( ret = mbedtls_internal_sha256_process( ctx, input ) ))
return( ret );
input += 64;
ilen -= 64;
}
while( ilen >= 64 );
}
}
if( ilen > 0 )
@ -590,7 +604,7 @@ int mbedtls_sha256_self_test( int verbose )
}
if( ( ret = mbedtls_sha256_finish_ret( &ctx, sha256sum ) ) != 0 )
goto fail;
if( memcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
if( timingsafe_bcmp( sha256sum, sha256_test_sum[i], 32 - k * 4 ) != 0 )
{
ret = 1;
goto fail;

184
third_party/mbedtls/sha512.c vendored
View file

@ -15,6 +15,7 @@
See the License for the specific language governing permissions and
limitations under the License.
*/
#include "libc/intrin/asan.internal.h"
#include "libc/literal.h"
#include "libc/macros.internal.h"
#include "libc/nexgen32e/x86feature.h"
@ -73,14 +74,14 @@ int mbedtls_sha512_starts_384( mbedtls_sha512_context *ctx )
SHA512_VALIDATE_RET( ctx );
ctx->total[0] = 0;
ctx->total[1] = 0;
ctx->state[0] = UINT64_C(0xCBBB9D5DC1059ED8);
ctx->state[1] = UINT64_C(0x629A292A367CD507);
ctx->state[2] = UINT64_C(0x9159015A3070DD17);
ctx->state[3] = UINT64_C(0x152FECD8F70E5939);
ctx->state[4] = UINT64_C(0x67332667FFC00B31);
ctx->state[5] = UINT64_C(0x8EB44A8768581511);
ctx->state[6] = UINT64_C(0xDB0C2E0D64F98FA7);
ctx->state[7] = UINT64_C(0x47B5481DBEFA4FA4);
ctx->state[0] = 0xCBBB9D5DC1059ED8;
ctx->state[1] = 0x629A292A367CD507;
ctx->state[2] = 0x9159015A3070DD17;
ctx->state[3] = 0x152FECD8F70E5939;
ctx->state[4] = 0x67332667FFC00B31;
ctx->state[5] = 0x8EB44A8768581511;
ctx->state[6] = 0xDB0C2E0D64F98FA7;
ctx->state[7] = 0x47B5481DBEFA4FA4;
ctx->is384 = true;
return( 0 );
}
@ -90,14 +91,14 @@ int mbedtls_sha512_starts_512( mbedtls_sha512_context *ctx )
SHA512_VALIDATE_RET( ctx );
ctx->total[0] = 0;
ctx->total[1] = 0;
ctx->state[0] = UINT64_C(0x6A09E667F3BCC908);
ctx->state[1] = UINT64_C(0xBB67AE8584CAA73B);
ctx->state[2] = UINT64_C(0x3C6EF372FE94F82B);
ctx->state[3] = UINT64_C(0xA54FF53A5F1D36F1);
ctx->state[4] = UINT64_C(0x510E527FADE682D1);
ctx->state[5] = UINT64_C(0x9B05688C2B3E6C1F);
ctx->state[6] = UINT64_C(0x1F83D9ABFB41BD6B);
ctx->state[7] = UINT64_C(0x5BE0CD19137E2179);
ctx->state[0] = 0x6A09E667F3BCC908;
ctx->state[1] = 0xBB67AE8584CAA73B;
ctx->state[2] = 0x3C6EF372FE94F82B;
ctx->state[3] = 0xA54FF53A5F1D36F1;
ctx->state[4] = 0x510E527FADE682D1;
ctx->state[5] = 0x9B05688C2B3E6C1F;
ctx->state[6] = 0x1F83D9ABFB41BD6B;
ctx->state[7] = 0x5BE0CD19137E2179;
ctx->is384 = false;
return( 0 );
}
@ -134,48 +135,64 @@ int mbedtls_sha512_starts_ret( mbedtls_sha512_context *ctx, int is384 )
*/
static const uint64_t K[80] =
{
UINT64_C(0x428A2F98D728AE22), UINT64_C(0x7137449123EF65CD),
UINT64_C(0xB5C0FBCFEC4D3B2F), UINT64_C(0xE9B5DBA58189DBBC),
UINT64_C(0x3956C25BF348B538), UINT64_C(0x59F111F1B605D019),
UINT64_C(0x923F82A4AF194F9B), UINT64_C(0xAB1C5ED5DA6D8118),
UINT64_C(0xD807AA98A3030242), UINT64_C(0x12835B0145706FBE),
UINT64_C(0x243185BE4EE4B28C), UINT64_C(0x550C7DC3D5FFB4E2),
UINT64_C(0x72BE5D74F27B896F), UINT64_C(0x80DEB1FE3B1696B1),
UINT64_C(0x9BDC06A725C71235), UINT64_C(0xC19BF174CF692694),
UINT64_C(0xE49B69C19EF14AD2), UINT64_C(0xEFBE4786384F25E3),
UINT64_C(0x0FC19DC68B8CD5B5), UINT64_C(0x240CA1CC77AC9C65),
UINT64_C(0x2DE92C6F592B0275), UINT64_C(0x4A7484AA6EA6E483),
UINT64_C(0x5CB0A9DCBD41FBD4), UINT64_C(0x76F988DA831153B5),
UINT64_C(0x983E5152EE66DFAB), UINT64_C(0xA831C66D2DB43210),
UINT64_C(0xB00327C898FB213F), UINT64_C(0xBF597FC7BEEF0EE4),
UINT64_C(0xC6E00BF33DA88FC2), UINT64_C(0xD5A79147930AA725),
UINT64_C(0x06CA6351E003826F), UINT64_C(0x142929670A0E6E70),
UINT64_C(0x27B70A8546D22FFC), UINT64_C(0x2E1B21385C26C926),
UINT64_C(0x4D2C6DFC5AC42AED), UINT64_C(0x53380D139D95B3DF),
UINT64_C(0x650A73548BAF63DE), UINT64_C(0x766A0ABB3C77B2A8),
UINT64_C(0x81C2C92E47EDAEE6), UINT64_C(0x92722C851482353B),
UINT64_C(0xA2BFE8A14CF10364), UINT64_C(0xA81A664BBC423001),
UINT64_C(0xC24B8B70D0F89791), UINT64_C(0xC76C51A30654BE30),
UINT64_C(0xD192E819D6EF5218), UINT64_C(0xD69906245565A910),
UINT64_C(0xF40E35855771202A), UINT64_C(0x106AA07032BBD1B8),
UINT64_C(0x19A4C116B8D2D0C8), UINT64_C(0x1E376C085141AB53),
UINT64_C(0x2748774CDF8EEB99), UINT64_C(0x34B0BCB5E19B48A8),
UINT64_C(0x391C0CB3C5C95A63), UINT64_C(0x4ED8AA4AE3418ACB),
UINT64_C(0x5B9CCA4F7763E373), UINT64_C(0x682E6FF3D6B2B8A3),
UINT64_C(0x748F82EE5DEFB2FC), UINT64_C(0x78A5636F43172F60),
UINT64_C(0x84C87814A1F0AB72), UINT64_C(0x8CC702081A6439EC),
UINT64_C(0x90BEFFFA23631E28), UINT64_C(0xA4506CEBDE82BDE9),
UINT64_C(0xBEF9A3F7B2C67915), UINT64_C(0xC67178F2E372532B),
UINT64_C(0xCA273ECEEA26619C), UINT64_C(0xD186B8C721C0C207),
UINT64_C(0xEADA7DD6CDE0EB1E), UINT64_C(0xF57D4F7FEE6ED178),
UINT64_C(0x06F067AA72176FBA), UINT64_C(0x0A637DC5A2C898A6),
UINT64_C(0x113F9804BEF90DAE), UINT64_C(0x1B710B35131C471B),
UINT64_C(0x28DB77F523047D84), UINT64_C(0x32CAAB7B40C72493),
UINT64_C(0x3C9EBE0A15C9BEBC), UINT64_C(0x431D67C49C100D4C),
UINT64_C(0x4CC5D4BECB3E42B6), UINT64_C(0x597F299CFC657E2A),
UINT64_C(0x5FCB6FAB3AD6FAEC), UINT64_C(0x6C44198C4A475817)
0x428A2F98D728AE22, 0x7137449123EF65CD,
0xB5C0FBCFEC4D3B2F, 0xE9B5DBA58189DBBC,
0x3956C25BF348B538, 0x59F111F1B605D019,
0x923F82A4AF194F9B, 0xAB1C5ED5DA6D8118,
0xD807AA98A3030242, 0x12835B0145706FBE,
0x243185BE4EE4B28C, 0x550C7DC3D5FFB4E2,
0x72BE5D74F27B896F, 0x80DEB1FE3B1696B1,
0x9BDC06A725C71235, 0xC19BF174CF692694,
0xE49B69C19EF14AD2, 0xEFBE4786384F25E3,
0x0FC19DC68B8CD5B5, 0x240CA1CC77AC9C65,
0x2DE92C6F592B0275, 0x4A7484AA6EA6E483,
0x5CB0A9DCBD41FBD4, 0x76F988DA831153B5,
0x983E5152EE66DFAB, 0xA831C66D2DB43210,
0xB00327C898FB213F, 0xBF597FC7BEEF0EE4,
0xC6E00BF33DA88FC2, 0xD5A79147930AA725,
0x06CA6351E003826F, 0x142929670A0E6E70,
0x27B70A8546D22FFC, 0x2E1B21385C26C926,
0x4D2C6DFC5AC42AED, 0x53380D139D95B3DF,
0x650A73548BAF63DE, 0x766A0ABB3C77B2A8,
0x81C2C92E47EDAEE6, 0x92722C851482353B,
0xA2BFE8A14CF10364, 0xA81A664BBC423001,
0xC24B8B70D0F89791, 0xC76C51A30654BE30,
0xD192E819D6EF5218, 0xD69906245565A910,
0xF40E35855771202A, 0x106AA07032BBD1B8,
0x19A4C116B8D2D0C8, 0x1E376C085141AB53,
0x2748774CDF8EEB99, 0x34B0BCB5E19B48A8,
0x391C0CB3C5C95A63, 0x4ED8AA4AE3418ACB,
0x5B9CCA4F7763E373, 0x682E6FF3D6B2B8A3,
0x748F82EE5DEFB2FC, 0x78A5636F43172F60,
0x84C87814A1F0AB72, 0x8CC702081A6439EC,
0x90BEFFFA23631E28, 0xA4506CEBDE82BDE9,
0xBEF9A3F7B2C67915, 0xC67178F2E372532B,
0xCA273ECEEA26619C, 0xD186B8C721C0C207,
0xEADA7DD6CDE0EB1E, 0xF57D4F7FEE6ED178,
0x06F067AA72176FBA, 0x0A637DC5A2C898A6,
0x113F9804BEF90DAE, 0x1B710B35131C471B,
0x28DB77F523047D84, 0x32CAAB7B40C72493,
0x3C9EBE0A15C9BEBC, 0x431D67C49C100D4C,
0x4CC5D4BECB3E42B6, 0x597F299CFC657E2A,
0x5FCB6FAB3AD6FAEC, 0x6C44198C4A475817,
};
#define SHR(x,n) ((x) >> (n))
#define ROR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
#define S0(x) (ROR(x, 1) ^ ROR(x, 8) ^ SHR(x, 7))
#define S1(x) (ROR(x,19) ^ ROR(x,61) ^ SHR(x, 6))
#define S2(x) (ROR(x,28) ^ ROR(x,34) ^ ROR(x,39))
#define S3(x) (ROR(x,14) ^ ROR(x,18) ^ ROR(x,41))
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define P(a,b,c,d,e,f,g,h,x,K) \
do \
{ \
local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
local.temp2 = S2(a) + F0((a),(b),(c)); \
(d) += local.temp1; (h) = local.temp1 + local.temp2; \
} while( 0 )
/**
* \brief This function processes a single data block within
* the ongoing SHA-512 computation.
@ -197,37 +214,19 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
uint64_t temp1, temp2, W[80];
uint64_t A[8];
} local;
SHA512_VALIDATE_RET( ctx != NULL );
SHA512_VALIDATE_RET( (const unsigned char *)data != NULL );
if (!IsTiny() && X86_HAVE(AVX2)) {
if( !IsTiny() && X86_HAVE(AVX2) )
{
if (IsAsan())
__asan_verify(data, 128);
sha512_transform_rorx(ctx, data, 1);
return 0;
}
#define SHR(x,n) ((x) >> (n))
#define ROTR(x,n) (SHR((x),(n)) | ((x) << (64 - (n))))
#define S0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7))
#define S1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x, 6))
#define S2(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
#define S3(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
#define F0(x,y,z) (((x) & (y)) | ((z) & ((x) | (y))))
#define F1(x,y,z) ((z) ^ ((x) & ((y) ^ (z))))
#define P(a,b,c,d,e,f,g,h,x,K) \
do \
{ \
local.temp1 = (h) + S3(e) + F1((e),(f),(g)) + (K) + (x); \
local.temp2 = S2(a) + F0((a),(b),(c)); \
(d) += local.temp1; (h) = local.temp1 + local.temp2; \
} while( 0 )
for( i = 0; i < 8; i++ )
local.A[i] = ctx->state[i];
#if defined(MBEDTLS_SHA512_SMALLER)
for( i = 0; i < 80; i++ )
{
@ -240,17 +239,15 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
S0(local.W[i - 15]) + local.W[i - 16];
}
P( local.A[0], local.A[1], local.A[2], local.A[3], local.A[4],
local.A[5], local.A[6], local.A[7], local.W[i], K[i] );
local.temp1 = local.A[7];
local.temp1 = local.A[7];
local.A[7] = local.A[6];
local.A[6] = local.A[5];
local.A[6] = local.A[5];
local.A[5] = local.A[4];
local.A[4] = local.A[3];
local.A[4] = local.A[3];
local.A[3] = local.A[2];
local.A[2] = local.A[1];
local.A[2] = local.A[1];
local.A[1] = local.A[0];
local.A[0] = local.temp1;
}
@ -259,13 +256,11 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
{
GET_UINT64_BE( local.W[i], data, i << 3 );
}
for( ; i < 80; i++ )
{
local.W[i] = S1(local.W[i - 2]) + local.W[i - 7] +
S0(local.W[i - 15]) + local.W[i - 16];
}
i = 0;
do
{
@ -288,10 +283,8 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx,
}
while( i < 80 );
#endif /* MBEDTLS_SHA512_SMALLER */
for( i = 0; i < 8; i++ )
ctx->state[i] += local.A[i];
/* Zeroise buffers and variables to clear sensitive data from memory. */
mbedtls_platform_zeroize( &local, sizeof( local ) );
return( 0 );
@ -338,6 +331,7 @@ int mbedtls_sha512_update_ret( mbedtls_sha512_context *ctx,
left = 0;
}
if (!IsTiny() && ilen >= 128 && X86_HAVE(AVX2)) {
if (IsAsan()) __asan_verify(input, ilen / 128 * 128);
sha512_transform_rorx(ctx, input, ilen / 128);
input += ROUNDDOWN(ilen, 128);
ilen -= ROUNDDOWN(ilen, 128);
@ -515,7 +509,8 @@ const mbedtls_md_info_t mbedtls_sha512_info = {
static const unsigned char sha512_test_buf[3][113] =
{
{ "abc" },
{ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
{ "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmn"
"hijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu" },
{ "" }
};
@ -549,7 +544,6 @@ static const unsigned char sha512_test_sum[][64] =
0x07, 0xB8, 0xB3, 0xDC, 0x38, 0xEC, 0xC4, 0xEB,
0xAE, 0x97, 0xDD, 0xD8, 0x7F, 0x3D, 0x89, 0x85 },
#endif /* !MBEDTLS_SHA512_NO_SHA384 */
/*
* SHA-512 test vectors
*/
@ -579,8 +573,6 @@ static const unsigned char sha512_test_sum[][64] =
0x4E, 0xAD, 0xB2, 0x17, 0xAD, 0x8C, 0xC0, 0x9B }
};
#define ARRAY_LENGTH( a ) ( sizeof( a ) / sizeof( ( a )[0] ) )
/**
* \brief The SHA-384 or SHA-512 checkup routine.
*
@ -601,10 +593,10 @@ int mbedtls_sha512_self_test( int verbose )
return( 1 );
}
mbedtls_sha512_init( &ctx );
for( i = 0; i < (int) ARRAY_LENGTH(sha512_test_sum); i++ )
for( i = 0; i < (int) ARRAYLEN(sha512_test_sum); i++ )
{
j = i % 3;
#if !defined(MBEDTLS_SHA512_NO_SHA384)
#ifndef MBEDTLS_SHA512_NO_SHA384
k = i < 3;
#else
k = 0;
@ -632,7 +624,7 @@ int mbedtls_sha512_self_test( int verbose )
}
if( ( ret = mbedtls_sha512_finish_ret( &ctx, sha512sum ) ) != 0 )
goto fail;
if( memcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
if( timingsafe_bcmp( sha512sum, sha512_test_sum[i], 64 - k * 16 ) != 0 )
{
ret = 1;
goto fail;
@ -652,8 +644,6 @@ exit:
return( ret );
}
#undef ARRAY_LENGTH
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_SHA512_C */

