author | David Benjamin <davidben@google.com> | 2023-10-05 19:04:45 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-10-05 19:04:45 +0000 |
commit | 0cd4f360a2bf43def9783412177bc8de76191cbf (patch) | |
tree | 9d109b9905a435441c526fff441305d47aedb17e | |
parent | ba77e6e05f3e1cb9f56184247b77f407d5c27096 (diff) | |
parent | 42faec796186ca96e8058f8ef31fc3078ea87442 (diff) | |
external/boringssl: Sync to bd20800c22fc8402611b537287bd6948c3f2a5a8. am: f6ac0ed653 am: c2df482881 am: 42faec7961
Original change: https://android-review.googlesource.com/c/platform/external/boringssl/+/2769981
Change-Id: I2638dfd26392d1292daf94bbe7279f3399af8eaa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
180 files changed, 6986 insertions, 4047 deletions
@@ -620,6 +620,8 @@ cc_test { name: "boringssl_crypto_test", test_config: "CryptoNativeTests.xml", host_supported: false, + vendor_available: false, + product_available: false, per_testcase_directory: true, compile_multilib: "both", multilib: { @@ -637,7 +639,10 @@ cc_test { whole_static_libs: ["boringssl_test_support"], // Statically link the library to test to ensure we always pick up the // correct version regardless of device linker configuration. - static_libs: ["libcrypto_static"], + static_libs: [ + "libcrypto_static", + "libgmock_ndk", + ], target: { android: { test_suites: ["mts-conscrypt"], @@ -649,6 +654,8 @@ cc_test { name: "boringssl_ssl_test", test_config: "SslNativeTests.xml", host_supported: false, + vendor_available: false, + product_available: false, per_testcase_directory: true, compile_multilib: "both", multilib: { @@ -668,6 +675,7 @@ cc_test { // correct version regardless of device linker configuration. static_libs: [ "libcrypto_static", + "libgmock_ndk", "libssl", ], target: { diff --git a/BORINGSSL_REVISION b/BORINGSSL_REVISION index 9957c57e..9b2c4efc 100644 --- a/BORINGSSL_REVISION +++ b/BORINGSSL_REVISION @@ -1 +1 @@ -e28988ecaa5e72523a982915084c9422e495116d +bd20800c22fc8402611b537287bd6948c3f2a5a8 diff --git a/BUILD.generated.bzl b/BUILD.generated.bzl index 50246de6..55622b26 100644 --- a/BUILD.generated.bzl +++ b/BUILD.generated.bzl @@ -346,7 +346,6 @@ crypto_sources = [ "src/crypto/cpu_aarch64_openbsd.c", "src/crypto/cpu_aarch64_sysreg.c", "src/crypto/cpu_aarch64_win.c", - "src/crypto/cpu_arm.c", "src/crypto/cpu_arm_freebsd.c", "src/crypto/cpu_arm_linux.c", "src/crypto/cpu_intel.c", 
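Review bot: The added `vendor_available: false,` and `product_available: false,` lines in the `boringssl_crypto_test` hunk, and again in the `boringssl_ssl_test` hunk, carry no comment saying why these tests are excluded from the vendor and product variants, so a later sync could drop or flip them without anyone noticing; a one-line comment above each pair, for example `// System variant only: <reason, to be filled in by the author>`, would record the intent. In the same two modules the existing comment "Statically link the library to test to ensure we always pick up the correct version regardless of device linker configuration" now sits directly above a `static_libs` list that also contains `libgmock_ndk`, which is test scaffolding rather than the library under test. Since that comment is what tells a reader which revision the `mts-conscrypt` suite actually exercises, it should be reworded to name `libcrypto_static` explicitly, or `libgmock_ndk` should get its own short comment such as `// Test framework dependency, not the code under test.`. Both `cc_test` bodies start and end outside the hunks shown, so whether other properties already explain the variant restriction cannot be seen from here.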
@@ -695,14 +694,15 @@ pki_sources = [ "src/pki/crl.cc", "src/pki/encode_values.cc", "src/pki/extended_key_usage.cc", - "src/pki/fillins/base64.cc", - "src/pki/fillins/ip_address.cc", + "src/pki/fillins/fillins_base64.cc", + "src/pki/fillins/fillins_string_util.cc", "src/pki/fillins/openssl_util.cc", - "src/pki/fillins/string_util.cc", - "src/pki/fillins/utf_string_conversions.cc", "src/pki/general_names.cc", "src/pki/input.cc", + "src/pki/ip_util.cc", "src/pki/name_constraints.cc", + "src/pki/ocsp.cc", + "src/pki/ocsp_verify_result.cc", "src/pki/parse_certificate.cc", "src/pki/parse_name.cc", "src/pki/parse_values.cc", diff --git a/BUILD.generated_tests.bzl b/BUILD.generated_tests.bzl index bb81b785..423c6b0a 100644 --- a/BUILD.generated_tests.bzl +++ b/BUILD.generated_tests.bzl @@ -136,6 +136,7 @@ crypto_test_sources = [ "src/crypto/pkcs8/pkcs8_test.cc", "src/crypto/poly1305/poly1305_test.cc", "src/crypto/pool/pool_test.cc", + "src/crypto/rand_extra/getentropy_test.cc", "src/crypto/rand_extra/rand_test.cc", "src/crypto/refcount_test.cc", "src/crypto/rsa_extra/rsa_test.cc", @@ -169,9 +170,11 @@ pki_test_sources = [ "src/pki/fillins/path_service.cc", "src/pki/general_names_unittest.cc", "src/pki/input_unittest.cc", + "src/pki/ip_util_unittest.cc", "src/pki/mock_signature_verify_cache.cc", "src/pki/name_constraints_unittest.cc", "src/pki/nist_pkits_unittest.cc", + "src/pki/ocsp_unittest.cc", "src/pki/parse_certificate_unittest.cc", "src/pki/parse_name_unittest.cc", "src/pki/parse_values_unittest.cc", 
@@ -562,6 +565,7 @@ pki_test_data = [ "src/pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_2.pem", "src/pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_3.pem", "src/pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_4.pem", + "src/pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem", "src/pki/testdata/name_constraints_unittest/ipaddress-permit_all.pem", "src/pki/testdata/name_constraints_unittest/ipaddress-permit_prefix1.pem", "src/pki/testdata/name_constraints_unittest/ipaddress-permit_prefix31.pem", @@ -1504,6 +1508,9 @@ pki_test_data = [ "src/pki/testdata/ssl/certificates/duplicate_cn_1.pem", "src/pki/testdata/ssl/certificates/duplicate_cn_2.p12", "src/pki/testdata/ssl/certificates/duplicate_cn_2.pem", + "src/pki/testdata/ssl/certificates/ec-prime256v1-1.key", + "src/pki/testdata/ssl/certificates/ec-prime256v1-2.key", + "src/pki/testdata/ssl/certificates/ec-prime256v1-3.key", "src/pki/testdata/ssl/certificates/eku-test-root.pem", "src/pki/testdata/ssl/certificates/ev_test.pem", "src/pki/testdata/ssl/certificates/ev_test_state_only.pem", 
@@ -1582,6 +1589,16 @@ pki_test_data = [ "src/pki/testdata/ssl/certificates/redundant-validated-chain-root.pem", "src/pki/testdata/ssl/certificates/redundant-validated-chain.pem", "src/pki/testdata/ssl/certificates/root_ca_cert.pem", + "src/pki/testdata/ssl/certificates/rsa-1024-1.key", + "src/pki/testdata/ssl/certificates/rsa-1024-2.key", + "src/pki/testdata/ssl/certificates/rsa-1024-3.key", + "src/pki/testdata/ssl/certificates/rsa-2048-1.key", + "src/pki/testdata/ssl/certificates/rsa-2048-2.key", + "src/pki/testdata/ssl/certificates/rsa-2048-3.key", + "src/pki/testdata/ssl/certificates/rsa-768-1.key", + "src/pki/testdata/ssl/certificates/rsa-768-2.key", + "src/pki/testdata/ssl/certificates/rsa-768-3.key", + "src/pki/testdata/ssl/certificates/rsa-8200-1.key", "src/pki/testdata/ssl/certificates/salesforce_com_test.pem", "src/pki/testdata/ssl/certificates/self-signed-invalid-name.pem", "src/pki/testdata/ssl/certificates/self-signed-invalid-sig.pem", diff --git a/CMakeLists.txt b/CMakeLists.txt index 68380aff..88712b8d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -14,7 +14,7 @@ # This file is created by generate_build_files.py. Do not edit manually. -cmake_minimum_required(VERSION 3.10) +cmake_minimum_required(VERSION 3.12) project(BoringSSL LANGUAGES C CXX) @@ -337,7 +337,6 @@ add_library( src/crypto/cpu_aarch64_openbsd.c src/crypto/cpu_aarch64_sysreg.c src/crypto/cpu_aarch64_win.c - src/crypto/cpu_arm.c src/crypto/cpu_arm_freebsd.c src/crypto/cpu_arm_linux.c src/crypto/cpu_intel.c diff --git a/android-sources.cmake b/android-sources.cmake index 8181d48c..82631d02 100644 --- a/android-sources.cmake +++ b/android-sources.cmake 
@@ -85,7 +85,6 @@ set(crypto_sources ${BORINGSSL_ROOT}src/crypto/cpu_aarch64_openbsd.c ${BORINGSSL_ROOT}src/crypto/cpu_aarch64_sysreg.c ${BORINGSSL_ROOT}src/crypto/cpu_aarch64_win.c - ${BORINGSSL_ROOT}src/crypto/cpu_arm.c ${BORINGSSL_ROOT}src/crypto/cpu_arm_freebsd.c ${BORINGSSL_ROOT}src/crypto/cpu_arm_linux.c ${BORINGSSL_ROOT}src/crypto/cpu_intel.c @@ -537,6 +536,7 @@ set(crypto_test_sources ${BORINGSSL_ROOT}src/crypto/pkcs8/pkcs8_test.cc ${BORINGSSL_ROOT}src/crypto/poly1305/poly1305_test.cc ${BORINGSSL_ROOT}src/crypto/pool/pool_test.cc + ${BORINGSSL_ROOT}src/crypto/rand_extra/getentropy_test.cc ${BORINGSSL_ROOT}src/crypto/rand_extra/rand_test.cc ${BORINGSSL_ROOT}src/crypto/refcount_test.cc ${BORINGSSL_ROOT}src/crypto/rsa_extra/rsa_test.cc 
@@ -557,195 +557,3 @@ set(ssl_test_sources ${BORINGSSL_ROOT}src/ssl/ssl_c_test.c ${BORINGSSL_ROOT}src/ssl/ssl_test.cc ) -set(crypto_sources_apple_aarch64 - ${BORINGSSL_ROOT}apple-aarch64/crypto/chacha/chacha-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/aesv8-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/armv8-mont-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/bn-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/ghash-neon-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/ghashv8-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/p256-armv8-asm-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/sha1-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/sha256-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/sha512-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/fipsmodule/vpaes-armv8-apple.S - ${BORINGSSL_ROOT}apple-aarch64/crypto/test/trampoline-armv8-apple.S -) -set(crypto_sources_apple_arm - ${BORINGSSL_ROOT}apple-arm/crypto/chacha/chacha-armv4-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/aesv8-armv7-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/armv4-mont-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/bsaes-armv7-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/ghash-armv4-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/ghashv8-armv7-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/sha1-armv4-large-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/sha256-armv4-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/sha512-armv4-apple.S - ${BORINGSSL_ROOT}apple-arm/crypto/fipsmodule/vpaes-armv7-apple.S - 
${BORINGSSL_ROOT}apple-arm/crypto/test/trampoline-armv4-apple.S -) -set(crypto_sources_apple_x86 - ${BORINGSSL_ROOT}apple-x86/crypto/chacha/chacha-x86-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/aesni-x86-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/bn-586-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/co-586-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/ghash-ssse3-x86-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/ghash-x86-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/md5-586-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/sha1-586-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/sha256-586-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/sha512-586-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/vpaes-x86-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/fipsmodule/x86-mont-apple.S - ${BORINGSSL_ROOT}apple-x86/crypto/test/trampoline-x86-apple.S -) -set(crypto_sources_apple_x86_64 - ${BORINGSSL_ROOT}apple-x86_64/crypto/chacha/chacha-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/aesni-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/ghash-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/md5-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/p256-x86_64-asm-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/rdrand-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/rsaz-avx2-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/sha1-x86_64-apple.S - 
${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/sha256-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/sha512-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/vpaes-x86_64-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/x86_64-mont-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/fipsmodule/x86_64-mont5-apple.S - ${BORINGSSL_ROOT}apple-x86_64/crypto/test/trampoline-x86_64-apple.S - ${BORINGSSL_ROOT}src/third_party/fiat/asm/fiat_curve25519_adx_mul.S - ${BORINGSSL_ROOT}src/third_party/fiat/asm/fiat_curve25519_adx_square.S -) -set(crypto_sources_linux_aarch64 - ${BORINGSSL_ROOT}linux-aarch64/crypto/chacha/chacha-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/aesv8-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/armv8-mont-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/bn-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/ghash-neon-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/ghashv8-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/p256-armv8-asm-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/sha1-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/sha256-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/sha512-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/fipsmodule/vpaes-armv8-linux.S - ${BORINGSSL_ROOT}linux-aarch64/crypto/test/trampoline-armv8-linux.S -) -set(crypto_sources_linux_arm - ${BORINGSSL_ROOT}linux-arm/crypto/chacha/chacha-armv4-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/aesv8-armv7-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/armv4-mont-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/bsaes-armv7-linux.S - 
${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/ghash-armv4-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/ghashv8-armv7-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/sha1-armv4-large-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/sha256-armv4-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/sha512-armv4-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/fipsmodule/vpaes-armv7-linux.S - ${BORINGSSL_ROOT}linux-arm/crypto/test/trampoline-armv4-linux.S - ${BORINGSSL_ROOT}src/crypto/curve25519/asm/x25519-asm-arm.S - ${BORINGSSL_ROOT}src/crypto/poly1305/poly1305_arm_asm.S -) -set(crypto_sources_linux_x86 - ${BORINGSSL_ROOT}linux-x86/crypto/chacha/chacha-x86-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/aesni-x86-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/bn-586-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/co-586-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/ghash-ssse3-x86-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/ghash-x86-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/md5-586-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/sha1-586-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/sha256-586-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/sha512-586-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/vpaes-x86-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/fipsmodule/x86-mont-linux.S - ${BORINGSSL_ROOT}linux-x86/crypto/test/trampoline-x86-linux.S -) -set(crypto_sources_linux_x86_64 - ${BORINGSSL_ROOT}linux-x86_64/crypto/chacha/chacha-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/aesni-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-linux.S - 
${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/ghash-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/md5-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/p256-x86_64-asm-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/rdrand-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/rsaz-avx2-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/sha1-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/sha256-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/sha512-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/vpaes-x86_64-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/x86_64-mont-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/fipsmodule/x86_64-mont5-linux.S - ${BORINGSSL_ROOT}linux-x86_64/crypto/test/trampoline-x86_64-linux.S - ${BORINGSSL_ROOT}src/crypto/hrss/asm/poly_rq_mul.S - ${BORINGSSL_ROOT}src/third_party/fiat/asm/fiat_curve25519_adx_mul.S - ${BORINGSSL_ROOT}src/third_party/fiat/asm/fiat_curve25519_adx_square.S -) -set(crypto_sources_win_aarch64 - ${BORINGSSL_ROOT}win-aarch64/crypto/chacha/chacha-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/aesv8-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/armv8-mont-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/bn-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/ghash-neon-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/ghashv8-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/p256-armv8-asm-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/sha1-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/sha256-armv8-win.S - 
${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/sha512-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/fipsmodule/vpaes-armv8-win.S - ${BORINGSSL_ROOT}win-aarch64/crypto/test/trampoline-armv8-win.S -) -set(crypto_sources_win_x86 - ${BORINGSSL_ROOT}win-x86/crypto/chacha/chacha-x86-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/aesni-x86-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/bn-586-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/co-586-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/ghash-ssse3-x86-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/ghash-x86-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/md5-586-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/sha1-586-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/sha256-586-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/sha512-586-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/vpaes-x86-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/fipsmodule/x86-mont-win.asm - ${BORINGSSL_ROOT}win-x86/crypto/test/trampoline-x86-win.asm -) -set(crypto_sources_win_x86_64 - ${BORINGSSL_ROOT}win-x86_64/crypto/chacha/chacha-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/aesni-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/ghash-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/md5-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/p256-x86_64-asm-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/rdrand-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/rsaz-avx2-win.asm - 
${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/sha1-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/sha256-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/sha512-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/vpaes-x86_64-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/x86_64-mont-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/fipsmodule/x86_64-mont5-win.asm - ${BORINGSSL_ROOT}win-x86_64/crypto/test/trampoline-x86_64-win.asm -) diff --git a/apple-x86_64/crypto/chacha/chacha-x86_64-apple.S b/apple-x86_64/crypto/chacha/chacha-x86_64-apple.S index b80364b7..2c469264 100644 --- a/apple-x86_64/crypto/chacha/chacha-x86_64-apple.S +++ b/apple-x86_64/crypto/chacha/chacha-x86_64-apple.S @@ -320,7 +320,7 @@ L$done: leaq (%rsi),%rsp L$no_data: - .byte 0xf3,0xc3 + ret @@ -457,7 +457,7 @@ L$done_ssse3: leaq (%r9),%rsp L$ssse3_epilogue: - .byte 0xf3,0xc3 + ret @@ -1009,7 +1009,7 @@ L$done4x: leaq (%r9),%rsp L$4x_epilogue: - .byte 0xf3,0xc3 + ret @@ -1615,7 +1615,7 @@ L$done8x: leaq (%r9),%rsp L$8x_epilogue: - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-apple.S b/apple-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-apple.S index df3a561d..188ce564 100644 --- a/apple-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-apple.S +++ b/apple-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-apple.S @@ -62,7 +62,7 @@ GFMUL: vpxor %xmm4,%xmm3,%xmm2 vpxor %xmm5,%xmm2,%xmm0 - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_htable_init @@ -89,7 +89,7 @@ _CET_ENDBR vmovdqa %xmm0,96(%rdi) call GFMUL vmovdqa %xmm0,112(%rdi) - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_htable6_init @@ -112,7 +112,7 @@ _CET_ENDBR vmovdqa %xmm0,64(%rdi) call GFMUL vmovdqa %xmm0,80(%rdi) - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_htable_polyval @@ -124,7 +124,7 @@ _aesgcmsiv_htable_polyval: _CET_ENDBR testq %rdx,%rdx jnz L$htable_polyval_start - .byte 0xf3,0xc3 + ret L$htable_polyval_start: vzeroall 
@@ -330,7 +330,7 @@ L$htable_polyval_out: vmovdqu %xmm1,(%rcx) vzeroupper - .byte 0xf3,0xc3 + ret .globl _aesgcmsiv_polyval_horner @@ -342,7 +342,7 @@ _aesgcmsiv_polyval_horner: _CET_ENDBR testq %rcx,%rcx jnz L$polyval_horner_start - .byte 0xf3,0xc3 + ret L$polyval_horner_start: @@ -364,7 +364,7 @@ L$polyval_horner_loop: vmovdqa %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_aes_ks @@ -421,7 +421,7 @@ L$ks128_loop: vpxor %xmm3,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_aes_ks @@ -470,7 +470,7 @@ L$ks256_loop: vpxor %xmm4,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_aes_ks_enc_x1 .private_extern _aes128gcmsiv_aes_ks_enc_x1 @@ -612,7 +612,7 @@ _CET_ENDBR vmovdqa %xmm4,0(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_kdf @@ -706,7 +706,7 @@ _CET_ENDBR vmovdqa %xmm10,16(%rsi) vmovdqa %xmm11,32(%rsi) vmovdqa %xmm12,48(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_enc_msg_x4 @@ -718,7 +718,7 @@ _aes128gcmsiv_enc_msg_x4: _CET_ENDBR testq %r8,%r8 jnz L$128_enc_msg_x4_start - .byte 0xf3,0xc3 + ret L$128_enc_msg_x4_start: pushq %r12 @@ -882,7 +882,7 @@ L$128_enc_msg_x4_out: popq %r12 - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_enc_msg_x8 @@ -894,7 +894,7 @@ _aes128gcmsiv_enc_msg_x8: _CET_ENDBR testq %r8,%r8 jnz L$128_enc_msg_x8_start - .byte 0xf3,0xc3 + ret L$128_enc_msg_x8_start: pushq %r12 @@ -1138,7 +1138,7 @@ L$128_enc_msg_x8_out: popq %r12 - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_dec @@ -1150,7 +1150,7 @@ _aes128gcmsiv_dec: _CET_ENDBR testq $~15,%r9 jnz L$128_dec_start - .byte 0xf3,0xc3 + ret L$128_dec_start: vzeroupper @@ -1631,7 +1631,7 @@ L$128_dec_loop2: L$128_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .globl _aes128gcmsiv_ecb_enc_block @@ -1657,7 +1657,7 @@ _CET_ENDBR vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_aes_ks_enc_x1 
@@ -1841,7 +1841,7 @@ _CET_ENDBR vmovdqu %xmm1,224(%rdx) vmovdqa %xmm8,(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_ecb_enc_block @@ -1868,7 +1868,7 @@ _CET_ENDBR vaesenc 208(%rdx),%xmm1,%xmm1 vaesenclast 224(%rdx),%xmm1,%xmm1 vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_enc_msg_x4 @@ -1880,7 +1880,7 @@ _aes256gcmsiv_enc_msg_x4: _CET_ENDBR testq %r8,%r8 jnz L$256_enc_msg_x4_start - .byte 0xf3,0xc3 + ret L$256_enc_msg_x4_start: movq %r8,%r10 @@ -2070,7 +2070,7 @@ L$256_enc_msg_x4_loop2: jne L$256_enc_msg_x4_loop2 L$256_enc_msg_x4_out: - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_enc_msg_x8 @@ -2082,7 +2082,7 @@ _aes256gcmsiv_enc_msg_x8: _CET_ENDBR testq %r8,%r8 jnz L$256_enc_msg_x8_start - .byte 0xf3,0xc3 + ret L$256_enc_msg_x8_start: @@ -2359,7 +2359,7 @@ L$256_enc_msg_x8_loop2: jnz L$256_enc_msg_x8_loop2 L$256_enc_msg_x8_out: - .byte 0xf3,0xc3 + ret @@ -2372,7 +2372,7 @@ _aes256gcmsiv_dec: _CET_ENDBR testq $~15,%r9 jnz L$256_dec_start - .byte 0xf3,0xc3 + ret L$256_dec_start: vzeroupper @@ -2921,7 +2921,7 @@ L$256_dec_loop2: L$256_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .globl _aes256gcmsiv_kdf @@ -3073,7 +3073,7 @@ _CET_ENDBR vmovdqa %xmm11,48(%rsi) vmovdqa %xmm12,64(%rsi) vmovdqa %xmm13,80(%rsi) - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-apple.S b/apple-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-apple.S index efe05de3..e4a72025 100644 --- a/apple-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-apple.S +++ b/apple-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-apple.S @@ -103,7 +103,7 @@ L$poly_fast_tls_ad: adcq %r9,%r11 adcq $0,%r12 - .byte 0xf3,0xc3 + ret L$hash_ad_loop: cmpq $16,%r8 @@ -212,7 +212,7 @@ L$hash_ad_tail_loop: L$hash_ad_done: - .byte 0xf3,0xc3 + ret @@ -1847,7 +1847,7 @@ L$open_sse_finalize: popq %rbp - .byte 0xf3,0xc3 + ret L$open_sse_128: @@ -3899,7 +3899,7 @@ L$do_length_block: popq %rbp - .byte 0xf3,0xc3 + ret L$seal_sse_128: 
diff --git a/apple-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-apple.S index c946f93f..e1247bc8 100644 --- a/apple-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-apple.S @@ -336,7 +336,7 @@ L$6x_done: vpxor 16+8(%rsp),%xmm8,%xmm8 vpxor %xmm4,%xmm8,%xmm8 - .byte 0xf3,0xc3 + ret .globl _aesni_gcm_decrypt @@ -459,7 +459,7 @@ L$dec_no_key_aliasing: popq %rbp L$gcm_dec_abort: - .byte 0xf3,0xc3 + ret @@ -530,7 +530,7 @@ L$oop_ctr32: vmovups %xmm14,80(%rsi) leaq 96(%rsi),%rsi - .byte 0xf3,0xc3 + ret .p2align 5 L$handle_ctr32_2: vpshufb %xmm0,%xmm1,%xmm6 @@ -846,7 +846,7 @@ L$enc_no_key_aliasing: popq %rbp L$gcm_enc_abort: - .byte 0xf3,0xc3 + ret diff --git a/apple-x86_64/crypto/fipsmodule/aesni-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/aesni-x86_64-apple.S index ec9030a1..b8ba9106 100644 --- a/apple-x86_64/crypto/fipsmodule/aesni-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/aesni-x86_64-apple.S @@ -34,7 +34,7 @@ L$oop_enc1_1: pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret @@ -62,7 +62,7 @@ L$oop_dec1_2: pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret @@ -93,7 +93,7 @@ L$enc_loop2: .byte 102,15,56,220,217 .byte 102,15,56,221,208 .byte 102,15,56,221,216 - .byte 0xf3,0xc3 + ret @@ -124,7 +124,7 @@ L$dec_loop2: .byte 102,15,56,222,217 .byte 102,15,56,223,208 .byte 102,15,56,223,216 - .byte 0xf3,0xc3 + ret @@ -160,7 +160,7 @@ L$enc_loop3: .byte 102,15,56,221,208 .byte 102,15,56,221,216 .byte 102,15,56,221,224 - .byte 0xf3,0xc3 + ret @@ -196,7 +196,7 @@ L$dec_loop3: .byte 102,15,56,223,208 .byte 102,15,56,223,216 .byte 102,15,56,223,224 - .byte 0xf3,0xc3 + ret @@ -238,7 +238,7 @@ L$enc_loop4: .byte 102,15,56,221,216 .byte 102,15,56,221,224 .byte 102,15,56,221,232 - .byte 0xf3,0xc3 + ret 
@@ -280,7 +280,7 @@ L$dec_loop4: .byte 102,15,56,223,216 .byte 102,15,56,223,224 .byte 102,15,56,223,232 - .byte 0xf3,0xc3 + ret @@ -336,7 +336,7 @@ L$enc_loop6_enter: .byte 102,15,56,221,232 .byte 102,15,56,221,240 .byte 102,15,56,221,248 - .byte 0xf3,0xc3 + ret @@ -392,7 +392,7 @@ L$dec_loop6_enter: .byte 102,15,56,223,232 .byte 102,15,56,223,240 .byte 102,15,56,223,248 - .byte 0xf3,0xc3 + ret @@ -458,7 +458,7 @@ L$enc_loop8_enter: .byte 102,15,56,221,248 .byte 102,68,15,56,221,192 .byte 102,68,15,56,221,200 - .byte 0xf3,0xc3 + ret @@ -524,7 +524,7 @@ L$dec_loop8_enter: .byte 102,15,56,223,248 .byte 102,68,15,56,223,192 .byte 102,68,15,56,223,200 - .byte 0xf3,0xc3 + ret .globl _aes_hw_ecb_encrypt @@ -870,7 +870,7 @@ L$ecb_dec_six: L$ecb_ret: xorps %xmm0,%xmm0 pxor %xmm1,%xmm1 - .byte 0xf3,0xc3 + ret .globl _aes_hw_ctr32_encrypt_blocks @@ -1456,7 +1456,7 @@ L$ctr32_done: leaq (%r11),%rsp L$ctr32_epilogue: - .byte 0xf3,0xc3 + ret .globl _aes_hw_cbc_encrypt @@ -2050,7 +2050,7 @@ L$cbc_dec_ret: leaq (%r11),%rsp L$cbc_ret: - .byte 0xf3,0xc3 + ret .globl _aes_hw_set_decrypt_key @@ -2095,7 +2095,7 @@ L$dec_key_inverse: L$dec_key_ret: addq $8,%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_set_decrypt_key: @@ -2406,7 +2406,7 @@ L$enc_key_ret: pxor %xmm5,%xmm5 addq $8,%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_set_encrypt_key: @@ -2421,7 +2421,7 @@ L$key_expansion_128_cold: xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .p2align 4 L$key_expansion_192a: @@ -2441,7 +2441,7 @@ L$key_expansion_192b_warm: pxor %xmm1,%xmm0 pshufd $255,%xmm0,%xmm3 pxor %xmm3,%xmm2 - .byte 0xf3,0xc3 + ret .p2align 4 L$key_expansion_192b: @@ -2464,7 +2464,7 @@ L$key_expansion_256a_cold: xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .p2align 4 L$key_expansion_256b: @@ -2477,7 +2477,7 @@ L$key_expansion_256b: xorps %xmm4,%xmm2 shufps $170,%xmm1,%xmm1 xorps %xmm1,%xmm2 - .byte 0xf3,0xc3 + ret .section __DATA,__const 
diff --git a/apple-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-apple.S index f7d5117c..bcbf824f 100644 --- a/apple-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-apple.S @@ -192,7 +192,7 @@ L$oop_row_3: pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret @@ -405,7 +405,7 @@ L$oop_row_6: pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret diff --git a/apple-x86_64/crypto/fipsmodule/ghash-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/ghash-x86_64-apple.S index bcbea651..c17d8f7f 100644 --- a/apple-x86_64/crypto/fipsmodule/ghash-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/ghash-x86_64-apple.S @@ -164,7 +164,7 @@ L$_init_clmul: movdqu %xmm0,64(%rdi) .byte 102,15,58,15,227,8 movdqu %xmm4,80(%rdi) - .byte 0xf3,0xc3 + ret @@ -220,7 +220,7 @@ L$_gmult_clmul: pxor %xmm1,%xmm0 .byte 102,15,56,0,197 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .globl _gcm_ghash_clmul @@ -609,7 +609,7 @@ L$odd_tail: L$done: .byte 102,65,15,56,0,194 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret @@ -721,7 +721,7 @@ L$init_start_avx: vmovdqu %xmm5,-16(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret @@ -1112,7 +1112,7 @@ L$tail_no_xor_avx: vpshufb %xmm13,%xmm10,%xmm10 vmovdqu %xmm10,(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret diff --git a/apple-x86_64/crypto/fipsmodule/md5-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/md5-x86_64-apple.S index 91706823..e4c02415 100644 --- a/apple-x86_64/crypto/fipsmodule/md5-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/md5-x86_64-apple.S @@ -684,7 +684,7 @@ L$end: addq $40,%rsp L$epilogue: - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/fipsmodule/p256-x86_64-asm-apple.S b/apple-x86_64/crypto/fipsmodule/p256-x86_64-asm-apple.S index b148ec47..81cb582f 100644 --- a/apple-x86_64/crypto/fipsmodule/p256-x86_64-asm-apple.S +++ b/apple-x86_64/crypto/fipsmodule/p256-x86_64-asm-apple.S 
@@ -83,7 +83,7 @@ L$neg_body: leaq 16(%rsp),%rsp L$neg_epilogue: - .byte 0xf3,0xc3 + ret @@ -411,7 +411,7 @@ L$ord_mul_body: leaq 48(%rsp),%rsp L$ord_mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -710,7 +710,7 @@ L$oop_ord_sqr: leaq 48(%rsp),%rsp L$ord_sqr_epilogue: - .byte 0xf3,0xc3 + ret @@ -946,7 +946,7 @@ L$ord_mulx_body: leaq 48(%rsp),%rsp L$ord_mulx_epilogue: - .byte 0xf3,0xc3 + ret @@ -1154,7 +1154,7 @@ L$oop_ord_sqrx: leaq 48(%rsp),%rsp L$ord_sqrx_epilogue: - .byte 0xf3,0xc3 + ret @@ -1226,7 +1226,7 @@ L$mul_mont_done: leaq 48(%rsp),%rsp L$mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -1444,7 +1444,7 @@ __ecp_nistz256_mul_montq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1513,7 +1513,7 @@ L$sqr_mont_done: leaq 48(%rsp),%rsp L$sqr_epilogue: - .byte 0xf3,0xc3 + ret @@ -1677,7 +1677,7 @@ __ecp_nistz256_sqr_montq: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1845,7 +1845,7 @@ __ecp_nistz256_mul_montx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -1975,7 +1975,7 @@ __ecp_nistz256_sqr_montx: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -2041,7 +2041,7 @@ L$select_loop_sse_w5: movdqu %xmm5,48(%rdi) movdqu %xmm6,64(%rdi) movdqu %xmm7,80(%rdi) - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_select_w5: @@ -2098,7 +2098,7 @@ L$select_loop_sse_w7: movdqu %xmm3,16(%rdi) movdqu %xmm4,32(%rdi) movdqu %xmm5,48(%rdi) - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_select_w7: @@ -2161,7 +2161,7 @@ L$select_loop_avx2_w5: vmovdqu %ymm3,32(%rdi) vmovdqu %ymm4,64(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_avx2_select_w5: @@ -2243,7 +2243,7 @@ L$select_loop_avx2_w7: vmovdqu %ymm2,0(%rdi) vmovdqu %ymm3,32(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret L$SEH_end_ecp_nistz256_avx2_select_w7: @@ -2277,7 +2277,7 @@ __ecp_nistz256_add_toq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -2310,7 +2310,7 @@ __ecp_nistz256_sub_fromq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret 
@@ -2339,7 +2339,7 @@ __ecp_nistz256_subq: cmovnzq %rcx,%r8 cmovnzq %r10,%r9 - .byte 0xf3,0xc3 + ret @@ -2373,7 +2373,7 @@ __ecp_nistz256_mul_by_2q: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .globl _ecp_nistz256_point_double @@ -2602,7 +2602,7 @@ L$point_double_shortcutq: leaq (%rsi),%rsp L$point_doubleq_epilogue: - .byte 0xf3,0xc3 + ret .globl _ecp_nistz256_point_add @@ -3034,7 +3034,7 @@ L$add_doneq: leaq (%rsi),%rsp L$point_addq_epilogue: - .byte 0xf3,0xc3 + ret .globl _ecp_nistz256_point_add_affine @@ -3363,7 +3363,7 @@ L$add_affineq_body: leaq (%rsi),%rsp L$add_affineq_epilogue: - .byte 0xf3,0xc3 + ret @@ -3397,7 +3397,7 @@ __ecp_nistz256_add_tox: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -3432,7 +3432,7 @@ __ecp_nistz256_sub_fromx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -3463,7 +3463,7 @@ __ecp_nistz256_subx: cmovcq %rcx,%r8 cmovcq %r10,%r9 - .byte 0xf3,0xc3 + ret @@ -3498,7 +3498,7 @@ __ecp_nistz256_mul_by_2x: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret @@ -3720,7 +3720,7 @@ L$point_double_shortcutx: leaq (%rsi),%rsp L$point_doublex_epilogue: - .byte 0xf3,0xc3 + ret @@ -4145,7 +4145,7 @@ L$add_donex: leaq (%rsi),%rsp L$point_addx_epilogue: - .byte 0xf3,0xc3 + ret @@ -4467,7 +4467,7 @@ L$add_affinex_body: leaq (%rsi),%rsp L$add_affinex_epilogue: - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-apple.S b/apple-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-apple.S index 5f91bad7..fc6552c5 100644 --- a/apple-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-apple.S +++ b/apple-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-apple.S @@ -315,7 +315,7 @@ L$beeu_finish: popq %rbp - .byte 0xf3,0xc3 + ret diff --git a/apple-x86_64/crypto/fipsmodule/rdrand-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/rdrand-x86_64-apple.S index b101dbeb..5fdf105f 100644 --- a/apple-x86_64/crypto/fipsmodule/rdrand-x86_64-apple.S 
+++ b/apple-x86_64/crypto/fipsmodule/rdrand-x86_64-apple.S @@ -21,7 +21,7 @@ _CET_ENDBR adcq %rax,%rax movq %rdx,0(%rdi) - .byte 0xf3,0xc3 + ret @@ -48,10 +48,10 @@ L$loop: jnz L$loop L$out: movq $1,%rax - .byte 0xf3,0xc3 + ret L$err: xorq %rax,%rax - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/fipsmodule/rsaz-avx2-apple.S b/apple-x86_64/crypto/fipsmodule/rsaz-avx2-apple.S index 09ce2caa..36723091 100644 --- a/apple-x86_64/crypto/fipsmodule/rsaz-avx2-apple.S +++ b/apple-x86_64/crypto/fipsmodule/rsaz-avx2-apple.S @@ -658,7 +658,7 @@ L$OOP_REDUCE_1024: leaq (%rax),%rsp L$sqr_1024_epilogue: - .byte 0xf3,0xc3 + ret .globl _rsaz_1024_mul_avx2 @@ -1215,7 +1215,7 @@ L$oop_mul_1024: leaq (%rax),%rsp L$mul_1024_epilogue: - .byte 0xf3,0xc3 + ret .globl _rsaz_1024_red2norm_avx2 @@ -1415,7 +1415,7 @@ _CET_ENDBR adcq $0,%r11 movq %rax,120(%rdi) movq %r11,%rax - .byte 0xf3,0xc3 + ret @@ -1577,7 +1577,7 @@ _CET_ENDBR movq %r8,168(%rdi) movq %r8,176(%rdi) movq %r8,184(%rdi) - .byte 0xf3,0xc3 + ret .globl _rsaz_1024_scatter5_avx2 @@ -1605,7 +1605,7 @@ L$oop_scatter_1024: jnz L$oop_scatter_1024 vzeroupper - .byte 0xf3,0xc3 + ret @@ -1728,7 +1728,7 @@ L$oop_gather_1024: vzeroupper leaq (%r11),%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_rsaz_1024_gather5: diff --git a/apple-x86_64/crypto/fipsmodule/sha1-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/sha1-x86_64-apple.S index 51bdebbf..6af67444 100644 --- a/apple-x86_64/crypto/fipsmodule/sha1-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/sha1-x86_64-apple.S @@ -1261,7 +1261,7 @@ L$loop: leaq (%rsi),%rsp L$epilogue: - .byte 0xf3,0xc3 + ret @@ -1431,7 +1431,7 @@ L$oop_shaext: pshufd $27,%xmm1,%xmm1 movdqu %xmm0,(%rdi) movd %xmm1,16(%rdi) - .byte 0xf3,0xc3 + ret @@ -2619,7 +2619,7 @@ L$done_ssse3: leaq (%r11),%rsp L$epilogue_ssse3: - .byte 0xf3,0xc3 + ret @@ -3747,7 +3747,7 @@ L$done_avx: leaq (%r11),%rsp L$epilogue_avx: - .byte 0xf3,0xc3 + ret 
@@ -5440,7 +5440,7 @@ L$done_avx2: leaq (%r11),%rsp L$epilogue_avx2: - .byte 0xf3,0xc3 + ret .section __DATA,__const diff --git a/apple-x86_64/crypto/fipsmodule/sha256-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/sha256-x86_64-apple.S index f2ba0d1a..018af0dd 100644 --- a/apple-x86_64/crypto/fipsmodule/sha256-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/sha256-x86_64-apple.S @@ -1730,7 +1730,7 @@ L$rounds_16_xx: leaq (%rsi),%rsp L$epilogue: - .byte 0xf3,0xc3 + ret .section __DATA,__const @@ -1984,7 +1984,7 @@ L$oop_shaext: movdqu %xmm1,(%rdi) movdqu %xmm2,16(%rdi) - .byte 0xf3,0xc3 + ret @@ -3097,7 +3097,7 @@ L$ssse3_00_47: leaq (%rsi),%rsp L$epilogue_ssse3: - .byte 0xf3,0xc3 + ret @@ -4172,7 +4172,7 @@ L$avx_00_47: leaq (%rsi),%rsp L$epilogue_avx: - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/fipsmodule/sha512-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/sha512-x86_64-apple.S index 9adc2029..6e2e13e7 100644 --- a/apple-x86_64/crypto/fipsmodule/sha512-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/sha512-x86_64-apple.S @@ -1726,7 +1726,7 @@ L$rounds_16_xx: leaq (%rsi),%rsp L$epilogue: - .byte 0xf3,0xc3 + ret .section __DATA,__const @@ -2980,7 +2980,7 @@ L$avx_00_47: leaq (%rsi),%rsp L$epilogue_avx: - .byte 0xf3,0xc3 + ret #endif diff --git a/apple-x86_64/crypto/fipsmodule/vpaes-x86_64-apple.S b/apple-x86_64/crypto/fipsmodule/vpaes-x86_64-apple.S index 041d504f..5aea40f5 100644 --- a/apple-x86_64/crypto/fipsmodule/vpaes-x86_64-apple.S +++ b/apple-x86_64/crypto/fipsmodule/vpaes-x86_64-apple.S @@ -104,7 +104,7 @@ L$enc_entry: movdqa 64(%r11,%r10,1),%xmm1 pxor %xmm4,%xmm0 .byte 102,15,56,0,193 - .byte 0xf3,0xc3 + ret @@ -279,7 +279,7 @@ L$enc2x_entry: pxor %xmm12,%xmm6 .byte 102,15,56,0,193 .byte 102,15,56,0,241 - .byte 0xf3,0xc3 + ret @@ -387,7 +387,7 @@ L$dec_entry: .byte 102,15,56,0,195 pxor %xmm4,%xmm0 .byte 102,15,56,0,194 - .byte 0xf3,0xc3 + ret 
@@ -565,7 +565,7 @@ L$schedule_mangle_last_dec: pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 pxor %xmm7,%xmm7 - .byte 0xf3,0xc3 + ret @@ -594,7 +594,7 @@ _vpaes_schedule_192_smear: pxor %xmm0,%xmm6 movdqa %xmm6,%xmm0 movhlps %xmm1,%xmm6 - .byte 0xf3,0xc3 + ret @@ -672,7 +672,7 @@ _vpaes_schedule_low_round: pxor %xmm7,%xmm0 movdqa %xmm0,%xmm7 - .byte 0xf3,0xc3 + ret @@ -698,7 +698,7 @@ _vpaes_schedule_transform: movdqa 16(%r11),%xmm0 .byte 102,15,56,0,193 pxor %xmm2,%xmm0 - .byte 0xf3,0xc3 + ret @@ -792,7 +792,7 @@ L$schedule_mangle_both: addq $-16,%r8 andq $0x30,%r8 movdqu %xmm3,(%rdx) - .byte 0xf3,0xc3 + ret @@ -820,7 +820,7 @@ _CET_ENDBR movl $0x30,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret @@ -845,7 +845,7 @@ _CET_ENDBR xorl $32,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret @@ -864,7 +864,7 @@ _CET_ENDBR call _vpaes_preheat call _vpaes_encrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret @@ -879,7 +879,7 @@ _CET_ENDBR call _vpaes_preheat call _vpaes_decrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret .globl _vpaes_cbc_encrypt @@ -923,7 +923,7 @@ L$cbc_dec_loop: L$cbc_done: movdqu %xmm6,(%r8) L$cbc_abort: - .byte 0xf3,0xc3 + ret .globl _vpaes_ctr32_encrypt_blocks @@ -987,7 +987,7 @@ L$ctr32_loop: L$ctr32_done: L$ctr32_abort: - .byte 0xf3,0xc3 + ret @@ -1008,7 +1008,7 @@ _vpaes_preheat: movdqa 64(%r10),%xmm12 movdqa 80(%r10),%xmm15 movdqa 96(%r10),%xmm14 - .byte 0xf3,0xc3 + ret diff --git a/apple-x86_64/crypto/fipsmodule/x86_64-mont-apple.S b/apple-x86_64/crypto/fipsmodule/x86_64-mont-apple.S index 30f67773..a4c719c3 100644 --- a/apple-x86_64/crypto/fipsmodule/x86_64-mont-apple.S +++ b/apple-x86_64/crypto/fipsmodule/x86_64-mont-apple.S @@ -261,7 +261,7 @@ L$copy: leaq (%rsi),%rsp L$mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -695,7 +695,7 @@ L$copy4x: leaq (%rsi),%rsp L$mul4x_epilogue: - .byte 0xf3,0xc3 + ret @@ -886,7 +886,7 @@ L$sqr8x_cond_copy: leaq (%rsi),%rsp L$sqr8x_epilogue: - .byte 0xf3,0xc3 + ret 
@@ -1242,7 +1242,7 @@ L$mulx4x_cond_copy: leaq (%rsi),%rsp L$mulx4x_epilogue: - .byte 0xf3,0xc3 + ret .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 diff --git a/apple-x86_64/crypto/fipsmodule/x86_64-mont5-apple.S b/apple-x86_64/crypto/fipsmodule/x86_64-mont5-apple.S index 94ae1407..bd63d91c 100644 --- a/apple-x86_64/crypto/fipsmodule/x86_64-mont5-apple.S +++ b/apple-x86_64/crypto/fipsmodule/x86_64-mont5-apple.S @@ -449,7 +449,7 @@ L$copy: leaq (%rsi),%rsp L$mul_epilogue: - .byte 0xf3,0xc3 + ret @@ -554,7 +554,7 @@ L$mul4x_body: leaq (%rsi),%rsp L$mul4x_epilogue: - .byte 0xf3,0xc3 + ret @@ -1221,7 +1221,7 @@ L$power5_body: leaq (%rsi),%rsp L$power5_epilogue: - .byte 0xf3,0xc3 + ret @@ -2007,7 +2007,7 @@ L$8x_no_tail: cmpq %rdx,%rdi jb L$8x_reduction_loop - .byte 0xf3,0xc3 + ret @@ -2063,7 +2063,7 @@ L$sqr4x_sub_entry: movq %r9,%r10 negq %r9 - .byte 0xf3,0xc3 + ret @@ -2173,7 +2173,7 @@ L$mulx4x_body: leaq (%rsi),%rsp L$mulx4x_epilogue: - .byte 0xf3,0xc3 + ret @@ -2734,7 +2734,7 @@ L$powerx5_body: leaq (%rsi),%rsp L$powerx5_epilogue: - .byte 0xf3,0xc3 + ret @@ -3357,7 +3357,7 @@ L$sqrx8x_no_tail: leaq 64(%rdi,%rcx,1),%rdi cmpq 8+8(%rsp),%r8 jb L$sqrx8x_reduction_loop - .byte 0xf3,0xc3 + ret .p2align 5 @@ -3410,7 +3410,7 @@ L$sqrx4x_sub_entry: negq %r9 - .byte 0xf3,0xc3 + ret .globl _bn_scatter5 @@ -3440,7 +3440,7 @@ L$scatter: subl $1,%esi jnz L$scatter L$scatter_epilogue: - .byte 0xf3,0xc3 + ret @@ -3610,7 +3610,7 @@ L$gather: leaq (%r10),%rsp - .byte 0xf3,0xc3 + ret L$SEH_end_bn_gather5: diff --git a/apple-x86_64/crypto/test/trampoline-x86_64-apple.S b/apple-x86_64/crypto/test/trampoline-x86_64-apple.S index 69320082..7c76d2d7 100644 --- a/apple-x86_64/crypto/test/trampoline-x86_64-apple.S +++ b/apple-x86_64/crypto/test/trampoline-x86_64-apple.S 
@@ -173,7 +173,7 @@ L$call_done: - .byte 0xf3,0xc3 + ret @@ -184,7 +184,7 @@ L$call_done: _abi_test_clobber_rax: _CET_ENDBR xorq %rax,%rax - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_rbx @@ -193,7 +193,7 @@ _CET_ENDBR _abi_test_clobber_rbx: _CET_ENDBR xorq %rbx,%rbx - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_rcx @@ -202,7 +202,7 @@ _CET_ENDBR _abi_test_clobber_rcx: _CET_ENDBR xorq %rcx,%rcx - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_rdx @@ -211,7 +211,7 @@ _CET_ENDBR _abi_test_clobber_rdx: _CET_ENDBR xorq %rdx,%rdx - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_rdi @@ -220,7 +220,7 @@ _CET_ENDBR _abi_test_clobber_rdi: _CET_ENDBR xorq %rdi,%rdi - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_rsi @@ -229,7 +229,7 @@ _CET_ENDBR _abi_test_clobber_rsi: _CET_ENDBR xorq %rsi,%rsi - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_rbp @@ -238,7 +238,7 @@ _CET_ENDBR _abi_test_clobber_rbp: _CET_ENDBR xorq %rbp,%rbp - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r8 @@ -247,7 +247,7 @@ _CET_ENDBR _abi_test_clobber_r8: _CET_ENDBR xorq %r8,%r8 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r9 @@ -256,7 +256,7 @@ _CET_ENDBR _abi_test_clobber_r9: _CET_ENDBR xorq %r9,%r9 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r10 @@ -265,7 +265,7 @@ _CET_ENDBR _abi_test_clobber_r10: _CET_ENDBR xorq %r10,%r10 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r11 @@ -274,7 +274,7 @@ _CET_ENDBR _abi_test_clobber_r11: _CET_ENDBR xorq %r11,%r11 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r12 @@ -283,7 +283,7 @@ _CET_ENDBR _abi_test_clobber_r12: _CET_ENDBR xorq %r12,%r12 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r13 @@ -292,7 +292,7 @@ _CET_ENDBR _abi_test_clobber_r13: _CET_ENDBR xorq %r13,%r13 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r14 @@ -301,7 +301,7 @@ _CET_ENDBR _abi_test_clobber_r14: _CET_ENDBR xorq %r14,%r14 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_r15 
@@ -310,7 +310,7 @@ _CET_ENDBR _abi_test_clobber_r15: _CET_ENDBR xorq %r15,%r15 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm0 @@ -319,7 +319,7 @@ _CET_ENDBR _abi_test_clobber_xmm0: _CET_ENDBR pxor %xmm0,%xmm0 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm1 @@ -328,7 +328,7 @@ _CET_ENDBR _abi_test_clobber_xmm1: _CET_ENDBR pxor %xmm1,%xmm1 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm2 @@ -337,7 +337,7 @@ _CET_ENDBR _abi_test_clobber_xmm2: _CET_ENDBR pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm3 @@ -346,7 +346,7 @@ _CET_ENDBR _abi_test_clobber_xmm3: _CET_ENDBR pxor %xmm3,%xmm3 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm4 @@ -355,7 +355,7 @@ _CET_ENDBR _abi_test_clobber_xmm4: _CET_ENDBR pxor %xmm4,%xmm4 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm5 @@ -364,7 +364,7 @@ _CET_ENDBR _abi_test_clobber_xmm5: _CET_ENDBR pxor %xmm5,%xmm5 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm6 @@ -373,7 +373,7 @@ _CET_ENDBR _abi_test_clobber_xmm6: _CET_ENDBR pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm7 @@ -382,7 +382,7 @@ _CET_ENDBR _abi_test_clobber_xmm7: _CET_ENDBR pxor %xmm7,%xmm7 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm8 @@ -391,7 +391,7 @@ _CET_ENDBR _abi_test_clobber_xmm8: _CET_ENDBR pxor %xmm8,%xmm8 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm9 @@ -400,7 +400,7 @@ _CET_ENDBR _abi_test_clobber_xmm9: _CET_ENDBR pxor %xmm9,%xmm9 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm10 @@ -409,7 +409,7 @@ _CET_ENDBR _abi_test_clobber_xmm10: _CET_ENDBR pxor %xmm10,%xmm10 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm11 @@ -418,7 +418,7 @@ _CET_ENDBR _abi_test_clobber_xmm11: _CET_ENDBR pxor %xmm11,%xmm11 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm12 @@ -427,7 +427,7 @@ _CET_ENDBR _abi_test_clobber_xmm12: _CET_ENDBR pxor %xmm12,%xmm12 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm13 
@@ -436,7 +436,7 @@ _CET_ENDBR _abi_test_clobber_xmm13: _CET_ENDBR pxor %xmm13,%xmm13 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm14 @@ -445,7 +445,7 @@ _CET_ENDBR _abi_test_clobber_xmm14: _CET_ENDBR pxor %xmm14,%xmm14 - .byte 0xf3,0xc3 + ret .globl _abi_test_clobber_xmm15 @@ -454,7 +454,7 @@ _CET_ENDBR _abi_test_clobber_xmm15: _CET_ENDBR pxor %xmm15,%xmm15 - .byte 0xf3,0xc3 + ret @@ -476,7 +476,7 @@ _CET_ENDBR nop popq %r12 - .byte 0xf3,0xc3 + ret @@ -507,7 +507,7 @@ _CET_ENDBR popq %r12 - .byte 0xf3,0xc3 + ret @@ -525,7 +525,7 @@ _CET_ENDBR andq $0x400,%rax shrq $10,%rax cld - .byte 0xf3,0xc3 + ret @@ -536,6 +536,6 @@ _CET_ENDBR _abi_test_set_direction_flag: _CET_ENDBR std - .byte 0xf3,0xc3 + ret #endif @@ -81,7 +81,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x10339666, 0x10341679, 0x10348f93, - 0x10350ccc, + 0x10350cdf, 0x1035968c, 0x103616b6, 0x103696c9, @@ -103,7 +103,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x103e9839, 0x103f1850, 0x103f9863, - 0x10400c90, + 0x10400ca3, 0x10409876, 0x10411894, 0x104198a7, @@ -125,11 +125,12 @@ const uint32_t kOpenSSLReasonValues[] = { 0x104997d7, 0x104a16a1, 0x14320c73, - 0x14328c81, - 0x14330c90, - 0x14338ca2, + 0x14328c94, + 0x14330ca3, + 0x14338cb5, 0x143400b9, 0x143480f7, + 0x14350c81, 0x18320090, 0x18328fe9, 0x183300b9, @@ -163,7 +164,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x18411164, 0x1841912f, 0x1842114e, - 0x18428cd8, + 0x18428c81, 0x1843110a, 0x18439176, 0x18441028, @@ -185,14 +186,14 @@ const uint32_t kOpenSSLReasonValues[] = { 0x2438133b, 0x24389348, 0x2439135b, - 0x28320cc0, + 0x28320cd3, 0x28328ceb, - 0x28330c90, + 0x28330ca3, 0x28338cfe, - 0x28340ccc, + 0x28340cdf, 0x283480b9, 0x283500f7, - 0x28358cd8, + 0x28358c81, 0x2836099a, 0x2c3232d0, 0x2c329372, @@ -676,7 +677,7 @@ const uint32_t kOpenSSLReasonValues[] = { 0x4c3c1574, 0x4c3c9583, 0x4c3d159c, - 0x4c3d8cb3, + 0x4c3d8cc6, 0x4c3e1609, 0x4c3e95ab, 0x4c3f162b, 
@@ -761,12 +762,12 @@ const uint32_t kOpenSSLReasonValues[] = { 0x683480f7, 0x6835099a, 0x6c320f59, - 0x6c328ca2, + 0x6c328cb5, 0x6c330f64, 0x6c338f7d, 0x74320a66, 0x743280b9, - 0x74330cb3, + 0x74330cc6, 0x783209cb, 0x783289e0, 0x783309ec, @@ -981,13 +982,13 @@ const char kOpenSSLReasonStringData[] = "VARIABLE_EXPANSION_TOO_LONG\0" "VARIABLE_HAS_NO_VALUE\0" "BAD_GENERATOR\0" + "INVALID_PARAMETERS\0" "INVALID_PUBKEY\0" "MODULUS_TOO_LARGE\0" "NO_PRIVATE_VALUE\0" "UNKNOWN_HASH\0" "BAD_Q_VALUE\0" "BAD_VERSION\0" - "INVALID_PARAMETERS\0" "MISSING_PARAMETERS\0" "NEED_NEW_SETUP_VALUES\0" "BIGNUM_OUT_OF_RANGE\0" @@ -83,7 +83,6 @@ crypto_sources := \ src/crypto/cpu_aarch64_openbsd.c\ src/crypto/cpu_aarch64_sysreg.c\ src/crypto/cpu_aarch64_win.c\ - src/crypto/cpu_arm.c\ src/crypto/cpu_arm_freebsd.c\ src/crypto/cpu_arm_linux.c\ src/crypto/cpu_intel.c\ 
@@ -474,74 +473,3 @@ tool_sources := \ src/tool/tool.cc\ src/tool/transport_common.cc\ -linux_aarch64_sources := \ - linux-aarch64/crypto/chacha/chacha-armv8-linux.S\ - linux-aarch64/crypto/cipher_extra/chacha20_poly1305_armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/aesv8-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/aesv8-gcm-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/armv8-mont-linux.S\ - linux-aarch64/crypto/fipsmodule/bn-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/ghash-neon-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/ghashv8-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/p256-armv8-asm-linux.S\ - linux-aarch64/crypto/fipsmodule/p256_beeu-armv8-asm-linux.S\ - linux-aarch64/crypto/fipsmodule/sha1-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/sha256-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/sha512-armv8-linux.S\ - linux-aarch64/crypto/fipsmodule/vpaes-armv8-linux.S\ - linux-aarch64/crypto/test/trampoline-armv8-linux.S\ - -linux_arm_sources := \ - linux-arm/crypto/chacha/chacha-armv4-linux.S\ - linux-arm/crypto/fipsmodule/aesv8-armv7-linux.S\ - linux-arm/crypto/fipsmodule/armv4-mont-linux.S\ - linux-arm/crypto/fipsmodule/bsaes-armv7-linux.S\ - linux-arm/crypto/fipsmodule/ghash-armv4-linux.S\ - linux-arm/crypto/fipsmodule/ghashv8-armv7-linux.S\ - linux-arm/crypto/fipsmodule/sha1-armv4-large-linux.S\ - linux-arm/crypto/fipsmodule/sha256-armv4-linux.S\ - linux-arm/crypto/fipsmodule/sha512-armv4-linux.S\ - linux-arm/crypto/fipsmodule/vpaes-armv7-linux.S\ - linux-arm/crypto/test/trampoline-armv4-linux.S\ - src/crypto/curve25519/asm/x25519-asm-arm.S\ - src/crypto/poly1305/poly1305_arm_asm.S\ - -linux_x86_sources := \ - linux-x86/crypto/chacha/chacha-x86-linux.S\ - linux-x86/crypto/fipsmodule/aesni-x86-linux.S\ - linux-x86/crypto/fipsmodule/bn-586-linux.S\ - linux-x86/crypto/fipsmodule/co-586-linux.S\ - linux-x86/crypto/fipsmodule/ghash-ssse3-x86-linux.S\ - linux-x86/crypto/fipsmodule/ghash-x86-linux.S\ - 
linux-x86/crypto/fipsmodule/md5-586-linux.S\ - linux-x86/crypto/fipsmodule/sha1-586-linux.S\ - linux-x86/crypto/fipsmodule/sha256-586-linux.S\ - linux-x86/crypto/fipsmodule/sha512-586-linux.S\ - linux-x86/crypto/fipsmodule/vpaes-x86-linux.S\ - linux-x86/crypto/fipsmodule/x86-mont-linux.S\ - linux-x86/crypto/test/trampoline-x86-linux.S\ - -linux_x86_64_sources := \ - linux-x86_64/crypto/chacha/chacha-x86_64-linux.S\ - linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.S\ - linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/aesni-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/ghash-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/md5-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/p256-x86_64-asm-linux.S\ - linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.S\ - linux-x86_64/crypto/fipsmodule/rdrand-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/rsaz-avx2-linux.S\ - linux-x86_64/crypto/fipsmodule/sha1-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/sha256-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/sha512-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/vpaes-x86_64-linux.S\ - linux-x86_64/crypto/fipsmodule/x86_64-mont-linux.S\ - linux-x86_64/crypto/fipsmodule/x86_64-mont5-linux.S\ - linux-x86_64/crypto/test/trampoline-x86_64-linux.S\ - src/crypto/hrss/asm/poly_rq_mul.S\ - src/third_party/fiat/asm/fiat_curve25519_adx_mul.S\ - src/third_party/fiat/asm/fiat_curve25519_adx_square.S\ - diff --git a/linux-x86_64/crypto/chacha/chacha-x86_64-linux.S b/linux-x86_64/crypto/chacha/chacha-x86_64-linux.S index eac7a00f..ac080cfe 100644 --- a/linux-x86_64/crypto/chacha/chacha-x86_64-linux.S +++ b/linux-x86_64/crypto/chacha/chacha-x86_64-linux.S 
@@ -327,7 +327,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_adjust_cfa_offset -136 .Lno_data: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ChaCha20_ctr32,.-ChaCha20_ctr32 .type ChaCha20_ssse3,@function @@ -464,7 +464,7 @@ ChaCha20_ssse3: leaq (%r9),%rsp .cfi_def_cfa_register rsp .Lssse3_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ChaCha20_ssse3,.-ChaCha20_ssse3 .type ChaCha20_4x,@function @@ -1016,7 +1016,7 @@ ChaCha20_4x: leaq (%r9),%rsp .cfi_def_cfa_register rsp .L4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ChaCha20_4x,.-ChaCha20_4x .type ChaCha20_8x,@function @@ -1622,7 +1622,7 @@ ChaCha20_8x: leaq (%r9),%rsp .cfi_def_cfa_register rsp .L8x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ChaCha20_8x,.-ChaCha20_8x #endif diff --git a/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.S b/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.S index 61cad75d..f5255d34 100644 --- a/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.S +++ b/linux-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-linux.S @@ -62,7 +62,7 @@ GFMUL: vpxor %xmm4,%xmm3,%xmm2 vpxor %xmm5,%xmm2,%xmm0 - .byte 0xf3,0xc3 + ret .cfi_endproc .size GFMUL, .-GFMUL .globl aesgcmsiv_htable_init @@ -89,7 +89,7 @@ _CET_ENDBR vmovdqa %xmm0,96(%rdi) call GFMUL vmovdqa %xmm0,112(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_htable_init, .-aesgcmsiv_htable_init .globl aesgcmsiv_htable6_init @@ -112,7 +112,7 @@ _CET_ENDBR vmovdqa %xmm0,64(%rdi) call GFMUL vmovdqa %xmm0,80(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_htable6_init, .-aesgcmsiv_htable6_init .globl aesgcmsiv_htable_polyval @@ -124,7 +124,7 @@ aesgcmsiv_htable_polyval: _CET_ENDBR testq %rdx,%rdx jnz .Lhtable_polyval_start - .byte 0xf3,0xc3 + ret .Lhtable_polyval_start: vzeroall @@ -330,7 +330,7 @@ _CET_ENDBR vmovdqu %xmm1,(%rcx) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_htable_polyval,.-aesgcmsiv_htable_polyval .globl aesgcmsiv_polyval_horner 
@@ -342,7 +342,7 @@ aesgcmsiv_polyval_horner: _CET_ENDBR testq %rcx,%rcx jnz .Lpolyval_horner_start - .byte 0xf3,0xc3 + ret .Lpolyval_horner_start: @@ -364,7 +364,7 @@ _CET_ENDBR vmovdqa %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesgcmsiv_polyval_horner,.-aesgcmsiv_polyval_horner .globl aes128gcmsiv_aes_ks @@ -421,7 +421,7 @@ _CET_ENDBR vpxor %xmm3,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_aes_ks,.-aes128gcmsiv_aes_ks .globl aes256gcmsiv_aes_ks @@ -470,7 +470,7 @@ _CET_ENDBR vpxor %xmm4,%xmm1,%xmm1 vpxor %xmm2,%xmm1,%xmm1 vmovdqa %xmm1,32(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .globl aes128gcmsiv_aes_ks_enc_x1 .hidden aes128gcmsiv_aes_ks_enc_x1 @@ -612,7 +612,7 @@ _CET_ENDBR vmovdqa %xmm4,0(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_aes_ks_enc_x1,.-aes128gcmsiv_aes_ks_enc_x1 .globl aes128gcmsiv_kdf @@ -706,7 +706,7 @@ _CET_ENDBR vmovdqa %xmm10,16(%rsi) vmovdqa %xmm11,32(%rsi) vmovdqa %xmm12,48(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_kdf,.-aes128gcmsiv_kdf .globl aes128gcmsiv_enc_msg_x4 @@ -718,7 +718,7 @@ aes128gcmsiv_enc_msg_x4: _CET_ENDBR testq %r8,%r8 jnz .L128_enc_msg_x4_start - .byte 0xf3,0xc3 + ret .L128_enc_msg_x4_start: pushq %r12 @@ -886,7 +886,7 @@ _CET_ENDBR popq %r12 .cfi_adjust_cfa_offset -8 .cfi_restore %r12 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_enc_msg_x4,.-aes128gcmsiv_enc_msg_x4 .globl aes128gcmsiv_enc_msg_x8 @@ -898,7 +898,7 @@ aes128gcmsiv_enc_msg_x8: _CET_ENDBR testq %r8,%r8 jnz .L128_enc_msg_x8_start - .byte 0xf3,0xc3 + ret .L128_enc_msg_x8_start: pushq %r12 @@ -1148,7 +1148,7 @@ _CET_ENDBR popq %r12 .cfi_adjust_cfa_offset -8 .cfi_restore %r12 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_enc_msg_x8,.-aes128gcmsiv_enc_msg_x8 .globl aes128gcmsiv_dec @@ -1160,7 +1160,7 @@ aes128gcmsiv_dec: _CET_ENDBR testq $~15,%r9 jnz .L128_dec_start - .byte 0xf3,0xc3 + ret .L128_dec_start: vzeroupper 
@@ -1641,7 +1641,7 @@ _CET_ENDBR .L128_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_dec, .-aes128gcmsiv_dec .globl aes128gcmsiv_ecb_enc_block @@ -1667,7 +1667,7 @@ _CET_ENDBR vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes128gcmsiv_ecb_enc_block,.-aes128gcmsiv_ecb_enc_block .globl aes256gcmsiv_aes_ks_enc_x1 @@ -1851,7 +1851,7 @@ _CET_ENDBR vmovdqu %xmm1,224(%rdx) vmovdqa %xmm8,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_aes_ks_enc_x1,.-aes256gcmsiv_aes_ks_enc_x1 .globl aes256gcmsiv_ecb_enc_block @@ -1878,7 +1878,7 @@ _CET_ENDBR vaesenc 208(%rdx),%xmm1,%xmm1 vaesenclast 224(%rdx),%xmm1,%xmm1 vmovdqa %xmm1,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_ecb_enc_block,.-aes256gcmsiv_ecb_enc_block .globl aes256gcmsiv_enc_msg_x4 @@ -1890,7 +1890,7 @@ aes256gcmsiv_enc_msg_x4: _CET_ENDBR testq %r8,%r8 jnz .L256_enc_msg_x4_start - .byte 0xf3,0xc3 + ret .L256_enc_msg_x4_start: movq %r8,%r10 @@ -2080,7 +2080,7 @@ _CET_ENDBR jne .L256_enc_msg_x4_loop2 .L256_enc_msg_x4_out: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_enc_msg_x4,.-aes256gcmsiv_enc_msg_x4 .globl aes256gcmsiv_enc_msg_x8 @@ -2092,7 +2092,7 @@ aes256gcmsiv_enc_msg_x8: _CET_ENDBR testq %r8,%r8 jnz .L256_enc_msg_x8_start - .byte 0xf3,0xc3 + ret .L256_enc_msg_x8_start: @@ -2369,7 +2369,7 @@ _CET_ENDBR jnz .L256_enc_msg_x8_loop2 .L256_enc_msg_x8_out: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_enc_msg_x8,.-aes256gcmsiv_enc_msg_x8 @@ -2382,7 +2382,7 @@ aes256gcmsiv_dec: _CET_ENDBR testq $~15,%r9 jnz .L256_dec_start - .byte 0xf3,0xc3 + ret .L256_dec_start: vzeroupper @@ -2931,7 +2931,7 @@ _CET_ENDBR .L256_dec_out: vmovdqu %xmm0,(%rdx) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_dec, .-aes256gcmsiv_dec .globl aes256gcmsiv_kdf 
@@ -3083,7 +3083,7 @@ _CET_ENDBR vmovdqa %xmm11,48(%rsi) vmovdqa %xmm12,64(%rsi) vmovdqa %xmm13,80(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes256gcmsiv_kdf, .-aes256gcmsiv_kdf #endif diff --git a/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.S b/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.S index 97a2ce24..ac38f8f7 100644 --- a/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.S +++ b/linux-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-linux.S @@ -104,7 +104,7 @@ poly_hash_ad_internal: adcq %r9,%r11 adcq $0,%r12 - .byte 0xf3,0xc3 + ret .Lhash_ad_loop: cmpq $16,%r8 @@ -213,7 +213,7 @@ poly_hash_ad_internal: .Lhash_ad_done: - .byte 0xf3,0xc3 + ret .cfi_endproc .size poly_hash_ad_internal, .-poly_hash_ad_internal @@ -1862,7 +1862,7 @@ _CET_ENDBR popq %rbp .cfi_adjust_cfa_offset -8 .cfi_restore %rbp - .byte 0xf3,0xc3 + ret .Lopen_sse_128: .cfi_restore_state @@ -3928,7 +3928,7 @@ process_extra_in_trailer: popq %rbp .cfi_adjust_cfa_offset -8 .cfi_restore %rbp - .byte 0xf3,0xc3 + ret .Lseal_sse_128: .cfi_restore_state diff --git a/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-linux.S index be0eaf68..774a8d12 100644 --- a/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-linux.S @@ -336,7 +336,7 @@ _aesni_ctr32_ghash_6x: vpxor 16+8(%rsp),%xmm8,%xmm8 vpxor %xmm4,%xmm8,%xmm8 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_ctr32_ghash_6x,.-_aesni_ctr32_ghash_6x .globl aesni_gcm_decrypt @@ -466,7 +466,7 @@ _CET_ENDBR .cfi_adjust_cfa_offset -8 .cfi_restore %rbp .Lgcm_dec_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aesni_gcm_decrypt,.-aesni_gcm_decrypt @@ -537,7 +537,7 @@ _aesni_ctr32_6x: vmovups %xmm14,80(%rsi) leaq 96(%rsi),%rsi - .byte 0xf3,0xc3 + ret .align 32 .Lhandle_ctr32_2: vpshufb %xmm0,%xmm1,%xmm6 
@@ -861,10 +861,10 @@ _CET_ENDBR .cfi_adjust_cfa_offset -8 .cfi_restore %rbp .Lgcm_enc_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc -.size aesni_gcm_decrypt,.-aesni_gcm_decrypt +.size aesni_gcm_encrypt,.-aesni_gcm_encrypt .section .rodata .align 64 .Lbswap_mask: diff --git a/linux-x86_64/crypto/fipsmodule/aesni-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/aesni-x86_64-linux.S index 6046f5d0..490fe675 100644 --- a/linux-x86_64/crypto/fipsmodule/aesni-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/aesni-x86_64-linux.S @@ -36,7 +36,7 @@ _CET_ENDBR pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_encrypt,.-aes_hw_encrypt @@ -64,7 +64,7 @@ _CET_ENDBR pxor %xmm1,%xmm1 movups %xmm2,(%rsi) pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_decrypt, .-aes_hw_decrypt .type _aesni_encrypt2,@function @@ -95,7 +95,7 @@ _aesni_encrypt2: .byte 102,15,56,220,217 .byte 102,15,56,221,208 .byte 102,15,56,221,216 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt2,.-_aesni_encrypt2 .type _aesni_decrypt2,@function @@ -126,7 +126,7 @@ _aesni_decrypt2: .byte 102,15,56,222,217 .byte 102,15,56,223,208 .byte 102,15,56,223,216 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt2,.-_aesni_decrypt2 .type _aesni_encrypt3,@function @@ -162,7 +162,7 @@ _aesni_encrypt3: .byte 102,15,56,221,208 .byte 102,15,56,221,216 .byte 102,15,56,221,224 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt3,.-_aesni_encrypt3 .type _aesni_decrypt3,@function @@ -198,7 +198,7 @@ _aesni_decrypt3: .byte 102,15,56,223,208 .byte 102,15,56,223,216 .byte 102,15,56,223,224 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt3,.-_aesni_decrypt3 .type _aesni_encrypt4,@function @@ -240,7 +240,7 @@ _aesni_encrypt4: .byte 102,15,56,221,216 .byte 102,15,56,221,224 .byte 102,15,56,221,232 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt4,.-_aesni_encrypt4 .type _aesni_decrypt4,@function 
@@ -282,7 +282,7 @@ _aesni_decrypt4: .byte 102,15,56,223,216 .byte 102,15,56,223,224 .byte 102,15,56,223,232 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt4,.-_aesni_decrypt4 .type _aesni_encrypt6,@function @@ -338,7 +338,7 @@ _aesni_encrypt6: .byte 102,15,56,221,232 .byte 102,15,56,221,240 .byte 102,15,56,221,248 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt6,.-_aesni_encrypt6 .type _aesni_decrypt6,@function @@ -394,7 +394,7 @@ _aesni_decrypt6: .byte 102,15,56,223,232 .byte 102,15,56,223,240 .byte 102,15,56,223,248 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt6,.-_aesni_decrypt6 .type _aesni_encrypt8,@function @@ -460,7 +460,7 @@ _aesni_encrypt8: .byte 102,15,56,221,248 .byte 102,68,15,56,221,192 .byte 102,68,15,56,221,200 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_encrypt8,.-_aesni_encrypt8 .type _aesni_decrypt8,@function @@ -526,7 +526,7 @@ _aesni_decrypt8: .byte 102,15,56,223,248 .byte 102,68,15,56,223,192 .byte 102,68,15,56,223,200 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _aesni_decrypt8,.-_aesni_decrypt8 .globl aes_hw_ecb_encrypt @@ -872,7 +872,7 @@ _CET_ENDBR .Lecb_ret: xorps %xmm0,%xmm0 pxor %xmm1,%xmm1 - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_ecb_encrypt,.-aes_hw_ecb_encrypt .globl aes_hw_ctr32_encrypt_blocks @@ -1458,7 +1458,7 @@ _CET_ENDBR leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lctr32_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks .globl aes_hw_cbc_encrypt @@ -2052,7 +2052,7 @@ _CET_ENDBR leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lcbc_ret: - .byte 0xf3,0xc3 + ret .cfi_endproc .size aes_hw_cbc_encrypt,.-aes_hw_cbc_encrypt .globl aes_hw_set_decrypt_key @@ -2097,7 +2097,7 @@ _CET_ENDBR .Ldec_key_ret: addq $8,%rsp .cfi_adjust_cfa_offset -8 - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_set_decrypt_key: .size aes_hw_set_decrypt_key,.-aes_hw_set_decrypt_key 
@@ -2408,7 +2408,7 @@ _CET_ENDBR pxor %xmm5,%xmm5 addq $8,%rsp .cfi_adjust_cfa_offset -8 - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_set_encrypt_key: @@ -2423,7 +2423,7 @@ _CET_ENDBR xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .align 16 .Lkey_expansion_192a: @@ -2443,7 +2443,7 @@ _CET_ENDBR pxor %xmm1,%xmm0 pshufd $255,%xmm0,%xmm3 pxor %xmm3,%xmm2 - .byte 0xf3,0xc3 + ret .align 16 .Lkey_expansion_192b: @@ -2466,7 +2466,7 @@ _CET_ENDBR xorps %xmm4,%xmm0 shufps $255,%xmm1,%xmm1 xorps %xmm1,%xmm0 - .byte 0xf3,0xc3 + ret .align 16 .Lkey_expansion_256b: @@ -2479,7 +2479,7 @@ _CET_ENDBR xorps %xmm4,%xmm2 shufps $170,%xmm1,%xmm1 xorps %xmm1,%xmm2 - .byte 0xf3,0xc3 + ret .size aes_hw_set_encrypt_key,.-aes_hw_set_encrypt_key .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key .section .rodata diff --git a/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-linux.S index 3b87b479..2acb4489 100644 --- a/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-linux.S @@ -192,7 +192,7 @@ _CET_ENDBR pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_gmult_ssse3,.-gcm_gmult_ssse3 @@ -405,7 +405,7 @@ _CET_ENDBR pxor %xmm4,%xmm4 pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_ghash_ssse3,.-gcm_ghash_ssse3 diff --git a/linux-x86_64/crypto/fipsmodule/ghash-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/ghash-x86_64-linux.S index 5921f1f3..7a8647a1 100644 --- a/linux-x86_64/crypto/fipsmodule/ghash-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/ghash-x86_64-linux.S @@ -165,7 +165,7 @@ _CET_ENDBR movdqu %xmm0,64(%rdi) .byte 102,15,58,15,227,8 movdqu %xmm4,80(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_init_clmul,.-gcm_init_clmul 
@@ -221,7 +221,7 @@ _CET_ENDBR pxor %xmm1,%xmm0 .byte 102,15,56,0,197 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_gmult_clmul,.-gcm_gmult_clmul .globl gcm_ghash_clmul @@ -610,7 +610,7 @@ _CET_ENDBR .Ldone: .byte 102,65,15,56,0,194 movdqu %xmm0,(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_ghash_clmul,.-gcm_ghash_clmul @@ -722,7 +722,7 @@ _CET_ENDBR vmovdqu %xmm5,-16(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_init_avx,.-gcm_init_avx @@ -1113,7 +1113,7 @@ _CET_ENDBR vpshufb %xmm13,%xmm10,%xmm10 vmovdqu %xmm10,(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size gcm_ghash_avx,.-gcm_ghash_avx diff --git a/linux-x86_64/crypto/fipsmodule/md5-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/md5-x86_64-linux.S index 43a786cb..7b93662a 100644 --- a/linux-x86_64/crypto/fipsmodule/md5-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/md5-x86_64-linux.S @@ -689,7 +689,7 @@ _CET_ENDBR addq $40,%rsp .cfi_adjust_cfa_offset -40 .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size md5_block_asm_data_order,.-md5_block_asm_data_order #endif diff --git a/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm-linux.S b/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm-linux.S index 2914d925..b2855433 100644 --- a/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm-linux.S +++ b/linux-x86_64/crypto/fipsmodule/p256-x86_64-asm-linux.S @@ -86,7 +86,7 @@ _CET_ENDBR leaq 16(%rsp),%rsp .cfi_adjust_cfa_offset -16 .Lneg_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_neg,.-ecp_nistz256_neg @@ -420,7 +420,7 @@ _CET_ENDBR leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_mul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_mul_mont,.-ecp_nistz256_ord_mul_mont @@ -725,7 +725,7 @@ _CET_ENDBR leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_sqr_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont 
@@ -967,7 +967,7 @@ ecp_nistz256_ord_mul_montx: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_mulx_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_mul_montx,.-ecp_nistz256_ord_mul_montx @@ -1181,7 +1181,7 @@ ecp_nistz256_ord_sqr_montx: leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lord_sqrx_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_ord_sqr_montx,.-ecp_nistz256_ord_sqr_montx @@ -1259,7 +1259,7 @@ _CET_ENDBR leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lmul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont @@ -1477,7 +1477,7 @@ __ecp_nistz256_mul_montq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq @@ -1552,7 +1552,7 @@ _CET_ENDBR leaq 48(%rsp),%rsp .cfi_adjust_cfa_offset -48 .Lsqr_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont @@ -1716,7 +1716,7 @@ __ecp_nistz256_sqr_montq: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq .type __ecp_nistz256_mul_montx,@function @@ -1884,7 +1884,7 @@ __ecp_nistz256_mul_montx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx @@ -2014,7 +2014,7 @@ __ecp_nistz256_sqr_montx: movq %r14,16(%rdi) movq %r15,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx @@ -2080,7 +2080,7 @@ _CET_ENDBR movdqu %xmm5,48(%rdi) movdqu %xmm6,64(%rdi) movdqu %xmm7,80(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_select_w5: .size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5 
@@ -2137,7 +2137,7 @@ _CET_ENDBR movdqu %xmm3,16(%rdi) movdqu %xmm4,32(%rdi) movdqu %xmm5,48(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_select_w7: .size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 @@ -2200,7 +2200,7 @@ ecp_nistz256_avx2_select_w5: vmovdqu %ymm3,32(%rdi) vmovdqu %ymm4,64(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_avx2_select_w5: .size ecp_nistz256_avx2_select_w5,.-ecp_nistz256_avx2_select_w5 @@ -2282,7 +2282,7 @@ _CET_ENDBR vmovdqu %ymm2,0(%rdi) vmovdqu %ymm3,32(%rdi) vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_ecp_nistz256_avx2_select_w7: .size ecp_nistz256_avx2_select_w7,.-ecp_nistz256_avx2_select_w7 @@ -2316,7 +2316,7 @@ __ecp_nistz256_add_toq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq @@ -2349,7 +2349,7 @@ __ecp_nistz256_sub_fromq: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq @@ -2378,7 +2378,7 @@ __ecp_nistz256_subq: cmovnzq %rcx,%r8 cmovnzq %r10,%r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_subq,.-__ecp_nistz256_subq @@ -2412,7 +2412,7 @@ __ecp_nistz256_mul_by_2q: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q .globl ecp_nistz256_point_double @@ -2647,7 +2647,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_doubleq_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_double,.-ecp_nistz256_point_double .globl ecp_nistz256_point_add @@ -3085,7 +3085,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_addq_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_add,.-ecp_nistz256_point_add .globl ecp_nistz256_point_add_affine 
@@ -3420,7 +3420,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Ladd_affineq_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine .type __ecp_nistz256_add_tox,@function @@ -3454,7 +3454,7 @@ __ecp_nistz256_add_tox: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox @@ -3489,7 +3489,7 @@ __ecp_nistz256_sub_fromx: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx @@ -3520,7 +3520,7 @@ __ecp_nistz256_subx: cmovcq %rcx,%r8 cmovcq %r10,%r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_subx,.-__ecp_nistz256_subx @@ -3555,7 +3555,7 @@ __ecp_nistz256_mul_by_2x: movq %r8,16(%rdi) movq %r9,24(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x .type ecp_nistz256_point_doublex,@function @@ -3783,7 +3783,7 @@ ecp_nistz256_point_doublex: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_doublex_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_doublex,.-ecp_nistz256_point_doublex .type ecp_nistz256_point_addx,@function @@ -4214,7 +4214,7 @@ ecp_nistz256_point_addx: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpoint_addx_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_addx,.-ecp_nistz256_point_addx .type ecp_nistz256_point_add_affinex,@function @@ -4542,7 +4542,7 @@ ecp_nistz256_point_add_affinex: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Ladd_affinex_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size ecp_nistz256_point_add_affinex,.-ecp_nistz256_point_add_affinex #endif diff --git a/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.S b/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.S index a04d80bc..40ae58b5 100644 --- a/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.S 
+++ b/linux-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-linux.S @@ -329,7 +329,7 @@ _CET_ENDBR popq %rbp .cfi_adjust_cfa_offset -8 .cfi_restore rbp - .byte 0xf3,0xc3 + ret .cfi_endproc .size beeu_mod_inverse_vartime, .-beeu_mod_inverse_vartime diff --git a/linux-x86_64/crypto/fipsmodule/rdrand-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/rdrand-x86_64-linux.S index 3648a062..fe81dac3 100644 --- a/linux-x86_64/crypto/fipsmodule/rdrand-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/rdrand-x86_64-linux.S @@ -21,7 +21,7 @@ _CET_ENDBR adcq %rax,%rax movq %rdx,0(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size CRYPTO_rdrand,.-CRYPTO_rdrand @@ -48,10 +48,10 @@ _CET_ENDBR jnz .Lloop .Lout: movq $1,%rax - .byte 0xf3,0xc3 + ret .Lerr: xorq %rax,%rax - .byte 0xf3,0xc3 + ret .cfi_endproc .size CRYPTO_rdrand_multiple8_buf,.-CRYPTO_rdrand_multiple8_buf #endif diff --git a/linux-x86_64/crypto/fipsmodule/rsaz-avx2-linux.S b/linux-x86_64/crypto/fipsmodule/rsaz-avx2-linux.S index ee47d4fd..65a6c2e8 100644 --- a/linux-x86_64/crypto/fipsmodule/rsaz-avx2-linux.S +++ b/linux-x86_64/crypto/fipsmodule/rsaz-avx2-linux.S @@ -658,7 +658,7 @@ _CET_ENDBR leaq (%rax),%rsp .cfi_def_cfa_register %rsp .Lsqr_1024_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_sqr_avx2,.-rsaz_1024_sqr_avx2 .globl rsaz_1024_mul_avx2 @@ -1215,7 +1215,7 @@ _CET_ENDBR leaq (%rax),%rsp .cfi_def_cfa_register %rsp .Lmul_1024_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_mul_avx2,.-rsaz_1024_mul_avx2 .globl rsaz_1024_red2norm_avx2 @@ -1415,7 +1415,7 @@ _CET_ENDBR adcq $0,%r11 movq %rax,120(%rdi) movq %r11,%rax - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_red2norm_avx2,.-rsaz_1024_red2norm_avx2 @@ -1577,7 +1577,7 @@ _CET_ENDBR movq %r8,168(%rdi) movq %r8,176(%rdi) movq %r8,184(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_norm2red_avx2,.-rsaz_1024_norm2red_avx2 .globl rsaz_1024_scatter5_avx2 
@@ -1605,7 +1605,7 @@ _CET_ENDBR jnz .Loop_scatter_1024 vzeroupper - .byte 0xf3,0xc3 + ret .cfi_endproc .size rsaz_1024_scatter5_avx2,.-rsaz_1024_scatter5_avx2 @@ -1728,7 +1728,7 @@ _CET_ENDBR vzeroupper leaq (%r11),%rsp .cfi_def_cfa_register %rsp - .byte 0xf3,0xc3 + ret .cfi_endproc .LSEH_end_rsaz_1024_gather5: .size rsaz_1024_gather5_avx2,.-rsaz_1024_gather5_avx2 diff --git a/linux-x86_64/crypto/fipsmodule/sha1-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/sha1-x86_64-linux.S index 1b64f020..4eb6ac5e 100644 --- a/linux-x86_64/crypto/fipsmodule/sha1-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/sha1-x86_64-linux.S @@ -1262,7 +1262,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order,.-sha1_block_data_order .type sha1_block_data_order_shaext,@function @@ -1432,7 +1432,7 @@ _shaext_shortcut: pshufd $27,%xmm1,%xmm1 movdqu %xmm0,(%rdi) movd %xmm1,16(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_shaext,.-sha1_block_data_order_shaext .type sha1_block_data_order_ssse3,@function @@ -2620,7 +2620,7 @@ _ssse3_shortcut: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lepilogue_ssse3: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_ssse3,.-sha1_block_data_order_ssse3 .type sha1_block_data_order_avx,@function @@ -3748,7 +3748,7 @@ _avx_shortcut: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_avx,.-sha1_block_data_order_avx .type sha1_block_data_order_avx2,@function @@ -5441,7 +5441,7 @@ _avx2_shortcut: leaq (%r11),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx2: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha1_block_data_order_avx2,.-sha1_block_data_order_avx2 .section .rodata diff --git a/linux-x86_64/crypto/fipsmodule/sha256-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/sha256-x86_64-linux.S index 0fac1a2a..2eee2bdf 100644 
--- a/linux-x86_64/crypto/fipsmodule/sha256-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/sha256-x86_64-linux.S @@ -1731,7 +1731,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha256_block_data_order,.-sha256_block_data_order .section .rodata @@ -1985,7 +1985,7 @@ sha256_block_data_order_shaext: movdqu %xmm1,(%rdi) movdqu %xmm2,16(%rdi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha256_block_data_order_shaext,.-sha256_block_data_order_shaext .type sha256_block_data_order_ssse3,@function @@ -3098,7 +3098,7 @@ sha256_block_data_order_ssse3: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue_ssse3: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha256_block_data_order_ssse3,.-sha256_block_data_order_ssse3 .type sha256_block_data_order_avx,@function @@ -4173,7 +4173,7 @@ sha256_block_data_order_avx: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha256_block_data_order_avx,.-sha256_block_data_order_avx #endif diff --git a/linux-x86_64/crypto/fipsmodule/sha512-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/sha512-x86_64-linux.S index 66a60d73..8f7f0e57 100644 --- a/linux-x86_64/crypto/fipsmodule/sha512-x86_64-linux.S +++ b/linux-x86_64/crypto/fipsmodule/sha512-x86_64-linux.S @@ -1727,7 +1727,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha512_block_data_order,.-sha512_block_data_order .section .rodata @@ -2981,7 +2981,7 @@ sha512_block_data_order_avx: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lepilogue_avx: - .byte 0xf3,0xc3 + ret .cfi_endproc .size sha512_block_data_order_avx,.-sha512_block_data_order_avx #endif diff --git a/linux-x86_64/crypto/fipsmodule/vpaes-x86_64-linux.S b/linux-x86_64/crypto/fipsmodule/vpaes-x86_64-linux.S index ad892247..019c6385 100644 --- a/linux-x86_64/crypto/fipsmodule/vpaes-x86_64-linux.S 
+++ b/linux-x86_64/crypto/fipsmodule/vpaes-x86_64-linux.S @@ -104,7 +104,7 @@ _vpaes_encrypt_core: movdqa 64(%r11,%r10,1),%xmm1 pxor %xmm4,%xmm0 .byte 102,15,56,0,193 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_encrypt_core,.-_vpaes_encrypt_core @@ -279,7 +279,7 @@ _vpaes_encrypt_core_2x: pxor %xmm12,%xmm6 .byte 102,15,56,0,193 .byte 102,15,56,0,241 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_encrypt_core_2x,.-_vpaes_encrypt_core_2x @@ -387,7 +387,7 @@ _vpaes_decrypt_core: .byte 102,15,56,0,195 pxor %xmm4,%xmm0 .byte 102,15,56,0,194 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_decrypt_core,.-_vpaes_decrypt_core @@ -565,7 +565,7 @@ _vpaes_schedule_core: pxor %xmm5,%xmm5 pxor %xmm6,%xmm6 pxor %xmm7,%xmm7 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_core,.-_vpaes_schedule_core @@ -594,7 +594,7 @@ _vpaes_schedule_192_smear: pxor %xmm0,%xmm6 movdqa %xmm6,%xmm0 movhlps %xmm1,%xmm6 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear @@ -672,7 +672,7 @@ _vpaes_schedule_low_round: pxor %xmm7,%xmm0 movdqa %xmm0,%xmm7 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_round,.-_vpaes_schedule_round @@ -698,7 +698,7 @@ _vpaes_schedule_transform: movdqa 16(%r11),%xmm0 .byte 102,15,56,0,193 pxor %xmm2,%xmm0 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_transform,.-_vpaes_schedule_transform @@ -792,7 +792,7 @@ _vpaes_schedule_mangle: addq $-16,%r8 andq $0x30,%r8 movdqu %xmm3,(%rdx) - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle @@ -821,7 +821,7 @@ _CET_ENDBR movl $0x30,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key @@ -846,7 +846,7 @@ _CET_ENDBR xorl $32,%r8d call _vpaes_schedule_core xorl %eax,%eax - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key 
@@ -866,7 +866,7 @@ _CET_ENDBR call _vpaes_preheat call _vpaes_encrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_encrypt,.-vpaes_encrypt @@ -881,7 +881,7 @@ _CET_ENDBR call _vpaes_preheat call _vpaes_decrypt_core movdqu %xmm0,(%rsi) - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_decrypt,.-vpaes_decrypt .globl vpaes_cbc_encrypt @@ -925,7 +925,7 @@ _CET_ENDBR .Lcbc_done: movdqu %xmm6,(%r8) .Lcbc_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt .globl vpaes_ctr32_encrypt_blocks @@ -989,7 +989,7 @@ _CET_ENDBR .Lctr32_done: .Lctr32_abort: - .byte 0xf3,0xc3 + ret .cfi_endproc .size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks @@ -1010,7 +1010,7 @@ _vpaes_preheat: movdqa 64(%r10),%xmm12 movdqa 80(%r10),%xmm15 movdqa 96(%r10),%xmm14 - .byte 0xf3,0xc3 + ret .cfi_endproc .size _vpaes_preheat,.-_vpaes_preheat diff --git a/linux-x86_64/crypto/fipsmodule/x86_64-mont-linux.S b/linux-x86_64/crypto/fipsmodule/x86_64-mont-linux.S index 85c592c0..2ff01d34 100644 --- a/linux-x86_64/crypto/fipsmodule/x86_64-mont-linux.S +++ b/linux-x86_64/crypto/fipsmodule/x86_64-mont-linux.S @@ -262,7 +262,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul_mont,.-bn_mul_mont .type bn_mul4x_mont,@function @@ -696,7 +696,7 @@ bn_mul4x_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul4x_mont,.-bn_mul4x_mont .extern bn_sqrx8x_internal @@ -889,7 +889,7 @@ bn_sqr8x_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lsqr8x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_sqr8x_mont,.-bn_sqr8x_mont .type bn_mulx4x_mont,@function 
@@ -1245,7 +1245,7 @@ bn_mulx4x_mont: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmulx4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mulx4x_mont,.-bn_mulx4x_mont .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 diff --git a/linux-x86_64/crypto/fipsmodule/x86_64-mont5-linux.S b/linux-x86_64/crypto/fipsmodule/x86_64-mont5-linux.S index 1f15e9fb..14ab4f72 100644 --- a/linux-x86_64/crypto/fipsmodule/x86_64-mont5-linux.S +++ b/linux-x86_64/crypto/fipsmodule/x86_64-mont5-linux.S @@ -450,7 +450,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul_mont_gather5,.-bn_mul_mont_gather5 .type bn_mul4x_mont_gather5,@function @@ -555,7 +555,7 @@ bn_mul4x_mont_gather5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmul4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mul4x_mont_gather5,.-bn_mul4x_mont_gather5 @@ -1222,7 +1222,7 @@ _CET_ENDBR leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpower5_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_power5,.-bn_power5 @@ -2008,7 +2008,7 @@ __bn_sqr8x_reduction: cmpq %rdx,%rdi jb .L8x_reduction_loop - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_sqr8x_internal,.-bn_sqr8x_internal .type __bn_post4x_internal,@function @@ -2064,7 +2064,7 @@ __bn_post4x_internal: movq %r9,%r10 negq %r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __bn_post4x_internal,.-__bn_post4x_internal .type bn_mulx4x_mont_gather5,@function @@ -2174,7 +2174,7 @@ bn_mulx4x_mont_gather5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lmulx4x_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_mulx4x_mont_gather5,.-bn_mulx4x_mont_gather5 
@@ -2735,7 +2735,7 @@ bn_powerx5: leaq (%rsi),%rsp .cfi_def_cfa_register %rsp .Lpowerx5_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_powerx5,.-bn_powerx5 @@ -3358,7 +3358,7 @@ __bn_sqrx8x_reduction: leaq 64(%rdi,%rcx,1),%rdi cmpq 8+8(%rsp),%r8 jb .Lsqrx8x_reduction_loop - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_sqrx8x_internal,.-bn_sqrx8x_internal .align 32 @@ -3411,7 +3411,7 @@ __bn_postx4x_internal: negq %r9 - .byte 0xf3,0xc3 + ret .cfi_endproc .size __bn_postx4x_internal,.-__bn_postx4x_internal .globl bn_scatter5 @@ -3441,7 +3441,7 @@ _CET_ENDBR subl $1,%esi jnz .Lscatter .Lscatter_epilogue: - .byte 0xf3,0xc3 + ret .cfi_endproc .size bn_scatter5,.-bn_scatter5 @@ -3611,7 +3611,7 @@ _CET_ENDBR leaq (%r10),%rsp .cfi_def_cfa_register %rsp - .byte 0xf3,0xc3 + ret .LSEH_end_bn_gather5: .cfi_endproc .size bn_gather5,.-bn_gather5 diff --git a/linux-x86_64/crypto/test/trampoline-x86_64-linux.S b/linux-x86_64/crypto/test/trampoline-x86_64-linux.S index 38cd8d52..93af8b94 100644 --- a/linux-x86_64/crypto/test/trampoline-x86_64-linux.S +++ b/linux-x86_64/crypto/test/trampoline-x86_64-linux.S @@ -173,7 +173,7 @@ abi_test_unwind_stop: .cfi_adjust_cfa_offset -120 - .byte 0xf3,0xc3 + ret .cfi_endproc .size abi_test_trampoline,.-abi_test_trampoline @@ -184,7 +184,7 @@ abi_test_unwind_stop: abi_test_clobber_rax: _CET_ENDBR xorq %rax,%rax - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rax,.-abi_test_clobber_rax .type abi_test_clobber_rbx, @function .globl abi_test_clobber_rbx @@ -193,7 +193,7 @@ _CET_ENDBR abi_test_clobber_rbx: _CET_ENDBR xorq %rbx,%rbx - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rbx,.-abi_test_clobber_rbx .type abi_test_clobber_rcx, @function .globl abi_test_clobber_rcx @@ -202,7 +202,7 @@ _CET_ENDBR abi_test_clobber_rcx: _CET_ENDBR xorq %rcx,%rcx - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rcx,.-abi_test_clobber_rcx .type abi_test_clobber_rdx, @function .globl abi_test_clobber_rdx 
@@ -211,7 +211,7 @@ _CET_ENDBR abi_test_clobber_rdx: _CET_ENDBR xorq %rdx,%rdx - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rdx,.-abi_test_clobber_rdx .type abi_test_clobber_rdi, @function .globl abi_test_clobber_rdi @@ -220,7 +220,7 @@ _CET_ENDBR abi_test_clobber_rdi: _CET_ENDBR xorq %rdi,%rdi - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rdi,.-abi_test_clobber_rdi .type abi_test_clobber_rsi, @function .globl abi_test_clobber_rsi @@ -229,7 +229,7 @@ _CET_ENDBR abi_test_clobber_rsi: _CET_ENDBR xorq %rsi,%rsi - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rsi,.-abi_test_clobber_rsi .type abi_test_clobber_rbp, @function .globl abi_test_clobber_rbp @@ -238,7 +238,7 @@ _CET_ENDBR abi_test_clobber_rbp: _CET_ENDBR xorq %rbp,%rbp - .byte 0xf3,0xc3 + ret .size abi_test_clobber_rbp,.-abi_test_clobber_rbp .type abi_test_clobber_r8, @function .globl abi_test_clobber_r8 @@ -247,7 +247,7 @@ _CET_ENDBR abi_test_clobber_r8: _CET_ENDBR xorq %r8,%r8 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r8,.-abi_test_clobber_r8 .type abi_test_clobber_r9, @function .globl abi_test_clobber_r9 @@ -256,7 +256,7 @@ _CET_ENDBR abi_test_clobber_r9: _CET_ENDBR xorq %r9,%r9 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r9,.-abi_test_clobber_r9 .type abi_test_clobber_r10, @function .globl abi_test_clobber_r10 @@ -265,7 +265,7 @@ _CET_ENDBR abi_test_clobber_r10: _CET_ENDBR xorq %r10,%r10 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r10,.-abi_test_clobber_r10 .type abi_test_clobber_r11, @function .globl abi_test_clobber_r11 @@ -274,7 +274,7 @@ _CET_ENDBR abi_test_clobber_r11: _CET_ENDBR xorq %r11,%r11 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r11,.-abi_test_clobber_r11 .type abi_test_clobber_r12, @function .globl abi_test_clobber_r12 @@ -283,7 +283,7 @@ _CET_ENDBR abi_test_clobber_r12: _CET_ENDBR xorq %r12,%r12 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r12,.-abi_test_clobber_r12 .type abi_test_clobber_r13, @function .globl abi_test_clobber_r13 
@@ -292,7 +292,7 @@ _CET_ENDBR abi_test_clobber_r13: _CET_ENDBR xorq %r13,%r13 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r13,.-abi_test_clobber_r13 .type abi_test_clobber_r14, @function .globl abi_test_clobber_r14 @@ -301,7 +301,7 @@ _CET_ENDBR abi_test_clobber_r14: _CET_ENDBR xorq %r14,%r14 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r14,.-abi_test_clobber_r14 .type abi_test_clobber_r15, @function .globl abi_test_clobber_r15 @@ -310,7 +310,7 @@ _CET_ENDBR abi_test_clobber_r15: _CET_ENDBR xorq %r15,%r15 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_r15,.-abi_test_clobber_r15 .type abi_test_clobber_xmm0, @function .globl abi_test_clobber_xmm0 @@ -319,7 +319,7 @@ _CET_ENDBR abi_test_clobber_xmm0: _CET_ENDBR pxor %xmm0,%xmm0 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm0,.-abi_test_clobber_xmm0 .type abi_test_clobber_xmm1, @function .globl abi_test_clobber_xmm1 @@ -328,7 +328,7 @@ _CET_ENDBR abi_test_clobber_xmm1: _CET_ENDBR pxor %xmm1,%xmm1 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm1,.-abi_test_clobber_xmm1 .type abi_test_clobber_xmm2, @function .globl abi_test_clobber_xmm2 @@ -337,7 +337,7 @@ _CET_ENDBR abi_test_clobber_xmm2: _CET_ENDBR pxor %xmm2,%xmm2 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm2,.-abi_test_clobber_xmm2 .type abi_test_clobber_xmm3, @function .globl abi_test_clobber_xmm3 @@ -346,7 +346,7 @@ _CET_ENDBR abi_test_clobber_xmm3: _CET_ENDBR pxor %xmm3,%xmm3 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm3,.-abi_test_clobber_xmm3 .type abi_test_clobber_xmm4, @function .globl abi_test_clobber_xmm4 @@ -355,7 +355,7 @@ _CET_ENDBR abi_test_clobber_xmm4: _CET_ENDBR pxor %xmm4,%xmm4 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm4,.-abi_test_clobber_xmm4 .type abi_test_clobber_xmm5, @function .globl abi_test_clobber_xmm5 
@@ -364,7 +364,7 @@ _CET_ENDBR abi_test_clobber_xmm5: _CET_ENDBR pxor %xmm5,%xmm5 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm5,.-abi_test_clobber_xmm5 .type abi_test_clobber_xmm6, @function .globl abi_test_clobber_xmm6 @@ -373,7 +373,7 @@ _CET_ENDBR abi_test_clobber_xmm6: _CET_ENDBR pxor %xmm6,%xmm6 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm6,.-abi_test_clobber_xmm6 .type abi_test_clobber_xmm7, @function .globl abi_test_clobber_xmm7 @@ -382,7 +382,7 @@ _CET_ENDBR abi_test_clobber_xmm7: _CET_ENDBR pxor %xmm7,%xmm7 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm7,.-abi_test_clobber_xmm7 .type abi_test_clobber_xmm8, @function .globl abi_test_clobber_xmm8 @@ -391,7 +391,7 @@ _CET_ENDBR abi_test_clobber_xmm8: _CET_ENDBR pxor %xmm8,%xmm8 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm8,.-abi_test_clobber_xmm8 .type abi_test_clobber_xmm9, @function .globl abi_test_clobber_xmm9 @@ -400,7 +400,7 @@ _CET_ENDBR abi_test_clobber_xmm9: _CET_ENDBR pxor %xmm9,%xmm9 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm9,.-abi_test_clobber_xmm9 .type abi_test_clobber_xmm10, @function .globl abi_test_clobber_xmm10 @@ -409,7 +409,7 @@ _CET_ENDBR abi_test_clobber_xmm10: _CET_ENDBR pxor %xmm10,%xmm10 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm10,.-abi_test_clobber_xmm10 .type abi_test_clobber_xmm11, @function .globl abi_test_clobber_xmm11 @@ -418,7 +418,7 @@ _CET_ENDBR abi_test_clobber_xmm11: _CET_ENDBR pxor %xmm11,%xmm11 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm11,.-abi_test_clobber_xmm11 .type abi_test_clobber_xmm12, @function .globl abi_test_clobber_xmm12 @@ -427,7 +427,7 @@ _CET_ENDBR abi_test_clobber_xmm12: _CET_ENDBR pxor %xmm12,%xmm12 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm12,.-abi_test_clobber_xmm12 .type abi_test_clobber_xmm13, @function .globl abi_test_clobber_xmm13 
@@ -436,7 +436,7 @@ _CET_ENDBR abi_test_clobber_xmm13: _CET_ENDBR pxor %xmm13,%xmm13 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm13,.-abi_test_clobber_xmm13 .type abi_test_clobber_xmm14, @function .globl abi_test_clobber_xmm14 @@ -445,7 +445,7 @@ _CET_ENDBR abi_test_clobber_xmm14: _CET_ENDBR pxor %xmm14,%xmm14 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm14,.-abi_test_clobber_xmm14 .type abi_test_clobber_xmm15, @function .globl abi_test_clobber_xmm15 @@ -454,7 +454,7 @@ _CET_ENDBR abi_test_clobber_xmm15: _CET_ENDBR pxor %xmm15,%xmm15 - .byte 0xf3,0xc3 + ret .size abi_test_clobber_xmm15,.-abi_test_clobber_xmm15 @@ -478,7 +478,7 @@ _CET_ENDBR popq %r12 .cfi_adjust_cfa_offset -8 .cfi_restore %r12 - .byte 0xf3,0xc3 + ret .cfi_endproc .size abi_test_bad_unwind_wrong_register,.-abi_test_bad_unwind_wrong_register @@ -511,7 +511,7 @@ _CET_ENDBR popq %r12 .cfi_adjust_cfa_offset -8 .cfi_restore %r12 - .byte 0xf3,0xc3 + ret .cfi_endproc .size abi_test_bad_unwind_temporary,.-abi_test_bad_unwind_temporary @@ -529,7 +529,7 @@ _CET_ENDBR andq $0x400,%rax shrq $10,%rax cld - .byte 0xf3,0xc3 + ret .size abi_test_get_and_clear_direction_flag,.-abi_test_get_and_clear_direction_flag @@ -540,6 +540,6 @@ _CET_ENDBR abi_test_set_direction_flag: _CET_ENDBR std - .byte 0xf3,0xc3 + ret .size abi_test_set_direction_flag,.-abi_test_set_direction_flag #endif @@ -118,7 +118,6 @@ cc_defaults { "src/crypto/cpu_aarch64_openbsd.c", "src/crypto/cpu_aarch64_sysreg.c", "src/crypto/cpu_aarch64_win.c", - "src/crypto/cpu_arm.c", "src/crypto/cpu_arm_freebsd.c", "src/crypto/cpu_arm_linux.c", "src/crypto/cpu_intel.c", @@ -551,6 +550,7 @@ cc_defaults { "src/crypto/pkcs8/pkcs8_test.cc", "src/crypto/poly1305/poly1305_test.cc", "src/crypto/pool/pool_test.cc", + "src/crypto/rand_extra/getentropy_test.cc", "src/crypto/rand_extra/rand_test.cc", "src/crypto/refcount_test.cc", "src/crypto/rsa_extra/rsa_test.cc", 
@@ -83,7 +83,6 @@ crypto_sources := \ src/crypto/cpu_aarch64_openbsd.c\ src/crypto/cpu_aarch64_sysreg.c\ src/crypto/cpu_aarch64_win.c\ - src/crypto/cpu_arm.c\ src/crypto/cpu_arm_freebsd.c\ src/crypto/cpu_arm_linux.c\ src/crypto/cpu_intel.c\ diff --git a/src/BUILDING.md b/src/BUILDING.md index f915d856..adc15851 100644 --- a/src/BUILDING.md +++ b/src/BUILDING.md @@ -10,7 +10,7 @@ Unless otherwise noted, build tools must at most five years old, matching [Abseil guidelines](https://abseil.io/about/compatibility). If in doubt, use the most recent stable version of each tool. - * [CMake](https://cmake.org/download/) 3.10 or later is required. + * [CMake](https://cmake.org/download/) 3.12 or later is required. * A recent version of Perl is required. On Windows, [Active State Perl](http://www.activestate.com/activeperl/) has been @@ -30,11 +30,11 @@ most recent stable version of each tool. by CMake, it may be configured explicitly by setting `CMAKE_ASM_NASM_COMPILER`. - * C and C++ compilers with C++14 support are required. If using a C compiler - other than MSVC, C11 support is also requried. On Windows, MSVC from - Visual Studio 2019 or later with Windows 10 SDK 2104 or later are supported, - but using the latest versions is recommended. Recent versions of GCC (6.1+) - and Clang should work on non-Windows platforms, and maybe on Windows too. + * Compilers for C11 and C++14, or later, are required. On Windows, MSVC from + Visual Studio 2019 or later with Windows 10 SDK 2104 or later are + supported, but using the latest versions is recommended. Recent versions of + GCC (6.1+) and Clang should work on non-Windows platforms, and maybe on + Windows too. * The most recent stable version of [Go](https://golang.org/dl/) is required. Note Go is exempt from the five year support window. If not found by CMake, diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index 1529526b..ee5cc046 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt 
@@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.10) +cmake_minimum_required(VERSION 3.12) # Defer enabling C and CXX languages. project(BoringSSL NONE) @@ -56,7 +56,7 @@ endif() if(CMAKE_SYSTEM_NAME STREQUAL "Linux" AND NOT CMAKE_CROSSCOMPILING) find_package(PkgConfig QUIET) if (PkgConfig_FOUND) - pkg_check_modules(LIBUNWIND libunwind-generic) + pkg_check_modules(LIBUNWIND libunwind-generic>=1.3.0) if(LIBUNWIND_FOUND) add_definitions(-DBORINGSSL_HAVE_LIBUNWIND) else() @@ -478,14 +478,22 @@ endif() # Add minimal googletest targets. The provided one has many side-effects, and # googletest has a very straightforward build. -add_library(boringssl_gtest third_party/googletest/src/gtest-all.cc) +add_library( + boringssl_gtest + third_party/googletest/googlemock/src/gmock-all.cc + third_party/googletest/googletest/src/gtest-all.cc +) if(USE_CUSTOM_LIBCXX) target_link_libraries(boringssl_gtest libcxx) endif() target_include_directories( boringssl_gtest - PUBLIC third_party/googletest/include - PRIVATE third_party/googletest + PUBLIC + third_party/googletest/googlemock/include + third_party/googletest/googletest/include + PRIVATE + third_party/googletest/googlemock + third_party/googletest/googletest ) # Declare a dummy target to build all unit tests. Test targets should inject diff --git a/src/cmake/perlasm.cmake b/src/cmake/perlasm.cmake index 98287990..6d0c30f0 100644 --- a/src/cmake/perlasm.cmake +++ b/src/cmake/perlasm.cmake 
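Review bot: In src/CMakeLists.txt, the new `libunwind-generic>=1.3.0` constraint in `pkg_check_modules` has no comment explaining why 1.3.0 is the floor. A host with an older libunwind now takes the `else()` branch exactly as if the library were absent. That branch's body lies outside the hunk, so it is not visible whether it reports the version mismatch; if it only reports a missing library, the code guarded by `BORINGSSL_HAVE_LIBUNWIND` (presumably the unwind tests) is dropped with no clear reason given. I would add `# Require libunwind 1.3.0 or later; older installs are treated as not found.` above the call and have the fallback message name the minimum version.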
@@ -29,27 +29,27 @@ endfunction() # perlasm generates perlasm output from a given file. arch specifies the # architecture. dest specifies the basename of the output file. The list of # generated files will be appended to ${var}_ASM and ${var}_NASM depending on -# the assembler used. +# the assembler used. Extra arguments are passed to the perlasm script. function(perlasm var arch dest src) if(arch STREQUAL "aarch64") - add_perlasm_target("${dest}-apple.S" ${src} ios64) - add_perlasm_target("${dest}-linux.S" ${src} linux64) - add_perlasm_target("${dest}-win.S" ${src} win64) + add_perlasm_target("${dest}-apple.S" ${src} ios64 ${ARGN}) + add_perlasm_target("${dest}-linux.S" ${src} linux64 ${ARGN}) + add_perlasm_target("${dest}-win.S" ${src} win64 ${ARGN}) append_to_parent_scope("${var}_ASM" "${dest}-apple.S" "${dest}-linux.S" "${dest}-win.S") elseif(arch STREQUAL "arm") - add_perlasm_target("${dest}-apple.S" ${src} ios32) - add_perlasm_target("${dest}-linux.S" ${src} linux32) + add_perlasm_target("${dest}-apple.S" ${src} ios32 ${ARGN}) + add_perlasm_target("${dest}-linux.S" ${src} linux32 ${ARGN}) append_to_parent_scope("${var}_ASM" "${dest}-apple.S" "${dest}-linux.S") elseif(arch STREQUAL "x86") - add_perlasm_target("${dest}-apple.S" ${src} macosx -fPIC -DOPENSSL_IA32_SSE2) - add_perlasm_target("${dest}-linux.S" ${src} elf -fPIC -DOPENSSL_IA32_SSE2) - add_perlasm_target("${dest}-win.asm" ${src} win32n -DOPENSSL_IA32_SSE2) + add_perlasm_target("${dest}-apple.S" ${src} macosx -fPIC -DOPENSSL_IA32_SSE2 ${ARGN}) + add_perlasm_target("${dest}-linux.S" ${src} elf -fPIC -DOPENSSL_IA32_SSE2 ${ARGN}) + add_perlasm_target("${dest}-win.asm" ${src} win32n -DOPENSSL_IA32_SSE2 ${ARGN}) append_to_parent_scope("${var}_ASM" "${dest}-apple.S" "${dest}-linux.S") append_to_parent_scope("${var}_NASM" "${dest}-win.asm") elseif(arch STREQUAL "x86_64") - add_perlasm_target("${dest}-apple.S" ${src} macosx) - add_perlasm_target("${dest}-linux.S" ${src} elf) - 
add_perlasm_target("${dest}-win.asm" ${src} nasm) + add_perlasm_target("${dest}-apple.S" ${src} macosx ${ARGN}) + add_perlasm_target("${dest}-linux.S" ${src} elf ${ARGN}) + add_perlasm_target("${dest}-win.asm" ${src} nasm ${ARGN}) append_to_parent_scope("${var}_ASM" "${dest}-apple.S" "${dest}-linux.S") append_to_parent_scope("${var}_NASM" "${dest}-win.asm") else() diff --git a/src/crypto/CMakeLists.txt b/src/crypto/CMakeLists.txt index 07d0ee38..68fb65b3 100644 --- a/src/crypto/CMakeLists.txt +++ b/src/crypto/CMakeLists.txt @@ -134,7 +134,6 @@ add_library( cpu_aarch64_win.c cpu_arm_freebsd.c cpu_arm_linux.c - cpu_arm.c cpu_intel.c crypto.c curve25519/curve25519.c diff --git a/src/crypto/asn1/a_mbstr.c b/src/crypto/asn1/a_mbstr.c index 8fc82ab5..4d7ea145 100644 --- a/src/crypto/asn1/a_mbstr.c +++ b/src/crypto/asn1/a_mbstr.c @@ -97,22 +97,22 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int error; switch (inform) { case MBSTRING_BMP: - decode_func = cbs_get_ucs2_be; + decode_func = CBS_get_ucs2_be; error = ASN1_R_INVALID_BMPSTRING; break; case MBSTRING_UNIV: - decode_func = cbs_get_utf32_be; + decode_func = CBS_get_utf32_be; error = ASN1_R_INVALID_UNIVERSALSTRING; break; case MBSTRING_UTF8: - decode_func = cbs_get_utf8; + decode_func = CBS_get_utf8; error = ASN1_R_INVALID_UTF8STRING; break; case MBSTRING_ASC: - decode_func = cbs_get_latin1; + decode_func = CBS_get_latin1; error = ERR_R_INTERNAL_ERROR; // Latin-1 inputs are never invalid. break; @@ -162,7 +162,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, } nchar++; - utf8_len += cbb_get_utf8_len(c); + utf8_len += CBB_get_utf8_len(c); if (maxsize > 0 && nchar > (size_t)maxsize) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_STRING_TOO_LONG); ERR_add_error_dataf("maxsize=%zu", (size_t)maxsize); 
@@ -178,7 +178,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, // Now work out output format and string type int str_type; - int (*encode_func)(CBB *, uint32_t) = cbb_add_latin1; + int (*encode_func)(CBB *, uint32_t) = CBB_add_latin1; size_t size_estimate = nchar; int outform = MBSTRING_ASC; if (mask & B_ASN1_PRINTABLESTRING) { @@ -190,17 +190,17 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, } else if (mask & B_ASN1_BMPSTRING) { str_type = V_ASN1_BMPSTRING; outform = MBSTRING_BMP; - encode_func = cbb_add_ucs2_be; + encode_func = CBB_add_ucs2_be; size_estimate = 2 * nchar; } else if (mask & B_ASN1_UNIVERSALSTRING) { str_type = V_ASN1_UNIVERSALSTRING; - encode_func = cbb_add_utf32_be; + encode_func = CBB_add_utf32_be; size_estimate = 4 * nchar; outform = MBSTRING_UNIV; } else if (mask & B_ASN1_UTF8STRING) { str_type = V_ASN1_UTF8STRING; outform = MBSTRING_UTF8; - encode_func = cbb_add_utf8; + encode_func = CBB_add_utf8; size_estimate = utf8_len; } else { OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_CHARACTERS); diff --git a/src/crypto/asn1/a_strex.c b/src/crypto/asn1/a_strex.c index dcc87f1e..7e9afad0 100644 --- a/src/crypto/asn1/a_strex.c +++ b/src/crypto/asn1/a_strex.c @@ -137,19 +137,19 @@ static int do_buf(const unsigned char *buf, int buflen, int encoding, int get_char_error; switch (encoding) { case MBSTRING_UNIV: - get_char = cbs_get_utf32_be; + get_char = CBS_get_utf32_be; get_char_error = ASN1_R_INVALID_UNIVERSALSTRING; break; case MBSTRING_BMP: - get_char = cbs_get_ucs2_be; + get_char = CBS_get_ucs2_be; get_char_error = ASN1_R_INVALID_BMPSTRING; break; case MBSTRING_ASC: - get_char = cbs_get_latin1; + get_char = CBS_get_latin1; get_char_error = ERR_R_INTERNAL_ERROR; // Should not be possible. break; case MBSTRING_UTF8: - get_char = cbs_get_utf8; + get_char = CBS_get_utf8; get_char_error = ASN1_R_INVALID_UTF8STRING; break; default: 
@@ -172,7 +172,7 @@ static int do_buf(const unsigned char *buf, int buflen, int encoding, uint8_t utf8_buf[6]; CBB utf8_cbb; CBB_init_fixed(&utf8_cbb, utf8_buf, sizeof(utf8_buf)); - if (!cbb_add_utf8(&utf8_cbb, c)) { + if (!CBB_add_utf8(&utf8_cbb, c)) { OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR); return 1; } diff --git a/src/crypto/asn1/tasn_dec.c b/src/crypto/asn1/tasn_dec.c index 24ab04f2..94891c85 100644 --- a/src/crypto/asn1/tasn_dec.c +++ b/src/crypto/asn1/tasn_dec.c @@ -850,7 +850,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, if (utype == V_ASN1_BMPSTRING) { while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_ucs2_be(&cbs, &c)) { + if (!CBS_get_ucs2_be(&cbs, &c)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_BMPSTRING); goto err; } @@ -859,7 +859,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, if (utype == V_ASN1_UNIVERSALSTRING) { while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf32_be(&cbs, &c)) { + if (!CBS_get_utf32_be(&cbs, &c)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UNIVERSALSTRING); goto err; } @@ -868,7 +868,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, long len, if (utype == V_ASN1_UTF8STRING) { while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&cbs, &c)) { + if (!CBS_get_utf8(&cbs, &c)) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_INVALID_UTF8STRING); goto err; } diff --git a/src/crypto/bio/bio_test.cc b/src/crypto/bio/bio_test.cc index a169b56d..c9e0ae02 100644 --- a/src/crypto/bio/bio_test.cc +++ b/src/crypto/bio/bio_test.cc 
@@ -633,8 +633,11 @@ TEST(BIOTest, Gets) { check_bio_gets(bio.get()); } - using ScopedFILE = std::unique_ptr<FILE, decltype(&fclose)>; - ScopedFILE file(tmpfile(), fclose); + struct FileCloser { + void operator()(FILE *f) const { fclose(f); } + }; + using ScopedFILE = std::unique_ptr<FILE, FileCloser>; + ScopedFILE file(tmpfile()); #if defined(OPENSSL_ANDROID) // On Android, when running from an APK, |tmpfile| does not work. See // b/36991167#comment8. diff --git a/src/crypto/bn_extra/convert.c b/src/crypto/bn_extra/convert.c index 29234eff..c9161fae 100644 --- a/src/crypto/bn_extra/convert.c +++ b/src/crypto/bn_extra/convert.c @@ -455,3 +455,11 @@ int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len) { } return len; } + +int BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len) { + if (len < 0 || + !BN_bn2le_padded(out, (size_t)len, in)) { + return -1; + } + return len; +} diff --git a/src/crypto/bytestring/bytestring_test.cc b/src/crypto/bytestring/bytestring_test.cc index 10d34697..08cfb873 100644 --- a/src/crypto/bytestring/bytestring_test.cc +++ b/src/crypto/bytestring/bytestring_test.cc @@ -1353,7 +1353,7 @@ TEST(CBBTest, Unicode) { std::vector<uint32_t> out; bool ok; } kTests[] = { - {cbs_get_utf8, cbb_add_utf8, + {CBS_get_utf8, CBB_add_utf8, // This test string captures all four cases in UTF-8. LiteralToBytes(u8"Hello, 世界! ¡Hola, 🌎!"), LiteralToCodePoints(U"Hello, 世界! ¡Hola, 🌎!"), true}, 
@@ -1362,120 +1362,120 @@ TEST(CBBTest, Unicode) { // http://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt // 2.1 First possible sequence of a certain length. (5- and 6-bit // sequences no longer exist.) - {cbs_get_utf8, cbb_add_utf8, {0xf8, 0x88, 0x80, 0x80, 0x80}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, CBB_add_utf8, {0xf8, 0x88, 0x80, 0x80, 0x80}, {}, false}, + {CBS_get_utf8, + CBB_add_utf8, {0xfc, 0x84, 0x80, 0x80, 0x80, 0x80}, {}, false}, // 3.1 Unexpected continuation bytes. - {cbs_get_utf8, cbb_add_utf8, {0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xbf}, {}, false}, // 3.2 Lonely start characters. - {cbs_get_utf8, cbb_add_utf8, {0xc0, ' '}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xe0, ' '}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, ' '}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xc0, ' '}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xe0, ' '}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, ' '}, {}, false}, // 3.3 Sequences with last continuation byte missing - {cbs_get_utf8, cbb_add_utf8, {0xc0}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xc0}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xe0, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x80, 0x80}, {}, false}, // Variation of the above with unexpected spaces. 
- {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80, ' '}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80, ' '}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xe0, 0x80, ' '}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x80, 0x80, ' '}, {}, false}, // 4.1 Examples of an overlong ASCII character - {cbs_get_utf8, cbb_add_utf8, {0xc0, 0xaf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80, 0xaf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80, 0xaf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xc0, 0xaf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xe0, 0x80, 0xaf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x80, 0x80, 0xaf}, {}, false}, // 4.2 Maximum overlong sequences - {cbs_get_utf8, cbb_add_utf8, {0xc1, 0xbf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x9f, 0xbf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x8f, 0xbf, 0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xc1, 0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xe0, 0x9f, 0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x8f, 0xbf, 0xbf}, {}, false}, // 4.3 Overlong representation of the NUL character - {cbs_get_utf8, cbb_add_utf8, {0xc0, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xe0, 0x80, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x80, 0x80, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xc0, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xe0, 0x80, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x80, 0x80, 0x80}, {}, false}, // 5.1 Single UTF-16 surrogates - {cbs_get_utf8, cbb_add_utf8, {0xed, 0xa0, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xed, 0xad, 0xbf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xed, 0xae, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xed, 0xb0, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xed, 0xbe, 0x80}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xed, 0xbf, 0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xed, 0xa0, 0x80}, {}, false}, 
+ {CBS_get_utf8, CBB_add_utf8, {0xed, 0xad, 0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xed, 0xae, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xed, 0xb0, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xed, 0xbe, 0x80}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xed, 0xbf, 0xbf}, {}, false}, // 5.2 Paired UTF-16 surrogates - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xa0, 0x80, 0xed, 0xb0, 0x80}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xa0, 0x80, 0xed, 0xbf, 0xbf}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xad, 0xbf, 0xed, 0xb0, 0x80}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xad, 0xbf, 0xed, 0xbf, 0xbf}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xae, 0x80, 0xed, 0xb0, 0x80}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xae, 0x80, 0xed, 0xbf, 0xbf}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xaf, 0xbf, 0xed, 0xb0, 0x80}, {}, false}, - {cbs_get_utf8, - cbb_add_utf8, + {CBS_get_utf8, + CBB_add_utf8, {0xed, 0xaf, 0xbf, 0xed, 0xbf, 0xbf}, {}, false}, // 5.3 Noncharacter code positions - {cbs_get_utf8, cbb_add_utf8, {0xef, 0xbf, 0xbe}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xef, 0xbf, 0xbf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xef, 0xb7, 0x90}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xef, 0xb7, 0xaf}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x9f, 0xbf, 0xbe}, {}, false}, - {cbs_get_utf8, cbb_add_utf8, {0xf0, 0x9f, 0xbf, 0xbf}, {}, false}, - - {cbs_get_latin1, cbb_add_latin1, LiteralToBytes("\xa1Hola!"), + {CBS_get_utf8, CBB_add_utf8, {0xef, 0xbf, 0xbe}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xef, 0xbf, 0xbf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xef, 0xb7, 0x90}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xef, 0xb7, 
0xaf}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x9f, 0xbf, 0xbe}, {}, false}, + {CBS_get_utf8, CBB_add_utf8, {0xf0, 0x9f, 0xbf, 0xbf}, {}, false}, + + {CBS_get_latin1, CBB_add_latin1, LiteralToBytes("\xa1Hola!"), LiteralToCodePoints(U"¡Hola!"), true}, // UCS-2 matches UTF-16 on the BMP. - {cbs_get_ucs2_be, cbb_add_ucs2_be, LiteralToBytes(u"Hello, 世界!"), + {CBS_get_ucs2_be, CBB_add_ucs2_be, LiteralToBytes(u"Hello, 世界!"), LiteralToCodePoints(U"Hello, 世界!"), true}, // It does not support characters beyond the BMP. - {cbs_get_ucs2_be, cbb_add_ucs2_be, + {CBS_get_ucs2_be, CBB_add_ucs2_be, LiteralToBytes(u"Hello, 世界! ¡Hola, 🌎!"), LiteralToCodePoints(U"Hello, 世界! ¡Hola, "), false}, // Unpaired surrogates and non-characters are also rejected. - {cbs_get_ucs2_be, cbb_add_ucs2_be, {0xd8, 0x00}, {}, false}, - {cbs_get_ucs2_be, cbb_add_ucs2_be, {0xff, 0xfe}, {}, false}, + {CBS_get_ucs2_be, CBB_add_ucs2_be, {0xd8, 0x00}, {}, false}, + {CBS_get_ucs2_be, CBB_add_ucs2_be, {0xff, 0xfe}, {}, false}, - {cbs_get_utf32_be, cbb_add_utf32_be, + {CBS_get_utf32_be, CBB_add_utf32_be, LiteralToBytes(U"Hello, 世界! ¡Hola, 🌎!"), LiteralToCodePoints(U"Hello, 世界! ¡Hola, 🌎!"), true}, // Unpaired surrogates and non-characters are rejected. - {cbs_get_utf32_be, cbb_add_utf32_be, {0x00, 0x00, 0xd8, 0x00}, {}, false}, - {cbs_get_utf32_be, cbb_add_utf32_be, {0x00, 0x00, 0xff, 0xfe}, {}, false}, + {CBS_get_utf32_be, CBB_add_utf32_be, {0x00, 0x00, 0xd8, 0x00}, {}, false}, + {CBS_get_utf32_be, CBB_add_utf32_be, {0x00, 0x00, 0xff, 0xfe}, {}, false}, // Test that the NUL character can be encoded. 
- {cbs_get_latin1, cbb_add_latin1, {0}, {0}, true}, - {cbs_get_utf8, cbb_add_utf8, {0}, {0}, true}, - {cbs_get_ucs2_be, cbb_add_ucs2_be, {0, 0}, {0}, true}, - {cbs_get_utf32_be, cbb_add_utf32_be, {0, 0, 0, 0}, {0}, true}, + {CBS_get_latin1, CBB_add_latin1, {0}, {0}, true}, + {CBS_get_utf8, CBB_add_utf8, {0}, {0}, true}, + {CBS_get_ucs2_be, CBB_add_ucs2_be, {0, 0}, {0}, true}, + {CBS_get_utf32_be, CBB_add_utf32_be, {0, 0, 0, 0}, {0}, true}, }; for (const auto &t : kTests) { SCOPED_TRACE(Bytes(t.in)); @@ -1524,24 +1524,24 @@ TEST(CBBTest, Unicode) { ASSERT_TRUE(CBB_init(cbb.get(), 0)); for (uint32_t v : kBadCodePoints) { SCOPED_TRACE(v); - EXPECT_FALSE(cbb_add_utf8(cbb.get(), v)); - EXPECT_FALSE(cbb_add_latin1(cbb.get(), v)); - EXPECT_FALSE(cbb_add_ucs2_be(cbb.get(), v)); - EXPECT_FALSE(cbb_add_utf32_be(cbb.get(), v)); + EXPECT_FALSE(CBB_add_utf8(cbb.get(), v)); + EXPECT_FALSE(CBB_add_latin1(cbb.get(), v)); + EXPECT_FALSE(CBB_add_ucs2_be(cbb.get(), v)); + EXPECT_FALSE(CBB_add_utf32_be(cbb.get(), v)); } // Additional values that are out of range. - EXPECT_FALSE(cbb_add_latin1(cbb.get(), 0x100)); - EXPECT_FALSE(cbb_add_ucs2_be(cbb.get(), 0x10000)); - - EXPECT_EQ(1u, cbb_get_utf8_len(0)); - EXPECT_EQ(1u, cbb_get_utf8_len(0x7f)); - EXPECT_EQ(2u, cbb_get_utf8_len(0x80)); - EXPECT_EQ(2u, cbb_get_utf8_len(0x7ff)); - EXPECT_EQ(3u, cbb_get_utf8_len(0x800)); - EXPECT_EQ(3u, cbb_get_utf8_len(0xffff)); - EXPECT_EQ(4u, cbb_get_utf8_len(0x10000)); - EXPECT_EQ(4u, cbb_get_utf8_len(0x10ffff)); + EXPECT_FALSE(CBB_add_latin1(cbb.get(), 0x100)); + EXPECT_FALSE(CBB_add_ucs2_be(cbb.get(), 0x10000)); + + EXPECT_EQ(1u, CBB_get_utf8_len(0)); + EXPECT_EQ(1u, CBB_get_utf8_len(0x7f)); + EXPECT_EQ(2u, CBB_get_utf8_len(0x80)); + EXPECT_EQ(2u, CBB_get_utf8_len(0x7ff)); + EXPECT_EQ(3u, CBB_get_utf8_len(0x800)); + EXPECT_EQ(3u, CBB_get_utf8_len(0xffff)); + EXPECT_EQ(4u, CBB_get_utf8_len(0x10000)); + EXPECT_EQ(4u, CBB_get_utf8_len(0x10ffff)); } TEST(CBSTest, BogusTime) { 
diff --git a/src/crypto/bytestring/internal.h b/src/crypto/bytestring/internal.h index ba23244f..ff7a4a56 100644 --- a/src/crypto/bytestring/internal.h +++ b/src/crypto/bytestring/internal.h @@ -67,28 +67,6 @@ OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out, int CBB_finish_i2d(CBB *cbb, uint8_t **outp); -// Unicode utilities. - -// The following functions read one Unicode code point from |cbs| with the -// corresponding encoding and store it in |*out|. They return one on success and -// zero on error. -OPENSSL_EXPORT int cbs_get_utf8(CBS *cbs, uint32_t *out); -OPENSSL_EXPORT int cbs_get_latin1(CBS *cbs, uint32_t *out); -OPENSSL_EXPORT int cbs_get_ucs2_be(CBS *cbs, uint32_t *out); -OPENSSL_EXPORT int cbs_get_utf32_be(CBS *cbs, uint32_t *out); - -// cbb_get_utf8_len returns the number of bytes needed to represent |u| in -// UTF-8. -OPENSSL_EXPORT size_t cbb_get_utf8_len(uint32_t u); - -// The following functions encode |u| to |cbb| with the corresponding -// encoding. They return one on success and zero on error. -OPENSSL_EXPORT int cbb_add_utf8(CBB *cbb, uint32_t u); -OPENSSL_EXPORT int cbb_add_latin1(CBB *cbb, uint32_t u); -OPENSSL_EXPORT int cbb_add_ucs2_be(CBB *cbb, uint32_t u); -OPENSSL_EXPORT int cbb_add_utf32_be(CBB *cbb, uint32_t u); - - #if defined(__cplusplus) } // extern C #endif diff --git a/src/crypto/bytestring/unicode.c b/src/crypto/bytestring/unicode.c index 6f9467f9..10fba07c 100644 --- a/src/crypto/bytestring/unicode.c +++ b/src/crypto/bytestring/unicode.c @@ -38,7 +38,7 @@ static int is_valid_code_point(uint32_t v) { // TOP_BITS returns a byte with the top |n| bits set. #define TOP_BITS(n) ((uint8_t)~BOTTOM_BITS(8 - (n))) -int cbs_get_utf8(CBS *cbs, uint32_t *out) { +int CBS_get_utf8(CBS *cbs, uint32_t *out) { uint8_t c; if (!CBS_get_u8(cbs, &c)) { return 0; 
@@ -80,7 +80,7 @@ int cbs_get_utf8(CBS *cbs, uint32_t *out) { return 1; } -int cbs_get_latin1(CBS *cbs, uint32_t *out) { +int CBS_get_latin1(CBS *cbs, uint32_t *out) { uint8_t c; if (!CBS_get_u8(cbs, &c)) { return 0; @@ -89,7 +89,7 @@ int cbs_get_latin1(CBS *cbs, uint32_t *out) { return 1; } -int cbs_get_ucs2_be(CBS *cbs, uint32_t *out) { +int CBS_get_ucs2_be(CBS *cbs, uint32_t *out) { // Note UCS-2 (used by BMPString) does not support surrogates. uint16_t c; if (!CBS_get_u16(cbs, &c) || @@ -100,11 +100,11 @@ int cbs_get_ucs2_be(CBS *cbs, uint32_t *out) { return 1; } -int cbs_get_utf32_be(CBS *cbs, uint32_t *out) { +int CBS_get_utf32_be(CBS *cbs, uint32_t *out) { return CBS_get_u32(cbs, out) && is_valid_code_point(*out); } -size_t cbb_get_utf8_len(uint32_t u) { +size_t CBB_get_utf8_len(uint32_t u) { if (u <= 0x7f) { return 1; } @@ -117,7 +117,7 @@ size_t cbb_get_utf8_len(uint32_t u) { return 4; } -int cbb_add_utf8(CBB *cbb, uint32_t u) { +int CBB_add_utf8(CBB *cbb, uint32_t u) { if (!is_valid_code_point(u)) { return 0; } @@ -142,14 +142,14 @@ int cbb_add_utf8(CBB *cbb, uint32_t u) { return 0; } -int cbb_add_latin1(CBB *cbb, uint32_t u) { +int CBB_add_latin1(CBB *cbb, uint32_t u) { return u <= 0xff && CBB_add_u8(cbb, (uint8_t)u); } -int cbb_add_ucs2_be(CBB *cbb, uint32_t u) { +int CBB_add_ucs2_be(CBB *cbb, uint32_t u) { return u <= 0xffff && is_valid_code_point(u) && CBB_add_u16(cbb, (uint16_t)u); } -int cbb_add_utf32_be(CBB *cbb, uint32_t u) { +int CBB_add_utf32_be(CBB *cbb, uint32_t u) { return is_valid_code_point(u) && CBB_add_u32(cbb, u); } diff --git a/src/crypto/cipher_extra/cipher_test.cc b/src/crypto/cipher_extra/cipher_test.cc index 6101ef96..9375bc19 100644 --- a/src/crypto/cipher_extra/cipher_test.cc +++ b/src/crypto/cipher_extra/cipher_test.cc 
@@ -211,6 +211,7 @@ static void TestCipherAPI(const EVP_CIPHER *cipher, Operation op, bool padding, ASSERT_LE(iv.size(), size_t{INT_MAX}); ASSERT_TRUE(EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_AEAD_SET_IVLEN, static_cast<int>(iv.size()), 0)); + ASSERT_EQ(EVP_CIPHER_CTX_iv_length(ctx.get()), iv.size()); } else { ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx.get())); } diff --git a/src/crypto/compiler_test.cc b/src/crypto/compiler_test.cc index 91023375..129ef7fa 100644 --- a/src/crypto/compiler_test.cc +++ b/src/crypto/compiler_test.cc @@ -22,6 +22,26 @@ #include "test/test_util.h" +// C and C++ have two forms of unspecified behavior: undefined behavior and +// implementation-defined behavior. +// +// Programs that exhibit undefined behavior are invalid. Compilers are +// permitted to, and often do, arbitrarily miscompile them. BoringSSL thus aims +// to avoid undefined behavior. +// +// Implementation-defined behavior is left up to the compiler to define (or +// leave undefined). These are often platform-specific details, such as how big +// |int| is or how |uintN_t| is implemented. Programs that depend on +// implementation-defined behavior are not necessarily invalid, merely less +// portable. A compiler that provides some implementation-defined behavior is +// not permitted to miscompile code that depends on it. +// +// C allows a much wider range of platform behaviors than would be practical +// for us to support, so we make some assumptions on implementation-defined +// behavior. Platforms that violate those assumptions are not supported. This +// file aims to document and test these assumptions, so that platforms outside +// our scope are flagged. + template <typename T> static void CheckRepresentation(T value) { SCOPED_TRACE(value); diff --git a/src/crypto/cpu_arm.c b/src/crypto/cpu_arm.c deleted file mode 100644 index 00cf921a..00000000 --- a/src/crypto/cpu_arm.c +++ /dev/null 
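Review bot: The assertion added in `TestCipherAPI` after the `EVP_CTRL_AEAD_SET_IVLEN` call passes its operands in the opposite order from the existing check in the `else` branch just below it, which is `ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx.get()));`. Writing the new line the same way, `ASSERT_EQ(iv.size(), EVP_CIPHER_CTX_iv_length(ctx.get()));`, keeps the two branches readable side by side and keeps failure output in one shape. The function body starts and ends outside this hunk.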
@@ -1,36 +0,0 @@ -/* Copyright (c) 2014, Google Inc. - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY - * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION - * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN - * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ - -#include "internal.h" - -#if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_STATIC_ARMCAP) - -#include <openssl/arm_arch.h> - - -int CRYPTO_is_NEON_capable_at_runtime(void) { - return (OPENSSL_armcap_P & ARMV7_NEON) != 0; -} - -int CRYPTO_is_ARMv8_AES_capable_at_runtime(void) { - return (OPENSSL_armcap_P & ARMV8_AES) != 0; -} - -int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void) { - return (OPENSSL_armcap_P & ARMV8_PMULL) != 0; -} - -#endif /* (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && - !defined(OPENSSL_STATIC_ARMCAP) */ diff --git a/src/crypto/crypto.c b/src/crypto/crypto.c index beaae0f7..0bca1e21 100644 --- a/src/crypto/crypto.c +++ b/src/crypto/crypto.c @@ -78,6 +78,11 @@ HIDDEN uint8_t BORINGSSL_function_hit[7] = {0}; // This value must be explicitly initialized to zero. See similar comment above. HIDDEN uint32_t OPENSSL_ia32cap_P[4] = {0}; +uint32_t OPENSSL_get_ia32cap(int idx) { + CRYPTO_library_init(); + return OPENSSL_ia32cap_P[idx]; +} + #elif defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) #include <openssl/arm_arch.h> 
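Review bot: `OPENSSL_get_ia32cap` in the crypto.c hunk indexes `OPENSSL_ia32cap_P` with the caller-supplied `idx` and no range check, so a negative value or anything above 3 reads outside the four-word array declared on the line above it. Unlike the array, the accessor is not marked `HIDDEN`, so it looks callable from outside the library, where the argument cannot be assumed valid. A guard such as `if (idx < 0 || (size_t)idx >= sizeof(OPENSSL_ia32cap_P) / sizeof(OPENSSL_ia32cap_P[0])) { return 0; }` before the load would close that. The function also has no comment stating the valid range of `idx`; if the header, which is not in this hunk, documents it, a matching assertion here would still catch misuse in debug builds.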
@@ -116,10 +121,16 @@ HIDDEN uint32_t OPENSSL_armcap_P = HIDDEN uint32_t OPENSSL_armcap_P = 0; uint32_t *OPENSSL_get_armcap_pointer_for_test(void) { + CRYPTO_library_init(); return &OPENSSL_armcap_P; } #endif +uint32_t OPENSSL_get_armcap(void) { + CRYPTO_library_init(); + return OPENSSL_armcap_P; +} + #endif #if defined(BORINGSSL_FIPS) diff --git a/src/crypto/dh_extra/dh_asn1.c b/src/crypto/dh_extra/dh_asn1.c index de01077d..4e2e2c44 100644 --- a/src/crypto/dh_extra/dh_asn1.c +++ b/src/crypto/dh_extra/dh_asn1.c @@ -110,6 +110,10 @@ DH *DH_parse_parameters(CBS *cbs) { goto err; } + if (!dh_check_params_fast(ret)) { + goto err; + } + return ret; err: diff --git a/src/crypto/dh_extra/dh_test.cc b/src/crypto/dh_extra/dh_test.cc index 8d2c5871..cb5384ef 100644 --- a/src/crypto/dh_extra/dh_test.cc +++ b/src/crypto/dh_extra/dh_test.cc @@ -71,7 +71,6 @@ #include <openssl/mem.h> #include "../fipsmodule/dh/internal.h" -#include "../internal.h" #include "../test/test_util.h" 
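Review bot: The `dh_check_params_fast(ret)` call added to `DH_parse_parameters` has no comment, and the helper's name suggests a partial check, so a reader cannot tell what a successfully parsed group guarantees. The tests added in dh_test.cc later in this commit state the intent as rejecting bad parameters so that untrusted domain parameters do not become a DoS risk; a line here such as `// Reject egregiously invalid groups at parse time. This is not full validation; see |DH_check|.` would record that and its limit. The helper's body is not in this hunk, so it is worth confirming that it pushes an error before the `goto err`, otherwise callers get NULL with an empty error queue. `DH_parse_parameters` starts and ends outside the hunk.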
@@ -195,15 +194,35 @@ static const uint8_t kRFC5114_2048_224BadY[] = { 0x93, 0x74, 0x89, 0x59, }; -TEST(DHTest, BadY) { +static bssl::UniquePtr<DH> NewDHGroup(const BIGNUM *p, const BIGNUM *q, + const BIGNUM *g) { + bssl::UniquePtr<BIGNUM> p_copy(BN_dup(p)); + bssl::UniquePtr<BIGNUM> q_copy(q != nullptr ? BN_dup(q) : nullptr); + bssl::UniquePtr<BIGNUM> g_copy(BN_dup(g)); bssl::UniquePtr<DH> dh(DH_new()); + if (p_copy == nullptr || (q != nullptr && q_copy == nullptr) || + g_copy == nullptr || dh == nullptr || + !DH_set0_pqg(dh.get(), p_copy.get(), q_copy.get(), g_copy.get())) { + return nullptr; + } + p_copy.release(); + q_copy.release(); + g_copy.release(); + return dh; +} + +TEST(DHTest, BadY) { + bssl::UniquePtr<BIGNUM> p( + BN_bin2bn(kRFC5114_2048_224P, sizeof(kRFC5114_2048_224P), nullptr)); + bssl::UniquePtr<BIGNUM> q( + BN_bin2bn(kRFC5114_2048_224Q, sizeof(kRFC5114_2048_224Q), nullptr)); + bssl::UniquePtr<BIGNUM> g( + BN_bin2bn(kRFC5114_2048_224G, sizeof(kRFC5114_2048_224G), nullptr)); + ASSERT_TRUE(p); + ASSERT_TRUE(q); + ASSERT_TRUE(g); + bssl::UniquePtr<DH> dh = NewDHGroup(p.get(), q.get(), g.get()); ASSERT_TRUE(dh); - dh->p = BN_bin2bn(kRFC5114_2048_224P, sizeof(kRFC5114_2048_224P), nullptr); - dh->g = BN_bin2bn(kRFC5114_2048_224G, sizeof(kRFC5114_2048_224G), nullptr); - dh->q = BN_bin2bn(kRFC5114_2048_224Q, sizeof(kRFC5114_2048_224Q), nullptr); - ASSERT_TRUE(dh->p); - ASSERT_TRUE(dh->g); - ASSERT_TRUE(dh->q); bssl::UniquePtr<BIGNUM> pub_key( BN_bin2bn(kRFC5114_2048_224BadY, sizeof(kRFC5114_2048_224BadY), nullptr)); 
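Review bot: `NewDHGroup` has no comment stating its ownership contract, which is the part a test author is most likely to get wrong. It duplicates `p`, `q` and `g`, passes the copies to `DH_set0_pqg`, and releases them only after that call succeeds, so callers keep ownership of their inputs and `q` may be null. A header line such as `// NewDHGroup returns a new |DH| holding copies of |p|, |q| (optional) and |g|, or nullptr on error.` would make that explicit for the tests that now rely on it. `TEST(DHTest, BadY)` continues past the end of this hunk.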
@@ -336,11 +355,8 @@ TEST(DHTest, LeadingZeros) { ASSERT_TRUE(g); ASSERT_TRUE(BN_set_word(g.get(), 2)); - bssl::UniquePtr<DH> dh(DH_new()); + bssl::UniquePtr<DH> dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(dh); - ASSERT_TRUE(DH_set0_pqg(dh.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); // These values are far too small to be reasonable Diffie-Hellman keys, but // they are an easy way to get a shared secret with leading zeros. @@ -375,11 +391,8 @@ TEST(DHTest, Overwrite) { ASSERT_TRUE(g); ASSERT_TRUE(BN_set_word(g.get(), 2)); - bssl::UniquePtr<DH> key1(DH_new()); + bssl::UniquePtr<DH> key1 = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(key1); - ASSERT_TRUE(DH_set0_pqg(key1.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); ASSERT_TRUE(DH_generate_key(key1.get())); bssl::UniquePtr<BIGNUM> peer_key(BN_new()); @@ -393,15 +406,8 @@ TEST(DHTest, Overwrite) { // Generate a different key with a different group. p.reset(BN_get_rfc3526_prime_2048(nullptr)); ASSERT_TRUE(p); - g.reset(BN_new()); - ASSERT_TRUE(g); - ASSERT_TRUE(BN_set_word(g.get(), 2)); - - bssl::UniquePtr<DH> key2(DH_new()); + bssl::UniquePtr<DH> key2 = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); ASSERT_TRUE(key2); - ASSERT_TRUE(DH_set0_pqg(key2.get(), p.get(), /*q=*/nullptr, g.get())); - p.release(); - g.release(); ASSERT_TRUE(DH_generate_key(key2.get())); // Overwrite |key1|'s contents with |key2|. 
@@ -427,3 +433,189 @@ TEST(DHTest, Overwrite) { ASSERT_GT(DH_compute_key_padded(buf2.data(), peer_key.get(), key2.get()), 0); EXPECT_EQ(Bytes(buf1), Bytes(buf2)); } + +TEST(DHTest, GenerateKeyTwice) { + bssl::UniquePtr<BIGNUM> p(BN_get_rfc3526_prime_2048(nullptr)); + ASSERT_TRUE(p); + bssl::UniquePtr<BIGNUM> g(BN_new()); + ASSERT_TRUE(g); + ASSERT_TRUE(BN_set_word(g.get(), 2)); + bssl::UniquePtr<DH> key1 = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(key1); + ASSERT_TRUE(DH_generate_key(key1.get())); + + // Copy the parameters and private key to a new DH object. + bssl::UniquePtr<DH> key2(DHparams_dup(key1.get())); + ASSERT_TRUE(key2); + bssl::UniquePtr<BIGNUM> priv_key(BN_dup(DH_get0_priv_key(key1.get()))); + ASSERT_TRUE(DH_set0_key(key2.get(), /*pub_key=*/NULL, priv_key.get())); + priv_key.release(); + + // This time, calling |DH_generate_key| preserves the old key and recomputes + // the public key. + ASSERT_TRUE(DH_generate_key(key2.get())); + EXPECT_EQ(BN_cmp(DH_get0_priv_key(key1.get()), DH_get0_priv_key(key2.get())), + 0); + EXPECT_EQ(BN_cmp(DH_get0_pub_key(key1.get()), DH_get0_pub_key(key2.get())), + 0); +} + +// Bad parameters should be rejected, rather than cause a DoS risk in the +// event that an application uses Diffie-Hellman incorrectly, with untrusted +// domain parameters. +TEST(DHTest, InvalidParameters) { + auto check_invalid_group = [](DH *dh) { + // All operations on egregiously invalid groups should fail. 
+ EXPECT_FALSE(DH_generate_key(dh)); + int check_result; + EXPECT_FALSE(DH_check(dh, &check_result)); + bssl::UniquePtr<BIGNUM> pub_key(BN_new()); + ASSERT_TRUE(pub_key); + ASSERT_TRUE(BN_set_u64(pub_key.get(), 42)); + EXPECT_FALSE(DH_check_pub_key(dh, pub_key.get(), &check_result)); + uint8_t buf[1024]; + EXPECT_EQ(DH_compute_key(buf, pub_key.get(), dh), -1); + EXPECT_EQ(DH_compute_key_padded(buf, pub_key.get(), dh), -1); + }; + + bssl::UniquePtr<BIGNUM> p(BN_get_rfc3526_prime_2048(nullptr)); + ASSERT_TRUE(p); + bssl::UniquePtr<BIGNUM> g(BN_new()); + ASSERT_TRUE(g); + ASSERT_TRUE(BN_set_word(g.get(), 2)); + + // p is negative. + BN_set_negative(p.get(), 1); + bssl::UniquePtr<DH> dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + BN_set_negative(p.get(), 0); + check_invalid_group(dh.get()); + + // g is negative. + BN_set_negative(g.get(), 1); + dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + BN_set_negative(g.get(), 0); + check_invalid_group(dh.get()); + + // g is not reduced mod p. + dh = NewDHGroup(p.get(), /*q=*/nullptr, p.get()); + ASSERT_TRUE(dh); + BN_set_negative(g.get(), 0); + check_invalid_group(dh.get()); + + // p is too large. + bssl::UniquePtr<BIGNUM> large(BN_new()); + ASSERT_TRUE(BN_set_bit(large.get(), 0)); + ASSERT_TRUE(BN_set_bit(large.get(), 10000000)); + dh = NewDHGroup(large.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + check_invalid_group(dh.get()); + + // q is too large. + dh = NewDHGroup(p.get(), large.get(), g.get()); + ASSERT_TRUE(dh); + check_invalid_group(dh.get()); + + // Attempting to generate too large of a Diffie-Hellman group should fail. + EXPECT_FALSE( + DH_generate_parameters_ex(dh.get(), 20000, DH_GENERATOR_5, nullptr)); +} + +TEST(DHTest, PrivateKeyLength) { + // Use a custom P, rather than one of the MODP primes, to pick one which does + // not begin with all ones. Otherwise some of the tests for boundary + // conditions below will not notice mistakes. 
+ static const uint8_t kP[] = { + 0xb6, 0xfa, 0x00, 0x07, 0x0a, 0x1f, 0xfb, 0x28, 0x7e, 0x6e, 0x6a, 0x97, + 0xca, 0xa4, 0x6d, 0xf5, 0x25, 0x84, 0x76, 0xc6, 0xc4, 0xa5, 0x47, 0xb6, + 0xb2, 0x7d, 0x76, 0x46, 0xf2, 0xb5, 0x7c, 0xc6, 0xc6, 0xb4, 0xb4, 0x82, + 0xc5, 0xed, 0x7b, 0xd9, 0x30, 0x6e, 0x41, 0xdb, 0x7f, 0x93, 0x2f, 0xb5, + 0x85, 0xa7, 0x38, 0x9e, 0x08, 0xc4, 0x25, 0x92, 0x7d, 0x5d, 0x2b, 0x77, + 0x09, 0xe0, 0x2f, 0x4e, 0x14, 0x36, 0x8a, 0x08, 0x0b, 0xfd, 0x89, 0x22, + 0x47, 0xb4, 0xbd, 0xff, 0x79, 0x4e, 0x78, 0x66, 0x2a, 0x77, 0x74, 0xbd, + 0x85, 0xb6, 0xce, 0x5a, 0x89, 0xb7, 0x60, 0xc3, 0x8d, 0x2a, 0x1f, 0xb7, + 0x30, 0x33, 0x1a, 0xc4, 0x51, 0xa8, 0x18, 0x62, 0x40, 0xb6, 0x5a, 0xb5, + 0x6c, 0xf5, 0xf9, 0xbc, 0x94, 0x50, 0xba, 0xeb, 0xa2, 0xe9, 0xb3, 0x99, + 0xde, 0xf8, 0x55, 0xfd, 0xed, 0x46, 0x1b, 0x69, 0xa5, 0x6a, 0x04, 0xe3, + 0xa9, 0x2c, 0x0c, 0x89, 0x41, 0xfe, 0xe4, 0xa0, 0x85, 0x85, 0x2c, 0x45, + 0xf1, 0xcb, 0x96, 0x04, 0x23, 0x4a, 0x7d, 0x56, 0x38, 0xd8, 0x86, 0x9d, + 0xfc, 0xe0, 0x33, 0x65, 0x1a, 0xff, 0x07, 0xf0, 0xfb, 0xc6, 0x5d, 0x26, + 0xa2, 0x96, 0xd4, 0xb5, 0xe8, 0xcd, 0x48, 0xd7, 0x8e, 0x53, 0xfe, 0xcb, + 0x4b, 0xf2, 0x3a, 0x8b, 0x35, 0x87, 0x0a, 0x79, 0xbe, 0x8d, 0x36, 0x45, + 0x12, 0x6e, 0x1b, 0xd4, 0xa5, 0x57, 0xe0, 0x98, 0xb7, 0x59, 0xba, 0xc2, + 0xd8, 0x2e, 0x05, 0x0f, 0xe1, 0x70, 0x39, 0x5b, 0xe6, 0x4e, 0xdb, 0xb0, + 0xdd, 0x7e, 0xe6, 0x66, 0x13, 0x85, 0x26, 0x32, 0x27, 0xa1, 0x00, 0x7f, + 0x6a, 0xa9, 0xda, 0x2e, 0x50, 0x25, 0x87, 0x73, 0xab, 0x71, 0xfb, 0xa0, + 0x92, 0xba, 0x8e, 0x9c, 0x4e, 0xea, 0x18, 0x32, 0xc4, 0x02, 0x8f, 0xe8, + 0x95, 0x9e, 0xcb, 0x9f}; + bssl::UniquePtr<BIGNUM> p(BN_bin2bn(kP, sizeof(kP), nullptr)); + ASSERT_TRUE(p); + bssl::UniquePtr<BIGNUM> g(BN_new()); + ASSERT_TRUE(g); + ASSERT_TRUE(BN_set_word(g.get(), 2)); + bssl::UniquePtr<BIGNUM> q(BN_new()); + ASSERT_TRUE(q); + ASSERT_TRUE(BN_rshift1(q.get(), p.get())); // (p-1)/2 + + EXPECT_EQ(BN_num_bits(p.get()), 2048u); + EXPECT_EQ(BN_num_bits(q.get()), 2047u); + + // 
This test will only probabilistically notice some kinds of failures, so we + // repeat it for several iterations. + constexpr unsigned kIterations = 100; + + // If the private key was chosen from the range [1, M), num_bits(priv_key) + // should be very close to num_bits(M), but may be a few bits short. Allow 128 + // leading zeros, which should fail with negligible probability. + constexpr unsigned kMaxLeadingZeros = 128; + + for (unsigned i = 0; i < kIterations; i++) { + // If unspecified, the private key is bounded by q = (p-1)/2. + bssl::UniquePtr<DH> dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + ASSERT_TRUE(DH_generate_key(dh.get())); + EXPECT_LT(BN_cmp(DH_get0_priv_key(dh.get()), q.get()), 0); + EXPECT_LE(BN_num_bits(q.get()) - kMaxLeadingZeros, + BN_num_bits(DH_get0_priv_key(dh.get()))); + + // Setting too large of a private key length should not be a DoS vector. The + // key is clamped to q = (p-1)/2. + dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + DH_set_length(dh.get(), 10000000); + ASSERT_TRUE(DH_generate_key(dh.get())); + EXPECT_LT(BN_cmp(DH_get0_priv_key(dh.get()), q.get()), 0); + EXPECT_LE(BN_num_bits(q.get()) - kMaxLeadingZeros, + BN_num_bits(DH_get0_priv_key(dh.get()))); + + // A small private key size should bound the private key. + dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + unsigned bits = 1024; + DH_set_length(dh.get(), bits); + ASSERT_TRUE(DH_generate_key(dh.get())); + EXPECT_LE(BN_num_bits(DH_get0_priv_key(dh.get())), bits); + EXPECT_LE(bits - kMaxLeadingZeros, BN_num_bits(DH_get0_priv_key(dh.get()))); + + // If the private key length is num_bits(q) - 1, the length should be the + // limiting factor. 
+ dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + bits = BN_num_bits(q.get()) - 1; + DH_set_length(dh.get(), bits); + ASSERT_TRUE(DH_generate_key(dh.get())); + EXPECT_LE(BN_num_bits(DH_get0_priv_key(dh.get())), bits); + EXPECT_LE(bits - kMaxLeadingZeros, BN_num_bits(DH_get0_priv_key(dh.get()))); + + // If the private key length is num_bits(q), q should be the limiting + // factor. + dh = NewDHGroup(p.get(), /*q=*/nullptr, g.get()); + ASSERT_TRUE(dh); + DH_set_length(dh.get(), BN_num_bits(q.get())); + ASSERT_TRUE(DH_generate_key(dh.get())); + EXPECT_LT(BN_cmp(DH_get0_priv_key(dh.get()), q.get()), 0); + EXPECT_LE(BN_num_bits(q.get()) - kMaxLeadingZeros, + BN_num_bits(DH_get0_priv_key(dh.get()))); + } +} diff --git a/src/crypto/dh_extra/params.c b/src/crypto/dh_extra/params.c index 0e76747e..548c4c8f 100644 --- a/src/crypto/dh_extra/params.c +++ b/src/crypto/dh_extra/params.c @@ -337,6 +337,11 @@ int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, // It's just as OK (and in some sense better) to use a generator of the // order-q subgroup. + if (prime_bits <= 0 || prime_bits > OPENSSL_DH_MAX_MODULUS_BITS) { + OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); + return 0; + } + BIGNUM *t1, *t2; int g, ok = 0; BN_CTX *ctx = NULL; diff --git a/src/crypto/ec_extra/hash_to_curve.c b/src/crypto/ec_extra/hash_to_curve.c index 2d11ef5d..f29ef130 100644 --- a/src/crypto/ec_extra/hash_to_curve.c +++ b/src/crypto/ec_extra/hash_to_curve.c @@ -26,8 +26,7 @@ #include "../internal.h" -// This file implements hash-to-curve, as described in -// draft-irtf-cfrg-hash-to-curve-16. +// This file implements hash-to-curve, as described in RFC 9380. // // This hash-to-curve implementation is written generically with the // expectation that we will eventually wish to support other curves. If it 
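Review bot: InvalidParameters does not exercise two of the rejections that dh_check_params_fast introduces in check.c, an even p and a zero g, so a regression in either branch would still pass this test. Adding both cases after the "q is too large" block closes the gap. In the "g is not reduced mod p" block, `BN_set_negative(g.get(), 0);` is a leftover from the previous case and can be dropped. `large` in this test and `priv_key` in GenerateKeyTwice are used without an `ASSERT_TRUE` on the allocation, unlike the other BIGNUMs here.

```cpp
  // … unchanged: negative p, negative g, g >= p, oversized p and q cases …

  // p is even.
  bssl::UniquePtr<BIGNUM> even_p(BN_dup(p.get()));
  ASSERT_TRUE(even_p);
  ASSERT_TRUE(BN_clear_bit(even_p.get(), 0));
  dh = NewDHGroup(even_p.get(), /*q=*/nullptr, g.get());
  ASSERT_TRUE(dh);
  check_invalid_group(dh.get());

  // g is zero.
  bssl::UniquePtr<BIGNUM> zero(BN_new());
  ASSERT_TRUE(zero);
  dh = NewDHGroup(p.get(), /*q=*/nullptr, zero.get());
  ASSERT_TRUE(dh);
  check_invalid_group(dh.get());

  // … unchanged: DH_generate_parameters_ex size check …
```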
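Review bot: The added guard in DH_generate_parameters_ex raises DH_R_MODULUS_TOO_LARGE for `prime_bits <= 0` as well, which mislabels a zero or negative size in the error queue. Splitting the non-positive case out, `if (prime_bits <= 0) { OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); return 0; }`, would use the code this commit adds to dh.errordata and keep MODULUS_TOO_LARGE for the upper bound only. The function body continues outside the hunk.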
@@ -48,8 +47,7 @@ // templates to make specializing more convenient. // expand_message_xmd implements the operation described in section 5.3.1 of -// draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// RFC 9380. It returns one on success and zero on error. static int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, const uint8_t *msg, size_t msg_len, const uint8_t *dst, size_t dst_len) { @@ -138,7 +136,7 @@ err: // num_bytes_to_derive determines the number of bytes to derive when hashing to // a number modulo |modulus|. See the hash_to_field operation defined in -// section 5.2 of draft-irtf-cfrg-hash-to-curve-16. +// section 5.2 of RFC 9380. static int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) { size_t bits = BN_num_bits(modulus); size_t L = (bits + k + 7) / 8; @@ -171,8 +169,7 @@ static void big_endian_to_words(BN_ULONG *out, size_t num_words, } // hash_to_field implements the operation described in section 5.2 -// of draft-irtf-cfrg-hash-to-curve-16, with count = 2. |k| is the security -// factor. +// of RFC 9380, with count = 2. |k| is the security factor. static int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, @@ -221,8 +218,7 @@ static inline void mul_A(const EC_GROUP *group, EC_FELEM *out, ec_felem_sub(group, out, in, &tmp); // out = -3*in } -// sgn0 implements the operation described in section 4.1.2 of -// draft-irtf-cfrg-hash-to-curve-16. +// sgn0 implements the operation described in section 4.1.2 of RFC 9380. static BN_ULONG sgn0(const EC_GROUP *group, const EC_FELEM *a) { uint8_t buf[EC_MAX_BYTES]; size_t len; 
@@ -235,7 +231,7 @@ OPENSSL_UNUSED static int is_3mod4(const EC_GROUP *group) { } // sqrt_ratio_3mod4 implements the operation described in appendix F.2.1.2 -// of draft-irtf-cfrg-hash-to-curve-16. +// of RFC 9380. static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_FELEM *out_y, @@ -270,8 +266,7 @@ static BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, } // map_to_curve_simple_swu implements the operation described in section 6.6.2 -// of draft-irtf-cfrg-hash-to-curve-16, using the straight-line implementation -// in appendix F.2. +// of RFC 9380, using the straight-line implementation in appendix F.2. static void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z, const BN_ULONG *c1, size_t num_c1, const EC_FELEM *c2, EC_JACOBIAN *out, @@ -405,7 +400,7 @@ int ec_hash_to_curve_p256_xmd_sha256_sswu(const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_X9_62_prime256v1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; @@ -438,7 +433,7 @@ int ec_hash_to_curve_p384_xmd_sha384_sswu(const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len) { - // See section 8.3 of draft-irtf-cfrg-hash-to-curve-16. + // See section 8.3 of RFC 9380. if (EC_GROUP_get_curve_name(group) != NID_secp384r1) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); return 0; diff --git a/src/crypto/ec_extra/internal.h b/src/crypto/ec_extra/internal.h index 8a9d9900..6b865a37 100644 --- a/src/crypto/ec_extra/internal.h +++ b/src/crypto/ec_extra/internal.h 
@@ -30,24 +30,22 @@ extern "C" { // ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group| // and writes the result to |out|, using the hash_to_field operation from the -// P384_XMD:SHA-384_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-16, but -// generating a value modulo the group order rather than a field element. +// P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo +// the group order rather than a field element. OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384( const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); diff --git a/src/crypto/err/dh.errordata b/src/crypto/err/dh.errordata index 9e1b87d8..09053aec 100644 --- a/src/crypto/err/dh.errordata +++ b/src/crypto/err/dh.errordata @@ -1,6 +1,7 @@ DH,100,BAD_GENERATOR DH,104,DECODE_ERROR DH,105,ENCODE_ERROR +DH,106,INVALID_PARAMETERS DH,101,INVALID_PUBKEY DH,102,MODULUS_TOO_LARGE DH,103,NO_PRIVATE_VALUE 
diff --git a/src/crypto/fipsmodule/CMakeLists.txt b/src/crypto/fipsmodule/CMakeLists.txt index 6c18791a..9d369994 100644 --- a/src/crypto/fipsmodule/CMakeLists.txt +++ b/src/crypto/fipsmodule/CMakeLists.txt @@ -7,8 +7,8 @@ perlasm(BCM_SOURCES aarch64 ghashv8-armv8 modes/asm/ghashv8-armx.pl) perlasm(BCM_SOURCES aarch64 p256_beeu-armv8-asm ec/asm/p256_beeu-armv8-asm.pl) perlasm(BCM_SOURCES aarch64 p256-armv8-asm ec/asm/p256-armv8-asm.pl) perlasm(BCM_SOURCES aarch64 sha1-armv8 sha/asm/sha1-armv8.pl) -perlasm(BCM_SOURCES aarch64 sha256-armv8 sha/asm/sha512-armv8.pl) -perlasm(BCM_SOURCES aarch64 sha512-armv8 sha/asm/sha512-armv8.pl) +perlasm(BCM_SOURCES aarch64 sha256-armv8 sha/asm/sha512-armv8.pl sha256) +perlasm(BCM_SOURCES aarch64 sha512-armv8 sha/asm/sha512-armv8.pl sha512) perlasm(BCM_SOURCES aarch64 vpaes-armv8 aes/asm/vpaes-armv8.pl) perlasm(BCM_SOURCES arm aesv8-armv7 aes/asm/aesv8-armx.pl) perlasm(BCM_SOURCES arm armv4-mont bn/asm/armv4-mont.pl) @@ -40,8 +40,8 @@ perlasm(BCM_SOURCES x86_64 p256-x86_64-asm ec/asm/p256-x86_64-asm.pl) perlasm(BCM_SOURCES x86_64 rdrand-x86_64 rand/asm/rdrand-x86_64.pl) perlasm(BCM_SOURCES x86_64 rsaz-avx2 bn/asm/rsaz-avx2.pl) perlasm(BCM_SOURCES x86_64 sha1-x86_64 sha/asm/sha1-x86_64.pl) -perlasm(BCM_SOURCES x86_64 sha256-x86_64 sha/asm/sha512-x86_64.pl) -perlasm(BCM_SOURCES x86_64 sha512-x86_64 sha/asm/sha512-x86_64.pl) +perlasm(BCM_SOURCES x86_64 sha256-x86_64 sha/asm/sha512-x86_64.pl sha256) +perlasm(BCM_SOURCES x86_64 sha512-x86_64 sha/asm/sha512-x86_64.pl sha512) perlasm(BCM_SOURCES x86_64 vpaes-x86_64 aes/asm/vpaes-x86_64.pl) perlasm(BCM_SOURCES x86_64 x86_64-mont bn/asm/x86_64-mont.pl) perlasm(BCM_SOURCES x86_64 x86_64-mont5 bn/asm/x86_64-mont5.pl) @@ -55,7 +55,7 @@ endif() if(FIPS_DELOCATE) if(FIPS_SHARED) - error("Can't set both delocate and shared mode for FIPS build") + message(FATAL_ERROR "Can't set both delocate and shared mode for FIPS build") endif() add_library( 
@@ -134,7 +134,7 @@ if(FIPS_DELOCATE) set_target_properties(fipsmodule PROPERTIES LINKER_LANGUAGE C) elseif(FIPS_SHARED) if(NOT BUILD_SHARED_LIBS) - error("FIPS_SHARED set but not BUILD_SHARED_LIBS") + message(FATAL_ERROR "FIPS_SHARED set but not BUILD_SHARED_LIBS") endif() add_library( diff --git a/src/crypto/fipsmodule/bn/bn_test.cc b/src/crypto/fipsmodule/bn/bn_test.cc index 5bf2e133..08c4719d 100644 --- a/src/crypto/fipsmodule/bn/bn_test.cc +++ b/src/crypto/fipsmodule/bn/bn_test.cc @@ -1158,8 +1158,8 @@ TEST_F(BNTest, LittleEndian) { ASSERT_TRUE(BN_bn2le_padded(out, sizeof(out), x.get())); EXPECT_EQ(Bytes(zeros), Bytes(out)); - ASSERT_TRUE(BN_le2bn(out, sizeof(out), y.get())); - EXPECT_BIGNUMS_EQUAL("BN_le2bn round-trip", x.get(), y.get()); + ASSERT_TRUE(BN_lebin2bn(out, sizeof(out), y.get())); + EXPECT_BIGNUMS_EQUAL("BN_lebin2bn round-trip", x.get(), y.get()); // Test random numbers at various byte lengths. for (size_t bytes = 128 - 7; bytes <= 128; bytes++) { @@ -1182,8 +1182,8 @@ TEST_F(BNTest, LittleEndian) { EXPECT_EQ(Bytes(out), Bytes(expected)); // Make sure the decoding produces the same BIGNUM. - ASSERT_TRUE(BN_le2bn(out, bytes, y.get())); - EXPECT_BIGNUMS_EQUAL("BN_le2bn round-trip", x.get(), y.get()); + ASSERT_TRUE(BN_lebin2bn(out, bytes, y.get())); + EXPECT_BIGNUMS_EQUAL("BN_lebin2bn round-trip", x.get(), y.get()); } } diff --git a/src/crypto/fipsmodule/bn/bytes.c b/src/crypto/fipsmodule/bn/bytes.c index 331e0859..aca0e38e 100644 --- a/src/crypto/fipsmodule/bn/bytes.c +++ b/src/crypto/fipsmodule/bn/bytes.c @@ -116,7 +116,7 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } -BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { +BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { BIGNUM *bn = NULL; if (ret == NULL) { bn = BN_new(); 
@@ -149,6 +149,10 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } +BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { + return BN_lebin2bn(in, len, ret); +} + // fits_in_bytes returns one if the |num_words| words in |words| can be // represented in |num_bytes| bytes. static int fits_in_bytes(const BN_ULONG *words, size_t num_words, diff --git a/src/crypto/fipsmodule/cipher/cipher.c b/src/crypto/fipsmodule/cipher/cipher.c index 18b5e0a5..bff7996a 100644 --- a/src/crypto/fipsmodule/cipher/cipher.c +++ b/src/crypto/fipsmodule/cipher/cipher.c @@ -586,6 +586,16 @@ unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx) { } unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx) { + if (EVP_CIPHER_mode(ctx->cipher) == EVP_CIPH_GCM_MODE) { + int length; + int res = EVP_CIPHER_CTX_ctrl((EVP_CIPHER_CTX *)ctx, EVP_CTRL_GET_IVLEN, 0, + &length); + // EVP_CIPHER_CTX_ctrl returning an error should be impossible under this + // circumstance. If it somehow did, fallback to the static cipher iv_len. + if (res == 1) { + return length; + } + } return ctx->cipher->iv_len; } diff --git a/src/crypto/fipsmodule/cipher/e_aes.c b/src/crypto/fipsmodule/cipher/e_aes.c index 0db77b84..6d91cc4c 100644 --- a/src/crypto/fipsmodule/cipher/e_aes.c +++ b/src/crypto/fipsmodule/cipher/e_aes.c @@ -454,6 +454,10 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { gctx->ivlen = arg; return 1; + case EVP_CTRL_GET_IVLEN: + *(int *)ptr = gctx->ivlen; + return 1; + case EVP_CTRL_AEAD_SET_TAG: if (arg <= 0 || arg > 16 || c->encrypt) { return 0; diff --git a/src/crypto/fipsmodule/dh/check.c b/src/crypto/fipsmodule/dh/check.c index 0c82c17f..b92b700d 100644 --- a/src/crypto/fipsmodule/dh/check.c +++ b/src/crypto/fipsmodule/dh/check.c 
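Review bot: EVP_CIPHER_CTX_iv_length now reports the IV length configured on a GCM context rather than the cipher's static `iv_len`, so it can return a larger value than before. Callers outside this diff that size or fill a fixed buffer from the return value should be re-checked against the new behaviour. The function has no comment stating this; I would add `// For GCM, this returns the IV length currently set on |ctx|, which may exceed EVP_MAX_IV_LENGTH.` above it. The `(EVP_CIPHER_CTX *)ctx` cast drops const to reach EVP_CIPHER_CTX_ctrl, which is only safe while the GET_IVLEN handler stays read-only, and that assumption also deserves a one-line comment at the cast.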
@@ -57,12 +57,40 @@ #include <openssl/dh.h> #include <openssl/bn.h> +#include <openssl/err.h> #include "internal.h" +int dh_check_params_fast(const DH *dh) { + // Most operations scale with p and q. + if (BN_is_negative(dh->p) || !BN_is_odd(dh->p) || + BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + // q must be bounded by p. + if (dh->q != NULL && (BN_is_negative(dh->q) || BN_ucmp(dh->q, dh->p) > 0)) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + // g must be an element of p's multiplicative group. + if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || + BN_ucmp(dh->g, dh->p) >= 0) { + OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); + return 0; + } + + return 1; +} + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { *out_flags = 0; + if (!dh_check_params_fast(dh)) { + return 0; + } BN_CTX *ctx = BN_CTX_new(); if (ctx == NULL) { @@ -73,17 +101,14 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { int ok = 0; // Check |pub_key| is greater than 1. - BIGNUM *tmp = BN_CTX_get(ctx); - if (tmp == NULL || - !BN_set_word(tmp, 1)) { - goto err; - } - if (BN_cmp(pub_key, tmp) <= 0) { + if (BN_cmp(pub_key, BN_value_one()) <= 0) { *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL; } // Check |pub_key| is less than |dh->p| - 1. - if (!BN_copy(tmp, dh->p) || + BIGNUM *tmp = BN_CTX_get(ctx); + if (tmp == NULL || + !BN_copy(tmp, dh->p) || !BN_sub_word(tmp, 1)) { goto err; } @@ -113,6 +138,11 @@ err: int DH_check(const DH *dh, int *out_flags) { + *out_flags = 0; + if (!dh_check_params_fast(dh)) { + return 0; + } + // Check that p is a safe prime and if g is 2, 3 or 5, check that it is a // suitable generator where: // for 2, p mod 24 == 11 @@ -124,7 +154,6 @@ int DH_check(const DH *dh, int *out_flags) { BN_ULONG l; BIGNUM *t1 = NULL, *t2 = NULL; - *out_flags = 0; ctx = BN_CTX_new(); if (ctx == NULL) { goto err; 
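Review bot: dh_check_params_fast passes `dh->p` and `dh->g` straight to BN_is_negative and BN_is_odd without checking them for NULL, although it is now the first gate in DH_generate_key, DH_check, DH_check_pub_key and dh_compute_key. Whether a DH object with unset parameters can reach these entry points depends on callers outside the diff. If it can, the gate meant to reject bad parameters would itself dereference a null pointer. An explicit first check, `if (dh->p == NULL || dh->g == NULL) { OPENSSL_PUT_ERROR(DH, DH_R_INVALID_PARAMETERS); return 0; }`, would make the function safe to call on any DH.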
diff --git a/src/crypto/fipsmodule/dh/dh.c b/src/crypto/fipsmodule/dh/dh.c index 80940fdb..a20b6d11 100644 --- a/src/crypto/fipsmodule/dh/dh.c +++ b/src/crypto/fipsmodule/dh/dh.c @@ -70,8 +70,6 @@ #include "internal.h" -#define OPENSSL_DH_MAX_MODULUS_BITS 10000 - DH *DH_new(void) { DH *dh = OPENSSL_malloc(sizeof(DH)); if (dh == NULL) { @@ -191,15 +189,14 @@ int DH_set_length(DH *dh, unsigned priv_length) { int DH_generate_key(DH *dh) { boringssl_ensure_ffdh_self_test(); + if (!dh_check_params_fast(dh)) { + return 0; + } + int ok = 0; int generate_new_key = 0; BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); - goto err; - } + BIGNUM *pub_key = NULL, *priv_key = NULL, *priv_key_limit = NULL; ctx = BN_CTX_new(); if (ctx == NULL) { 
@@ -232,22 +229,44 @@ int DH_generate_key(DH *dh) { if (generate_new_key) { if (dh->q) { - if (!BN_rand_range_ex(priv_key, 2, dh->q)) { + // Section 5.6.1.1.4 of SP 800-56A Rev3 generates a private key uniformly + // from [1, min(2^N-1, q-1)]. + // + // Although SP 800-56A Rev3 now permits a private key length N, + // |dh->priv_length| historically was ignored when q is available. We + // continue to ignore it and interpret such a configuration as N = len(q). + if (!BN_rand_range_ex(priv_key, 1, dh->q)) { goto err; } } else { - // secret exponent length - unsigned priv_bits = dh->priv_length; - if (priv_bits == 0) { - const unsigned p_bits = BN_num_bits(dh->p); - if (p_bits == 0) { + // If q is unspecified, we expect p to be a safe prime, with g generating + // the (p-1)/2 subgroup. So, we use q = (p-1)/2. (If g generates a smaller + // prime-order subgroup, q will still divide (p-1)/2.) + // + // We set N from |dh->priv_length|. Section 5.6.1.1.4 of SP 800-56A Rev3 + // says to reject N > len(q), or N > num_bits(p) - 1. However, this logic + // originally aligned with PKCS#3, which allows num_bits(p). Instead, we + // clamp |dh->priv_length| before invoking the algorithm. + + // Compute M = min(2^N, q). + priv_key_limit = BN_new(); + if (priv_key_limit == NULL) { + goto err; + } + if (dh->priv_length == 0 || dh->priv_length >= BN_num_bits(dh->p) - 1) { + // M = q = (p - 1) / 2. + if (!BN_rshift1(priv_key_limit, dh->p)) { + goto err; + } + } else { + // M = 2^N. + if (!BN_set_bit(priv_key_limit, dh->priv_length)) { goto err; } - - priv_bits = p_bits - 1; } - if (!BN_rand(priv_key, priv_bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) { + // Choose a private key uniformly from [1, M-1]. + if (!BN_rand_range_ex(priv_key, 1, priv_key_limit)) { goto err; } } 
@@ -273,14 +292,14 @@ err: if (dh->priv_key == NULL) { BN_free(priv_key); } + BN_free(priv_key_limit); BN_CTX_free(ctx); return ok; } static int dh_compute_key(DH *dh, BIGNUM *out_shared_key, const BIGNUM *peers_key, BN_CTX *ctx) { - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - OPENSSL_PUT_ERROR(DH, DH_R_MODULUS_TOO_LARGE); + if (!dh_check_params_fast(dh)) { return 0; } diff --git a/src/crypto/fipsmodule/dh/internal.h b/src/crypto/fipsmodule/dh/internal.h index fe7fda4e..d11e59b5 100644 --- a/src/crypto/fipsmodule/dh/internal.h +++ b/src/crypto/fipsmodule/dh/internal.h @@ -26,6 +26,8 @@ extern "C" { #endif +#define OPENSSL_DH_MAX_MODULUS_BITS 10000 + struct dh_st { BIGNUM *p; BIGNUM *g; @@ -44,6 +46,11 @@ struct dh_st { CRYPTO_refcount_t references; }; +// dh_check_params_fast checks basic invariants on |dh|'s domain parameters. It +// does not check that |dh| forms a valid group, only that the sizes are within +// DoS bounds. +int dh_check_params_fast(const DH *dh); + // dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|, // but doesn't try to run the self-test first. This is for use in the self tests // themselves, to prevent an infinite loop. diff --git a/src/crypto/fipsmodule/ec/ec_test.cc b/src/crypto/fipsmodule/ec/ec_test.cc index 75e11f84..b9bc1a26 100644 --- a/src/crypto/fipsmodule/ec/ec_test.cc +++ b/src/crypto/fipsmodule/ec/ec_test.cc @@ -1223,7 +1223,7 @@ TEST(ECTest, HashToCurve) { const char *y_hex; }; const HashToCurveTest kTests[] = { - // See draft-irtf-cfrg-hash-to-curve-16, appendix J.1.1. + // See RFC 9380, appendix J.1.1. {&EC_hash_to_curve_p256_xmd_sha256_sswu, EC_group_p256(), "QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_", "", "2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91" diff --git a/src/crypto/fipsmodule/modes/asm/aesni-gcm-x86_64.pl b/src/crypto/fipsmodule/modes/asm/aesni-gcm-x86_64.pl index 25302131..82e46d48 100644 --- a/src/crypto/fipsmodule/modes/asm/aesni-gcm-x86_64.pl 
+++ b/src/crypto/fipsmodule/modes/asm/aesni-gcm-x86_64.pl @@ -1064,7 +1064,7 @@ $code.=<<___; ret .seh_endproc .cfi_endproc -.size aesni_gcm_decrypt,.-aesni_gcm_decrypt +.size aesni_gcm_encrypt,.-aesni_gcm_encrypt ___ $code.=<<___; diff --git a/src/crypto/fipsmodule/sha/asm/sha512-armv8.pl b/src/crypto/fipsmodule/sha/asm/sha512-armv8.pl index 0235be33..c7d91540 100644 --- a/src/crypto/fipsmodule/sha/asm/sha512-armv8.pl +++ b/src/crypto/fipsmodule/sha/asm/sha512-armv8.pl @@ -39,23 +39,9 @@ # generated with -mgeneral-regs-only is significantly faster # and the gap is only 40-90%. -$output=pop; -$flavour=pop; +my ($flavour, $hash, $output) = @ARGV; -if ($flavour && $flavour ne "void") { - $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; - ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or - ( $xlate="${dir}../../../perlasm/arm-xlate.pl" and -f $xlate) or - die "can't locate arm-xlate.pl"; - - open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""; - *STDOUT=*OUT; -} else { - open OUT,">$output"; - *STDOUT=*OUT; -} - -if ($output =~ /512/) { +if ($hash eq "sha512") { $BITS=512; $SZ=8; @Sigma0=(28,34,39); @@ -64,7 +50,7 @@ if ($output =~ /512/) { @sigma1=(19,61, 6); $rounds=80; $reg_t="x"; -} else { +} elsif ($hash eq "sha256") { $BITS=256; $SZ=4; @Sigma0=( 2,13,22); @@ -73,6 +59,21 @@ if ($output =~ /512/) { @sigma1=(17,19,10); $rounds=64; $reg_t="w"; +} else { + die "unknown hash: $hash"; +} + +if ($flavour && $flavour ne "void") { + $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; + ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or + ( $xlate="${dir}../../../perlasm/arm-xlate.pl" and -f $xlate) or + die "can't locate arm-xlate.pl"; + + open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""; + *STDOUT=*OUT; +} else { + open OUT,">$output"; + *STDOUT=*OUT; } $func="sha${BITS}_block_data_order"; diff --git a/src/crypto/fipsmodule/sha/asm/sha512-x86_64.pl b/src/crypto/fipsmodule/sha/asm/sha512-x86_64.pl index 35e88d9b..a3e4122a 100755 --- a/src/crypto/fipsmodule/sha/asm/sha512-x86_64.pl 
+++ b/src/crypto/fipsmodule/sha/asm/sha512-x86_64.pl @@ -111,32 +111,9 @@ # # Modified from upstream OpenSSL to remove the XOP code. -$flavour = shift; -$output = shift; -if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } +my ($flavour, $hash, $output) = @ARGV; -$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../../perlasm/x86_64-xlate.pl" and -f $xlate) or -die "can't locate x86_64-xlate.pl"; - -# In upstream, this is controlled by shelling out to the compiler to check -# versions, but BoringSSL is intended to be used with pre-generated perlasm -# output, so this isn't useful anyway. -# -# This file also has an AVX2 implementation, controlled by setting $avx to 2. -# For now, we intentionally disable it. While it gives a 13-16% perf boost, the -# CFI annotations are wrong. It allocates stack in a loop and should be -# rewritten to avoid this. -$avx = 1; -$shaext = 1; - -open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""; -*STDOUT=*OUT; - -if ($output =~ /512/) { +if ($hash eq "sha512") { $func="sha512_block_data_order"; $TABLE="K512"; $SZ=8; @@ -148,7 +125,7 @@ if ($output =~ /512/) { @sigma0=(1, 8, 7); @sigma1=(19,61, 6); $rounds=80; -} else { +} elsif ($hash eq "sha256") { $func="sha256_block_data_order"; $TABLE="K256"; $SZ=4; 
@@ -160,8 +137,31 @@ if ($output =~ /512/) { @sigma0=( 7,18, 3); @sigma1=(17,19,10); $rounds=64; +} else { + die "unknown hash: $hash"; } +$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../../perlasm/x86_64-xlate.pl" and -f $xlate) or +die "can't locate x86_64-xlate.pl"; + +# In upstream, this is controlled by shelling out to the compiler to check +# versions, but BoringSSL is intended to be used with pre-generated perlasm +# output, so this isn't useful anyway. +# +# This file also has an AVX2 implementation, controlled by setting $avx to 2. +# For now, we intentionally disable it. While it gives a 13-16% perf boost, the +# CFI annotations are wrong. It allocates stack in a loop and should be +# rewritten to avoid this. +$avx = 1; +$shaext = 1; + +open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\""; +*STDOUT=*OUT; + $ctx="%rdi"; # 1st arg, zapped by $a3 $inp="%rsi"; # 2nd arg $Tbl="%rbp"; diff --git a/src/crypto/hpke/hpke.c b/src/crypto/hpke/hpke.c index 144b1278..ff8b17b6 100644 --- a/src/crypto/hpke/hpke.c +++ b/src/crypto/hpke/hpke.c @@ -352,6 +352,13 @@ int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) { return 1; } +void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) { + EVP_HPKE_KEY_cleanup(out); + // For now, |EVP_HPKE_KEY| is trivially movable. + OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY)); + EVP_HPKE_KEY_zero(in); +} + int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem, const uint8_t *priv_key, size_t priv_key_len) { EVP_HPKE_KEY_zero(key); diff --git a/src/crypto/hpke/hpke_test.cc b/src/crypto/hpke/hpke_test.cc index 03b23b52..30593f99 100644 --- a/src/crypto/hpke/hpke_test.cc +++ b/src/crypto/hpke/hpke_test.cc 
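Review bot: EVP_HPKE_KEY_move does not handle `out == in`. In that case it runs EVP_HPKE_KEY_cleanup on the key, copies it onto itself with OPENSSL_memcpy, then zeroes it, so the caller is left with an empty key and no error. Either return early with `if (out == in) { return; }` as the first statement, or state in the header comment that the two pointers must differ. The comment should also say that `out` must already be initialised or zeroed, since it is cleaned up before being overwritten.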
@@ -93,13 +93,24 @@ class HPKETestVector { ScopedEVP_HPKE_KEY base_key; ASSERT_TRUE(EVP_HPKE_KEY_init(base_key.get(), kem, secret_key_r_.data(), secret_key_r_.size())); - for (bool copy : {false, true}) { - SCOPED_TRACE(copy); + + enum class CopyMode { kOriginal, kCopy, kMove }; + for (CopyMode copy : + {CopyMode::kOriginal, CopyMode::kCopy, CopyMode::kMove}) { + SCOPED_TRACE(static_cast<int>(copy)); const EVP_HPKE_KEY *key = base_key.get(); ScopedEVP_HPKE_KEY key_copy; - if (copy) { - ASSERT_TRUE(EVP_HPKE_KEY_copy(key_copy.get(), base_key.get())); - key = key_copy.get(); + switch (copy) { + case CopyMode::kOriginal: + break; + case CopyMode::kCopy: + ASSERT_TRUE(EVP_HPKE_KEY_copy(key_copy.get(), base_key.get())); + key = key_copy.get(); + break; + case CopyMode::kMove: + EVP_HPKE_KEY_move(key_copy.get(), base_key.get()); + key = key_copy.get(); + break; } uint8_t public_key[EVP_HPKE_MAX_PUBLIC_KEY_LENGTH]; diff --git a/src/crypto/internal.h b/src/crypto/internal.h index 6f5a9e0e..4de4597d 100644 --- a/src/crypto/internal.h +++ b/src/crypto/internal.h @@ -109,6 +109,7 @@ #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H #define OPENSSL_HEADER_CRYPTO_INTERNAL_H +#include <openssl/arm_arch.h> #include <openssl/crypto.h> #include <openssl/ex_data.h> #include <openssl/stack.h> 
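Review bot: The kMove case consumes `base_key`, which is initialised once before the loop, so the loop is only correct because kMove is the last entry in the list. Reordering the modes or appending another one after it would silently run against a zeroed key. A comment on the initializer list such as `// kMove must be last: it leaves |base_key| empty.` would record the constraint; re-initialising the key inside the loop would remove it. The enclosing test method starts and ends outside this hunk.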
@@ -126,24 +127,13 @@ #endif #if !defined(__cplusplus) -#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 201112L -#include <stdalign.h> -#elif defined(_MSC_VER) && !defined(__clang__) -#define alignas(x) __declspec(align(x)) -#define alignof __alignof -#else -// With the exception of MSVC, we require C11 to build the library. C11 is a -// prerequisite for improved refcounting performance. All our supported C -// compilers have long implemented C11 and made it default. The most likely -// cause of pre-C11 modes is stale -std=c99 or -std=gnu99 flags in build -// configuration. Such flags can be removed. -// -// TODO(davidben): In MSVC 2019 16.8 or higher (_MSC_VER >= 1928), -// |__STDC_VERSION__| will be 201112 when passed /std:c11 and unset otherwise. -// C11 alignas and alignof are only implemented in C11 mode. Can we mandate C11 -// mode for those versions? +#if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 201112L +// BoringSSL requires C11 to build the library. The most likely cause of +// pre-C11 modes is stale -std=c99 or -std=gnu99 flags in build configuration. +// Such flags can be removed. If building with MSVC, build with /std:c11. #error "BoringSSL must be built in C11 mode or higher." #endif +#include <stdalign.h> #endif #if defined(OPENSSL_THREADS) && \ @@ -159,9 +149,8 @@ // Determine the atomics implementation to use with C. #if !defined(__cplusplus) -#if !defined(OPENSSL_C11_ATOMIC) && defined(OPENSSL_THREADS) && \ - !defined(__STDC_NO_ATOMICS__) && defined(__STDC_VERSION__) && \ - __STDC_VERSION__ >= 201112L +#if !defined(OPENSSL_C11_ATOMIC) && defined(OPENSSL_THREADS) && \ + !defined(__STDC_NO_ATOMICS__) #define OPENSSL_C11_ATOMIC #endif 
@@ -254,6 +243,12 @@ typedef __uint128_t uint128_t; #define OPENSSL_SSE2 #endif +#if defined(__GNUC__) || defined(__clang__) +#define OPENSSL_ATTR_PURE __attribute__((pure)) +#else +#define OPENSSL_ATTR_PURE +#endif + #if defined(BORINGSSL_MALLOC_FAILURE_TESTING) // OPENSSL_reset_malloc_counter_for_testing, when malloc testing is enabled, // resets the internal malloc counter, to simulate further malloc failures. This @@ -1227,18 +1222,14 @@ OPENSSL_INLINE int boringssl_fips_break_test(const char *test) { // // Note: the CPUID bits are pre-adjusted for the OSXSAVE bit and the YMM and XMM // bits in XCR0, so it is not necessary to check those. +// +// From C, this symbol should only be accessed with |OPENSSL_get_ia32cap|. extern uint32_t OPENSSL_ia32cap_P[4]; -#if defined(BORINGSSL_FIPS) && !defined(BORINGSSL_SHARED_LIBRARY) -// The FIPS module, as a static library, requires an out-of-line version of -// |OPENSSL_ia32cap_get| so accesses can be rewritten by delocate. Mark the -// function const so multiple accesses can be optimized together. -const uint32_t *OPENSSL_ia32cap_get(void) __attribute__((const)); -#else -OPENSSL_INLINE const uint32_t *OPENSSL_ia32cap_get(void) { - return OPENSSL_ia32cap_P; -} -#endif +// OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th +// entry of |OPENSSL_ia32cap_P|. It is marked as a pure function so duplicate +// calls can be merged by the compiler, at least when indices match. +OPENSSL_ATTR_PURE uint32_t OPENSSL_get_ia32cap(int idx); // See Intel manual, volume 2A, table 3-11. 
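Review bot: The new declaration `OPENSSL_get_ia32cap(int idx)` does not document the valid range of `idx`, although the comment says it returns the `|idx|`th entry of the four-element `OPENSSL_ia32cap_P`. An out-of-range or negative index would read outside the array unless the out-of-line definition checks it, and that definition is not part of this hunk. Add a line to the comment such as `// |idx| must be between zero and three, inclusive.`, and if the definition does not already enforce this, a check there would be worthwhile.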
@@ -1246,13 +1237,13 @@ OPENSSL_INLINE int CRYPTO_is_FXSR_capable(void) { #if defined(__FXSR__) return 1; #else - return (OPENSSL_ia32cap_get()[0] & (1 << 24)) != 0; + return (OPENSSL_get_ia32cap(0) & (1u << 24)) != 0; #endif } OPENSSL_INLINE int CRYPTO_is_intel_cpu(void) { // The reserved bit 30 is used to indicate an Intel CPU. - return (OPENSSL_ia32cap_get()[0] & (1 << 30)) != 0; + return (OPENSSL_get_ia32cap(0) & (1u << 30)) != 0; } // See Intel manual, volume 2A, table 3-10. @@ -1261,7 +1252,7 @@ OPENSSL_INLINE int CRYPTO_is_PCLMUL_capable(void) { #if defined(__PCLMUL__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1 << 1)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 1)) != 0; #endif } @@ -1269,7 +1260,7 @@ OPENSSL_INLINE int CRYPTO_is_SSSE3_capable(void) { #if defined(__SSSE3__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1 << 9)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 9)) != 0; #endif } @@ -1277,7 +1268,7 @@ OPENSSL_INLINE int CRYPTO_is_SSE4_1_capable(void) { #if defined(__SSE4_1__) return 1; #else - return (OPENSSL_ia32cap_P[1] & (1 << 19)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 19)) != 0; #endif } @@ -1285,7 +1276,7 @@ OPENSSL_INLINE int CRYPTO_is_MOVBE_capable(void) { #if defined(__MOVBE__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1 << 22)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 22)) != 0; #endif } @@ -1293,7 +1284,7 @@ OPENSSL_INLINE int CRYPTO_is_AESNI_capable(void) { #if defined(__AES__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1 << 25)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 25)) != 0; #endif } @@ -1301,7 +1292,7 @@ OPENSSL_INLINE int CRYPTO_is_AVX_capable(void) { #if defined(__AVX__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1 << 28)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 28)) != 0; #endif } 
@@ -1311,7 +1302,7 @@ OPENSSL_INLINE int CRYPTO_is_RDRAND_capable(void) { #if defined(__RDRND__) return 1; #else - return (OPENSSL_ia32cap_get()[1] & (1u << 30)) != 0; + return (OPENSSL_get_ia32cap(1) & (1u << 30)) != 0; #endif } @@ -1321,7 +1312,7 @@ OPENSSL_INLINE int CRYPTO_is_BMI1_capable(void) { #if defined(__BMI1__) return 1; #else - return (OPENSSL_ia32cap_get()[2] & (1 << 3)) != 0; + return (OPENSSL_get_ia32cap(2) & (1u << 3)) != 0; #endif } @@ -1329,7 +1320,7 @@ OPENSSL_INLINE int CRYPTO_is_AVX2_capable(void) { #if defined(__AVX2__) return 1; #else - return (OPENSSL_ia32cap_get()[2] & (1 << 5)) != 0; + return (OPENSSL_get_ia32cap(2) & (1u << 5)) != 0; #endif } @@ -1337,7 +1328,7 @@ OPENSSL_INLINE int CRYPTO_is_BMI2_capable(void) { #if defined(__BMI2__) return 1; #else - return (OPENSSL_ia32cap_get()[2] & (1 << 8)) != 0; + return (OPENSSL_get_ia32cap(2) & (1u << 8)) != 0; #endif } @@ -1345,7 +1336,7 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) { #if defined(__ADX__) return 1; #else - return (OPENSSL_ia32cap_get()[2] & (1 << 19)) != 0; + return (OPENSSL_get_ia32cap(2) & (1u << 19)) != 0; #endif } @@ -1353,8 +1344,15 @@ OPENSSL_INLINE int CRYPTO_is_ADX_capable(void) { #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64) +// OPENSSL_armcap_P contains ARM CPU capabilities. From C, this should only be +// accessed with |OPENSSL_get_armcap|. extern uint32_t OPENSSL_armcap_P; +// OPENSSL_get_armcap initializes the library if needed and returns ARM CPU +// capabilities. It is marked as a pure function so duplicate calls can be +// merged by the compiler, at least when indices match. +OPENSSL_ATTR_PURE uint32_t OPENSSL_get_armcap(void); + // We do not detect any features at runtime on several 32-bit Arm platforms. // Apple platforms and OpenBSD require NEON and moved to 64-bit to pick up Armv8 // extensions. Android baremetal does not aim to support 32-bit Arm at all, but 
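Review bot: The comment added above `OPENSSL_get_armcap(void)` ends with "at least when indices match", but this function takes no index; the phrase appears to have been carried over from the `OPENSSL_get_ia32cap` comment. End the sentence at the compiler: `// merged by the compiler.` Leaving it as is suggests a parameter that does not exist.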
@@ -1379,21 +1377,6 @@ extern uint32_t OPENSSL_armcap_P; #endif #endif -#if !defined(OPENSSL_STATIC_ARMCAP) -// CRYPTO_is_NEON_capable_at_runtime returns true if the current CPU has a NEON -// unit. Note that |OPENSSL_armcap_P| also exists and contains the same -// information in a form that's easier for assembly to use. -OPENSSL_EXPORT int CRYPTO_is_NEON_capable_at_runtime(void); - -// CRYPTO_is_ARMv8_AES_capable_at_runtime returns true if the current CPU -// supports the ARMv8 AES instruction. -int CRYPTO_is_ARMv8_AES_capable_at_runtime(void); - -// CRYPTO_is_ARMv8_PMULL_capable_at_runtime returns true if the current CPU -// supports the ARMv8 PMULL instruction. -int CRYPTO_is_ARMv8_PMULL_capable_at_runtime(void); -#endif // !OPENSSL_STATIC_ARMCAP - // CRYPTO_is_NEON_capable returns true if the current CPU has a NEON unit. If // this is known statically, it is a constant inline function. OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) { @@ -1402,7 +1385,7 @@ OPENSSL_INLINE int CRYPTO_is_NEON_capable(void) { #elif defined(OPENSSL_STATIC_ARMCAP) return 0; #else - return CRYPTO_is_NEON_capable_at_runtime(); + return (OPENSSL_get_armcap() & ARMV7_NEON) != 0; #endif } @@ -1412,7 +1395,7 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_AES_capable(void) { #elif defined(OPENSSL_STATIC_ARMCAP) return 0; #else - return CRYPTO_is_ARMv8_AES_capable_at_runtime(); + return (OPENSSL_get_armcap() & ARMV8_AES) != 0; #endif } @@ -1422,7 +1405,7 @@ OPENSSL_INLINE int CRYPTO_is_ARMv8_PMULL_capable(void) { #elif defined(OPENSSL_STATIC_ARMCAP) return 0; #else - return CRYPTO_is_ARMv8_PMULL_capable_at_runtime(); + return (OPENSSL_get_armcap() & ARMV8_PMULL) != 0; #endif } diff --git a/src/crypto/obj/obj.c b/src/crypto/obj/obj.c index 67c73d4f..9be37305 100644 --- a/src/crypto/obj/obj.c +++ b/src/crypto/obj/obj.c 
@@ -159,11 +159,10 @@ err: } int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { - int ret; - - ret = a->length - b->length; - if (ret) { - return ret; + if (a->length < b->length) { + return -1; + } else if (a->length > b->length) { + return 1; } return OPENSSL_memcmp(a->data, b->data, a->length); } @@ -189,15 +188,7 @@ size_t OBJ_length(const ASN1_OBJECT *obj) { // unsigned int in the array. static int obj_cmp(const void *key, const void *element) { uint16_t nid = *((const uint16_t *)element); - const ASN1_OBJECT *a = key; - const ASN1_OBJECT *b = &kObjects[nid]; - - if (a->length < b->length) { - return -1; - } else if (a->length > b->length) { - return 1; - } - return OPENSSL_memcmp(a->data, b->data, a->length); + return OBJ_cmp(key, &kObjects[nid]); } int OBJ_obj2nid(const ASN1_OBJECT *obj) { @@ -474,14 +465,6 @@ static uint32_t hash_data(const ASN1_OBJECT *obj) { return OPENSSL_hash32(obj->data, obj->length); } -static int cmp_data(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { - int i = a->length - b->length; - if (i) { - return i; - } - return OPENSSL_memcmp(a->data, b->data, a->length); -} - static uint32_t hash_short_name(const ASN1_OBJECT *obj) { return OPENSSL_strhash(obj->sn); } @@ -509,7 +492,7 @@ static int obj_add_object(ASN1_OBJECT *obj) { global_added_by_nid = lh_ASN1_OBJECT_new(hash_nid, cmp_nid); } if (global_added_by_data == NULL) { - global_added_by_data = lh_ASN1_OBJECT_new(hash_data, cmp_data); + global_added_by_data = lh_ASN1_OBJECT_new(hash_data, OBJ_cmp); } if (global_added_by_short_name == NULL) { global_added_by_short_name = diff --git a/src/crypto/perlasm/x86_64-xlate.pl b/src/crypto/perlasm/x86_64-xlate.pl index e9fc322b..9fb1de19 100755 --- a/src/crypto/perlasm/x86_64-xlate.pl +++ b/src/crypto/perlasm/x86_64-xlate.pl 
@@ -47,7 +47,6 @@ # (sorry about latter). # 6. Don't use [or hand-code with .byte] "rep ret." "ret" mnemonic is # required to identify the spots, where to inject Win64 epilogue! -# But on the pros, it's then prefixed with rep automatically:-) # 7. Stick to explicit ip-relative addressing. If you have to use # GOTPCREL addressing, stick to mov symbol@GOTPCREL(%rip),%r??. # Both are recognized and translated to proper Win64 addressing @@ -157,7 +156,7 @@ my %globals; $epilogue = "movq 8(%rsp),%rdi\n\t" . "movq 16(%rsp),%rsi\n\t"; } - $epilogue . ".byte 0xf3,0xc3"; + $epilogue . "ret"; } elsif ($self->{op} eq "call" && !$elf && $current_segment eq ".init") { ".p2align\t3\n\t.quad"; } else { @@ -171,7 +170,7 @@ my %globals; $self->{op} = "mov rdi,QWORD$PTR\[8+rsp\]\t;WIN64 epilogue\n\t". "mov rsi,QWORD$PTR\[16+rsp\]\n\t"; } - $self->{op} .= "DB\t0F3h,0C3h\t\t;repret"; + $self->{op} .= "ret"; } elsif ($self->{op} =~ /^(pop|push)f/) { $self->{op} .= $self->{sz}; } elsif ($self->{op} eq "call" && $current_segment eq ".CRT\$XCU") { diff --git a/src/crypto/pkcs8/pkcs8.c b/src/crypto/pkcs8/pkcs8.c index 4bc337bf..07d5de8b 100644 --- a/src/crypto/pkcs8/pkcs8.c +++ b/src/crypto/pkcs8/pkcs8.c @@ -85,15 +85,15 @@ static int pkcs12_encode_password(const char *in, size_t in_len, uint8_t **out, CBS_init(&cbs, (const uint8_t *)in, in_len); while (CBS_len(&cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&cbs, &c) || - !cbb_add_ucs2_be(&cbb, c)) { + if (!CBS_get_utf8(&cbs, &c) || + !CBB_add_ucs2_be(&cbb, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); goto err; } } // Terminate the result with a UCS-2 NUL. - if (!cbb_add_ucs2_be(&cbb, 0) || + if (!CBB_add_ucs2_be(&cbb, 0) || !CBB_finish(&cbb, out, out_len)) { goto err; } diff --git a/src/crypto/pkcs8/pkcs8_x509.c b/src/crypto/pkcs8/pkcs8_x509.c index 87c09619..92bdb9d1 100644 --- a/src/crypto/pkcs8/pkcs8_x509.c +++ b/src/crypto/pkcs8/pkcs8_x509.c 
@@ -339,8 +339,8 @@ static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name, } while (CBS_len(&value) != 0) { uint32_t c; - if (!cbs_get_ucs2_be(&value, &c) || - !cbb_add_utf8(&cbb, c)) { + if (!CBS_get_ucs2_be(&value, &c) || + !CBB_add_utf8(&cbb, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); CBB_cleanup(&cbb); goto err; @@ -972,8 +972,8 @@ static int add_bag_attributes(CBB *bag, const char *name, size_t name_len, CBS_init(&name_cbs, (const uint8_t *)name, name_len); while (CBS_len(&name_cbs) != 0) { uint32_t c; - if (!cbs_get_utf8(&name_cbs, &c) || - !cbb_add_ucs2_be(&value, c)) { + if (!CBS_get_utf8(&name_cbs, &c) || + !CBB_add_ucs2_be(&value, c)) { OPENSSL_PUT_ERROR(PKCS8, PKCS8_R_INVALID_CHARACTERS); return 0; } diff --git a/src/crypto/rand_extra/getentropy_test.cc b/src/crypto/rand_extra/getentropy_test.cc new file mode 100644 index 00000000..7f0c43ac --- /dev/null +++ b/src/crypto/rand_extra/getentropy_test.cc 
@@ -0,0 +1,65 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#if !defined(_DEFAULT_SOURCE) +#define _DEFAULT_SOURCE // Needed for getentropy on musl and glibc +#endif + +#include <openssl/rand.h> + +#include "../fipsmodule/rand/internal.h" + +#if defined(OPENSSL_RAND_GETENTROPY) + +#include <unistd.h> + +#include <errno.h> + +#if defined(OPENSSL_MACOS) || defined(OPENSSL_FUCHSIA) +#include <sys/random.h> +#endif + +#include <gtest/gtest.h> + +#include <openssl/span.h> + +#include "../test/test_util.h" + +// This test is, strictly speaking, flaky, but we use large enough buffers +// that the probability of failing when we should pass is negligible. + +TEST(GetEntropyTest, NotObviouslyBroken) { + static const uint8_t kZeros[256] = {0}; + + uint8_t buf1[256], buf2[256]; + + EXPECT_EQ(getentropy(buf1, sizeof(buf1)), 0); + EXPECT_EQ(getentropy(buf2, sizeof(buf2)), 0); + EXPECT_NE(Bytes(buf1), Bytes(buf2)); + EXPECT_NE(Bytes(buf1), Bytes(kZeros)); + EXPECT_NE(Bytes(buf2), Bytes(kZeros)); + uint8_t buf3[256]; + // Ensure that the implementation is not simply returning the memory unchanged. 
+ memcpy(buf3, buf1, sizeof(buf3)); + EXPECT_EQ(getentropy(buf1, sizeof(buf1)), 0); + EXPECT_NE(Bytes(buf1), Bytes(buf3)); + errno = 0; + uint8_t toobig[257]; + // getentropy should fail returning -1 and setting errno to EIO if you request + // more than 256 bytes of entropy. macOS's man page says EIO but it actually + // returns EINVAL, so we accept either. + EXPECT_EQ(getentropy(toobig, 257), -1); + EXPECT_TRUE(errno == EIO || errno == EINVAL); +} +#endif diff --git a/src/crypto/test/abi_test.cc b/src/crypto/test/abi_test.cc index 3e5043de..7c84d884 100644 --- a/src/crypto/test/abi_test.cc +++ b/src/crypto/test/abi_test.cc 
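Review bot: The new test calls `memcpy` but none of the headers it includes directly is `<string.h>`; it compiles only if gtest or one of the OpenSSL headers happens to pull it in. Add `#include <string.h>` next to `#include <errno.h>`. Separately, the comment line beginning "Ensure that the implementation is not simply returning" is longer than the 80 columns the rest of the file keeps to and should be wrapped.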
@@ -87,43 +87,6 @@ static void ForEachMismatch(const CallerState &a, const CallerState &b, LOOP_CALLER_STATE_REGISTERS() #undef CALLER_STATE_REGISTER } - -// ReadUnwindResult adds the results of the most recent unwind test to |out|. -static void ReadUnwindResult(Result *out); - -crypto_word_t RunTrampoline(Result *out, crypto_word_t func, - const crypto_word_t *argv, size_t argc, - bool unwind) { - CallerState state; - RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state)); - - unwind &= g_unwind_tests_enabled; - CallerState state2 = state; - crypto_word_t ret = abi_test_trampoline(func, &state2, argv, argc, unwind); -#if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) - // Query and clear the direction flag early, so negative tests do not - // interfere with |malloc|. - bool direction_flag = abi_test_get_and_clear_direction_flag(); -#endif // OPENSSL_X86_64 || OPENSSL_X86 - - *out = Result(); - ForEachMismatch(state, state2, [&](const char *reg) { - out->errors.push_back(std::string(reg) + " was not restored after return"); - }); -#if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) - // Linux and Windows ABIs for x86 require the direction flag be cleared on - // return. (Some OpenSSL assembly preserves it, which is stronger, but we only - // require what is specified by the ABI so |CHECK_ABI| works with C compiler - // output.) - if (direction_flag) { - out->errors.emplace_back("Direction flag set after return"); - } -#endif // OPENSSL_X86_64 || OPENSSL_X86 - if (unwind) { - ReadUnwindResult(out); - } - return ret; -} #endif // SUPPORTS_ABI_TEST #if defined(SUPPORTS_UNWIND_TEST) @@ -208,7 +171,10 @@ template <typename... Args> WriteFile(stderr_handle, buf, strlen(buf), &unused, nullptr); } #else - write(STDERR_FILENO, buf, strlen(buf)); + ssize_t ret = write(STDERR_FILENO, buf, strlen(buf)); + // We'll abort soon anyway, so if we fail to write the message, there's + // nothing to do. + (void)ret; #endif abort(); } 
@@ -336,7 +302,7 @@ class UnwindCursor { class UnwindCursor { public: explicit UnwindCursor(unw_context_t *ctx) : ctx_(ctx) { - int ret = InitAtSignalFrame(&cursor_); + int ret = unw_init_local2(&cursor_, ctx_, UNW_INIT_SIGNAL_FRAME); if (ret < 0) { FatalError("Error getting unwind context: ", unw_strerror(ret)); } @@ -401,7 +367,7 @@ class UnwindCursor { // constructor. unw_cursor_t cursor; unw_word_t off; - if (InitAtSignalFrame(&cursor) != 0 || + if (unw_init_local2(&cursor, ctx_, UNW_INIT_SIGNAL_FRAME) != 0 || unw_get_proc_name(&cursor, starting_ip_buf_, sizeof(starting_ip_buf_), &off) != 0) { StrCatSignalSafe(starting_ip_buf_, "0x", WordToHex(starting_ip_).data()); @@ -423,30 +389,6 @@ class UnwindCursor { return UnwindStatus(msg == nullptr ? "unknown error" : msg); } - int InitAtSignalFrame(unw_cursor_t *cursor) { - // Work around a bug in libunwind which breaks rax and rdx recovery. This - // breaks functions which temporarily use rax as the CFA register. See - // https://git.savannah.gnu.org/gitweb/?p=libunwind.git;a=commit;h=819bf51bbd2da462c2ec3401e8ac9153b6e725e3 - OPENSSL_memset(cursor, 0, sizeof(*cursor)); - int ret = unw_init_local(cursor, ctx_); - if (ret < 0) { - return ret; - } - for (;;) { - ret = unw_is_signal_frame(cursor); - if (ret < 0) { - return ret; - } - if (ret != 0) { - return 0; // Found the signal frame. - } - ret = unw_step(cursor); - if (ret < 0) { - return ret; - } - } - } - int GetReg(crypto_word_t *out, unw_regnum_t reg) { unw_word_t val; int ret = unw_get_reg(&cursor_, reg, &val); 
@@ -471,8 +413,8 @@ static bool g_in_trampoline = false; // g_unwind_function_done, if |g_in_trampoline| is true, is whether the function // under test has returned. It is undefined otherwise. static bool g_unwind_function_done; -// g_trampoline_state, if |g_in_trampoline| is true, is the state the function -// under test must preserve. It is undefined otherwise. +// g_trampoline_state, during an unwind-enabled ABI test, is the state the +// function under test must preserve. It is undefined otherwise. static CallerState g_trampoline_state; // g_trampoline_sp, if |g_in_trampoline| is true, is the stack pointer of the // trampoline frame. It is undefined otherwise. @@ -533,8 +475,6 @@ static void CheckUnwind(UnwindCursor *cursor) { g_in_trampoline = true; g_unwind_function_done = false; g_trampoline_sp = sp; - g_trampoline_state = cursor->GetCallerState().ValueOrDie( - "Error getting initial caller state"); } else { if (sp == g_trampoline_sp || g_unwind_function_done) { // |g_unwind_function_done| should imply |sp| is |g_trampoline_sp|, but @@ -605,6 +545,7 @@ static void CheckUnwind(UnwindCursor *cursor) { } } +// ReadUnwindResult adds the results of the most recent unwind test to |out|. static void ReadUnwindResult(Result *out) { for (size_t i = 0; i < g_num_unwind_errors; i++) { #if defined(OPENSSL_WINDOWS) @@ -729,10 +670,11 @@ static bool IsBeingDebugged() { static pthread_t g_main_thread; -static void TrapHandler(int sig) { +static void TrapHandler(int sig, siginfo_t *info, void *ucontext_v) { // Note this is a signal handler, so only async-signal-safe functions may be // used here. See signal-safety(7). libunwind promises local unwind is // async-signal-safe. + ucontext_t *ucontext = static_cast<ucontext_t*>(ucontext_v); // |pthread_equal| is not listed as async-signal-safe, but this is clearly an // oversight. 
@@ -740,13 +682,7 @@ static void TrapHandler(int sig) { FatalError("SIGTRAP on background thread"); } - unw_context_t ctx; - int ret = unw_getcontext(&ctx); - if (ret < 0) { - FatalError("Error getting unwind context: ", unw_strerror(ret)); - } - - UnwindCursor cursor(&ctx); + UnwindCursor cursor(ucontext); CheckUnwind(&cursor); } @@ -762,7 +698,8 @@ static void EnableUnwindTestsImpl() { struct sigaction trap_action; OPENSSL_memset(&trap_action, 0, sizeof(trap_action)); sigemptyset(&trap_action.sa_mask); - trap_action.sa_handler = TrapHandler; + trap_action.sa_flags = SA_SIGINFO; + trap_action.sa_sigaction = TrapHandler; if (sigaction(SIGTRAP, &trap_action, NULL) != 0) { perror("sigaction"); abort(); 
@@ -781,6 +718,48 @@ static void EnableUnwindTestsImpl() {} #endif // SUPPORTS_UNWIND_TEST +#if defined(SUPPORTS_ABI_TEST) +crypto_word_t RunTrampoline(Result *out, crypto_word_t func, + const crypto_word_t *argv, size_t argc, + bool unwind) { + CallerState state; + RAND_bytes(reinterpret_cast<uint8_t *>(&state), sizeof(state)); + + unwind &= g_unwind_tests_enabled; +#if defined(SUPPORTS_UNWIND_TEST) + if (unwind) { + // Save the caller state for the unwind tester to check for. + g_trampoline_state = state; + } +#endif + CallerState state2 = state; + crypto_word_t ret = abi_test_trampoline(func, &state2, argv, argc, unwind); +#if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) + // Query and clear the direction flag early, so negative tests do not + // interfere with |malloc|. + bool direction_flag = abi_test_get_and_clear_direction_flag(); +#endif // OPENSSL_X86_64 || OPENSSL_X86 + + *out = Result(); + ForEachMismatch(state, state2, [&](const char *reg) { + out->errors.push_back(std::string(reg) + " was not restored after return"); + }); +#if defined(OPENSSL_X86_64) || defined(OPENSSL_X86) + // Linux and Windows ABIs for x86 require the direction flag be cleared on + // return. (Some OpenSSL assembly preserves it, which is stronger, but we only + // require what is specified by the ABI so |CHECK_ABI| works with C compiler + // output.) + if (direction_flag) { + out->errors.emplace_back("Direction flag set after return"); + } +#endif // OPENSSL_X86_64 || OPENSSL_X86 + if (unwind) { + ReadUnwindResult(out); + } + return ret; +} +#endif // SUPPORTS_ABI_TEST + } // namespace internal void EnableUnwindTests() { internal::EnableUnwindTestsImpl(); } diff --git a/src/crypto/test/gtest_main.cc b/src/crypto/test/gtest_main.cc index 591cef70..26ed321c 100644 --- a/src/crypto/test/gtest_main.cc +++ b/src/crypto/test/gtest_main.cc @@ -15,6 +15,7 @@ #include <stdio.h> #include <string.h> +#include <gmock/gmock.h> #include <gtest/gtest.h> #include <openssl/rand.h> 
@@ -31,7 +32,7 @@ int main(int argc, char **argv) { - testing::InitGoogleTest(&argc, argv); + testing::InitGoogleMock(&argc, argv); bssl::SetupGoogleTest(); bool unwind_tests = true; diff --git a/src/include/openssl/base.h b/src/include/openssl/base.h index 97a17bb3..a53f96a4 100644 --- a/src/include/openssl/base.h +++ b/src/include/openssl/base.h @@ -58,6 +58,7 @@ #include <stddef.h> #include <stdint.h> +#include <stdlib.h> #include <sys/types.h> #if defined(__MINGW32__) @@ -108,7 +109,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 26 +#define BORINGSSL_API_VERSION 27 #if defined(BORINGSSL_SHARED_LIBRARY) @@ -383,6 +384,13 @@ typedef struct x509_trust_st X509_TRUST; typedef void *OPENSSL_BLOCK; +// BSSL_CHECK aborts if |condition| is not true. +#define BSSL_CHECK(condition) \ + do { \ + if (!(condition)) { \ + abort(); \ + } \ + } while (0); #if defined(__cplusplus) } // extern C diff --git a/src/include/openssl/bn.h b/src/include/openssl/bn.h index 0361645a..92ff7a14 100644 --- a/src/include/openssl/bn.h +++ b/src/include/openssl/bn.h 
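Review bot: The `BSSL_CHECK` macro added to base.h ends in `} while (0);`, and that trailing semicolon defeats the do/while(0) idiom. A use such as `if (x) BSSL_CHECK(y); else ...` expands to two statements and no longer compiles, and every ordinary use leaves an empty statement behind. The last line of the macro should be `} while (0)` so that the caller supplies the semicolon. Because this is a public header, the macro's shape matters to every consumer that includes it.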
@@ -254,11 +254,11 @@ OPENSSL_EXPORT BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret); // |in| is secret, use |BN_bn2bin_padded| instead. OPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out); -// BN_le2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as +// BN_lebin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as // a little-endian number, and returns |ret|. If |ret| is NULL then a fresh // |BIGNUM| is allocated and returned. It returns NULL on allocation // failure. -OPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret); +OPENSSL_EXPORT BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret); // BN_bn2le_padded serialises the absolute value of |in| to |out| as a // little-endian integer, which must have |len| of space available, padding @@ -972,6 +972,12 @@ OPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, // Use |BN_bn2bin_padded| instead. It is |size_t|-clean. OPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len); +// BN_bn2lebinpad behaves like |BN_bn2le_padded|, but it returns |len| on +// success and -1 on error. +// +// Use |BN_bn2le_padded| instead. It is |size_t|-clean. +OPENSSL_EXPORT int BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len); + // BN_prime_checks is a deprecated alias for |BN_prime_checks_for_validation|. // Use |BN_prime_checks_for_generation| or |BN_prime_checks_for_validation| // instead. (This defaults to the |_for_validation| value in order to be @@ -981,6 +987,9 @@ OPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len); // BN_secure_new calls |BN_new|. OPENSSL_EXPORT BIGNUM *BN_secure_new(void); +// BN_le2bn calls |BN_lebin2bn|. +OPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret); + // Private functions diff --git a/src/include/openssl/bytestring.h b/src/include/openssl/bytestring.h index 33e13ef8..7dce9c45 100644 --- a/src/include/openssl/bytestring.h 
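Review bot: The comment on the new `BN_bn2lebinpad` does not say how a negative `|len|` is handled, even though the parameter is a plain `int` and the function forwards to a `size_t`-based routine. If the implementation rejects negative lengths, say so, for example `// It returns -1 if |len| is negative.`; if it does not, that check is missing. The implementation is not part of this hunk, so this could not be confirmed from the header alone.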
+++ b/src/include/openssl/bytestring.h @@ -635,6 +635,28 @@ OPENSSL_EXPORT int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, OPENSSL_EXPORT int CBB_flush_asn1_set_of(CBB *cbb); +// Unicode utilities. + +// The following functions read one Unicode code point from |cbs| with the +// corresponding encoding and store it in |*out|. They return one on success and +// zero on error. +OPENSSL_EXPORT int CBS_get_utf8(CBS *cbs, uint32_t *out); +OPENSSL_EXPORT int CBS_get_latin1(CBS *cbs, uint32_t *out); +OPENSSL_EXPORT int CBS_get_ucs2_be(CBS *cbs, uint32_t *out); +OPENSSL_EXPORT int CBS_get_utf32_be(CBS *cbs, uint32_t *out); + +// CBB_get_utf8_len returns the number of bytes needed to represent |u| in +// UTF-8. +OPENSSL_EXPORT size_t CBB_get_utf8_len(uint32_t u); + +// The following functions encode |u| to |cbb| with the corresponding +// encoding. They return one on success and zero on error. +OPENSSL_EXPORT int CBB_add_utf8(CBB *cbb, uint32_t u); +OPENSSL_EXPORT int CBB_add_latin1(CBB *cbb, uint32_t u); +OPENSSL_EXPORT int CBB_add_ucs2_be(CBB *cbb, uint32_t u); +OPENSSL_EXPORT int CBB_add_utf32_be(CBB *cbb, uint32_t u); + + #if defined(__cplusplus) } // extern C diff --git a/src/include/openssl/cipher.h b/src/include/openssl/cipher.h index 310d7c23..18c1e708 100644 --- a/src/include/openssl/cipher.h +++ b/src/include/openssl/cipher.h @@ -542,6 +542,7 @@ OPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, #define EVP_CTRL_AEAD_SET_MAC_KEY 0x17 // EVP_CTRL_GCM_SET_IV_INV sets the GCM invocation field, decrypt only #define EVP_CTRL_GCM_SET_IV_INV 0x18 +#define EVP_CTRL_GET_IVLEN 0x19 // The following constants are unused. #define EVP_GCM_TLS_FIXED_IV_LEN 4 diff --git a/src/include/openssl/dh.h b/src/include/openssl/dh.h index 660627db..a3094d8f 100644 --- a/src/include/openssl/dh.h +++ b/src/include/openssl/dh.h 
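Review bot: The comments on the newly exported Unicode helpers do not say which inputs count as an error. Now that `CBS_get_utf8` and the other functions are public API, callers need to know whether surrogates, values above U+10FFFF and overlong UTF-8 encodings are rejected, and what `CBB_get_utf8_len` returns for a value that cannot be encoded. Extend the two group comments with a sentence along the lines of `// Invalid code points and non-minimal encodings are treated as errors.`, adjusted to what the implementation actually does, which is not visible in this hunk. In the following cipher.h hunk, `EVP_CTRL_GET_IVLEN` is added with no comment, directly under the one describing `EVP_CTRL_GCM_SET_IV_INV`; it needs its own one-line description.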
@@ -193,7 +193,9 @@ OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits, // Diffie-Hellman operations. // DH_generate_key generates a new, random, private key and stores it in -// |dh|. It returns one on success and zero on error. +// |dh|, if |dh| does not already have a private key. Otherwise, it updates +// |dh|'s public key to match the private key. It returns one on success and +// zero on error. OPENSSL_EXPORT int DH_generate_key(DH *dh); // DH_compute_key_padded calculates the shared key between |dh| and |peers_key| @@ -351,5 +353,6 @@ BSSL_NAMESPACE_END #define DH_R_NO_PRIVATE_VALUE 103 #define DH_R_DECODE_ERROR 104 #define DH_R_ENCODE_ERROR 105 +#define DH_R_INVALID_PARAMETERS 106 #endif // OPENSSL_HEADER_DH_H diff --git a/src/include/openssl/ec.h b/src/include/openssl/ec.h index f1a77b22..2d005af6 100644 --- a/src/include/openssl/ec.h +++ b/src/include/openssl/ec.h 
@@ -340,24 +340,22 @@ OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, // Hash-to-curve. // -// The following functions implement primitives from -// draft-irtf-cfrg-hash-to-curve-16. The |dst| parameter in each function is the -// domain separation tag and must be unique for each protocol and between the -// |hash_to_curve| and |hash_to_scalar| variants. See section 3.1 of the spec -// for additional guidance on this parameter. +// The following functions implement primitives from RFC 9380. The |dst| +// parameter in each function is the domain separation tag and must be unique +// for each protocol and between the |hash_to_curve| and |hash_to_scalar| +// variants. See section 3.1 of the spec for additional guidance on this +// parameter. // EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); // EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and // writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite -// from draft-irtf-cfrg-hash-to-curve-16. It returns one on success and zero on -// error. +// from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); diff --git a/src/include/openssl/hpke.h b/src/include/openssl/hpke.h index eaf5947f..892ab887 100644 --- a/src/include/openssl/hpke.h +++ b/src/include/openssl/hpke.h 
@@ -140,6 +140,10 @@ OPENSSL_EXPORT void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key); OPENSSL_EXPORT int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src); +// EVP_HPKE_KEY_move sets |out|, which must be initialized or in the zero state, +// to the key in |in|. |in| is mutated and left in the zero state. +OPENSSL_EXPORT void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in); + // EVP_HPKE_KEY_init decodes |priv_key| as a private key for |kem| and // initializes |key| with the result. It returns one on success and zero if // |priv_key| was invalid. On success, the caller must call @@ -389,8 +393,8 @@ using ScopedEVP_HPKE_CTX = internal::StackAllocated<EVP_HPKE_CTX, void, EVP_HPKE_CTX_zero, EVP_HPKE_CTX_cleanup>; using ScopedEVP_HPKE_KEY = - internal::StackAllocated<EVP_HPKE_KEY, void, EVP_HPKE_KEY_zero, - EVP_HPKE_KEY_cleanup>; + internal::StackAllocatedMovable<EVP_HPKE_KEY, void, EVP_HPKE_KEY_zero, + EVP_HPKE_KEY_cleanup, EVP_HPKE_KEY_move>; BORINGSSL_MAKE_DELETER(EVP_HPKE_CTX, EVP_HPKE_CTX_free) BORINGSSL_MAKE_DELETER(EVP_HPKE_KEY, EVP_HPKE_KEY_free) diff --git a/src/include/openssl/ssl.h b/src/include/openssl/ssl.h index 995d05e8..e500dd76 100644 --- a/src/include/openssl/ssl.h +++ b/src/include/openssl/ssl.h @@ -3036,6 +3036,10 @@ OPENSSL_EXPORT void SSL_get0_peer_application_settings(const SSL *ssl, // connection and zero otherwise. OPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl); +// SSL_set_alps_use_new_codepoint configures whether to use the new ALPS +// codepoint. By default, the old codepoint is used. +OPENSSL_EXPORT void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new); + // Certificate compression. // 
@@ -4056,12 +4060,15 @@ OPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, // Handshake hints. // -// *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING *** +// WARNING: Contact the BoringSSL team before using this API. While this +// mechanism was designed to gracefully recover from version skew and +// configuration mismatch, splitting a single TLS server into multiple services +// is complex. // // Some server deployments make asynchronous RPC calls in both ClientHello // dispatch and private key operations. In TLS handshakes where the private key // operation occurs in the first round-trip, this results in two consecutive RPC -// round-trips. Handshake hints allow the RPC service to predicte a signature. +// round-trips. Handshake hints allow the RPC service to predict a signature. // If correctly predicted, this can skip the second RPC call. // // First, the server installs a certificate selection callback (see @@ -4087,10 +4094,6 @@ OPENSSL_EXPORT int SSL_CTX_set_record_protocol_version(SSL_CTX *ctx, // the private key in later round-trips, such as TLS 1.3 HelloRetryRequest. In // those cases, BoringSSL will not predict a signature as there is no benefit. // Callers must allow for handshakes to complete without a predicted signature. -// -// Handshake hints are supported for TLS 1.3 and partially supported for -// TLS 1.2. TLS 1.2 resumption handshakes are not yet fully hinted. They will -// still work, but may not be as efficient. // SSL_serialize_capabilities writes an opaque byte string to |out| describing // some of |ssl|'s capabilities. It returns one on success and zero on error. 
@@ -5532,10 +5535,18 @@ BORINGSSL_MAKE_DELETER(SSL_SESSION, SSL_SESSION_free) BORINGSSL_MAKE_UP_REF(SSL_SESSION, SSL_SESSION_up_ref) -// *** EXPERIMENTAL — DO NOT USE WITHOUT CHECKING *** +// *** DEPRECATED EXPERIMENT — DO NOT USE *** // // Split handshakes. // +// WARNING: This mechanism is deprecated and should not be used. It is very +// fragile and difficult to use correctly. The relationship between +// configuration options across the two halves is ill-defined and not +// self-consistent. Additionally, version skew across the two halves risks +// unusual behavior and connection failure. New development should use the +// handshake hints API. Existing deployments should migrate to handshake hints +// to reduce the risk of service outages. +// // Split handshakes allows the handshake part of a TLS connection to be // performed in a different process (or on a different machine) than the data // exchange. This only applies to servers. diff --git a/src/include/openssl/target.h b/src/include/openssl/target.h index f830c14c..12736416 100644 --- a/src/include/openssl/target.h +++ b/src/include/openssl/target.h 
@@ -70,13 +70,18 @@ #define OPENSSL_WINDOWS #endif -// Trusty and Android baremetal aren't't Linux but currently define __linux__. -// As a workaround, we exclude them here. +// Trusty and Android baremetal aren't Linux but currently define __linux__. +// As a workaround, we exclude them here. We also exclude nanolibc. nanolibc +// sometimes build for a non-Linux target (which should not define __linux__), +// but also sometimes build for Linux. Although technically running in Linux +// userspace, this lacks all the libc APIs we'd normally expect on Linux, so we +// treat it as a non-Linux target. // // TODO(b/169780122): Remove this workaround once Trusty no longer defines it. // TODO(b/291101350): Remove this workaround once Android baremetal no longer // defines it. -#if defined(__linux__) && !defined(__TRUSTY__) && !defined(ANDROID_BAREMETAL) +#if defined(__linux__) && !defined(__TRUSTY__) && \ + !defined(ANDROID_BAREMETAL) && !defined(OPENSSL_NANOLIBC) #define OPENSSL_LINUX #endif 
@@ -117,6 +122,30 @@ #define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED #endif +// CROS_EC is an embedded target for ChromeOS Embedded Controller. Defining +// this on any other platform is not supported. Other embedded platforms must +// introduce their own defines. +// +// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/README.md +#if defined(CROS_EC) +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + +// CROS_ZEPHYR is an embedded target for ChromeOS Zephyr Embedded Controller. +// Defining this on any other platform is not supported. Other embedded +// platforms must introduce their own defines. +// +// https://chromium.googlesource.com/chromiumos/platform/ec/+/HEAD/docs/zephyr/README.md +#if defined(CROS_ZEPHYR) +#define OPENSSL_NO_FILESYSTEM +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#define OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED +#endif + #if defined(__ANDROID_API__) #define OPENSSL_ANDROID #endif diff --git a/src/include/openssl/tls1.h b/src/include/openssl/tls1.h index 772fb87a..c1207a3b 100644 --- a/src/include/openssl/tls1.h +++ b/src/include/openssl/tls1.h @@ -244,7 +244,8 @@ extern "C" { // ExtensionType value from draft-vvv-tls-alps. This is not an IANA defined // extension number. -#define TLSEXT_TYPE_application_settings 17513 +#define TLSEXT_TYPE_application_settings_old 17513 +#define TLSEXT_TYPE_application_settings 17613 // ExtensionType values from draft-ietf-tls-esni-13. This is not an IANA defined // extension number. diff --git a/src/rust/bssl-crypto/Cargo.toml b/src/rust/bssl-crypto/Cargo.toml index c60e9ca2..315c35b8 100644 --- a/src/rust/bssl-crypto/Cargo.toml +++ b/src/rust/bssl-crypto/Cargo.toml @@ -7,3 +7,7 @@ license = "MIT" [dependencies] bssl-sys = {path = "../bssl-sys"} + +[features] +default = [] +std = [] 
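Review bot: Both new blocks in target.h define `OPENSSL_NO_THREADS_CORRUPT_MEMORY_AND_LEAK_SECRETS_IF_THREADED`, but neither comment tells the integrator that every call into the library must then come from a single thread. That matters most for `CROS_ZEPHYR`, where the firmware presumably runs several threads, since Zephyr schedules threads. I would add a line such as `// Built without thread support: all BoringSSL calls must be made from one thread.` to each comment. The two blocks are otherwise identical and could share one `#if defined(CROS_EC) || defined(CROS_ZEPHYR)` guard with a combined comment.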
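Review bot: In tls1.h the unsuffixed name `TLSEXT_TYPE_application_settings` changes value from 17513 to 17613, while the ssl.h hunk in this commit documents that the old codepoint is still the one used by default. Code outside the library that matches on the unsuffixed macro (extension parsers, test fixtures, traffic classifiers) would silently stop recognising what a default-configured peer sends. The comment above the defines should say which value is which, e.g. `// 17513 is the original draft codepoint and remains the default; 17613 is used when SSL_set_alps_use_new_codepoint enables it.` Naming the new value with a `_new` suffix instead would keep the existing name from changing meaning.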
diff --git a/src/rust/bssl-crypto/README.md b/src/rust/bssl-crypto/README.md index bc7371a2..95188626 100644 --- a/src/rust/bssl-crypto/README.md +++ b/src/rust/bssl-crypto/README.md @@ -9,3 +9,6 @@ cd rust/bssl-crypto && cargo clippy && cargo deny check && cargo test ``` Unlike BoringSSL itself, this crate does not attempt to handle allocation failures. If an allocation fails, functions in this crate will panic. + +WARNING - This crate is experimental and does *NOT* have a stable API. We expect to iterate on the API as it develops. If you use this crate you must be prepared to adapt your code to future changes as they occur. + diff --git a/src/rust/bssl-crypto/src/aead.rs b/src/rust/bssl-crypto/src/aead.rs new file mode 100644 index 00000000..a387e308 --- /dev/null +++ b/src/rust/bssl-crypto/src/aead.rs 
@@ -0,0 +1,423 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +use crate::{CSlice, CSliceMut}; +use alloc::vec::Vec; +use bssl_sys::{EVP_AEAD, EVP_AEAD_CTX}; + +/// Error returned in the event of an unsuccessful AEAD operation. +#[derive(Debug)] +pub struct AeadError; + +/// Authenticated Encryption with Associated Data (AEAD) algorithm trait. +pub trait Aead { + /// The size of the auth tag for the given AEAD implementation. This is the amount of bytes + /// appended to the data when it is encrypted. + const TAG_SIZE: usize; + + /// The byte array nonce type which specifies the size of the nonce used in the aes operations. + type Nonce: AsRef<[u8]>; + + /// Encrypt the given buffer containing a plaintext message. On success returns the encrypted + /// `msg` and appended auth tag, which will result in a Vec which is `Self::TAG_SIZE` bytes + /// greater than the initial message. + fn encrypt(&self, msg: &[u8], aad: &[u8], nonce: &Self::Nonce) -> Result<Vec<u8>, AeadError>; + + /// Decrypt the message, returning the decrypted plaintext or an error in the event the + /// provided authentication tag does not match the given ciphertext. 
On success the returned + /// Vec will only contain the plaintext and so will be `Self::TAG_SIZE` bytes less than the + /// initial message. + fn decrypt(&self, msg: &[u8], aad: &[u8], nonce: &Self::Nonce) -> Result<Vec<u8>, AeadError>; +} + +/// AES-GCM-SIV implementation. +pub struct AesGcmSiv(AeadImpl<12, 16>); + +/// Instantiates a new AES-128-GCM-SIV instance from key material. +pub fn new_aes_128_gcm_siv(key: &[u8; 16]) -> AesGcmSiv { + AesGcmSiv(AeadImpl::new::<EvpAes128GcmSiv>(key)) +} + +/// Instantiates a new AES-256-GCM-SIV instance from key material. +pub fn new_aes_256_gcm_siv(key: &[u8; 32]) -> AesGcmSiv { + AesGcmSiv(AeadImpl::new::<EvpAes256GcmSiv>(key)) +} + +impl Aead for AesGcmSiv { + const TAG_SIZE: usize = 16; + type Nonce = [u8; 12]; + + fn encrypt(&self, msg: &[u8], aad: &[u8], nonce: &[u8; 12]) -> Result<Vec<u8>, AeadError> { + self.0.encrypt(msg, aad, nonce) + } + + fn decrypt(&self, msg: &[u8], aad: &[u8], nonce: &[u8; 12]) -> Result<Vec<u8>, AeadError> { + self.0.decrypt(msg, aad, nonce) + } +} + +trait EvpAeadType { + type Key: AsRef<[u8]>; + fn evp_aead() -> *const EVP_AEAD; +} + +struct EvpAes128GcmSiv; +impl EvpAeadType for EvpAes128GcmSiv { + type Key = [u8; 16]; + + fn evp_aead() -> *const EVP_AEAD { + // Safety: + // - this just returns a constant value + unsafe { bssl_sys::EVP_aead_aes_128_gcm_siv() } + } +} + +struct EvpAes256GcmSiv; +impl EvpAeadType for EvpAes256GcmSiv { + type Key = [u8; 32]; + + fn evp_aead() -> *const EVP_AEAD { + // Safety: + // - this just returns a constant value + unsafe { bssl_sys::EVP_aead_aes_256_gcm_siv() } + } +} + +/// AES-GCM implementation. +pub struct AesGcm(AeadImpl<12, 16>); + +/// Instantiates a new AES-128-GCM instance from key material. +pub fn new_aes_128_gcm(key: &[u8; 16]) -> AesGcm { + AesGcm(AeadImpl::new::<EvpAes128Gcm>(key)) +} + +/// Instantiates a new AES-256-GCM instance from key material. 
+pub fn new_aes_256_gcm(key: &[u8; 32]) -> AesGcm { + AesGcm(AeadImpl::new::<EvpAes256Gcm>(key)) +} + +impl Aead for AesGcm { + const TAG_SIZE: usize = 16; + type Nonce = [u8; 12]; + + fn encrypt(&self, msg: &[u8], aad: &[u8], nonce: &[u8; 12]) -> Result<Vec<u8>, AeadError> { + self.0.encrypt(msg, aad, nonce) + } + + fn decrypt(&self, msg: &[u8], aad: &[u8], nonce: &[u8; 12]) -> Result<Vec<u8>, AeadError> { + self.0.decrypt(msg, aad, nonce) + } +} + +struct EvpAes128Gcm; +impl EvpAeadType for EvpAes128Gcm { + type Key = [u8; 16]; + + fn evp_aead() -> *const EVP_AEAD { + // Safety: + // - this just returns a constant value + unsafe { bssl_sys::EVP_aead_aes_128_gcm() } + } +} + +struct EvpAes256Gcm; +impl EvpAeadType for EvpAes256Gcm { + type Key = [u8; 32]; + + fn evp_aead() -> *const EVP_AEAD { + // Safety: + // - this just returns a constant value + unsafe { bssl_sys::EVP_aead_aes_256_gcm() } + } +} + +// Private implementation of an AEAD which is generic over Nonce size and Tag size. This should +// only be exposed publicly by wrapper types which provide the correctly sized const generics for +// the given aead algorithm. +struct AeadImpl<const N: usize, const T: usize>(*mut EVP_AEAD_CTX); + +impl<const N: usize, const T: usize> AeadImpl<N, T> { + // Create a new AeadImpl instance from key material and for a supported AeadType. + fn new<A: EvpAeadType>(key: &A::Key) -> Self { + let key_cslice = CSlice::from(key.as_ref()); + + // Safety: + // - This is always safe as long as the correct key size is set by the wrapper type. + let ctx = unsafe { + bssl_sys::EVP_AEAD_CTX_new( + A::evp_aead(), + key_cslice.as_ptr(), + key_cslice.len(), + bssl_sys::EVP_AEAD_DEFAULT_TAG_LENGTH as usize, + ) + }; + assert!(!ctx.is_null()); + AeadImpl(ctx) + } + + // Encrypts msg in-place, adding enough space to msg for the auth tag. 
+ fn encrypt(&self, msg: &[u8], aad: &[u8], nonce: &[u8; N]) -> Result<Vec<u8>, AeadError> { + let mut out = Vec::new(); + out.resize(msg.len() + T, 0u8); + + let mut out_cslice = CSliceMut::from(out.as_mut_slice()); + let msg_cslice = CSlice::from(msg); + let aad_cslice = CSlice::from(aad); + let nonce_cslice = CSlice::from(nonce.as_slice()); + let mut out_len = 0usize; + + // Safety: + // - The buffers are all valid, with corresponding ptr and length + let result = unsafe { + bssl_sys::EVP_AEAD_CTX_seal( + self.0, + out_cslice.as_mut_ptr(), + &mut out_len, + out_cslice.len(), + nonce_cslice.as_ptr(), + nonce_cslice.len(), + msg_cslice.as_ptr(), + msg_cslice.len(), + aad_cslice.as_ptr(), + aad_cslice.len(), + ) + }; + + if result == 1 { + // Verify the correct number of bytes were written. + assert_eq!(out_len, out.len()); + Ok(out) + } else { + Err(AeadError) + } + } + + // Decrypts msg in-place, on success msg will contain the plain text alone, without the auth + // tag. + fn decrypt(&self, msg: &[u8], aad: &[u8], nonce: &[u8; N]) -> Result<Vec<u8>, AeadError> { + if msg.len() < T { + return Err(AeadError); + } + let mut out = Vec::new(); + out.resize(msg.len() - T, 0u8); + + let mut out_cslice = CSliceMut::from(out.as_mut_slice()); + let aad_cslice = CSlice::from(aad); + let msg_cslice = CSlice::from(msg); + let mut out_len = 0usize; + + // Safety: + // - The buffers are all valid, with corresponding ptr and length + let result = unsafe { + bssl_sys::EVP_AEAD_CTX_open( + self.0, + out_cslice.as_mut_ptr(), + &mut out_len, + out_cslice.len(), + nonce.as_ptr(), + nonce.len(), + msg_cslice.as_ptr(), + msg_cslice.len(), + aad_cslice.as_ptr(), + aad_cslice.len(), + ) + }; + + if result == 1 { + // Verify the correct number of bytes were written. 
+ assert_eq!(out_len, out.len()); + Ok(out) + } else { + Err(AeadError) + } + } +} + +impl<const N: usize, const T: usize> Drop for AeadImpl<N, T> { + fn drop(&mut self) { + // Safety: + // - `self.0` was allocated by `EVP_AEAD_CTX_new` and has not yet been freed. + unsafe { bssl_sys::EVP_AEAD_CTX_free(self.0) } + } +} + +#[cfg(test)] +mod test { + use super::*; + use crate::test_helpers::decode_hex; + + #[test] + fn aes_128_gcm_siv_tests() { + // https://github.com/google/wycheproof/blob/master/testvectors/aes_gcm_siv_test.json + // TC1 - Empty Message + let key = decode_hex("01000000000000000000000000000000"); + let nonce = decode_hex("030000000000000000000000"); + let tag: [u8; 16] = decode_hex("dc20e2d83f25705bb49e439eca56de25"); + let mut buf = Vec::from(&[] as &[u8]); + let aes = new_aes_128_gcm_siv(&key); + let result = aes.encrypt(&mut buf, b"", &nonce); + assert!(result.is_ok()); + assert_eq!(result.unwrap(), &tag); + + // TC2 + let msg: [u8; 8] = decode_hex("0100000000000000"); + let ct: [u8; 8] = decode_hex("b5d839330ac7b786"); + let tag: [u8; 16] = decode_hex("578782fff6013b815b287c22493a364c"); + let result = aes.encrypt(&msg, b"", &nonce); + assert!(result.is_ok()); + let mut result_vec = result.unwrap(); + assert_eq!(&result_vec[..8], &ct); + assert_eq!(&result_vec[8..], &tag); + let result = aes.decrypt(result_vec.as_mut_slice(), b"", &nonce); + assert!(result.is_ok()); + assert_eq!(&result.unwrap(), &msg); + + // TC14 contains associated data + let msg: [u8; 4] = decode_hex("02000000"); + let ct: [u8; 4] = decode_hex("a8fe3e87"); + let aad: [u8; 12] = decode_hex("010000000000000000000000"); + let tag: [u8; 16] = decode_hex("07eb1f84fb28f8cb73de8e99e2f48a14"); + let result = aes.encrypt(&msg, &aad, &nonce); + assert!(result.is_ok()); + let mut result_vec = result.unwrap(); + assert_eq!(&result_vec[..4], &ct); + assert_eq!(&result_vec[4..], &tag); + let result = aes.decrypt(result_vec.as_mut_slice(), &aad, &nonce); + assert!(result.is_ok()); + 
assert_eq!(&result.unwrap(), &msg); + } + + #[test] + fn aes_256_gcm_siv_tests() { + // https://github.com/google/wycheproof/blob/master/testvectors/aes_gcm_siv_test.json + // TC77 + let test_key = + decode_hex("0100000000000000000000000000000000000000000000000000000000000000"); + let nonce = decode_hex("030000000000000000000000"); + let aes = new_aes_256_gcm_siv(&test_key); + let mut msg: [u8; 8] = decode_hex("0100000000000000"); + let ct: [u8; 8] = decode_hex("c2ef328e5c71c83b"); + let tag: [u8; 16] = decode_hex("843122130f7364b761e0b97427e3df28"); + let enc_result = aes.encrypt(&mut msg, b"", &nonce); + assert!(enc_result.is_ok()); + let mut enc_data = enc_result.unwrap(); + assert_eq!(&enc_data[..8], &ct); + assert_eq!(&enc_data[8..], &tag); + let result = aes.decrypt(enc_data.as_mut_slice(), b"", &nonce); + assert!(result.is_ok()); + assert_eq!(&result.unwrap(), &msg); + + // TC78 + let mut msg: [u8; 12] = decode_hex("010000000000000000000000"); + let ct: [u8; 12] = decode_hex("9aab2aeb3faa0a34aea8e2b1"); + let tag: [u8; 16] = decode_hex("8ca50da9ae6559e48fd10f6e5c9ca17e"); + let enc_result = aes.encrypt(&mut msg, b"", &nonce); + assert!(enc_result.is_ok()); + let mut enc_data = enc_result.unwrap(); + assert_eq!(&enc_data[..12], &ct); + assert_eq!(&enc_data[12..], &tag); + let result = aes.decrypt(enc_data.as_mut_slice(), b"", &nonce); + assert!(result.is_ok()); + assert_eq!(&result.unwrap(), &msg); + + // TC89 contains associated data + let mut msg: [u8; 4] = decode_hex("02000000"); + let ct: [u8; 4] = decode_hex("22b3f4cd"); + let tag: [u8; 16] = decode_hex("1835e517741dfddccfa07fa4661b74cf"); + let aad: [u8; 12] = decode_hex("010000000000000000000000"); + let enc_result = aes.encrypt(&mut msg, &aad, &nonce); + assert!(enc_result.is_ok()); + let mut enc_data = enc_result.unwrap(); + assert_eq!(&enc_data[..4], &ct); + assert_eq!(&enc_data[4..], &tag); + let result = aes.decrypt(enc_data.as_mut_slice(), &aad, &nonce); + assert!(result.is_ok()); + 
assert_eq!(&result.unwrap(), &msg); + } + + #[test] + fn aes_128_gcm_tests() { + // TC 1 from crypto/cipher_extra/test/aes_128_gcm_tests.txt + let key = decode_hex("d480429666d48b400633921c5407d1d1"); + let nonce = decode_hex("3388c676dc754acfa66e172a"); + let tag: [u8; 16] = decode_hex("7d7daf44850921a34e636b01adeb104f"); + let mut buf = Vec::from(&[] as &[u8]); + let aes = new_aes_128_gcm(&key); + let result = aes.encrypt(&mut buf, b"", &nonce); + assert!(result.is_ok()); + assert_eq!(result.unwrap(), &tag); + + // TC2 + let key = decode_hex("3881e7be1bb3bbcaff20bdb78e5d1b67"); + let nonce = decode_hex("dcf5b7ae2d7552e2297fcfa9"); + let msg: [u8; 5] = decode_hex("0a2714aa7d"); + let ad: [u8; 5] = decode_hex("c60c64bbf7"); + let ct: [u8; 5] = decode_hex("5626f96ecb"); + let tag: [u8; 16] = decode_hex("ff4c4f1d92b0abb1d0820833d9eb83c7"); + + let mut buf = Vec::from(msg.as_slice()); + let aes = new_aes_128_gcm(&key); + let result = aes.encrypt(&mut buf, &ad, &nonce); + assert!(result.is_ok()); + let mut data = result.unwrap(); + assert_eq!(&data[..5], &ct); + assert_eq!(&data[5..], &tag); + let result = aes.decrypt(data.as_mut_slice(), &ad, &nonce); + assert!(result.is_ok()); + assert_eq!(result.unwrap(), &msg); + } + + #[test] + fn aes_256_gcm_tests() { + // TC 1 from crypto/cipher_extra/test/aes_256_gcm_tests.txt + let key = decode_hex("e5ac4a32c67e425ac4b143c83c6f161312a97d88d634afdf9f4da5bd35223f01"); + let nonce = decode_hex("5bf11a0951f0bfc7ea5c9e58"); + let tag: [u8; 16] = decode_hex("d7cba289d6d19a5af45dc13857016bac"); + let mut buf = Vec::from(&[] as &[u8]); + let aes = new_aes_256_gcm(&key); + let result = aes.encrypt(&mut buf, b"", &nonce); + assert!(result.is_ok()); + assert_eq!(result.unwrap(), &tag); + + // TC2 + let key = decode_hex("73ad7bbbbc640c845a150f67d058b279849370cd2c1f3c67c4dd6c869213e13a"); + let nonce = decode_hex("a330a184fc245812f4820caa"); + let msg: [u8; 5] = decode_hex("f0535fe211"); + let ad: [u8; 5] = decode_hex("e91428be04"); + let 
ct: [u8; 5] = decode_hex("e9b8a896da"); + let tag: [u8; 16] = decode_hex("9115ed79f26a030c14947b3e454db9e7"); + + let mut buf = Vec::from(msg.as_slice()); + let aes = new_aes_256_gcm(&key); + let result = aes.encrypt(&mut buf, &ad, &nonce); + assert!(result.is_ok()); + let mut data = result.unwrap(); + assert_eq!(&data[..5], &ct); + assert_eq!(&data[5..], &tag); + let result = aes.decrypt(data.as_mut_slice(), &ad, &nonce); + assert!(result.is_ok()); + assert_eq!(result.unwrap(), &msg); + } + + #[test] + fn test_invalid_data_length_decrypt() { + let key = decode_hex("00000000000000000000000000000000"); + let nonce = decode_hex("000000000000000000000000"); + let buf = Vec::from(&[] as &[u8]); + let aes = new_aes_128_gcm_siv(&key); + let result = aes.decrypt(&buf, b"", &nonce); + assert!(result.is_err()); + } +} diff --git a/src/rust/bssl-crypto/src/bn.rs b/src/rust/bssl-crypto/src/bn.rs new file mode 100644 index 00000000..35a196a7 --- /dev/null +++ b/src/rust/bssl-crypto/src/bn.rs 
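Review bot: The public docs in aead.rs (`Aead::encrypt`, `new_aes_128_gcm`, `new_aes_256_gcm`) never state that a nonce must not repeat under one key, and for AES-GCM a repeated nonce breaks both confidentiality and authentication. Since the API takes a caller-supplied 12-byte nonce, I would add to `Aead::encrypt` something like `/// The nonce must be unique for every message encrypted under the same key; with AES-GCM a repeat is catastrophic, with AES-GCM-SIV it reveals whether two messages were equal.` Separately, the comments on `AeadImpl::encrypt` and `AeadImpl::decrypt` say the message is processed "in-place", but both allocate a fresh `Vec` and leave `msg` untouched, so they should read `// Encrypts msg into a new Vec of msg.len() + T bytes.` and the matching form for decrypt. `AeadImpl::new` also passes `EVP_AEAD_DEFAULT_TAG_LENGTH` while the buffers are sized with `T`; that the two agree is only checked by the `assert_eq!` after a successful seal, which deserves a comment next to the constructor.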
@@ -0,0 +1,61 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+use crate::{CSlice, ForeignType};
+
+pub(crate) struct BigNum {
+ ptr: *mut bssl_sys::BIGNUM,
+}
+
+// Safety: Implementation ensures `from_ptr(x).as_ptr() == x`
+unsafe impl ForeignType for BigNum {
+ type CType = bssl_sys::BIGNUM;
+
+ unsafe fn from_ptr(ptr: *mut Self::CType) -> Self {
+ Self { ptr }
+ }
+
+ fn as_ptr(&self) -> *mut Self::CType {
+ self.ptr
+ }
+}
+
+impl BigNum {
+ pub(crate) fn new() -> Self {
+ // Safety: There are no preconditions for BN_new()
+ unsafe { Self::from_ptr(bssl_sys::BN_new()) }
+ }
+}
+
+impl From<&[u8]> for BigNum {
+ fn from(value: &[u8]) -> Self {
+ let value_ffi = CSlice(value);
+ // Safety:
+ // - `value` is a CSlice from safe Rust.
+ // - The `ret` argument can be null to request allocating a new result.
+ let ptr = unsafe {
+ bssl_sys::BN_bin2bn(value_ffi.as_ptr(), value_ffi.len(), core::ptr::null_mut())
+ };
+ assert!(!ptr.is_null());
+ Self { ptr }
+ }
+}
+
+impl Drop for BigNum {
+ fn drop(&mut self) {
+ // Safety: `self.ptr` is owned by `self`.
+ unsafe { bssl_sys::BN_free(self.ptr) }
+ }
+}
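Review bot: `BigNum::new` wraps the result of `BN_new()` without checking it, whereas `From<&[u8]>` a few lines below asserts that `BN_bin2bn` did not return null. `BN_new` returns null on allocation failure, so a failed allocation would yield a `BigNum` whose `as_ptr()` hands a null pointer to later FFI calls. The crate README in this commit says allocation failures should panic instead. I would write the body as `let ptr = unsafe { bssl_sys::BN_new() };` `assert!(!ptr.is_null());` `Self { ptr }`, keeping the existing Safety comment.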
diff --git a/src/rust/bssl-crypto/src/cipher/aes_ctr.rs b/src/rust/bssl-crypto/src/cipher/aes_ctr.rs
new file mode 100644
index 00000000..1375d3e8
--- /dev/null
+++ b/src/rust/bssl-crypto/src/cipher/aes_ctr.rs
@@ -0,0 +1,208 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +use crate::cipher::{Cipher, CipherError, EvpAes128Ctr, EvpAes256Ctr, StreamCipher}; + +/// AES-CTR-128 Cipher implementation. +pub struct Aes128Ctr(Cipher<EvpAes128Ctr>); + +impl StreamCipher for Aes128Ctr { + type Key = [u8; 16]; + type Nonce = [u8; 16]; + + /// Creates a new AES-128-CTR cipher instance from key material. + fn new(key: &Self::Key, nonce: &Self::Nonce) -> Self { + Self(Cipher::new(key, nonce)) + } + + /// Applies the keystream in-place, advancing the counter state appropriately. + fn apply_keystream(&mut self, buffer: &mut [u8]) -> Result<(), CipherError> { + self.0.apply_keystream_in_place(buffer) + } +} + +/// AES-CTR-256 Cipher implementation. +pub struct Aes256Ctr(Cipher<EvpAes256Ctr>); + +impl StreamCipher for Aes256Ctr { + type Key = [u8; 32]; + type Nonce = [u8; 16]; + + /// Creates a new AES-256-CTR cipher instance from key material. + fn new(key: &Self::Key, nonce: &Self::Nonce) -> Self { + Self(Cipher::new(key, nonce)) + } + + /// Applies the keystream in-place, advancing the counter state appropriately. 
+ fn apply_keystream(&mut self, buffer: &mut [u8]) -> Result<(), CipherError> { + self.0.apply_keystream_in_place(buffer) + } +} + +#[cfg(test)] +mod test { + use super::*; + use crate::test_helpers::decode_hex; + + #[test] + fn aes_128_ctr_test_encrypt() { + // https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf F.5.1 + let iv = decode_hex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); + let key = decode_hex("2b7e151628aed2a6abf7158809cf4f3c"); + + let mut cipher = Aes128Ctr::new(&key, &iv); + let mut block: [u8; 16]; + block = decode_hex("6bc1bee22e409f96e93d7e117393172a"); + + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + + let expected_ciphertext_1 = decode_hex("874d6191b620e3261bef6864990db6ce"); + assert_eq!(expected_ciphertext_1, block); + + block = decode_hex("ae2d8a571e03ac9c9eb76fac45af8e51"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_ciphertext_2 = decode_hex("9806f66b7970fdff8617187bb9fffdff"); + assert_eq!(expected_ciphertext_2, block); + + block = decode_hex("30c81c46a35ce411e5fbc1191a0a52ef"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_ciphertext_3 = decode_hex("5ae4df3edbd5d35e5b4f09020db03eab"); + assert_eq!(expected_ciphertext_3, block); + + block = decode_hex("f69f2445df4f9b17ad2b417be66c3710"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_ciphertext_3 = decode_hex("1e031dda2fbe03d1792170a0f3009cee"); + assert_eq!(expected_ciphertext_3, block); + } + + #[test] + fn aes_128_ctr_test_decrypt() { + // https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf F.5.2 + let key = decode_hex("2b7e151628aed2a6abf7158809cf4f3c"); + let iv = decode_hex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); + let mut cipher = Aes128Ctr::new(&key, &iv); + + let mut block: [u8; 16]; + block = decode_hex("874d6191b620e3261bef6864990db6ce"); + cipher + 
.apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_1 = decode_hex("6bc1bee22e409f96e93d7e117393172a"); + assert_eq!(expected_plaintext_1, block); + + block = decode_hex("9806f66b7970fdff8617187bb9fffdff"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_2 = decode_hex("ae2d8a571e03ac9c9eb76fac45af8e51"); + assert_eq!(expected_plaintext_2, block); + + block = decode_hex("5ae4df3edbd5d35e5b4f09020db03eab"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_3 = decode_hex("30c81c46a35ce411e5fbc1191a0a52ef"); + assert_eq!(expected_plaintext_3, block); + + block = decode_hex("1e031dda2fbe03d1792170a0f3009cee"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_3 = decode_hex("f69f2445df4f9b17ad2b417be66c3710"); + assert_eq!(expected_plaintext_3, block); + } + + #[test] + pub fn aes_256_ctr_test_encrypt() { + // https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf F.5.5 + let key = decode_hex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"); + let iv = decode_hex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); + let mut block: [u8; 16]; + let mut cipher = Aes256Ctr::new(&key, &iv); + + block = decode_hex("6bc1bee22e409f96e93d7e117393172a"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_ciphertext_1 = decode_hex("601ec313775789a5b7a7f504bbf3d228"); + assert_eq!(expected_ciphertext_1, block); + + block = decode_hex("ae2d8a571e03ac9c9eb76fac45af8e51"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_ciphertext_2 = decode_hex("f443e3ca4d62b59aca84e990cacaf5c5"); + assert_eq!(expected_ciphertext_2, block); + + block = decode_hex("30c81c46a35ce411e5fbc1191a0a52ef"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); 
+ let expected_ciphertext_3 = decode_hex("2b0930daa23de94ce87017ba2d84988d"); + assert_eq!(expected_ciphertext_3, block); + + block = decode_hex("f69f2445df4f9b17ad2b417be66c3710"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_ciphertext_3 = decode_hex("dfc9c58db67aada613c2dd08457941a6"); + assert_eq!(expected_ciphertext_3, block); + } + + #[test] + fn aes_256_ctr_test_decrypt() { + // https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf F.5.6 + let key = decode_hex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"); + let iv = decode_hex("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"); + let mut cipher = Aes256Ctr::new(&key, &iv); + + let mut block: [u8; 16]; + block = decode_hex("601ec313775789a5b7a7f504bbf3d228"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_1 = decode_hex("6bc1bee22e409f96e93d7e117393172a"); + assert_eq!(expected_plaintext_1, block); + + block = decode_hex("f443e3ca4d62b59aca84e990cacaf5c5"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_2 = decode_hex("ae2d8a571e03ac9c9eb76fac45af8e51"); + assert_eq!(expected_plaintext_2, block); + + block = decode_hex("2b0930daa23de94ce87017ba2d84988d"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_3 = decode_hex("30c81c46a35ce411e5fbc1191a0a52ef"); + assert_eq!(expected_plaintext_3, block); + + block = decode_hex("dfc9c58db67aada613c2dd08457941a6"); + cipher + .apply_keystream(&mut block) + .expect("Failed to apply keystream"); + let expected_plaintext_3 = decode_hex("f69f2445df4f9b17ad2b417be66c3710"); + assert_eq!(expected_plaintext_3, block); + } +} diff --git a/src/rust/bssl-crypto/src/cipher/mod.rs b/src/rust/bssl-crypto/src/cipher/mod.rs new file mode 100644 index 00000000..2ff6b3ab --- /dev/null +++ b/src/rust/bssl-crypto/src/cipher/mod.rs 
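Review bot: The docs for `Aes128Ctr` and `Aes256Ctr` call the 16-byte second argument a nonce and give no usage constraints, although the tests pass the whole initial counter block from SP 800-38A as that value. A reader should be told that a (key, nonce) pair must never be reused, since the same keystream would then be XORed into two messages, and that CTR output carries no integrity protection. I would put on each struct something like `/// The 16-byte nonce is the full initial counter block and must never repeat for a key. Output is unauthenticated; use an AEAD when integrity is needed.` As a point of style, `expected_ciphertext_3` and `expected_plaintext_3` are each bound twice in the tests; the fourth block should use `_4`.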
@@ -0,0 +1,146 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +use crate::{CSlice, CSliceMut}; +use bssl_sys::EVP_CIPHER; +use core::ffi::c_int; +use core::marker::PhantomData; + +/// AES-CTR stream cipher operations. +pub mod aes_ctr; + +/// Error returned in the event of an unsuccessful cipher operation. +#[derive(Debug)] +pub struct CipherError; + +/// Synchronous stream cipher trait. +pub trait StreamCipher { + /// The byte array key type which specifies the size of the key used to instantiate the cipher. + type Key: AsRef<[u8]>; + + /// The byte array nonce type which specifies the size of the nonce used in the cipher + /// operations. + type Nonce: AsRef<[u8]>; + + /// Instantiate a new instance of a stream cipher from a `key` and `iv`. + fn new(key: &Self::Key, iv: &Self::Nonce) -> Self; + + /// Applies the cipher keystream to `buffer` in place, returning CipherError on an unsuccessful + /// operation. 
+ fn apply_keystream(&mut self, buffer: &mut [u8]) -> Result<(), CipherError>; +} + +trait EvpCipherType { + type Key: AsRef<[u8]>; + type Nonce: AsRef<[u8]>; + fn evp_cipher() -> *const EVP_CIPHER; +} + +struct EvpAes128Ctr; +impl EvpCipherType for EvpAes128Ctr { + type Key = [u8; 16]; + type Nonce = [u8; 16]; + fn evp_cipher() -> *const EVP_CIPHER { + // Safety: + // - this just returns a constant value + unsafe { bssl_sys::EVP_aes_128_ctr() } + } +} + +struct EvpAes256Ctr; +impl EvpCipherType for EvpAes256Ctr { + type Key = [u8; 32]; + type Nonce = [u8; 16]; + fn evp_cipher() -> *const EVP_CIPHER { + // Safety: + // - this just returns a constant value + unsafe { bssl_sys::EVP_aes_256_ctr() } + } +} + +// Internal cipher implementation which wraps EVP_CIPHER_*, where K is the size of the Key and I is +// the size of the IV. This must only be exposed publicly by types who ensure that K is the correct +// size for the given CipherType. This can be checked via bssl_sys::EVP_CIPHER_key_length. +// +// WARNING: This is not safe to re-use for the CBC mode of operation since it is applying the +// key stream in-place. +struct Cipher<C: EvpCipherType> { + ctx: *mut bssl_sys::EVP_CIPHER_CTX, + _marker: PhantomData<C>, +} + +impl<C: EvpCipherType> Cipher<C> { + fn new(key: &C::Key, iv: &C::Nonce) -> Self { + // Safety: + // - Panics on allocation failure. + let ctx = unsafe { bssl_sys::EVP_CIPHER_CTX_new() }; + assert!(!ctx.is_null()); + + let key_cslice = CSlice::from(key.as_ref()); + let iv_cslice = CSlice::from(iv.as_ref()); + + // Safety: + // - Key size and iv size must be properly set by the higher level wrapper types. + // - Panics on allocation failure. 
+ let result = unsafe { + bssl_sys::EVP_EncryptInit_ex( + ctx, + C::evp_cipher(), + core::ptr::null_mut(), + key_cslice.as_ptr(), + iv_cslice.as_ptr(), + ) + }; + assert_eq!(result, 1); + + Self { + ctx, + _marker: Default::default(), + } + } + + fn apply_keystream_in_place(&mut self, buffer: &mut [u8]) -> Result<(), CipherError> { + let mut cslice_buf_mut = CSliceMut::from(buffer); + let mut out_len = 0; + + let buff_len_int = c_int::try_from(cslice_buf_mut.len()).map_err(|_| CipherError)?; + + // Safety: + // - The output buffer provided is always large enough for an in-place operation. + let result = unsafe { + bssl_sys::EVP_EncryptUpdate( + self.ctx, + cslice_buf_mut.as_mut_ptr(), + &mut out_len, + cslice_buf_mut.as_mut_ptr(), + buff_len_int, + ) + }; + if result == 1 { + assert_eq!(out_len as usize, cslice_buf_mut.len()); + Ok(()) + } else { + Err(CipherError) + } + } +} + +impl<C: EvpCipherType> Drop for Cipher<C> { + fn drop(&mut self) { + // Safety: + // - `self.ctx` was allocated by `EVP_CIPHER_CTX_new` and has not yet been freed. + unsafe { bssl_sys::EVP_CIPHER_CTX_free(self.ctx) } + } +} diff --git a/src/rust/bssl-crypto/src/digest.rs b/src/rust/bssl-crypto/src/digest.rs index 35b65345..72402976 100644 --- a/src/rust/bssl-crypto/src/digest.rs +++ b/src/rust/bssl-crypto/src/digest.rs @@ -15,7 +15,7 @@ use core::marker::PhantomData; -use crate::ForeignTypeRef; +use crate::{CSlice, ForeignTypeRef}; /// The SHA-256 digest algorithm. #[derive(Clone)] @@ -86,7 +86,6 @@ impl Sha512 { pub struct Digest<M: Md, const OUTPUT_SIZE: usize>(bssl_sys::EVP_MD_CTX, PhantomData<M>); impl<M: Md, const OUTPUT_SIZE: usize> Digest<M, OUTPUT_SIZE> { - /// Creates a new Digest from the given `Md` type parameter. /// /// Panics: 
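Review bot: In cipher/mod.rs, `Cipher::new` passes `key_cslice.as_ptr()` and `iv_cslice.as_ptr()` to `EVP_EncryptInit_ex` without checking either length against the selected cipher. The safety comment's "must be properly set by the higher level wrapper types" therefore depends entirely on each `EvpCipherType` impl declaring the right array sizes. The `AsRef<[u8]>` bound accepts any length, so a later impl with a short `Key` or `Nonce` would let the C side read past the buffer. I would assert before the init call, e.g. `assert_eq!(key_cslice.len(), unsafe { bssl_sys::EVP_CIPHER_key_length(C::evp_cipher()) } as usize);`, and do the same for the IV with `EVP_CIPHER_iv_length`. The comment above `struct Cipher` still describes parameters `K` and `I` that the struct no longer has; it should name `C::Key` and `C::Nonce` instead.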
@@ -110,10 +109,11 @@ impl<M: Md, const OUTPUT_SIZE: usize> Digest<M, OUTPUT_SIZE> { /// Hashes the provided input into the current digest operation. pub fn update(&mut self, data: &[u8]) { + let data_ffi = CSlice(data); // Safety: - // - `data` is a slice from safe Rust. + // - `data` is a CSlice from safe Rust. let result = unsafe { - bssl_sys::EVP_DigestUpdate(&mut self.0, data.as_ptr() as *const _, data.len()) + bssl_sys::EVP_DigestUpdate(&mut self.0, data_ffi.as_ptr() as *const _, data_ffi.len()) }; assert_eq!(result, 1, "bssl_sys::EVP_DigestUpdate failed"); } diff --git a/src/rust/bssl-crypto/src/ec.rs b/src/rust/bssl-crypto/src/ec.rs new file mode 100644 index 00000000..55fe4e97 --- /dev/null +++ b/src/rust/bssl-crypto/src/ec.rs 
@@ -0,0 +1,424 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +//! `EcKey` and `EcGroup` structs for working with elliptic curve cryptography. This module is +//! intended for internal use within this crate only, to create higher-level abstractions suitable +//! to be exposed externally. + +use alloc::borrow::ToOwned; +use alloc::vec; +use alloc::vec::Vec; +use core::panic; +use core::{borrow::Borrow, fmt::Debug, ops::Deref}; + +use crate::{bn::BigNum, CSlice, CSliceMut, ForeignType, ForeignTypeRef}; + +#[derive(Debug)] +pub(crate) struct EcKey { + ptr: *mut bssl_sys::EC_KEY, +} + +// Safety: Implementation ensures `from_ptr(x).as_ptr() == x` +unsafe impl ForeignType for EcKey { + type CType = bssl_sys::EC_KEY; + + unsafe fn from_ptr(ptr: *mut Self::CType) -> Self { + Self { ptr } + } + + fn as_ptr(&self) -> *mut Self::CType { + self.ptr + } +} + +// Safety: +// - `EC_KEY`'s documentation says "A given object may be used concurrently on multiple threads by +// non-mutating functions, provided no other thread is concurrently calling a mutating function.", +// which matches Rust's aliasing rules. +// - `ptr(&self)` and `ptr_mut(&mut self)` ensures that only a mutable reference can get a mutable +// `EC_KEY` pointer outside of this module. 
+unsafe impl Send for EcKey {} + +impl Clone for EcKey { + fn clone(&self) -> Self { + // Safety: + // - EcKey makes sure self.ptr is a valid pointer. + let ptr = unsafe { bssl_sys::EC_KEY_dup(self.ptr) }; + Self { ptr } + } +} + +/// Error type returned when conversion to or from an `EcKey` failed. +pub(crate) struct ConversionFailed; + +impl EcKey { + pub fn new_by_ec_group(ec_group: &EcGroupRef) -> Self { + // Safety: `EC_KEY_new` does not have preconditions + let eckey = unsafe { bssl_sys::EC_KEY_new() }; + assert!(!eckey.is_null()); + // Safety: + // - `eckey` is just allocated and doesn't have its group set yet + // - `EcGroup` ensures the `ptr` it contains is valid + unsafe { + assert_eq!( + bssl_sys::EC_KEY_set_group(eckey, ec_group.as_ptr()), + 1, + "EC_KEY_set_group failed" + ); + } + // Safety: `eckey` is allocated and null-checked + unsafe { Self::from_ptr(eckey) } + } + + /// Try to create a public-key version of `EcKey` from the given `value`. Returns error if the + /// slice is not a valid representation of a public key for the given curve. + /// + /// `curve_nid` should be a value defined in `bssl_sys::NID_*`. + #[allow(clippy::panic)] + pub(crate) fn try_new_public_key_from_bytes( + ec_group: &EcGroupRef, + value: &[u8], + ) -> Result<Self, ConversionFailed> { + let eckey = Self::new_by_ec_group(ec_group); + let value_ffi = CSlice(value); + + // Safety: The input slice `value_ffi` is a CSlice from safe Rust. 
+ let result = unsafe { + bssl_sys::EC_KEY_oct2key( + eckey.ptr, + value_ffi.as_ptr(), + value_ffi.len(), + core::ptr::null_mut(), + ) + }; + match result { + 0 => Err(ConversionFailed), + 1 => Ok(eckey), + _ => panic!("Unexpected return value {result} from EC_KEY_oct2key"), + } + } + + pub(crate) fn to_affine_coordinates(&self) -> (BigNum, BigNum) { + let ecpoint = unsafe { bssl_sys::EC_KEY_get0_public_key(self.ptr) }; + let bn_x = BigNum::new(); + let bn_y = BigNum::new(); + + // Safety: + // - `EcKey` and `BigNum` structs ensures validity of their pointers. + let result = unsafe { + bssl_sys::EC_POINT_get_affine_coordinates( + bssl_sys::EC_KEY_get0_group(self.ptr), + ecpoint, + bn_x.as_ptr(), + bn_y.as_ptr(), + core::ptr::null_mut(), + ) + }; + assert_eq!( + result, 1, + "bssl_sys::EC_POINT_get_affine_coordinates failed" + ); + (bn_x, bn_y) + } + + pub(crate) fn generate(ec_group: &EcGroupRef) -> Self { + let eckey = EcKey::new_by_ec_group(ec_group); + // Safety: `EcKey` ensures eckey.ptr is valid. + let result = unsafe { bssl_sys::EC_KEY_generate_key(eckey.as_ptr()) }; + assert_eq!(result, 1, "bssl_sys::EC_KEY_generate_key failed"); + eckey + } + + pub(crate) fn try_new_public_key_from_affine_coordinates( + ec_group: &EcGroupRef, + x: &[u8], + y: &[u8], + ) -> Result<Self, ConversionFailed> { + let bn_x = BigNum::from(x); + let bn_y = BigNum::from(y); + + let eckey = EcKey::new_by_ec_group(ec_group); + // Safety: + // - Wrapper classes `EcKey` and `BigNum` ensures validity of the pointers + let result = unsafe { + bssl_sys::EC_KEY_set_public_key_affine_coordinates( + eckey.as_ptr(), + bn_x.as_ptr(), + bn_y.as_ptr(), + ) + }; + if result == 1 { + Ok(eckey) + } else { + Err(ConversionFailed) + } + } + + /// Tries to convert the given bytes into a private key contained within `EcKey`. + /// + /// `private_key_bytes` must be padded to the size of `curve_nid`'s group order, otherwise the + /// conversion will fail. 
+ pub(crate) fn try_from_raw_bytes( + ec_group: &EcGroupRef, + private_key_bytes: &[u8], + ) -> Result<Self, ConversionFailed> { + let eckey = EcKey::new_by_ec_group(ec_group); + let private_key_bytes_ffi = CSlice(private_key_bytes); + // Safety: + // - `EcKey` ensures `eckey.ptr` is valid. + // - `private_key_bytes` is a CSlice from safe-rust. + let result = unsafe { + bssl_sys::EC_KEY_oct2priv( + eckey.as_ptr(), + private_key_bytes_ffi.as_ptr(), + private_key_bytes_ffi.len(), + ) + }; + if result != 1 { + return Err(ConversionFailed); + } + + Ok(eckey) + } + + /// Converts between the private key component of `eckey` and octet form. The octet form + /// consists of the content octets of the `privateKey` `OCTET STRING` in an `ECPrivateKey` ASN.1 + /// structure + pub(crate) fn to_raw_bytes(&self) -> Vec<u8> { + let mut output = vec![0_u8; 66]; + let mut private_key_bytes_ffi = CSliceMut::from(&mut output[..]); + // Safety: + // - `EcKey` ensures `self.ptr` is valid. + // - `private_key_bytes_ffi` is a CSliceMut we just allocated. + // - 66 bytes is guaranteed to be sufficient to store an EC private key + let num_octets_stored = unsafe { + bssl_sys::EC_KEY_priv2oct( + self.as_ptr(), + private_key_bytes_ffi.as_mut_ptr(), + private_key_bytes_ffi.len(), + ) + }; + // Safety: `EC_KEY_priv2oct` just wrote `num_octets_stored` into the buffer. 
+ unsafe { output.set_len(num_octets_stored) } + output + } + + pub(crate) fn public_key_eq(&self, other: &Self) -> bool { + let result = unsafe { + bssl_sys::EC_POINT_cmp( + bssl_sys::EC_KEY_get0_group(self.ptr), + bssl_sys::EC_KEY_get0_public_key(self.ptr), + bssl_sys::EC_KEY_get0_public_key(other.ptr), + core::ptr::null_mut(), + ) + }; + assert_ne!(result, -1, "bssl_sys::EC_POINT_cmp failed"); + result == 0 + } + + pub(crate) fn to_vec(&self) -> Vec<u8> { + // Safety: `self.ptr` is owned by `self` + let ecgroup = unsafe { bssl_sys::EC_KEY_get0_group(self.ptr) }; + let ecpoint = unsafe { bssl_sys::EC_KEY_get0_public_key(self.ptr) }; + let conv_form = unsafe { bssl_sys::EC_KEY_get_conv_form(self.ptr) }; + // Safety: + // - When passing null to EC_POINT_point2oct's `buf` argument, it returns the size of the + // resulting buffer. + let output_size = unsafe { + bssl_sys::EC_POINT_point2oct( + ecgroup, + ecpoint, + conv_form, + core::ptr::null_mut(), + 0, + core::ptr::null_mut(), + ) + }; + assert_ne!(output_size, 0, "bssl_sys::EC_POINT_point2oct failed"); + let mut result_vec = Vec::<u8>::with_capacity(output_size); + let buf_len = unsafe { + bssl_sys::EC_POINT_point2oct( + ecgroup, + ecpoint, + conv_form, + result_vec.as_mut_ptr(), + output_size, + core::ptr::null_mut(), + ) + }; + assert_ne!(buf_len, 0, "bssl_sys::EC_POINT_point2oct failed"); + // Safety: The length is what EC_POINT_point2oct just told us it filled into the buffer. + unsafe { result_vec.set_len(buf_len) } + result_vec + } +} + +impl Drop for EcKey { + fn drop(&mut self) { + // Safety: `self.ptr` is owned by this struct + unsafe { bssl_sys::EC_KEY_free(self.ptr) } + } +} + +/// Describes an elliptic curve. +#[non_exhaustive] +pub struct EcGroupRef; + +// Safety: Default implementation in ForeignTypeRef ensures the preconditions +// required by that trait holds. 
+unsafe impl ForeignTypeRef for EcGroupRef { + type CType = bssl_sys::EC_GROUP; +} + +impl Borrow<EcGroupRef> for EcGroup { + fn borrow(&self) -> &EcGroupRef { + unsafe { EcGroupRef::from_ptr(self.ptr) } + } +} + +impl ToOwned for EcGroupRef { + type Owned = EcGroup; + + fn to_owned(&self) -> Self::Owned { + // Safety: `EcGroupRef` is a valid pointer + let new_ec_group = unsafe { bssl_sys::EC_GROUP_dup(self.as_ptr()) }; + assert!(!new_ec_group.is_null(), "EC_GROUP_dup failed"); + EcGroup { ptr: new_ec_group } + } +} + +impl AsRef<EcGroupRef> for EcGroup { + fn as_ref(&self) -> &EcGroupRef { + self.deref() + } +} + +impl PartialEq for EcGroupRef { + fn eq(&self, other: &Self) -> bool { + // Safety: + // - Self and other are valid pointers since they come from `EcGroupRef` + // - Third argument is ignored + unsafe { + bssl_sys::EC_GROUP_cmp( + self.as_ptr(), + other.as_ptr(), + /* ignored */ core::ptr::null_mut(), + ) == 0 + } + } +} + +impl Eq for EcGroupRef {} + +pub struct EcGroup { + ptr: *mut bssl_sys::EC_GROUP, +} + +impl Deref for EcGroup { + type Target = EcGroupRef; + + fn deref(&self) -> &Self::Target { + unsafe { EcGroupRef::from_ptr(self.ptr) } + } +} + +impl Drop for EcGroup { + fn drop(&mut self) { + unsafe { bssl_sys::EC_GROUP_free(self.ptr) } + } +} + +/// An elliptic curve, used as the type parameter for [`PublicKey`] and [`PrivateKey`]. +pub trait Curve: Debug { + /// The size of the affine coordinates for this curve. + const AFFINE_COORDINATE_SIZE: usize; + + /// Create a new [`EcGroup`] for this curve. + fn ec_group() -> &'static EcGroupRef; +} + +/// The P-224 curve, corresponding to `NID_secp224r1`. +#[derive(Debug)] +pub struct P224; + +impl Curve for P224 { + const AFFINE_COORDINATE_SIZE: usize = 28; + + fn ec_group() -> &'static EcGroupRef { + // Safety: EC_group_p224 does not have any preconditions + unsafe { EcGroupRef::from_ptr(bssl_sys::EC_group_p224() as *mut _) } + } +} + +/// The P-256 curve, corresponding to `NID_X9_62_prime256v1`. 
+#[derive(Debug)] +pub struct P256; + +impl Curve for P256 { + const AFFINE_COORDINATE_SIZE: usize = 32; + + fn ec_group() -> &'static EcGroupRef { + // Safety: EC_group_p256 does not have any preconditions + unsafe { EcGroupRef::from_ptr(bssl_sys::EC_group_p256() as *mut _) } + } +} + +/// The P-384 curve, corresponding to `NID_secp384r1`. +#[derive(Debug)] +pub struct P384; + +impl Curve for P384 { + const AFFINE_COORDINATE_SIZE: usize = 48; + + fn ec_group() -> &'static EcGroupRef { + // Safety: EC_group_p384 does not have any preconditions + unsafe { EcGroupRef::from_ptr(bssl_sys::EC_group_p384() as *mut _) } + } +} + +/// The P-521 curve, corresponding to `NID_secp521r1`. +#[derive(Debug)] +pub struct P521; + +impl Curve for P521 { + const AFFINE_COORDINATE_SIZE: usize = 66; + + fn ec_group() -> &'static EcGroupRef { + // Safety: EC_group_p521 does not have any preconditions + unsafe { EcGroupRef::from_ptr(bssl_sys::EC_group_p521() as *mut _) } + } +} + +#[cfg(test)] +mod test { + use crate::ec::P521; + + use super::{Curve, EcGroupRef, P256}; + + #[test] + fn test_ec_group_clone_and_eq() { + let group = P256::ec_group(); + let group_clone = group.to_owned(); + let group2: &EcGroupRef = &group_clone; + assert!(group == group2); + } + + #[test] + fn test_ec_group_not_equal() { + let group = P256::ec_group(); + let group2 = P521::ec_group(); + assert!(group != group2) + } +} diff --git a/src/rust/bssl-crypto/src/ecdh.rs b/src/rust/bssl-crypto/src/ecdh.rs new file mode 100644 index 00000000..aca711bd --- /dev/null +++ b/src/rust/bssl-crypto/src/ecdh.rs 
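Review bot: In ec.rs, `Clone for EcKey` wraps the result of `EC_KEY_dup` without a null check, unlike `new_by_ec_group` and `EcGroupRef::to_owned`, which both assert on their allocations. A failed duplication would put a null pointer into an `EcKey` whose other methods assume it is valid; add `assert!(!ptr.is_null(), "EC_KEY_dup failed");` before `Self { ptr }`. In the same hunk, `to_raw_bytes` passes the return value of `EC_KEY_priv2oct` straight to `set_len`, so an error return (presumably 0, for instance on a key with no private component) silently yields an empty `Vec`. Using `assert_ne!(num_octets_stored, 0, "EC_KEY_priv2oct failed");` followed by `output.truncate(num_octets_stored)` reports the failure and removes that `unsafe` block. The doc comments that mention `curve_nid`, and the `Send` note naming `ptr(&self)`/`ptr_mut(&mut self)`, refer to names this file does not define and should be updated to `ec_group` and `as_ptr`.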
@@ -0,0 +1,415 @@ +/* Copyright (c) 2023, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +use alloc::vec::Vec; +use core::marker::PhantomData; + +use crate::{ + ec::{Curve, EcKey}, + pkey::{Pkey, PkeyCtx}, + CSliceMut, ForeignType, +}; + +pub use crate::ec::P256; + +/// Private key used in a elliptic curve Diffie-Hellman. +pub struct PrivateKey<C: Curve> { + /// An EcKey containing the private-public key pair + eckey: EcKey, + marker: PhantomData<C>, +} + +/// Error type for ECDH operations. +#[derive(Debug)] +pub enum Error { + /// Failed when trying to convert between representations. + ConversionFailed, + /// The Diffie-Hellman key exchange failed. + DiffieHellmanFailed, +} + +impl<C: Curve> PrivateKey<C> { + /// Derives a shared secret from this private key and the given public key. + /// + /// # Panics + /// When `OUTPUT_SIZE` is insufficient to store the output of the shared secret. 
+ #[allow(clippy::expect_used)] + pub fn diffie_hellman<const OUTPUT_SIZE: usize>( + &self, + other_public_key: &PublicKey<C>, + ) -> Result<SharedSecret<OUTPUT_SIZE>, Error> { + let pkey: Pkey = (&self.eckey).into(); + let pkey_ctx = PkeyCtx::new(&pkey); + let other_pkey: Pkey = (&other_public_key.eckey).into(); + let mut output = [0_u8; OUTPUT_SIZE]; + pkey_ctx + .diffie_hellman(&other_pkey, CSliceMut(&mut output)) + .map(|_| SharedSecret(output)) + .map_err(|_| Error::DiffieHellmanFailed) + } + + /// Generate a new private key for use in a Diffie-Hellman key exchange. + pub fn generate() -> Self { + Self { + eckey: EcKey::generate(C::ec_group()), + marker: PhantomData, + } + } + + /// Tries to convert the given bytes into an private key. + /// + /// `private_key_bytes` is the octet form that consists of the content octets of the + /// `privateKey` `OCTET STRING` in an `ECPrivateKey` ASN.1 structure. + /// + /// Returns an error if the given bytes is not a valid representation of a P-256 private key. + pub fn from_private_bytes(private_key_bytes: &[u8]) -> Result<Self, Error> { + EcKey::try_from_raw_bytes(C::ec_group(), private_key_bytes) + .map(|eckey| Self { + eckey, + marker: PhantomData, + }) + .map_err(|_| Error::ConversionFailed) + } + + /// Serializes this private key as a big-endian integer, zero-padded to the size of key's group + /// order and returns the result. + pub fn to_bytes(&self) -> Vec<u8> { + self.eckey.to_raw_bytes() + } +} + +impl<'a, C: Curve> From<&'a PrivateKey<C>> for PublicKey<C> { + fn from(value: &'a PrivateKey<C>) -> Self { + Self { + eckey: value.eckey.clone(), + marker: PhantomData, + } + } +} + +/// A public key for elliptic curve. 
+#[derive(Clone, Debug)] +pub struct PublicKey<C: Curve> { + /// An EcKey containing the public key + eckey: EcKey, + marker: PhantomData<C>, +} + +impl<C: Curve> Eq for PublicKey<C> {} + +impl<C: Curve> PartialEq for PublicKey<C> { + fn eq(&self, other: &Self) -> bool { + self.eckey.public_key_eq(&other.eckey) + } +} + +impl<C: Curve> PublicKey<C> { + /// Converts this public key to its byte representation. + pub fn to_vec(&self) -> Vec<u8> { + self.eckey.to_vec() + } + + /// Converts the given affine coordinates into a public key. + pub fn from_affine_coordinates<const AFFINE_COORDINATE_SIZE: usize>( + x: &[u8; AFFINE_COORDINATE_SIZE], + y: &[u8; AFFINE_COORDINATE_SIZE], + ) -> Result<Self, Error> { + assert_eq!(AFFINE_COORDINATE_SIZE, C::AFFINE_COORDINATE_SIZE); + EcKey::try_new_public_key_from_affine_coordinates(C::ec_group(), &x[..], &y[..]) + .map(|eckey| Self { + eckey, + marker: PhantomData, + }) + .map_err(|_| Error::ConversionFailed) + } + + /// Converts this public key to its affine coordinates. 
+ pub fn to_affine_coordinates<const AFFINE_COORDINATE_SIZE: usize>( + &self, + ) -> ([u8; AFFINE_COORDINATE_SIZE], [u8; AFFINE_COORDINATE_SIZE]) { + assert_eq!(AFFINE_COORDINATE_SIZE, C::AFFINE_COORDINATE_SIZE); + let (bn_x, bn_y) = self.eckey.to_affine_coordinates(); + + let mut x_bytes_uninit = core::mem::MaybeUninit::<[u8; AFFINE_COORDINATE_SIZE]>::uninit(); + let mut y_bytes_uninit = core::mem::MaybeUninit::<[u8; AFFINE_COORDINATE_SIZE]>::uninit(); + // Safety: + // - `BigNum` guarantees the validity of its ptr + // - The size of `x/y_bytes_uninit` and the length passed to `BN_bn2bin_padded` are both + // `AFFINE_COORDINATE_SIZE` + let (result_x, result_y) = unsafe { + ( + bssl_sys::BN_bn2bin_padded( + x_bytes_uninit.as_mut_ptr() as *mut _, + AFFINE_COORDINATE_SIZE, + bn_x.as_ptr(), + ), + bssl_sys::BN_bn2bin_padded( + y_bytes_uninit.as_mut_ptr() as *mut _, + AFFINE_COORDINATE_SIZE, + bn_y.as_ptr(), + ), + ) + }; + assert_eq!(result_x, 1, "bssl_sys::BN_bn2bin_padded failed"); + assert_eq!(result_y, 1, "bssl_sys::BN_bn2bin_padded failed"); + + // Safety: Fields initialized by `BN_bn2bin_padded` above. + unsafe { (x_bytes_uninit.assume_init(), y_bytes_uninit.assume_init()) } + } +} + +impl<C: Curve> TryFrom<&[u8]> for PublicKey<C> { + type Error = Error; + + fn try_from(value: &[u8]) -> Result<Self, Error> { + EcKey::try_new_public_key_from_bytes(C::ec_group(), value) + .map(|eckey| Self { + eckey, + marker: PhantomData, + }) + .map_err(|_| Error::ConversionFailed) + } +} + +/// Shared secret derived from a Diffie-Hellman key exchange. Don't use the shared key directly, +/// rather use a KDF and also include the two public values as inputs. +pub struct SharedSecret<const SIZE: usize>(pub(crate) [u8; SIZE]); + +impl<const SIZE: usize> SharedSecret<SIZE> { + /// Gets a copy of the shared secret. + pub fn to_bytes(&self) -> [u8; SIZE] { + self.0 + } + + /// Gets a reference to the underlying data in this shared secret. 
+ pub fn as_bytes(&self) -> &[u8; SIZE] { + &self.0 + } +} + +#[cfg(test)] +#[allow(clippy::unwrap_used, clippy::expect_used)] +mod tests { + use crate::{ + ec::{Curve, P224, P256, P384, P521}, + ecdh::{PrivateKey, PublicKey}, + test_helpers::decode_hex, + }; + + #[test] + fn p224_test_diffie_hellman() { + // From wycheproof ecdh_secp224r1_ecpoint_test.json, tcId 1 + // sec1 public key manually extracted from the ASN encoded test data + let public_key_bytes: [u8; 57] = decode_hex(concat!( + "047d8ac211e1228eb094e285a957d9912e93deee433ed777440ae9fc719b01d0", + "50dfbe653e72f39491be87fb1a2742daa6e0a2aada98bb1aca", + )); + let private_key_bytes: [u8; 28] = + decode_hex("565577a49415ca761a0322ad54e4ad0ae7625174baf372c2816f5328"); + let expected_shared_secret: [u8; 28] = + decode_hex("b8ecdb552d39228ee332bafe4886dbff272f7109edf933bc7542bd4f"); + + let public_key: PublicKey<P224> = (&public_key_bytes[..]).try_into().unwrap(); + let private_key = PrivateKey::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + let actual_shared_secret = private_key.diffie_hellman(&public_key).unwrap(); + + assert_eq!(actual_shared_secret.0, expected_shared_secret); + } + + #[test] + fn p256_test_diffie_hellman() { + // From wycheproof ecdh_secp256r1_ecpoint_test.json, tcId 1 + // sec1 public key manually extracted from the ASN encoded test data + let public_key_bytes: [u8; 65] = decode_hex(concat!( + "0462d5bd3372af75fe85a040715d0f502428e07046868b0bfdfa61d731afe44f", + "26ac333a93a9e70a81cd5a95b5bf8d13990eb741c8c38872b4a07d275a014e30cf", + )); + let private_key_bytes: [u8; 32] = + decode_hex("0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346"); + let expected_shared_secret: [u8; 32] = + decode_hex("53020d908b0219328b658b525f26780e3ae12bcd952bb25a93bc0895e1714285"); + + let public_key: PublicKey<P256> = (&public_key_bytes[..]).try_into().unwrap(); + let private_key = PrivateKey::from_private_bytes(&private_key_bytes) + .expect("Input 
private key should be valid"); + let actual_shared_secret = private_key.diffie_hellman(&public_key).unwrap(); + + assert_eq!(actual_shared_secret.0, expected_shared_secret); + } + + #[test] + fn p384_test_diffie_hellman() { + // From wycheproof ecdh_secp384r1_ecpoint_test.json, tcId 1 + // sec1 public key manually extracted from the ASN encoded test data + let public_key_bytes: [u8; 97] = decode_hex(concat!( + "04790a6e059ef9a5940163183d4a7809135d29791643fc43a2f17ee8bf677ab8", + "4f791b64a6be15969ffa012dd9185d8796d9b954baa8a75e82df711b3b56eadf", + "f6b0f668c3b26b4b1aeb308a1fcc1c680d329a6705025f1c98a0b5e5bfcb163caa", + )); + let private_key_bytes: [u8; 48] = decode_hex(concat!( + "766e61425b2da9f846c09fc3564b93a6f8603b7392c785165bf20da948c49fd1", + "fb1dee4edd64356b9f21c588b75dfd81" + )); + let expected_shared_secret: [u8; 48] = decode_hex(concat!( + "6461defb95d996b24296f5a1832b34db05ed031114fbe7d98d098f93859866e4", + "de1e229da71fef0c77fe49b249190135" + )); + + let public_key: PublicKey<P384> = (&public_key_bytes[..]).try_into().unwrap(); + let private_key = PrivateKey::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + let actual_shared_secret = private_key.diffie_hellman(&public_key).unwrap(); + + assert_eq!(actual_shared_secret.0, expected_shared_secret); + } + + #[test] + fn p521_test_diffie_hellman() { + // From wycheproof ecdh_secp521r1_ecpoint_test.json, tcId 1 + // sec1 public key manually extracted from the ASN encoded test data + let public_key_bytes: [u8; 133] = decode_hex(concat!( + "040064da3e94733db536a74a0d8a5cb2265a31c54a1da6529a198377fbd38575", + "d9d79769ca2bdf2d4c972642926d444891a652e7f492337251adf1613cf30779", + "99b5ce00e04ad19cf9fd4722b0c824c069f70c3c0e7ebc5288940dfa92422152", + "ae4a4f79183ced375afb54db1409ddf338b85bb6dbfc5950163346bb63a90a70", + "c5aba098f7", + )); + let private_key_bytes: [u8; 66] = decode_hex(concat!( + "01939982b529596ce77a94bc6efd03e92c21a849eb4f87b8f619d506efc9bb22", + 
"e7c61640c90d598f795b64566dc6df43992ae34a1341d458574440a7371f611c", + "7dcd" + )); + let expected_shared_secret: [u8; 66] = decode_hex(concat!( + "01f1e410f2c6262bce6879a3f46dfb7dd11d30eeee9ab49852102e1892201dd1", + "0f27266c2cf7cbccc7f6885099043dad80ff57f0df96acf283fb090de53df95f", + "7d87", + )); + + let public_key: PublicKey<P521> = (&public_key_bytes[..]).try_into().unwrap(); + let private_key = PrivateKey::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + let actual_shared_secret = private_key.diffie_hellman(&public_key).unwrap(); + + assert_eq!(actual_shared_secret.0, expected_shared_secret); + } + + #[test] + fn p224_generate_diffie_hellman_matches() { + generate_diffie_hellman_matches::<P224, 28>() + } + + #[test] + fn p256_generate_diffie_hellman_matches() { + generate_diffie_hellman_matches::<P256, 32>() + } + + #[test] + fn p384_generate_diffie_hellman_matches() { + generate_diffie_hellman_matches::<P384, 48>() + } + + #[test] + fn p521_generate_diffie_hellman_matches() { + generate_diffie_hellman_matches::<P521, 66>() + } + + fn generate_diffie_hellman_matches<C: Curve, const OUTPUT_SIZE: usize>() { + let private_key_1 = PrivateKey::<C>::generate(); + let private_key_2 = PrivateKey::<C>::generate(); + let public_key_1 = PublicKey::from(&private_key_1); + let public_key_2 = PublicKey::from(&private_key_2); + + let diffie_hellman_1 = private_key_1 + .diffie_hellman::<OUTPUT_SIZE>(&public_key_2) + .unwrap(); + let diffie_hellman_2 = private_key_2 + .diffie_hellman::<OUTPUT_SIZE>(&public_key_1) + .unwrap(); + + assert_eq!(diffie_hellman_1.to_bytes(), diffie_hellman_2.to_bytes()); + } + + #[test] + fn p224_to_private_bytes() { + let private_key_bytes: [u8; 28] = + decode_hex("565577a49415ca761a0322ad54e4ad0ae7625174baf372c2816f5328"); + let private_key = PrivateKey::<P224>::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + assert_eq!(&private_key.to_bytes()[..], 
&private_key_bytes[..]); + } + + #[test] + fn p256_to_private_bytes() { + let private_key_bytes: [u8; 32] = + decode_hex("0612465c89a023ab17855b0a6bcebfd3febb53aef84138647b5352e02c10c346"); + let private_key = PrivateKey::<P256>::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + assert_eq!(&private_key.to_bytes()[..], &private_key_bytes[..]); + } + + #[test] + fn p384_to_private_bytes() { + let private_key_bytes: [u8; 48] = decode_hex(concat!( + "766e61425b2da9f846c09fc3564b93a6f8603b7392c785165bf20da948c49fd1", + "fb1dee4edd64356b9f21c588b75dfd81" + )); + let private_key = PrivateKey::<P384>::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + assert_eq!(&private_key.to_bytes()[..], &private_key_bytes[..]); + } + + #[test] + fn p521_to_private_bytes() { + let private_key_bytes: [u8; 66] = decode_hex(concat!( + "01939982b529596ce77a94bc6efd03e92c21a849eb4f87b8f619d506efc9bb22", + "e7c61640c90d598f795b64566dc6df43992ae34a1341d458574440a7371f611c", + "7dcd", + )); + let private_key = PrivateKey::<P521>::from_private_bytes(&private_key_bytes) + .expect("Input private key should be valid"); + assert_eq!(&private_key.to_bytes()[..], &private_key_bytes[..]); + } + + #[test] + fn p224_affine_coordinates_test() { + affine_coordinates_test::<P224, { P224::AFFINE_COORDINATE_SIZE }>(); + } + + #[test] + fn p256_affine_coordinates_test() { + affine_coordinates_test::<P256, { P256::AFFINE_COORDINATE_SIZE }>(); + } + + #[test] + fn p384_affine_coordinates_test() { + affine_coordinates_test::<P384, { P384::AFFINE_COORDINATE_SIZE }>(); + } + + #[test] + fn p521_affine_coordinates_test() { + affine_coordinates_test::<P521, { P521::AFFINE_COORDINATE_SIZE }>(); + } + + fn affine_coordinates_test<C: Curve, const AFFINE_COORDINATE_SIZE: usize>() { + let private_key = PrivateKey::<C>::generate(); + let public_key = PublicKey::from(&private_key); + + let (x, y) = 
public_key.to_affine_coordinates::<AFFINE_COORDINATE_SIZE>(); + + let recreated_public_key = PublicKey::from_affine_coordinates(&x, &y); + assert_eq!(public_key, recreated_public_key.unwrap()); + } +} diff --git a/src/rust/bssl-crypto/src/ed25519.rs b/src/rust/bssl-crypto/src/ed25519.rs index df365079..f4ab5bec 100644 --- a/src/rust/bssl-crypto/src/ed25519.rs +++ b/src/rust/bssl-crypto/src/ed25519.rs @@ -89,14 +89,15 @@ impl PrivateKey { pub fn sign(&self, msg: &[u8]) -> Signature { let mut sig_bytes = [0u8; SIGNATURE_LENGTH]; + let msg_ffi = CSlice(msg); // Safety: // - On allocation failure we panic. // - Signature and private keys are always the correct length. let result = unsafe { bssl_sys::ED25519_sign( sig_bytes.as_mut_ptr(), - msg.as_ptr(), - msg.len(), + msg_ffi.as_ptr(), + msg_ffi.len(), self.0.as_ptr(), ) }; diff --git a/src/rust/bssl-crypto/src/hkdf.rs b/src/rust/bssl-crypto/src/hkdf.rs index d3144951..e4e9c013 100644 --- a/src/rust/bssl-crypto/src/hkdf.rs +++ b/src/rust/bssl-crypto/src/hkdf.rs @@ -15,6 +15,7 @@ use crate::digest::Md; use crate::digest::{Sha256, Sha512}; use crate::{CSlice, CSliceMut, ForeignTypeRef}; +use alloc::vec::Vec; use core::marker::PhantomData; /// Implementation of HKDF-SHA-256 @@ -45,7 +46,7 @@ impl<M: Md> Hkdf<M> { Self { salt: salt.map(Vec::from), ikm: Vec::from(ikm), - _marker: PhantomData::default(), + _marker: PhantomData, } } @@ -94,6 +95,12 @@ impl<M: Md> Hkdf<M> { } #[cfg(test)] +#[allow( + clippy::expect_used, + clippy::panic, + clippy::indexing_slicing, + clippy::unwrap_used +)] mod tests { use crate::hkdf::{HkdfSha256, HkdfSha512}; use crate::test_helpers::{decode_hex, decode_hex_into_vec}; diff --git a/src/rust/bssl-crypto/src/lib.rs b/src/rust/bssl-crypto/src/lib.rs index f4d1291c..e53469d9 100644 --- a/src/rust/bssl-crypto/src/lib.rs +++ b/src/rust/bssl-crypto/src/lib.rs 
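Review bot: In ecdh.rs, `impl From<&PrivateKey<C>> for PublicKey<C>` builds the public key with `value.eckey.clone()`, which goes through `EC_KEY_dup` and so presumably copies the private scalar into the `PublicKey` as well. No visible `PublicKey` method exposes it, but every public key derived this way, and each of its clones, keeps secret key material alive for its own lifetime. Building it from the public point only keeps the secret confined to `PrivateKey`, for example `Self::try_from(&value.eckey.to_vec()[..])` with the error treated as unreachable, or an `EcKey` helper that copies just the group and public point. Separately, the doc comment on `from_private_bytes` says "P-256 private key" although the function is generic over `C`.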
@@ -21,14 +21,22 @@ clippy::panic, clippy::expect_used )] +#![cfg_attr(not(any(feature = "std", test)), no_std)] //! Rust BoringSSL bindings +extern crate alloc; extern crate core; +/// Authenticated Encryption with Additional Data algorithms. +pub mod aead; + /// AES block operations. pub mod aes; +/// Ciphers. +pub mod cipher; + /// Hash functions. pub mod digest; @@ -44,9 +52,19 @@ pub mod hmac; /// Random number generation. pub mod rand; -/// BoringSSL implemented memory-manipulation operations. +/// X25519 elliptic curve operations. +pub mod x25519; + +/// Memory-manipulation operations. pub mod mem; +/// Elliptic curve diffie-hellman operations. +pub mod ecdh; + +pub(crate) mod bn; +pub(crate) mod ec; +pub(crate) mod pkey; + #[cfg(test)] mod test_helpers; @@ -63,7 +81,7 @@ impl CSlice<'_> { /// Returns a raw pointer to the value, which is safe to pass over FFI. pub fn as_ptr<T>(&self) -> *const T { if self.0.is_empty() { - std::ptr::null() + core::ptr::null() } else { self.0.as_ptr() as *const T } @@ -81,7 +99,7 @@ impl CSliceMut<'_> { /// Returns a raw pointer to the value, which is safe to pass over FFI. pub fn as_mut_ptr<T>(&mut self) -> *mut T { if self.0.is_empty() { - std::ptr::null_mut() + core::ptr::null_mut() } else { self.0.as_mut_ptr() as *mut T } @@ -105,7 +123,7 @@ impl<'a> From<&'a mut [u8]> for CSliceMut<'a> { /// Implementations of `ForeignTypeRef` must guarantee the following: /// /// - `Self::from_ptr(x).as_ptr() == x` -/// - `Self::from_mut_ptr(x).as_ptr() == x` +/// - `Self::from_ptr_mut(x).as_ptr() == x` unsafe trait ForeignTypeRef: Sized { /// The raw C type. type CType; 
@@ -138,3 +156,26 @@ unsafe trait ForeignTypeRef: Sized { self as *const _ as *mut _ } } + +/// A helper trait implemented by types which has an owned reference to foreign types. +/// +/// # Safety +/// +/// Implementations of `ForeignType` must guarantee the following: +/// +/// - `Self::from_ptr(x).as_ptr() == x` +unsafe trait ForeignType { + /// The raw C type. + type CType; + + /// Constructs an instance of this type from its raw type. + /// + /// # Safety + /// + /// - `ptr` must be a valid, immutable, instance of `CType`. + /// - Ownership of `ptr` is passed to the implementation, and will free `ptr` when dropped. + unsafe fn from_ptr(ptr: *mut Self::CType) -> Self; + + /// Returns a raw pointer to the wrapped value. + fn as_ptr(&self) -> *mut Self::CType; +} diff --git a/src/rust/bssl-crypto/src/pkey.rs b/src/rust/bssl-crypto/src/pkey.rs new file mode 100644 index 00000000..3d4a62b5 --- /dev/null +++ b/src/rust/bssl-crypto/src/pkey.rs 
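Review bot: The safety section of `ForeignType::from_ptr` asks for a "valid, immutable, instance of `CType`", while the next bullet says ownership passes to the implementation, which frees the pointer on drop, and the parameter is `*mut Self::CType`. "Immutable" looks carried over from `ForeignTypeRef` and contradicts the ownership transfer. The contract also does not say whether null is allowed, and nothing in the trait checks it. I would reword the bullet to `/// - `ptr` must be non-null and point to a valid `CType` whose ownership the caller gives up.` and correct the summary line to "types which have an owned reference".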
@@ -0,0 +1,103 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+//! `Pkey` and `PkeyCtx` classes for holding asymmetric keys. This module is intended for internal
+//! use within this crate only, to create higher-level abstractions suitable to be exposed
+//! externally.
+
+use crate::{ec::EcKey, CSliceMut, ForeignType};
+use alloc::borrow::ToOwned;
+use alloc::string::String;
+
+pub(crate) struct Pkey {
+ ptr: *mut bssl_sys::EVP_PKEY,
+}
+
+// Safety: Implementation ensures `from_ptr(x).as_ptr == x`
+unsafe impl ForeignType for Pkey {
+ type CType = bssl_sys::EVP_PKEY;
+
+ unsafe fn from_ptr(ptr: *mut Self::CType) -> Self {
+ Self { ptr }
+ }
+
+ fn as_ptr(&self) -> *mut Self::CType {
+ self.ptr
+ }
+}
+
+impl From<&EcKey> for Pkey {
+ fn from(eckey: &EcKey) -> Self {
+ // Safety: EVP_PKEY_new does not have any preconditions
+ let pkey = unsafe { bssl_sys::EVP_PKEY_new() };
+ assert!(!pkey.is_null());
+ // Safety:
+ // - pkey is just allocated and is null-checked
+ // - EcKey ensures eckey.ptr is valid during its lifetime
+ // - EVP_PKEY_set1_EC_KEY doesn't take ownership
+ let result = unsafe { bssl_sys::EVP_PKEY_set1_EC_KEY(pkey, eckey.as_ptr()) };
+ assert_eq!(result, 1, "bssl_sys::EVP_PKEY_set1_EC_KEY failed");
+ Self { ptr: pkey }
+ }
+}
+
+impl Drop for Pkey {
+ fn drop(&mut self) {
+ // Safety: `self.ptr` is owned by this struct
+ unsafe { bssl_sys::EVP_PKEY_free(self.ptr) }
+ }
+}
+
+pub(crate) struct PkeyCtx {
+ ptr: *mut bssl_sys::EVP_PKEY_CTX,
+}
+
+impl PkeyCtx {
+ pub fn new(pkey: &Pkey) -> Self {
+ // Safety:
+ // - `Pkey` ensures `pkey.ptr` is valid, and EVP_PKEY_CTX_new does not take ownership.
+ let pkeyctx = unsafe { bssl_sys::EVP_PKEY_CTX_new(pkey.ptr, core::ptr::null_mut()) }; + assert!(!pkeyctx.is_null()); + Self { ptr: pkeyctx } + } + + #[allow(clippy::panic)] + pub(crate) fn diffie_hellman( + self, + other_public_key: &Pkey, + mut output: CSliceMut, + ) -> Result<(), String> { + let result = unsafe { bssl_sys::EVP_PKEY_derive_init(self.ptr) }; + assert_eq!(result, 1, "bssl_sys::EVP_PKEY_derive_init failed"); + + let result = unsafe { bssl_sys::EVP_PKEY_derive_set_peer(self.ptr, other_public_key.ptr) }; + assert_eq!(result, 1, "bssl_sys::EVP_PKEY_derive_set_peer failed"); + + let result = + unsafe { bssl_sys::EVP_PKEY_derive(self.ptr, output.as_mut_ptr(), &mut output.len()) }; + match result { + 0 => Err("bssl_sys::EVP_PKEY_derive failed".to_owned()), + 1 => Ok(()), + _ => panic!("Unexpected result {result:?} from bssl_sys::EVP_PKEY_derive"), + } + } +} + +impl Drop for PkeyCtx { + fn drop(&mut self) { + // Safety: self.ptr is owned by this struct + unsafe { bssl_sys::EVP_PKEY_CTX_free(self.ptr) } + } +} diff --git a/src/rust/bssl-crypto/src/test_helpers.rs b/src/rust/bssl-crypto/src/test_helpers.rs index ea2d9dbc..9834805f 100644 --- a/src/rust/bssl-crypto/src/test_helpers.rs +++ b/src/rust/bssl-crypto/src/test_helpers.rs @@ -12,7 +12,9 @@ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +use alloc::vec::Vec; +#[allow(clippy::expect_used, clippy::unwrap_used, clippy::indexing_slicing)] pub(crate) fn decode_hex<const N: usize>(s: &str) -> [u8; N] { (0..s.len()) .step_by(2) @@ -23,6 +25,7 @@ pub(crate) fn decode_hex<const N: usize>(s: &str) -> [u8; N] { .unwrap() } +#[allow(clippy::expect_used, clippy::unwrap_used, clippy::indexing_slicing)] pub(crate) fn decode_hex_into_vec(s: &str) -> Vec<u8> { (0..s.len()) .step_by(2) diff --git a/src/rust/bssl-crypto/src/x25519.rs b/src/rust/bssl-crypto/src/x25519.rs new file mode 100644 index 00000000..9ee449be --- /dev/null 
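Review bot: In `PkeyCtx::diffie_hellman` the call `EVP_PKEY_derive(self.ptr, output.as_mut_ptr(), &mut output.len())` passes a pointer to a temporary copy of the length, so the byte count the C side writes back is discarded and `Ok(())` is returned even if it differs from `output.len()`. A caller that sized the buffer wrongly would then treat a partly filled buffer as the shared secret. I would keep the length in a local, `let mut out_len = output.len();`, pass `&mut out_len`, and return `Err` unless `out_len == output.len()` afterwards. The three `unsafe` blocks in this function are also the only ones in the file without a `// Safety:` comment. Separately, `EVP_PKEY_derive_set_peer` receives the peer's key but is guarded by `assert_eq!`, so a rejected peer key would presumably panic instead of returning the `Err` that the signature offers.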
+++ b/src/rust/bssl-crypto/src/x25519.rs 
@@ -0,0 +1,215 @@
+/* Copyright (c) 2023, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+//! X25519 is the Diffie-Hellman primitive built from curve25519. It is sometimes referred to as
+//! “curve25519”, but “X25519” is a more precise name. See http://cr.yp.to/ecdh.html and
+//! https://tools.ietf.org/html/rfc7748.
+
+use alloc::borrow::ToOwned;
+
+/// Number of bytes in a private key in X25519
+pub const PRIVATE_KEY_LEN: usize = bssl_sys::X25519_PRIVATE_KEY_LEN as usize;
+/// Number of bytes in a public key in X25519
+pub const PUBLIC_KEY_LEN: usize = bssl_sys::X25519_PUBLIC_VALUE_LEN as usize;
+/// Number of bytes in a shared secret derived with X25519
+pub const SHARED_KEY_LEN: usize = bssl_sys::X25519_SHARED_KEY_LEN as usize;
+
+/// Error while performing a X25519 Diffie-Hellman key exchange.
+#[derive(Debug)]
+pub struct DiffieHellmanError;
+
+/// A struct containing a X25519 key pair.
+pub struct PrivateKey {
+ private_key: [u8; PRIVATE_KEY_LEN],
+ public_key: [u8; PUBLIC_KEY_LEN],
+}
+
+impl PrivateKey {
+ /// Derives a shared secrect from this private key and the given public key.
+ pub fn diffie_hellman(
+ &self,
+ other_public_key: &PublicKey,
+ ) -> Result<SharedSecret, DiffieHellmanError> {
+ let mut shared_key_uninit = core::mem::MaybeUninit::<[u8; SHARED_KEY_LEN]>::uninit();
+ // Safety:
+ // - private_key and other_public_key are Rust 32-byte arrays
+ // - shared_key_uninit is just initialized above to a 32 byte array
+ let result = unsafe {
+ bssl_sys::X25519(
+ shared_key_uninit.as_mut_ptr() as *mut u8,
+ self.private_key.as_ptr(),
+ other_public_key.0.as_ptr(),
+ )
+ };
+ if result == 1 {
+ // Safety:
+ // - `shared_key_uninit` is initialized by `X25519` above, and we checked that it
+ // succeeded
+ let shared_key = unsafe { shared_key_uninit.assume_init() };
+ Ok(crate::ecdh::SharedSecret(shared_key))
+ } else {
+ Err(DiffieHellmanError)
+ }
+ }
+
+ /// Generate a new key pair for use in a Diffie-Hellman key exchange.
+ pub fn generate() -> Self {
+ let mut public_key_uninit = core::mem::MaybeUninit::<[u8; PUBLIC_KEY_LEN]>::uninit();
+ let mut private_key_uninit = core::mem::MaybeUninit::<[u8; PRIVATE_KEY_LEN]>::uninit();
+ // Safety:
+ // - private_key_uninit and public_key_uninit are allocated to 32-bytes
+ let (public_key, private_key) = unsafe {
+ bssl_sys::X25519_keypair(
+ public_key_uninit.as_mut_ptr() as *mut u8,
+ private_key_uninit.as_mut_ptr() as *mut u8,
+ );
+ // Safety: Initialized by `X25519_keypair` above
+ (
+ public_key_uninit.assume_init(),
+ private_key_uninit.assume_init(),
+ )
+ };
+ Self {
+ private_key,
+ public_key,
+ }
+ }
+
+ /// Tries to convert the given bytes into a private key.
+ pub fn from_private_bytes(private_key_bytes: &[u8; PRIVATE_KEY_LEN]) -> Self {
+ let mut public_key_uninit = core::mem::MaybeUninit::<[u8; PUBLIC_KEY_LEN]>::uninit();
+ let private_key: [u8; PRIVATE_KEY_LEN] = private_key_bytes.to_owned();
+ // Safety:
+ // - private_key and public_key are Rust 32-byte arrays
+ let public_key = unsafe {
+ bssl_sys::X25519_public_from_private(
+ public_key_uninit.as_mut_ptr() as *mut _,
+ private_key.as_ptr(),
+ );
+ public_key_uninit.assume_init()
+ };
+ Self {
+ private_key,
+ public_key,
+ }
+ }
+}
+
+impl<'a> From<&'a PrivateKey> for PublicKey {
+ fn from(value: &'a PrivateKey) -> Self {
+ Self(value.public_key)
+ }
+}
+
+/// A public key for X25519 elliptic curve.
+#[derive(Debug, PartialEq, Eq)]
+pub struct PublicKey([u8; PUBLIC_KEY_LEN]);
+
+impl PublicKey {
+ /// Converts this public key to its byte representation.
+ pub fn to_bytes(&self) -> [u8; PUBLIC_KEY_LEN] {
+ self.0
+ }
+
+ /// Returns a reference to the byte representation of this public key.
+ pub fn as_bytes(&self) -> &[u8; PUBLIC_KEY_LEN] {
+ &self.0
+ }
+}
+
+impl From<&[u8; 32]> for PublicKey {
+ fn from(value: &[u8; 32]) -> Self {
+ Self(*value)
+ }
+}
+
+/// Shared secret derived from a Diffie-Hellman key exchange. Don't use the shared key directly,
+/// rather use a KDF and also include the two public values as inputs.
+type SharedSecret = crate::ecdh::SharedSecret<SHARED_KEY_LEN>; + +#[cfg(test)] +#[allow(clippy::unwrap_used)] +mod tests { + use crate::{ + test_helpers::decode_hex, + x25519::{PrivateKey, PublicKey}, + }; + + #[test] + fn x25519_test_diffie_hellman() { + // wycheproof/testvectors/x25519_test.json tcId 1 + let public_key_bytes: [u8; 32] = + decode_hex("504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829"); + let private_key = + decode_hex("c8a9d5a91091ad851c668b0736c1c9a02936c0d3ad62670858088047ba057475"); + let expected_shared_secret: [u8; 32] = + decode_hex("436a2c040cf45fea9b29a0cb81b1f41458f863d0d61b453d0a982720d6d61320"); + let public_key = PublicKey::from(&public_key_bytes); + let private_key = PrivateKey::from_private_bytes(&private_key); + + let shared_secret = private_key.diffie_hellman(&public_key).unwrap(); + assert_eq!(expected_shared_secret, shared_secret.to_bytes()); + } + + #[test] + fn x25519_generate_diffie_hellman_matches() { + let private_key_1 = PrivateKey::generate(); + let private_key_2 = PrivateKey::generate(); + let public_key_1 = PublicKey::from(&private_key_1); + let public_key_2 = PublicKey::from(&private_key_2); + + let diffie_hellman_1 = private_key_1.diffie_hellman(&public_key_2).unwrap(); + let diffie_hellman_2 = private_key_2.diffie_hellman(&public_key_1).unwrap(); + + assert_eq!(diffie_hellman_1.to_bytes(), diffie_hellman_2.to_bytes()); + } + + #[test] + fn x25519_test_diffie_hellman_zero_public_key() { + // wycheproof/testvectors/x25519_test.json tcId 32 + let public_key_bytes = + decode_hex("0000000000000000000000000000000000000000000000000000000000000000"); + let private_key = + decode_hex("88227494038f2bb811d47805bcdf04a2ac585ada7f2f23389bfd4658f9ddd45e"); + let public_key = PublicKey::from(&public_key_bytes); + let private_key = PrivateKey::from_private_bytes(&private_key); + + let shared_secret = private_key.diffie_hellman(&public_key); + assert!(shared_secret.is_err()); + } + + #[test] + fn 
x25519_public_key_byte_conversion() { + let public_key_bytes = + decode_hex("504a36999f489cd2fdbc08baff3d88fa00569ba986cba22548ffde80f9806829"); + let public_key = PublicKey::from(&public_key_bytes); + assert_eq!(public_key_bytes, public_key.to_bytes()); + } + + #[test] + fn x25519_test_public_key_from_private_key() { + // Taken from https://www.rfc-editor.org/rfc/rfc7748.html#section-6.1 + let public_key_bytes = + decode_hex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"); + let private_key_bytes = + decode_hex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"); + let private_key = PrivateKey::from_private_bytes(&private_key_bytes); + + assert_eq!( + PublicKey::from(&public_key_bytes), + PublicKey::from(&private_key) + ); + } +} diff --git a/src/sources.cmake b/src/sources.cmake index 3153efc0..d2e15c73 100644 --- a/src/sources.cmake +++ b/src/sources.cmake @@ -60,6 +60,7 @@ set( crypto/poly1305/poly1305_test.cc crypto/pool/pool_test.cc crypto/rand_extra/rand_test.cc + crypto/rand_extra/getentropy_test.cc crypto/refcount_test.cc crypto/rsa_extra/rsa_test.cc crypto/self_test.cc @@ -352,14 +353,15 @@ set( pki/crl.cc pki/encode_values.cc pki/extended_key_usage.cc - pki/fillins/base64.cc - pki/fillins/ip_address.cc + pki/fillins/fillins_base64.cc pki/fillins/openssl_util.cc - pki/fillins/string_util.cc - pki/fillins/utf_string_conversions.cc + pki/fillins/fillins_string_util.cc pki/general_names.cc pki/input.cc + pki/ip_util.cc pki/name_constraints.cc + pki/ocsp.cc + pki/ocsp_verify_result.cc pki/parse_certificate.cc pki/parse_name.cc pki/parse_values.cc 
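Review bot: `PrivateKey` in x25519.rs keeps the scalar in a plain `[u8; PRIVATE_KEY_LEN]` field and the file defines no `Drop` that wipes it, so the secret bytes stay in memory after the key goes out of scope. If the crate intends to clear key material, a `Drop for PrivateKey` that overwrites `private_key` (for example through BoringSSL's `OPENSSL_cleanse`, if `bssl_sys` exposes it) would cover this. The same question applies to the `SharedSecret` type in `ecdh`, which is not shown here. Separately, the doc line `/// Tries to convert the given bytes into a private key.` describes a fallible conversion while `from_private_bytes` returns `Self`. `impl From<&[u8; 32]> for PublicKey` also hard-codes 32 where `PUBLIC_KEY_LEN` is available.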
@@ -393,10 +395,11 @@ set( pki/fillins/path_service.cc pki/general_names_unittest.cc pki/input_unittest.cc + pki/ip_util_unittest.cc pki/mock_signature_verify_cache.cc pki/name_constraints_unittest.cc pki/nist_pkits_unittest.cc - # pki/ocsp_unittest.cc # Not sure we will keep this here.. + pki/ocsp_unittest.cc pki/parse_certificate_unittest.cc pki/parse_name_unittest.cc pki/parse_values_unittest.cc @@ -586,6 +589,7 @@ set( pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_2.pem pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_3.pem pki/testdata/name_constraints_unittest/ipaddress-invalid_mask_not_contiguous_4.pem + pki/testdata/name_constraints_unittest/ipaddress-mapped_addrs.pem pki/testdata/name_constraints_unittest/ipaddress-permit_all.pem pki/testdata/name_constraints_unittest/ipaddress-permit_prefix1.pem pki/testdata/name_constraints_unittest/ipaddress-permit_prefix31.pem @@ -1528,6 +1532,9 @@ set( pki/testdata/ssl/certificates/duplicate_cn_1.pem pki/testdata/ssl/certificates/duplicate_cn_2.p12 pki/testdata/ssl/certificates/duplicate_cn_2.pem + pki/testdata/ssl/certificates/ec-prime256v1-1.key + pki/testdata/ssl/certificates/ec-prime256v1-2.key + pki/testdata/ssl/certificates/ec-prime256v1-3.key pki/testdata/ssl/certificates/eku-test-root.pem pki/testdata/ssl/certificates/ev_test.pem pki/testdata/ssl/certificates/ev_test_state_only.pem 
@@ -1606,6 +1613,16 @@ set( pki/testdata/ssl/certificates/redundant-validated-chain-root.pem pki/testdata/ssl/certificates/redundant-validated-chain.pem pki/testdata/ssl/certificates/root_ca_cert.pem + pki/testdata/ssl/certificates/rsa-1024-1.key + pki/testdata/ssl/certificates/rsa-1024-2.key + pki/testdata/ssl/certificates/rsa-1024-3.key + pki/testdata/ssl/certificates/rsa-2048-1.key + pki/testdata/ssl/certificates/rsa-2048-2.key + pki/testdata/ssl/certificates/rsa-2048-3.key + pki/testdata/ssl/certificates/rsa-768-1.key + pki/testdata/ssl/certificates/rsa-768-2.key + pki/testdata/ssl/certificates/rsa-768-3.key + pki/testdata/ssl/certificates/rsa-8200-1.key pki/testdata/ssl/certificates/salesforce_com_test.pem pki/testdata/ssl/certificates/self-signed-invalid-name.pem pki/testdata/ssl/certificates/self-signed-invalid-sig.pem diff --git a/src/ssl/extensions.cc b/src/ssl/extensions.cc index 05aeb40d..b1340009 100644 --- a/src/ssl/extensions.cc +++ b/src/ssl/extensions.cc @@ -2906,9 +2906,10 @@ bool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs, return false; } -static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, - CBB *out_compressible, - ssl_client_hello_type_t type) { +static bool ext_alps_add_clienthello_impl(const SSL_HANDSHAKE *hs, CBB *out, + CBB *out_compressible, + ssl_client_hello_type_t type, + bool use_new_codepoint) { const SSL *const ssl = hs->ssl; if (// ALPS requires TLS 1.3. hs->max_version < TLS1_3_VERSION || 
@@ -2921,8 +2922,18 @@ static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, return true; } + if (use_new_codepoint != hs->config->alps_use_new_codepoint) { + // Do nothing, we'll send the other codepoint. + return true; + } + + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } + CBB contents, proto_list, proto; - if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_application_settings) || + if (!CBB_add_u16(out_compressible, extension_type) || !CBB_add_u16_length_prefixed(out_compressible, &contents) || !CBB_add_u16_length_prefixed(&contents, &proto_list)) { return false; @@ -2939,8 +2950,24 @@ static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, return CBB_flush(out_compressible); } -static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, - CBS *contents) { +static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, + CBB *out_compressible, + ssl_client_hello_type_t type) { + return ext_alps_add_clienthello_impl(hs, out, out_compressible, type, + /*use_new_codepoint=*/true); +} + +static bool ext_alps_add_clienthello_old(const SSL_HANDSHAKE *hs, CBB *out, + CBB *out_compressible, + ssl_client_hello_type_t type) { + return ext_alps_add_clienthello_impl(hs, out, out_compressible, type, + /*use_new_codepoint=*/false); +} + +static bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs, + uint8_t *out_alert, + CBS *contents, + bool use_new_codepoint) { SSL *const ssl = hs->ssl; if (contents == nullptr) { return true; 
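Review bot: In `ext_alps_add_clienthello_impl`, the early return on `use_new_codepoint != hs->config->alps_use_new_codepoint` already guarantees the parameter equals the config flag, yet `extension_type` is then derived from the config flag again with a default-plus-override `if`. The same four-line selection recurs in `ext_alps_add_serverhello_impl` and `ssl_negotiate_alps` in this file and twice in handoff.cc, so a later codepoint change has five places to miss. A single line here, `const uint16_t extension_type = use_new_codepoint ? TLSEXT_TYPE_application_settings : TLSEXT_TYPE_application_settings_old;`, or a small shared helper taking the config, would keep them in step. The function body starts and ends outside this hunk.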
@@ -2949,6 +2976,7 @@ static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, assert(!ssl->s3->initial_handshake_complete); assert(!hs->config->alpn_client_proto_list.empty()); assert(!hs->config->alps_configs.empty()); + assert(use_new_codepoint == hs->config->alps_use_new_codepoint); // ALPS requires TLS 1.3. if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { @@ -2968,7 +2996,22 @@ static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return true; } -static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { +static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, + uint8_t *out_alert, + CBS *contents) { + return ext_alps_parse_serverhello_impl(hs, out_alert, contents, + /*use_new_codepoint=*/true); +} + +static bool ext_alps_parse_serverhello_old(SSL_HANDSHAKE *hs, + uint8_t *out_alert, + CBS *contents) { + return ext_alps_parse_serverhello_impl(hs, out_alert, contents, + /*use_new_codepoint=*/false); +} + +static bool ext_alps_add_serverhello_impl(SSL_HANDSHAKE *hs, CBB *out, + bool use_new_codepoint) { SSL *const ssl = hs->ssl; // If early data is accepted, we omit the ALPS extension. It is implicitly // carried over from the previous connection. @@ -2978,8 +3021,18 @@ static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; } + if (use_new_codepoint != hs->config->alps_use_new_codepoint) { + // Do nothing, we'll send the other codepoint. + return true; + } + + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } + CBB contents; - if (!CBB_add_u16(out, TLSEXT_TYPE_application_settings) || + if (!CBB_add_u16(out, extension_type) || !CBB_add_u16_length_prefixed(out, &contents) || !CBB_add_bytes(&contents, hs->new_session->local_application_settings.data(), 
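Review bot: In `ext_alps_parse_serverhello_impl`, the only check that the server answered with the codepoint the client is configured for is `assert(use_new_codepoint == hs->config->alps_use_new_codepoint);`, which disappears in builds with `NDEBUG`. Presumably the generic unsolicited-extension check rejects a ServerHello carrying the codepoint the client never sent, but that code is not in this hunk. The invariant should therefore be stated next to the assert, e.g. `// The other codepoint was never offered, so the caller has already rejected it as unsolicited.` If that guarantee does not hold, an explicit `if` that sets `*out_alert` and returns false would be the safer form. The function continues outside the hunk.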
@@ -2991,6 +3044,14 @@ static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; } +static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { + return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/true); +} + +static bool ext_alps_add_serverhello_old(SSL_HANDSHAKE *hs, CBB *out) { + return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/false); +} + bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello) { SSL *const ssl = hs->ssl; @@ -3001,11 +3062,15 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, // If we negotiate ALPN over TLS 1.3, try to negotiate ALPS. CBS alps_contents; Span<const uint8_t> settings; + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } if (ssl_protocol_version(ssl) >= TLS1_3_VERSION && ssl_get_local_application_settings(hs, &settings, ssl->s3->alpn_selected) && ssl_client_hello_get_extension(client_hello, &alps_contents, - TLSEXT_TYPE_application_settings)) { + extension_type)) { // Check if the client supports ALPS with the selected ALPN. bool found = false; CBS alps_list; @@ -3216,6 +3281,14 @@ static const struct tls_extension kExtensions[] = { ignore_parse_clienthello, ext_alps_add_serverhello, }, + { + TLSEXT_TYPE_application_settings_old, + ext_alps_add_clienthello_old, + ext_alps_parse_serverhello_old, + // ALPS is negotiated late in |ssl_negotiate_alpn|. + ignore_parse_clienthello, + ext_alps_add_serverhello_old, + }, }; #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension)) diff --git a/src/ssl/handoff.cc b/src/ssl/handoff.cc index a4563c7e..037e070e 100644 --- a/src/ssl/handoff.cc +++ b/src/ssl/handoff.cc 
@@ -41,7 +41,7 @@ enum early_data_t { // serialize_features adds a description of features supported by this binary to // |out|. Returns true on success and false on error. -static bool serialize_features(CBB *out) { +static bool serialize_features(CBB *out, uint16_t alps_extension_type) { CBB ciphers; if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) { return false; @@ -68,7 +68,7 @@ static bool serialize_features(CBB *out) { // removed. CBB alps; if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) || - !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) { + !CBB_add_u16(&alps, alps_extension_type)) { return false; } return CBB_flush(out); @@ -86,13 +86,18 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out, CBB seq; SSLMessage msg; Span<const uint8_t> transcript = s3->hs->transcript.buffer(); + + uint16_t alps_extension_type = TLSEXT_TYPE_application_settings_old; + if (s3->hs->config->alps_use_new_codepoint) { + alps_extension_type = TLSEXT_TYPE_application_settings; + } if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&seq, kHandoffVersion) || !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) || !CBB_add_asn1_octet_string(&seq, reinterpret_cast<uint8_t *>(s3->hs_buf->data), s3->hs_buf->length) || - !serialize_features(&seq) || + !serialize_features(&seq, alps_extension_type) || !CBB_flush(out) || !ssl->method->get_message(ssl, &msg) || !ssl_client_hello_init(ssl, out_hello, msg.body)) { 
@@ -222,9 +227,12 @@ static bool apply_remote_features(SSL *ssl, CBS *in) { if (!CBS_get_u16(&alps, &id)) { return false; } - // For now, we only support one ALPS code point, so we only need to extract - // a boolean signal from the feature list. - if (id == TLSEXT_TYPE_application_settings) { + // For now, we support two ALPS codepoints, so we need to extract both + // codepoints, and then filter what the handshaker might try to send. + if ((id == TLSEXT_TYPE_application_settings && + ssl->config->alps_use_new_codepoint) || + (id == TLSEXT_TYPE_application_settings_old && + !ssl->config->alps_use_new_codepoint)) { supports_alps = true; break; } @@ -742,8 +750,13 @@ using namespace bssl; int SSL_serialize_capabilities(const SSL *ssl, CBB *out) { CBB seq; + const SSL_HANDSHAKE *hs = ssl->s3->hs.get(); + uint16_t alps_extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + alps_extension_type = TLSEXT_TYPE_application_settings; + } if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || - !serialize_features(&seq) || // + !serialize_features(&seq, alps_extension_type) || // !CBB_flush(out)) { return 0; } diff --git a/src/ssl/internal.h b/src/ssl/internal.h index fa35073f..c9facb69 100644 --- a/src/ssl/internal.h +++ b/src/ssl/internal.h @@ -3153,6 +3153,10 @@ struct SSL_CONFIG { // of support for AES hw. The value is only considered if |aes_hw_override| is // true. bool aes_hw_override_value : 1; + + // alps_use_new_codepoint if set indicates we use new ALPS extension codepoint + // to negotiate and convey application settings. + bool alps_use_new_codepoint : 1; }; // From RFC 8446, used in determining PSK modes. diff --git a/src/ssl/ssl_lib.cc b/src/ssl/ssl_lib.cc index 5a2ac2a8..58b68e67 100644 --- a/src/ssl/ssl_lib.cc +++ b/src/ssl/ssl_lib.cc 
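Review bot: `SSL_serialize_capabilities` now reads `ssl->s3->hs.get()` and dereferences `hs->config` without a null check, where the old body used nothing from the handshake object. If this function can be called on an `SSL` with no handshake in progress, or after the config has been released, that is a null dereference. This cannot be confirmed from the hunk, and the function continues past it. `apply_remote_features` in this same file reads the flag through `ssl->config`, so I would use the same source behind a guard, e.g. `if (!ssl->config) { return 0; }` followed by `ssl->config->alps_use_new_codepoint`.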
@@ -707,7 +707,8 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) shed_handshake_config(false), jdk11_workaround(false), quic_use_legacy_codepoint(false), - permute_extensions(false) { + permute_extensions(false), + alps_use_new_codepoint(false) { assert(ssl); } @@ -2402,6 +2403,13 @@ int SSL_has_application_settings(const SSL *ssl) { return session && session->has_application_settings; } +void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new) { + if (!ssl->config) { + return; + } + ssl->config->alps_use_new_codepoint = !!use_new; +} + int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, ssl_cert_compression_func_t compress, ssl_cert_decompression_func_t decompress) { diff --git a/src/ssl/ssl_test.cc b/src/ssl/ssl_test.cc index 73963c94..b97680d1 100644 --- a/src/ssl/ssl_test.cc +++ b/src/ssl/ssl_test.cc 
@@ -7989,6 +7989,141 @@ TEST(SSLTest, ALPNConfig) { check_alpn_proto({}); } +// This is a basic unit-test class to verify completing handshake successfully, +// sending the correct codepoint extension and having correct application +// setting on different combination of ALPS codepoint settings. More integration +// tests on runner.go. +class AlpsNewCodepointTest : public testing::Test { + protected: + void SetUp() override { + client_ctx_.reset(SSL_CTX_new(TLS_method())); + server_ctx_ = CreateContextWithTestCertificate(TLS_method()); + ASSERT_TRUE(client_ctx_); + ASSERT_TRUE(server_ctx_); + } + + void SetUpExpectedNewCodePoint() { + SSL_CTX_set_select_certificate_cb( + server_ctx_.get(), + [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { + const uint8_t *data; + size_t len; + if (!SSL_early_callback_ctx_extension_get( + client_hello, TLSEXT_TYPE_application_settings, &data, + &len)) { + ADD_FAILURE() << "Could not find alps new codpoint."; + return ssl_select_cert_error; + } + return ssl_select_cert_success; + }); + } + + void SetUpExpectedOldCodePoint() { + SSL_CTX_set_select_certificate_cb( + server_ctx_.get(), + [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { + const uint8_t *data; + size_t len; + if (!SSL_early_callback_ctx_extension_get( + client_hello, TLSEXT_TYPE_application_settings_old, &data, + &len)) { + ADD_FAILURE() << "Could not find alps old codpoint."; + return ssl_select_cert_error; + } + return ssl_select_cert_success; + }); + } + + void SetUpApplicationSetting() { + static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'}; + static const uint8_t proto[] = {'f', 'o', 'o'}; + static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'}; + // SSL_set_alpn_protos's return value is backwards. It returns zero on + // success and one on failure. 
+ ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn))); + SSL_CTX_set_alpn_select_cb( + server_ctx_.get(), + [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in, + unsigned in_len, void *arg) -> int { + return SSL_select_next_proto( + const_cast<uint8_t **>(out), out_len, in, in_len, + alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED + ? SSL_TLSEXT_ERR_OK + : SSL_TLSEXT_ERR_NOACK; + }, + nullptr); + ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto, + sizeof(proto), nullptr, 0)); + ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto, + sizeof(proto), alps, sizeof(alps))); + } + + bssl::UniquePtr<SSL_CTX> client_ctx_; + bssl::UniquePtr<SSL_CTX> server_ctx_; + + bssl::UniquePtr<SSL> client_; + bssl::UniquePtr<SSL> server_; +}; + +TEST_F(AlpsNewCodepointTest, Enabled) { + SetUpExpectedNewCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 1); + SSL_set_alps_use_new_codepoint(server_.get(), 1); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_TRUE(SSL_has_application_settings(client_.get())); +} + +TEST_F(AlpsNewCodepointTest, Disabled) { + // Both client and server disable alps new codepoint. + SetUpExpectedOldCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 0); + SSL_set_alps_use_new_codepoint(server_.get(), 0); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_TRUE(SSL_has_application_settings(client_.get())); +} + +TEST_F(AlpsNewCodepointTest, ClientOnly) { + // If client set new codepoint but server doesn't set, server ignores it. 
+ SetUpExpectedNewCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 1); + SSL_set_alps_use_new_codepoint(server_.get(), 0); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_FALSE(SSL_has_application_settings(client_.get())); +} + +TEST_F(AlpsNewCodepointTest, ServerOnly) { + // If client doesn't set new codepoint, while server set. + SetUpExpectedOldCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 0); + SSL_set_alps_use_new_codepoint(server_.get(), 1); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_FALSE(SSL_has_application_settings(client_.get())); +} + // Test that the key usage checker can correctly handle issuerUID and // subjectUID. See https://crbug.com/1199744. TEST(SSLTest, KeyUsageWithUIDs) { diff --git a/src/ssl/test/runner/common.go b/src/ssl/test/runner/common.go index d0279c6f..ce080eea 100644 --- a/src/ssl/test/runner/common.go +++ b/src/ssl/test/runner/common.go @@ -122,7 +122,8 @@ const ( extensionQUICTransportParams uint16 = 57 extensionCustom uint16 = 1234 // not IANA assigned extensionNextProtoNeg uint16 = 13172 // not IANA assigned - extensionApplicationSettings uint16 = 17513 // not IANA assigned + extensionApplicationSettingsOld uint16 = 17513 // not IANA assigned + extensionApplicationSettings uint16 = 17613 // not IANA assigned extensionRenegotiationInfo uint16 = 0xff01 extensionQUICTransportParamsLegacy uint16 = 0xffa5 // draft-ietf-quic-tls-32 and earlier extensionChannelID uint16 = 30032 // not IANA assigned 
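Review bot: The `SetUpExpectedNewCodePoint` and `SetUpExpectedOldCodePoint` callbacks in `AlpsNewCodepointTest` only check that the expected codepoint is present in the ClientHello, so a client that sent both codepoints would still pass all four tests. Each callback should also fail when the other codepoint is found. In the new-codepoint case that is a second `SSL_early_callback_ctx_extension_get` call with `TLSEXT_TYPE_application_settings_old` that reports `ADD_FAILURE()` on success, and the mirror image in the old-codepoint case. The tests also assert `SSL_has_application_settings` on `client_` only, so checking `server_.get()` as well would pin both ends of the negotiation. The two failure messages spell "codpoint".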
@@ -277,6 +278,8 @@ type ConnectionState struct {
 QUICTransportParamsLegacy []byte // the legacy QUIC transport params received from the peer
 HasApplicationSettings bool // whether ALPS was negotiated
 PeerApplicationSettings []byte // application settings received from the peer
+ HasApplicationSettingsOld bool // whether ALPS old codepoint was negotiated
+ PeerApplicationSettingsOld []byte // the old application settings received from the peer
 ECHAccepted bool // whether ECH was accepted on this connection
 }
 
@@ -295,25 +298,28 @@ const ( // ClientSessionState contains the state needed by clients to resume TLS // sessions. type ClientSessionState struct { - sessionID []uint8 // Session ID supplied by the server. nil if the session has a ticket. - sessionTicket []uint8 // Encrypted ticket used for session resumption with server - vers uint16 // SSL/TLS version negotiated for the session - wireVersion uint16 // Wire SSL/TLS version negotiated for the session - cipherSuite *cipherSuite // Ciphersuite negotiated for the session - secret []byte // Secret associated with the session - handshakeHash []byte // Handshake hash for Channel ID purposes. - serverCertificates []*x509.Certificate // Certificate chain presented by the server - extendedMasterSecret bool // Whether an extended master secret was used to generate the session - sctList []byte - ocspResponse []byte - earlyALPN string - ticketCreationTime time.Time - ticketExpiration time.Time - ticketAgeAdd uint32 - maxEarlyDataSize uint32 - hasApplicationSettings bool - localApplicationSettings []byte - peerApplicationSettings []byte + sessionID []uint8 // Session ID supplied by the server. nil if the session has a ticket. + sessionTicket []uint8 // Encrypted ticket used for session resumption with server + vers uint16 // SSL/TLS version negotiated for the session + wireVersion uint16 // Wire SSL/TLS version negotiated for the session + cipherSuite *cipherSuite // Ciphersuite negotiated for the session + secret []byte // Secret associated with the session + handshakeHash []byte // Handshake hash for Channel ID purposes. 
+ serverCertificates []*x509.Certificate // Certificate chain presented by the server + extendedMasterSecret bool // Whether an extended master secret was used to generate the session + sctList []byte + ocspResponse []byte + earlyALPN string + ticketCreationTime time.Time + ticketExpiration time.Time + ticketAgeAdd uint32 + maxEarlyDataSize uint32 + hasApplicationSettings bool + localApplicationSettings []byte + peerApplicationSettings []byte + hasApplicationSettingsOld bool + localApplicationSettingsOld []byte + peerApplicationSettingsOld []byte } // ClientSessionCache is a cache of ClientSessionState objects that can be used @@ -389,6 +395,35 @@ func (c QUICUseCodepoint) String() string { panic("unknown value") } +// ALPSUseCodepoint controls which TLS extension codepoint is used to convey the +// ApplicationSettings. ALPSUseCodepointNew means use 17613, +// ALPSUseCodepointOld means use old value 17513. +type ALPSUseCodepoint int + +const ( + ALPSUseCodepointNew ALPSUseCodepoint = iota + ALPSUseCodepointOld + NumALPSUseCodepoints +) + +func (c ALPSUseCodepoint) IncludeNew() bool { + return c == ALPSUseCodepointNew +} + +func (c ALPSUseCodepoint) IncludeOld() bool { + return c == ALPSUseCodepointOld +} + +func (c ALPSUseCodepoint) String() string { + switch c { + case ALPSUseCodepointNew: + return "New" + case ALPSUseCodepointOld: + return "Old" + } + panic("unknown value") +} + // A Config structure is used to configure a TLS client or server. // After one has been passed to a TLS function it must not be // modified. A Config may be reused; the tls package will also not 
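Review bot: `ALPSUseCodepointNew` is the `iota` zero value, so any `Config` that sets `ApplicationSettings` and leaves the new field alone now offers codepoint 17613 rather than 17513, and the type's doc comment does not say which value is the default. I would add a line such as `// The zero value is ALPSUseCodepointNew, so configs that do not set it use 17613.` to the comment on `ALPSUseCodepoint`. The `Config` field added in the following hunk is named `ALPSUseNewCodepoint`, which reads like a boolean and produces call sites like `ALPSUseNewCodepoint: ALPSUseCodepointOld`; a neutral name such as `ALPSCodepoint` would avoid that. `String()` panics for `NumALPSUseCodepoints`, which is worth noting next to the sentinel.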
@@ -429,6 +464,10 @@ type Config struct { // application protocol. ApplicationSettings map[string][]byte + // ALPSUseNewCodepoint controls which TLS extension codepoint is used to + // convey the ApplicationSettings. + ALPSUseNewCodepoint ALPSUseCodepoint + // ServerName is used to verify the hostname on the returned // certificates unless InsecureSkipVerify is given. It is also included // in the client's handshake to support virtual hosting. @@ -996,10 +1035,20 @@ type ProtocolBugs struct { // return. ALPNProtocol *string - // AlwaysNegotiateApplicationSettings, if true, causes the server to - // negotiate ALPS for a protocol even if the client did not support it or - // the version is wrong. - AlwaysNegotiateApplicationSettings bool + // AlwaysNegotiateApplicationSettingsBoth, if true, causes the server to + // negotiate ALPS using both codepoint for a protocol even if the client did + // not support it or the version is wrong. + AlwaysNegotiateApplicationSettingsBoth bool + + // AlwaysNegotiateApplicationSettingsNew, if true, causes the server to + // negotiate ALPS using new codepoint for a protocol even if the client did + // not support it or the version is wrong. + AlwaysNegotiateApplicationSettingsNew bool + + // AlwaysNegotiateApplicationSettingsOld, if true, causes the server to + // negotiate ALPS using old codepoint for a protocol even if the client did + // not support it or the version is wrong. + AlwaysNegotiateApplicationSettingsOld bool // SendApplicationSettingsWithEarlyData, if true, causes the client and // server to send the application_settings extension with early data, diff --git a/src/ssl/test/runner/conn.go b/src/ssl/test/runner/conn.go index 2e9114db..a3251dc1 100644 --- a/src/ssl/test/runner/conn.go +++ b/src/ssl/test/runner/conn.go 
@@ -74,8 +74,10 @@ type Conn struct { clientProtocolFallback bool usedALPN bool - localApplicationSettings, peerApplicationSettings []byte - hasApplicationSettings bool + localApplicationSettings, peerApplicationSettings []byte + hasApplicationSettings bool + localApplicationSettingsOld, peerApplicationSettingsOld []byte + hasApplicationSettingsOld bool // verify_data values for the renegotiation extension. clientVerify []byte 
@@ -1581,22 +1583,25 @@ func (c *Conn) processTLS13NewSessionTicket(newSessionTicket *newSessionTicketMs } session := &ClientSessionState{ - sessionTicket: newSessionTicket.ticket, - vers: c.vers, - wireVersion: c.wireVersion, - cipherSuite: cipherSuite, - secret: deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce), - serverCertificates: c.peerCertificates, - sctList: c.sctList, - ocspResponse: c.ocspResponse, - ticketCreationTime: c.config.time(), - ticketExpiration: c.config.time().Add(time.Duration(newSessionTicket.ticketLifetime) * time.Second), - ticketAgeAdd: newSessionTicket.ticketAgeAdd, - maxEarlyDataSize: newSessionTicket.maxEarlyDataSize, - earlyALPN: c.clientProtocol, - hasApplicationSettings: c.hasApplicationSettings, - localApplicationSettings: c.localApplicationSettings, - peerApplicationSettings: c.peerApplicationSettings, + sessionTicket: newSessionTicket.ticket, + vers: c.vers, + wireVersion: c.wireVersion, + cipherSuite: cipherSuite, + secret: deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce), + serverCertificates: c.peerCertificates, + sctList: c.sctList, + ocspResponse: c.ocspResponse, + ticketCreationTime: c.config.time(), + ticketExpiration: c.config.time().Add(time.Duration(newSessionTicket.ticketLifetime) * time.Second), + ticketAgeAdd: newSessionTicket.ticketAgeAdd, + maxEarlyDataSize: newSessionTicket.maxEarlyDataSize, + earlyALPN: c.clientProtocol, + hasApplicationSettings: c.hasApplicationSettings, + localApplicationSettings: c.localApplicationSettings, + peerApplicationSettings: c.peerApplicationSettings, + hasApplicationSettingsOld: c.hasApplicationSettingsOld, + localApplicationSettingsOld: c.localApplicationSettingsOld, + peerApplicationSettingsOld: c.peerApplicationSettingsOld, } cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 
@@ -1858,6 +1863,8 @@ func (c *Conn) ConnectionState() ConnectionState { state.QUICTransportParamsLegacy = c.quicTransportParamsLegacy state.HasApplicationSettings = c.hasApplicationSettings state.PeerApplicationSettings = c.peerApplicationSettings + state.HasApplicationSettingsOld = c.hasApplicationSettingsOld + state.PeerApplicationSettingsOld = c.peerApplicationSettingsOld state.ECHAccepted = c.echAccepted } @@ -1983,17 +1990,20 @@ func (c *Conn) SendNewSessionTicket(nonce []byte) error { } state := sessionState{ - vers: c.vers, - cipherSuite: c.cipherSuite.id, - secret: deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce), - certificates: peerCertificatesRaw, - ticketCreationTime: c.config.time(), - ticketExpiration: c.config.time().Add(time.Duration(m.ticketLifetime) * time.Second), - ticketAgeAdd: uint32(addBuffer[3])<<24 | uint32(addBuffer[2])<<16 | uint32(addBuffer[1])<<8 | uint32(addBuffer[0]), - earlyALPN: []byte(c.clientProtocol), - hasApplicationSettings: c.hasApplicationSettings, - localApplicationSettings: c.localApplicationSettings, - peerApplicationSettings: c.peerApplicationSettings, + vers: c.vers, + cipherSuite: c.cipherSuite.id, + secret: deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce), + certificates: peerCertificatesRaw, + ticketCreationTime: c.config.time(), + ticketExpiration: c.config.time().Add(time.Duration(m.ticketLifetime) * time.Second), + ticketAgeAdd: uint32(addBuffer[3])<<24 | uint32(addBuffer[2])<<16 | uint32(addBuffer[1])<<8 | uint32(addBuffer[0]), + earlyALPN: []byte(c.clientProtocol), + hasApplicationSettings: c.hasApplicationSettings, + localApplicationSettings: c.localApplicationSettings, + peerApplicationSettings: c.peerApplicationSettings, + hasApplicationSettingsOld: c.hasApplicationSettingsOld, + localApplicationSettingsOld: c.localApplicationSettingsOld, + peerApplicationSettingsOld: c.peerApplicationSettingsOld, } if !c.config.Bugs.SendEmptySessionTicket { 
diff --git a/src/ssl/test/runner/handshake_client.go b/src/ssl/test/runner/handshake_client.go index 0ed0094e..d074bb5e 100644 --- a/src/ssl/test/runner/handshake_client.go +++ b/src/ssl/test/runner/handshake_client.go @@ -630,8 +630,15 @@ func (hs *clientHandshakeState) createClientHello(innerHello *clientHelloMsg, ec hello.secureRenegotiation = nil } - for protocol := range c.config.ApplicationSettings { - hello.alpsProtocols = append(hello.alpsProtocols, protocol) + if c.config.ALPSUseNewCodepoint.IncludeNew() { + for protocol := range c.config.ApplicationSettings { + hello.alpsProtocols = append(hello.alpsProtocols, protocol) + } + } + if c.config.ALPSUseNewCodepoint.IncludeOld() { + for protocol := range c.config.ApplicationSettings { + hello.alpsProtocolsOld = append(hello.alpsProtocolsOld, protocol) + } } if maxVersion >= VersionTLS13 { @@ -997,6 +1004,10 @@ func (hs *clientHandshakeState) doTLS13Handshake(msg any) error { if haveHelloRetryRequest { hs.writeServerHash(helloRetryRequest.marshal()) + if !bytes.Equal(hs.hello.sessionID, helloRetryRequest.sessionID) { + return errors.New("tls: ClientHello and HelloRetryRequest session IDs did not match.") + } + if c.config.Bugs.FailIfHelloRetryRequested { return errors.New("tls: unexpected HelloRetryRequest") } @@ -1097,7 +1108,7 @@ func (hs *clientHandshakeState) doTLS13Handshake(msg any) error { } if !bytes.Equal(hs.hello.sessionID, hs.serverHello.sessionID) { - return errors.New("tls: session IDs did not match.") + return errors.New("tls: ClientHello and ServerHello session IDs did not match.") } // Resolve PSK and compute the early secret. 
@@ -1402,6 +1413,13 @@ func (hs *clientHandshakeState) doTLS13Handshake(msg any) error { clientEncryptedExtensions.applicationSettings = c.localApplicationSettings } } + if encryptedExtensions.extensions.hasApplicationSettingsOld || (c.config.Bugs.SendApplicationSettingsWithEarlyData && c.hasApplicationSettingsOld) { + hasEncryptedExtensions = true + if !c.config.Bugs.OmitClientApplicationSettings { + clientEncryptedExtensions.hasApplicationSettingsOld = true + clientEncryptedExtensions.applicationSettingsOld = c.localApplicationSettingsOld + } + } if c.config.Bugs.SendExtraClientEncryptedExtension { hasEncryptedExtensions = true clientEncryptedExtensions.customExtension = []byte{0} @@ -2054,7 +2072,11 @@ func (hs *clientHandshakeState) processServerExtensions(serverExtensions *server c.quicTransportParamsLegacy = serverExtensions.quicTransportParamsLegacy } - if serverExtensions.hasApplicationSettings { + if serverExtensions.hasApplicationSettings && serverExtensions.hasApplicationSettingsOld { + return errors.New("tls: server negotiated both old and new application settings together") + } + + if serverExtensions.hasApplicationSettings || serverExtensions.hasApplicationSettingsOld { if c.vers < VersionTLS13 { return errors.New("tls: server sent application settings at invalid version") } 
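Review bot: In the processServerExtensions hunk the client rejects a server that answers on both codepoints, but nothing visible compares the codepoint the server used with the one this client actually offered via `c.config.ALPSUseNewCodepoint`. A peer that replies on 17513 to a ClientHello carrying only 17613 is sending an unsolicited extension, and as written that appears to surface only later as an expectation mismatch in doExchange rather than as a handshake error. Inside the combined branch I would add `if serverExtensions.hasApplicationSettingsOld != c.config.ALPSUseNewCodepoint.IncludeOld() { return errors.New("tls: server sent application settings on a codepoint that was not offered") }`. The function continues outside this hunk, so an equivalent check may already exist in the lines between this hunk and the next.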
@@ -2068,14 +2090,26 @@ func (hs *clientHandshakeState) processServerExtensions(serverExtensions *server if !ok { return errors.New("tls: server sent application settings for invalid protocol") } - c.hasApplicationSettings = true - c.localApplicationSettings = settings - c.peerApplicationSettings = serverExtensions.applicationSettings + + if serverExtensions.hasApplicationSettings { + c.hasApplicationSettings = true + c.localApplicationSettings = settings + c.peerApplicationSettings = serverExtensions.applicationSettings + } + + if serverExtensions.hasApplicationSettingsOld { + c.hasApplicationSettingsOld = true + c.localApplicationSettingsOld = settings + c.peerApplicationSettingsOld = serverExtensions.applicationSettingsOld + } } else if serverExtensions.hasEarlyData { // 0-RTT connections inherit application settings from the session. c.hasApplicationSettings = hs.session.hasApplicationSettings c.localApplicationSettings = hs.session.localApplicationSettings c.peerApplicationSettings = hs.session.peerApplicationSettings + c.hasApplicationSettingsOld = hs.session.hasApplicationSettingsOld + c.localApplicationSettingsOld = hs.session.localApplicationSettingsOld + c.peerApplicationSettingsOld = hs.session.peerApplicationSettingsOld } return nil diff --git a/src/ssl/test/runner/handshake_messages.go b/src/ssl/test/runner/handshake_messages.go index 6ea7faaa..991f08a2 100644 --- a/src/ssl/test/runner/handshake_messages.go +++ b/src/ssl/test/runner/handshake_messages.go @@ -196,6 +196,7 @@ type clientHelloMsg struct { compressedCertAlgs []uint16 delegatedCredentials bool alpsProtocols []string + alpsProtocolsOld []string outerExtensions []uint16 reorderOuterExtensionsWithoutCompressing bool prefixExtensions []uint16 
@@ -524,6 +525,18 @@ func (m *clientHelloMsg) marshalBody(hello *cryptobyte.Builder, typ clientHelloT body: body.BytesOrPanic(), }) } + if len(m.alpsProtocolsOld) > 0 { + body := cryptobyte.NewBuilder(nil) + body.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { + for _, s := range m.alpsProtocolsOld { + addUint8LengthPrefixedBytes(protocolNameList, []byte(s)) + } + }) + extensions = append(extensions, extension{ + id: extensionApplicationSettingsOld, + body: body.BytesOrPanic(), + }) + } // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11 if len(m.pskIdentities) > 0 { @@ -745,6 +758,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { m.customExtension = "" m.delegatedCredentials = false m.alpsProtocols = nil + m.alpsProtocolsOld = nil if len(reader) == 0 { // ClientHello is optionally followed by extension data @@ -1032,6 +1046,18 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { } m.alpsProtocols = append(m.alpsProtocols, string(protocol)) } + case extensionApplicationSettingsOld: + var protocols cryptobyte.String + if !body.ReadUint16LengthPrefixed(&protocols) || len(body) != 0 { + return false + } + for len(protocols) > 0 { + var protocol []byte + if !readUint8LengthPrefixedBytes(&protocols, &protocol) || len(protocol) == 0 { + return false + } + m.alpsProtocolsOld = append(m.alpsProtocolsOld, string(protocol)) + } } if isGREASEValue(extension) { @@ -1412,6 +1438,8 @@ type serverExtensions struct { serverNameAck bool applicationSettings []byte hasApplicationSettings bool + applicationSettingsOld []byte + hasApplicationSettingsOld bool echRetryConfigs []byte } 
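Review bot: The `case extensionApplicationSettingsOld:` arm added to clientHelloMsg.unmarshal is a line-for-line copy of the existing `extensionApplicationSettings` arm, differing only in the destination slice, and the marshalBody hunk above duplicates its counterpart the same way. Two copies of a length-prefixed parser drift easily, and a bounds or empty-name check fixed in one is then missed in the other. A small shared helper keeps the two codepoints on identical parsing rules; the new-codepoint arm would call it too. unmarshal starts and ends outside this hunk.

```go
// parseALPSProtocols reads the protocol name list carried by either
// application_settings codepoint. It reports false on trailing data or an
// empty protocol name.
func parseALPSProtocols(body cryptobyte.String) ([]string, bool) {
	var protocols cryptobyte.String
	if !body.ReadUint16LengthPrefixed(&protocols) || len(body) != 0 {
		return nil, false
	}
	var names []string
	for len(protocols) > 0 {
		var protocol []byte
		if !readUint8LengthPrefixedBytes(&protocols, &protocol) || len(protocol) == 0 {
			return nil, false
		}
		names = append(names, string(protocol))
	}
	return names, true
}

// … unchanged: earlier extension cases …
		case extensionApplicationSettingsOld:
			var ok bool
			if m.alpsProtocolsOld, ok = parseALPSProtocols(body); !ok {
				return false
			}
```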
@@ -1539,6 +1567,10 @@ func (m *serverExtensions) marshal(extensions *cryptobyte.Builder) { extensions.AddUint16(extensionApplicationSettings) addUint16LengthPrefixedBytes(extensions, m.applicationSettings) } + if m.hasApplicationSettingsOld { + extensions.AddUint16(extensionApplicationSettingsOld) + addUint16LengthPrefixedBytes(extensions, m.applicationSettingsOld) + } if len(m.echRetryConfigs) > 0 { extensions.AddUint16(extensionEncryptedClientHello) addUint16LengthPrefixedBytes(extensions, m.echRetryConfigs) @@ -1649,6 +1681,9 @@ func (m *serverExtensions) unmarshal(data cryptobyte.String, version uint16) boo case extensionApplicationSettings: m.hasApplicationSettings = true m.applicationSettings = body + case extensionApplicationSettingsOld: + m.hasApplicationSettingsOld = true + m.applicationSettingsOld = body case extensionEncryptedClientHello: if version < VersionTLS13 { return false @@ -1681,10 +1716,12 @@ func (m *serverExtensions) unmarshal(data cryptobyte.String, version uint16) boo } type clientEncryptedExtensionsMsg struct { - raw []byte - applicationSettings []byte - hasApplicationSettings bool - customExtension []byte + raw []byte + applicationSettings []byte + hasApplicationSettings bool + applicationSettingsOld []byte + hasApplicationSettingsOld bool + customExtension []byte } func (m *clientEncryptedExtensionsMsg) marshal() (x []byte) { @@ -1700,6 +1737,10 @@ func (m *clientEncryptedExtensionsMsg) marshal() (x []byte) { extensions.AddUint16(extensionApplicationSettings) addUint16LengthPrefixedBytes(extensions, m.applicationSettings) } + if m.hasApplicationSettingsOld { + extensions.AddUint16(extensionApplicationSettingsOld) + addUint16LengthPrefixedBytes(extensions, m.applicationSettingsOld) + } if len(m.customExtension) > 0 { extensions.AddUint16(extensionCustom) addUint16LengthPrefixedBytes(extensions, m.customExtension) 
@@ -1736,6 +1777,9 @@ func (m *clientEncryptedExtensionsMsg) unmarshal(data []byte) bool { case extensionApplicationSettings: m.hasApplicationSettings = true m.applicationSettings = body + case extensionApplicationSettingsOld: + m.hasApplicationSettingsOld = true + m.applicationSettingsOld = body default: // Unknown extensions are illegal in EncryptedExtensions. return false diff --git a/src/ssl/test/runner/handshake_server.go b/src/ssl/test/runner/handshake_server.go index 5c49afbc..aeb950bb 100644 --- a/src/ssl/test/runner/handshake_server.go +++ b/src/ssl/test/runner/handshake_server.go @@ -911,7 +911,9 @@ ResendHelloRetryRequest: if hs.sessionState.cipherSuite == hs.suite.id && c.clientProtocol == string(hs.sessionState.earlyALPN) && c.hasApplicationSettings == hs.sessionState.hasApplicationSettings && - bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) { + bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) && + c.hasApplicationSettingsOld == hs.sessionState.hasApplicationSettingsOld && + bytes.Equal(c.localApplicationSettingsOld, hs.sessionState.localApplicationSettingsOld) { encryptedExtensions.extensions.hasEarlyData = true } if config.Bugs.AlwaysAcceptEarlyData { @@ -926,6 +928,8 @@ ResendHelloRetryRequest: if !config.Bugs.SendApplicationSettingsWithEarlyData { encryptedExtensions.extensions.hasApplicationSettings = false encryptedExtensions.extensions.applicationSettings = nil + encryptedExtensions.extensions.hasApplicationSettingsOld = false + encryptedExtensions.extensions.applicationSettingsOld = nil } sessionCipher := cipherSuiteFromID(hs.sessionState.cipherSuite) 
@@ -1262,8 +1266,8 @@ ResendHelloRetryRequest: return err } - // If we sent an ALPS extension, the client must respond with one. - if encryptedExtensions.extensions.hasApplicationSettings { + // If we sent an ALPS extension, the client must respond with a single EncryptedExtensions. + if encryptedExtensions.extensions.hasApplicationSettings || encryptedExtensions.extensions.hasApplicationSettingsOld { msg, err := c.readHandshake() if err != nil { return err 
@@ -1275,14 +1279,35 @@ ResendHelloRetryRequest: } hs.writeClientHash(clientEncryptedExtensions.marshal()) - if !clientEncryptedExtensions.hasApplicationSettings { - c.sendAlert(alertMissingExtension) - return errors.New("tls: client didn't provide application settings") + // Expect client send new application settings not old. + if encryptedExtensions.extensions.hasApplicationSettings { + if !clientEncryptedExtensions.hasApplicationSettings { + c.sendAlert(alertMissingExtension) + return errors.New("tls: client didn't provide new application settings") + } + if clientEncryptedExtensions.hasApplicationSettingsOld { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: client shouldn't provide old application settings") + } + c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings + } + + // Expect client send old application settings not new. + if encryptedExtensions.extensions.hasApplicationSettingsOld { + if !clientEncryptedExtensions.hasApplicationSettingsOld { + c.sendAlert(alertMissingExtension) + return errors.New("tls: client didn't provide old application settings") + } + if clientEncryptedExtensions.hasApplicationSettings { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: client shouldn't provide new application settings") + } + c.peerApplicationSettingsOld = clientEncryptedExtensions.applicationSettingsOld } - c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings } else if encryptedExtensions.extensions.hasEarlyData { // 0-RTT sessions carry application settings over. c.peerApplicationSettings = hs.sessionState.peerApplicationSettings + c.peerApplicationSettingsOld = hs.sessionState.peerApplicationSettingsOld } // If we requested a client certificate, then the client must send a 
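Review bot: The two new blocks that validate the client's EncryptedExtensions cannot both pass when the server sent both codepoints (the `AlwaysNegotiateApplicationSettingsBoth` case), since the first demands new-without-old and the second old-without-new. That is presumably intended, because a correct client should already have aborted, but the code does not say so and the comments ("Expect client send new application settings not old.") are hard to read. I would replace them with one comment above both blocks, for example `// The client must answer on exactly the codepoint we used. If a Bugs flag made us send both, no reply can satisfy both checks.` The enclosing function starts and ends outside this hunk.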
@@ -1595,7 +1620,7 @@ func (hs *serverHandshakeState) processClientExtensions(serverExtensions *server c.usedALPN = true } - var alpsAllowed bool + var alpsAllowed, alpsAllowedOld bool if c.vers >= VersionTLS13 { for _, proto := range hs.clientHello.alpsProtocols { if proto == c.clientProtocol { @@ -1603,10 +1628,24 @@ func (hs *serverHandshakeState) processClientExtensions(serverExtensions *server break } } + for _, proto := range hs.clientHello.alpsProtocolsOld { + if proto == c.clientProtocol { + alpsAllowedOld = true + break + } + } + } + + if c.config.Bugs.AlwaysNegotiateApplicationSettingsBoth { + alpsAllowed = true + alpsAllowedOld = true } - if c.config.Bugs.AlwaysNegotiateApplicationSettings { + if c.config.Bugs.AlwaysNegotiateApplicationSettingsNew { alpsAllowed = true } + if c.config.Bugs.AlwaysNegotiateApplicationSettingsOld { + alpsAllowedOld = true + } if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowed { c.hasApplicationSettings = true c.localApplicationSettings = settings @@ -1614,6 +1653,13 @@ func (hs *serverHandshakeState) processClientExtensions(serverExtensions *server serverExtensions.hasApplicationSettings = true serverExtensions.applicationSettings = settings } + if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowedOld { + c.hasApplicationSettingsOld = true + c.localApplicationSettingsOld = settings + // Note these fields may later be cleared we accept 0-RTT. + serverExtensions.hasApplicationSettingsOld = true + serverExtensions.applicationSettingsOld = settings + } } if len(c.config.Bugs.SendALPN) > 0 { diff --git a/src/ssl/test/runner/runner.go b/src/ssl/test/runner/runner.go index fcdd11a3..286a4bed 100644 --- a/src/ssl/test/runner/runner.go +++ b/src/ssl/test/runner/runner.go 
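Review bot: In processClientExtensions, `alpsAllowed` and `alpsAllowedOld` are derived only from what the ClientHello lists, so a client that offers the protocol under both extensions gets both codepoints echoed back with no Bugs flag set, and the server's own `c.config.ALPSUseNewCodepoint` is not consulted in the visible lines. If the runner is meant to model a server that speaks one codepoint, gate each flag on the config before the Bugs overrides, e.g. `alpsAllowed = alpsAllowed && c.config.ALPSUseNewCodepoint.IncludeNew()` and the matching line for `alpsAllowedOld`. If the leniency is deliberate so that doExchange expectations catch mismatches, a comment saying so would help. The copied comment `// Note these fields may later be cleared we accept 0-RTT.` is missing a word and should read `... cleared if we accept 0-RTT.` The function starts outside these hunks.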
@@ -554,6 +554,10 @@ type connectionExpectations struct { // peerApplicationSettings are the expected application settings for the // connection. If nil, no application settings are expected. peerApplicationSettings []byte + // peerApplicationSettingsOld are the expected application settings for + // the connection that are to be sent by the peer using old codepoint. + // If nil, no application settings are expected. + peerApplicationSettingsOld []byte // echAccepted is whether ECH should have been accepted on this connection. echAccepted bool } @@ -938,6 +942,17 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, tr return errors.New("application settings unexpectedly negotiated") } + if expectations.peerApplicationSettingsOld != nil { + if !connState.HasApplicationSettingsOld { + return errors.New("old application settings should have been negotiated") + } + if !bytes.Equal(connState.PeerApplicationSettingsOld, expectations.peerApplicationSettingsOld) { + return fmt.Errorf("old peer application settings mismatch: got %q, wanted %q", connState.PeerApplicationSettingsOld, expectations.peerApplicationSettingsOld) + } + } else if connState.HasApplicationSettingsOld { + return errors.New("old application settings unexpectedly negotiated") + } + if p := connState.SRTPProtectionProfile; p != expectations.srtpProtectionProfile { return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, expectations.srtpProtectionProfile) } 
@@ -7181,598 +7196,809 @@ func addExtensionTests() { // Test ALPS. if ver.version >= VersionTLS13 { - // Test that client and server can negotiate ALPS, including - // different values on resumption. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Basic-Client-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim1"), - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: []byte("shim2"), - }, - flags: []string{ + // Test basic client with different ALPS codepoint. + for _, alpsCodePoint := range []ALPSUseCodepoint{ALPSUseCodepointNew, ALPSUseCodepointOld} { + flags := []string{} + expectations := connectionExpectations{ + peerApplicationSettingsOld: []byte("shim1"), + } + resumeExpectations := &connectionExpectations{ + peerApplicationSettingsOld: []byte("shim2"), + } + + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettings: []byte("shim2"), + } + } + + flags = append(flags, "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", "-on-initial-application-settings", "proto,shim1", "-on-initial-expect-peer-application-settings", "runner1", "-on-resume-application-settings", "proto,shim2", - "-on-resume-expect-peer-application-settings", "runner2", - }, - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Basic-Server-" + suffix, - 
skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim1"), - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: []byte("shim2"), - }, - flags: []string{ - "-select-alpn", "proto", - "-on-initial-application-settings", "proto,shim1", - "-on-initial-expect-peer-application-settings", "runner1", - "-on-resume-application-settings", "proto,shim2", - "-on-resume-expect-peer-application-settings", "runner2", - }, - }) + "-on-resume-expect-peer-application-settings", "runner2") - // Test that the server can defer its ALPS configuration to the ALPN - // selection callback. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Basic-Server-Defer-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim1"), - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: []byte("shim2"), - }, - flags: []string{ + // Test that server can negotiate ALPS, including different values + // on resumption. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-Basic-Client-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + expectations: expectations, + resumeExpectations: resumeExpectations, + flags: flags, + }) + + // Test basic server with different ALPS codepoint. + flags = []string{} + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettingsOld: []byte("shim2"), + } + + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettings: []byte("shim2"), + } + } + + flags = append(flags, "-select-alpn", "proto", - "-defer-alps", "-on-initial-application-settings", "proto,shim1", "-on-initial-expect-peer-application-settings", "runner1", "-on-resume-application-settings", "proto,shim2", - "-on-resume-expect-peer-application-settings", "runner2", - }, - }) - - // Test the client and server correctly handle empty settings. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Empty-Client-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte{}}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte{}, - }, - flags: []string{ - "-advertise-alpn", "\x05proto", - "-expect-alpn", "proto", - "-application-settings", "proto,", - "-expect-peer-application-settings", "", - }, - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Empty-Server-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte{}}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte{}, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,", - "-expect-peer-application-settings", "", - }, - }) + "-on-resume-expect-peer-application-settings", "runner2") - // Test the client rejects application settings from the server on - // protocols it doesn't have them. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-UnsupportedProtocol-Client-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto1"}, - ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, - Bugs: ProtocolBugs{ - AlwaysNegotiateApplicationSettings: true, + // Test that server can negotiate ALPS, including different values + // on resumption. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-Basic-Server-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - // The client supports ALPS with "proto2", but not "proto1". - flags: []string{ - "-advertise-alpn", "\x06proto1\x06proto2", - "-application-settings", "proto2,shim", - "-expect-alpn", "proto1", - }, - // The server sends ALPS with "proto1", which is invalid. - shouldFail: true, - expectedError: ":INVALID_ALPN_PROTOCOL:", - expectedLocalError: "remote error: illegal parameter", - }) - - // Test the server declines ALPS if it doesn't support it for the - // specified protocol. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-UnsupportedProtocol-Server-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto1"}, - ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, - }, - // The server supports ALPS with "proto2", but not "proto1". - flags: []string{ - "-select-alpn", "proto1", - "-application-settings", "proto2,shim", - }, - }) - - // Test that the server rejects a missing application_settings extension. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-OmitClientApplicationSettings-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, - Bugs: ProtocolBugs{ - OmitClientApplicationSettings: true, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - // The runner is a client, so it only processes the shim's alert - // after checking connection state. - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim"), - }, - shouldFail: true, - expectedError: ":MISSING_EXTENSION:", - expectedLocalError: "remote error: missing extension", - }) + resumeSession: true, + expectations: expectations, + resumeExpectations: resumeExpectations, + flags: flags, + }) - // Test that the server rejects a missing EncryptedExtensions message. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-OmitClientEncryptedExtensions-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, - Bugs: ProtocolBugs{ - OmitClientEncryptedExtensions: true, - }, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - // The runner is a client, so it only processes the shim's alert - // after checking connection state. 
- expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim"), - }, - shouldFail: true, - expectedError: ":UNEXPECTED_MESSAGE:", - expectedLocalError: "remote error: unexpected message", - }) + // Try different ALPS codepoint for all the existing tests. + alpsFlags := []string{} + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettingsOld: []byte("shim2"), + } + if alpsCodePoint == ALPSUseCodepointNew { + alpsFlags = append(alpsFlags, "-alps-use-new-codepoint") + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettings: []byte("shim2"), + } + } - // Test that the server rejects an unexpected EncryptedExtensions message. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "UnexpectedClientEncryptedExtensions-" + suffix, - config: Config{ - MaxVersion: ver.version, - Bugs: ProtocolBugs{ - AlwaysSendClientEncryptedExtensions: true, + // Test that the server can defer its ALPS configuration to the ALPN + // selection callback. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-Basic-Server-Defer-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - shouldFail: true, - expectedError: ":UNEXPECTED_MESSAGE:", - expectedLocalError: "remote error: unexpected message", - }) - - // Test that the server rejects an unexpected extension in an - // expected EncryptedExtensions message. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ExtraClientEncryptedExtension-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, - Bugs: ProtocolBugs{ - SendExtraClientEncryptedExtension: true, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - // The runner is a client, so it only processes the shim's alert - // after checking connection state. - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim"), - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - expectedLocalError: "remote error: unsupported extension", - }) + resumeSession: true, + expectations: expectations, + resumeExpectations: resumeExpectations, + flags: append([]string{ + "-select-alpn", "proto", + "-defer-alps", + "-on-initial-application-settings", "proto,shim1", + "-on-initial-expect-peer-application-settings", "runner1", + "-on-resume-application-settings", "proto,shim2", + "-on-resume-expect-peer-application-settings", "runner2", + }, alpsFlags...), + }) - // Test that ALPS is carried over on 0-RTT. - for _, empty := range []bool{false, true} { - maybeEmpty := "" - runnerSettings := "runner" - shimSettings := "shim" - if empty { - maybeEmpty = "Empty-" - runnerSettings = "" - shimSettings = "" + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte{}, } - + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: []byte{}, + } + } + // Test the client and server correctly handle empty settings. 
testCases = append(testCases, testCase{ protocol: protocol, testType: clientTest, - name: "ALPS-EarlyData-Client-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-Empty-Client-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ApplicationSettings: map[string][]byte{"proto": []byte{}}, + ALPSUseNewCodepoint: alpsCodePoint, }, resumeSession: true, - earlyData: true, - flags: []string{ + expectations: expectations, + flags: append([]string{ "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, - }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), - }, + "-application-settings", "proto,", + "-expect-peer-application-settings", "", + }, alpsFlags...), }) testCases = append(testCases, testCase{ protocol: protocol, testType: serverTest, - name: "ALPS-EarlyData-Server-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-Empty-Server-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ApplicationSettings: map[string][]byte{"proto": []byte{}}, + ALPSUseNewCodepoint: alpsCodePoint, }, resumeSession: true, - earlyData: true, - flags: []string{ + expectations: expectations, + flags: append([]string{ "-select-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, - }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), + "-application-settings", "proto,", + "-expect-peer-application-settings", "", + }, alpsFlags...), + }) + + bugs := ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == 
ALPSUseCodepointNew { + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + // Test the client rejects application settings from the server on + // protocols it doesn't have them. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-UnsupportedProtocol-Client-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto1"}, + ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, }, + // The client supports ALPS with "proto2", but not "proto1". + flags: append([]string{ + "-advertise-alpn", "\x06proto1\x06proto2", + "-application-settings", "proto2,shim", + "-expect-alpn", "proto1", + }, alpsFlags...), + // The server sends ALPS with "proto1", which is invalid. + shouldFail: true, + expectedError: ":INVALID_ALPN_PROTOCOL:", + expectedLocalError: "remote error: illegal parameter", }) - // Sending application settings in 0-RTT handshakes is forbidden. + // Test client rejects application settings from the server when + // server sends the wrong ALPS codepoint. 
+ bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointOld { + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + testCases = append(testCases, testCase{ protocol: protocol, testType: clientTest, - name: "ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Client-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-WrongServerCodepoint-Client-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, - Bugs: ProtocolBugs{ - SendApplicationSettingsWithEarlyData: true, - }, + ApplicationSettings: map[string][]byte{"proto": []byte{}}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeSession: true, - earlyData: true, - flags: []string{ + flags: append([]string{ "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, + "-application-settings", "proto,", + "-expect-peer-application-settings", "", + }, alpsFlags...), + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) + + // Test server ignore wrong codepoint from client. 
+ clientSends := ALPSUseCodepointNew + if alpsCodePoint == ALPSUseCodepointNew { + clientSends = ALPSUseCodepointOld + } + + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-IgnoreClientWrongCodepoint-Server-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: clientSends, }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: clientSends, + }, + resumeSession: true, + flags: append([]string{ + "-select-alpn", "proto", + "-on-initial-application-settings", "proto,shim1", + "-on-resume-application-settings", "proto,shim2", + }, alpsFlags...), + }) + + // Test the server declines ALPS if it doesn't support it for the + // specified protocol. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-UnsupportedProtocol-Server-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto1"}, + ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + // The server supports ALPS with "proto2", but not "proto1". + flags: append([]string{ + "-select-alpn", "proto1", + "-application-settings", "proto2,shim", + }, alpsFlags...), + }) + + // Test the client rejects application settings from the server when + // it always negotiate both codepoint. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-UnsupportedProtocol-Client-ServerBoth-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto1"}, + ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, + Bugs: ProtocolBugs{ + AlwaysNegotiateApplicationSettingsBoth: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, + flags: append([]string{ + "-advertise-alpn", "\x06proto1\x06proto2", + "-application-settings", "proto1,shim", + "-expect-alpn", "proto1", + }, alpsFlags...), + // The server sends ALPS with both application settings, which is invalid. shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:", - expectedLocalError: "remote error: illegal parameter", + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", }) + + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte("shim"), + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim"), + } + } + + // Test that the server rejects a missing application_settings extension. 
testCases = append(testCases, testCase{ protocol: protocol, testType: serverTest, - name: "ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-OmitClientApplicationSettings-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, Bugs: ProtocolBugs{ - SendApplicationSettingsWithEarlyData: true, + OmitClientApplicationSettings: true, }, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeSession: true, - earlyData: true, - flags: []string{ + flags: append([]string{ "-select-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, + "-application-settings", "proto,shim", + }, alpsFlags...), + // The runner is a client, so it only processes the shim's alert + // after checking connection state. + expectations: expectations, + shouldFail: true, + expectedError: ":MISSING_EXTENSION:", + expectedLocalError: "remote error: missing extension", + }) + + // Test that the server rejects a missing EncryptedExtensions message. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-OmitClientEncryptedExtensions-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + Bugs: ProtocolBugs{ + OmitClientEncryptedExtensions: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto,shim", + }, alpsFlags...), + // The runner is a client, so it only processes the shim's alert + // after checking connection state. + expectations: expectations, + shouldFail: true, + expectedError: ":UNEXPECTED_MESSAGE:", + expectedLocalError: "remote error: unexpected message", + }) + + // Test that the server rejects an unexpected EncryptedExtensions message. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("UnexpectedClientEncryptedExtensions-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + Bugs: ProtocolBugs{ + AlwaysSendClientEncryptedExtensions: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, shouldFail: true, expectedError: ":UNEXPECTED_MESSAGE:", expectedLocalError: "remote error: unexpected message", }) - } - // Test that the client and server each decline early data if local - // ALPS preferences has changed for the current connection. - alpsMismatchTests := []struct { - name string - initialSettings, resumeSettings []byte - }{ - {"DifferentValues", []byte("settings1"), []byte("settings2")}, - {"OnOff", []byte("settings"), nil}, - {"OffOn", nil, []byte("settings")}, - // The empty settings value should not be mistaken for ALPS not - // being negotiated. 
- {"OnEmpty", []byte("settings"), []byte{}}, - {"EmptyOn", []byte{}, []byte("settings")}, - {"EmptyOff", []byte{}, nil}, - {"OffEmpty", nil, []byte{}}, - } - for _, test := range alpsMismatchTests { - flags := []string{"-on-resume-expect-early-data-reason", "alps_mismatch"} - if test.initialSettings != nil { - flags = append(flags, "-on-initial-application-settings", "proto,"+string(test.initialSettings)) - flags = append(flags, "-on-initial-expect-peer-application-settings", "runner") - } - if test.resumeSettings != nil { - flags = append(flags, "-on-resume-application-settings", "proto,"+string(test.resumeSettings)) - flags = append(flags, "-on-resume-expect-peer-application-settings", "runner") - } + // Test that the server rejects an unexpected extension in an + // expected EncryptedExtensions message. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ExtraClientEncryptedExtension-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + Bugs: ProtocolBugs{ + SendExtraClientEncryptedExtension: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, + }, + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto,shim", + }, alpsFlags...), + // The runner is a client, so it only processes the shim's alert + // after checking connection state. + expectations: expectations, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) - // The client should not offer early data if the session is - // inconsistent with the new configuration. Note that if - // the session did not negotiate ALPS (test.initialSettings - // is nil), the client always offers early data. - if test.initialSettings != nil { + // Test that ALPS is carried over on 0-RTT. 
+ for _, empty := range []bool{false, true} { + maybeEmpty := "" + runnerSettings := "runner" + shimSettings := "shim" + if empty { + maybeEmpty = "Empty-" + runnerSettings = "" + shimSettings = "" + } + + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte(shimSettings), + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: []byte(shimSettings), + } + } testCases = append(testCases, testCase{ protocol: protocol, testType: clientTest, - name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Client-%s", test.name, suffix), + name: fmt.Sprintf("ALPS-EarlyData-Client-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, - MaxEarlyDataSize: 16384, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ALPSUseNewCodepoint: alpsCodePoint, }, resumeSession: true, + earlyData: true, flags: append([]string{ - "-enable-early-data", - "-expect-ticket-supports-early-data", - "-expect-no-offer-early-data", "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", - }, flags...), - expectations: connectionExpectations{ - peerApplicationSettings: test.initialSettings, + "-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + }) + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-EarlyData-Server-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-select-alpn", "proto", + 
"-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + }) + + // Sending application settings in 0-RTT handshakes is forbidden. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Client-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + Bugs: ProtocolBugs{ + SendApplicationSettingsWithEarlyData: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + "-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:", + expectedLocalError: "remote error: illegal parameter", + }) + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + Bugs: ProtocolBugs{ + SendApplicationSettingsWithEarlyData: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeExpectations: &connectionExpectations{ + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + shouldFail: true, + 
expectedError: ":UNEXPECTED_MESSAGE:", + expectedLocalError: "remote error: unexpected message", + }) + } + + // Test that the client and server each decline early data if local + // ALPS preferences has changed for the current connection. + alpsMismatchTests := []struct { + name string + initialSettings, resumeSettings []byte + }{ + {"DifferentValues", []byte("settings1"), []byte("settings2")}, + {"OnOff", []byte("settings"), nil}, + {"OffOn", nil, []byte("settings")}, + // The empty settings value should not be mistaken for ALPS not + // being negotiated. + {"OnEmpty", []byte("settings"), []byte{}}, + {"EmptyOn", []byte{}, []byte("settings")}, + {"EmptyOff", []byte{}, nil}, + {"OffEmpty", nil, []byte{}}, + } + for _, test := range alpsMismatchTests { + flags := []string{"-on-resume-expect-early-data-reason", "alps_mismatch"} + flags = append(flags, alpsFlags...) + if test.initialSettings != nil { + flags = append(flags, "-on-initial-application-settings", "proto,"+string(test.initialSettings)) + flags = append(flags, "-on-initial-expect-peer-application-settings", "runner") + } + if test.resumeSettings != nil { + flags = append(flags, "-on-resume-application-settings", "proto,"+string(test.resumeSettings)) + flags = append(flags, "-on-resume-expect-peer-application-settings", "runner") + } + + expectations = connectionExpectations{ + peerApplicationSettingsOld: test.initialSettings, + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettingsOld: test.resumeSettings, + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: test.initialSettings, + } + resumeExpectations = &connectionExpectations{ peerApplicationSettings: test.resumeSettings, + } + } + // The client should not offer early data if the session is + // inconsistent with the new configuration. Note that if + // the session did not negotiate ALPS (test.initialSettings + // is nil), the client always offers early data. 
+ if test.initialSettings != nil { + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Client-%s-%s", test.name, alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + MaxEarlyDataSize: 16384, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + flags: append([]string{ + "-enable-early-data", + "-expect-ticket-supports-early-data", + "-expect-no-offer-early-data", + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + }, flags...), + expectations: expectations, + resumeExpectations: resumeExpectations, + }) + } + + // The server should reject early data if the session is + // inconsistent with the new selection. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Server-%s-%s", test.name, alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, }, + resumeSession: true, + earlyData: true, + expectEarlyDataRejected: true, + flags: append([]string{ + "-select-alpn", "proto", + }, flags...), + expectations: expectations, + resumeExpectations: resumeExpectations, }) } - // The server should reject early data if the session is - // inconsistent with the new selection. + // Test that 0-RTT continues working when the shim configures + // ALPS but the peer does not. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-EarlyData-Client-ServerDecline-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + "-application-settings", "proto,shim", + }, alpsFlags...), + }) testCases = append(testCases, testCase{ protocol: protocol, testType: serverTest, - name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Server-%s", test.name, suffix), + name: fmt.Sprintf("ALPS-EarlyData-Server-ClientNoOffe-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeSession: true, - earlyData: true, - expectEarlyDataRejected: true, + resumeSession: true, + earlyData: true, flags: append([]string{ "-select-alpn", "proto", - }, flags...), - expectations: connectionExpectations{ - peerApplicationSettings: test.initialSettings, - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: test.resumeSettings, - }, + "-application-settings", "proto,shim", + }, alpsFlags...), }) } - - // Test that 0-RTT continues working when the shim configures - // ALPS but the peer does not. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-EarlyData-Client-ServerDecline-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - }, - resumeSession: true, - earlyData: true, - flags: []string{ - "-advertise-alpn", "\x05proto", - "-expect-alpn", "proto", - "-application-settings", "proto,shim", - }, - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-EarlyData-Server-ClientNoOffer-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - }, - resumeSession: true, - earlyData: true, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - }) } else { // Test the client rejects the ALPS extension if the server // negotiated TLS 1.2 or below. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Reject-Client-" + suffix, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"foo"}, - ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, - Bugs: ProtocolBugs{ - AlwaysNegotiateApplicationSettings: true, - }, - }, - flags: []string{ + for _, alpsCodePoint := range []ALPSUseCodepoint{ALPSUseCodepointNew, ALPSUseCodepointOld} { + flags := []string{ "-advertise-alpn", "\x03foo", "-expect-alpn", "foo", "-application-settings", "foo,shim", - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - expectedLocalError: "remote error: unsupported extension", - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Reject-Client-Resume-" + suffix, - config: Config{ - MaxVersion: ver.version, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"foo"}, - ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, - Bugs: ProtocolBugs{ - 
AlwaysNegotiateApplicationSettings: true, + } + bugs := ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-Reject-Client-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"foo"}, + ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - resumeSession: true, - flags: []string{ + flags: flags, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) + + flags = []string{ "-on-resume-advertise-alpn", "\x03foo", "-on-resume-expect-alpn", "foo", "-on-resume-application-settings", "foo,shim", - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - expectedLocalError: "remote error: unsupported extension", - }) + } + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-Reject-Client-Resume-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + }, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"foo"}, + ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + flags: flags, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) - // Test the server declines ALPS 
if it negotiates TLS 1.2 or below. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Decline-Server-" + suffix, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"foo"}, - ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, - }, - // Test both TLS 1.2 full and resumption handshakes. - resumeSession: true, - flags: []string{ + // Test the server declines ALPS if it negotiates TLS 1.2 or below. + flags = []string{ "-select-alpn", "foo", "-application-settings", "foo,shim", - }, - // If not specified, runner and shim both implicitly expect ALPS - // is not negotiated. - }) + } + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + } + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-Decline-Server-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"foo"}, + ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + // Test both TLS 1.2 full and resumption handshakes. + resumeSession: true, + flags: flags, + // If not specified, runner and shim both implicitly expect ALPS + // is not negotiated. + }) + } } // Test QUIC transport params @@ -8364,6 +8590,7 @@ func addExtensionTests() { test.config.ApplicationSettings = map[string][]byte{"proto": []byte("runner")} test.flags = append(test.flags, "-application-settings", "proto,shim", + "-alps-use-new-codepoint", "-expect-peer-application-settings", "runner") test.expectations.peerApplicationSettings = []byte("shim") } diff --git a/src/ssl/test/runner/ticket.go b/src/ssl/test/runner/ticket.go index f0a8bf18..51842d10 100644 --- a/src/ssl/test/runner/ticket.go +++ b/src/ssl/test/runner/ticket.go 
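Review bot: In the `@@ -8364,6 +8590,7 @@` hunk the shim is now passed `-alps-use-new-codepoint`, but the visible lines never set `test.config.ALPSUseNewCodepoint`, whereas the ALPS test cases added earlier in this diff set it alongside the shim flag. If the runner's zero value for that field is not the new codepoint, the two sides would negotiate different extensions and `peerApplicationSettings` would not be populated as expected. Even if the default matches, adding `test.config.ALPSUseNewCodepoint = ALPSUseCodepointNew` next to the `ApplicationSettings` assignment makes the pairing explicit. The enclosing block starts outside the hunk, so the field may already be set there.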
@@ -20,20 +20,23 @@ import ( // sessionState contains the information that is serialized into a session // ticket in order to later resume a connection. type sessionState struct { - vers uint16 - cipherSuite uint16 - secret []byte - handshakeHash []byte - certificates [][]byte - extendedMasterSecret bool - earlyALPN []byte - ticketCreationTime time.Time - ticketExpiration time.Time - ticketFlags uint32 - ticketAgeAdd uint32 - hasApplicationSettings bool - localApplicationSettings []byte - peerApplicationSettings []byte + vers uint16 + cipherSuite uint16 + secret []byte + handshakeHash []byte + certificates [][]byte + extendedMasterSecret bool + earlyALPN []byte + ticketCreationTime time.Time + ticketExpiration time.Time + ticketFlags uint32 + ticketAgeAdd uint32 + hasApplicationSettings bool + localApplicationSettings []byte + peerApplicationSettings []byte + hasApplicationSettingsOld bool + localApplicationSettingsOld []byte + peerApplicationSettingsOld []byte } func (s *sessionState) marshal() []byte { @@ -70,6 +73,14 @@ func (s *sessionState) marshal() []byte { msg.AddUint8(0) } + if s.hasApplicationSettingsOld { + msg.AddUint8(1) + addUint16LengthPrefixedBytes(msg, s.localApplicationSettingsOld) + addUint16LengthPrefixedBytes(msg, s.peerApplicationSettingsOld) + } else { + msg.AddUint8(0) + } + return msg.BytesOrPanic() } @@ -135,6 +146,17 @@ func (s *sessionState) unmarshal(data []byte) bool { } } + if !readBool(&reader, &s.hasApplicationSettingsOld) { + return false + } + + if s.hasApplicationSettingsOld { + if !readUint16LengthPrefixedBytes(&reader, &s.localApplicationSettingsOld) || + !readUint16LengthPrefixedBytes(&reader, &s.peerApplicationSettingsOld) { + return false + } + } + if len(reader) > 0 { return false } diff --git a/src/ssl/test/settings_writer.cc b/src/ssl/test/settings_writer.cc index 8605222f..78598a86 100644 --- a/src/ssl/test/settings_writer.cc +++ b/src/ssl/test/settings_writer.cc 
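Review bot: The three `*Old` fields added to `sessionState` have no comment saying what "Old" refers to, and neither `marshal` nor `unmarshal` says whether a ticket may carry both the new and the old set at once. From the rest of the commit they appear to hold ALPS state negotiated under the old extension codepoint. I would add `// The *Old fields hold ALPS state negotiated with the old extension codepoint.` above `hasApplicationSettingsOld`. The `unmarshal` hunk accepts a ticket with both flags set, which is worth stating in a comment if it is intentional.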
@@ -75,8 +75,11 @@ bool SettingsWriter::Commit() { } bssl::UniquePtr<uint8_t> free_settings(settings); - using ScopedFILE = std::unique_ptr<FILE, decltype(&fclose)>; - ScopedFILE file(fopen(path_.c_str(), "w"), fclose); + struct FileCloser { + void operator()(FILE *f) const { fclose(f); } + }; + using ScopedFILE = std::unique_ptr<FILE, FileCloser>; + ScopedFILE file(fopen(path_.c_str(), "w")); if (!file) { return false; } diff --git a/src/ssl/test/test_config.cc b/src/ssl/test/test_config.cc index 7a188f60..c6cbb776 100644 --- a/src/ssl/test/test_config.cc +++ b/src/ssl/test/test_config.cc @@ -270,6 +270,8 @@ std::vector<Flag> SortedFlags() { &TestConfig::application_settings), OptionalStringFlag("-expect-peer-application-settings", &TestConfig::expect_peer_application_settings), + BoolFlag("-alps-use-new-codepoint", + &TestConfig::alps_use_new_codepoint), Base64Flag("-quic-transport-params", &TestConfig::quic_transport_params), Base64Flag("-expect-quic-transport-params", &TestConfig::expect_quic_transport_params), @@ -1945,6 +1947,9 @@ bssl::UniquePtr<SSL> TestConfig::NewSSL( if (max_send_fragment > 0) { SSL_set_max_send_fragment(ssl.get(), max_send_fragment); } + if (alps_use_new_codepoint) { + SSL_set_alps_use_new_codepoint(ssl.get(), 1); + } if (quic_use_legacy_codepoint != -1) { SSL_set_quic_use_legacy_codepoint(ssl.get(), quic_use_legacy_codepoint); } diff --git a/src/ssl/test/test_config.h b/src/ssl/test/test_config.h index 1181a730..f302ff25 100644 --- a/src/ssl/test/test_config.h +++ b/src/ssl/test/test_config.h @@ -82,6 +82,7 @@ struct TestConfig { bool defer_alps = false; std::vector<std::pair<std::string, std::string>> application_settings; std::unique_ptr<std::string> expect_peer_application_settings; + bool alps_use_new_codepoint = false; std::string quic_transport_params; std::string expect_quic_transport_params; // Set quic_use_legacy_codepoint to 0 or 1 to configure, -1 uses default. 
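Review bot: `FileCloser::operator()` discards the result of `fclose`, so a write error that only surfaces when buffered data is flushed at close time is never reported by `SettingsWriter::Commit()`. The rest of `Commit()` is outside the hunk, so this assumes the file is closed only by the deleter. I would close explicitly after the last write with `if (fclose(file.release()) != 0) { return false; }` and keep the deleter for the early-return paths.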
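Review bot: `alps_use_new_codepoint` is a plain `bool`, so the `TestConfig::NewSSL` hunk can only ever call `SSL_set_alps_use_new_codepoint(ssl.get(), 1)`. A test cannot request the old codepoint explicitly, and an unset flag means whatever the library default is. The `quic_use_legacy_codepoint` lines directly below use -1 for "default" for the same kind of switch. Following that pattern (`int alps_use_new_codepoint = -1;` and `if (alps_use_new_codepoint != -1) { SSL_set_alps_use_new_codepoint(ssl.get(), alps_use_new_codepoint); }`, with the flag taking a value) would keep the old-codepoint tests meaningful if the default is later flipped.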
diff --git a/src/ssl/tls13_client.cc b/src/ssl/tls13_client.cc index 7f84241b..82ed7a84 100644 --- a/src/ssl/tls13_client.cc +++ b/src/ssl/tls13_client.cc @@ -811,10 +811,14 @@ static enum ssl_hs_wait_t do_send_client_encrypted_extensions( !ssl->s3->early_data_accepted) { ScopedCBB cbb; CBB body, extensions, extension; + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_ENCRYPTED_EXTENSIONS) || !CBB_add_u16_length_prefixed(&body, &extensions) || - !CBB_add_u16(&extensions, TLSEXT_TYPE_application_settings) || + !CBB_add_u16(&extensions, extension_type) || !CBB_add_u16_length_prefixed(&extensions, &extension) || !CBB_add_bytes(&extension, hs->new_session->local_application_settings.data(), diff --git a/src/ssl/tls13_server.cc b/src/ssl/tls13_server.cc index 9d26f4e0..707cf846 100644 --- a/src/ssl/tls13_server.cc +++ b/src/ssl/tls13_server.cc @@ -1051,7 +1051,11 @@ static enum ssl_hs_wait_t do_read_client_encrypted_extensions( return ssl_hs_error; } - SSLExtension application_settings(TLSEXT_TYPE_application_settings); + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } + SSLExtension application_settings(extension_type); uint8_t alert = SSL_AD_DECODE_ERROR; if (!ssl_parse_extensions(&extensions, &alert, {&application_settings}, /*ignore_unknown=*/false)) { diff --git a/src/third_party/fiat/asm/fiat_curve25519_adx_mul.S b/src/third_party/fiat/asm/fiat_curve25519_adx_mul.S index b5d2aae5..c9ff8893 100644 --- a/src/third_party/fiat/asm/fiat_curve25519_adx_mul.S +++ b/src/third_party/fiat/asm/fiat_curve25519_adx_mul.S 
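Review bot: The codepoint selection in `do_send_client_encrypted_extensions` is a mutable `uint16_t` assigned in two steps, and the same three lines are repeated in the `do_read_client_encrypted_extensions` hunk in tls13_server.cc. The writer and the parser have to agree on this value, and the server parses with `/*ignore_unknown=*/false`, so if the two copies drift the handshake fails rather than falling back. I would make it one `const` expression, `const uint16_t extension_type = hs->config->alps_use_new_codepoint ? TLSEXT_TYPE_application_settings : TLSEXT_TYPE_application_settings_old;`, and preferably move it into a small shared helper that both files call. Both functions start and end outside their hunks.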
@@ -18,8 +18,9 @@ fiat_curve25519_adx_mul: .cfi_startproc _CET_ENDBR -mov [rsp - 0x08], rbp -.cfi_offset rbp, -8-0x08 +push rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset rbp, -16 mov rbp, rsp mov rax, rdx @@ -27,21 +28,21 @@ mov rdx, [ rsi + 0x18 ] mulx r11, r10, [ rax + 0x8 ] mov rdx, [ rax + 0x0 ] mov [ rsp - 0x58 ], r15 -.cfi_offset r15, -8-0x58 +.cfi_offset r15, -16-0x58 mulx r8, rcx, [ rsi + 0x18 ] mov rdx, [ rsi + 0x8 ] mov [ rsp - 0x80 ], rbx -.cfi_offset rbx, -8-0x80 +.cfi_offset rbx, -16-0x80 mulx rbx, r9, [ rax + 0x18 ] mov rdx, [ rsi + 0x8 ] mov [ rsp - 0x70 ], r12 -.cfi_offset r12, -8-0x70 +.cfi_offset r12, -16-0x70 mulx r15, r12, [ rax + 0x8 ] mov rdx, [ rsi + 0x0 ] mov [ rsp - 0x68 ], r13 -.cfi_offset r13, -8-0x68 +.cfi_offset r13, -16-0x68 mov [ rsp - 0x60 ], r14 -.cfi_offset r14, -8-0x60 +.cfi_offset r14, -16-0x60 mulx r14, r13, [ rax + 0x0 ] mov rdx, [ rax + 0x10 ] mov [ rsp - 0x18 ], r15 @@ -155,12 +156,19 @@ adcx r15, r14 mov [ r8 + 0x0 ], r15 mov [ r8 + 0x10 ], rcx mov rbx, [ rsp - 0x80 ] +.cfi_restore rbx mov r12, [ rsp - 0x70 ] +.cfi_restore r12 mov r13, [ rsp - 0x68 ] +.cfi_restore r13 mov r14, [ rsp - 0x60 ] +.cfi_restore r14 mov r15, [ rsp - 0x58 ] +.cfi_restore r15 -mov rbp, [rsp - 0x08] +pop rbp +.cfi_restore rbp +.cfi_adjust_cfa_offset -8 ret .cfi_endproc #if defined(__ELF__) diff --git a/src/third_party/fiat/asm/fiat_curve25519_adx_square.S b/src/third_party/fiat/asm/fiat_curve25519_adx_square.S index 0b876ab6..9bc68fc7 100644 --- a/src/third_party/fiat/asm/fiat_curve25519_adx_square.S +++ b/src/third_party/fiat/asm/fiat_curve25519_adx_square.S @@ -18,8 +18,9 @@ fiat_curve25519_adx_square: .cfi_startproc _CET_ENDBR -mov [rsp - 0x08], rbp -.cfi_offset rbp, -8-0x08 +push rbp +.cfi_adjust_cfa_offset 8 +.cfi_offset rbp, -16 mov rbp, rsp mov rdx, [ rsi + 0x0 ] 
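Review bot: The callee-saved spills in the second hunk (`mov [ rsp - 0x58 ], r15` through `mov [ rsp - 0x80 ], rbx`) are still written below rsp after the new `push rbp`, so the function keeps depending on the 128-byte System V red zone, with `[ rsp - 0x80 ]` as its last slot. Nothing in the visible lines records that dependency; in an environment without a red zone (kernel code, Win64) the saved registers could be overwritten asynchronously. I would add a header comment above the label such as `/* Leaf function: spills live in the SysV red zone below rsp; add no calls and no further spill slots. */`. The `-16-0x..` CFI offsets and the `.cfi_restore` lines are consistent with the push. The same comment applies to the fiat_curve25519_adx_square.S hunks, and both function bodies continue outside the hunks.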
@@ -32,7 +33,7 @@ mov rdx, [ rsi + 0x0 ] mulx r9, r8, [ rsi + 0x18 ] mov rdx, [ rsi + 0x8 ] mov [ rsp - 0x80 ], rbx -.cfi_offset rbx, -8-0x80 +.cfi_offset rbx, -16-0x80 mulx rbx, r10, [ rsi + 0x18 ] adox r8, rcx mov [rsp - 0x48 ], rdi @@ -46,7 +47,7 @@ mulx rdi, rbx, [ rsi + 0x8 ] mov rdx, 0x0 adox r9, rdx mov [ rsp - 0x70 ], r12 -.cfi_offset r12, -8-0x70 +.cfi_offset r12, -16-0x70 mov r12, -0x3 inc r12 adox rbx, r8 @@ -61,9 +62,9 @@ mov rdx, [ rsi + 0x0 ] mulx r9, rcx, rdx mov rdx, [ rsi + 0x8 ] mov [ rsp - 0x68 ], r13 -.cfi_offset r13, -8-0x68 +.cfi_offset r13, -16-0x68 mov [ rsp - 0x60 ], r14 -.cfi_offset r14, -8-0x60 +.cfi_offset r14, -16-0x60 mulx r14, r13, rdx seto dl inc r12 @@ -88,7 +89,7 @@ mulx rdi, rax, rdx adox rax, r10 mov rdx, 0x26 mov [ rsp - 0x58 ], r15 -.cfi_offset r15, -8-0x58 +.cfi_offset r15, -16-0x58 mulx r15, r10, r11 clc adcx r10, rcx @@ -123,12 +124,19 @@ adcx r13, rcx mov [ rdi + 0x0 ], r13 mov [ rdi + 0x18 ], r10 mov rbx, [ rsp - 0x80 ] +.cfi_restore rbx mov r12, [ rsp - 0x70 ] +.cfi_restore r12 mov r13, [ rsp - 0x68 ] +.cfi_restore r13 mov r14, [ rsp - 0x60 ] +.cfi_restore r14 mov r15, [ rsp - 0x58 ] +.cfi_restore r15 -mov rbp, [rsp - 0x08] +pop rbp +.cfi_restore rbp +.cfi_adjust_cfa_offset -8 ret .cfi_endproc #if defined(__ELF__) diff --git a/src/util/BUILD.toplevel b/src/util/BUILD.toplevel index f5bbbdc5..48dc9206 100644 --- a/src/util/BUILD.toplevel +++ b/src/util/BUILD.toplevel @@ -121,10 +121,7 @@ boringssl_copts = [ }) + asm_copts boringssl_copts_c11 = boringssl_copts + select({ - # TODO(crbug.com/boringssl/624): This should pass /std:c11 on MSVC. It was - # reverted due to https://github.com/bazelbuild/bazel/issues/15073. When - # Bazel 6.3.0 is released, restore it and require C11 on MSVC. - "@platforms//os:windows": [], + "@platforms//os:windows": ["/std:c11"], "//conditions:default": gcc_copts_c11, }) 
diff --git a/src/util/fipstools/acvp/acvptool/subprocess/aead.go b/src/util/fipstools/acvp/acvptool/subprocess/aead.go index ba0eee96..c38b1707 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/aead.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/aead.go @@ -72,6 +72,7 @@ func (a *aead) Process(vectorSet []byte, m Transactable) (any, error) { // versions of the ACVP documents. You can find fragments in // https://github.com/usnistgov/ACVP.) for _, group := range parsed.Groups { + group := group response := aeadTestGroupResponse{ ID: group.ID, } @@ -102,6 +103,8 @@ func (a *aead) Process(vectorSet []byte, m Transactable) (any, error) { tagBytes := group.TagBits / 8 for _, test := range group.Tests { + test := test + if len(test.KeyHex) != keyBytes*2 { return nil, fmt.Errorf("test case %d/%d contains key %q of length %d, but expected %d-bit key", group.ID, test.ID, test.KeyHex, len(test.KeyHex), group.KeyBits) } diff --git a/src/util/fipstools/acvp/acvptool/subprocess/block.go b/src/util/fipstools/acvp/acvptool/subprocess/block.go index 2f058027..bcc6613a 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/block.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/block.go @@ -299,6 +299,7 @@ func (b *blockCipher) Process(vectorSet []byte, m Transactable) (any, error) { // http://usnistgov.github.io/ACVP/artifacts/draft-celi-acvp-block-ciph-00.html#rfc.section.5.2 // for details about the tests. for _, group := range parsed.Groups { + group := group response := blockCipherTestGroupResponse{ ID: group.ID, } @@ -346,6 +347,8 @@ func (b *blockCipher) Process(vectorSet []byte, m Transactable) (any, error) { } for _, test := range group.Tests { + test := test + if len(test.KeyHex) == 0 && len(test.Key1Hex) > 0 { // 3DES encodes the key differently. test.KeyHex = test.Key1Hex + test.Key2Hex + test.Key3Hex diff --git a/src/util/fipstools/acvp/acvptool/subprocess/drbg.go b/src/util/fipstools/acvp/acvptool/subprocess/drbg.go index b403f046..87584d63 100644 
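Review bot: The added `group := group` and `test := test` lines read as redundant shadowing, because nothing in aead.go says why they are there. The reason is only visible in the rsa.go `processKeyGen` hunk, where `test.ID` is read inside the callback passed to `m.TransactAsync`. The copies presumably keep each deferred callback on its own iteration's values. I would put `// Copy the loop variable: callbacks passed to m.TransactAsync may run after the loop advances.` on the first occurrence in each file, so a later cleanup does not remove the lines and mix results between test cases in the ACVP responses. The same applies to the block.go, drbg.go, ecdsa.go, hash.go, hkdf.go, hmac.go, kas.go, kasdh.go, kdf.go, keyedMac.go, rsa.go, tls13.go, tlskdf.go and xts.go hunks.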
--- a/src/util/fipstools/acvp/acvptool/subprocess/drbg.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/drbg.go @@ -84,6 +84,7 @@ func (d *drbg) Process(vectorSet []byte, m Transactable) (any, error) { // https://pages.nist.gov/ACVP/draft-vassilev-acvp-drbg.html#name-test-vectors // for details about the tests. for _, group := range parsed.Groups { + group := group response := drbgTestGroupResponse{ ID: group.ID, } @@ -97,6 +98,8 @@ func (d *drbg) Process(vectorSet []byte, m Transactable) (any, error) { } for _, test := range group.Tests { + test := test + ent, err := extractField(test.EntropyHex, group.EntropyBits) if err != nil { return nil, fmt.Errorf("failed to extract entropy hex from test case %d/%d: %s", group.ID, test.ID, err) diff --git a/src/util/fipstools/acvp/acvptool/subprocess/ecdsa.go b/src/util/fipstools/acvp/acvptool/subprocess/ecdsa.go index 16d3a833..69706bdd 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/ecdsa.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/ecdsa.go @@ -83,6 +83,8 @@ func (e *ecdsa) Process(vectorSet []byte, m Transactable) (any, error) { // https://pages.nist.gov/ACVP/draft-fussell-acvp-ecdsa.html#name-test-vectors // for details about the tests. for _, group := range parsed.Groups { + group := group + if _, ok := e.curves[group.Curve]; !ok { return nil, fmt.Errorf("curve %q in test group %d not supported", group.Curve, group.ID) } @@ -93,6 +95,8 @@ func (e *ecdsa) Process(vectorSet []byte, m Transactable) (any, error) { var sigGenPrivateKey []byte for _, test := range group.Tests { + test := test + var testResp ecdsaTestResponse testResp.ID = test.ID diff --git a/src/util/fipstools/acvp/acvptool/subprocess/hash.go b/src/util/fipstools/acvp/acvptool/subprocess/hash.go index 1f34d1a9..aeac6d66 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/hash.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/hash.go 
@@ -73,11 +73,14 @@ func (h *hashPrimitive) Process(vectorSet []byte, m Transactable) (any, error) { // https://pages.nist.gov/ACVP/draft-celi-acvp-sha.html#name-test-vectors // for details about the tests. for _, group := range parsed.Groups { + group := group response := hashTestGroupResponse{ ID: group.ID, } for _, test := range group.Tests { + test := test + if uint64(len(test.MsgHex))*4 != test.BitLength { return nil, fmt.Errorf("test case %d/%d contains hex message of length %d but specifies a bit length of %d", group.ID, test.ID, len(test.MsgHex), test.BitLength) } diff --git a/src/util/fipstools/acvp/acvptool/subprocess/hkdf.go b/src/util/fipstools/acvp/acvptool/subprocess/hkdf.go index 3a6ba04c..c64e2b86 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/hkdf.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/hkdf.go @@ -124,6 +124,7 @@ func (k *hkdf) Process(vectorSet []byte, m Transactable) (any, error) { var respGroups []hkdfTestGroupResponse for _, group := range parsed.Groups { + group := group groupResp := hkdfTestGroupResponse{ID: group.ID} var isValidationTest bool @@ -142,6 +143,7 @@ func (k *hkdf) Process(vectorSet []byte, m Transactable) (any, error) { } for _, test := range group.Tests { + test := test testResp := hkdfTestResponse{ID: test.ID} key, salt, err := test.Params.extract() diff --git a/src/util/fipstools/acvp/acvptool/subprocess/hmac.go b/src/util/fipstools/acvp/acvptool/subprocess/hmac.go index 8fc76951..6b8a3cfa 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/hmac.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/hmac.go @@ -87,6 +87,7 @@ func (h *hmacPrimitive) Process(vectorSet []byte, m Transactable) (any, error) { // https://pages.nist.gov/ACVP/draft-fussell-acvp-mac.html#name-test-vectors // for details about the tests. for _, group := range parsed.Groups { + group := group response := hmacTestGroupResponse{ ID: group.ID, } 
@@ -99,6 +100,8 @@ func (h *hmacPrimitive) Process(vectorSet []byte, m Transactable) (any, error) { outBytes := group.MACBits / 8 for _, test := range group.Tests { + test := test + if len(test.MsgHex)*4 != group.MsgBits { return nil, fmt.Errorf("test case %d/%d contains hex message of length %d but specifies a bit length of %d", group.ID, test.ID, len(test.MsgHex), group.MsgBits) } diff --git a/src/util/fipstools/acvp/acvptool/subprocess/kas.go b/src/util/fipstools/acvp/acvptool/subprocess/kas.go index cbc99ed5..4c99f8aa 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/kas.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/kas.go @@ -77,6 +77,7 @@ func (k *kas) Process(vectorSet []byte, m Transactable) (any, error) { // See https://pages.nist.gov/ACVP/draft-fussell-acvp-kas-ecc.html#name-test-vectors var ret []kasTestGroupResponse for _, group := range parsed.Groups { + group := group response := kasTestGroupResponse{ ID: group.ID, } @@ -119,6 +120,8 @@ func (k *kas) Process(vectorSet []byte, m Transactable) (any, error) { method := "ECDH/" + group.Curve for _, test := range group.Tests { + test := test + var xHex, yHex, privateKeyHex string if useStaticNamedFields { xHex, yHex, privateKeyHex = test.StaticXHex, test.StaticYHex, test.StaticPrivateKeyHex diff --git a/src/util/fipstools/acvp/acvptool/subprocess/kasdh.go b/src/util/fipstools/acvp/acvptool/subprocess/kasdh.go index f262b820..212dd316 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/kasdh.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/kasdh.go @@ -68,6 +68,7 @@ func (k *kasDH) Process(vectorSet []byte, m Transactable) (any, error) { // See https://pages.nist.gov/ACVP/draft-hammett-acvp-kas-ffc-sp800-56ar3.html var ret []kasDHTestGroupResponse for _, group := range parsed.Groups { + group := group response := kasDHTestGroupResponse{ ID: group.ID, } 
@@ -110,6 +111,8 @@ func (k *kasDH) Process(vectorSet []byte, m Transactable) (any, error) { const method = "FFDH" for _, test := range group.Tests { + test := test + if len(test.PeerPublicHex) == 0 { return nil, fmt.Errorf("%d/%d is missing peer's key", group.ID, test.ID) } diff --git a/src/util/fipstools/acvp/acvptool/subprocess/kdf.go b/src/util/fipstools/acvp/acvptool/subprocess/kdf.go index e27fcaa9..6e414589 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/kdf.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/kdf.go @@ -68,6 +68,7 @@ func (k *kdfPrimitive) Process(vectorSet []byte, m Transactable) (any, error) { var respGroups []kdfTestGroupResponse for _, group := range parsed.Groups { + group := group groupResp := kdfTestGroupResponse{ID: group.ID} if group.OutputBits%8 != 0 { @@ -91,6 +92,7 @@ func (k *kdfPrimitive) Process(vectorSet []byte, m Transactable) (any, error) { outputBytes := uint32le(group.OutputBits / 8) for _, test := range group.Tests { + test := test testResp := kdfTestResponse{ID: test.ID} var key []byte diff --git a/src/util/fipstools/acvp/acvptool/subprocess/keyedMac.go b/src/util/fipstools/acvp/acvptool/subprocess/keyedMac.go index e43ab5d5..c91bb416 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/keyedMac.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/keyedMac.go @@ -65,6 +65,7 @@ func (k *keyedMACPrimitive) Process(vectorSet []byte, m Transactable) (any, erro var respGroups []keyedMACTestGroupResponse for _, group := range vs.Groups { + group := group respGroup := keyedMACTestGroupResponse{ID: group.ID} if group.KeyBits%8 != 0 { @@ -90,6 +91,7 @@ func (k *keyedMACPrimitive) Process(vectorSet []byte, m Transactable) (any, erro outputBytes := uint32le(group.MACBits / 8) for _, test := range group.Tests { + test := test respTest := keyedMACTestResponse{ID: test.ID} // Validate input. 
diff --git a/src/util/fipstools/acvp/acvptool/subprocess/rsa.go b/src/util/fipstools/acvp/acvptool/subprocess/rsa.go index d975026e..923cdad0 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/rsa.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/rsa.go @@ -126,6 +126,8 @@ func processKeyGen(vectorSet []byte, m Transactable) (any, error) { var ret []rsaKeyGenTestGroupResponse for _, group := range parsed.Groups { + group := group + // GDT means "Generated data test", i.e. "please generate an RSA key". const expectedType = "GDT" if group.Type != expectedType { @@ -137,6 +139,8 @@ func processKeyGen(vectorSet []byte, m Transactable) (any, error) { } for _, test := range group.Tests { + test := test + m.TransactAsync("RSA/keyGen", 5, [][]byte{uint32le(group.ModulusBits)}, func(result [][]byte) error { response.Tests = append(response.Tests, rsaKeyGenTestResponse{ ID: test.ID, @@ -171,6 +175,8 @@ func processSigGen(vectorSet []byte, m Transactable) (any, error) { var ret []rsaSigGenTestGroupResponse for _, group := range parsed.Groups { + group := group + // GDT means "Generated data test", i.e. "please generate an RSA signature". const expectedType = "GDT" if group.Type != expectedType { @@ -184,6 +190,8 @@ func processSigGen(vectorSet []byte, m Transactable) (any, error) { operation := "RSA/sigGen/" + group.Hash + "/" + group.SigType for _, test := range group.Tests { + test := test + msg, err := hex.DecodeString(test.MessageHex) if err != nil { return nil, fmt.Errorf("test case %d/%d contains invalid hex: %s", group.ID, test.ID, err) @@ -226,6 +234,8 @@ func processSigVer(vectorSet []byte, m Transactable) (any, error) { var ret []rsaSigVerTestGroupResponse for _, group := range parsed.Groups { + group := group + // GDT means "Generated data test", which makes no sense in this context. const expectedType = "GDT" if group.Type != expectedType { 
@@ -248,6 +258,7 @@ func processSigVer(vectorSet []byte, m Transactable) (any, error) { operation := "RSA/sigVer/" + group.Hash + "/" + group.SigType for _, test := range group.Tests { + test := test msg, err := hex.DecodeString(test.MessageHex) if err != nil { return nil, fmt.Errorf("test case %d/%d contains invalid hex: %s", group.ID, test.ID, err) diff --git a/src/util/fipstools/acvp/acvptool/subprocess/tls13.go b/src/util/fipstools/acvp/acvptool/subprocess/tls13.go index af2aae83..bd121422 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/tls13.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/tls13.go @@ -77,9 +77,11 @@ func (k *tls13) Process(vectorSet []byte, m Transactable) (any, error) { var respGroups []tls13TestGroupResponse for _, group := range parsed.Groups { + group := group groupResp := tls13TestGroupResponse{ID: group.ID} for _, test := range group.Tests { + test := test testResp := tls13TestResponse{ID: test.ID} clientHello, err := hex.DecodeString(test.ClientHelloHex) diff --git a/src/util/fipstools/acvp/acvptool/subprocess/tlskdf.go b/src/util/fipstools/acvp/acvptool/subprocess/tlskdf.go index 3a0d7cea..251b53e6 100644 --- a/src/util/fipstools/acvp/acvptool/subprocess/tlskdf.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/tlskdf.go @@ -64,6 +64,7 @@ func (k *tlsKDF) Process(vectorSet []byte, m Transactable) (any, error) { // See https://pages.nist.gov/ACVP/draft-celi-acvp-kdf-tls.html var ret []tlsKDFTestGroupResponse for _, group := range parsed.Groups { + group := group response := tlsKDFTestGroupResponse{ ID: group.ID, } @@ -82,6 +83,7 @@ func (k *tlsKDF) Process(vectorSet []byte, m Transactable) (any, error) { method := "TLSKDF/1.2/" + group.Hash for _, test := range group.Tests { + test := test pms, err := hex.DecodeString(test.PMSHex) if err != nil { return nil, err diff --git a/src/util/fipstools/acvp/acvptool/subprocess/xts.go b/src/util/fipstools/acvp/acvptool/subprocess/xts.go index e8134097..5a9e7402 100644 
--- a/src/util/fipstools/acvp/acvptool/subprocess/xts.go +++ b/src/util/fipstools/acvp/acvptool/subprocess/xts.go @@ -67,6 +67,7 @@ func (h *xts) Process(vectorSet []byte, m Transactable) (any, error) { var ret []xtsTestGroupResponse for _, group := range parsed.Groups { + group := group response := xtsTestGroupResponse{ ID: group.ID, } @@ -88,6 +89,7 @@ func (h *xts) Process(vectorSet []byte, m Transactable) (any, error) { funcName := "AES-XTS/" + group.Direction for _, test := range group.Tests { + test := test if group.KeyLen != len(test.KeyHex)*4/2 { return nil, fmt.Errorf("test case %d/%d contains hex message of length %d but specifies a key length of %d (remember that XTS keys are twice the length of the underlying key size)", group.ID, test.ID, len(test.KeyHex), group.KeyLen) } diff --git a/src/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2 b/src/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2 Binary files differindex d83b6916..ff4ded06 100644 --- a/src/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2 +++ b/src/util/fipstools/acvp/acvptool/test/expected/TLS12.bz2 diff --git a/src/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2 b/src/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2 Binary files differindex d1911ab9..00d9bbbe 100644 --- a/src/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2 +++ b/src/util/fipstools/acvp/acvptool/test/vectors/TLS12.bz2 diff --git a/src/util/fipstools/delocate/delocate.go b/src/util/fipstools/delocate/delocate.go index b801d6df..8e0e508a 100644 --- a/src/util/fipstools/delocate/delocate.go +++ b/src/util/fipstools/delocate/delocate.go 
@@ -263,6 +263,47 @@ func (d *delocation) processDirective(statement, directive *node32) (*node32, er return statement, nil } +func (d *delocation) processSymbolExpr(expr *node32, b *strings.Builder) bool { + changed := false + assertNodeType(expr, ruleSymbolExpr) + + for expr != nil { + atom := expr.up + assertNodeType(atom, ruleSymbolAtom) + + for term := atom.up; term != nil; term = skipWS(term.next) { + if term.pegRule == ruleSymbolExpr { + changed = d.processSymbolExpr(term, b) || changed + continue + } + + if term.pegRule != ruleLocalSymbol { + b.WriteString(d.contents(term)) + continue + } + + oldSymbol := d.contents(term) + newSymbol := d.mapLocalSymbol(oldSymbol) + if newSymbol != oldSymbol { + changed = true + } + + b.WriteString(newSymbol) + } + + next := skipWS(atom.next) + if next == nil { + break + } + assertNodeType(next, ruleSymbolOperator) + b.WriteString(d.contents(next)) + next = skipWS(next.next) + assertNodeType(next, ruleSymbolExpr) + expr = next + } + return changed +} + func (d *delocation) processLabelContainingDirective(statement, directive *node32) (*node32, error) { // The symbols within directives need to be mapped so that local // symbols in two different .s inputs don't collide. @@ -280,24 +321,12 @@ func (d *delocation) processLabelContainingDirective(statement, directive *node3 for node = skipWS(node.up); node != nil; node = skipWS(node.next) { assertNodeType(node, ruleSymbolArg) arg := node.up - var mapped string + assertNodeType(arg, ruleSymbolExpr) - for term := arg; term != nil; term = term.next { - if term.pegRule != ruleLocalSymbol { - mapped += d.contents(term) - continue - } - - oldSymbol := d.contents(term) - newSymbol := d.mapLocalSymbol(oldSymbol) - if newSymbol != oldSymbol { - changed = true - } - - mapped += newSymbol - } + var b strings.Builder + changed = d.processSymbolExpr(arg, &b) || changed - args = append(args, mapped) + args = append(args, b.String()) } if !changed { 
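Review bot: `processSymbolExpr` is added without a doc comment, and its contract is not obvious from the signature: it appends to `b`, recurses into parenthesised sub-expressions, and returns whether any local symbol was renamed. It also appears to drop whitespace, since terms and operators are reached through `skipWS` and only their contents are written. I would add `// processSymbolExpr writes expr to b with local symbols passed through mapLocalSymbol and` / `// reports whether any symbol changed. Whitespace between terms is not preserved.` above the function. It would also help to say that `next` being a `SymbolExpr` after an operator is guaranteed by the grammar, because `assertNodeType(next, ruleSymbolExpr)` is the only guard there.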
@@ -1260,6 +1289,16 @@ func writeAarch64Function(w stringWriter, funcName string, writeContents func(st w.WriteString(".type " + funcName + ", @function\n") w.WriteString(funcName + ":\n") w.WriteString(".cfi_startproc\n") + // We insert a landing pad (`bti c` instruction) unconditionally at the beginning of + // every generated function so that they can be called indirectly (with `blr` or + // `br x16/x17`). The instruction is encoded in the HINT space as `hint #34` and is + // a no-op on machines or program states not supporting BTI (Branch Target Identification). + // None of the generated function bodies call other functions (with bl or blr), so we only + // insert a landing pad instead of signing and validating $lr with `paciasp` and `autiasp`. + // Normally we would also generate a .note.gnu.property section to annotate the assembly + // file as BTI-compatible, but if the input assembly files are BTI-compatible, they should + // already have those sections so there is no need to add an extra one ourselves. + w.WriteString("\thint #34 // bti c\n") writeContents(w) w.WriteString(".cfi_endproc\n") w.WriteString(".size " + funcName + ", .-" + funcName + "\n") diff --git a/src/util/fipstools/delocate/delocate.peg b/src/util/fipstools/delocate/delocate.peg index 9db3e8cf..9ba357a2 100644 --- a/src/util/fipstools/delocate/delocate.peg +++ b/src/util/fipstools/delocate/delocate.peg 
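Review bot: The new comment in `writeAarch64Function` justifies emitting only `hint #34` on two assumptions that nothing in the function checks. One is that no `writeContents` callback emits `bl`/`blr`; the other is that every input assembly file already carries the `.note.gnu.property` BTI marking. If the second fails, the linker would normally drop BTI for the whole output without an error, leaving the landing pads silently ineffective; that is an inference from how BTI marking generally works, not something this hunk shows. I would state both as caller obligations in the comment, e.g. `// Callers must not emit bl/blr in writeContents; the BTI property note must come from the input files.`, and ideally have a build or test step check the delocated output for the property note.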
@@ -47,17 +47,14 @@ QuotedText <- (EscapedChar / [^"])* LabelContainingDirective <- LabelContainingDirectiveName WS SymbolArgs LabelContainingDirectiveName <- ".xword" / ".word" / ".long" / ".set" / ".byte" / ".8byte" / ".4byte" / ".quad" / ".tc" / ".localentry" / ".size" / ".type" / ".uleb128" / ".sleb128" SymbolArgs <- SymbolArg ((WS? ',' WS?) SymbolArg)* -SymbolShift <- ('<<' / '>>') WS? [0-9]+ -SymbolArg <- (OpenParen WS?)? ( - Offset / - SymbolType / - (Offset / LocalSymbol / SymbolName / Dot) (WS? Operator WS? (Offset / LocalSymbol / SymbolName))* / - LocalSymbol TCMarker? / - SymbolName Offset / - SymbolName TCMarker?) - (WS? CloseParen)? (WS? SymbolShift)? + +SymbolArg <- SymbolExpr +SymbolExpr <- SymbolAtom (WS? SymbolOperator WS? SymbolExpr)? +SymbolAtom <- Offset / SymbolType / LocalSymbol TCMarker? / SymbolName Offset / SymbolName TCMarker? / Dot / OpenParen WS? SymbolExpr WS? CloseParen +SymbolOperator <- '+' / '-' / '|' / '<<' / '>>' OpenParen <- '(' CloseParen <- ')' + SymbolType <- [@%] ('function' / 'object') Dot <- '.' TCMarker <- '[TC]' diff --git a/src/util/fipstools/delocate/delocate.peg.go b/src/util/fipstools/delocate/delocate.peg.go index 01a1fc2c..c65eb502 100644 --- a/src/util/fipstools/delocate/delocate.peg.go +++ b/src/util/fipstools/delocate/delocate.peg.go @@ -33,8 +33,10 @@ const ( ruleLabelContainingDirective ruleLabelContainingDirectiveName ruleSymbolArgs - ruleSymbolShift ruleSymbolArg + ruleSymbolExpr + ruleSymbolAtom + ruleSymbolOperator ruleOpenParen ruleCloseParen ruleSymbolType @@ -91,8 +93,10 @@ var rul3s = [...]string{ "LabelContainingDirective", "LabelContainingDirectiveName", "SymbolArgs", - "SymbolShift", "SymbolArg", + "SymbolExpr", + "SymbolAtom", + "SymbolOperator", "OpenParen", "CloseParen", "SymbolType", @@ -244,7 +248,7 @@ func (t *tokens32) Tokens() []token32 { type Asm struct { Buffer string buffer []rune - rules [55]func() bool + rules [57]func() bool parse func(rule ...int) error reset func() Pretty bool 
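Review bot: `SymbolExpr <- SymbolAtom (WS? SymbolOperator WS? SymbolExpr)?` is right-recursive, so an input like `a - b - c` nests as `a - (b - c)` in the parse tree. The rule also now accepts any `SymbolExpr` after `<<`/`>>`, where the removed `SymbolShift` required `[0-9]+`. Both are harmless while delocate.go only re-emits the matched text, as the new `processSymbolExpr` does, but neither is written down. I would add a grammar comment such as `# SymbolExpr nests to the right; the tree is only for re-emitting text, not for evaluating expressions.` above the rule.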
@@ -2513,37 +2517,55 @@ func (p *Asm) Init(options ...func(*Asm) error) error { position, tokenIndex = position283, tokenIndex283 return false }, - /* 15 SymbolShift <- <((('<' '<') / ('>' '>')) WS? [0-9]+)> */ + /* 15 SymbolArg <- <SymbolExpr> */ func() bool { position291, tokenIndex291 := position, tokenIndex { position292 := position - { - position293, tokenIndex293 := position, tokenIndex - if buffer[position] != rune('<') { - goto l294 - } - position++ - if buffer[position] != rune('<') { - goto l294 - } - position++ + if !_rules[ruleSymbolExpr]() { + goto l291 + } + add(ruleSymbolArg, position292) + } + return true + l291: + position, tokenIndex = position291, tokenIndex291 + return false + }, + /* 16 SymbolExpr <- <(SymbolAtom (WS? SymbolOperator WS? SymbolExpr)?)> */ + func() bool { + position293, tokenIndex293 := position, tokenIndex + { + position294 := position + if !_rules[ruleSymbolAtom]() { goto l293 - l294: - position, tokenIndex = position293, tokenIndex293 - if buffer[position] != rune('>') { - goto l291 - } - position++ - if buffer[position] != rune('>') { - goto l291 - } - position++ } - l293: { position295, tokenIndex295 := position, tokenIndex - if !_rules[ruleWS]() { + { + position297, tokenIndex297 := position, tokenIndex + if !_rules[ruleWS]() { + goto l297 + } + goto l298 + l297: + position, tokenIndex = position297, tokenIndex297 + } + l298: + if !_rules[ruleSymbolOperator]() { + goto l295 + } + { + position299, tokenIndex299 := position, tokenIndex + if !_rules[ruleWS]() { + goto l299 + } + goto l300 + l299: + position, tokenIndex = position299, tokenIndex299 + } + l300: + if !_rules[ruleSymbolExpr]() { goto l295 } goto l296 
@@ -2551,3872 +2573,3814 @@ func (p *Asm) Init(options ...func(*Asm) error) error { position, tokenIndex = position295, tokenIndex295 } l296: - if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l291 - } - position++ - l297: - { - position298, tokenIndex298 := position, tokenIndex - if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l298 - } - position++ - goto l297 - l298: - position, tokenIndex = position298, tokenIndex298 - } - add(ruleSymbolShift, position292) + add(ruleSymbolExpr, position294) } return true - l291: - position, tokenIndex = position291, tokenIndex291 + l293: + position, tokenIndex = position293, tokenIndex293 return false }, - /* 16 SymbolArg <- <((OpenParen WS?)? (Offset / SymbolType / ((Offset / LocalSymbol / SymbolName / Dot) (WS? Operator WS? (Offset / LocalSymbol / SymbolName))*) / (LocalSymbol TCMarker?) / (SymbolName Offset) / (SymbolName TCMarker?)) (WS? CloseParen)? (WS? SymbolShift)?)> */ + /* 17 SymbolAtom <- <(Offset / SymbolType / (LocalSymbol TCMarker?) / (SymbolName Offset) / (SymbolName TCMarker?) / Dot / (OpenParen WS? SymbolExpr WS? 
CloseParen))> */ func() bool { - position299, tokenIndex299 := position, tokenIndex + position301, tokenIndex301 := position, tokenIndex { - position300 := position + position302 := position { - position301, tokenIndex301 := position, tokenIndex - if !_rules[ruleOpenParen]() { - goto l301 - } - { - position303, tokenIndex303 := position, tokenIndex - if !_rules[ruleWS]() { - goto l303 - } + position303, tokenIndex303 := position, tokenIndex + if !_rules[ruleOffset]() { goto l304 - l303: - position, tokenIndex = position303, tokenIndex303 } + goto l303 l304: - goto l302 - l301: - position, tokenIndex = position301, tokenIndex301 - } - l302: - { - position305, tokenIndex305 := position, tokenIndex - if !_rules[ruleOffset]() { - goto l306 - } - goto l305 - l306: - position, tokenIndex = position305, tokenIndex305 + position, tokenIndex = position303, tokenIndex303 if !_rules[ruleSymbolType]() { - goto l307 + goto l305 + } + goto l303 + l305: + position, tokenIndex = position303, tokenIndex303 + if !_rules[ruleLocalSymbol]() { + goto l306 } - goto l305 - l307: - position, tokenIndex = position305, tokenIndex305 { - position309, tokenIndex309 := position, tokenIndex - if !_rules[ruleOffset]() { - goto l310 + position307, tokenIndex307 := position, tokenIndex + if !_rules[ruleTCMarker]() { + goto l307 } + goto l308 + l307: + position, tokenIndex = position307, tokenIndex307 + } + l308: + goto l303 + l306: + position, tokenIndex = position303, tokenIndex303 + if !_rules[ruleSymbolName]() { goto l309 - l310: - position, tokenIndex = position309, tokenIndex309 - if !_rules[ruleLocalSymbol]() { + } + if !_rules[ruleOffset]() { + goto l309 + } + goto l303 + l309: + position, tokenIndex = position303, tokenIndex303 + if !_rules[ruleSymbolName]() { + goto l310 + } + { + position311, tokenIndex311 := position, tokenIndex + if !_rules[ruleTCMarker]() { goto l311 } - goto l309 + goto l312 l311: - position, tokenIndex = position309, tokenIndex309 - if !_rules[ruleSymbolName]() { - 
goto l312 - } - goto l309 - l312: - position, tokenIndex = position309, tokenIndex309 - if !_rules[ruleDot]() { - goto l308 - } + position, tokenIndex = position311, tokenIndex311 } - l309: + l312: + goto l303 + l310: + position, tokenIndex = position303, tokenIndex303 + if !_rules[ruleDot]() { + goto l313 + } + goto l303 l313: + position, tokenIndex = position303, tokenIndex303 + if !_rules[ruleOpenParen]() { + goto l301 + } { position314, tokenIndex314 := position, tokenIndex - { - position315, tokenIndex315 := position, tokenIndex - if !_rules[ruleWS]() { - goto l315 - } - goto l316 - l315: - position, tokenIndex = position315, tokenIndex315 - } - l316: - if !_rules[ruleOperator]() { + if !_rules[ruleWS]() { goto l314 } - { - position317, tokenIndex317 := position, tokenIndex - if !_rules[ruleWS]() { - goto l317 - } - goto l318 - l317: - position, tokenIndex = position317, tokenIndex317 - } - l318: - { - position319, tokenIndex319 := position, tokenIndex - if !_rules[ruleOffset]() { - goto l320 - } - goto l319 - l320: - position, tokenIndex = position319, tokenIndex319 - if !_rules[ruleLocalSymbol]() { - goto l321 - } - goto l319 - l321: - position, tokenIndex = position319, tokenIndex319 - if !_rules[ruleSymbolName]() { - goto l314 - } - } - l319: - goto l313 + goto l315 l314: position, tokenIndex = position314, tokenIndex314 } - goto l305 - l308: - position, tokenIndex = position305, tokenIndex305 - if !_rules[ruleLocalSymbol]() { - goto l322 + l315: + if !_rules[ruleSymbolExpr]() { + goto l301 } { - position323, tokenIndex323 := position, tokenIndex - if !_rules[ruleTCMarker]() { - goto l323 + position316, tokenIndex316 := position, tokenIndex + if !_rules[ruleWS]() { + goto l316 } - goto l324 - l323: - position, tokenIndex = position323, tokenIndex323 + goto l317 + l316: + position, tokenIndex = position316, tokenIndex316 } - l324: - goto l305 - l322: - position, tokenIndex = position305, tokenIndex305 - if !_rules[ruleSymbolName]() { - goto l325 + l317: + 
if !_rules[ruleCloseParen]() { + goto l301 } - if !_rules[ruleOffset]() { - goto l325 + } + l303: + add(ruleSymbolAtom, position302) + } + return true + l301: + position, tokenIndex = position301, tokenIndex301 + return false + }, + /* 18 SymbolOperator <- <('+' / '-' / '|' / ('<' '<') / ('>' '>'))> */ + func() bool { + position318, tokenIndex318 := position, tokenIndex + { + position319 := position + { + position320, tokenIndex320 := position, tokenIndex + if buffer[position] != rune('+') { + goto l321 } - goto l305 - l325: - position, tokenIndex = position305, tokenIndex305 - if !_rules[ruleSymbolName]() { - goto l299 + position++ + goto l320 + l321: + position, tokenIndex = position320, tokenIndex320 + if buffer[position] != rune('-') { + goto l322 } - { - position326, tokenIndex326 := position, tokenIndex - if !_rules[ruleTCMarker]() { - goto l326 - } - goto l327 - l326: - position, tokenIndex = position326, tokenIndex326 + position++ + goto l320 + l322: + position, tokenIndex = position320, tokenIndex320 + if buffer[position] != rune('|') { + goto l323 } - l327: - } - l305: - { - position328, tokenIndex328 := position, tokenIndex - { - position330, tokenIndex330 := position, tokenIndex - if !_rules[ruleWS]() { - goto l330 - } - goto l331 - l330: - position, tokenIndex = position330, tokenIndex330 + position++ + goto l320 + l323: + position, tokenIndex = position320, tokenIndex320 + if buffer[position] != rune('<') { + goto l324 } - l331: - if !_rules[ruleCloseParen]() { - goto l328 + position++ + if buffer[position] != rune('<') { + goto l324 } - goto l329 - l328: - position, tokenIndex = position328, tokenIndex328 - } - l329: - { - position332, tokenIndex332 := position, tokenIndex - { - position334, tokenIndex334 := position, tokenIndex - if !_rules[ruleWS]() { - goto l334 - } - goto l335 - l334: - position, tokenIndex = position334, tokenIndex334 + position++ + goto l320 + l324: + position, tokenIndex = position320, tokenIndex320 + if buffer[position] != 
rune('>') { + goto l318 } - l335: - if !_rules[ruleSymbolShift]() { - goto l332 + position++ + if buffer[position] != rune('>') { + goto l318 } - goto l333 - l332: - position, tokenIndex = position332, tokenIndex332 + position++ } - l333: - add(ruleSymbolArg, position300) + l320: + add(ruleSymbolOperator, position319) } return true - l299: - position, tokenIndex = position299, tokenIndex299 + l318: + position, tokenIndex = position318, tokenIndex318 return false }, - /* 17 OpenParen <- <'('> */ + /* 19 OpenParen <- <'('> */ func() bool { - position336, tokenIndex336 := position, tokenIndex + position325, tokenIndex325 := position, tokenIndex { - position337 := position + position326 := position if buffer[position] != rune('(') { - goto l336 + goto l325 } position++ - add(ruleOpenParen, position337) + add(ruleOpenParen, position326) } return true - l336: - position, tokenIndex = position336, tokenIndex336 + l325: + position, tokenIndex = position325, tokenIndex325 return false }, - /* 18 CloseParen <- <')'> */ + /* 20 CloseParen <- <')'> */ func() bool { - position338, tokenIndex338 := position, tokenIndex + position327, tokenIndex327 := position, tokenIndex { - position339 := position + position328 := position if buffer[position] != rune(')') { - goto l338 + goto l327 } position++ - add(ruleCloseParen, position339) + add(ruleCloseParen, position328) } return true - l338: - position, tokenIndex = position338, tokenIndex338 + l327: + position, tokenIndex = position327, tokenIndex327 return false }, - /* 19 SymbolType <- <(('@' / '%') (('f' 'u' 'n' 'c' 't' 'i' 'o' 'n') / ('o' 'b' 'j' 'e' 'c' 't')))> */ + /* 21 SymbolType <- <(('@' / '%') (('f' 'u' 'n' 'c' 't' 'i' 'o' 'n') / ('o' 'b' 'j' 'e' 'c' 't')))> */ func() bool { - position340, tokenIndex340 := position, tokenIndex + position329, tokenIndex329 := position, tokenIndex { - position341 := position + position330 := position { - position342, tokenIndex342 := position, tokenIndex + position331, tokenIndex331 := 
position, tokenIndex if buffer[position] != rune('@') { - goto l343 + goto l332 } position++ - goto l342 - l343: - position, tokenIndex = position342, tokenIndex342 + goto l331 + l332: + position, tokenIndex = position331, tokenIndex331 if buffer[position] != rune('%') { - goto l340 + goto l329 } position++ } - l342: + l331: { - position344, tokenIndex344 := position, tokenIndex + position333, tokenIndex333 := position, tokenIndex if buffer[position] != rune('f') { - goto l345 + goto l334 } position++ if buffer[position] != rune('u') { - goto l345 + goto l334 } position++ if buffer[position] != rune('n') { - goto l345 + goto l334 } position++ if buffer[position] != rune('c') { - goto l345 + goto l334 } position++ if buffer[position] != rune('t') { - goto l345 + goto l334 } position++ if buffer[position] != rune('i') { - goto l345 + goto l334 } position++ if buffer[position] != rune('o') { - goto l345 + goto l334 } position++ if buffer[position] != rune('n') { - goto l345 + goto l334 } position++ - goto l344 - l345: - position, tokenIndex = position344, tokenIndex344 + goto l333 + l334: + position, tokenIndex = position333, tokenIndex333 if buffer[position] != rune('o') { - goto l340 + goto l329 } position++ if buffer[position] != rune('b') { - goto l340 + goto l329 } position++ if buffer[position] != rune('j') { - goto l340 + goto l329 } position++ if buffer[position] != rune('e') { - goto l340 + goto l329 } position++ if buffer[position] != rune('c') { - goto l340 + goto l329 } position++ if buffer[position] != rune('t') { - goto l340 + goto l329 } position++ } - l344: - add(ruleSymbolType, position341) + l333: + add(ruleSymbolType, position330) } return true - l340: - position, tokenIndex = position340, tokenIndex340 + l329: + position, tokenIndex = position329, tokenIndex329 return false }, - /* 20 Dot <- <'.'> */ + /* 22 Dot <- <'.'> */ func() bool { - position346, tokenIndex346 := position, tokenIndex + position335, tokenIndex335 := position, tokenIndex { - 
position347 := position + position336 := position if buffer[position] != rune('.') { - goto l346 + goto l335 } position++ - add(ruleDot, position347) + add(ruleDot, position336) } return true - l346: - position, tokenIndex = position346, tokenIndex346 + l335: + position, tokenIndex = position335, tokenIndex335 return false }, - /* 21 TCMarker <- <('[' 'T' 'C' ']')> */ + /* 23 TCMarker <- <('[' 'T' 'C' ']')> */ func() bool { - position348, tokenIndex348 := position, tokenIndex + position337, tokenIndex337 := position, tokenIndex { - position349 := position + position338 := position if buffer[position] != rune('[') { - goto l348 + goto l337 } position++ if buffer[position] != rune('T') { - goto l348 + goto l337 } position++ if buffer[position] != rune('C') { - goto l348 + goto l337 } position++ if buffer[position] != rune(']') { - goto l348 + goto l337 } position++ - add(ruleTCMarker, position349) + add(ruleTCMarker, position338) } return true - l348: - position, tokenIndex = position348, tokenIndex348 + l337: + position, tokenIndex = position337, tokenIndex337 return false }, - /* 22 EscapedChar <- <('\\' .)> */ + /* 24 EscapedChar <- <('\\' .)> */ func() bool { - position350, tokenIndex350 := position, tokenIndex + position339, tokenIndex339 := position, tokenIndex { - position351 := position + position340 := position if buffer[position] != rune('\\') { - goto l350 + goto l339 } position++ if !matchDot() { - goto l350 + goto l339 } - add(ruleEscapedChar, position351) + add(ruleEscapedChar, position340) } return true - l350: - position, tokenIndex = position350, tokenIndex350 + l339: + position, tokenIndex = position339, tokenIndex339 return false }, - /* 23 WS <- <(' ' / '\t')+> */ + /* 25 WS <- <(' ' / '\t')+> */ func() bool { - position352, tokenIndex352 := position, tokenIndex + position341, tokenIndex341 := position, tokenIndex { - position353 := position + position342 := position { - position356, tokenIndex356 := position, tokenIndex + position345, 
tokenIndex345 := position, tokenIndex if buffer[position] != rune(' ') { - goto l357 + goto l346 } position++ - goto l356 - l357: - position, tokenIndex = position356, tokenIndex356 + goto l345 + l346: + position, tokenIndex = position345, tokenIndex345 if buffer[position] != rune('\t') { - goto l352 + goto l341 } position++ } - l356: - l354: + l345: + l343: { - position355, tokenIndex355 := position, tokenIndex + position344, tokenIndex344 := position, tokenIndex { - position358, tokenIndex358 := position, tokenIndex + position347, tokenIndex347 := position, tokenIndex if buffer[position] != rune(' ') { - goto l359 + goto l348 } position++ - goto l358 - l359: - position, tokenIndex = position358, tokenIndex358 + goto l347 + l348: + position, tokenIndex = position347, tokenIndex347 if buffer[position] != rune('\t') { - goto l355 + goto l344 } position++ } - l358: - goto l354 - l355: - position, tokenIndex = position355, tokenIndex355 + l347: + goto l343 + l344: + position, tokenIndex = position344, tokenIndex344 } - add(ruleWS, position353) + add(ruleWS, position342) } return true - l352: - position, tokenIndex = position352, tokenIndex352 + l341: + position, tokenIndex = position341, tokenIndex341 return false }, - /* 24 Comment <- <((('/' '/') / '#') (!'\n' .)*)> */ + /* 26 Comment <- <((('/' '/') / '#') (!'\n' .)*)> */ func() bool { - position360, tokenIndex360 := position, tokenIndex + position349, tokenIndex349 := position, tokenIndex { - position361 := position + position350 := position { - position362, tokenIndex362 := position, tokenIndex + position351, tokenIndex351 := position, tokenIndex if buffer[position] != rune('/') { - goto l363 + goto l352 } position++ if buffer[position] != rune('/') { - goto l363 + goto l352 } position++ - goto l362 - l363: - position, tokenIndex = position362, tokenIndex362 + goto l351 + l352: + position, tokenIndex = position351, tokenIndex351 if buffer[position] != rune('#') { - goto l360 + goto l349 } position++ } - l362: - 
l364: + l351: + l353: { - position365, tokenIndex365 := position, tokenIndex + position354, tokenIndex354 := position, tokenIndex { - position366, tokenIndex366 := position, tokenIndex + position355, tokenIndex355 := position, tokenIndex if buffer[position] != rune('\n') { - goto l366 + goto l355 } position++ - goto l365 - l366: - position, tokenIndex = position366, tokenIndex366 + goto l354 + l355: + position, tokenIndex = position355, tokenIndex355 } if !matchDot() { - goto l365 + goto l354 } - goto l364 - l365: - position, tokenIndex = position365, tokenIndex365 + goto l353 + l354: + position, tokenIndex = position354, tokenIndex354 } - add(ruleComment, position361) + add(ruleComment, position350) } return true - l360: - position, tokenIndex = position360, tokenIndex360 + l349: + position, tokenIndex = position349, tokenIndex349 return false }, - /* 25 Label <- <((LocalSymbol / LocalLabel / SymbolName) ':')> */ + /* 27 Label <- <((LocalSymbol / LocalLabel / SymbolName) ':')> */ func() bool { - position367, tokenIndex367 := position, tokenIndex + position356, tokenIndex356 := position, tokenIndex { - position368 := position + position357 := position { - position369, tokenIndex369 := position, tokenIndex + position358, tokenIndex358 := position, tokenIndex if !_rules[ruleLocalSymbol]() { - goto l370 + goto l359 } - goto l369 - l370: - position, tokenIndex = position369, tokenIndex369 + goto l358 + l359: + position, tokenIndex = position358, tokenIndex358 if !_rules[ruleLocalLabel]() { - goto l371 + goto l360 } - goto l369 - l371: - position, tokenIndex = position369, tokenIndex369 + goto l358 + l360: + position, tokenIndex = position358, tokenIndex358 if !_rules[ruleSymbolName]() { - goto l367 + goto l356 } } - l369: + l358: if buffer[position] != rune(':') { - goto l367 + goto l356 } position++ - add(ruleLabel, position368) + add(ruleLabel, position357) } return true - l367: - position, tokenIndex = position367, tokenIndex367 + l356: + position, tokenIndex = 
position356, tokenIndex356 return false }, - /* 26 SymbolName <- <(([a-z] / [A-Z] / '.' / '_') ([a-z] / [A-Z] / '.' / ([0-9] / [0-9]) / '$' / '_')*)> */ + /* 28 SymbolName <- <(([a-z] / [A-Z] / '.' / '_') ([a-z] / [A-Z] / '.' / ([0-9] / [0-9]) / '$' / '_')*)> */ func() bool { - position372, tokenIndex372 := position, tokenIndex + position361, tokenIndex361 := position, tokenIndex { - position373 := position + position362 := position { - position374, tokenIndex374 := position, tokenIndex + position363, tokenIndex363 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l375 + goto l364 } position++ - goto l374 - l375: - position, tokenIndex = position374, tokenIndex374 + goto l363 + l364: + position, tokenIndex = position363, tokenIndex363 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l376 + goto l365 } position++ - goto l374 - l376: - position, tokenIndex = position374, tokenIndex374 + goto l363 + l365: + position, tokenIndex = position363, tokenIndex363 if buffer[position] != rune('.') { - goto l377 + goto l366 } position++ - goto l374 - l377: - position, tokenIndex = position374, tokenIndex374 + goto l363 + l366: + position, tokenIndex = position363, tokenIndex363 if buffer[position] != rune('_') { - goto l372 + goto l361 } position++ } - l374: - l378: + l363: + l367: { - position379, tokenIndex379 := position, tokenIndex + position368, tokenIndex368 := position, tokenIndex { - position380, tokenIndex380 := position, tokenIndex + position369, tokenIndex369 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l381 + goto l370 } position++ - goto l380 - l381: - position, tokenIndex = position380, tokenIndex380 + goto l369 + l370: + position, tokenIndex = position369, tokenIndex369 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l382 + goto l371 } position++ - goto l380 - l382: - position, tokenIndex = position380, tokenIndex380 + goto l369 + l371: + 
position, tokenIndex = position369, tokenIndex369 if buffer[position] != rune('.') { - goto l383 + goto l372 } position++ - goto l380 - l383: - position, tokenIndex = position380, tokenIndex380 + goto l369 + l372: + position, tokenIndex = position369, tokenIndex369 { - position385, tokenIndex385 := position, tokenIndex + position374, tokenIndex374 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l386 + goto l375 } position++ - goto l385 - l386: - position, tokenIndex = position385, tokenIndex385 + goto l374 + l375: + position, tokenIndex = position374, tokenIndex374 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l384 + goto l373 } position++ } - l385: - goto l380 - l384: - position, tokenIndex = position380, tokenIndex380 + l374: + goto l369 + l373: + position, tokenIndex = position369, tokenIndex369 if buffer[position] != rune('$') { - goto l387 + goto l376 } position++ - goto l380 - l387: - position, tokenIndex = position380, tokenIndex380 + goto l369 + l376: + position, tokenIndex = position369, tokenIndex369 if buffer[position] != rune('_') { - goto l379 + goto l368 } position++ } - l380: - goto l378 - l379: - position, tokenIndex = position379, tokenIndex379 + l369: + goto l367 + l368: + position, tokenIndex = position368, tokenIndex368 } - add(ruleSymbolName, position373) + add(ruleSymbolName, position362) } return true - l372: - position, tokenIndex = position372, tokenIndex372 + l361: + position, tokenIndex = position361, tokenIndex361 return false }, - /* 27 LocalSymbol <- <('.' 'L' ([a-z] / [A-Z] / ([a-z] / [A-Z]) / '.' / ([0-9] / [0-9]) / '$' / '_')+)> */ + /* 29 LocalSymbol <- <('.' 'L' ([a-z] / [A-Z] / ([a-z] / [A-Z]) / '.' 
/ ([0-9] / [0-9]) / '$' / '_')+)> */ func() bool { - position388, tokenIndex388 := position, tokenIndex + position377, tokenIndex377 := position, tokenIndex { - position389 := position + position378 := position if buffer[position] != rune('.') { - goto l388 + goto l377 } position++ if buffer[position] != rune('L') { - goto l388 + goto l377 } position++ { - position392, tokenIndex392 := position, tokenIndex + position381, tokenIndex381 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l393 + goto l382 } position++ - goto l392 - l393: - position, tokenIndex = position392, tokenIndex392 + goto l381 + l382: + position, tokenIndex = position381, tokenIndex381 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l394 + goto l383 } position++ - goto l392 - l394: - position, tokenIndex = position392, tokenIndex392 + goto l381 + l383: + position, tokenIndex = position381, tokenIndex381 { - position396, tokenIndex396 := position, tokenIndex + position385, tokenIndex385 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l397 + goto l386 } position++ - goto l396 - l397: - position, tokenIndex = position396, tokenIndex396 + goto l385 + l386: + position, tokenIndex = position385, tokenIndex385 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l395 + goto l384 } position++ } - l396: - goto l392 - l395: - position, tokenIndex = position392, tokenIndex392 + l385: + goto l381 + l384: + position, tokenIndex = position381, tokenIndex381 if buffer[position] != rune('.') { - goto l398 + goto l387 } position++ - goto l392 - l398: - position, tokenIndex = position392, tokenIndex392 + goto l381 + l387: + position, tokenIndex = position381, tokenIndex381 { - position400, tokenIndex400 := position, tokenIndex + position389, tokenIndex389 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l401 + goto l390 } position++ - goto l400 - l401: - 
position, tokenIndex = position400, tokenIndex400 + goto l389 + l390: + position, tokenIndex = position389, tokenIndex389 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l399 + goto l388 } position++ } - l400: - goto l392 - l399: - position, tokenIndex = position392, tokenIndex392 + l389: + goto l381 + l388: + position, tokenIndex = position381, tokenIndex381 if buffer[position] != rune('$') { - goto l402 + goto l391 } position++ - goto l392 - l402: - position, tokenIndex = position392, tokenIndex392 + goto l381 + l391: + position, tokenIndex = position381, tokenIndex381 if buffer[position] != rune('_') { - goto l388 + goto l377 } position++ } - l392: - l390: + l381: + l379: { - position391, tokenIndex391 := position, tokenIndex + position380, tokenIndex380 := position, tokenIndex { - position403, tokenIndex403 := position, tokenIndex + position392, tokenIndex392 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l404 + goto l393 } position++ - goto l403 - l404: - position, tokenIndex = position403, tokenIndex403 + goto l392 + l393: + position, tokenIndex = position392, tokenIndex392 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l405 + goto l394 } position++ - goto l403 - l405: - position, tokenIndex = position403, tokenIndex403 + goto l392 + l394: + position, tokenIndex = position392, tokenIndex392 { - position407, tokenIndex407 := position, tokenIndex + position396, tokenIndex396 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l408 + goto l397 } position++ - goto l407 - l408: - position, tokenIndex = position407, tokenIndex407 + goto l396 + l397: + position, tokenIndex = position396, tokenIndex396 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l406 + goto l395 } position++ } - l407: - goto l403 - l406: - position, tokenIndex = position403, tokenIndex403 + l396: + goto l392 + l395: + position, tokenIndex = position392, 
tokenIndex392 if buffer[position] != rune('.') { - goto l409 + goto l398 } position++ - goto l403 - l409: - position, tokenIndex = position403, tokenIndex403 + goto l392 + l398: + position, tokenIndex = position392, tokenIndex392 { - position411, tokenIndex411 := position, tokenIndex + position400, tokenIndex400 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l412 + goto l401 } position++ - goto l411 - l412: - position, tokenIndex = position411, tokenIndex411 + goto l400 + l401: + position, tokenIndex = position400, tokenIndex400 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l410 + goto l399 } position++ } - l411: - goto l403 - l410: - position, tokenIndex = position403, tokenIndex403 + l400: + goto l392 + l399: + position, tokenIndex = position392, tokenIndex392 if buffer[position] != rune('$') { - goto l413 + goto l402 } position++ - goto l403 - l413: - position, tokenIndex = position403, tokenIndex403 + goto l392 + l402: + position, tokenIndex = position392, tokenIndex392 if buffer[position] != rune('_') { - goto l391 + goto l380 } position++ } - l403: - goto l390 - l391: - position, tokenIndex = position391, tokenIndex391 + l392: + goto l379 + l380: + position, tokenIndex = position380, tokenIndex380 } - add(ruleLocalSymbol, position389) + add(ruleLocalSymbol, position378) } return true - l388: - position, tokenIndex = position388, tokenIndex388 + l377: + position, tokenIndex = position377, tokenIndex377 return false }, - /* 28 LocalLabel <- <([0-9] ([0-9] / '$')*)> */ + /* 30 LocalLabel <- <([0-9] ([0-9] / '$')*)> */ func() bool { - position414, tokenIndex414 := position, tokenIndex + position403, tokenIndex403 := position, tokenIndex { - position415 := position + position404 := position if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l414 + goto l403 } position++ - l416: + l405: { - position417, tokenIndex417 := position, tokenIndex + position406, tokenIndex406 := position, 
tokenIndex { - position418, tokenIndex418 := position, tokenIndex + position407, tokenIndex407 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l419 + goto l408 } position++ - goto l418 - l419: - position, tokenIndex = position418, tokenIndex418 + goto l407 + l408: + position, tokenIndex = position407, tokenIndex407 if buffer[position] != rune('$') { - goto l417 + goto l406 } position++ } - l418: - goto l416 - l417: - position, tokenIndex = position417, tokenIndex417 + l407: + goto l405 + l406: + position, tokenIndex = position406, tokenIndex406 } - add(ruleLocalLabel, position415) + add(ruleLocalLabel, position404) } return true - l414: - position, tokenIndex = position414, tokenIndex414 + l403: + position, tokenIndex = position403, tokenIndex403 return false }, - /* 29 LocalLabelRef <- <([0-9] ([0-9] / '$')* ('b' / 'f'))> */ + /* 31 LocalLabelRef <- <([0-9] ([0-9] / '$')* ('b' / 'f'))> */ func() bool { - position420, tokenIndex420 := position, tokenIndex + position409, tokenIndex409 := position, tokenIndex { - position421 := position + position410 := position if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l420 + goto l409 } position++ - l422: + l411: { - position423, tokenIndex423 := position, tokenIndex + position412, tokenIndex412 := position, tokenIndex { - position424, tokenIndex424 := position, tokenIndex + position413, tokenIndex413 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l425 + goto l414 } position++ - goto l424 - l425: - position, tokenIndex = position424, tokenIndex424 + goto l413 + l414: + position, tokenIndex = position413, tokenIndex413 if buffer[position] != rune('$') { - goto l423 + goto l412 } position++ } - l424: - goto l422 - l423: - position, tokenIndex = position423, tokenIndex423 + l413: + goto l411 + l412: + position, tokenIndex = position412, tokenIndex412 } { - position426, tokenIndex426 := position, tokenIndex + position415, 
tokenIndex415 := position, tokenIndex if buffer[position] != rune('b') { - goto l427 + goto l416 } position++ - goto l426 - l427: - position, tokenIndex = position426, tokenIndex426 + goto l415 + l416: + position, tokenIndex = position415, tokenIndex415 if buffer[position] != rune('f') { - goto l420 + goto l409 } position++ } - l426: - add(ruleLocalLabelRef, position421) + l415: + add(ruleLocalLabelRef, position410) } return true - l420: - position, tokenIndex = position420, tokenIndex420 + l409: + position, tokenIndex = position409, tokenIndex409 return false }, - /* 30 Instruction <- <(InstructionName (WS InstructionArg (WS? ',' WS? InstructionArg)*)?)> */ + /* 32 Instruction <- <(InstructionName (WS InstructionArg (WS? ',' WS? InstructionArg)*)?)> */ func() bool { - position428, tokenIndex428 := position, tokenIndex + position417, tokenIndex417 := position, tokenIndex { - position429 := position + position418 := position if !_rules[ruleInstructionName]() { - goto l428 + goto l417 } { - position430, tokenIndex430 := position, tokenIndex + position419, tokenIndex419 := position, tokenIndex if !_rules[ruleWS]() { - goto l430 + goto l419 } if !_rules[ruleInstructionArg]() { - goto l430 + goto l419 } - l432: + l421: { - position433, tokenIndex433 := position, tokenIndex + position422, tokenIndex422 := position, tokenIndex { - position434, tokenIndex434 := position, tokenIndex + position423, tokenIndex423 := position, tokenIndex if !_rules[ruleWS]() { - goto l434 + goto l423 } - goto l435 - l434: - position, tokenIndex = position434, tokenIndex434 + goto l424 + l423: + position, tokenIndex = position423, tokenIndex423 } - l435: + l424: if buffer[position] != rune(',') { - goto l433 + goto l422 } position++ { - position436, tokenIndex436 := position, tokenIndex + position425, tokenIndex425 := position, tokenIndex if !_rules[ruleWS]() { - goto l436 + goto l425 } - goto l437 - l436: - position, tokenIndex = position436, tokenIndex436 + goto l426 + l425: + position, 
tokenIndex = position425, tokenIndex425 } - l437: + l426: if !_rules[ruleInstructionArg]() { - goto l433 + goto l422 } - goto l432 - l433: - position, tokenIndex = position433, tokenIndex433 + goto l421 + l422: + position, tokenIndex = position422, tokenIndex422 } - goto l431 - l430: - position, tokenIndex = position430, tokenIndex430 + goto l420 + l419: + position, tokenIndex = position419, tokenIndex419 } - l431: - add(ruleInstruction, position429) + l420: + add(ruleInstruction, position418) } return true - l428: - position, tokenIndex = position428, tokenIndex428 + l417: + position, tokenIndex = position417, tokenIndex417 return false }, - /* 31 InstructionName <- <(([a-z] / [A-Z]) ([a-z] / [A-Z] / '.' / ([0-9] / [0-9]))* ('.' / '+' / '-')?)> */ + /* 33 InstructionName <- <(([a-z] / [A-Z]) ([a-z] / [A-Z] / '.' / ([0-9] / [0-9]))* ('.' / '+' / '-')?)> */ func() bool { - position438, tokenIndex438 := position, tokenIndex + position427, tokenIndex427 := position, tokenIndex { - position439 := position + position428 := position { - position440, tokenIndex440 := position, tokenIndex + position429, tokenIndex429 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l441 + goto l430 } position++ - goto l440 - l441: - position, tokenIndex = position440, tokenIndex440 + goto l429 + l430: + position, tokenIndex = position429, tokenIndex429 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l438 + goto l427 } position++ } - l440: - l442: + l429: + l431: { - position443, tokenIndex443 := position, tokenIndex + position432, tokenIndex432 := position, tokenIndex { - position444, tokenIndex444 := position, tokenIndex + position433, tokenIndex433 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l445 + goto l434 } position++ - goto l444 - l445: - position, tokenIndex = position444, tokenIndex444 + goto l433 + l434: + position, tokenIndex = position433, tokenIndex433 if c := 
buffer[position]; c < rune('A') || c > rune('Z') { - goto l446 + goto l435 } position++ - goto l444 - l446: - position, tokenIndex = position444, tokenIndex444 + goto l433 + l435: + position, tokenIndex = position433, tokenIndex433 if buffer[position] != rune('.') { - goto l447 + goto l436 } position++ - goto l444 - l447: - position, tokenIndex = position444, tokenIndex444 + goto l433 + l436: + position, tokenIndex = position433, tokenIndex433 { - position448, tokenIndex448 := position, tokenIndex + position437, tokenIndex437 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l449 + goto l438 } position++ - goto l448 - l449: - position, tokenIndex = position448, tokenIndex448 + goto l437 + l438: + position, tokenIndex = position437, tokenIndex437 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l443 + goto l432 } position++ } - l448: + l437: } - l444: - goto l442 - l443: - position, tokenIndex = position443, tokenIndex443 + l433: + goto l431 + l432: + position, tokenIndex = position432, tokenIndex432 } { - position450, tokenIndex450 := position, tokenIndex + position439, tokenIndex439 := position, tokenIndex { - position452, tokenIndex452 := position, tokenIndex + position441, tokenIndex441 := position, tokenIndex if buffer[position] != rune('.') { - goto l453 + goto l442 } position++ - goto l452 - l453: - position, tokenIndex = position452, tokenIndex452 + goto l441 + l442: + position, tokenIndex = position441, tokenIndex441 if buffer[position] != rune('+') { - goto l454 + goto l443 } position++ - goto l452 - l454: - position, tokenIndex = position452, tokenIndex452 + goto l441 + l443: + position, tokenIndex = position441, tokenIndex441 if buffer[position] != rune('-') { - goto l450 + goto l439 } position++ } - l452: - goto l451 - l450: - position, tokenIndex = position450, tokenIndex450 + l441: + goto l440 + l439: + position, tokenIndex = position439, tokenIndex439 } - l451: - add(ruleInstructionName, 
position439) + l440: + add(ruleInstructionName, position428) } return true - l438: - position, tokenIndex = position438, tokenIndex438 + l427: + position, tokenIndex = position427, tokenIndex427 return false }, - /* 32 InstructionArg <- <(IndirectionIndicator? (ARMConstantTweak / RegisterOrConstant / LocalLabelRef / TOCRefHigh / TOCRefLow / GOTLocation / GOTSymbolOffset / MemoryRef) AVX512Token*)> */ + /* 34 InstructionArg <- <(IndirectionIndicator? (ARMConstantTweak / RegisterOrConstant / LocalLabelRef / TOCRefHigh / TOCRefLow / GOTLocation / GOTSymbolOffset / MemoryRef) AVX512Token*)> */ func() bool { - position455, tokenIndex455 := position, tokenIndex + position444, tokenIndex444 := position, tokenIndex { - position456 := position + position445 := position { - position457, tokenIndex457 := position, tokenIndex + position446, tokenIndex446 := position, tokenIndex if !_rules[ruleIndirectionIndicator]() { - goto l457 + goto l446 } - goto l458 - l457: - position, tokenIndex = position457, tokenIndex457 + goto l447 + l446: + position, tokenIndex = position446, tokenIndex446 } - l458: + l447: { - position459, tokenIndex459 := position, tokenIndex + position448, tokenIndex448 := position, tokenIndex if !_rules[ruleARMConstantTweak]() { - goto l460 + goto l449 } - goto l459 - l460: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l449: + position, tokenIndex = position448, tokenIndex448 if !_rules[ruleRegisterOrConstant]() { - goto l461 + goto l450 } - goto l459 - l461: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l450: + position, tokenIndex = position448, tokenIndex448 if !_rules[ruleLocalLabelRef]() { - goto l462 + goto l451 } - goto l459 - l462: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l451: + position, tokenIndex = position448, tokenIndex448 if !_rules[ruleTOCRefHigh]() { - goto l463 + goto l452 } - goto l459 - l463: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l452: + position, 
tokenIndex = position448, tokenIndex448 if !_rules[ruleTOCRefLow]() { - goto l464 + goto l453 } - goto l459 - l464: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l453: + position, tokenIndex = position448, tokenIndex448 if !_rules[ruleGOTLocation]() { - goto l465 + goto l454 } - goto l459 - l465: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l454: + position, tokenIndex = position448, tokenIndex448 if !_rules[ruleGOTSymbolOffset]() { - goto l466 + goto l455 } - goto l459 - l466: - position, tokenIndex = position459, tokenIndex459 + goto l448 + l455: + position, tokenIndex = position448, tokenIndex448 if !_rules[ruleMemoryRef]() { - goto l455 + goto l444 } } - l459: - l467: + l448: + l456: { - position468, tokenIndex468 := position, tokenIndex + position457, tokenIndex457 := position, tokenIndex if !_rules[ruleAVX512Token]() { - goto l468 + goto l457 } - goto l467 - l468: - position, tokenIndex = position468, tokenIndex468 + goto l456 + l457: + position, tokenIndex = position457, tokenIndex457 } - add(ruleInstructionArg, position456) + add(ruleInstructionArg, position445) } return true - l455: - position, tokenIndex = position455, tokenIndex455 + l444: + position, tokenIndex = position444, tokenIndex444 return false }, - /* 33 GOTLocation <- <('$' '_' 'G' 'L' 'O' 'B' 'A' 'L' '_' 'O' 'F' 'F' 'S' 'E' 'T' '_' 'T' 'A' 'B' 'L' 'E' '_' '-' LocalSymbol)> */ + /* 35 GOTLocation <- <('$' '_' 'G' 'L' 'O' 'B' 'A' 'L' '_' 'O' 'F' 'F' 'S' 'E' 'T' '_' 'T' 'A' 'B' 'L' 'E' '_' '-' LocalSymbol)> */ func() bool { - position469, tokenIndex469 := position, tokenIndex + position458, tokenIndex458 := position, tokenIndex { - position470 := position + position459 := position if buffer[position] != rune('$') { - goto l469 + goto l458 } position++ if buffer[position] != rune('_') { - goto l469 + goto l458 } position++ if buffer[position] != rune('G') { - goto l469 + goto l458 } position++ if buffer[position] != rune('L') { - goto l469 + goto l458 } 
position++ if buffer[position] != rune('O') { - goto l469 + goto l458 } position++ if buffer[position] != rune('B') { - goto l469 + goto l458 } position++ if buffer[position] != rune('A') { - goto l469 + goto l458 } position++ if buffer[position] != rune('L') { - goto l469 + goto l458 } position++ if buffer[position] != rune('_') { - goto l469 + goto l458 } position++ if buffer[position] != rune('O') { - goto l469 + goto l458 } position++ if buffer[position] != rune('F') { - goto l469 + goto l458 } position++ if buffer[position] != rune('F') { - goto l469 + goto l458 } position++ if buffer[position] != rune('S') { - goto l469 + goto l458 } position++ if buffer[position] != rune('E') { - goto l469 + goto l458 } position++ if buffer[position] != rune('T') { - goto l469 + goto l458 } position++ if buffer[position] != rune('_') { - goto l469 + goto l458 } position++ if buffer[position] != rune('T') { - goto l469 + goto l458 } position++ if buffer[position] != rune('A') { - goto l469 + goto l458 } position++ if buffer[position] != rune('B') { - goto l469 + goto l458 } position++ if buffer[position] != rune('L') { - goto l469 + goto l458 } position++ if buffer[position] != rune('E') { - goto l469 + goto l458 } position++ if buffer[position] != rune('_') { - goto l469 + goto l458 } position++ if buffer[position] != rune('-') { - goto l469 + goto l458 } position++ if !_rules[ruleLocalSymbol]() { - goto l469 + goto l458 } - add(ruleGOTLocation, position470) + add(ruleGOTLocation, position459) } return true - l469: - position, tokenIndex = position469, tokenIndex469 + l458: + position, tokenIndex = position458, tokenIndex458 return false }, - /* 34 GOTSymbolOffset <- <(('$' SymbolName ('@' 'G' 'O' 'T') ('O' 'F' 'F')?) / (':' ('g' / 'G') ('o' / 'O') ('t' / 'T') ':' SymbolName))> */ + /* 36 GOTSymbolOffset <- <(('$' SymbolName ('@' 'G' 'O' 'T') ('O' 'F' 'F')?) 
/ (':' ('g' / 'G') ('o' / 'O') ('t' / 'T') ':' SymbolName))> */ func() bool { - position471, tokenIndex471 := position, tokenIndex + position460, tokenIndex460 := position, tokenIndex { - position472 := position + position461 := position { - position473, tokenIndex473 := position, tokenIndex + position462, tokenIndex462 := position, tokenIndex if buffer[position] != rune('$') { - goto l474 + goto l463 } position++ if !_rules[ruleSymbolName]() { - goto l474 + goto l463 } if buffer[position] != rune('@') { - goto l474 + goto l463 } position++ if buffer[position] != rune('G') { - goto l474 + goto l463 } position++ if buffer[position] != rune('O') { - goto l474 + goto l463 } position++ if buffer[position] != rune('T') { - goto l474 + goto l463 } position++ { - position475, tokenIndex475 := position, tokenIndex + position464, tokenIndex464 := position, tokenIndex if buffer[position] != rune('O') { - goto l475 + goto l464 } position++ if buffer[position] != rune('F') { - goto l475 + goto l464 } position++ if buffer[position] != rune('F') { - goto l475 + goto l464 } position++ - goto l476 - l475: - position, tokenIndex = position475, tokenIndex475 + goto l465 + l464: + position, tokenIndex = position464, tokenIndex464 } - l476: - goto l473 - l474: - position, tokenIndex = position473, tokenIndex473 + l465: + goto l462 + l463: + position, tokenIndex = position462, tokenIndex462 if buffer[position] != rune(':') { - goto l471 + goto l460 } position++ { - position477, tokenIndex477 := position, tokenIndex + position466, tokenIndex466 := position, tokenIndex if buffer[position] != rune('g') { - goto l478 + goto l467 } position++ - goto l477 - l478: - position, tokenIndex = position477, tokenIndex477 + goto l466 + l467: + position, tokenIndex = position466, tokenIndex466 if buffer[position] != rune('G') { - goto l471 + goto l460 } position++ } - l477: + l466: { - position479, tokenIndex479 := position, tokenIndex + position468, tokenIndex468 := position, tokenIndex if 
buffer[position] != rune('o') { - goto l480 + goto l469 } position++ - goto l479 - l480: - position, tokenIndex = position479, tokenIndex479 + goto l468 + l469: + position, tokenIndex = position468, tokenIndex468 if buffer[position] != rune('O') { - goto l471 + goto l460 } position++ } - l479: + l468: { - position481, tokenIndex481 := position, tokenIndex + position470, tokenIndex470 := position, tokenIndex if buffer[position] != rune('t') { - goto l482 + goto l471 } position++ - goto l481 - l482: - position, tokenIndex = position481, tokenIndex481 + goto l470 + l471: + position, tokenIndex = position470, tokenIndex470 if buffer[position] != rune('T') { - goto l471 + goto l460 } position++ } - l481: + l470: if buffer[position] != rune(':') { - goto l471 + goto l460 } position++ if !_rules[ruleSymbolName]() { - goto l471 + goto l460 } } - l473: - add(ruleGOTSymbolOffset, position472) + l462: + add(ruleGOTSymbolOffset, position461) } return true - l471: - position, tokenIndex = position471, tokenIndex471 + l460: + position, tokenIndex = position460, tokenIndex460 return false }, - /* 35 AVX512Token <- <(WS? '{' '%'? ([0-9] / [a-z])* '}')> */ + /* 37 AVX512Token <- <(WS? '{' '%'? 
([0-9] / [a-z])* '}')> */ func() bool { - position483, tokenIndex483 := position, tokenIndex + position472, tokenIndex472 := position, tokenIndex { - position484 := position + position473 := position { - position485, tokenIndex485 := position, tokenIndex + position474, tokenIndex474 := position, tokenIndex if !_rules[ruleWS]() { - goto l485 + goto l474 } - goto l486 - l485: - position, tokenIndex = position485, tokenIndex485 + goto l475 + l474: + position, tokenIndex = position474, tokenIndex474 } - l486: + l475: if buffer[position] != rune('{') { - goto l483 + goto l472 } position++ { - position487, tokenIndex487 := position, tokenIndex + position476, tokenIndex476 := position, tokenIndex if buffer[position] != rune('%') { - goto l487 + goto l476 } position++ - goto l488 - l487: - position, tokenIndex = position487, tokenIndex487 + goto l477 + l476: + position, tokenIndex = position476, tokenIndex476 } - l488: - l489: + l477: + l478: { - position490, tokenIndex490 := position, tokenIndex + position479, tokenIndex479 := position, tokenIndex { - position491, tokenIndex491 := position, tokenIndex + position480, tokenIndex480 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l492 + goto l481 } position++ - goto l491 - l492: - position, tokenIndex = position491, tokenIndex491 + goto l480 + l481: + position, tokenIndex = position480, tokenIndex480 if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l490 + goto l479 } position++ } - l491: - goto l489 - l490: - position, tokenIndex = position490, tokenIndex490 + l480: + goto l478 + l479: + position, tokenIndex = position479, tokenIndex479 } if buffer[position] != rune('}') { - goto l483 + goto l472 } position++ - add(ruleAVX512Token, position484) + add(ruleAVX512Token, position473) } return true - l483: - position, tokenIndex = position483, tokenIndex483 + l472: + position, tokenIndex = position472, tokenIndex472 return false }, - /* 36 TOCRefHigh <- <('.' 
'T' 'O' 'C' '.' '-' (('0' 'b') / ('.' 'L' ([a-z] / [A-Z] / '_' / [0-9])+)) ('@' ('h' / 'H') ('a' / 'A')))> */ + /* 38 TOCRefHigh <- <('.' 'T' 'O' 'C' '.' '-' (('0' 'b') / ('.' 'L' ([a-z] / [A-Z] / '_' / [0-9])+)) ('@' ('h' / 'H') ('a' / 'A')))> */ func() bool { - position493, tokenIndex493 := position, tokenIndex + position482, tokenIndex482 := position, tokenIndex { - position494 := position + position483 := position if buffer[position] != rune('.') { - goto l493 + goto l482 } position++ if buffer[position] != rune('T') { - goto l493 + goto l482 } position++ if buffer[position] != rune('O') { - goto l493 + goto l482 } position++ if buffer[position] != rune('C') { - goto l493 + goto l482 } position++ if buffer[position] != rune('.') { - goto l493 + goto l482 } position++ if buffer[position] != rune('-') { - goto l493 + goto l482 } position++ { - position495, tokenIndex495 := position, tokenIndex + position484, tokenIndex484 := position, tokenIndex if buffer[position] != rune('0') { - goto l496 + goto l485 } position++ if buffer[position] != rune('b') { - goto l496 + goto l485 } position++ - goto l495 - l496: - position, tokenIndex = position495, tokenIndex495 + goto l484 + l485: + position, tokenIndex = position484, tokenIndex484 if buffer[position] != rune('.') { - goto l493 + goto l482 } position++ if buffer[position] != rune('L') { - goto l493 + goto l482 } position++ { - position499, tokenIndex499 := position, tokenIndex + position488, tokenIndex488 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l500 + goto l489 } position++ - goto l499 - l500: - position, tokenIndex = position499, tokenIndex499 + goto l488 + l489: + position, tokenIndex = position488, tokenIndex488 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l501 + goto l490 } position++ - goto l499 - l501: - position, tokenIndex = position499, tokenIndex499 + goto l488 + l490: + position, tokenIndex = position488, tokenIndex488 if 
buffer[position] != rune('_') { - goto l502 + goto l491 } position++ - goto l499 - l502: - position, tokenIndex = position499, tokenIndex499 + goto l488 + l491: + position, tokenIndex = position488, tokenIndex488 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l493 + goto l482 } position++ } - l499: - l497: + l488: + l486: { - position498, tokenIndex498 := position, tokenIndex + position487, tokenIndex487 := position, tokenIndex { - position503, tokenIndex503 := position, tokenIndex + position492, tokenIndex492 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l504 + goto l493 } position++ - goto l503 - l504: - position, tokenIndex = position503, tokenIndex503 + goto l492 + l493: + position, tokenIndex = position492, tokenIndex492 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l505 + goto l494 } position++ - goto l503 - l505: - position, tokenIndex = position503, tokenIndex503 + goto l492 + l494: + position, tokenIndex = position492, tokenIndex492 if buffer[position] != rune('_') { - goto l506 + goto l495 } position++ - goto l503 - l506: - position, tokenIndex = position503, tokenIndex503 + goto l492 + l495: + position, tokenIndex = position492, tokenIndex492 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l498 + goto l487 } position++ } - l503: - goto l497 - l498: - position, tokenIndex = position498, tokenIndex498 + l492: + goto l486 + l487: + position, tokenIndex = position487, tokenIndex487 } } - l495: + l484: if buffer[position] != rune('@') { - goto l493 + goto l482 } position++ { - position507, tokenIndex507 := position, tokenIndex + position496, tokenIndex496 := position, tokenIndex if buffer[position] != rune('h') { - goto l508 + goto l497 } position++ - goto l507 - l508: - position, tokenIndex = position507, tokenIndex507 + goto l496 + l497: + position, tokenIndex = position496, tokenIndex496 if buffer[position] != rune('H') { - goto l493 + goto l482 } 
position++ } - l507: + l496: { - position509, tokenIndex509 := position, tokenIndex + position498, tokenIndex498 := position, tokenIndex if buffer[position] != rune('a') { - goto l510 + goto l499 } position++ - goto l509 - l510: - position, tokenIndex = position509, tokenIndex509 + goto l498 + l499: + position, tokenIndex = position498, tokenIndex498 if buffer[position] != rune('A') { - goto l493 + goto l482 } position++ } - l509: - add(ruleTOCRefHigh, position494) + l498: + add(ruleTOCRefHigh, position483) } return true - l493: - position, tokenIndex = position493, tokenIndex493 + l482: + position, tokenIndex = position482, tokenIndex482 return false }, - /* 37 TOCRefLow <- <('.' 'T' 'O' 'C' '.' '-' (('0' 'b') / ('.' 'L' ([a-z] / [A-Z] / '_' / [0-9])+)) ('@' ('l' / 'L')))> */ + /* 39 TOCRefLow <- <('.' 'T' 'O' 'C' '.' '-' (('0' 'b') / ('.' 'L' ([a-z] / [A-Z] / '_' / [0-9])+)) ('@' ('l' / 'L')))> */ func() bool { - position511, tokenIndex511 := position, tokenIndex + position500, tokenIndex500 := position, tokenIndex { - position512 := position + position501 := position if buffer[position] != rune('.') { - goto l511 + goto l500 } position++ if buffer[position] != rune('T') { - goto l511 + goto l500 } position++ if buffer[position] != rune('O') { - goto l511 + goto l500 } position++ if buffer[position] != rune('C') { - goto l511 + goto l500 } position++ if buffer[position] != rune('.') { - goto l511 + goto l500 } position++ if buffer[position] != rune('-') { - goto l511 + goto l500 } position++ { - position513, tokenIndex513 := position, tokenIndex + position502, tokenIndex502 := position, tokenIndex if buffer[position] != rune('0') { - goto l514 + goto l503 } position++ if buffer[position] != rune('b') { - goto l514 + goto l503 } position++ - goto l513 - l514: - position, tokenIndex = position513, tokenIndex513 + goto l502 + l503: + position, tokenIndex = position502, tokenIndex502 if buffer[position] != rune('.') { - goto l511 + goto l500 } position++ if 
buffer[position] != rune('L') { - goto l511 + goto l500 } position++ { - position517, tokenIndex517 := position, tokenIndex + position506, tokenIndex506 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l518 + goto l507 } position++ - goto l517 - l518: - position, tokenIndex = position517, tokenIndex517 + goto l506 + l507: + position, tokenIndex = position506, tokenIndex506 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l519 + goto l508 } position++ - goto l517 - l519: - position, tokenIndex = position517, tokenIndex517 + goto l506 + l508: + position, tokenIndex = position506, tokenIndex506 if buffer[position] != rune('_') { - goto l520 + goto l509 } position++ - goto l517 - l520: - position, tokenIndex = position517, tokenIndex517 + goto l506 + l509: + position, tokenIndex = position506, tokenIndex506 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l511 + goto l500 } position++ } - l517: - l515: + l506: + l504: { - position516, tokenIndex516 := position, tokenIndex + position505, tokenIndex505 := position, tokenIndex { - position521, tokenIndex521 := position, tokenIndex + position510, tokenIndex510 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l522 + goto l511 } position++ - goto l521 - l522: - position, tokenIndex = position521, tokenIndex521 + goto l510 + l511: + position, tokenIndex = position510, tokenIndex510 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l523 + goto l512 } position++ - goto l521 - l523: - position, tokenIndex = position521, tokenIndex521 + goto l510 + l512: + position, tokenIndex = position510, tokenIndex510 if buffer[position] != rune('_') { - goto l524 + goto l513 } position++ - goto l521 - l524: - position, tokenIndex = position521, tokenIndex521 + goto l510 + l513: + position, tokenIndex = position510, tokenIndex510 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l516 + goto l505 } 
position++ } - l521: - goto l515 - l516: - position, tokenIndex = position516, tokenIndex516 + l510: + goto l504 + l505: + position, tokenIndex = position505, tokenIndex505 } } - l513: + l502: if buffer[position] != rune('@') { - goto l511 + goto l500 } position++ { - position525, tokenIndex525 := position, tokenIndex + position514, tokenIndex514 := position, tokenIndex if buffer[position] != rune('l') { - goto l526 + goto l515 } position++ - goto l525 - l526: - position, tokenIndex = position525, tokenIndex525 + goto l514 + l515: + position, tokenIndex = position514, tokenIndex514 if buffer[position] != rune('L') { - goto l511 + goto l500 } position++ } - l525: - add(ruleTOCRefLow, position512) + l514: + add(ruleTOCRefLow, position501) } return true - l511: - position, tokenIndex = position511, tokenIndex511 + l500: + position, tokenIndex = position500, tokenIndex500 return false }, - /* 38 IndirectionIndicator <- <'*'> */ + /* 40 IndirectionIndicator <- <'*'> */ func() bool { - position527, tokenIndex527 := position, tokenIndex + position516, tokenIndex516 := position, tokenIndex { - position528 := position + position517 := position if buffer[position] != rune('*') { - goto l527 + goto l516 } position++ - add(ruleIndirectionIndicator, position528) + add(ruleIndirectionIndicator, position517) } return true - l527: - position, tokenIndex = position527, tokenIndex527 + l516: + position, tokenIndex = position516, tokenIndex516 return false }, - /* 39 RegisterOrConstant <- <((('%' ([a-z] / [A-Z]) ([a-z] / [A-Z] / ([0-9] / [0-9]))*) / ('$'? ((Offset Offset) / Offset)) / ('#' Offset ('*' [0-9]+ ('-' [0-9] [0-9]*)?)?) / ('#' '~'? '(' [0-9] WS? ('<' '<') WS? [0-9] ')') / ARMRegister) !('f' / 'b' / ':' / '(' / '+' / '-'))> */ + /* 41 RegisterOrConstant <- <((('%' ([a-z] / [A-Z]) ([a-z] / [A-Z] / ([0-9] / [0-9]))*) / ('$'? ((Offset Offset) / Offset)) / ('#' Offset ('*' [0-9]+ ('-' [0-9] [0-9]*)?)?) / ('#' '~'? '(' [0-9] WS? ('<' '<') WS? 
[0-9] ')') / ARMRegister) !('f' / 'b' / ':' / '(' / '+' / '-'))> */ func() bool { - position529, tokenIndex529 := position, tokenIndex + position518, tokenIndex518 := position, tokenIndex { - position530 := position + position519 := position { - position531, tokenIndex531 := position, tokenIndex + position520, tokenIndex520 := position, tokenIndex if buffer[position] != rune('%') { - goto l532 + goto l521 } position++ { - position533, tokenIndex533 := position, tokenIndex + position522, tokenIndex522 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l534 + goto l523 } position++ - goto l533 - l534: - position, tokenIndex = position533, tokenIndex533 + goto l522 + l523: + position, tokenIndex = position522, tokenIndex522 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l532 + goto l521 } position++ } - l533: - l535: + l522: + l524: { - position536, tokenIndex536 := position, tokenIndex + position525, tokenIndex525 := position, tokenIndex { - position537, tokenIndex537 := position, tokenIndex + position526, tokenIndex526 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l538 + goto l527 } position++ - goto l537 - l538: - position, tokenIndex = position537, tokenIndex537 + goto l526 + l527: + position, tokenIndex = position526, tokenIndex526 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l539 + goto l528 } position++ - goto l537 - l539: - position, tokenIndex = position537, tokenIndex537 + goto l526 + l528: + position, tokenIndex = position526, tokenIndex526 { - position540, tokenIndex540 := position, tokenIndex + position529, tokenIndex529 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l541 + goto l530 } position++ - goto l540 - l541: - position, tokenIndex = position540, tokenIndex540 + goto l529 + l530: + position, tokenIndex = position529, tokenIndex529 if c := buffer[position]; c < rune('0') || c > 
rune('9') { - goto l536 + goto l525 } position++ } - l540: + l529: } - l537: - goto l535 - l536: - position, tokenIndex = position536, tokenIndex536 + l526: + goto l524 + l525: + position, tokenIndex = position525, tokenIndex525 } - goto l531 - l532: - position, tokenIndex = position531, tokenIndex531 + goto l520 + l521: + position, tokenIndex = position520, tokenIndex520 { - position543, tokenIndex543 := position, tokenIndex + position532, tokenIndex532 := position, tokenIndex if buffer[position] != rune('$') { - goto l543 + goto l532 } position++ - goto l544 - l543: - position, tokenIndex = position543, tokenIndex543 + goto l533 + l532: + position, tokenIndex = position532, tokenIndex532 } - l544: + l533: { - position545, tokenIndex545 := position, tokenIndex + position534, tokenIndex534 := position, tokenIndex if !_rules[ruleOffset]() { - goto l546 + goto l535 } if !_rules[ruleOffset]() { - goto l546 + goto l535 } - goto l545 - l546: - position, tokenIndex = position545, tokenIndex545 + goto l534 + l535: + position, tokenIndex = position534, tokenIndex534 if !_rules[ruleOffset]() { - goto l542 + goto l531 } } - l545: - goto l531 - l542: - position, tokenIndex = position531, tokenIndex531 + l534: + goto l520 + l531: + position, tokenIndex = position520, tokenIndex520 if buffer[position] != rune('#') { - goto l547 + goto l536 } position++ if !_rules[ruleOffset]() { - goto l547 + goto l536 } { - position548, tokenIndex548 := position, tokenIndex + position537, tokenIndex537 := position, tokenIndex if buffer[position] != rune('*') { - goto l548 + goto l537 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l548 + goto l537 } position++ - l550: + l539: { - position551, tokenIndex551 := position, tokenIndex + position540, tokenIndex540 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l551 + goto l540 } position++ - goto l550 - l551: - position, tokenIndex = position551, tokenIndex551 + goto l539 + 
l540: + position, tokenIndex = position540, tokenIndex540 } { - position552, tokenIndex552 := position, tokenIndex + position541, tokenIndex541 := position, tokenIndex if buffer[position] != rune('-') { - goto l552 + goto l541 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l552 + goto l541 } position++ - l554: + l543: { - position555, tokenIndex555 := position, tokenIndex + position544, tokenIndex544 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l555 + goto l544 } position++ - goto l554 - l555: - position, tokenIndex = position555, tokenIndex555 + goto l543 + l544: + position, tokenIndex = position544, tokenIndex544 } - goto l553 - l552: - position, tokenIndex = position552, tokenIndex552 + goto l542 + l541: + position, tokenIndex = position541, tokenIndex541 } - l553: - goto l549 - l548: - position, tokenIndex = position548, tokenIndex548 + l542: + goto l538 + l537: + position, tokenIndex = position537, tokenIndex537 } - l549: - goto l531 - l547: - position, tokenIndex = position531, tokenIndex531 + l538: + goto l520 + l536: + position, tokenIndex = position520, tokenIndex520 if buffer[position] != rune('#') { - goto l556 + goto l545 } position++ { - position557, tokenIndex557 := position, tokenIndex + position546, tokenIndex546 := position, tokenIndex if buffer[position] != rune('~') { - goto l557 + goto l546 } position++ - goto l558 - l557: - position, tokenIndex = position557, tokenIndex557 + goto l547 + l546: + position, tokenIndex = position546, tokenIndex546 } - l558: + l547: if buffer[position] != rune('(') { - goto l556 + goto l545 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l556 + goto l545 } position++ { - position559, tokenIndex559 := position, tokenIndex + position548, tokenIndex548 := position, tokenIndex if !_rules[ruleWS]() { - goto l559 + goto l548 } - goto l560 - l559: - position, tokenIndex = position559, tokenIndex559 + goto l549 + 
l548: + position, tokenIndex = position548, tokenIndex548 } - l560: + l549: if buffer[position] != rune('<') { - goto l556 + goto l545 } position++ if buffer[position] != rune('<') { - goto l556 + goto l545 } position++ { - position561, tokenIndex561 := position, tokenIndex + position550, tokenIndex550 := position, tokenIndex if !_rules[ruleWS]() { - goto l561 + goto l550 } - goto l562 - l561: - position, tokenIndex = position561, tokenIndex561 + goto l551 + l550: + position, tokenIndex = position550, tokenIndex550 } - l562: + l551: if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l556 + goto l545 } position++ if buffer[position] != rune(')') { - goto l556 + goto l545 } position++ - goto l531 - l556: - position, tokenIndex = position531, tokenIndex531 + goto l520 + l545: + position, tokenIndex = position520, tokenIndex520 if !_rules[ruleARMRegister]() { - goto l529 + goto l518 } } - l531: + l520: { - position563, tokenIndex563 := position, tokenIndex + position552, tokenIndex552 := position, tokenIndex { - position564, tokenIndex564 := position, tokenIndex + position553, tokenIndex553 := position, tokenIndex if buffer[position] != rune('f') { - goto l565 + goto l554 } position++ - goto l564 - l565: - position, tokenIndex = position564, tokenIndex564 + goto l553 + l554: + position, tokenIndex = position553, tokenIndex553 if buffer[position] != rune('b') { - goto l566 + goto l555 } position++ - goto l564 - l566: - position, tokenIndex = position564, tokenIndex564 + goto l553 + l555: + position, tokenIndex = position553, tokenIndex553 if buffer[position] != rune(':') { - goto l567 + goto l556 } position++ - goto l564 - l567: - position, tokenIndex = position564, tokenIndex564 + goto l553 + l556: + position, tokenIndex = position553, tokenIndex553 if buffer[position] != rune('(') { - goto l568 + goto l557 } position++ - goto l564 - l568: - position, tokenIndex = position564, tokenIndex564 + goto l553 + l557: + position, tokenIndex = position553, 
tokenIndex553 if buffer[position] != rune('+') { - goto l569 + goto l558 } position++ - goto l564 - l569: - position, tokenIndex = position564, tokenIndex564 + goto l553 + l558: + position, tokenIndex = position553, tokenIndex553 if buffer[position] != rune('-') { - goto l563 + goto l552 } position++ } - l564: - goto l529 - l563: - position, tokenIndex = position563, tokenIndex563 + l553: + goto l518 + l552: + position, tokenIndex = position552, tokenIndex552 } - add(ruleRegisterOrConstant, position530) + add(ruleRegisterOrConstant, position519) } return true - l529: - position, tokenIndex = position529, tokenIndex529 + l518: + position, tokenIndex = position518, tokenIndex518 return false }, - /* 40 ARMConstantTweak <- <(((('u' / 's') (('x' / 'X') ('t' / 'T')) ('x' / 'w' / 'h' / 'b')) / (('l' / 'L') ('s' / 'S') ('l' / 'L')) / (('l' / 'L') ('s' / 'S') ('r' / 'R')) / (('r' / 'R') ('o' / 'O') ('r' / 'R')) / (('a' / 'A') ('s' / 'S') ('r' / 'R'))) (WS '#' Offset)?)> */ + /* 42 ARMConstantTweak <- <(((('u' / 's') (('x' / 'X') ('t' / 'T')) ('x' / 'w' / 'h' / 'b')) / (('l' / 'L') ('s' / 'S') ('l' / 'L')) / (('l' / 'L') ('s' / 'S') ('r' / 'R')) / (('r' / 'R') ('o' / 'O') ('r' / 'R')) / (('a' / 'A') ('s' / 'S') ('r' / 'R'))) (WS '#' Offset)?)> */ func() bool { - position570, tokenIndex570 := position, tokenIndex + position559, tokenIndex559 := position, tokenIndex { - position571 := position + position560 := position { - position572, tokenIndex572 := position, tokenIndex + position561, tokenIndex561 := position, tokenIndex { - position574, tokenIndex574 := position, tokenIndex + position563, tokenIndex563 := position, tokenIndex if buffer[position] != rune('u') { - goto l575 + goto l564 } position++ - goto l574 - l575: - position, tokenIndex = position574, tokenIndex574 + goto l563 + l564: + position, tokenIndex = position563, tokenIndex563 if buffer[position] != rune('s') { - goto l573 + goto l562 } position++ } - l574: + l563: { - position576, tokenIndex576 := position, 
tokenIndex + position565, tokenIndex565 := position, tokenIndex if buffer[position] != rune('x') { - goto l577 + goto l566 } position++ - goto l576 - l577: - position, tokenIndex = position576, tokenIndex576 + goto l565 + l566: + position, tokenIndex = position565, tokenIndex565 if buffer[position] != rune('X') { - goto l573 + goto l562 } position++ } - l576: + l565: { - position578, tokenIndex578 := position, tokenIndex + position567, tokenIndex567 := position, tokenIndex if buffer[position] != rune('t') { - goto l579 + goto l568 } position++ - goto l578 - l579: - position, tokenIndex = position578, tokenIndex578 + goto l567 + l568: + position, tokenIndex = position567, tokenIndex567 if buffer[position] != rune('T') { - goto l573 + goto l562 } position++ } - l578: + l567: { - position580, tokenIndex580 := position, tokenIndex + position569, tokenIndex569 := position, tokenIndex if buffer[position] != rune('x') { - goto l581 + goto l570 } position++ - goto l580 - l581: - position, tokenIndex = position580, tokenIndex580 + goto l569 + l570: + position, tokenIndex = position569, tokenIndex569 if buffer[position] != rune('w') { - goto l582 + goto l571 } position++ - goto l580 - l582: - position, tokenIndex = position580, tokenIndex580 + goto l569 + l571: + position, tokenIndex = position569, tokenIndex569 if buffer[position] != rune('h') { - goto l583 + goto l572 } position++ - goto l580 - l583: - position, tokenIndex = position580, tokenIndex580 + goto l569 + l572: + position, tokenIndex = position569, tokenIndex569 if buffer[position] != rune('b') { - goto l573 + goto l562 } position++ } - l580: - goto l572 - l573: - position, tokenIndex = position572, tokenIndex572 + l569: + goto l561 + l562: + position, tokenIndex = position561, tokenIndex561 { - position585, tokenIndex585 := position, tokenIndex + position574, tokenIndex574 := position, tokenIndex if buffer[position] != rune('l') { - goto l586 + goto l575 } position++ - goto l585 - l586: - position, tokenIndex = 
position585, tokenIndex585 + goto l574 + l575: + position, tokenIndex = position574, tokenIndex574 if buffer[position] != rune('L') { - goto l584 + goto l573 } position++ } - l585: + l574: { - position587, tokenIndex587 := position, tokenIndex + position576, tokenIndex576 := position, tokenIndex if buffer[position] != rune('s') { - goto l588 + goto l577 } position++ - goto l587 - l588: - position, tokenIndex = position587, tokenIndex587 + goto l576 + l577: + position, tokenIndex = position576, tokenIndex576 if buffer[position] != rune('S') { - goto l584 + goto l573 } position++ } - l587: + l576: { - position589, tokenIndex589 := position, tokenIndex + position578, tokenIndex578 := position, tokenIndex if buffer[position] != rune('l') { - goto l590 + goto l579 } position++ - goto l589 - l590: - position, tokenIndex = position589, tokenIndex589 + goto l578 + l579: + position, tokenIndex = position578, tokenIndex578 if buffer[position] != rune('L') { - goto l584 + goto l573 } position++ } - l589: - goto l572 - l584: - position, tokenIndex = position572, tokenIndex572 + l578: + goto l561 + l573: + position, tokenIndex = position561, tokenIndex561 { - position592, tokenIndex592 := position, tokenIndex + position581, tokenIndex581 := position, tokenIndex if buffer[position] != rune('l') { - goto l593 + goto l582 } position++ - goto l592 - l593: - position, tokenIndex = position592, tokenIndex592 + goto l581 + l582: + position, tokenIndex = position581, tokenIndex581 if buffer[position] != rune('L') { - goto l591 + goto l580 } position++ } - l592: + l581: { - position594, tokenIndex594 := position, tokenIndex + position583, tokenIndex583 := position, tokenIndex if buffer[position] != rune('s') { - goto l595 + goto l584 } position++ - goto l594 - l595: - position, tokenIndex = position594, tokenIndex594 + goto l583 + l584: + position, tokenIndex = position583, tokenIndex583 if buffer[position] != rune('S') { - goto l591 + goto l580 } position++ } - l594: + l583: { - 
position596, tokenIndex596 := position, tokenIndex + position585, tokenIndex585 := position, tokenIndex if buffer[position] != rune('r') { - goto l597 + goto l586 } position++ - goto l596 - l597: - position, tokenIndex = position596, tokenIndex596 + goto l585 + l586: + position, tokenIndex = position585, tokenIndex585 if buffer[position] != rune('R') { - goto l591 + goto l580 } position++ } - l596: - goto l572 - l591: - position, tokenIndex = position572, tokenIndex572 + l585: + goto l561 + l580: + position, tokenIndex = position561, tokenIndex561 { - position599, tokenIndex599 := position, tokenIndex + position588, tokenIndex588 := position, tokenIndex if buffer[position] != rune('r') { - goto l600 + goto l589 } position++ - goto l599 - l600: - position, tokenIndex = position599, tokenIndex599 + goto l588 + l589: + position, tokenIndex = position588, tokenIndex588 if buffer[position] != rune('R') { - goto l598 + goto l587 } position++ } - l599: + l588: { - position601, tokenIndex601 := position, tokenIndex + position590, tokenIndex590 := position, tokenIndex if buffer[position] != rune('o') { - goto l602 + goto l591 } position++ - goto l601 - l602: - position, tokenIndex = position601, tokenIndex601 + goto l590 + l591: + position, tokenIndex = position590, tokenIndex590 if buffer[position] != rune('O') { - goto l598 + goto l587 } position++ } - l601: + l590: { - position603, tokenIndex603 := position, tokenIndex + position592, tokenIndex592 := position, tokenIndex if buffer[position] != rune('r') { - goto l604 + goto l593 } position++ - goto l603 - l604: - position, tokenIndex = position603, tokenIndex603 + goto l592 + l593: + position, tokenIndex = position592, tokenIndex592 if buffer[position] != rune('R') { - goto l598 + goto l587 } position++ } - l603: - goto l572 - l598: - position, tokenIndex = position572, tokenIndex572 + l592: + goto l561 + l587: + position, tokenIndex = position561, tokenIndex561 { - position605, tokenIndex605 := position, tokenIndex + 
position594, tokenIndex594 := position, tokenIndex if buffer[position] != rune('a') { - goto l606 + goto l595 } position++ - goto l605 - l606: - position, tokenIndex = position605, tokenIndex605 + goto l594 + l595: + position, tokenIndex = position594, tokenIndex594 if buffer[position] != rune('A') { - goto l570 + goto l559 } position++ } - l605: + l594: { - position607, tokenIndex607 := position, tokenIndex + position596, tokenIndex596 := position, tokenIndex if buffer[position] != rune('s') { - goto l608 + goto l597 } position++ - goto l607 - l608: - position, tokenIndex = position607, tokenIndex607 + goto l596 + l597: + position, tokenIndex = position596, tokenIndex596 if buffer[position] != rune('S') { - goto l570 + goto l559 } position++ } - l607: + l596: { - position609, tokenIndex609 := position, tokenIndex + position598, tokenIndex598 := position, tokenIndex if buffer[position] != rune('r') { - goto l610 + goto l599 } position++ - goto l609 - l610: - position, tokenIndex = position609, tokenIndex609 + goto l598 + l599: + position, tokenIndex = position598, tokenIndex598 if buffer[position] != rune('R') { - goto l570 + goto l559 } position++ } - l609: + l598: } - l572: + l561: { - position611, tokenIndex611 := position, tokenIndex + position600, tokenIndex600 := position, tokenIndex if !_rules[ruleWS]() { - goto l611 + goto l600 } if buffer[position] != rune('#') { - goto l611 + goto l600 } position++ if !_rules[ruleOffset]() { - goto l611 + goto l600 } - goto l612 - l611: - position, tokenIndex = position611, tokenIndex611 + goto l601 + l600: + position, tokenIndex = position600, tokenIndex600 } - l612: - add(ruleARMConstantTweak, position571) + l601: + add(ruleARMConstantTweak, position560) } return true - l570: - position, tokenIndex = position570, tokenIndex570 + l559: + position, tokenIndex = position559, tokenIndex559 return false }, - /* 41 ARMRegister <- <((('s' / 'S') ('p' / 'P')) / (('x' / 'w' / 'd' / 'q' / 's' / 'h' / 'b') [0-9] [0-9]?) 
/ (('x' / 'X') ('z' / 'Z') ('r' / 'R')) / (('w' / 'W') ('z' / 'Z') ('r' / 'R')) / (('n' / 'N') ('z' / 'Z') ('c' / 'C') ('v' / 'V')) / ARMVectorRegister / ('{' WS? ARMVectorRegister (',' WS? ARMVectorRegister)* WS? '}' ('[' [0-9] [0-9]? ']')?))> */ + /* 43 ARMRegister <- <((('s' / 'S') ('p' / 'P')) / (('x' / 'w' / 'd' / 'q' / 's' / 'h' / 'b') [0-9] [0-9]?) / (('x' / 'X') ('z' / 'Z') ('r' / 'R')) / (('w' / 'W') ('z' / 'Z') ('r' / 'R')) / (('n' / 'N') ('z' / 'Z') ('c' / 'C') ('v' / 'V')) / ARMVectorRegister / ('{' WS? ARMVectorRegister (',' WS? ARMVectorRegister)* WS? '}' ('[' [0-9] [0-9]? ']')?))> */ func() bool { - position613, tokenIndex613 := position, tokenIndex + position602, tokenIndex602 := position, tokenIndex { - position614 := position + position603 := position { - position615, tokenIndex615 := position, tokenIndex + position604, tokenIndex604 := position, tokenIndex { - position617, tokenIndex617 := position, tokenIndex + position606, tokenIndex606 := position, tokenIndex if buffer[position] != rune('s') { - goto l618 + goto l607 } position++ - goto l617 - l618: - position, tokenIndex = position617, tokenIndex617 + goto l606 + l607: + position, tokenIndex = position606, tokenIndex606 if buffer[position] != rune('S') { - goto l616 + goto l605 } position++ } - l617: + l606: { - position619, tokenIndex619 := position, tokenIndex + position608, tokenIndex608 := position, tokenIndex if buffer[position] != rune('p') { - goto l620 + goto l609 } position++ - goto l619 - l620: - position, tokenIndex = position619, tokenIndex619 + goto l608 + l609: + position, tokenIndex = position608, tokenIndex608 if buffer[position] != rune('P') { - goto l616 + goto l605 } position++ } - l619: - goto l615 - l616: - position, tokenIndex = position615, tokenIndex615 + l608: + goto l604 + l605: + position, tokenIndex = position604, tokenIndex604 { - position622, tokenIndex622 := position, tokenIndex + position611, tokenIndex611 := position, tokenIndex if buffer[position] != 
rune('x') { - goto l623 + goto l612 } position++ - goto l622 - l623: - position, tokenIndex = position622, tokenIndex622 + goto l611 + l612: + position, tokenIndex = position611, tokenIndex611 if buffer[position] != rune('w') { - goto l624 + goto l613 } position++ - goto l622 - l624: - position, tokenIndex = position622, tokenIndex622 + goto l611 + l613: + position, tokenIndex = position611, tokenIndex611 if buffer[position] != rune('d') { - goto l625 + goto l614 } position++ - goto l622 - l625: - position, tokenIndex = position622, tokenIndex622 + goto l611 + l614: + position, tokenIndex = position611, tokenIndex611 if buffer[position] != rune('q') { - goto l626 + goto l615 } position++ - goto l622 - l626: - position, tokenIndex = position622, tokenIndex622 + goto l611 + l615: + position, tokenIndex = position611, tokenIndex611 if buffer[position] != rune('s') { - goto l627 + goto l616 } position++ - goto l622 - l627: - position, tokenIndex = position622, tokenIndex622 + goto l611 + l616: + position, tokenIndex = position611, tokenIndex611 if buffer[position] != rune('h') { - goto l628 + goto l617 } position++ - goto l622 - l628: - position, tokenIndex = position622, tokenIndex622 + goto l611 + l617: + position, tokenIndex = position611, tokenIndex611 if buffer[position] != rune('b') { - goto l621 + goto l610 } position++ } - l622: + l611: if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l621 + goto l610 } position++ { - position629, tokenIndex629 := position, tokenIndex + position618, tokenIndex618 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l629 + goto l618 } position++ - goto l630 - l629: - position, tokenIndex = position629, tokenIndex629 + goto l619 + l618: + position, tokenIndex = position618, tokenIndex618 } - l630: - goto l615 - l621: - position, tokenIndex = position615, tokenIndex615 + l619: + goto l604 + l610: + position, tokenIndex = position604, tokenIndex604 { - position632, tokenIndex632 
:= position, tokenIndex + position621, tokenIndex621 := position, tokenIndex if buffer[position] != rune('x') { - goto l633 + goto l622 } position++ - goto l632 - l633: - position, tokenIndex = position632, tokenIndex632 + goto l621 + l622: + position, tokenIndex = position621, tokenIndex621 if buffer[position] != rune('X') { - goto l631 + goto l620 } position++ } - l632: + l621: { - position634, tokenIndex634 := position, tokenIndex + position623, tokenIndex623 := position, tokenIndex if buffer[position] != rune('z') { - goto l635 + goto l624 } position++ - goto l634 - l635: - position, tokenIndex = position634, tokenIndex634 + goto l623 + l624: + position, tokenIndex = position623, tokenIndex623 if buffer[position] != rune('Z') { - goto l631 + goto l620 } position++ } - l634: + l623: { - position636, tokenIndex636 := position, tokenIndex + position625, tokenIndex625 := position, tokenIndex if buffer[position] != rune('r') { - goto l637 + goto l626 } position++ - goto l636 - l637: - position, tokenIndex = position636, tokenIndex636 + goto l625 + l626: + position, tokenIndex = position625, tokenIndex625 if buffer[position] != rune('R') { - goto l631 + goto l620 } position++ } - l636: - goto l615 - l631: - position, tokenIndex = position615, tokenIndex615 + l625: + goto l604 + l620: + position, tokenIndex = position604, tokenIndex604 { - position639, tokenIndex639 := position, tokenIndex + position628, tokenIndex628 := position, tokenIndex if buffer[position] != rune('w') { - goto l640 + goto l629 } position++ - goto l639 - l640: - position, tokenIndex = position639, tokenIndex639 + goto l628 + l629: + position, tokenIndex = position628, tokenIndex628 if buffer[position] != rune('W') { - goto l638 + goto l627 } position++ } - l639: + l628: { - position641, tokenIndex641 := position, tokenIndex + position630, tokenIndex630 := position, tokenIndex if buffer[position] != rune('z') { - goto l642 + goto l631 } position++ - goto l641 - l642: - position, tokenIndex = 
position641, tokenIndex641 + goto l630 + l631: + position, tokenIndex = position630, tokenIndex630 if buffer[position] != rune('Z') { - goto l638 + goto l627 } position++ } - l641: + l630: { - position643, tokenIndex643 := position, tokenIndex + position632, tokenIndex632 := position, tokenIndex if buffer[position] != rune('r') { - goto l644 + goto l633 } position++ - goto l643 - l644: - position, tokenIndex = position643, tokenIndex643 + goto l632 + l633: + position, tokenIndex = position632, tokenIndex632 if buffer[position] != rune('R') { - goto l638 + goto l627 } position++ } - l643: - goto l615 - l638: - position, tokenIndex = position615, tokenIndex615 + l632: + goto l604 + l627: + position, tokenIndex = position604, tokenIndex604 { - position646, tokenIndex646 := position, tokenIndex + position635, tokenIndex635 := position, tokenIndex if buffer[position] != rune('n') { - goto l647 + goto l636 } position++ - goto l646 - l647: - position, tokenIndex = position646, tokenIndex646 + goto l635 + l636: + position, tokenIndex = position635, tokenIndex635 if buffer[position] != rune('N') { - goto l645 + goto l634 } position++ } - l646: + l635: { - position648, tokenIndex648 := position, tokenIndex + position637, tokenIndex637 := position, tokenIndex if buffer[position] != rune('z') { - goto l649 + goto l638 } position++ - goto l648 - l649: - position, tokenIndex = position648, tokenIndex648 + goto l637 + l638: + position, tokenIndex = position637, tokenIndex637 if buffer[position] != rune('Z') { - goto l645 + goto l634 } position++ } - l648: + l637: { - position650, tokenIndex650 := position, tokenIndex + position639, tokenIndex639 := position, tokenIndex if buffer[position] != rune('c') { - goto l651 + goto l640 } position++ - goto l650 - l651: - position, tokenIndex = position650, tokenIndex650 + goto l639 + l640: + position, tokenIndex = position639, tokenIndex639 if buffer[position] != rune('C') { - goto l645 + goto l634 } position++ } - l650: + l639: { - 
position652, tokenIndex652 := position, tokenIndex + position641, tokenIndex641 := position, tokenIndex if buffer[position] != rune('v') { - goto l653 + goto l642 } position++ - goto l652 - l653: - position, tokenIndex = position652, tokenIndex652 + goto l641 + l642: + position, tokenIndex = position641, tokenIndex641 if buffer[position] != rune('V') { - goto l645 + goto l634 } position++ } - l652: - goto l615 - l645: - position, tokenIndex = position615, tokenIndex615 + l641: + goto l604 + l634: + position, tokenIndex = position604, tokenIndex604 if !_rules[ruleARMVectorRegister]() { - goto l654 + goto l643 } - goto l615 - l654: - position, tokenIndex = position615, tokenIndex615 + goto l604 + l643: + position, tokenIndex = position604, tokenIndex604 if buffer[position] != rune('{') { - goto l613 + goto l602 } position++ { - position655, tokenIndex655 := position, tokenIndex + position644, tokenIndex644 := position, tokenIndex if !_rules[ruleWS]() { - goto l655 + goto l644 } - goto l656 - l655: - position, tokenIndex = position655, tokenIndex655 + goto l645 + l644: + position, tokenIndex = position644, tokenIndex644 } - l656: + l645: if !_rules[ruleARMVectorRegister]() { - goto l613 + goto l602 } - l657: + l646: { - position658, tokenIndex658 := position, tokenIndex + position647, tokenIndex647 := position, tokenIndex if buffer[position] != rune(',') { - goto l658 + goto l647 } position++ { - position659, tokenIndex659 := position, tokenIndex + position648, tokenIndex648 := position, tokenIndex if !_rules[ruleWS]() { - goto l659 + goto l648 } - goto l660 - l659: - position, tokenIndex = position659, tokenIndex659 + goto l649 + l648: + position, tokenIndex = position648, tokenIndex648 } - l660: + l649: if !_rules[ruleARMVectorRegister]() { - goto l658 + goto l647 } - goto l657 - l658: - position, tokenIndex = position658, tokenIndex658 + goto l646 + l647: + position, tokenIndex = position647, tokenIndex647 } { - position661, tokenIndex661 := position, tokenIndex + 
position650, tokenIndex650 := position, tokenIndex if !_rules[ruleWS]() { - goto l661 + goto l650 } - goto l662 - l661: - position, tokenIndex = position661, tokenIndex661 + goto l651 + l650: + position, tokenIndex = position650, tokenIndex650 } - l662: + l651: if buffer[position] != rune('}') { - goto l613 + goto l602 } position++ { - position663, tokenIndex663 := position, tokenIndex + position652, tokenIndex652 := position, tokenIndex if buffer[position] != rune('[') { - goto l663 + goto l652 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l663 + goto l652 } position++ { - position665, tokenIndex665 := position, tokenIndex + position654, tokenIndex654 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l665 + goto l654 } position++ - goto l666 - l665: - position, tokenIndex = position665, tokenIndex665 + goto l655 + l654: + position, tokenIndex = position654, tokenIndex654 } - l666: + l655: if buffer[position] != rune(']') { - goto l663 + goto l652 } position++ - goto l664 - l663: - position, tokenIndex = position663, tokenIndex663 + goto l653 + l652: + position, tokenIndex = position652, tokenIndex652 } - l664: + l653: } - l615: - add(ruleARMRegister, position614) + l604: + add(ruleARMRegister, position603) } return true - l613: - position, tokenIndex = position613, tokenIndex613 + l602: + position, tokenIndex = position602, tokenIndex602 return false }, - /* 42 ARMVectorRegister <- <(('v' / 'V') [0-9] [0-9]? ('.' [0-9]* ('b' / 's' / 'd' / 'h' / 'q') ('[' [0-9] [0-9]? ']')?)?)> */ + /* 44 ARMVectorRegister <- <(('v' / 'V') [0-9] [0-9]? ('.' [0-9]* ('b' / 's' / 'd' / 'h' / 'q') ('[' [0-9] [0-9]? 
']')?)?)> */ func() bool { - position667, tokenIndex667 := position, tokenIndex + position656, tokenIndex656 := position, tokenIndex { - position668 := position + position657 := position { - position669, tokenIndex669 := position, tokenIndex + position658, tokenIndex658 := position, tokenIndex if buffer[position] != rune('v') { - goto l670 + goto l659 } position++ - goto l669 - l670: - position, tokenIndex = position669, tokenIndex669 + goto l658 + l659: + position, tokenIndex = position658, tokenIndex658 if buffer[position] != rune('V') { - goto l667 + goto l656 } position++ } - l669: + l658: if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l667 + goto l656 } position++ { - position671, tokenIndex671 := position, tokenIndex + position660, tokenIndex660 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l671 + goto l660 } position++ - goto l672 - l671: - position, tokenIndex = position671, tokenIndex671 + goto l661 + l660: + position, tokenIndex = position660, tokenIndex660 } - l672: + l661: { - position673, tokenIndex673 := position, tokenIndex + position662, tokenIndex662 := position, tokenIndex if buffer[position] != rune('.') { - goto l673 + goto l662 } position++ - l675: + l664: { - position676, tokenIndex676 := position, tokenIndex + position665, tokenIndex665 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l676 + goto l665 } position++ - goto l675 - l676: - position, tokenIndex = position676, tokenIndex676 + goto l664 + l665: + position, tokenIndex = position665, tokenIndex665 } { - position677, tokenIndex677 := position, tokenIndex + position666, tokenIndex666 := position, tokenIndex if buffer[position] != rune('b') { - goto l678 + goto l667 } position++ - goto l677 - l678: - position, tokenIndex = position677, tokenIndex677 + goto l666 + l667: + position, tokenIndex = position666, tokenIndex666 if buffer[position] != rune('s') { - goto l679 + goto l668 } 
position++ - goto l677 - l679: - position, tokenIndex = position677, tokenIndex677 + goto l666 + l668: + position, tokenIndex = position666, tokenIndex666 if buffer[position] != rune('d') { - goto l680 + goto l669 } position++ - goto l677 - l680: - position, tokenIndex = position677, tokenIndex677 + goto l666 + l669: + position, tokenIndex = position666, tokenIndex666 if buffer[position] != rune('h') { - goto l681 + goto l670 } position++ - goto l677 - l681: - position, tokenIndex = position677, tokenIndex677 + goto l666 + l670: + position, tokenIndex = position666, tokenIndex666 if buffer[position] != rune('q') { - goto l673 + goto l662 } position++ } - l677: + l666: { - position682, tokenIndex682 := position, tokenIndex + position671, tokenIndex671 := position, tokenIndex if buffer[position] != rune('[') { - goto l682 + goto l671 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l682 + goto l671 } position++ { - position684, tokenIndex684 := position, tokenIndex + position673, tokenIndex673 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l684 + goto l673 } position++ - goto l685 - l684: - position, tokenIndex = position684, tokenIndex684 + goto l674 + l673: + position, tokenIndex = position673, tokenIndex673 } - l685: + l674: if buffer[position] != rune(']') { - goto l682 + goto l671 } position++ - goto l683 - l682: - position, tokenIndex = position682, tokenIndex682 + goto l672 + l671: + position, tokenIndex = position671, tokenIndex671 } - l683: - goto l674 - l673: - position, tokenIndex = position673, tokenIndex673 + l672: + goto l663 + l662: + position, tokenIndex = position662, tokenIndex662 } - l674: - add(ruleARMVectorRegister, position668) + l663: + add(ruleARMVectorRegister, position657) } return true - l667: - position, tokenIndex = position667, tokenIndex667 + l656: + position, tokenIndex = position656, tokenIndex656 return false }, - /* 43 MemoryRef <- <((SymbolRef BaseIndexScale) 
/ SymbolRef / Low12BitsSymbolRef / (Offset* BaseIndexScale) / (SegmentRegister Offset BaseIndexScale) / (SegmentRegister BaseIndexScale) / (SegmentRegister Offset) / ARMBaseIndexScale / BaseIndexScale)> */ + /* 45 MemoryRef <- <((SymbolRef BaseIndexScale) / SymbolRef / Low12BitsSymbolRef / (Offset* BaseIndexScale) / (SegmentRegister Offset BaseIndexScale) / (SegmentRegister BaseIndexScale) / (SegmentRegister Offset) / ARMBaseIndexScale / BaseIndexScale)> */ func() bool { - position686, tokenIndex686 := position, tokenIndex + position675, tokenIndex675 := position, tokenIndex { - position687 := position + position676 := position { - position688, tokenIndex688 := position, tokenIndex + position677, tokenIndex677 := position, tokenIndex if !_rules[ruleSymbolRef]() { - goto l689 + goto l678 } if !_rules[ruleBaseIndexScale]() { - goto l689 + goto l678 } - goto l688 - l689: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l678: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleSymbolRef]() { - goto l690 + goto l679 } - goto l688 - l690: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l679: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleLow12BitsSymbolRef]() { - goto l691 + goto l680 } - goto l688 - l691: - position, tokenIndex = position688, tokenIndex688 - l693: + goto l677 + l680: + position, tokenIndex = position677, tokenIndex677 + l682: { - position694, tokenIndex694 := position, tokenIndex + position683, tokenIndex683 := position, tokenIndex if !_rules[ruleOffset]() { - goto l694 + goto l683 } - goto l693 - l694: - position, tokenIndex = position694, tokenIndex694 + goto l682 + l683: + position, tokenIndex = position683, tokenIndex683 } if !_rules[ruleBaseIndexScale]() { - goto l692 + goto l681 } - goto l688 - l692: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l681: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleSegmentRegister]() { - goto l695 + goto 
l684 } if !_rules[ruleOffset]() { - goto l695 + goto l684 } if !_rules[ruleBaseIndexScale]() { - goto l695 + goto l684 } - goto l688 - l695: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l684: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleSegmentRegister]() { - goto l696 + goto l685 } if !_rules[ruleBaseIndexScale]() { - goto l696 + goto l685 } - goto l688 - l696: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l685: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleSegmentRegister]() { - goto l697 + goto l686 } if !_rules[ruleOffset]() { - goto l697 + goto l686 } - goto l688 - l697: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l686: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleARMBaseIndexScale]() { - goto l698 + goto l687 } - goto l688 - l698: - position, tokenIndex = position688, tokenIndex688 + goto l677 + l687: + position, tokenIndex = position677, tokenIndex677 if !_rules[ruleBaseIndexScale]() { - goto l686 + goto l675 } } - l688: - add(ruleMemoryRef, position687) + l677: + add(ruleMemoryRef, position676) } return true - l686: - position, tokenIndex = position686, tokenIndex686 + l675: + position, tokenIndex = position675, tokenIndex675 return false }, - /* 44 SymbolRef <- <((Offset* '+')? (LocalSymbol / SymbolName) Offset* ('@' Section Offset*)?)> */ + /* 46 SymbolRef <- <((Offset* '+')? 
(LocalSymbol / SymbolName) Offset* ('@' Section Offset*)?)> */ func() bool { - position699, tokenIndex699 := position, tokenIndex + position688, tokenIndex688 := position, tokenIndex { - position700 := position + position689 := position { - position701, tokenIndex701 := position, tokenIndex - l703: + position690, tokenIndex690 := position, tokenIndex + l692: { - position704, tokenIndex704 := position, tokenIndex + position693, tokenIndex693 := position, tokenIndex if !_rules[ruleOffset]() { - goto l704 + goto l693 } - goto l703 - l704: - position, tokenIndex = position704, tokenIndex704 + goto l692 + l693: + position, tokenIndex = position693, tokenIndex693 } if buffer[position] != rune('+') { - goto l701 + goto l690 } position++ - goto l702 - l701: - position, tokenIndex = position701, tokenIndex701 + goto l691 + l690: + position, tokenIndex = position690, tokenIndex690 } - l702: + l691: { - position705, tokenIndex705 := position, tokenIndex + position694, tokenIndex694 := position, tokenIndex if !_rules[ruleLocalSymbol]() { - goto l706 + goto l695 } - goto l705 - l706: - position, tokenIndex = position705, tokenIndex705 + goto l694 + l695: + position, tokenIndex = position694, tokenIndex694 if !_rules[ruleSymbolName]() { - goto l699 + goto l688 } } - l705: - l707: + l694: + l696: { - position708, tokenIndex708 := position, tokenIndex + position697, tokenIndex697 := position, tokenIndex if !_rules[ruleOffset]() { - goto l708 + goto l697 } - goto l707 - l708: - position, tokenIndex = position708, tokenIndex708 + goto l696 + l697: + position, tokenIndex = position697, tokenIndex697 } { - position709, tokenIndex709 := position, tokenIndex + position698, tokenIndex698 := position, tokenIndex if buffer[position] != rune('@') { - goto l709 + goto l698 } position++ if !_rules[ruleSection]() { - goto l709 + goto l698 } - l711: + l700: { - position712, tokenIndex712 := position, tokenIndex + position701, tokenIndex701 := position, tokenIndex if !_rules[ruleOffset]() { - 
goto l712 + goto l701 } - goto l711 - l712: - position, tokenIndex = position712, tokenIndex712 + goto l700 + l701: + position, tokenIndex = position701, tokenIndex701 } - goto l710 - l709: - position, tokenIndex = position709, tokenIndex709 + goto l699 + l698: + position, tokenIndex = position698, tokenIndex698 } - l710: - add(ruleSymbolRef, position700) + l699: + add(ruleSymbolRef, position689) } return true - l699: - position, tokenIndex = position699, tokenIndex699 + l688: + position, tokenIndex = position688, tokenIndex688 return false }, - /* 45 Low12BitsSymbolRef <- <(':' ('l' / 'L') ('o' / 'O') '1' '2' ':' (LocalSymbol / SymbolName) Offset?)> */ + /* 47 Low12BitsSymbolRef <- <(':' ('l' / 'L') ('o' / 'O') '1' '2' ':' (LocalSymbol / SymbolName) Offset?)> */ func() bool { - position713, tokenIndex713 := position, tokenIndex + position702, tokenIndex702 := position, tokenIndex { - position714 := position + position703 := position if buffer[position] != rune(':') { - goto l713 + goto l702 } position++ { - position715, tokenIndex715 := position, tokenIndex + position704, tokenIndex704 := position, tokenIndex if buffer[position] != rune('l') { - goto l716 + goto l705 } position++ - goto l715 - l716: - position, tokenIndex = position715, tokenIndex715 + goto l704 + l705: + position, tokenIndex = position704, tokenIndex704 if buffer[position] != rune('L') { - goto l713 + goto l702 } position++ } - l715: + l704: { - position717, tokenIndex717 := position, tokenIndex + position706, tokenIndex706 := position, tokenIndex if buffer[position] != rune('o') { - goto l718 + goto l707 } position++ - goto l717 - l718: - position, tokenIndex = position717, tokenIndex717 + goto l706 + l707: + position, tokenIndex = position706, tokenIndex706 if buffer[position] != rune('O') { - goto l713 + goto l702 } position++ } - l717: + l706: if buffer[position] != rune('1') { - goto l713 + goto l702 } position++ if buffer[position] != rune('2') { - goto l713 + goto l702 } position++ if 
buffer[position] != rune(':') { - goto l713 + goto l702 } position++ { - position719, tokenIndex719 := position, tokenIndex + position708, tokenIndex708 := position, tokenIndex if !_rules[ruleLocalSymbol]() { - goto l720 + goto l709 } - goto l719 - l720: - position, tokenIndex = position719, tokenIndex719 + goto l708 + l709: + position, tokenIndex = position708, tokenIndex708 if !_rules[ruleSymbolName]() { - goto l713 + goto l702 } } - l719: + l708: { - position721, tokenIndex721 := position, tokenIndex + position710, tokenIndex710 := position, tokenIndex if !_rules[ruleOffset]() { - goto l721 + goto l710 } - goto l722 - l721: - position, tokenIndex = position721, tokenIndex721 + goto l711 + l710: + position, tokenIndex = position710, tokenIndex710 } - l722: - add(ruleLow12BitsSymbolRef, position714) + l711: + add(ruleLow12BitsSymbolRef, position703) } return true - l713: - position, tokenIndex = position713, tokenIndex713 + l702: + position, tokenIndex = position702, tokenIndex702 return false }, - /* 46 ARMBaseIndexScale <- <('[' ARMRegister (',' WS? (('#' Offset (('*' [0-9]+) / ('*' '(' [0-9]+ Operator [0-9]+ ')') / ('+' [0-9]+)*)?) / ARMGOTLow12 / Low12BitsSymbolRef / ARMRegister) (',' WS? ARMConstantTweak)?)? ']' ARMPostincrement?)> */ + /* 48 ARMBaseIndexScale <- <('[' ARMRegister (',' WS? (('#' Offset (('*' [0-9]+) / ('*' '(' [0-9]+ Operator [0-9]+ ')') / ('+' [0-9]+)*)?) / ARMGOTLow12 / Low12BitsSymbolRef / ARMRegister) (',' WS? ARMConstantTweak)?)? 
']' ARMPostincrement?)> */ func() bool { - position723, tokenIndex723 := position, tokenIndex + position712, tokenIndex712 := position, tokenIndex { - position724 := position + position713 := position if buffer[position] != rune('[') { - goto l723 + goto l712 } position++ if !_rules[ruleARMRegister]() { - goto l723 + goto l712 } { - position725, tokenIndex725 := position, tokenIndex + position714, tokenIndex714 := position, tokenIndex if buffer[position] != rune(',') { - goto l725 + goto l714 } position++ { - position727, tokenIndex727 := position, tokenIndex + position716, tokenIndex716 := position, tokenIndex if !_rules[ruleWS]() { - goto l727 + goto l716 } - goto l728 - l727: - position, tokenIndex = position727, tokenIndex727 + goto l717 + l716: + position, tokenIndex = position716, tokenIndex716 } - l728: + l717: { - position729, tokenIndex729 := position, tokenIndex + position718, tokenIndex718 := position, tokenIndex if buffer[position] != rune('#') { - goto l730 + goto l719 } position++ if !_rules[ruleOffset]() { - goto l730 + goto l719 } { - position731, tokenIndex731 := position, tokenIndex + position720, tokenIndex720 := position, tokenIndex { - position733, tokenIndex733 := position, tokenIndex + position722, tokenIndex722 := position, tokenIndex if buffer[position] != rune('*') { - goto l734 + goto l723 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l734 + goto l723 } position++ - l735: + l724: { - position736, tokenIndex736 := position, tokenIndex + position725, tokenIndex725 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l736 + goto l725 } position++ - goto l735 - l736: - position, tokenIndex = position736, tokenIndex736 + goto l724 + l725: + position, tokenIndex = position725, tokenIndex725 } - goto l733 - l734: - position, tokenIndex = position733, tokenIndex733 + goto l722 + l723: + position, tokenIndex = position722, tokenIndex722 if buffer[position] != rune('*') { - goto 
l737 + goto l726 } position++ if buffer[position] != rune('(') { - goto l737 + goto l726 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l737 + goto l726 } position++ - l738: + l727: { - position739, tokenIndex739 := position, tokenIndex + position728, tokenIndex728 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l739 + goto l728 } position++ - goto l738 - l739: - position, tokenIndex = position739, tokenIndex739 + goto l727 + l728: + position, tokenIndex = position728, tokenIndex728 } if !_rules[ruleOperator]() { - goto l737 + goto l726 } if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l737 + goto l726 } position++ - l740: + l729: { - position741, tokenIndex741 := position, tokenIndex + position730, tokenIndex730 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l741 + goto l730 } position++ - goto l740 - l741: - position, tokenIndex = position741, tokenIndex741 + goto l729 + l730: + position, tokenIndex = position730, tokenIndex730 } if buffer[position] != rune(')') { - goto l737 + goto l726 } position++ - goto l733 - l737: - position, tokenIndex = position733, tokenIndex733 - l742: + goto l722 + l726: + position, tokenIndex = position722, tokenIndex722 + l731: { - position743, tokenIndex743 := position, tokenIndex + position732, tokenIndex732 := position, tokenIndex if buffer[position] != rune('+') { - goto l743 + goto l732 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l743 + goto l732 } position++ - l744: + l733: { - position745, tokenIndex745 := position, tokenIndex + position734, tokenIndex734 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l745 + goto l734 } position++ - goto l744 - l745: - position, tokenIndex = position745, tokenIndex745 + goto l733 + l734: + position, tokenIndex = position734, tokenIndex734 } - goto l742 - l743: - position, tokenIndex = 
position743, tokenIndex743 + goto l731 + l732: + position, tokenIndex = position732, tokenIndex732 } } - l733: - goto l732 + l722: + goto l721 - position, tokenIndex = position731, tokenIndex731 + position, tokenIndex = position720, tokenIndex720 } - l732: - goto l729 - l730: - position, tokenIndex = position729, tokenIndex729 + l721: + goto l718 + l719: + position, tokenIndex = position718, tokenIndex718 if !_rules[ruleARMGOTLow12]() { - goto l746 + goto l735 } - goto l729 - l746: - position, tokenIndex = position729, tokenIndex729 + goto l718 + l735: + position, tokenIndex = position718, tokenIndex718 if !_rules[ruleLow12BitsSymbolRef]() { - goto l747 + goto l736 } - goto l729 - l747: - position, tokenIndex = position729, tokenIndex729 + goto l718 + l736: + position, tokenIndex = position718, tokenIndex718 if !_rules[ruleARMRegister]() { - goto l725 + goto l714 } } - l729: + l718: { - position748, tokenIndex748 := position, tokenIndex + position737, tokenIndex737 := position, tokenIndex if buffer[position] != rune(',') { - goto l748 + goto l737 } position++ { - position750, tokenIndex750 := position, tokenIndex + position739, tokenIndex739 := position, tokenIndex if !_rules[ruleWS]() { - goto l750 + goto l739 } - goto l751 - l750: - position, tokenIndex = position750, tokenIndex750 + goto l740 + l739: + position, tokenIndex = position739, tokenIndex739 } - l751: + l740: if !_rules[ruleARMConstantTweak]() { - goto l748 + goto l737 } - goto l749 - l748: - position, tokenIndex = position748, tokenIndex748 + goto l738 + l737: + position, tokenIndex = position737, tokenIndex737 } - l749: - goto l726 - l725: - position, tokenIndex = position725, tokenIndex725 + l738: + goto l715 + l714: + position, tokenIndex = position714, tokenIndex714 } - l726: + l715: if buffer[position] != rune(']') { - goto l723 + goto l712 } position++ { - position752, tokenIndex752 := position, tokenIndex + position741, tokenIndex741 := position, tokenIndex if !_rules[ruleARMPostincrement]() { 
- goto l752 + goto l741 } - goto l753 - l752: - position, tokenIndex = position752, tokenIndex752 + goto l742 + l741: + position, tokenIndex = position741, tokenIndex741 } - l753: - add(ruleARMBaseIndexScale, position724) + l742: + add(ruleARMBaseIndexScale, position713) } return true - l723: - position, tokenIndex = position723, tokenIndex723 + l712: + position, tokenIndex = position712, tokenIndex712 return false }, - /* 47 ARMGOTLow12 <- <(':' ('g' / 'G') ('o' / 'O') ('t' / 'T') '_' ('l' / 'L') ('o' / 'O') '1' '2' ':' SymbolName)> */ + /* 49 ARMGOTLow12 <- <(':' ('g' / 'G') ('o' / 'O') ('t' / 'T') '_' ('l' / 'L') ('o' / 'O') '1' '2' ':' SymbolName)> */ func() bool { - position754, tokenIndex754 := position, tokenIndex + position743, tokenIndex743 := position, tokenIndex { - position755 := position + position744 := position if buffer[position] != rune(':') { - goto l754 + goto l743 } position++ { - position756, tokenIndex756 := position, tokenIndex + position745, tokenIndex745 := position, tokenIndex if buffer[position] != rune('g') { - goto l757 + goto l746 } position++ - goto l756 - l757: - position, tokenIndex = position756, tokenIndex756 + goto l745 + l746: + position, tokenIndex = position745, tokenIndex745 if buffer[position] != rune('G') { - goto l754 + goto l743 } position++ } - l756: + l745: { - position758, tokenIndex758 := position, tokenIndex + position747, tokenIndex747 := position, tokenIndex if buffer[position] != rune('o') { - goto l759 + goto l748 } position++ - goto l758 - l759: - position, tokenIndex = position758, tokenIndex758 + goto l747 + l748: + position, tokenIndex = position747, tokenIndex747 if buffer[position] != rune('O') { - goto l754 + goto l743 } position++ } - l758: + l747: { - position760, tokenIndex760 := position, tokenIndex + position749, tokenIndex749 := position, tokenIndex if buffer[position] != rune('t') { - goto l761 + goto l750 } position++ - goto l760 - l761: - position, tokenIndex = position760, tokenIndex760 + goto 
l749 + l750: + position, tokenIndex = position749, tokenIndex749 if buffer[position] != rune('T') { - goto l754 + goto l743 } position++ } - l760: + l749: if buffer[position] != rune('_') { - goto l754 + goto l743 } position++ { - position762, tokenIndex762 := position, tokenIndex + position751, tokenIndex751 := position, tokenIndex if buffer[position] != rune('l') { - goto l763 + goto l752 } position++ - goto l762 - l763: - position, tokenIndex = position762, tokenIndex762 + goto l751 + l752: + position, tokenIndex = position751, tokenIndex751 if buffer[position] != rune('L') { - goto l754 + goto l743 } position++ } - l762: + l751: { - position764, tokenIndex764 := position, tokenIndex + position753, tokenIndex753 := position, tokenIndex if buffer[position] != rune('o') { - goto l765 + goto l754 } position++ - goto l764 - l765: - position, tokenIndex = position764, tokenIndex764 + goto l753 + l754: + position, tokenIndex = position753, tokenIndex753 if buffer[position] != rune('O') { - goto l754 + goto l743 } position++ } - l764: + l753: if buffer[position] != rune('1') { - goto l754 + goto l743 } position++ if buffer[position] != rune('2') { - goto l754 + goto l743 } position++ if buffer[position] != rune(':') { - goto l754 + goto l743 } position++ if !_rules[ruleSymbolName]() { - goto l754 + goto l743 } - add(ruleARMGOTLow12, position755) + add(ruleARMGOTLow12, position744) } return true - l754: - position, tokenIndex = position754, tokenIndex754 + l743: + position, tokenIndex = position743, tokenIndex743 return false }, - /* 48 ARMPostincrement <- <'!'> */ + /* 50 ARMPostincrement <- <'!'> */ func() bool { - position766, tokenIndex766 := position, tokenIndex + position755, tokenIndex755 := position, tokenIndex { - position767 := position + position756 := position if buffer[position] != rune('!') { - goto l766 + goto l755 } position++ - add(ruleARMPostincrement, position767) + add(ruleARMPostincrement, position756) } return true - l766: - position, tokenIndex = 
position766, tokenIndex766 + l755: + position, tokenIndex = position755, tokenIndex755 return false }, - /* 49 BaseIndexScale <- <('(' RegisterOrConstant? WS? (',' WS? RegisterOrConstant WS? (',' [0-9]+)?)? ')')> */ + /* 51 BaseIndexScale <- <('(' RegisterOrConstant? WS? (',' WS? RegisterOrConstant WS? (',' [0-9]+)?)? ')')> */ func() bool { - position768, tokenIndex768 := position, tokenIndex + position757, tokenIndex757 := position, tokenIndex { - position769 := position + position758 := position if buffer[position] != rune('(') { - goto l768 + goto l757 } position++ { - position770, tokenIndex770 := position, tokenIndex + position759, tokenIndex759 := position, tokenIndex if !_rules[ruleRegisterOrConstant]() { - goto l770 + goto l759 } - goto l771 - l770: - position, tokenIndex = position770, tokenIndex770 + goto l760 + l759: + position, tokenIndex = position759, tokenIndex759 } - l771: + l760: { - position772, tokenIndex772 := position, tokenIndex + position761, tokenIndex761 := position, tokenIndex if !_rules[ruleWS]() { - goto l772 + goto l761 } - goto l773 - l772: - position, tokenIndex = position772, tokenIndex772 + goto l762 + l761: + position, tokenIndex = position761, tokenIndex761 } - l773: + l762: { - position774, tokenIndex774 := position, tokenIndex + position763, tokenIndex763 := position, tokenIndex if buffer[position] != rune(',') { - goto l774 + goto l763 } position++ { - position776, tokenIndex776 := position, tokenIndex + position765, tokenIndex765 := position, tokenIndex if !_rules[ruleWS]() { - goto l776 + goto l765 } - goto l777 - l776: - position, tokenIndex = position776, tokenIndex776 + goto l766 + l765: + position, tokenIndex = position765, tokenIndex765 } - l777: + l766: if !_rules[ruleRegisterOrConstant]() { - goto l774 + goto l763 } { - position778, tokenIndex778 := position, tokenIndex + position767, tokenIndex767 := position, tokenIndex if !_rules[ruleWS]() { - goto l778 + goto l767 } - goto l779 - l778: - position, tokenIndex = 
position778, tokenIndex778 + goto l768 + l767: + position, tokenIndex = position767, tokenIndex767 } - l779: + l768: { - position780, tokenIndex780 := position, tokenIndex + position769, tokenIndex769 := position, tokenIndex if buffer[position] != rune(',') { - goto l780 + goto l769 } position++ if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l780 + goto l769 } position++ - l782: + l771: { - position783, tokenIndex783 := position, tokenIndex + position772, tokenIndex772 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l783 + goto l772 } position++ - goto l782 - l783: - position, tokenIndex = position783, tokenIndex783 + goto l771 + l772: + position, tokenIndex = position772, tokenIndex772 } - goto l781 - l780: - position, tokenIndex = position780, tokenIndex780 + goto l770 + l769: + position, tokenIndex = position769, tokenIndex769 } - l781: - goto l775 - l774: - position, tokenIndex = position774, tokenIndex774 + l770: + goto l764 + l763: + position, tokenIndex = position763, tokenIndex763 } - l775: + l764: if buffer[position] != rune(')') { - goto l768 + goto l757 } position++ - add(ruleBaseIndexScale, position769) + add(ruleBaseIndexScale, position758) } return true - l768: - position, tokenIndex = position768, tokenIndex768 + l757: + position, tokenIndex = position757, tokenIndex757 return false }, - /* 50 Operator <- <('+' / '-')> */ + /* 52 Operator <- <('+' / '-')> */ func() bool { - position784, tokenIndex784 := position, tokenIndex + position773, tokenIndex773 := position, tokenIndex { - position785 := position + position774 := position { - position786, tokenIndex786 := position, tokenIndex + position775, tokenIndex775 := position, tokenIndex if buffer[position] != rune('+') { - goto l787 + goto l776 } position++ - goto l786 - l787: - position, tokenIndex = position786, tokenIndex786 + goto l775 + l776: + position, tokenIndex = position775, tokenIndex775 if buffer[position] != rune('-') { - goto 
l784 + goto l773 } position++ } - l786: - add(ruleOperator, position785) + l775: + add(ruleOperator, position774) } return true - l784: - position, tokenIndex = position784, tokenIndex784 + l773: + position, tokenIndex = position773, tokenIndex773 return false }, - /* 51 Offset <- <('+'? '-'? (('0' ('b' / 'B') ('0' / '1')+) / ('0' ('x' / 'X') ([0-9] / [0-9] / ([a-f] / [A-F]))+) / [0-9]+))> */ + /* 53 Offset <- <('+'? '-'? (('0' ('b' / 'B') ('0' / '1')+) / ('0' ('x' / 'X') ([0-9] / [0-9] / ([a-f] / [A-F]))+) / [0-9]+))> */ func() bool { - position788, tokenIndex788 := position, tokenIndex + position777, tokenIndex777 := position, tokenIndex { - position789 := position + position778 := position { - position790, tokenIndex790 := position, tokenIndex + position779, tokenIndex779 := position, tokenIndex if buffer[position] != rune('+') { - goto l790 + goto l779 } position++ - goto l791 - l790: - position, tokenIndex = position790, tokenIndex790 + goto l780 + l779: + position, tokenIndex = position779, tokenIndex779 } - l791: + l780: { - position792, tokenIndex792 := position, tokenIndex + position781, tokenIndex781 := position, tokenIndex if buffer[position] != rune('-') { - goto l792 + goto l781 } position++ - goto l793 - l792: - position, tokenIndex = position792, tokenIndex792 + goto l782 + l781: + position, tokenIndex = position781, tokenIndex781 } - l793: + l782: { - position794, tokenIndex794 := position, tokenIndex + position783, tokenIndex783 := position, tokenIndex if buffer[position] != rune('0') { - goto l795 + goto l784 } position++ { - position796, tokenIndex796 := position, tokenIndex + position785, tokenIndex785 := position, tokenIndex if buffer[position] != rune('b') { - goto l797 + goto l786 } position++ - goto l796 - l797: - position, tokenIndex = position796, tokenIndex796 + goto l785 + l786: + position, tokenIndex = position785, tokenIndex785 if buffer[position] != rune('B') { - goto l795 + goto l784 } position++ } - l796: + l785: { - position800, 
tokenIndex800 := position, tokenIndex + position789, tokenIndex789 := position, tokenIndex if buffer[position] != rune('0') { - goto l801 + goto l790 } position++ - goto l800 - l801: - position, tokenIndex = position800, tokenIndex800 + goto l789 + l790: + position, tokenIndex = position789, tokenIndex789 if buffer[position] != rune('1') { - goto l795 + goto l784 } position++ } - l800: - l798: + l789: + l787: { - position799, tokenIndex799 := position, tokenIndex + position788, tokenIndex788 := position, tokenIndex { - position802, tokenIndex802 := position, tokenIndex + position791, tokenIndex791 := position, tokenIndex if buffer[position] != rune('0') { - goto l803 + goto l792 } position++ - goto l802 - l803: - position, tokenIndex = position802, tokenIndex802 + goto l791 + l792: + position, tokenIndex = position791, tokenIndex791 if buffer[position] != rune('1') { - goto l799 + goto l788 } position++ } - l802: - goto l798 - l799: - position, tokenIndex = position799, tokenIndex799 + l791: + goto l787 + l788: + position, tokenIndex = position788, tokenIndex788 } - goto l794 - l795: - position, tokenIndex = position794, tokenIndex794 + goto l783 + l784: + position, tokenIndex = position783, tokenIndex783 if buffer[position] != rune('0') { - goto l804 + goto l793 } position++ { - position805, tokenIndex805 := position, tokenIndex + position794, tokenIndex794 := position, tokenIndex if buffer[position] != rune('x') { - goto l806 + goto l795 } position++ - goto l805 - l806: - position, tokenIndex = position805, tokenIndex805 + goto l794 + l795: + position, tokenIndex = position794, tokenIndex794 if buffer[position] != rune('X') { - goto l804 + goto l793 } position++ } - l805: + l794: { - position809, tokenIndex809 := position, tokenIndex + position798, tokenIndex798 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l810 + goto l799 } position++ - goto l809 - l810: - position, tokenIndex = position809, tokenIndex809 + goto l798 
+ l799: + position, tokenIndex = position798, tokenIndex798 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l811 + goto l800 } position++ - goto l809 - l811: - position, tokenIndex = position809, tokenIndex809 + goto l798 + l800: + position, tokenIndex = position798, tokenIndex798 { - position812, tokenIndex812 := position, tokenIndex + position801, tokenIndex801 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('f') { - goto l813 + goto l802 } position++ - goto l812 - l813: - position, tokenIndex = position812, tokenIndex812 + goto l801 + l802: + position, tokenIndex = position801, tokenIndex801 if c := buffer[position]; c < rune('A') || c > rune('F') { - goto l804 + goto l793 } position++ } - l812: + l801: } - l809: - l807: + l798: + l796: { - position808, tokenIndex808 := position, tokenIndex + position797, tokenIndex797 := position, tokenIndex { - position814, tokenIndex814 := position, tokenIndex + position803, tokenIndex803 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l815 + goto l804 } position++ - goto l814 - l815: - position, tokenIndex = position814, tokenIndex814 + goto l803 + l804: + position, tokenIndex = position803, tokenIndex803 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l816 + goto l805 } position++ - goto l814 - l816: - position, tokenIndex = position814, tokenIndex814 + goto l803 + l805: + position, tokenIndex = position803, tokenIndex803 { - position817, tokenIndex817 := position, tokenIndex + position806, tokenIndex806 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('f') { - goto l818 + goto l807 } position++ - goto l817 - l818: - position, tokenIndex = position817, tokenIndex817 + goto l806 + l807: + position, tokenIndex = position806, tokenIndex806 if c := buffer[position]; c < rune('A') || c > rune('F') { - goto l808 + goto l797 } position++ } - l817: + l806: } - l814: - goto l807 - l808: - position, 
tokenIndex = position808, tokenIndex808 + l803: + goto l796 + l797: + position, tokenIndex = position797, tokenIndex797 } - goto l794 - l804: - position, tokenIndex = position794, tokenIndex794 + goto l783 + l793: + position, tokenIndex = position783, tokenIndex783 if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l788 + goto l777 } position++ - l819: + l808: { - position820, tokenIndex820 := position, tokenIndex + position809, tokenIndex809 := position, tokenIndex if c := buffer[position]; c < rune('0') || c > rune('9') { - goto l820 + goto l809 } position++ - goto l819 - l820: - position, tokenIndex = position820, tokenIndex820 + goto l808 + l809: + position, tokenIndex = position809, tokenIndex809 } } - l794: - add(ruleOffset, position789) + l783: + add(ruleOffset, position778) } return true - l788: - position, tokenIndex = position788, tokenIndex788 + l777: + position, tokenIndex = position777, tokenIndex777 return false }, - /* 52 Section <- <([a-z] / [A-Z] / '@')+> */ + /* 54 Section <- <([a-z] / [A-Z] / '@')+> */ func() bool { - position821, tokenIndex821 := position, tokenIndex + position810, tokenIndex810 := position, tokenIndex { - position822 := position + position811 := position { - position825, tokenIndex825 := position, tokenIndex + position814, tokenIndex814 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l826 + goto l815 } position++ - goto l825 - l826: - position, tokenIndex = position825, tokenIndex825 + goto l814 + l815: + position, tokenIndex = position814, tokenIndex814 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l827 + goto l816 } position++ - goto l825 - l827: - position, tokenIndex = position825, tokenIndex825 + goto l814 + l816: + position, tokenIndex = position814, tokenIndex814 if buffer[position] != rune('@') { - goto l821 + goto l810 } position++ } - l825: - l823: + l814: + l812: { - position824, tokenIndex824 := position, tokenIndex + position813, 
tokenIndex813 := position, tokenIndex { - position828, tokenIndex828 := position, tokenIndex + position817, tokenIndex817 := position, tokenIndex if c := buffer[position]; c < rune('a') || c > rune('z') { - goto l829 + goto l818 } position++ - goto l828 - l829: - position, tokenIndex = position828, tokenIndex828 + goto l817 + l818: + position, tokenIndex = position817, tokenIndex817 if c := buffer[position]; c < rune('A') || c > rune('Z') { - goto l830 + goto l819 } position++ - goto l828 - l830: - position, tokenIndex = position828, tokenIndex828 + goto l817 + l819: + position, tokenIndex = position817, tokenIndex817 if buffer[position] != rune('@') { - goto l824 + goto l813 } position++ } - l828: - goto l823 - l824: - position, tokenIndex = position824, tokenIndex824 + l817: + goto l812 + l813: + position, tokenIndex = position813, tokenIndex813 } - add(ruleSection, position822) + add(ruleSection, position811) } return true - l821: - position, tokenIndex = position821, tokenIndex821 + l810: + position, tokenIndex = position810, tokenIndex810 return false }, - /* 53 SegmentRegister <- <('%' ([c-g] / 's') ('s' ':'))> */ + /* 55 SegmentRegister <- <('%' ([c-g] / 's') ('s' ':'))> */ func() bool { - position831, tokenIndex831 := position, tokenIndex + position820, tokenIndex820 := position, tokenIndex { - position832 := position + position821 := position if buffer[position] != rune('%') { - goto l831 + goto l820 } position++ { - position833, tokenIndex833 := position, tokenIndex + position822, tokenIndex822 := position, tokenIndex if c := buffer[position]; c < rune('c') || c > rune('g') { - goto l834 + goto l823 } position++ - goto l833 - l834: - position, tokenIndex = position833, tokenIndex833 + goto l822 + l823: + position, tokenIndex = position822, tokenIndex822 if buffer[position] != rune('s') { - goto l831 + goto l820 } position++ } - l833: + l822: if buffer[position] != rune('s') { - goto l831 + goto l820 } position++ if buffer[position] != rune(':') { - goto 
l831 + goto l820 } position++ - add(ruleSegmentRegister, position832) + add(ruleSegmentRegister, position821) } return true - l831: - position, tokenIndex = position831, tokenIndex831 + l820: + position, tokenIndex = position820, tokenIndex820 return false }, } diff --git a/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s b/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s index 0b9828f8..852312b8 100644 --- a/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s +++ b/src/util/fipstools/delocate/testdata/aarch64-Basic/out.s @@ -145,6 +145,7 @@ BORINGSSL_bcm_text_end: .type bcm_redirector_remote_function, @function bcm_redirector_remote_function: .cfi_startproc + hint #34 // bti c b remote_function .cfi_endproc .size bcm_redirector_remote_function, .-bcm_redirector_remote_function @@ -153,6 +154,7 @@ bcm_redirector_remote_function: .type bcm_redirector_y0, @function bcm_redirector_y0: .cfi_startproc + hint #34 // bti c b y0 .cfi_endproc .size bcm_redirector_y0, .-bcm_redirector_y0 @@ -161,6 +163,7 @@ bcm_redirector_y0: .type bcm_redirector_y12, @function bcm_redirector_y12: .cfi_startproc + hint #34 // bti c b y12 .cfi_endproc .size bcm_redirector_y12, .-bcm_redirector_y12 @@ -169,6 +172,7 @@ bcm_redirector_y12: .type bss_symbol_bss_get, @function bss_symbol_bss_get: .cfi_startproc + hint #34 // bti c adrp x0, .Lbss_symbol_local_target add x0, x0, :lo12:.Lbss_symbol_local_target ret @@ -179,6 +183,7 @@ bss_symbol_bss_get: .type .Lboringssl_loadgot_stderr, @function .Lboringssl_loadgot_stderr: .cfi_startproc + hint #34 // bti c adrp x0, :got:stderr ldr x0, [x0, :got_lo12:stderr] ret @@ -189,6 +194,7 @@ bss_symbol_bss_get: .type .LOPENSSL_armcap_P_addr, @function .LOPENSSL_armcap_P_addr: .cfi_startproc + hint #34 // bti c adrp x0, OPENSSL_armcap_P add x0, x0, :lo12:OPENSSL_armcap_P ret 
diff --git a/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s b/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s index 6549db71..03580d10 100644 --- a/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s +++ b/src/util/fipstools/delocate/testdata/x86_64-LabelRewrite/out.s @@ -93,7 +93,7 @@ bar: # assumption that it's too small to hold a pointer. But Clang # will store offsets in it. # WAS .byte (.LBB231_40-.LBB231_19)>>2, 4, .Lfoo, (.Lfoo), .Lfoo<<400, ( .Lfoo ) << 66 - .byte (.LBB231_40_BCM_1-.LBB231_19_BCM_1)>>2, 4, .Lfoo_BCM_1, (.Lfoo_BCM_1), .Lfoo_BCM_1<<400, ( .Lfoo_BCM_1 ) << 66 + .byte (.LBB231_40_BCM_1-.LBB231_19_BCM_1)>>2, 4, .Lfoo_BCM_1, (.Lfoo_BCM_1), .Lfoo_BCM_1<<400, (.Lfoo_BCM_1)<<66 .byte 421 .text .loc 1 2 0 diff --git a/src/util/generate_build_files.py b/src/util/generate_build_files.py index d0c01d58..1dd1629d 100644 --- a/src/util/generate_build_files.py +++ b/src/util/generate_build_files.py @@ -26,7 +26,7 @@ import json # OS_ARCH_COMBOS maps from OS and platform to the OpenSSL assembly "style" for # that platform and the extension used by asm files. # -# TODO(https://crbug.com/boringssl/524): This probably should be a map, but some +# TODO(https://crbug.com/boringssl/542): This probably should be a map, but some # downstream scripts import this to find what folders to add/remove from git. OS_ARCH_COMBOS = [ ('apple', 'arm', 'ios32', [], 'S'), @@ -106,7 +106,7 @@ class Android(object): out.write(' %s\\\n' % f) out.write('\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): # New Android.bp format with open('sources.bp', 'w+') as blueprint: blueprint.write(self.header.replace('#', '//')) 
@@ -204,7 +204,7 @@ class AndroidCMake(object): out.write(' ${BORINGSSL_ROOT}%s\n' % f) out.write(')\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): # The Android emulator uses a custom CMake buildsystem. # # TODO(crbug.com/boringssl/542): Move our various source lists into @@ -224,12 +224,6 @@ class AndroidCMake(object): files['crypto_test']) self.PrintVariableSection(out, 'ssl_test_sources', files['ssl_test']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - self.PrintVariableSection( - out, 'crypto_sources_%s_%s' % (osname, arch), asm_files) - class Bazel(object): """Bazel outputs files suitable for including in Bazel files.""" @@ -251,7 +245,7 @@ class Bazel(object): out.write(' "%s",\n' % PathOf(f)) out.write(']\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('BUILD.generated.bzl', 'w+') as out: out.write(self.header) @@ -312,7 +306,7 @@ class Eureka(object): out.write(' %s\\\n' % f) out.write('\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): # Legacy Android.mk format with open('eureka.mk', 'w+') as makefile: makefile.write(self.header) @@ -325,14 +319,6 @@ class Eureka(object): self.PrintVariableSection(makefile, 'ssl_sources', files['ssl']) self.PrintVariableSection(makefile, 'tool_sources', files['tool']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - if osname != 'linux': - continue - self.PrintVariableSection( - makefile, '%s_%s_sources' % (osname, arch), asm_files) - class GN(object): 
@@ -353,7 +339,7 @@ class GN(object): out.write(' "%s",\n' % f) out.write(']\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('BUILD.generated.gni', 'w+') as out: out.write(self.header) @@ -368,6 +354,8 @@ class GN(object): self.PrintVariableSection(out, 'ssl_sources', files['ssl'] + files['ssl_internal_headers']) self.PrintVariableSection(out, 'ssl_headers', files['ssl_headers']) + self.PrintVariableSection(out, 'pki_sources', + files['pki'] + files['pki_internal_headers']) self.PrintVariableSection(out, 'tool_sources', files['tool'] + files['tool_headers']) @@ -386,7 +374,10 @@ class GN(object): files['crypto_test']) self.PrintVariableSection(out, 'crypto_test_data', files['crypto_test_data']) + self.PrintVariableSection(out, 'pki_test_data', + files['pki_test_data']) self.PrintVariableSection(out, 'ssl_test_sources', files['ssl_test']) + self.PrintVariableSection(out, 'pki_test_sources', files['pki_test']) class GYP(object): @@ -403,7 +394,7 @@ class GYP(object): out.write(' \'%s\',\n' % f) out.write(' ],\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('boringssl.gypi', 'w+') as gypi: gypi.write(self.header + '{\n \'variables\': {\n') @@ -418,12 +409,6 @@ class GYP(object): self.PrintVariableSection(gypi, 'boringssl_crypto_nasm_sources', files['crypto_nasm']) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - self.PrintVariableSection(gypi, 'boringssl_%s_%s_sources' % - (osname, arch), asm_files) - gypi.write(' }\n}\n') class CMake(object): @@ -432,7 +417,7 @@ class CMake(object): self.header = LicenseHeader("#") + R''' # This file is created by generate_build_files.py. Do not edit manually. -cmake_minimum_required(VERSION 3.10) +cmake_minimum_required(VERSION 3.12) project(BoringSSL LANGUAGES C CXX) 
@@ -528,7 +513,7 @@ endif() out.write(' %s\n' % PathOf(f)) out.write(')\n\n') - def WriteFiles(self, files, asm_outputs): + def WriteFiles(self, files): with open('CMakeLists.txt', 'w+') as cmake: cmake.write(self.header) @@ -564,14 +549,9 @@ endif() ''') class JSON(object): - def WriteFiles(self, files, asm_outputs): - sources = dict(files) - # TODO(crbug.com/boringssl/542): Migrate users to the combined asm source - # lists, so we don't need to generate both sets. - for ((osname, arch), asm_files) in asm_outputs: - sources['crypto_%s_%s' % (osname, arch)] = asm_files + def WriteFiles(self, files): with open('sources.json', 'w+') as f: - json.dump(sources, f, sort_keys=True, indent=2) + json.dump(files, f, sort_keys=True, indent=2) def FindCMakeFiles(directory): """Returns list of all CMakeLists.txt files recursively in directory.""" @@ -673,12 +653,13 @@ def ExtractPerlAsmFromCMakeFile(cmakefile): raise ValueError('Bad perlasm line in %s' % cmakefile) # Remove "perlasm(" from start and ")" from end params = line[8:-1].split() - if len(params) != 4: + if len(params) < 4: raise ValueError('Bad perlasm line in %s' % cmakefile) perlasms.append({ 'arch': params[1], 'output': os.path.join(os.path.dirname(cmakefile), params[2]), 'input': os.path.join(os.path.dirname(cmakefile), params[3]), + 'extra_args': params[4:], }) return perlasms @@ -714,7 +695,7 @@ def WriteAsmFiles(perlasms): for (osname, arch, perlasm_style, extra_args, asm_ext) in OS_ARCH_COMBOS: if arch != perlasm['arch']: continue - # TODO(https://crbug.com/boringssl/524): Now that we incorporate osname in + # TODO(https://crbug.com/boringssl/542): Now that we incorporate osname in # the output filename, the asm files can just go in a single directory. # For now, we keep them in target-specific directories to avoid breaking # downstream scripts. 
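Review bot: In ExtractPerlAsmFromCMakeFile (the `@@ -673,12 +653,13 @@` hunk), relaxing the check to `len(params) < 4` means every trailing token on a `perlasm(` line is now accepted and stored as `'extra_args': params[4:]`, which the later WriteAsmFiles hunk appends to the PerlAsm call. A stray token that used to raise `Bad perlasm line` is therefore handed to the perl script as an argument. Because the line is tokenised with a bare `split()`, an argument containing whitespace or CMake quoting would also be split apart. I would document the new contract above the check with `# Tokens after the input file are forwarded verbatim to the perlasm script as extra arguments.` PerlAsm itself is not visible here, so it is worth confirming that it builds its command as an argument list rather than a shell string. The function's body begins outside this hunk.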
@@ -725,7 +706,8 @@ def WriteAsmFiles(perlasms): raise ValueError('output missing src: %s' % output) output = os.path.join(outDir, output[4:]) output = '%s-%s.%s' % (output, osname, asm_ext) - PerlAsm(output, perlasm['input'], perlasm_style, extra_args) + PerlAsm(output, perlasm['input'], perlasm_style, + extra_args + perlasm['extra_args']) asmfiles.setdefault(key, []).append(output) for (key, non_perl_asm_files) in NON_PERL_FILES.items(): @@ -827,11 +809,13 @@ def main(platforms): asm_outputs = sorted(WriteAsmFiles(ReadPerlAsmOperations()).items()) - # Generate combined source lists for gas and nasm. Build files have a choice - # of using the per-platform ones or the combined ones. In the combined mode, - # Windows x86 and Windows x86_64 must still be special-cased, but otherwise - # all assembly files can be linked together. Some files appear in multiple - # per-platform lists, so we duplicate. + # Generate combined source lists for gas and nasm. Some files appear in + # multiple per-platform lists, so we de-duplicate. + # + # TODO(https://crbug.com/boringssl/542): It would be simpler to build the + # combined source lists directly. This is a remnant of the previous assembly + # strategy. When we move to pre-generated assembly files, this will be + # removed. asm_sources = set() nasm_sources = set() for ((osname, arch), asm_files) in asm_outputs: @@ -867,7 +851,7 @@ def main(platforms): } for platform in platforms: - platform.WriteFiles(files, asm_outputs) + platform.WriteFiles(files) return 0 diff --git a/win-x86_64/crypto/chacha/chacha-x86_64-win.asm b/win-x86_64/crypto/chacha/chacha-x86_64-win.asm index 4d0101df..427eb1b3 100644 --- a/win-x86_64/crypto/chacha/chacha-x86_64-win.asm +++ b/win-x86_64/crypto/chacha/chacha-x86_64-win.asm @@ -345,7 +345,7 @@ $L$done: $L$no_data: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ChaCha20_ctr32: 
@@ -500,7 +500,7 @@ $L$done_ssse3: $L$ssse3_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ChaCha20_ssse3: @@ -1086,7 +1086,7 @@ $L$done4x: $L$4x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ChaCha20_4x: @@ -1726,7 +1726,7 @@ $L$done8x: $L$8x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ChaCha20_8x: EXTERN __imp_RtlVirtualUnwind @@ -1812,7 +1812,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret diff --git a/win-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-win.asm b/win-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-win.asm index a5273829..285df4f5 100644 --- a/win-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-win.asm +++ b/win-x86_64/crypto/cipher_extra/aes128gcmsiv-x86_64-win.asm @@ -70,7 +70,7 @@ GFMUL: vpxor xmm2,xmm3,xmm4 vpxor xmm0,xmm2,xmm5 - DB 0F3h,0C3h ;repret + ret global aesgcmsiv_htable_init @@ -106,7 +106,7 @@ _CET_ENDBR vmovdqa XMMWORD[112+rdi],xmm0 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aesgcmsiv_htable_init: global aesgcmsiv_htable6_init @@ -138,7 +138,7 @@ _CET_ENDBR vmovdqa XMMWORD[80+rdi],xmm0 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aesgcmsiv_htable6_init: global aesgcmsiv_htable_polyval @@ -161,7 +161,7 @@ _CET_ENDBR jnz NEAR $L$htable_polyval_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$htable_polyval_start: vzeroall @@ -369,7 +369,7 @@ $L$htable_polyval_out: vzeroupper mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aesgcmsiv_htable_polyval: global aesgcmsiv_polyval_horner 
@@ -392,7 +392,7 @@ _CET_ENDBR jnz NEAR $L$polyval_horner_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$polyval_horner_start: @@ -416,7 +416,7 @@ $L$polyval_horner_loop: vmovdqa XMMWORD[rdi],xmm0 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aesgcmsiv_polyval_horner: global aes128gcmsiv_aes_ks @@ -482,7 +482,7 @@ $L$ks128_loop: vmovdqa XMMWORD[32+rsi],xmm1 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_aes_ks: global aes256gcmsiv_aes_ks @@ -540,7 +540,7 @@ $L$ks256_loop: vmovdqa XMMWORD[32+rsi],xmm1 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret global aes128gcmsiv_aes_ks_enc_x1 @@ -693,7 +693,7 @@ _CET_ENDBR vmovdqa XMMWORD[rsi],xmm4 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_aes_ks_enc_x1: global aes128gcmsiv_kdf @@ -797,7 +797,7 @@ _CET_ENDBR vmovdqa XMMWORD[48+rsi],xmm12 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_kdf: global aes128gcmsiv_enc_msg_x4 @@ -821,7 +821,7 @@ _CET_ENDBR jnz NEAR $L$128_enc_msg_x4_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$128_enc_msg_x4_start: push r12 @@ -987,7 +987,7 @@ $L$128_enc_msg_x4_out: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_enc_msg_x4: global aes128gcmsiv_enc_msg_x8 @@ -1011,7 +1011,7 @@ _CET_ENDBR jnz NEAR $L$128_enc_msg_x8_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$128_enc_msg_x8_start: push r12 @@ -1257,7 +1257,7 @@ $L$128_enc_msg_x8_out: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_enc_msg_x8: global aes128gcmsiv_dec 
@@ -1282,7 +1282,7 @@ _CET_ENDBR jnz NEAR $L$128_dec_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$128_dec_start: vzeroupper @@ -1765,7 +1765,7 @@ $L$128_dec_out: vmovdqu XMMWORD[rdx],xmm0 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_dec: global aes128gcmsiv_ecb_enc_block @@ -1801,7 +1801,7 @@ _CET_ENDBR mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes128gcmsiv_ecb_enc_block: global aes256gcmsiv_aes_ks_enc_x1 @@ -1996,7 +1996,7 @@ _CET_ENDBR vmovdqa XMMWORD[rsi],xmm8 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes256gcmsiv_aes_ks_enc_x1: global aes256gcmsiv_ecb_enc_block @@ -2033,7 +2033,7 @@ _CET_ENDBR vmovdqa XMMWORD[rsi],xmm1 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes256gcmsiv_ecb_enc_block: global aes256gcmsiv_enc_msg_x4 @@ -2057,7 +2057,7 @@ _CET_ENDBR jnz NEAR $L$256_enc_msg_x4_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$256_enc_msg_x4_start: mov r10,r8 @@ -2249,7 +2249,7 @@ $L$256_enc_msg_x4_loop2: $L$256_enc_msg_x4_out: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes256gcmsiv_enc_msg_x4: global aes256gcmsiv_enc_msg_x8 @@ -2273,7 +2273,7 @@ _CET_ENDBR jnz NEAR $L$256_enc_msg_x8_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$256_enc_msg_x8_start: @@ -2552,7 +2552,7 @@ $L$256_enc_msg_x8_loop2: $L$256_enc_msg_x8_out: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes256gcmsiv_enc_msg_x8: @@ -2578,7 +2578,7 @@ _CET_ENDBR jnz NEAR $L$256_dec_start mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$256_dec_start: vzeroupper 
@@ -3129,7 +3129,7 @@ $L$256_dec_out: vmovdqu XMMWORD[rdx],xmm0 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes256gcmsiv_dec: global aes256gcmsiv_kdf @@ -3291,7 +3291,7 @@ _CET_ENDBR vmovdqa XMMWORD[80+rsi],xmm13 mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes256gcmsiv_kdf: %else diff --git a/win-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-win.asm b/win-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-win.asm index 0afb28e5..095689cf 100644 --- a/win-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-win.asm +++ b/win-x86_64/crypto/cipher_extra/chacha20_poly1305_x86_64-win.asm @@ -112,7 +112,7 @@ $L$poly_fast_tls_ad: adc r11,r9 adc r12,0 - DB 0F3h,0C3h ;repret + ret $L$hash_ad_loop: cmp r8,16 @@ -221,7 +221,7 @@ $L$hash_ad_tail_loop: $L$hash_ad_done: - DB 0F3h,0C3h ;repret + ret @@ -1891,7 +1891,7 @@ $L$open_sse_finalize: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$open_sse_128: @@ -3978,7 +3978,7 @@ $L$do_length_block: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$seal_sse_128: diff --git a/win-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-win.asm index c4e0fdac..d7a2665e 100644 --- a/win-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/aesni-gcm-x86_64-win.asm @@ -344,7 +344,7 @@ $L$6x_done: vpxor xmm8,xmm8,XMMWORD[((16+8))+rsp] vpxor xmm8,xmm8,xmm4 - DB 0F3h,0C3h ;repret + ret global aesni_gcm_decrypt @@ -511,7 +511,7 @@ $L$dec_no_key_aliasing: pop rbp $L$gcm_dec_abort: - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aesni_gcm_decrypt_22: @@ -582,7 +582,7 @@ $L$oop_ctr32: vmovups XMMWORD[80+rdx],xmm14 lea rdx,[96+rdx] - DB 0F3h,0C3h ;repret + ret ALIGN 32 $L$handle_ctr32_2: vpshufb xmm6,xmm1,xmm0 
@@ -942,7 +942,7 @@ $L$enc_no_key_aliasing: pop rbp $L$gcm_enc_abort: - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aesni_gcm_encrypt_22: diff --git a/win-x86_64/crypto/fipsmodule/aesni-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/aesni-x86_64-win.asm index c914c53a..0dbcc20c 100644 --- a/win-x86_64/crypto/fipsmodule/aesni-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/aesni-x86_64-win.asm @@ -41,7 +41,7 @@ $L$oop_enc1_1: pxor xmm1,xmm1 movups XMMWORD[rdx],xmm2 pxor xmm2,xmm2 - DB 0F3h,0C3h ;repret + ret @@ -68,7 +68,7 @@ $L$oop_dec1_2: pxor xmm1,xmm1 movups XMMWORD[rdx],xmm2 pxor xmm2,xmm2 - DB 0F3h,0C3h ;repret + ret @@ -99,7 +99,7 @@ $L$enc_loop2: DB 102,15,56,220,217 DB 102,15,56,221,208 DB 102,15,56,221,216 - DB 0F3h,0C3h ;repret + ret @@ -130,7 +130,7 @@ $L$dec_loop2: DB 102,15,56,222,217 DB 102,15,56,223,208 DB 102,15,56,223,216 - DB 0F3h,0C3h ;repret + ret @@ -166,7 +166,7 @@ $L$enc_loop3: DB 102,15,56,221,208 DB 102,15,56,221,216 DB 102,15,56,221,224 - DB 0F3h,0C3h ;repret + ret @@ -202,7 +202,7 @@ $L$dec_loop3: DB 102,15,56,223,208 DB 102,15,56,223,216 DB 102,15,56,223,224 - DB 0F3h,0C3h ;repret + ret @@ -244,7 +244,7 @@ $L$enc_loop4: DB 102,15,56,221,216 DB 102,15,56,221,224 DB 102,15,56,221,232 - DB 0F3h,0C3h ;repret + ret @@ -286,7 +286,7 @@ $L$dec_loop4: DB 102,15,56,223,216 DB 102,15,56,223,224 DB 102,15,56,223,232 - DB 0F3h,0C3h ;repret + ret @@ -342,7 +342,7 @@ $L$enc_loop6_enter: DB 102,15,56,221,232 DB 102,15,56,221,240 DB 102,15,56,221,248 - DB 0F3h,0C3h ;repret + ret @@ -398,7 +398,7 @@ $L$dec_loop6_enter: DB 102,15,56,223,232 DB 102,15,56,223,240 DB 102,15,56,223,248 - DB 0F3h,0C3h ;repret + ret @@ -464,7 +464,7 @@ $L$enc_loop8_enter: DB 102,15,56,221,248 DB 102,68,15,56,221,192 DB 102,68,15,56,221,200 - DB 0F3h,0C3h ;repret + ret @@ -530,7 +530,7 @@ $L$dec_loop8_enter: DB 102,15,56,223,248 DB 102,68,15,56,223,192 DB 102,68,15,56,223,200 - DB 0F3h,0C3h ;repret + ret global aes_hw_ecb_encrypt 
@@ -904,7 +904,7 @@ $L$ecb_ret: $L$ecb_enc_ret: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes_hw_ecb_encrypt: global aes_hw_ctr32_encrypt_blocks @@ -1523,7 +1523,7 @@ $L$ctr32_done: $L$ctr32_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes_hw_ctr32_encrypt_blocks: global aes_hw_cbc_encrypt @@ -2157,7 +2157,7 @@ $L$cbc_dec_ret: $L$cbc_ret: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_aes_hw_cbc_encrypt: global aes_hw_set_decrypt_key @@ -2201,7 +2201,7 @@ $L$dec_key_inverse: $L$dec_key_ret: add rsp,8 - DB 0F3h,0C3h ;repret + ret $L$SEH_end_set_decrypt_key: @@ -2511,7 +2511,7 @@ $L$enc_key_ret: pxor xmm5,xmm5 add rsp,8 - DB 0F3h,0C3h ;repret + ret $L$SEH_end_set_encrypt_key: @@ -2526,7 +2526,7 @@ $L$key_expansion_128_cold: xorps xmm0,xmm4 shufps xmm1,xmm1,255 xorps xmm0,xmm1 - DB 0F3h,0C3h ;repret + ret ALIGN 16 $L$key_expansion_192a: @@ -2546,7 +2546,7 @@ $L$key_expansion_192b_warm: pxor xmm0,xmm1 pshufd xmm3,xmm0,255 pxor xmm2,xmm3 - DB 0F3h,0C3h ;repret + ret ALIGN 16 $L$key_expansion_192b: @@ -2569,7 +2569,7 @@ $L$key_expansion_256a_cold: xorps xmm0,xmm4 shufps xmm1,xmm1,255 xorps xmm0,xmm1 - DB 0F3h,0C3h ;repret + ret ALIGN 16 $L$key_expansion_256b: @@ -2582,7 +2582,7 @@ $L$key_expansion_256b: xorps xmm2,xmm4 shufps xmm1,xmm1,170 xorps xmm2,xmm1 - DB 0F3h,0C3h ;repret + ret section .rdata rdata align=8 @@ -2779,7 +2779,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-win.asm index a5ccffd3..84c5d40b 100644 --- a/win-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/ghash-ssse3-x86_64-win.asm 
@@ -208,7 +208,7 @@ DB 102,65,15,56,0,210 movdqa xmm6,XMMWORD[rsp] movdqa xmm10,XMMWORD[16+rsp] add rsp,40 - DB 0F3h,0C3h ;repret + ret $L$SEH_end_gcm_gmult_ssse3_5: @@ -432,7 +432,7 @@ DB 102,65,15,56,0,194 movdqa xmm10,XMMWORD[16+rsp] movdqa xmm11,XMMWORD[32+rsp] add rsp,56 - DB 0F3h,0C3h ;repret + ret $L$SEH_end_gcm_ghash_ssse3_6: diff --git a/win-x86_64/crypto/fipsmodule/ghash-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/ghash-x86_64-win.asm index 9afa8084..96df27c9 100644 --- a/win-x86_64/crypto/fipsmodule/ghash-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/ghash-x86_64-win.asm @@ -177,7 +177,7 @@ DB 102,15,58,15,227,8 movdqu XMMWORD[80+rcx],xmm4 movaps xmm6,XMMWORD[rsp] lea rsp,[24+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_gcm_init_clmul_4: @@ -232,7 +232,7 @@ DB 102,15,58,68,220,0 pxor xmm0,xmm1 DB 102,15,56,0,197 movdqu XMMWORD[rcx],xmm0 - DB 0F3h,0C3h ;repret + ret global gcm_ghash_clmul @@ -654,7 +654,7 @@ DB 102,65,15,56,0,194 movaps xmm14,XMMWORD[128+rsp] movaps xmm15,XMMWORD[144+rsp] lea rsp,[168+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_gcm_ghash_clmul_13: @@ -772,7 +772,7 @@ $L$init_start_avx: vzeroupper movaps xmm6,XMMWORD[rsp] lea rsp,[24+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_gcm_init_avx_4: @@ -1196,7 +1196,7 @@ $L$tail_no_xor_avx: movaps xmm14,XMMWORD[128+rsp] movaps xmm15,XMMWORD[144+rsp] lea rsp,[168+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_gcm_ghash_avx_13: diff --git a/win-x86_64/crypto/fipsmodule/md5-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/md5-x86_64-win.asm index 71c0fe1b..f6c5b627 100644 --- a/win-x86_64/crypto/fipsmodule/md5-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/md5-x86_64-win.asm @@ -702,7 +702,7 @@ $L$end: $L$epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_md5_block_asm_data_order: EXTERN __imp_RtlVirtualUnwind @@ -783,7 +783,7 @@ $L$in_prologue: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 
diff --git a/win-x86_64/crypto/fipsmodule/p256-x86_64-asm-win.asm b/win-x86_64/crypto/fipsmodule/p256-x86_64-asm-win.asm index 5b456172..c25cac33 100644 --- a/win-x86_64/crypto/fipsmodule/p256-x86_64-asm-win.asm +++ b/win-x86_64/crypto/fipsmodule/p256-x86_64-asm-win.asm @@ -101,7 +101,7 @@ $L$neg_body: $L$neg_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_neg: @@ -439,7 +439,7 @@ $L$ord_mul_body: $L$ord_mul_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_ord_mul_mont: @@ -748,7 +748,7 @@ DB 102,72,15,126,216 $L$ord_sqr_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_ord_sqr_mont: @@ -995,7 +995,7 @@ $L$ord_mulx_body: $L$ord_mulx_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_ord_mul_montx: @@ -1214,7 +1214,7 @@ DB 102,72,15,126,218 $L$ord_sqrx_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_ord_sqr_montx: @@ -1296,7 +1296,7 @@ $L$mul_mont_done: $L$mul_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_mul_mont: @@ -1514,7 +1514,7 @@ __ecp_nistz256_mul_montq: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret @@ -1592,7 +1592,7 @@ $L$sqr_mont_done: $L$sqr_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_sqr_mont: @@ -1756,7 +1756,7 @@ __ecp_nistz256_sqr_montq: mov QWORD[16+rdi],r14 mov QWORD[24+rdi],r15 - DB 0F3h,0C3h ;repret + ret @@ -1924,7 +1924,7 @@ __ecp_nistz256_mul_montx: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret 
@@ -2054,7 +2054,7 @@ __ecp_nistz256_sqr_montx: mov QWORD[16+rdi],r14 mov QWORD[24+rdi],r15 - DB 0F3h,0C3h ;repret + ret @@ -2143,7 +2143,7 @@ $L$select_loop_sse_w5: movaps xmm14,XMMWORD[128+rsp] movaps xmm15,XMMWORD[144+rsp] lea rsp,[168+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_select_w5: @@ -2223,7 +2223,7 @@ $L$select_loop_sse_w7: movaps xmm14,XMMWORD[128+rsp] movaps xmm15,XMMWORD[144+rsp] lea rsp,[168+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_select_w7: @@ -2311,7 +2311,7 @@ $L$select_loop_avx2_w5: movaps xmm14,XMMWORD[128+rsp] movaps xmm15,XMMWORD[144+rsp] lea rsp,[r11] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_avx2_select_w5: @@ -2417,7 +2417,7 @@ $L$select_loop_avx2_w7: movaps xmm14,XMMWORD[128+rsp] movaps xmm15,XMMWORD[144+rsp] lea rsp,[r11] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_avx2_select_w7: @@ -2451,7 +2451,7 @@ __ecp_nistz256_add_toq: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret @@ -2484,7 +2484,7 @@ __ecp_nistz256_sub_fromq: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret @@ -2513,7 +2513,7 @@ __ecp_nistz256_subq: cmovnz r8,rcx cmovnz r9,r10 - DB 0F3h,0C3h ;repret + ret @@ -2547,7 +2547,7 @@ __ecp_nistz256_mul_by_2q: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret global ecp_nistz256_point_double @@ -2785,7 +2785,7 @@ DB 102,72,15,126,207 $L$point_doubleq_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_point_double: global ecp_nistz256_point_add @@ -3227,7 +3227,7 @@ $L$add_doneq: $L$point_addq_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_point_add: global ecp_nistz256_point_add_affine 
@@ -3566,7 +3566,7 @@ DB 102,72,15,126,199 $L$add_affineq_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_point_add_affine: @@ -3600,7 +3600,7 @@ __ecp_nistz256_add_tox: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret @@ -3635,7 +3635,7 @@ __ecp_nistz256_sub_fromx: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret @@ -3666,7 +3666,7 @@ __ecp_nistz256_subx: cmovc r8,rcx cmovc r9,r10 - DB 0F3h,0C3h ;repret + ret @@ -3701,7 +3701,7 @@ __ecp_nistz256_mul_by_2x: mov QWORD[16+rdi],r8 mov QWORD[24+rdi],r9 - DB 0F3h,0C3h ;repret + ret @@ -3933,7 +3933,7 @@ DB 102,72,15,126,207 $L$point_doublex_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_point_doublex: @@ -4369,7 +4369,7 @@ $L$add_donex: $L$point_addx_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_point_addx: @@ -4702,7 +4702,7 @@ DB 102,72,15,126,199 $L$add_affinex_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_ecp_nistz256_point_add_affinex: EXTERN __imp_RtlVirtualUnwind @@ -4834,7 +4834,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-win.asm b/win-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-win.asm index 5f6fa175..7c7da683 100644 --- a/win-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-win.asm +++ b/win-x86_64/crypto/fipsmodule/p256_beeu-x86_64-asm-win.asm @@ -336,7 +336,7 @@ $L$beeu_finish: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_beeu_mod_inverse_vartime: diff --git a/win-x86_64/crypto/fipsmodule/rdrand-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/rdrand-x86_64-win.asm index 78c95443..aae3d76b 100644 
--- a/win-x86_64/crypto/fipsmodule/rdrand-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/rdrand-x86_64-win.asm @@ -28,7 +28,7 @@ DB 73,15,199,240 adc rax,rax mov QWORD[rcx],r8 - DB 0F3h,0C3h ;repret + ret @@ -54,10 +54,10 @@ DB 73,15,199,241 jnz NEAR $L$loop $L$out: mov rax,1 - DB 0F3h,0C3h ;repret + ret $L$err: xor rax,rax - DB 0F3h,0C3h ;repret + ret %else diff --git a/win-x86_64/crypto/fipsmodule/rsaz-avx2-win.asm b/win-x86_64/crypto/fipsmodule/rsaz-avx2-win.asm index ef38336a..beadbdde 100644 --- a/win-x86_64/crypto/fipsmodule/rsaz-avx2-win.asm +++ b/win-x86_64/crypto/fipsmodule/rsaz-avx2-win.asm @@ -701,7 +701,7 @@ $L$sqr_1024_in_tail: $L$sqr_1024_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_rsaz_1024_sqr_avx2: global rsaz_1024_mul_avx2 @@ -1294,7 +1294,7 @@ $L$mul_1024_in_tail: $L$mul_1024_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_rsaz_1024_mul_avx2: global rsaz_1024_red2norm_avx2 @@ -1493,7 +1493,7 @@ _CET_ENDBR adc r11,0 mov QWORD[120+rcx],rax mov rax,r11 - DB 0F3h,0C3h ;repret + ret @@ -1654,7 +1654,7 @@ _CET_ENDBR mov QWORD[168+rcx],r8 mov QWORD[176+rcx],r8 mov QWORD[184+rcx],r8 - DB 0F3h,0C3h ;repret + ret global rsaz_1024_scatter5_avx2 @@ -1681,7 +1681,7 @@ $L$oop_scatter_1024: jnz NEAR $L$oop_scatter_1024 vzeroupper - DB 0F3h,0C3h ;repret + ret @@ -1827,7 +1827,7 @@ $L$oop_gather_1024: movaps xmm15,XMMWORD[((-24))+r11] lea rsp,[r11] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_rsaz_1024_gather5: @@ -1939,7 +1939,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/fipsmodule/sha1-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/sha1-x86_64-win.asm index 734755c6..56d979ab 100644 --- a/win-x86_64/crypto/fipsmodule/sha1-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/sha1-x86_64-win.asm 
@@ -1279,7 +1279,7 @@ $L$loop: $L$epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha1_block_data_order: @@ -1472,7 +1472,7 @@ DB 102,15,56,0,251 $L$epilogue_shaext: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha1_block_data_order_shaext: @@ -2684,7 +2684,7 @@ $L$done_ssse3: $L$epilogue_ssse3: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha1_block_data_order_ssse3: @@ -3836,7 +3836,7 @@ $L$done_avx: $L$epilogue_avx: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha1_block_data_order_avx: @@ -5554,7 +5554,7 @@ $L$done_avx2: $L$epilogue_avx2: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha1_block_data_order_avx2: section .rdata rdata align=8 @@ -5739,7 +5739,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/fipsmodule/sha256-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/sha256-x86_64-win.asm index f4374c27..89ab7062 100644 --- a/win-x86_64/crypto/fipsmodule/sha256-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/sha256-x86_64-win.asm @@ -1748,7 +1748,7 @@ $L$rounds_16_xx: $L$epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha256_block_data_order: section .rdata rdata align=8 @@ -2032,7 +2032,7 @@ DB 102,15,58,15,215,8 $L$epilogue_shaext: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha256_block_data_order_shaext: @@ -3164,7 +3164,7 @@ DB 102,15,58,15,249,4 $L$epilogue_ssse3: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha256_block_data_order_ssse3: 
@@ -4258,7 +4258,7 @@ $L$avx_00_47: $L$epilogue_avx: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha256_block_data_order_avx: EXTERN __imp_RtlVirtualUnwind @@ -4355,7 +4355,7 @@ $L$in_prologue: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret ALIGN 16 diff --git a/win-x86_64/crypto/fipsmodule/sha512-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/sha512-x86_64-win.asm index 793cc36a..b6be2654 100644 --- a/win-x86_64/crypto/fipsmodule/sha512-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/sha512-x86_64-win.asm @@ -1744,7 +1744,7 @@ $L$rounds_16_xx: $L$epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha512_block_data_order: section .rdata rdata align=8 @@ -3026,7 +3026,7 @@ $L$avx_00_47: $L$epilogue_avx: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_sha512_block_data_order_avx: EXTERN __imp_RtlVirtualUnwind @@ -3123,7 +3123,7 @@ $L$in_prologue: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 ALIGN 4 diff --git a/win-x86_64/crypto/fipsmodule/vpaes-x86_64-win.asm b/win-x86_64/crypto/fipsmodule/vpaes-x86_64-win.asm index a6f5c391..ddbfb121 100644 --- a/win-x86_64/crypto/fipsmodule/vpaes-x86_64-win.asm +++ b/win-x86_64/crypto/fipsmodule/vpaes-x86_64-win.asm @@ -112,7 +112,7 @@ DB 102,15,56,0,195 movdqa xmm1,XMMWORD[64+r10*1+r11] pxor xmm0,xmm4 DB 102,15,56,0,193 - DB 0F3h,0C3h ;repret + ret @@ -287,7 +287,7 @@ DB 102,65,15,56,0,243 pxor xmm6,xmm12 DB 102,15,56,0,193 DB 102,15,56,0,241 - DB 0F3h,0C3h ;repret + ret @@ -395,7 +395,7 @@ DB 102,15,56,0,226 DB 102,15,56,0,195 pxor xmm0,xmm4 DB 102,15,56,0,194 - DB 0F3h,0C3h ;repret + ret @@ -573,7 +573,7 @@ $L$schedule_mangle_last_dec: pxor xmm5,xmm5 pxor xmm6,xmm6 pxor xmm7,xmm7 - DB 0F3h,0C3h ;repret + ret 
@@ -602,7 +602,7 @@ _vpaes_schedule_192_smear: pxor xmm6,xmm0 movdqa xmm0,xmm6 movhlps xmm6,xmm1 - DB 0F3h,0C3h ;repret + ret @@ -680,7 +680,7 @@ DB 102,15,56,0,195 pxor xmm0,xmm7 movdqa xmm7,xmm0 - DB 0F3h,0C3h ;repret + ret @@ -706,7 +706,7 @@ DB 102,15,56,0,208 movdqa xmm0,XMMWORD[16+r11] DB 102,15,56,0,193 pxor xmm0,xmm2 - DB 0F3h,0C3h ;repret + ret @@ -800,7 +800,7 @@ DB 102,15,56,0,217 add r8,-16 and r8,0x30 movdqu XMMWORD[rdx],xmm3 - DB 0F3h,0C3h ;repret + ret @@ -862,7 +862,7 @@ $L$enc_key_epilogue: xor eax,eax mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_vpaes_set_encrypt_key: @@ -921,7 +921,7 @@ $L$dec_key_epilogue: xor eax,eax mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_vpaes_set_decrypt_key: @@ -974,7 +974,7 @@ $L$enc_body: $L$enc_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_vpaes_encrypt: @@ -1023,7 +1023,7 @@ $L$dec_body: $L$dec_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_vpaes_decrypt: global vpaes_cbc_encrypt @@ -1104,7 +1104,7 @@ $L$cbc_epilogue: $L$cbc_abort: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_vpaes_cbc_encrypt: global vpaes_ctr32_encrypt_blocks @@ -1204,7 +1204,7 @@ $L$ctr32_epilogue: $L$ctr32_abort: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_vpaes_ctr32_encrypt_blocks: @@ -1225,7 +1225,7 @@ _vpaes_preheat: movdqa xmm12,XMMWORD[64+r10] movdqa xmm15,XMMWORD[80+r10] movdqa xmm14,XMMWORD[96+r10] - DB 0F3h,0C3h ;repret + ret @@ -1426,7 +1426,7 @@ $L$in_prologue: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/fipsmodule/x86_64-mont-win.asm b/win-x86_64/crypto/fipsmodule/x86_64-mont-win.asm index b08d65a5..9bc3341c 100644 
--- a/win-x86_64/crypto/fipsmodule/x86_64-mont-win.asm +++ b/win-x86_64/crypto/fipsmodule/x86_64-mont-win.asm @@ -282,7 +282,7 @@ $L$copy: $L$mul_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_mul_mont: @@ -730,7 +730,7 @@ $L$copy4x: $L$mul4x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_mul4x_mont: EXTERN bn_sqrx8x_internal @@ -935,7 +935,7 @@ $L$sqr8x_cond_copy: $L$sqr8x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_sqr8x_mont: @@ -1305,7 +1305,7 @@ $L$mulx4x_cond_copy: $L$mulx4x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_mulx4x_mont: DB 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 @@ -1443,7 +1443,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/fipsmodule/x86_64-mont5-win.asm b/win-x86_64/crypto/fipsmodule/x86_64-mont5-win.asm index 02bdffcb..46aae517 100644 --- a/win-x86_64/crypto/fipsmodule/x86_64-mont5-win.asm +++ b/win-x86_64/crypto/fipsmodule/x86_64-mont5-win.asm @@ -470,7 +470,7 @@ $L$copy: $L$mul_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_mul_mont_gather5: @@ -589,7 +589,7 @@ $L$mul4x_body: $L$mul4x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_mul4x_mont_gather5: @@ -1269,7 +1269,7 @@ DB 102,72,15,126,226 $L$power5_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_power5: @@ -2054,7 +2054,7 @@ DB 102,73,15,126,217 cmp rdi,rdx jb NEAR $L$8x_reduction_loop - DB 0F3h,0C3h ;repret + ret @@ -2110,7 +2110,7 @@ $L$sqr4x_sub_entry: mov r10,r9 neg r9 - DB 0F3h,0C3h ;repret + ret 
@@ -2234,7 +2234,7 @@ $L$mulx4x_body: $L$mulx4x_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_mulx4x_mont_gather5: @@ -2809,7 +2809,7 @@ DB 102,72,15,126,226 $L$powerx5_epilogue: mov rdi,QWORD[8+rsp] ;WIN64 epilogue mov rsi,QWORD[16+rsp] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_powerx5: @@ -3431,7 +3431,7 @@ DB 102,72,15,126,213 lea rdi,[64+rcx*1+rdi] cmp r8,QWORD[((8+8))+rsp] jb NEAR $L$sqrx8x_reduction_loop - DB 0F3h,0C3h ;repret + ret ALIGN 32 @@ -3484,7 +3484,7 @@ $L$sqrx4x_sub_entry: neg r9 - DB 0F3h,0C3h ;repret + ret global bn_scatter5 @@ -3513,7 +3513,7 @@ $L$scatter: sub edx,1 jnz NEAR $L$scatter $L$scatter_epilogue: - DB 0F3h,0C3h ;repret + ret @@ -3682,7 +3682,7 @@ $L$gather: lea rsp,[r10] - DB 0F3h,0C3h ;repret + ret $L$SEH_end_bn_gather5: @@ -3799,7 +3799,7 @@ $L$common_seh_tail: pop rbx pop rdi pop rsi - DB 0F3h,0C3h ;repret + ret section .pdata rdata align=4 diff --git a/win-x86_64/crypto/test/trampoline-x86_64-win.asm b/win-x86_64/crypto/test/trampoline-x86_64-win.asm index 87cdfe29..ae04cbed 100644 --- a/win-x86_64/crypto/test/trampoline-x86_64-win.asm +++ b/win-x86_64/crypto/test/trampoline-x86_64-win.asm @@ -252,7 +252,7 @@ $L$call_done: - DB 0F3h,0C3h ;repret + ret $L$SEH_end_abi_test_trampoline_21: @@ -262,7 +262,7 @@ ALIGN 16 abi_test_clobber_rax: _CET_ENDBR xor rax,rax - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_rbx @@ -270,7 +270,7 @@ ALIGN 16 abi_test_clobber_rbx: _CET_ENDBR xor rbx,rbx - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_rcx @@ -278,7 +278,7 @@ ALIGN 16 abi_test_clobber_rcx: _CET_ENDBR xor rcx,rcx - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_rdx @@ -286,7 +286,7 @@ ALIGN 16 abi_test_clobber_rdx: _CET_ENDBR xor rdx,rdx - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_rdi @@ -294,7 +294,7 @@ ALIGN 16 abi_test_clobber_rdi: _CET_ENDBR xor rdi,rdi - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_rsi 
@@ -302,7 +302,7 @@ ALIGN 16 abi_test_clobber_rsi: _CET_ENDBR xor rsi,rsi - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_rbp @@ -310,7 +310,7 @@ ALIGN 16 abi_test_clobber_rbp: _CET_ENDBR xor rbp,rbp - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r8 @@ -318,7 +318,7 @@ ALIGN 16 abi_test_clobber_r8: _CET_ENDBR xor r8,r8 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r9 @@ -326,7 +326,7 @@ ALIGN 16 abi_test_clobber_r9: _CET_ENDBR xor r9,r9 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r10 @@ -334,7 +334,7 @@ ALIGN 16 abi_test_clobber_r10: _CET_ENDBR xor r10,r10 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r11 @@ -342,7 +342,7 @@ ALIGN 16 abi_test_clobber_r11: _CET_ENDBR xor r11,r11 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r12 @@ -350,7 +350,7 @@ ALIGN 16 abi_test_clobber_r12: _CET_ENDBR xor r12,r12 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r13 @@ -358,7 +358,7 @@ ALIGN 16 abi_test_clobber_r13: _CET_ENDBR xor r13,r13 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r14 @@ -366,7 +366,7 @@ ALIGN 16 abi_test_clobber_r14: _CET_ENDBR xor r14,r14 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_r15 @@ -374,7 +374,7 @@ ALIGN 16 abi_test_clobber_r15: _CET_ENDBR xor r15,r15 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm0 @@ -382,7 +382,7 @@ ALIGN 16 abi_test_clobber_xmm0: _CET_ENDBR pxor xmm0,xmm0 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm1 @@ -390,7 +390,7 @@ ALIGN 16 abi_test_clobber_xmm1: _CET_ENDBR pxor xmm1,xmm1 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm2 @@ -398,7 +398,7 @@ ALIGN 16 abi_test_clobber_xmm2: _CET_ENDBR pxor xmm2,xmm2 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm3 @@ -406,7 +406,7 @@ ALIGN 16 abi_test_clobber_xmm3: _CET_ENDBR pxor xmm3,xmm3 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm4 @@ -414,7 +414,7 @@ ALIGN 16 abi_test_clobber_xmm4: _CET_ENDBR pxor xmm4,xmm4 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm5 
@@ -422,7 +422,7 @@ ALIGN 16 abi_test_clobber_xmm5: _CET_ENDBR pxor xmm5,xmm5 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm6 @@ -430,7 +430,7 @@ ALIGN 16 abi_test_clobber_xmm6: _CET_ENDBR pxor xmm6,xmm6 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm7 @@ -438,7 +438,7 @@ ALIGN 16 abi_test_clobber_xmm7: _CET_ENDBR pxor xmm7,xmm7 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm8 @@ -446,7 +446,7 @@ ALIGN 16 abi_test_clobber_xmm8: _CET_ENDBR pxor xmm8,xmm8 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm9 @@ -454,7 +454,7 @@ ALIGN 16 abi_test_clobber_xmm9: _CET_ENDBR pxor xmm9,xmm9 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm10 @@ -462,7 +462,7 @@ ALIGN 16 abi_test_clobber_xmm10: _CET_ENDBR pxor xmm10,xmm10 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm11 @@ -470,7 +470,7 @@ ALIGN 16 abi_test_clobber_xmm11: _CET_ENDBR pxor xmm11,xmm11 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm12 @@ -478,7 +478,7 @@ ALIGN 16 abi_test_clobber_xmm12: _CET_ENDBR pxor xmm12,xmm12 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm13 @@ -486,7 +486,7 @@ ALIGN 16 abi_test_clobber_xmm13: _CET_ENDBR pxor xmm13,xmm13 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm14 @@ -494,7 +494,7 @@ ALIGN 16 abi_test_clobber_xmm14: _CET_ENDBR pxor xmm14,xmm14 - DB 0F3h,0C3h ;repret + ret global abi_test_clobber_xmm15 @@ -502,7 +502,7 @@ ALIGN 16 abi_test_clobber_xmm15: _CET_ENDBR pxor xmm15,xmm15 - DB 0F3h,0C3h ;repret + ret @@ -523,7 +523,7 @@ $L$SEH_prolog_abi_test_bad_unwind_wrong_register_2: nop pop r12 - DB 0F3h,0C3h ;repret + ret $L$SEH_end_abi_test_bad_unwind_wrong_register_3: @@ -553,7 +553,7 @@ $L$SEH_prolog_abi_test_bad_unwind_temporary_2: pop r12 - DB 0F3h,0C3h ;repret + ret $L$SEH_end_abi_test_bad_unwind_temporary_3: @@ -570,7 +570,7 @@ _CET_ENDBR and rax,0x400 shr rax,10 cld - DB 0F3h,0C3h ;repret + ret 
@@ -580,7 +580,7 @@ global abi_test_set_direction_flag abi_test_set_direction_flag: _CET_ENDBR std - DB 0F3h,0C3h ;repret + ret @@ -599,7 +599,7 @@ $L$SEH_prolog_abi_test_bad_unwind_epilog_2: pop r12 nop - DB 0F3h,0C3h ;repret + ret $L$SEH_end_abi_test_bad_unwind_epilog_3: section .pdata rdata align=4 |