4
third_party/mbedtls/speed.sh vendored
View file

@ -2,8 +2,8 @@
make -j8 o//third_party/mbedtls || exit
run() {
$1
echo $1
$1
}
(
@ -74,7 +74,7 @@ run() {
run o//third_party/mbedtls/test/test_suite_version.com
run o//third_party/mbedtls/test/test_suite_x509parse.com
run o//third_party/mbedtls/test/test_suite_x509write.com
) | o//tool/build/deltaify.com | sort -n | tee speed.txt
) | o//tool/build/deltaify2.com | sort -n | tee speed.txt
mkdir -p ~/speed/mbedtls
cp speed.txt ~/speed/mbedtls/$(date +%Y-%m-%d-%H-%H).txt

2
third_party/mbedtls/ssl.h vendored
View file

@ -1549,7 +1549,7 @@ forceinline int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
}
}
const char *GetSslStateName(mbedtls_ssl_states );
const char *GetSslStateName(mbedtls_ssl_states);
COSMOPOLITAN_C_END_
#endif /* COSMOPOLITAN_THIRD_PARTY_MBEDTLS_SSL_H_ */

6
third_party/mbedtls/ssl_cache.c vendored
View file

@ -88,8 +88,8 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
session->id_len != entry->session.id_len )
continue;
if( memcmp( session->id, entry->session.id,
entry->session.id_len ) != 0 )
if( timingsafe_bcmp( session->id, entry->session.id,
entry->session.id_len ) != 0 )
continue;
ret = mbedtls_ssl_session_copy( session, &entry->session );
@ -164,7 +164,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
}
#endif
if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
if( timingsafe_bcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
break; /* client reconnected, keep timestamp for session id */
#if defined(MBEDTLS_HAVE_TIME)

14
third_party/mbedtls/ssl_cli.c vendored
View file

@ -1403,10 +1403,10 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
/* Check verify-data in constant-time. The length OTOH is no secret */
if( len != 1 + ssl->verify_data_len * 2 ||
buf[0] != ssl->verify_data_len * 2 ||
mbedtls_ssl_safer_memcmp( buf + 1,
ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
mbedtls_ssl_safer_memcmp( buf + 1 + ssl->verify_data_len,
ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
timingsafe_bcmp( buf + 1,
ssl->own_verify_data, ssl->verify_data_len ) != 0 ||
timingsafe_bcmp( buf + 1 + ssl->verify_data_len,
ssl->peer_verify_data, ssl->verify_data_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
mbedtls_ssl_send_alert_message(
@ -1731,7 +1731,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
for( p = ssl->conf->alpn_list; *p != NULL; p++ )
{
if( name_len == strlen( *p ) &&
memcmp( buf + 3, *p, name_len ) == 0 )
timingsafe_bcmp( buf + 3, *p, name_len ) == 0 )
{
ssl->alpn_chosen = *p;
return( 0 );
@ -1845,7 +1845,7 @@ static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
* MUST abort the handshake and SHOULD send an invalid_parameter alert.
*/
if( len > 5 && ( buf[4] != mki_len ||
( memcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) )
( timingsafe_bcmp( ssl->dtls_srtp_info.mki_value, &buf[5], mki_len ) ) ) )
{
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
@ -2179,7 +2179,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
ssl->session_negotiate->ciphersuite != i ||
ssl->session_negotiate->compression != comp ||
ssl->session_negotiate->id_len != n ||
memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
timingsafe_bcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
{
ssl->state++;
ssl->handshake->resume = 0;

2
third_party/mbedtls/ssl_cookie.c vendored
View file

@ -208,7 +208,7 @@ int mbedtls_ssl_cookie_check( void *p_ctx,
if( ret != 0 )
return( ret );
if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
if( timingsafe_bcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
return( -1 );
#if defined(MBEDTLS_HAVE_TIME)

160
third_party/mbedtls/ssl_internal.h vendored
View file

@ -801,109 +801,15 @@ static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *se
#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/**
* \brief Free referenced items in an SSL transform context and clear
* memory
*
* \param transform SSL transform context
*/
void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
/**
* \brief Free referenced items in an SSL handshake context and clear
* memory
*
* \param ssl SSL context
*/
void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
/**
* \brief Update record layer
*
* This function roughly separates the implementation
* of the logic of (D)TLS from the implementation
* of the secure transport.
*
* \param ssl The SSL context to use.
* \param update_hs_digest This indicates if the handshake digest
* should be automatically updated in case
* a handshake message is found.
*
* \return 0 or non-zero error code.
*
* \note A clarification on what is called 'record layer' here
* is in order, as many sensible definitions are possible:
*
* The record layer takes as input an untrusted underlying
* transport (stream or datagram) and transforms it into
* a serially multiplexed, secure transport, which
* conceptually provides the following:
*
* (1) Three datagram based, content-agnostic transports
* for handshake, alert and CCS messages.
* (2) One stream- or datagram-based transport
* for application data.
* (3) Functionality for changing the underlying transform
* securing the contents.
*
* The interface to this functionality is given as follows:
*
* a Updating
* [Currently implemented by mbedtls_ssl_read_record]
*
* Check if and on which of the four 'ports' data is pending:
* Nothing, a controlling datagram of type (1), or application
* data (2). In any case data is present, internal buffers
* provide access to the data for the user to process it.
* Consumption of type (1) datagrams is done automatically
* on the next update, invalidating that the internal buffers
* for previous datagrams, while consumption of application
* data (2) is user-controlled.
*
* b Reading of application data
* [Currently manual adaption of ssl->in_offt pointer]
*
* As mentioned in the last paragraph, consumption of data
* is different from the automatic consumption of control
* datagrams (1) because application data is treated as a stream.
*
* c Tracking availability of application data
* [Currently manually through decreasing ssl->in_msglen]
*
* For efficiency and to retain datagram semantics for
* application data in case of DTLS, the record layer
* provides functionality for checking how much application
* data is still available in the internal buffer.
*
* d Changing the transformation securing the communication.
*
* Given an opaque implementation of the record layer in the
* above sense, it should be possible to implement the logic
* of (D)TLS on top of it without the need to know anything
* about the record layer's internals. This is done e.g.
* in all the handshake handling functions, and in the
* application data reading function mbedtls_ssl_read.
*
* \note The above tries to give a conceptual picture of the
* record layer, but the current implementation deviates
* from it in some places. For example, our implementation of
* the update functionality through mbedtls_ssl_read_record
* discards datagrams depending on the current state, which
* wouldn't fall under the record layer's responsibility
* following the above definition.
*
*/
void mbedtls_ssl_transform_free( mbedtls_ssl_transform * );
void mbedtls_ssl_handshake_free( mbedtls_ssl_context * );
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context * );
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context * );
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context * );
int mbedtls_ssl_derive_keys( mbedtls_ssl_context * );
int mbedtls_ssl_handle_message_type( mbedtls_ssl_context * );
int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context * );
void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context * );
int mbedtls_ssl_read_record( mbedtls_ssl_context *, unsigned );
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *, size_t );
int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context * );
@ -915,7 +821,6 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context * );
int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context * );
int mbedtls_ssl_parse_finished( mbedtls_ssl_context * );
int mbedtls_ssl_write_finished( mbedtls_ssl_context * );
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *, const mbedtls_ssl_ciphersuite_t * );
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
@ -956,11 +861,11 @@ unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context * );
unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t );
#endif
unsigned char mbedtls_ssl_hash_from_md_alg( int md );
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
unsigned char mbedtls_ssl_hash_from_md_alg( int );
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *, int );
#if defined(MBEDTLS_ECP_C)
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *, mbedtls_ecp_group_id );
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@ -989,24 +894,20 @@ static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_key_cert *key_cert;
if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
key_cert = ssl->handshake->key_cert;
else
key_cert = ssl->conf->key_cert;
return( key_cert == NULL ? NULL : key_cert->key );
}
static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_key_cert *key_cert;
if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
key_cert = ssl->handshake->key_cert;
else
key_cert = ssl->conf->key_cert;
return( key_cert == NULL ? NULL : key_cert->cert );
}
@ -1035,7 +936,6 @@ static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
#if !defined(MBEDTLS_SSL_PROTO_DTLS)
((void) ssl);
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
@ -1065,40 +965,20 @@ static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context * );
void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context * );
int mbedtls_ssl_resend( mbedtls_ssl_context * );
int mbedtls_ssl_flight_transmit( mbedtls_ssl_context * );
#endif
/* Visible for testing purposes only */
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const * );
void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context * );
#endif
int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
const mbedtls_ssl_session *src );
/* constant-time buffer comparison */
static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
{
size_t i;
volatile const unsigned char *A = (volatile const unsigned char *) a;
volatile const unsigned char *B = (volatile const unsigned char *) b;
volatile unsigned char diff = 0;
for( i = 0; i < n; i++ )
{
/* Read volatile data in order before computing diff.
* This avoids IAR compiler warning:
* 'the order of volatile accesses is undefined ..' */
unsigned char x = A[i], y = B[i];
diff |= x ^ y;
}
return( diff );
}
int mbedtls_ssl_session_copy( mbedtls_ssl_session *,
const mbedtls_ssl_session * );
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)

109
third_party/mbedtls/ssl_msg.c vendored
View file

@ -1367,7 +1367,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
* Match record's CID with incoming CID.
*/
if( rec->cid_len != transform->in_cid_len ||
memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
timingsafe_bcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
{
return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
}
@ -1569,7 +1569,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
*
* Afterwards, we know that data + data_len is followed by at
* least maclen Bytes, which justifies the call to
* mbedtls_ssl_safer_memcmp() below.
* timingsafe_bcmp() below.
*
* Further, we still know that data_len > minlen */
rec->data_len -= transform->maclen;
@ -1592,8 +1592,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
transform->maclen );
/* Compare expected MAC with MAC at the end of the record. */
if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
transform->maclen ) != 0 )
if( timingsafe_bcmp( data + rec->data_len, mac_expect,
transform->maclen ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
@ -1870,8 +1870,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
#endif
if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
transform->maclen ) != 0 )
if( timingsafe_bcmp( mac_peer, mac_expect,
transform->maclen ) != 0 )
{
#if defined(MBEDTLS_SSL_DEBUG_ALL)
MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
@ -3055,8 +3055,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
{
if( ssl->in_msglen < ssl->in_hslen ||
memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
timingsafe_bcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
timingsafe_bcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
{
return( 1 );
}
@ -4072,6 +4072,81 @@ static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
static int ssl_get_next_record( mbedtls_ssl_context *ssl );
static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
/**
* \brief Update record layer
*
* This function roughly separates the implementation
* of the logic of (D)TLS from the implementation
* of the secure transport.
*
* \param ssl The SSL context to use.
* \param update_hs_digest This indicates if the handshake digest
* should be automatically updated in case
* a handshake message is found.
*
* \return 0 or non-zero error code.
*
* \note A clarification on what is called 'record layer' here
* is in order, as many sensible definitions are possible:
*
* The record layer takes as input an untrusted underlying
* transport (stream or datagram) and transforms it into
* a serially multiplexed, secure transport, which
* conceptually provides the following:
*
* (1) Three datagram based, content-agnostic transports
* for handshake, alert and CCS messages.
* (2) One stream- or datagram-based transport
* for application data.
* (3) Functionality for changing the underlying transform
* securing the contents.
*
* The interface to this functionality is given as follows:
*
* a Updating
* [Currently implemented by mbedtls_ssl_read_record]
*
* Check if and on which of the four 'ports' data is pending:
* Nothing, a controlling datagram of type (1), or application
* data (2). In any case data is present, internal buffers
* provide access to the data for the user to process it.
* Consumption of type (1) datagrams is done automatically
* on the next update, invalidating that the internal buffers
* for previous datagrams, while consumption of application
* data (2) is user-controlled.
*
* b Reading of application data
* [Currently manual adaption of ssl->in_offt pointer]
*
* As mentioned in the last paragraph, consumption of data
* is different from the automatic consumption of control
* datagrams (1) because application data is treated as a stream.
*
* c Tracking availability of application data
* [Currently manually through decreasing ssl->in_msglen]
*
* For efficiency and to retain datagram semantics for
* application data in case of DTLS, the record layer
* provides functionality for checking how much application
* data is still available in the internal buffer.
*
* d Changing the transformation securing the communication.
*
* Given an opaque implementation of the record layer in the
* above sense, it should be possible to implement the logic
* of (D)TLS on top of it without the need to know anything
* about the record layer's internals. This is done e.g.
* in all the handshake handling functions, and in the
* application data reading function mbedtls_ssl_read.
*
* \note The above tries to give a conceptual picture of the
* record layer, but the current implementation deviates
* from it in some places. For example, our implementation of
* the update functionality through mbedtls_ssl_read_record
* discards datagrams depending on the current state, which
* wouldn't fall under the record layer's responsibility
* following the above definition.
*/
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
unsigned update_hs_digest )
{
@ -4450,7 +4525,7 @@ static int ssl_buffer_message( mbedtls_ssl_context *ssl )
else
{
/* Make sure msg_type and length are consistent */
if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
if( timingsafe_bcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
/* Ignore */
@ -5545,10 +5620,12 @@ static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
{
return( 0 );
}
in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
ssl->conf->renego_period + ep_len, 8 - ep_len );
out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
ssl->conf->renego_period + ep_len, 8 - ep_len );
in_ctr_cmp = timingsafe_memcmp( ssl->in_ctr + ep_len,
ssl->conf->renego_period + ep_len,
8 - ep_len );
out_ctr_cmp = timingsafe_memcmp( ssl->cur_out_ctr + ep_len,
ssl->conf->renego_period + ep_len,
8 - ep_len );
if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
{
return( 0 );
@ -6137,6 +6214,12 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
return( 0 );
}
/**
* \brief Free referenced items in an SSL transform context and clear
* memory
*
* \param transform SSL transform context
*/
void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
{
if( transform == NULL )

10
third_party/mbedtls/ssl_srv.c vendored
View file

@ -213,8 +213,8 @@ static int ssl_parse_renegotiation_info( mbedtls_ssl_context *ssl,
/* Check verify-data in constant-time. The length OTOH is no secret */
if( len != 1 + ssl->verify_data_len ||
buf[0] != ssl->verify_data_len ||
mbedtls_ssl_safer_memcmp( buf + 1, ssl->peer_verify_data,
ssl->verify_data_len ) != 0 )
timingsafe_bcmp( buf + 1, ssl->peer_verify_data,
ssl->verify_data_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching renegotiation info" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@ -773,7 +773,7 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
cur_len = *theirs++;
if( cur_len == ours_len &&
memcmp( theirs, *ours, cur_len ) == 0 )
timingsafe_bcmp( theirs, *ours, cur_len ) == 0 )
{
ssl->alpn_chosen = *ours;
return( 0 );
@ -1662,7 +1662,7 @@ read_record_header:
* fragment_offset == 0 and fragment_length == length
*/
if( ssl->in_msg[6] != 0 || ssl->in_msg[7] != 0 || ssl->in_msg[8] != 0 ||
memcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
timingsafe_bcmp( ssl->in_msg + 1, ssl->in_msg + 9, 3 ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ClientHello fragmentation not supported" ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
@ -3938,7 +3938,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
/* Identity is not a big secret since clients send it in the clear,
* but treat it carefully anyway, just in case */
if( n != ssl->conf->psk_identity_len ||
mbedtls_ssl_safer_memcmp( ssl->conf->psk_identity, *p, n ) != 0 )
timingsafe_bcmp( ssl->conf->psk_identity, *p, n ) != 0 )
{
ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
}

2
third_party/mbedtls/ssl_ticket.c vendored
View file

@ -304,7 +304,7 @@ static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
unsigned char i;
for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
if( timingsafe_bcmp( name, ctx->keys[i].name, 4 ) == 0 )
return( &ctx->keys[i] );
return( NULL );

27
third_party/mbedtls/ssl_tls.c vendored
View file

@ -1967,18 +1967,17 @@ write_msg:
#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
unsigned char *crt_buf,
size_t crt_buf_len )
{
mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
if( peer_crt == NULL )
return( -1 );
if( peer_crt->raw.len != crt_buf_len )
return( -1 );
return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
return( timingsafe_bcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
}
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@ -2004,7 +2003,7 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
if( ret != 0 )
return( -1 );
return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
return( timingsafe_bcmp( tmp_digest, peer_cert_digest, digest_len ) );
}
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@ -2175,7 +2174,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
timingsafe_bcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
return( 0 );
@ -3059,8 +3058,8 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
}
if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
buf, hash_len ) != 0 )
if( timingsafe_bcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
buf, hash_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
@ -6125,7 +6124,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( memcmp( p, ssl_serialized_session_header,
if( timingsafe_bcmp( p, ssl_serialized_session_header,
sizeof( ssl_serialized_session_header ) ) != 0 )
{
return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
@ -6621,6 +6620,12 @@ void mbedtls_ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/**
* \brief Free referenced items in an SSL handshake context and clear
* memory
*
* \param ssl SSL context
*/
void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
{
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -7161,8 +7166,8 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
if( memcmp( p, ssl_serialized_context_header,
sizeof( ssl_serialized_context_header ) ) != 0 )
if( timingsafe_bcmp( p, ssl_serialized_context_header,
sizeof( ssl_serialized_context_header ) ) != 0 )
{
return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
}
@ -7336,7 +7341,7 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
{
if( strlen( *cur ) == alpn_len &&
memcmp( p, cur, alpn_len ) == 0 )
timingsafe_bcmp( p, cur, alpn_len ) == 0 )
{
ssl->alpn_chosen = *cur;
break;

21
third_party/mbedtls/test/lib.c vendored
View file

@ -21,12 +21,15 @@
#include "libc/fmt/conv.h"
#include "libc/fmt/fmt.h"
#include "libc/log/backtrace.internal.h"
#include "libc/log/check.h"
#include "libc/log/libfatal.internal.h"
#include "libc/log/log.h"
#include "libc/mem/mem.h"
#include "libc/nexgen32e/vendor.internal.h"
#include "libc/nt/runtime.h"
#include "libc/rand/rand.h"
#include "libc/runtime/internal.h"
#include "libc/runtime/runtime.h"
#include "libc/runtime/symbols.internal.h"
#include "libc/stdio/append.internal.h"
#include "libc/stdio/stdio.h"
@ -46,6 +49,8 @@ Copyright ARM Limited\\n\
Copyright Mbed TLS Contributors\"");
asm(".include \"libc/disclaimer.inc\"");
STATIC_YOINK("zip_uri_support");
#if defined(MBEDTLS_PLATFORM_C)
static mbedtls_platform_context platform_ctx;
#endif
@ -67,7 +72,7 @@ struct Buffer {
char *output;
jmp_buf jmp_tmp;
int option_verbose;
int option_verbose = 1;
mbedtls_test_info_t mbedtls_test_info;
static uint64_t Rando(void) {
@ -81,11 +86,10 @@ static uint64_t Rando(void) {
int mbedtls_test_platform_setup(void) {
char *p;
int ret = 0;
static char mybuf[2][BUFSIZ];
showcrashreports();
setvbuf(stdout, (p = malloc(BUFSIZ)), _IOLBF, BUFSIZ);
__cxa_atexit(free, p, 0);
setvbuf(stderr, (p = malloc(BUFSIZ)), _IOLBF, BUFSIZ);
__cxa_atexit(free, p, 0);
setvbuf(stdout, mybuf[0], _IOLBF, BUFSIZ);
setvbuf(stderr, mybuf[1], _IOLBF, BUFSIZ);
#if defined(MBEDTLS_PLATFORM_C)
ret = mbedtls_platform_setup(&platform_ctx);
#endif /* MBEDTLS_PLATFORM_C */
@ -101,6 +105,7 @@ void mbedtls_test_platform_teardown(void) {
wontreturn void exit(int rc) {
if (rc) xwrite(1, output, appendz(output).i);
free(output);
output = 0;
__cxa_finalize(0);
_Exit(rc);
}
@ -131,8 +136,8 @@ int mbedtls_hardware_poll(void *wut, unsigned char *p, size_t n, size_t *olen) {
}
int mbedtls_test_write(const char *fmt, ...) {
char *p;
int i, n;
char *p;
va_list va;
va_start(va, fmt);
if (option_verbose) {
@ -1004,7 +1009,9 @@ int execute_tests(int argc, const char **argv, const char *default_filename) {
test_filename = test_files[testfile_index];
file = fopen(test_filename, "r");
if (file == NULL) {
WRITE("Failed to open test file: %s\n", test_filename);
WRITE("%s (%s) failed to open test file: %s %m\n",
program_invocation_short_name, program_executable_name,
test_filename);
if (outcome_file != NULL) fclose(outcome_file);
return 1;
}

20
third_party/mbedtls/test/test.mk vendored
View file

@ -40,7 +40,6 @@ THIRD_PARTY_MBEDTLS_TEST_COMS = \
o/$(MODE)/third_party/mbedtls/test/test_suite_dhm.com \
o/$(MODE)/third_party/mbedtls/test/test_suite_ecdh.com \
o/$(MODE)/third_party/mbedtls/test/test_suite_ecdsa.com \
o/$(MODE)/third_party/mbedtls/test/test_suite_ecjpake.com \
o/$(MODE)/third_party/mbedtls/test/test_suite_ecp.com \
o/$(MODE)/third_party/mbedtls/test/test_suite_entropy.com \
o/$(MODE)/third_party/mbedtls/test/test_suite_error.com \
@ -468,17 +467,6 @@ o/$(MODE)/third_party/mbedtls/test/test_suite_ecdsa.com.dbg: \
$(APE)
@$(APELINK)
o/$(MODE)/third_party/mbedtls/test/test_suite_ecjpake.com: o/$(MODE)/third_party/mbedtls/test/test_suite_ecjpake.com.dbg
o/$(MODE)/third_party/mbedtls/test/test_suite_ecjpake.com.dbg: \
$(THIRD_PARTY_MBEDTLS_TEST_DEPS) \
o/$(MODE)/third_party/mbedtls/test/lib.o \
o/$(MODE)/third_party/mbedtls/test/test_suite_ecjpake.o \
o/$(MODE)/third_party/mbedtls/test/test_suite_ecjpake.datax.zip.o \
o/$(MODE)/third_party/mbedtls/test/test.pkg \
$(CRT) \
$(APE)
@$(APELINK)
o/$(MODE)/third_party/mbedtls/test/test_suite_ecp.com: o/$(MODE)/third_party/mbedtls/test/test_suite_ecp.com.dbg
o/$(MODE)/third_party/mbedtls/test/test_suite_ecp.com.dbg: \
$(THIRD_PARTY_MBEDTLS_TEST_DEPS) \
@ -1039,6 +1027,7 @@ o/$(MODE)/third_party/mbedtls/test/test_suite_x509parse.com.dbg: \
o/$(MODE)/third_party/mbedtls/test/lib.o \
o/$(MODE)/third_party/mbedtls/test/test_suite_x509parse.o \
o/$(MODE)/third_party/mbedtls/test/test_suite_x509parse.datax.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/bitstring-in-dn.pem.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/cert_example_multi.crt.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/cert_example_multi_nocn.crt.zip.o \
@ -1082,6 +1071,7 @@ o/$(MODE)/third_party/mbedtls/test/test_suite_x509parse.com.dbg: \
o/$(MODE)/third_party/mbedtls/test/data/crl_sha256.pem.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/crl_sha384.pem.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/crl_sha512.pem.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/00.crt.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/00.key.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/01.crt.zip.o \
@ -1148,6 +1138,10 @@ o/$(MODE)/third_party/mbedtls/test/test_suite_x509parse.com.dbg: \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/c20.pem.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/int.opensslconf.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir-maxpath/long.sh.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir1/.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir2/.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir3/.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir4/.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir1/test-ca.crt.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir2/test-ca.crt.zip.o \
o/$(MODE)/third_party/mbedtls/test/data/dir2/test-ca2.crt.zip.o \
@ -1353,6 +1347,7 @@ o/$(MODE)/third_party/mbedtls/test/everest_test.com.dbg: \
$(THIRD_PARTY_MBEDTLS_TEST_DEPS) \
o/$(MODE)/third_party/mbedtls/test/everest_test.o \
o/$(MODE)/third_party/mbedtls/test/everest_unravaged.o \
o/$(MODE)/third_party/mbedtls/test/test.pkg \
$(LIBC_TESTMAIN) \
$(CRT) \
$(APE)
@ -1362,6 +1357,7 @@ o/$(MODE)/third_party/mbedtls/test/secp384r1_test.com: o/$(MODE)/third_party/mbe
o/$(MODE)/third_party/mbedtls/test/secp384r1_test.com.dbg: \
$(THIRD_PARTY_MBEDTLS_TEST_DEPS) \
o/$(MODE)/third_party/mbedtls/test/secp384r1_test.o \
o/$(MODE)/third_party/mbedtls/test/test.pkg \
$(LIBC_TESTMAIN) \
$(CRT) \
$(APE)

6
third_party/mbedtls/test/test_suite_aes.cfb.c vendored
View file

@ -200,7 +200,7 @@ void test_aes_encrypt_xts( char *hex_key_string, char *hex_data_unit_string,
TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_ENCRYPT, src_len,
data_unit, src, output ) == 0 );
TEST_ASSERT( memcmp( output, dst, dst_len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( output, dst, dst_len ) == 0 );
exit:
mbedtls_aes_xts_free( &ctx );
@ -249,7 +249,7 @@ void test_aes_decrypt_xts( char *hex_key_string, char *hex_data_unit_string,
TEST_ASSERT( mbedtls_aes_crypt_xts( &ctx, MBEDTLS_AES_DECRYPT, src_len,
data_unit, src, output ) == 0 );
TEST_ASSERT( memcmp( output, dst, dst_len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( output, dst, dst_len ) == 0 );
exit:
mbedtls_aes_xts_free( &ctx );
@ -463,7 +463,7 @@ void test_aes_encrypt_ofb( int fragment_size, data_t *key_str,
TEST_ASSERT( mbedtls_aes_crypt_ofb( &ctx, fragment_size, &iv_offset,
iv_str->x, src_str_next, output ) == 0 );
TEST_ASSERT( memcmp( output, expected_output->x, fragment_size ) == 0 );
TEST_ASSERT( timingsafe_bcmp( output, expected_output->x, fragment_size ) == 0 );
in_buffer_len -= fragment_size;
expected_output->x += fragment_size;

6
third_party/mbedtls/test/test_suite_base64.c vendored
View file

@ -118,7 +118,7 @@ void test_base64_encode_hex( data_t * src, char * dst, int dst_buf_size,
if( result == 0 )
{
TEST_ASSERT( len == strlen( dst ) );
TEST_ASSERT( memcmp( dst, res, len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( dst, res, len ) == 0 );
}
exit:
@ -144,7 +144,7 @@ void test_base64_decode_hex( char * src, data_t * dst, int dst_buf_size,
if( result == 0 )
{
TEST_ASSERT( len == dst->len );
TEST_ASSERT( memcmp( dst->x, res, len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( dst->x, res, len ) == 0 );
}
exit:
@ -166,7 +166,7 @@ void test_base64_decode_hex_src( data_t * src, char * dst_ref, int result )
if( result == 0 )
{
TEST_ASSERT( len == strlen( dst_ref ) );
TEST_ASSERT( memcmp( dst, dst_ref, len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( dst, dst_ref, len ) == 0 );
}
exit:

18
third_party/mbedtls/test/test_suite_cipher.blowfish.c vendored
View file

@ -866,7 +866,7 @@ void test_enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
/* check result */
TEST_ASSERT( total_len == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
}
/*
@ -1114,7 +1114,7 @@ void test_enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_va
TEST_ASSERT( totaloutlen == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
exit:
mbedtls_cipher_free( &ctx_dec );
@ -1175,7 +1175,7 @@ void test_decrypt_test_vec( int cipher_id, int pad_mode, data_t * key,
if( 0 == finish_result && 0 == tag_result )
{
TEST_ASSERT( total_len == clear->len );
TEST_ASSERT( 0 == memcmp( output, clear->x, clear->len ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, clear->x, clear->len ) );
}
exit:
@ -1384,8 +1384,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == cipher->len + tag->len );
TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( encrypt_buf + cipher->len,
TEST_ASSERT( timingsafe_bcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( encrypt_buf + cipher->len,
tag->x, tag->len ) == 0 );
mbedtls_free( encrypt_buf );
@ -1504,8 +1504,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( outlen == cipher->len );
if( cipher->len != 0 )
TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_tag, tag->x, tag->len ) == 0 );
}
}
@ -1569,7 +1569,7 @@ void test_test_vec_ecb( int cipher_id, int operation, data_t * key,
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x,
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x,
mbedtls_cipher_get_block_size( &ctx ) ) );
exit:
@ -1622,7 +1622,7 @@ void test_test_vec_crypt( int cipher_id, int operation, data_t *key,
TEST_ASSERT( result->len == outlen );
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x, outlen ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x, outlen ) );
exit:
mbedtls_cipher_free( &ctx );

18
third_party/mbedtls/test/test_suite_cipher.chacha20.c vendored
View file

@ -866,7 +866,7 @@ void test_enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
/* check result */
TEST_ASSERT( total_len == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
}
/*
@ -1114,7 +1114,7 @@ void test_enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_va
TEST_ASSERT( totaloutlen == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
exit:
mbedtls_cipher_free( &ctx_dec );
@ -1175,7 +1175,7 @@ void test_decrypt_test_vec( int cipher_id, int pad_mode, data_t * key,
if( 0 == finish_result && 0 == tag_result )
{
TEST_ASSERT( total_len == clear->len );
TEST_ASSERT( 0 == memcmp( output, clear->x, clear->len ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, clear->x, clear->len ) );
}
exit:
@ -1384,8 +1384,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == cipher->len + tag->len );
TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( encrypt_buf + cipher->len,
TEST_ASSERT( timingsafe_bcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( encrypt_buf + cipher->len,
tag->x, tag->len ) == 0 );
mbedtls_free( encrypt_buf );
@ -1504,8 +1504,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( outlen == cipher->len );
if( cipher->len != 0 )
TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_tag, tag->x, tag->len ) == 0 );
}
}
@ -1569,7 +1569,7 @@ void test_test_vec_ecb( int cipher_id, int operation, data_t * key,
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x,
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x,
mbedtls_cipher_get_block_size( &ctx ) ) );
exit:
@ -1622,7 +1622,7 @@ void test_test_vec_crypt( int cipher_id, int operation, data_t *key,
TEST_ASSERT( result->len == outlen );
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x, outlen ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x, outlen ) );
exit:
mbedtls_cipher_free( &ctx );

18
third_party/mbedtls/test/test_suite_cipher.des.c vendored
View file

@ -846,7 +846,7 @@ void test_enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
/* check result */
TEST_ASSERT( total_len == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
}
/*
@ -1094,7 +1094,7 @@ void test_enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_va
TEST_ASSERT( totaloutlen == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
exit:
mbedtls_cipher_free( &ctx_dec );
@ -1155,7 +1155,7 @@ void test_decrypt_test_vec( int cipher_id, int pad_mode, data_t * key,
if( 0 == finish_result && 0 == tag_result )
{
TEST_ASSERT( total_len == clear->len );
TEST_ASSERT( 0 == memcmp( output, clear->x, clear->len ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, clear->x, clear->len ) );
}
exit:
@ -1356,8 +1356,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == cipher->len + tag->len );
TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( encrypt_buf + cipher->len,
TEST_ASSERT( timingsafe_bcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( encrypt_buf + cipher->len,
tag->x, tag->len ) == 0 );
mbedtls_free( encrypt_buf );
@ -1453,8 +1453,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( outlen == cipher->len );
if( cipher->len != 0 )
TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_tag, tag->x, tag->len ) == 0 );
}
}
@ -1513,7 +1513,7 @@ void test_test_vec_ecb( int cipher_id, int operation, data_t * key,
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x,
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x,
mbedtls_cipher_get_block_size( &ctx ) ) );
exit:
@ -1555,7 +1555,7 @@ void test_test_vec_crypt( int cipher_id, int operation, data_t *key,
TEST_ASSERT( result->len == outlen );
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x, outlen ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x, outlen ) );
exit:
mbedtls_cipher_free( &ctx );

18
third_party/mbedtls/test/test_suite_cipher.padding.c vendored
View file

@ -849,7 +849,7 @@ void test_enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
/* check result */
TEST_ASSERT( total_len == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
}
/*
@ -1097,7 +1097,7 @@ void test_enc_dec_buf_multipart( int cipher_id, int key_len, int first_length_va
TEST_ASSERT( totaloutlen == length );
TEST_ASSERT( 0 == memcmp(inbuf, decbuf, length) );
TEST_ASSERT( 0 == timingsafe_bcmp(inbuf, decbuf, length) );
exit:
mbedtls_cipher_free( &ctx_dec );
@ -1158,7 +1158,7 @@ void test_decrypt_test_vec( int cipher_id, int pad_mode, data_t * key,
if( 0 == finish_result && 0 == tag_result )
{
TEST_ASSERT( total_len == clear->len );
TEST_ASSERT( 0 == memcmp( output, clear->x, clear->len ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, clear->x, clear->len ) );
}
exit:
@ -1367,8 +1367,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( ret == 0 );
TEST_ASSERT( outlen == cipher->len + tag->len );
TEST_ASSERT( memcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( encrypt_buf + cipher->len,
TEST_ASSERT( timingsafe_bcmp( encrypt_buf, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( encrypt_buf + cipher->len,
tag->x, tag->len ) == 0 );
mbedtls_free( encrypt_buf );
@ -1487,8 +1487,8 @@ void test_auth_crypt_tv( int cipher_id, data_t * key, data_t * iv,
TEST_ASSERT( outlen == cipher->len );
if( cipher->len != 0 )
TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( tmp_tag, tag->x, tag->len ) == 0 );
}
}
@ -1552,7 +1552,7 @@ void test_test_vec_ecb( int cipher_id, int operation, data_t * key,
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x,
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x,
mbedtls_cipher_get_block_size( &ctx ) ) );
exit:
@ -1605,7 +1605,7 @@ void test_test_vec_crypt( int cipher_id, int operation, data_t *key,
TEST_ASSERT( result->len == outlen );
/* check plaintext only if everything went fine */
if( 0 == finish_result )
TEST_ASSERT( 0 == memcmp( output, result->x, outlen ) );
TEST_ASSERT( 0 == timingsafe_bcmp( output, result->x, outlen ) );
exit:
mbedtls_cipher_free( &ctx );

2
third_party/mbedtls/test/test_suite_ctr_drbg.c vendored
View file

@ -125,7 +125,7 @@ static void ctr_drbg_validate_internal( int reseed_mode, data_t * nonce,
&ctx,
buf, result->len,
add2->x, add2->len ) == 0 );
TEST_ASSERT( memcmp( buf, result->x, result->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( buf, result->x, result->len ) == 0 );
exit:
mbedtls_ctr_drbg_free( &ctx );

6
third_party/mbedtls/test/test_suite_dhm.c vendored
View file

@ -214,7 +214,7 @@ void test_dhm_do_dhm( int radix_P, char *input_P,
TEST_ASSERT( sec_srv_len == sec_cli_len );
TEST_ASSERT( sec_srv_len != 0 );
TEST_ASSERT( memcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
/* Re-do calc_secret on server a few times to test update of blinding values */
for( i = 0; i < 3; i++ )
@ -227,7 +227,7 @@ void test_dhm_do_dhm( int radix_P, char *input_P,
TEST_ASSERT( sec_srv_len == sec_cli_len );
TEST_ASSERT( sec_srv_len != 0 );
TEST_ASSERT( memcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
}
/*
@ -255,7 +255,7 @@ void test_dhm_do_dhm( int radix_P, char *input_P,
TEST_ASSERT( sec_srv_len == sec_cli_len );
TEST_ASSERT( sec_srv_len != 0 );
TEST_ASSERT( memcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( sec_srv, sec_cli, sec_srv_len ) == 0 );
exit:
mbedtls_dhm_free( &ctx_srv );

662
third_party/mbedtls/test/test_suite_ecjpake.c vendored
View file

@ -1,662 +0,0 @@
/* clang-format off */
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "third_party/mbedtls/test/test.inc"
/*
* *** THIS FILE WAS MACHINE GENERATED ***
*
* This file has been machine generated using the script:
* generate_test_code.py and then mbedtls_test_suite.sh and then mbedtls_test_suite.sh
*
* Test file : ./test_suite_ecjpake.c
*
* The following files were used to create this file.
*
* Main code file : suites/main_test.function
* Platform code file : suites/host_test.function
* Helper file : suites/helpers.function
* Test suite file : suites/test_suite_ecjpake.function
* Test suite data : suites/test_suite_ecjpake.data
*
*/
#define TEST_SUITE_ACTIVE
#if defined(MBEDTLS_ECJPAKE_C)
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_SHA256_C)
static const unsigned char ecjpake_test_x1[] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x21
};
static const unsigned char ecjpake_test_x2[] = {
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
};
static const unsigned char ecjpake_test_x3[] = {
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c,
0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x81
};
static const unsigned char ecjpake_test_x4[] = {
0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb, 0xcc,
0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8,
0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe1
};
static const unsigned char ecjpake_test_X1[] = {
0x04, 0xac, 0xcf, 0x01, 0x06, 0xef, 0x85, 0x8f, 0xa2, 0xd9, 0x19, 0x33,
0x13, 0x46, 0x80, 0x5a, 0x78, 0xb5, 0x8b, 0xba, 0xd0, 0xb8, 0x44, 0xe5,
0xc7, 0x89, 0x28, 0x79, 0x14, 0x61, 0x87, 0xdd, 0x26, 0x66, 0xad, 0xa7,
0x81, 0xbb, 0x7f, 0x11, 0x13, 0x72, 0x25, 0x1a, 0x89, 0x10, 0x62, 0x1f,
0x63, 0x4d, 0xf1, 0x28, 0xac, 0x48, 0xe3, 0x81, 0xfd, 0x6e, 0xf9, 0x06,
0x07, 0x31, 0xf6, 0x94, 0xa4
};
static const unsigned char ecjpake_test_X2[] = {
0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7,
0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40,
0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79,
0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1,
0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3,
0x2b, 0xb0, 0x13, 0xbb, 0x2b
};
static const unsigned char ecjpake_test_X3[] = {
0x04, 0x7e, 0xa6, 0xe3, 0xa4, 0x48, 0x70, 0x37, 0xa9, 0xe0, 0xdb, 0xd7,
0x92, 0x62, 0xb2, 0xcc, 0x27, 0x3e, 0x77, 0x99, 0x30, 0xfc, 0x18, 0x40,
0x9a, 0xc5, 0x36, 0x1c, 0x5f, 0xe6, 0x69, 0xd7, 0x02, 0xe1, 0x47, 0x79,
0x0a, 0xeb, 0x4c, 0xe7, 0xfd, 0x65, 0x75, 0xab, 0x0f, 0x6c, 0x7f, 0xd1,
0xc3, 0x35, 0x93, 0x9a, 0xa8, 0x63, 0xba, 0x37, 0xec, 0x91, 0xb7, 0xe3,
0x2b, 0xb0, 0x13, 0xbb, 0x2b
};
static const unsigned char ecjpake_test_X4[] = {
0x04, 0x19, 0x0a, 0x07, 0x70, 0x0f, 0xfa, 0x4b, 0xe6, 0xae, 0x1d, 0x79,
0xee, 0x0f, 0x06, 0xae, 0xb5, 0x44, 0xcd, 0x5a, 0xdd, 0xaa, 0xbe, 0xdf,
0x70, 0xf8, 0x62, 0x33, 0x21, 0x33, 0x2c, 0x54, 0xf3, 0x55, 0xf0, 0xfb,
0xfe, 0xc7, 0x83, 0xed, 0x35, 0x9e, 0x5d, 0x0b, 0xf7, 0x37, 0x7a, 0x0f,
0xc4, 0xea, 0x7a, 0xce, 0x47, 0x3c, 0x9c, 0x11, 0x2b, 0x41, 0xcc, 0xd4,
0x1a, 0xc5, 0x6a, 0x56, 0x12
};
/* Load my private and public keys, and peer's public keys */
static int ecjpake_test_load( mbedtls_ecjpake_context *ctx,
const unsigned char *xm1, size_t len_xm1,
const unsigned char *xm2, size_t len_xm2,
const unsigned char *Xm1, size_t len_Xm1,
const unsigned char *Xm2, size_t len_Xm2,
const unsigned char *Xp1, size_t len_Xp1,
const unsigned char *Xp2, size_t len_Xp2 )
{
int ret;
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm1, xm1, len_xm1 ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( &ctx->xm2, xm2, len_xm2 ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp,
&ctx->Xm1, Xm1, len_Xm1 ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp,
&ctx->Xm2, Xm2, len_Xm2 ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp,
&ctx->Xp1, Xp1, len_Xp1 ) );
MBEDTLS_MPI_CHK( mbedtls_ecp_point_read_binary( &ctx->grp,
&ctx->Xp2, Xp2, len_Xp2 ) );
cleanup:
return( ret );
}
#define ADD_SIZE( x ) x, sizeof( x )
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED && MBEDTLS_SHA256_C */
#if defined(MBEDTLS_CHECK_PARAMS)
#if !defined(MBEDTLS_PARAM_FAILED_ALT)
void test_ecjpake_invalid_param( )
{
mbedtls_ecjpake_context ctx;
unsigned char buf[42] = { 0 };
size_t olen;
size_t const len = sizeof( buf );
mbedtls_ecjpake_role valid_role = MBEDTLS_ECJPAKE_SERVER;
mbedtls_ecjpake_role invalid_role = (mbedtls_ecjpake_role) 42;
mbedtls_md_type_t valid_md = MBEDTLS_MD_SHA256;
mbedtls_ecp_group_id valid_group = MBEDTLS_ECP_DP_SECP256R1;
TEST_INVALID_PARAM( mbedtls_ecjpake_init( NULL ) );
TEST_VALID_PARAM( mbedtls_ecjpake_free( NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_setup( NULL,
valid_role,
valid_md,
valid_group,
buf, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_setup( &ctx,
invalid_role,
valid_md,
valid_group,
buf, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_setup( &ctx,
valid_role,
valid_md,
valid_group,
NULL, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_check( NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_one( NULL, buf, len, &olen,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_one( &ctx, NULL, len, &olen,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_one( &ctx, buf, len, NULL,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_one( &ctx, buf, len, &olen, NULL, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_two( NULL, buf, len, &olen,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_two( &ctx, NULL, len, &olen,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_two( &ctx, buf, len, NULL,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_write_round_two( &ctx, buf, len, &olen, NULL, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_read_round_one( NULL,
buf, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_read_round_one( &ctx,
NULL, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_read_round_two( NULL,
buf, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_read_round_two( &ctx,
NULL, len ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_derive_secret( NULL, buf, len, &olen,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_derive_secret( &ctx, NULL, len, &olen,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_derive_secret( &ctx, buf, len, NULL,
mbedtls_test_rnd_std_rand, NULL ) );
TEST_INVALID_PARAM_RET( MBEDTLS_ERR_ECP_BAD_INPUT_DATA,
mbedtls_ecjpake_derive_secret( &ctx, buf, len, &olen, NULL, NULL ) );
exit:
return;
}
void test_ecjpake_invalid_param_wrapper( void ** params )
{
(void)params;
test_ecjpake_invalid_param( );
}
#endif /* !MBEDTLS_PARAM_FAILED_ALT */
#endif /* MBEDTLS_CHECK_PARAMS */
#if defined(MBEDTLS_SELF_TEST)
void test_ecjpake_selftest( )
{
TEST_ASSERT( mbedtls_ecjpake_self_test( 1 ) == 0 );
exit:
;
}
void test_ecjpake_selftest_wrapper( void ** params )
{
(void)params;
test_ecjpake_selftest( );
}
#endif /* MBEDTLS_SELF_TEST */
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
#if defined(MBEDTLS_SHA256_C)
void test_read_bad_md( data_t *msg )
{
mbedtls_ecjpake_context corrupt_ctx;
const unsigned char * pw = NULL;
const size_t pw_len = 0;
int any_role = MBEDTLS_ECJPAKE_CLIENT;
mbedtls_ecjpake_init( &corrupt_ctx );
TEST_ASSERT( mbedtls_ecjpake_setup( &corrupt_ctx, any_role,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
corrupt_ctx.md_info = NULL;
TEST_ASSERT( mbedtls_ecjpake_read_round_one( &corrupt_ctx, msg->x,
msg->len ) == MBEDTLS_ERR_MD_BAD_INPUT_DATA );
exit:
mbedtls_ecjpake_free( &corrupt_ctx );
}
void test_read_bad_md_wrapper( void ** params )
{
data_t data0 = {(uint8_t *) params[0], *( (uint32_t *) params[1] )};
test_read_bad_md( &data0 );
}
#endif /* MBEDTLS_SHA256_C */
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
#if defined(MBEDTLS_SHA256_C)
void test_read_round_one( int role, data_t * msg, int ref_ret )
{
mbedtls_ecjpake_context ctx;
const unsigned char * pw = NULL;
const size_t pw_len = 0;
mbedtls_ecjpake_init( &ctx );
TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, role,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
TEST_ASSERT( mbedtls_ecjpake_read_round_one( &ctx, msg->x, msg->len ) == ref_ret );
exit:
mbedtls_ecjpake_free( &ctx );
}
void test_read_round_one_wrapper( void ** params )
{
data_t data1 = {(uint8_t *) params[1], *( (uint32_t *) params[2] )};
test_read_round_one( *( (int *) params[0] ), &data1, *( (int *) params[3] ) );
}
#endif /* MBEDTLS_SHA256_C */
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
#if defined(MBEDTLS_SHA256_C)
void test_read_round_two_cli( data_t * msg, int ref_ret )
{
mbedtls_ecjpake_context ctx;
const unsigned char * pw = NULL;
const size_t pw_len = 0;
mbedtls_ecjpake_init( &ctx );
TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_ECJPAKE_CLIENT,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
TEST_ASSERT( ecjpake_test_load( &ctx,
ADD_SIZE( ecjpake_test_x1 ), ADD_SIZE( ecjpake_test_x2 ),
ADD_SIZE( ecjpake_test_X1 ), ADD_SIZE( ecjpake_test_X2 ),
ADD_SIZE( ecjpake_test_X3 ), ADD_SIZE( ecjpake_test_X4 ) )
== 0 );
TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg->x, msg->len ) == ref_ret );
exit:
mbedtls_ecjpake_free( &ctx );
}
void test_read_round_two_cli_wrapper( void ** params )
{
data_t data0 = {(uint8_t *) params[0], *( (uint32_t *) params[1] )};
test_read_round_two_cli( &data0, *( (int *) params[2] ) );
}
#endif /* MBEDTLS_SHA256_C */
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
#if defined(MBEDTLS_SHA256_C)
void test_read_round_two_srv( data_t * msg, int ref_ret )
{
mbedtls_ecjpake_context ctx;
const unsigned char * pw = NULL;
const size_t pw_len = 0;
mbedtls_ecjpake_init( &ctx );
TEST_ASSERT( mbedtls_ecjpake_setup( &ctx, MBEDTLS_ECJPAKE_SERVER,
MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) == 0 );
TEST_ASSERT( ecjpake_test_load( &ctx,
ADD_SIZE( ecjpake_test_x3 ), ADD_SIZE( ecjpake_test_x4 ),
ADD_SIZE( ecjpake_test_X3 ), ADD_SIZE( ecjpake_test_X4 ),
ADD_SIZE( ecjpake_test_X1 ), ADD_SIZE( ecjpake_test_X2 ) )
== 0 );
TEST_ASSERT( mbedtls_ecjpake_read_round_two( &ctx, msg->x, msg->len ) == ref_ret );
exit:
mbedtls_ecjpake_free( &ctx );
}
void test_read_round_two_srv_wrapper( void ** params )
{
data_t data0 = {(uint8_t *) params[0], *( (uint32_t *) params[1] )};
test_read_round_two_srv( &data0, *( (int *) params[2] ) );
}
#endif /* MBEDTLS_SHA256_C */
#endif /* MBEDTLS_ECP_DP_SECP256R1_ENABLED */
#endif /* MBEDTLS_ECJPAKE_C */
/*----------------------------------------------------------------------------*/
/* Test dispatch code */
/**
* \brief Evaluates an expression/macro into its literal integer value.
* For optimizing space for embedded targets each expression/macro
* is identified by a unique identifier instead of string literals.
* Identifiers and evaluation code is generated by script:
* generate_test_code.py and then mbedtls_test_suite.sh and then mbedtls_test_suite.sh
*
* \param exp_id Expression identifier.
* \param out_value Pointer to int to hold the integer.
*
* \return 0 if exp_id is found. 1 otherwise.
*/
int get_expression( int32_t exp_id, int32_t * out_value )
{
int ret = KEY_VALUE_MAPPING_FOUND;
(void) exp_id;
(void) out_value;
switch( exp_id )
{
#if defined(MBEDTLS_ECJPAKE_C)
case 0:
{
*out_value = MBEDTLS_ECJPAKE_CLIENT;
}
break;
case 1:
{
*out_value = MBEDTLS_ECJPAKE_SERVER;
}
break;
case 2:
{
*out_value = MBEDTLS_ERR_ECP_VERIFY_FAILED;
}
break;
case 3:
{
*out_value = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
break;
case 4:
{
*out_value = MBEDTLS_ERR_ECP_INVALID_KEY;
}
break;
case 5:
{
*out_value = MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
}
break;
#endif
default:
{
ret = KEY_VALUE_MAPPING_NOT_FOUND;
}
break;
}
return( ret );
}
/**
* \brief Checks if the dependency i.e. the compile flag is set.
* For optimizing space for embedded targets each dependency
* is identified by a unique identifier instead of string literals.
* Identifiers and check code is generated by script:
* generate_test_code.py and then mbedtls_test_suite.sh and then mbedtls_test_suite.sh
*
* \param dep_id Dependency identifier.
*
* \return DEPENDENCY_SUPPORTED if set else DEPENDENCY_NOT_SUPPORTED
*/
int dep_check( int dep_id )
{
int ret = DEPENDENCY_NOT_SUPPORTED;
(void) dep_id;
switch( dep_id )
{
#if defined(MBEDTLS_ECJPAKE_C)
#endif
default:
break;
}
return( ret );
}
/**
* \brief Function pointer type for test function wrappers.
*
* A test function wrapper decodes the parameters and passes them to the
* underlying test function. Both the wrapper and the underlying function
* return void. Test wrappers assume that they are passed a suitable
* parameter array and do not perform any error detection.
*
* \param param_array The array of parameters. Each element is a `void *`
* which the wrapper casts to the correct type and
* dereferences. Each wrapper function hard-codes the
* number and types of the parameters.
*/
typedef void (*TestWrapper_t)( void **param_array );
/**
* \brief Table of test function wrappers. Used by dispatch_test().
* This table is populated by script:
* generate_test_code.py and then mbedtls_test_suite.sh and then mbedtls_test_suite.sh
*
*/
TestWrapper_t test_funcs[] =
{
/* Function Id: 0 */
#if defined(MBEDTLS_ECJPAKE_C) && defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT)
test_ecjpake_invalid_param_wrapper,
#else
NULL,
#endif
/* Function Id: 1 */
#if defined(MBEDTLS_ECJPAKE_C) && defined(MBEDTLS_SELF_TEST)
test_ecjpake_selftest_wrapper,
#else
NULL,
#endif
/* Function Id: 2 */
#if defined(MBEDTLS_ECJPAKE_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_SHA256_C)
test_read_bad_md_wrapper,
#else
NULL,
#endif
/* Function Id: 3 */
#if defined(MBEDTLS_ECJPAKE_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_SHA256_C)
test_read_round_one_wrapper,
#else
NULL,
#endif
/* Function Id: 4 */
#if defined(MBEDTLS_ECJPAKE_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_SHA256_C)
test_read_round_two_cli_wrapper,
#else
NULL,
#endif
/* Function Id: 5 */
#if defined(MBEDTLS_ECJPAKE_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_SHA256_C)
test_read_round_two_srv_wrapper,
#else
NULL,
#endif
};
/**
* \brief Execute the test function.
*
* This is a wrapper function around the test function execution
* to allow the setjmp() call used to catch any calls to the
* parameter failure callback, to be used. Calls to setjmp()
* can invalidate the state of any local auto variables.
*
* \param fp Function pointer to the test function.
* \param params Parameters to pass to the #TestWrapper_t wrapper function.
*
*/
void execute_function_ptr(TestWrapper_t fp, void **params)
{
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
mbedtls_test_enable_insecure_external_rng( );
#endif
#if defined(MBEDTLS_CHECK_PARAMS)
mbedtls_test_param_failed_location_record_t location_record;
if ( setjmp( mbedtls_test_param_failed_get_state_buf( ) ) == 0 )
{
fp( params );
}
else
{
/* Unexpected parameter validation error */
mbedtls_test_param_failed_get_location_record( &location_record );
mbedtls_test_fail( location_record.failure_condition,
location_record.line,
location_record.file );
}
mbedtls_test_param_failed_reset_state( );
#else
fp( params );
#endif
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
mbedtls_test_mutex_usage_check( );
#endif /* MBEDTLS_TEST_MUTEX_USAGE */
}
/**
* \brief Dispatches test functions based on function index.
*
* \param func_idx Test function index.
* \param params The array of parameters to pass to the test function.
* It will be decoded by the #TestWrapper_t wrapper function.
*
* \return DISPATCH_TEST_SUCCESS if found
* DISPATCH_TEST_FN_NOT_FOUND if not found
* DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
*/
int dispatch_test( size_t func_idx, void ** params )
{
int ret = DISPATCH_TEST_SUCCESS;
TestWrapper_t fp = NULL;
if ( func_idx < (int)( sizeof( test_funcs ) / sizeof( TestWrapper_t ) ) )
{
fp = test_funcs[func_idx];
if ( fp )
execute_function_ptr(fp, params);
else
ret = DISPATCH_UNSUPPORTED_SUITE;
}
else
{
ret = DISPATCH_TEST_FN_NOT_FOUND;
}
return( ret );
}
/**
* \brief Checks if test function is supported in this build-time
* configuration.
*
* \param func_idx Test function index.
*
* \return DISPATCH_TEST_SUCCESS if found
* DISPATCH_TEST_FN_NOT_FOUND if not found
* DISPATCH_UNSUPPORTED_SUITE if not compile time enabled.
*/
int check_test( size_t func_idx )
{
int ret = DISPATCH_TEST_SUCCESS;
TestWrapper_t fp = NULL;
if ( func_idx < (int)( sizeof(test_funcs)/sizeof( TestWrapper_t ) ) )
{
fp = test_funcs[func_idx];
if ( fp == NULL )
ret = DISPATCH_UNSUPPORTED_SUITE;
}
else
{
ret = DISPATCH_TEST_FN_NOT_FOUND;
}
return( ret );
}
int main( int argc, const char *argv[] )
{
int ret;
mbedtls_test_platform_setup();
ret = execute_tests( argc, argv, "/zip/third_party/mbedtls/test/test_suite_ecjpake.datax" );
mbedtls_test_platform_teardown();
return( ret );
}

237
third_party/mbedtls/test/test_suite_ecjpake.datax vendored
View file

@ -1,237 +0,0 @@
ECJPAKE parameter validation
0
ECJPAKE selftest
1
ECJPAKE fail read corrupt MD
2:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12"
ECJPAKE round one: client, valid
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12":int:0
ECJPAKE round one: server, valid
3:exp:1:hex:"4104accf0106ef858fa2d919331346805a78b58bbad0b844e5c7892879146187dd2666ada781bb7f111372251a8910621f634df128ac48e381fd6ef9060731f694a441041dd0bd5d4566c9bed9ce7de701b5e82e08e84b730466018ab903c79eb982172236c0c1728ae4bf73610d34de44246ef3d9c05a2236fb66a6583d7449308babce2072fe16662992e9235c25002f11b15087b82738e03c945bf7a2995dda1e98345841047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b4104a49558d32ed1ebfc1816af4ff09b55fcb4ca47b2a02d1e7caf1179ea3fe1395b22b861964016fabaf72c975695d93d4df0e5197fe9f040634ed59764937787be20bc4deebbf9b8d60a335f046ca3aa941e45864c7cadef9cf75b3d8b010e443ef0":int:0
ECJPAKE round one: role mismatch
3:exp:0:hex:"4104accf0106ef858fa2d919331346805a78b58bbad0b844e5c7892879146187dd2666ada781bb7f111372251a8910621f634df128ac48e381fd6ef9060731f694a441041dd0bd5d4566c9bed9ce7de701b5e82e08e84b730466018ab903c79eb982172236c0c1728ae4bf73610d34de44246ef3d9c05a2236fb66a6583d7449308babce2072fe16662992e9235c25002f11b15087b82738e03c945bf7a2995dda1e98345841047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b4104a49558d32ed1ebfc1816af4ff09b55fcb4ca47b2a02d1e7caf1179ea3fe1395b22b861964016fabaf72c975695d93d4df0e5197fe9f040634ed59764937787be20bc4deebbf9b8d60a335f046ca3aa941e45864c7cadef9cf75b3d8b010e443ef0":exp:2
ECJPAKE round one: trailing byte
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d905193735144104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1200":exp:3
ECJPAKE round one: KKP1: no data
3:exp:0:hex:"":exp:3
ECJPAKE round one: KKP1: length of first point too small
3:exp:0:hex:"00":exp:3
ECJPAKE round one: KKP1: length of first point too big
3:exp:0:hex:"01":exp:3
ECJPAKE round one: KKP1: no point data
3:exp:0:hex:"0104":exp:3
ECJPAKE round one: KKP1: first point is zero
3:exp:0:hex:"0100":exp:4
ECJPAKE round one: KKP1: unknown first point format
3:exp:0:hex:"41057ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":exp:5
ECJPAKE round one: KKP1: nothing after first point
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":exp:3
ECJPAKE round one: KKP1: length of second point too small
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b00":exp:3
ECJPAKE round one: KKP1: length of second point too big
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":exp:3
ECJPAKE round one: KKP1: no second point data
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b0104":exp:3
ECJPAKE round one: KKP1: unknow second point format
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410509f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":exp:5
ECJPAKE round one: KKP1: nothing after second point
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":exp:3
ECJPAKE round one: KKP1: zero-length r
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51600":exp:4
ECJPAKE round one: KKP1: no data for r
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51601":exp:3
ECJPAKE round one: KKP1: corrupted r
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373515":exp:2
ECJPAKE round one: KKP1: X not on the curve
3:exp:0:hex:"41047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2a410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373514":exp:4
ECJPAKE round one: KKP2: no data
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb12":exp:3
ECJPAKE round one: KKP2: length of first point too small
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1200":exp:3
ECJPAKE round one: KKP2: length of first point too big
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1201":exp:3
ECJPAKE round one: KKP2: no point data
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb120104":exp:3
ECJPAKE round one: KKP2: first point is zero
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb120100":exp:4
ECJPAKE round one: KKP2: unknown first point format
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241057ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":exp:5
ECJPAKE round one: KKP2: nothing after first point
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b":exp:3
ECJPAKE round one: KKP2: length of second point too small
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b00":exp:3
ECJPAKE round one: KKP2: length of second point too big
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b01":exp:3
ECJPAKE round one: KKP2: no second point data
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b0104":exp:3
ECJPAKE round one: KKP2: unknow second point format
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410509f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":exp:5
ECJPAKE round one: KKP2: nothing after second point
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb516":exp:3
ECJPAKE round one: KKP2: zero-length r
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51600":exp:4
ECJPAKE round one: KKP2: no data for r
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51601":exp:3
ECJPAKE round one: KKP2: corrupted r
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2b410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373515":exp:2
ECJPAKE round one: KKP2: X not on the curve
3:exp:0:hex:"4104190a07700ffa4be6ae1d79ee0f06aeb544cd5addaabedf70f8623321332c54f355f0fbfec783ed359e5d0bf7377a0fc4ea7ace473c9c112b41ccd41ac56a56124104360a1cea33fce641156458e0a4eac219e96831e6aebc88b3f3752f93a0281d1bf1fb106051db9694a8d6e862a5ef1324a3d9e27894f1ee4f7c59199965a8dd4a2091847d2d22df3ee55faa2a3fb33fd2d1e055a07a7c61ecfb8d80ec00c2c9eb1241047ea6e3a4487037a9e0dbd79262b2cc273e779930fc18409ac5361c5fe669d702e147790aeb4ce7fd6575ab0f6c7fd1c335939aa863ba37ec91b7e32bb013bb2a410409f85b3d20ebd7885ce464c08d056d6428fe4dd9287aa365f131f4360ff386d846898bc4b41583c2a5197f65d78742746c12a5ec0a4ffe2f270a750a1d8fb51620934d74eb43e54df424fd96306c0117bf131afabf90a9d33d1198d90519373514":exp:4
ECJPAKE round two client: valid
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836c":int:0
ECJPAKE round two client: trailing byte
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836c00":exp:3
ECJPAKE round two client: no data
4:hex:"":exp:3
ECJPAKE round two client: ECParams too short
4:hex:"0300":exp:3
ECJPAKE round two client: ECParams not named curve
4:hex:"010017":exp:3
ECJPAKE round two client: ECParams wrong curve
4:hex:"030016":exp:5
ECJPAKE round two client: no data after ECParams
4:hex:"030017":exp:3
ECJPAKE round two client: length of first point too small
4:hex:"03001700":exp:3
ECJPAKE round two client: length of first point too big
4:hex:"03001701":exp:3
ECJPAKE round two client: no first point data
4:hex:"0300170104":exp:3
ECJPAKE round two client: first point is zero
4:hex:"0300170100":exp:4
ECJPAKE round two client: unknown first point format
4:hex:"03001741050fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a6":exp:5
ECJPAKE round two client: nothing after first point
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a6":exp:3
ECJPAKE round two client: length of second point too small
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a600":exp:3
ECJPAKE round two client: length of second point too big
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a601":exp:3
ECJPAKE round two client: no second point data
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a60104":exp:3
ECJPAKE round two client: unknown second point format
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641055516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c8":exp:5
ECJPAKE round two client: nothing after second point
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c8":exp:3
ECJPAKE round two client: zero-length r
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c800":exp:4
ECJPAKE round two client: no data for r
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c801":exp:3
ECJPAKE round two client: corrupted r
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a641045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836d":exp:2
ECJPAKE round two client: X not on the curve
4:hex:"03001741040fb22b1d5d1123e0ef9feb9d8a2e590a1f4d7ced2c2b06586e8f2a16d4eb2fda4328a20b07d8fd667654ca18c54e32a333a0845451e926ee8804fd7af0aaa7a741045516ea3e54a0d5d8b2ce786b38d383370029a5dbe4459c9dd601b408a24ae6465c8ac905b9eb03b5d3691c139ef83f1cd4200f6c9cd4ec392218a59ed243d3c820ff724a9a70b88cb86f20b434c6865aa1cd7906dd7c9bce3525f508276f26836c":exp:4
ECJPAKE round two server: valid
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54c":int:0
ECJPAKE round two server: trailing byte
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54c00":exp:3
ECJPAKE round two server: no data
5:hex:"":exp:3
ECJPAKE round two server: length of forst point too small
5:hex:"00":exp:3
ECJPAKE round two server: length of first point too big
5:hex:"01":exp:3
ECJPAKE round two server: no first point data
5:hex:"0104":exp:3
ECJPAKE round two server: first point is zero
5:hex:"0100":exp:4
ECJPAKE round two server: unknown first point format
5:hex:"410569d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee":exp:5
ECJPAKE round two server: nothing after first point
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee":exp:3
ECJPAKE round two server: length of second point too small
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee00":exp:3
ECJPAKE round two server: length of second point too big
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee01":exp:3
ECJPAKE round two server: no second point data
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee0104":exp:3
ECJPAKE round two server: unknown second point format
5:hex:"410569d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d":exp:5
ECJPAKE round two server: nothing after second point
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d":exp:3
ECJPAKE round two server: zero-length r
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d00":exp:4
ECJPAKE round two server: no data for r
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d20":exp:3
ECJPAKE round two server: corrupted r
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ee4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54d":exp:2
ECJPAKE round two server: X not on curve
5:hex:"410469d54ee85e90ce3f1246742de507e939e81d1dc1c5cb988b58c310c9fdd9524d93720b45541c83ee8841191da7ced86e3312d43623c1d63e74989aba4affd1ef4104077e8c31e20e6bedb760c13593e69f15be85c27d68cd09ccb8c4183608917c5c3d409fac39fefee82f7292d36f0d23e055913f45a52b85dd8a2052e9e129bb4d200f011f19483535a6e89a580c9b0003baf21462ece91a82cc38dbdcae60d9c54c":exp:4

99
third_party/mbedtls/test/test_suite_hkdf.c vendored
View file

@ -39,25 +39,20 @@
#if defined(MBEDTLS_HKDF_C)
#include "third_party/mbedtls/hkdf.h"
void test_test_hkdf( int md_alg, data_t *ikm, data_t *salt, data_t *info,
data_t *expected_okm )
data_t *expected_okm )
{
int ret;
unsigned char okm[128] = { '\0' };
const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
TEST_ASSERT( md != NULL );
TEST_ASSERT( expected_okm->len <= sizeof( okm ) );
ret = mbedtls_hkdf( md, salt->x, salt->len, ikm->x, ikm->len,
info->x, info->len, okm, expected_okm->len );
TEST_ASSERT( ret == 0 );
ASSERT_COMPARE( okm , expected_okm->len,
expected_okm->x, expected_okm->len );
exit:
;
}
void test_test_hkdf_wrapper( void ** params )
@ -66,11 +61,11 @@ void test_test_hkdf_wrapper( void ** params )
data_t data3 = {(uint8_t *) params[3], *( (uint32_t *) params[4] )};
data_t data5 = {(uint8_t *) params[5], *( (uint32_t *) params[6] )};
data_t data7 = {(uint8_t *) params[7], *( (uint32_t *) params[8] )};
test_test_hkdf( *( (int *) params[0] ), &data1, &data3, &data5, &data7 );
}
void test_test_hkdf_extract( int md_alg, char *hex_ikm_string,
char *hex_salt_string, char *hex_prk_string )
char *hex_salt_string, char *hex_prk_string )
{
int ret;
unsigned char *ikm = NULL;
@ -78,22 +73,16 @@ void test_test_hkdf_extract( int md_alg, char *hex_ikm_string,
unsigned char *prk = NULL;
unsigned char *output_prk = NULL;
size_t ikm_len, salt_len, prk_len, output_prk_len;
const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
TEST_ASSERT( md != NULL );
output_prk_len = mbedtls_md_get_size( md );
output_prk = mbedtls_calloc( 1, output_prk_len );
ikm = mbedtls_test_unhexify_alloc( hex_ikm_string, &ikm_len );
salt = mbedtls_test_unhexify_alloc( hex_salt_string, &salt_len );
prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
ret = mbedtls_hkdf_extract( md, salt, salt_len, ikm, ikm_len, output_prk );
TEST_ASSERT( ret == 0 );
ASSERT_COMPARE( output_prk, output_prk_len, prk, prk_len );
exit:
mbedtls_free(ikm);
mbedtls_free(salt);
@ -103,36 +92,34 @@ exit:
void test_test_hkdf_extract_wrapper( void ** params )
{
test_test_hkdf_extract( *( (int *) params[0] ), (char *) params[1], (char *) params[2], (char *) params[3] );
test_test_hkdf_extract( *( (int *) params[0] ),
(char *) params[1],
(char *) params[2],
(char *) params[3] );
}
void test_test_hkdf_expand( int md_alg, char *hex_info_string,
char *hex_prk_string, char *hex_okm_string )
{
enum { OKM_LEN = 1024 };
enum { OKM_LEN = 1024 };
int ret;
unsigned char *info = NULL;
unsigned char *prk = NULL;
unsigned char *okm = NULL;
unsigned char *output_okm = NULL;
size_t info_len, prk_len, okm_len;
const mbedtls_md_info_t *md = mbedtls_md_info_from_type( md_alg );
TEST_ASSERT( md != NULL );
output_okm = mbedtls_calloc( OKM_LEN, 1 );
prk = mbedtls_test_unhexify_alloc( hex_prk_string, &prk_len );
info = mbedtls_test_unhexify_alloc( hex_info_string, &info_len );
okm = mbedtls_test_unhexify_alloc( hex_okm_string, &okm_len );
TEST_ASSERT( prk_len == mbedtls_md_get_size( md ) );
TEST_ASSERT( okm_len < OKM_LEN );
ret = mbedtls_hkdf_expand( md, prk, prk_len, info, info_len,
output_okm, OKM_LEN );
TEST_ASSERT( ret == 0 );
ASSERT_COMPARE( output_okm, okm_len, okm, okm_len );
exit:
mbedtls_free(info);
mbedtls_free(prk);
@ -142,9 +129,12 @@ exit:
void test_test_hkdf_expand_wrapper( void ** params )
{
test_test_hkdf_expand( *( (int *) params[0] ), (char *) params[1], (char *) params[2], (char *) params[3] );
test_test_hkdf_expand( *( (int *) params[0] ),
(char *) params[1],
(char *) params[2],
(char *) params[3] );
}
void test_test_hkdf_extract_ret( int hash_len, int ret )
{
int output_ret;
@ -153,28 +143,25 @@ void test_test_hkdf_extract_ret( int hash_len, int ret )
unsigned char *prk = NULL;
size_t salt_len, ikm_len;
struct mbedtls_md_info_t fake_md_info;
memset( &fake_md_info, 0, sizeof( fake_md_info ) );
fake_md_info.type = MBEDTLS_MD_NONE;
fake_md_info.size = hash_len;
prk = mbedtls_calloc( MBEDTLS_MD_MAX_SIZE, 1 );
salt_len = 0;
ikm_len = 0;
output_ret = mbedtls_hkdf_extract( &fake_md_info, salt, salt_len,
ikm, ikm_len, prk );
TEST_ASSERT( output_ret == ret );
exit:
mbedtls_free(prk);
}
void test_test_hkdf_extract_ret_wrapper( void ** params )
{
test_test_hkdf_extract_ret( *( (int *) params[0] ), *( (int *) params[1] ) );
test_test_hkdf_extract_ret( *( (int *) params[0] ),
*( (int *) params[1] ) );
}
void test_test_hkdf_expand_ret( int hash_len, int prk_len, int okm_len, int ret )
{
int output_ret;
@ -183,23 +170,17 @@ void test_test_hkdf_expand_ret( int hash_len, int prk_len, int okm_len, int ret
unsigned char *okm = NULL;
size_t info_len;
struct mbedtls_md_info_t fake_md_info;
memset( &fake_md_info, 0, sizeof( fake_md_info ) );
fake_md_info.type = MBEDTLS_MD_NONE;
fake_md_info.size = hash_len;
info_len = 0;
if (prk_len > 0)
prk = mbedtls_calloc( prk_len, 1 );
if (okm_len > 0)
okm = mbedtls_calloc( okm_len, 1 );
output_ret = mbedtls_hkdf_expand( &fake_md_info, prk, prk_len,
info, info_len, okm, okm_len );
TEST_ASSERT( output_ret == ret );
exit:
mbedtls_free(prk);
mbedtls_free(okm);
@ -207,15 +188,10 @@ exit:
void test_test_hkdf_expand_ret_wrapper( void ** params )
{
test_test_hkdf_expand_ret( *( (int *) params[0] ), *( (int *) params[1] ), *( (int *) params[2] ), *( (int *) params[3] ) );
}
#endif /* MBEDTLS_HKDF_C */
/*----------------------------------------------------------------------------*/
/* Test dispatch code */
/**
* \brief Evaluates an expression/macro into its literal integer value.
* For optimizing space for embedded targets each expression/macro
@ -231,32 +207,20 @@ void test_test_hkdf_expand_ret_wrapper( void ** params )
int get_expression( int32_t exp_id, int32_t * out_value )
{
int ret = KEY_VALUE_MAPPING_FOUND;
(void) exp_id;
(void) out_value;
switch( exp_id )
{
#if defined(MBEDTLS_HKDF_C)
case 0:
{
*out_value = MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
}
*out_value = MBEDTLS_ERR_HKDF_BAD_INPUT_DATA;
break;
#endif
default:
{
ret = KEY_VALUE_MAPPING_NOT_FOUND;
}
ret = KEY_VALUE_MAPPING_NOT_FOUND;
break;
}
return( ret );
}
/**
* \brief Checks if the dependency i.e. the compile flag is set.
* For optimizing space for embedded targets each dependency
@ -271,14 +235,9 @@ int get_expression( int32_t exp_id, int32_t * out_value )
int dep_check( int dep_id )
{
int ret = DEPENDENCY_NOT_SUPPORTED;
(void) dep_id;
switch( dep_id )
{
#if defined(MBEDTLS_HKDF_C)
case 0:
{
#if defined(MBEDTLS_SHA256_C)
@ -298,14 +257,12 @@ int dep_check( int dep_id )
}
break;
#endif
default:
break;
}
return( ret );
}
/**
* \brief Function pointer type for test function wrappers.
*
@ -321,7 +278,6 @@ int dep_check( int dep_id )
*/
typedef void (*TestWrapper_t)( void **param_array );
/**
* \brief Table of test function wrappers. Used by dispatch_test().
* This table is populated by script:
@ -331,41 +287,35 @@ typedef void (*TestWrapper_t)( void **param_array );
TestWrapper_t test_funcs[] =
{
/* Function Id: 0 */
#if defined(MBEDTLS_HKDF_C)
test_test_hkdf_wrapper,
#else
NULL,
#endif
/* Function Id: 1 */
#if defined(MBEDTLS_HKDF_C)
test_test_hkdf_extract_wrapper,
#else
NULL,
#endif
/* Function Id: 2 */
#if defined(MBEDTLS_HKDF_C)
test_test_hkdf_expand_wrapper,
#else
NULL,
#endif
/* Function Id: 3 */
#if defined(MBEDTLS_HKDF_C)
test_test_hkdf_extract_ret_wrapper,
#else
NULL,
#endif
/* Function Id: 4 */
#if defined(MBEDTLS_HKDF_C)
test_test_hkdf_expand_ret_wrapper,
#else
NULL,
#endif
};
/**
@ -385,10 +335,8 @@ void execute_function_ptr(TestWrapper_t fp, void **params)
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
mbedtls_test_enable_insecure_external_rng( );
#endif
#if defined(MBEDTLS_CHECK_PARAMS)
mbedtls_test_param_failed_location_record_t location_record;
if ( setjmp( mbedtls_test_param_failed_get_state_buf( ) ) == 0 )
{
fp( params );
@ -401,12 +349,10 @@ void execute_function_ptr(TestWrapper_t fp, void **params)
location_record.line,
location_record.file );
}
mbedtls_test_param_failed_reset_state( );
#else
fp( params );
#endif
#if defined(MBEDTLS_TEST_MUTEX_USAGE)
mbedtls_test_mutex_usage_check( );
#endif /* MBEDTLS_TEST_MUTEX_USAGE */
@ -427,7 +373,6 @@ int dispatch_test( size_t func_idx, void ** params )
{
int ret = DISPATCH_TEST_SUCCESS;
TestWrapper_t fp = NULL;
if ( func_idx < (int)( sizeof( test_funcs ) / sizeof( TestWrapper_t ) ) )
{
fp = test_funcs[func_idx];
@ -440,11 +385,9 @@ int dispatch_test( size_t func_idx, void ** params )
{
ret = DISPATCH_TEST_FN_NOT_FOUND;
}
return( ret );
}
/**
* \brief Checks if test function is supported in this build-time
* configuration.
@ -459,7 +402,6 @@ int check_test( size_t func_idx )
{
int ret = DISPATCH_TEST_SUCCESS;
TestWrapper_t fp = NULL;
if ( func_idx < (int)( sizeof(test_funcs)/sizeof( TestWrapper_t ) ) )
{
fp = test_funcs[func_idx];
@ -470,7 +412,6 @@ int check_test( size_t func_idx )
{
ret = DISPATCH_TEST_FN_NOT_FOUND;
}
return( ret );
}

8
third_party/mbedtls/test/test_suite_hmac_drbg.pr.c vendored
View file

@ -247,7 +247,7 @@ void test_hmac_drbg_no_reseed( int md_alg, data_t * entropy,
/* Reset context for second run */
mbedtls_hmac_drbg_free( &ctx );
TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( my_output, output->x, output->len ) == 0 );
/* And now the normal entropy-based variant */
TEST_ASSERT( mbedtls_hmac_drbg_seed( &ctx, md_info, mbedtls_test_entropy_func, &p_entropy,
@ -256,7 +256,7 @@ void test_hmac_drbg_no_reseed( int md_alg, data_t * entropy,
add1->x, add1->len ) == 0 );
TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
add2->x, add2->len ) == 0 );
TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( my_output, output->x, output->len ) == 0 );
exit:
mbedtls_hmac_drbg_free( &ctx );
@ -297,7 +297,7 @@ void test_hmac_drbg_nopr( int md_alg, data_t * entropy, data_t * custom,
TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
add3->x, add3->len ) == 0 );
TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( my_output, output->x, output->len ) == 0 );
exit:
mbedtls_hmac_drbg_free( &ctx );
@ -338,7 +338,7 @@ void test_hmac_drbg_pr( int md_alg, data_t * entropy, data_t * custom,
TEST_ASSERT( mbedtls_hmac_drbg_random_with_add( &ctx, my_output, output->len,
add2->x, add2->len ) == 0 );
TEST_ASSERT( memcmp( my_output, output->x, output->len ) == 0 );
TEST_ASSERT( timingsafe_bcmp( my_output, output->x, output->len ) == 0 );
exit:
mbedtls_hmac_drbg_free( &ctx );

5
third_party/mbedtls/test/test_suite_pkcs1_v15.c vendored
View file

@ -267,9 +267,8 @@ void test_pkcs1_v15_decode( int mode,
if( expected_result == 0 )
{
TEST_ASSERT( output_length == expected_plaintext_length );
TEST_ASSERT( memcmp( original + sizeof( N ) - output_length,
final,
output_length ) == 0 );
TEST_ASSERT( timingsafe_bcmp( original + sizeof( N ) - output_length,
final, output_length ) == 0 );
}
else if( expected_result == MBEDTLS_ERR_RSA_INVALID_PADDING ||
expected_result == MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE )

7
third_party/mbedtls/test/test_suite_pkcs5.c vendored
View file

@ -40,24 +40,19 @@
#if defined(MBEDTLS_PKCS5_C)
#include "third_party/mbedtls/pkcs5.h"
void test_pbkdf2_hmac( int hash, data_t * pw_str, data_t * salt_str,
int it_cnt, int key_len, data_t * result_key_string )
int it_cnt, int key_len, data_t * result_key_string )
{
mbedtls_md_context_t ctx;
const mbedtls_md_info_t *info;
unsigned char key[100];
mbedtls_md_init( &ctx );
info = mbedtls_md_info_from_type( hash );
TEST_ASSERT( info != NULL );
TEST_ASSERT( mbedtls_md_setup( &ctx, info, 1 ) == 0 );
TEST_ASSERT( mbedtls_pkcs5_pbkdf2_hmac( &ctx, pw_str->x, pw_str->len, salt_str->x, salt_str->len,
it_cnt, key_len, key ) == 0 );
TEST_ASSERT( mbedtls_test_hexcmp( key, result_key_string->x,
key_len, result_key_string->len ) == 0 );
exit:
mbedtls_md_free( &ctx );
}

8
third_party/mbedtls/test/test_suite_random.c vendored
View file

@ -85,7 +85,7 @@ void test_random_twice_with_ctr_drbg( )
mbedtls_entropy_free( &entropy );
/* The two rounds must generate different random data. */
TEST_ASSERT( memcmp( output1, output2, OUTPUT_SIZE ) != 0 );
TEST_ASSERT( timingsafe_bcmp( output1, output2, OUTPUT_SIZE ) != 0 );
exit:
mbedtls_ctr_drbg_free( &drbg );
@ -135,7 +135,7 @@ void test_random_twice_with_hmac_drbg( int md_type )
mbedtls_entropy_free( &entropy );
/* The two rounds must generate different random data. */
TEST_ASSERT( memcmp( output1, output2, OUTPUT_SIZE ) != 0 );
TEST_ASSERT( timingsafe_bcmp( output1, output2, OUTPUT_SIZE ) != 0 );
exit:
mbedtls_hmac_drbg_free( &drbg );
@ -171,7 +171,7 @@ void test_random_twice_with_psa_from_classic( )
PSA_DONE( );
/* The two rounds must generate different random data. */
TEST_ASSERT( memcmp( output1, output2, OUTPUT_SIZE ) != 0 );
TEST_ASSERT( timingsafe_bcmp( output1, output2, OUTPUT_SIZE ) != 0 );
exit:
PSA_DONE( );
@ -205,7 +205,7 @@ void test_random_twice_with_psa_from_psa( )
PSA_DONE( );
/* The two rounds must generate different random data. */
TEST_ASSERT( memcmp( output1, output2, OUTPUT_SIZE ) != 0 );
TEST_ASSERT( timingsafe_bcmp( output1, output2, OUTPUT_SIZE ) != 0 );
exit:
PSA_DONE( );

2
third_party/mbedtls/test/test_suite_x509parse.c vendored
View file

@ -425,7 +425,7 @@ int parse_crt_ext_cb( void *p_ctx, mbedtls_x509_crt const *crt, mbedtls_x509_buf
return( parse_ret );
}
else if( new_oid != NULL && new_oid->tag == oid->tag && new_oid->len == oid->len &&
memcmp( new_oid->p, oid->p, oid->len ) == 0 )
timingsafe_bcmp( new_oid->p, oid->p, oid->len ) == 0 )
return( 0 );
else
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );

7
third_party/mbedtls/x509.c vendored
View file

@ -129,10 +129,8 @@ int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
mbedtls_x509_buf *alg, mbedtls_x509_buf *params )
{
int ret = MBEDTLS_ERR_THIS_CORRUPTION;
if( ( ret = mbedtls_asn1_get_alg( p, end, alg, params ) ) != 0 )
return( MBEDTLS_ERR_X509_INVALID_ALG + ret );
return( 0 );
}
@ -776,7 +774,6 @@ int mbedtls_x509_time_is_future( const mbedtls_x509_time *from ) {
}
#if defined(MBEDTLS_SELF_TEST)
/**
* \brief Checkup routine
*
@ -797,7 +794,7 @@ int mbedtls_x509_self_test( int verbose )
mbedtls_x509_crt_init( &clicert );
ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
mbedtls_test_cli_crt_len );
mbedtls_test_cli_crt_len );
if( ret != 0 )
{
if( verbose != 0 )
@ -807,7 +804,7 @@ int mbedtls_x509_self_test( int verbose )
}
ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
mbedtls_test_ca_crt_len );
mbedtls_test_ca_crt_len );
if( ret != 0 )
{
if( verbose != 0 )

4
third_party/mbedtls/x509_crl.c vendored
View file

@ -484,10 +484,10 @@ int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
}
if( crl->sig_oid.len != sig_oid2.len ||
memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
timingsafe_bcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
sig_params1.len != sig_params2.len ||
( sig_params1.len != 0 &&
memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
timingsafe_bcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
{
mbedtls_x509_crl_free( crl );
return( MBEDTLS_ERR_X509_SIG_MISMATCH );

35
third_party/mbedtls/x509_crt.c vendored
View file

@ -245,7 +245,7 @@ static int x509_string_cmp( const mbedtls_x509_buf *a, const mbedtls_x509_buf *b
{
if( a->tag == b->tag &&
a->len == b->len &&
memcmp( a->p, b->p, b->len ) == 0 )
timingsafe_bcmp( a->p, b->p, b->len ) == 0 )
{
return 0;
}
@ -279,7 +279,7 @@ int mbedtls_x509_name_cmp( const mbedtls_x509_name *a, const mbedtls_x509_name *
/* type */
if( a->oid.tag != b->oid.tag ||
a->oid.len != b->oid.len ||
memcmp( a->oid.p, b->oid.p, b->oid.len ) )
timingsafe_bcmp( a->oid.p, b->oid.p, b->oid.len ) )
{
return -1;
}
@ -1106,11 +1106,11 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
return ret;
}
if( crt->sig_oid.len != sig_oid2.len ||
memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) ||
timingsafe_bcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) ||
sig_params1.tag != sig_params2.tag ||
sig_params1.len != sig_params2.len ||
( sig_params1.len &&
memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) ) )
timingsafe_bcmp( sig_params1.p, sig_params2.p, sig_params1.len ) ) )
{
mbedtls_x509_crt_free( crt );
return( MBEDTLS_ERR_X509_SIG_MISMATCH );
@ -2182,7 +2182,7 @@ int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
{
const mbedtls_x509_buf *cur_oid = &cur->buf;
if( cur_oid->len == usage_len &&
memcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
timingsafe_bcmp( cur_oid->p, usage_oid, usage_len ) == 0 )
{
return 0;
}
@ -2207,7 +2207,7 @@ int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509
while( cur && cur->serial.len )
{
if( crt->serial.len == cur->serial.len &&
memcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
timingsafe_bcmp( crt->serial.p, cur->serial.p, crt->serial.len ) == 0 )
{
return( 1 );
}
@ -2575,7 +2575,7 @@ static int x509_crt_check_ee_locally_trusted(
for( cur = trust_ca; cur; cur = cur->next )
{
if( crt->raw.len == cur->raw.len &&
memcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
timingsafe_bcmp( crt->raw.p, cur->raw.p, crt->raw.len ) == 0 )
{
return 0;
}
@ -2890,16 +2890,17 @@ static int x509_crt_merge_flags_with_cb(
* of trusted signers, and `ca_crl` will be use as the static list
* of CRLs.
*/
static int x509_crt_verify_restartable_ca_cb( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
mbedtls_x509_crt_ca_cb_t f_ca_cb,
void *p_ca_cb,
const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
mbedtls_x509_crt_restart_ctx *rs_ctx )
static int x509_crt_verify_restartable_ca_cb(
mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
mbedtls_x509_crt_ca_cb_t f_ca_cb,
void *p_ca_cb,
const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
mbedtls_x509_crt_restart_ctx *rs_ctx )
{
int ret = MBEDTLS_ERR_THIS_CORRUPTION;
mbedtls_pk_type_t pk_type;

47
third_party/mbedtls/zeroize.c vendored
View file

@ -19,52 +19,7 @@
#include "libc/str/str.h"
#include "third_party/mbedtls/platform.h"
typedef long long xmm_t __attribute__((__vector_size__(16), __aligned__(1)));
void mbedtls_platform_zeroize(void *p, size_t n) {
char *b;
uint64_t x;
MBEDTLS_INTERNAL_VALIDATE(!n || p);
x = 0;
b = p;
switch (n) {
case 0:
break;
case 1:
__builtin_memcpy(b, &x, 1);
break;
case 2:
__builtin_memcpy(b, &x, 2);
break;
case 3:
__builtin_memcpy(b, &x, 2);
__builtin_memcpy(b + 1, &x, 2);
break;
case 4:
__builtin_memcpy(b, &x, 4);
break;
case 5 ... 7:
__builtin_memcpy(b, &x, 4);
__builtin_memcpy(b + n - 4, &x, 4);
break;
case 8:
__builtin_memcpy(b, &x, 8);
break;
case 9 ... 15:
__builtin_memcpy(b, &x, 8);
__builtin_memcpy(b + n - 8, &x, 8);
break;
case 16:
*(xmm_t *)b = (xmm_t){0};
break;
default:
while (n > 32) {
*(xmm_t *)(b + n - 16) = (xmm_t){0};
*(xmm_t *)(b + n - 32) = (xmm_t){0};
n -= 32;
}
if (n > 16) *(xmm_t *)(b + n - 16) = (xmm_t){0};
*(xmm_t *)b = (xmm_t){0};
break;
}
bzero(p, n);
}