diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 8b1a0e3a11..a3410552ec 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -448,14 +448,9 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out,
 return 1;
 }
- if (sk_ASN1_VALUE_num(sk) > ((size_t)-1) / sizeof(DER_ENC)) {
- OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW);
- return 0;
- }
-
 int ret = 0;
 unsigned char *const buf = OPENSSL_malloc(skcontlen);
- DER_ENC *encoded = OPENSSL_malloc(sk_ASN1_VALUE_num(sk) * sizeof(*encoded));
+ DER_ENC *encoded = OPENSSL_calloc(sk_ASN1_VALUE_num(sk), sizeof(*encoded));
 if (encoded == NULL || buf == NULL) {
 goto err;
 }
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index 38b1d2635d..8d955b4c05 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -135,11 +135,10 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 }
 }
 if (!combine) {
- *pval = OPENSSL_malloc(it->size);
+ *pval = OPENSSL_zalloc(it->size);
 if (!*pval) {
 goto memerr;
 }
- OPENSSL_memset(*pval, 0, it->size);
 }
 asn1_set_choice_selector(pval, -1, it);
 if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL)) {
@@ -161,11 +160,10 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 }
 }
 if (!combine) {
- *pval = OPENSSL_malloc(it->size);
+ *pval = OPENSSL_zalloc(it->size);
 if (!*pval) {
 goto memerr;
 }
- OPENSSL_memset(*pval, 0, it->size);
 asn1_refcount_set_one(pval, it);
 asn1_enc_init(pval, it);
 }
diff --git a/crypto/base64/base64.c b/crypto/base64/base64.c
index 6146e1e9fd..e128b3b01b 100644
--- a/crypto/base64/base64.c
+++ b/crypto/base64/base64.c
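Review bot: Dropping the explicit check changes where an oversized SET/SEQUENCE is reported: the removed `OPENSSL_PUT_ERROR(ASN1, ERR_R_OVERFLOW)` attributed it to the ASN1 library, while `OPENSSL_calloc` (per the mem.c hunk in this commit) pushes it under CRYPTO, so callers that inspect `ERR_GET_LIB` see a different value. The swap also zeroes the `encoded` array on every encode; that is harmless, but if each `DER_ENC` slot is written before it is read in the part of asn1_set_seq_out outside this hunk, the memset is pure cost, and a comment such as `// OPENSSL_calloc supplies the num * sizeof overflow check; zeroing is incidental.` would record why calloc was chosen. asn1_set_seq_out continues past the hunk.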
@@ -123,12 +123,7 @@ int EVP_EncodedLength(size_t *out_len, size_t len) {
 }
 EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void) {
- EVP_ENCODE_CTX *ret = OPENSSL_malloc(sizeof(EVP_ENCODE_CTX));
- if (ret == NULL) {
- return NULL;
- }
- OPENSSL_memset(ret, 0, sizeof(EVP_ENCODE_CTX));
- return ret;
+ return OPENSSL_zalloc(sizeof(EVP_ENCODE_CTX));
 }
 void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) {
diff --git a/crypto/bio/bio.c b/crypto/bio/bio.c
index 7ab3cc1899..e4aaa32ece 100644
--- a/crypto/bio/bio.c
+++ b/crypto/bio/bio.c
@@ -98,12 +98,11 @@ static CRYPTO_EX_DATA_CLASS g_ex_data_class =
 CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA;
 BIO *BIO_new(const BIO_METHOD *method) {
- BIO *ret = OPENSSL_malloc(sizeof(BIO));
+ BIO *ret = OPENSSL_zalloc(sizeof(BIO));
 if (ret == NULL) {
 return NULL;
 }
- OPENSSL_memset(ret, 0, sizeof(BIO));
 ret->method = method;
 ret->shutdown = 1;
 ret->references = 1;
@@ -702,11 +701,10 @@ int BIO_get_new_index(void) {
 }
 BIO_METHOD *BIO_meth_new(int type, const char *name) {
- BIO_METHOD *method = OPENSSL_malloc(sizeof(BIO_METHOD));
+ BIO_METHOD *method = OPENSSL_zalloc(sizeof(BIO_METHOD));
 if (method == NULL) {
 return NULL;
 }
- OPENSSL_memset(method, 0, sizeof(BIO_METHOD));
 method->type = type;
 method->name = name;
 return method;
diff --git a/crypto/bio/connect.c b/crypto/bio/connect.c
index 49f182f268..0916d0cfa1 100644
--- a/crypto/bio/connect.c
+++ b/crypto/bio/connect.c
@@ -296,13 +296,10 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) {
 }
 static BIO_CONNECT *BIO_CONNECT_new(void) {
- BIO_CONNECT *ret = OPENSSL_malloc(sizeof(BIO_CONNECT));
-
+ BIO_CONNECT *ret = OPENSSL_zalloc(sizeof(BIO_CONNECT));
 if (ret == NULL) {
 return NULL;
 }
- OPENSSL_memset(ret, 0, sizeof(BIO_CONNECT));
-
 ret->state = BIO_CONN_S_BEFORE;
 return ret;
 }
diff --git a/crypto/bio/pair.c b/crypto/bio/pair.c
index 40711cdf95..988b4cea0f 100644
--- a/crypto/bio/pair.c
+++ b/crypto/bio/pair.c
@@ -81,13 +81,10 @@ struct bio_bio_st {
 };
 static int bio_new(BIO *bio) {
- struct bio_bio_st *b;
-
- b = OPENSSL_malloc(sizeof *b);
+ struct bio_bio_st *b = OPENSSL_zalloc(sizeof *b);
 if (b == NULL) {
 return 0;
 }
- OPENSSL_memset(b, 0, sizeof(struct bio_bio_st));
 b->size = 17 * 1024; // enough for one TLS record (just a default)
 bio->ptr = b;
diff --git a/crypto/buf/buf.c b/crypto/buf/buf.c
index 57bf34d4b0..1fe8fe6126 100644
--- a/crypto/buf/buf.c
+++ b/crypto/buf/buf.c
@@ -64,17 +64,7 @@
 #include "../internal.h"
-BUF_MEM *BUF_MEM_new(void) {
- BUF_MEM *ret;
-
- ret = OPENSSL_malloc(sizeof(BUF_MEM));
- if (ret == NULL) {
- return NULL;
- }
-
- OPENSSL_memset(ret, 0, sizeof(BUF_MEM));
- return ret;
-}
+BUF_MEM *BUF_MEM_new(void) { return OPENSSL_zalloc(sizeof(BUF_MEM)); }
 void BUF_MEM_free(BUF_MEM *buf) {
 if (buf == NULL) {
diff --git a/crypto/bytestring/cbb.c b/crypto/bytestring/cbb.c
index 303b0cdf70..94d89735a9 100644
--- a/crypto/bytestring/cbb.c
+++ b/crypto/bytestring/cbb.c
@@ -155,6 +155,29 @@ static struct cbb_buffer_st *cbb_get_base(CBB *cbb) {
 return &cbb->u.base;
 }
+static void cbb_on_error(CBB *cbb) {
+ // Due to C's lack of destructors and |CBB|'s auto-flushing API, a failing
+ // |CBB|-taking function may leave a dangling pointer to a child |CBB|. As a
+ // result, the convention is callers may not write to |CBB|s that have failed.
+ // But, as a safety measure, we lock the |CBB| into an error state. Once the
+ // error bit is set, |cbb->child| will not be read.
+ //
+ // TODO(davidben): This still isn't quite ideal. A |CBB| function *outside*
+ // this file may originate an error while the |CBB| points to a local child.
+ // In that case we don't set the error bit and are reliant on the error
+ // convention. Perhaps we allow |CBB_cleanup| on child |CBB|s and make every
+ // child's |CBB_cleanup| set the error bit if unflushed. That will be
+ // convenient for C++ callers, but very tedious for C callers. So C callers
+ // perhaps should get a |CBB_on_error| function that can be, less tediously,
+ // stuck in a |goto err| block.
+ cbb_get_base(cbb)->error = 1;
+
+ // Clearing the pointer is not strictly necessary, but GCC's dangling pointer
+ // warning does not know |cbb->child| will not be read once |error| is set
+ // above.
+ cbb->child = NULL;
+}
+
 // CBB_flush recurses and then writes out any pending length prefix. The
 // current length of the underlying base is taken to be the length of the
 // length-prefixed data.
@@ -244,7 +267,7 @@ int CBB_flush(CBB *cbb) {
 return 1;
 }
 err:
- base->error = 1;
+ cbb_on_error(cbb);
 return 0;
 }
@@ -420,7 +443,7 @@ static int cbb_add_u(CBB *cbb, uint64_t v, size_t len_len) {
 // |v| must fit in |len_len| bytes.
 if (v != 0) {
- cbb_get_base(cbb)->error = 1;
+ cbb_on_error(cbb);
 return 0;
 }
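Review bot: `cbb_on_error` clears the `child` pointer only of the `CBB` it is handed, but in the `cbb_add_u` hunk that is whatever the caller passed in, frequently a stack-local child (`CBB_add_u8(&child, …)`), so the parent's `child` pointer to that local still dangles and is protected by the shared `error` bit alone — the same gap the TODO describes for out-of-file callers, but reachable from inside this file. The comment above `cbb->child = NULL` should not read as a guarantee; suggest adding `// Only this CBB's pointer is cleared; a parent pointing at this CBB relies on |error| alone.` Callers that open a local child therefore still need their own `cbb_on_error(parent)` on failure, which is what the `err:` labels added elsewhere in this commit do.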
@@ -479,7 +502,7 @@ int CBB_add_asn1_uint64(CBB *cbb, uint64_t value) {
 int CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value, CBS_ASN1_TAG tag) {
 CBB child;
 if (!CBB_add_asn1(cbb, &child, tag)) {
- return 0;
+ goto err;
 }
 int started = 0;
@@ -493,21 +516,25 @@ int CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value, CBS_ASN1_TAG tag) {
 // If the high bit is set, add a padding byte to make it
 // unsigned.
 if ((byte & 0x80) && !CBB_add_u8(&child, 0)) {
- return 0;
+ goto err;
 }
 started = 1;
 }
 if (!CBB_add_u8(&child, byte)) {
- return 0;
+ goto err;
 }
 }
 // 0 is encoded as a single 0, not the empty string.
 if (!started && !CBB_add_u8(&child, 0)) {
- return 0;
+ goto err;
 }
 return CBB_flush(cbb);
+
+err:
+ cbb_on_error(cbb);
+ return 0;
 }
 int CBB_add_asn1_int64(CBB *cbb, int64_t value) {
@@ -535,7 +562,7 @@ int CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value, CBS_ASN1_TAG tag) {
 #endif
 CBB child;
 if (!CBB_add_asn1(cbb, &child, tag)) {
- return 0;
+ goto err;
 }
 #ifdef OPENSSL_BIG_ENDIAN
 for (int i = start; i <= 7; i++) {
@@ -543,10 +570,14 @@ int CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value, CBS_ASN1_TAG tag) {
 for (int i = start; i >= 0; i--) {
 #endif
 if (!CBB_add_u8(&child, bytes[i])) {
- return 0;
+ goto err;
 }
 }
 return CBB_flush(cbb);
+
+err:
+ cbb_on_error(cbb);
+ return 0;
 }
 int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) {
@@ -554,6 +585,7 @@ int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len) {
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_OCTETSTRING) ||
 !CBB_add_bytes(&child, data, data_len) ||
 !CBB_flush(cbb)) {
+ cbb_on_error(cbb);
 return 0;
 }
@@ -565,6 +597,7 @@ int CBB_add_asn1_bool(CBB *cbb, int value) {
 if (!CBB_add_asn1(cbb, &child, CBS_ASN1_BOOLEAN) ||
 !CBB_add_u8(&child, value != 0 ? 0xff : 0) ||
 !CBB_flush(cbb)) {
+ cbb_on_error(cbb);
 return 0;
 }
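Review bot: The new `err:` blocks in CBB_add_asn1_uint64_with_tag and CBB_add_asn1_int64_with_tag call `cbb_on_error(cbb)` after a child operation has (at least on the overflow path visible in cbb_add_u) already set the shared error bit; the reason the parent-level call is still required is that it drops the parent's pointer to the stack-local `child`, and that deserves a comment at each label: `// A failing child already set |error|; this also clears our pointer to the local |child|.` Note too that `goto err` is taken before `child` is initialised when `CBB_add_asn1` fails, which is only safe because `cbb_on_error` touches `cbb` and never `child` — worth stating so nobody later adds a `CBB_cleanup(&child)` there. CBB_add_asn1_octet_string and CBB_add_asn1_bool end outside their hunks.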
@@ -659,16 +692,13 @@ int CBB_flush_asn1_set_of(CBB *cbb) { if (num_children < 2) { return 1; // Nothing to do. This is the common case for X.509. } - if (num_children > ((size_t)-1) / sizeof(CBS)) { - return 0; // Overflow. - } // Parse out the children and sort. We alias them into a copy of so they // remain valid as we rewrite |cbb|. int ret = 0; size_t buf_len = CBB_len(cbb); uint8_t *buf = OPENSSL_memdup(CBB_data(cbb), buf_len); - CBS *children = OPENSSL_malloc(num_children * sizeof(CBS)); + CBS *children = OPENSSL_calloc(num_children, sizeof(CBS)); if (buf == NULL || children == NULL) { goto err; } diff --git a/crypto/chacha/asm/chacha-armv4.pl b/crypto/chacha/asm/chacha-armv4.pl index 38cae520b2..fc08e90bb0 100755 --- a/crypto/chacha/asm/chacha-armv4.pl +++ b/crypto/chacha/asm/chacha-armv4.pl @@ -213,7 +213,7 @@ sub ROUND { .LChaCha20_ctr32: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0-r2,r4-r11,lr} -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r14,pc,#16 @ ChaCha20_ctr32 #else adr r14,.LChaCha20_ctr32 @@ -295,8 +295,8 @@ sub ROUND { ldr @t[0],[sp,#4*(0)] @ load key material ldr @t[1],[sp,#4*(1)] -#if __ARM_ARCH__>=6 || !defined(__ARMEB__) -# if __ARM_ARCH__<7 +#if __ARM_ARCH>=6 || !defined(__ARMEB__) +# if __ARM_ARCH<7 orr @t[2],r12,r14 tst @t[2],#3 @ are input and output aligned? ldr @t[2],[sp,#4*(2)] @@ -322,7 +322,7 @@ sub ROUND { # endif ldrhs @t[2],[r12,#-8] ldrhs @t[3],[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev @x[0],@x[0] rev @x[1],@x[1] rev @x[2],@x[2] @@ -359,7 +359,7 @@ sub ROUND { # endif ldrhs @t[2],[r12,#-8] ldrhs @t[3],[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev @x[4],@x[4] rev @x[5],@x[5] rev @x[6],@x[6] 
@@ -404,7 +404,7 @@ sub ROUND { # endif ldrhs @t[2],[r12,#-8] ldrhs @t[3],[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev @x[0],@x[0] rev @x[1],@x[1] rev @x[2],@x[2] @@ -446,7 +446,7 @@ sub ROUND { # endif ldrhs @t[2],[r12,#-8] ldrhs @t[3],[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev @x[4],@x[4] rev @x[5],@x[5] rev @x[6],@x[6] @@ -477,7 +477,7 @@ sub ROUND { bhi .Loop_outer beq .Ldone -# if __ARM_ARCH__<7 +# if __ARM_ARCH<7 b .Ltail .align 4 @@ -485,7 +485,7 @@ sub ROUND { cmp @t[3],#64 @ restore flags # endif #endif -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldr @t[3],[sp,#4*(3)] ___ for ($i=0;$i<16;$i+=4) { diff --git a/crypto/compiler_test.cc b/crypto/compiler_test.cc index fa5beee16e..3e2577d88c 100644 --- a/crypto/compiler_test.cc +++ b/crypto/compiler_test.cc 
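Review bot: Every `#if __ARM_ARCH<7` / `#if __ARM_ARCH>=6` in these hunks silently evaluates with the macro as 0 if `__ARM_ARCH` is not defined, selecting the pre-v6 paths (including the unaligned-load workarounds) with no diagnostic; the old `__ARM_ARCH__` was presumably guaranteed by the project's arm_arch.h on every toolchain, whereas `__ARM_ARCH` is a compiler-provided macro. If arm_arch.h does not supply a fallback definition (it is not part of this diff), an `#ifndef __ARM_ARCH` / `#error "__ARM_ARCH not defined"` / `#endif` near the top of the emitted assembly would make a non-GCC/Clang assembler build fail loudly instead of running the slowest path. ChaCha20_ctr32 continues outside these hunks.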
@@ -23,6 +23,26 @@ #include "test/test_util.h" +// C and C++ have two forms of unspecified behavior: undefined behavior and +// implementation-defined behavior. +// +// Programs that exhibit undefined behavior are invalid. Compilers are +// permitted to, and often do, arbitrarily miscompile them. BoringSSL thus aims +// to avoid undefined behavior. +// +// Implementation-defined behavior is left up to the compiler to define (or +// leave undefined). These are often platform-specific details, such as how big +// |int| is or how |uintN_t| is implemented. Programs that depend on +// implementation-defined behavior are not necessarily invalid, merely less +// portable. A compiler that provides some implementation-defined behavior is +// not permitted to miscompile code that depends on it. +// +// C allows a much wider range of platform behaviors than would be practical +// for us to support, so we make some assumptions on implementation-defined +// behavior. Platforms that violate those assumptions are not supported. This +// file aims to document and test these assumptions, so that platforms outside +// our scope are flagged. + template static void CheckRepresentation(T value) { SCOPED_TRACE(value); diff --git a/crypto/conf/conf.c b/crypto/conf/conf.c index 2d642e5e04..64fb856a3b 100644 --- a/crypto/conf/conf.c +++ b/crypto/conf/conf.c @@ -118,14 +118,7 @@ CONF *NCONF_new(void *method) { return conf; } -CONF_VALUE *CONF_VALUE_new(void) { - CONF_VALUE *v = OPENSSL_malloc(sizeof(CONF_VALUE)); - if (!v) { - return NULL; - } - OPENSSL_memset(v, 0, sizeof(CONF_VALUE)); - return v; -} +CONF_VALUE *CONF_VALUE_new(void) { return OPENSSL_zalloc(sizeof(CONF_VALUE)); } static void value_free_contents(CONF_VALUE *value) { OPENSSL_free(value->section); diff --git a/crypto/curve25519/spake25519.c b/crypto/curve25519/spake25519.c index 9bf95d53ba..c5a9eaba7a 100644 --- a/crypto/curve25519/spake25519.c +++ b/crypto/curve25519/spake25519.c 
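Review bot: The opening sentence "C and C++ have two forms of unspecified behavior" borrows a term the standards use for a third, distinct category, and "left up to the compiler to define (or leave undefined)" misdescribes implementation-defined behavior, which an implementation is required to choose and document. Suggest `// C and C++ have two forms of behavior the standards do not pin down: undefined behavior and implementation-defined behavior.` for the first line and `// Implementation-defined behavior is left up to the implementation to choose and document.` for the second paragraph's opening. The rest of the note, including the rationale for documenting assumptions in this file, reads well.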
@@ -272,12 +272,11 @@ static const uint8_t kSpakeMSmallPrecomp[15 * 2 * 32] = { SPAKE2_CTX *SPAKE2_CTX_new(enum spake2_role_t my_role, const uint8_t *my_name, size_t my_name_len, const uint8_t *their_name, size_t their_name_len) { - SPAKE2_CTX *ctx = OPENSSL_malloc(sizeof(SPAKE2_CTX)); + SPAKE2_CTX *ctx = OPENSSL_zalloc(sizeof(SPAKE2_CTX)); if (ctx == NULL) { return NULL; } - OPENSSL_memset(ctx, 0, sizeof(SPAKE2_CTX)); ctx->my_role = my_role; CBS my_name_cbs, their_name_cbs; diff --git a/crypto/dsa/dsa.c b/crypto/dsa/dsa.c index 77a24072c1..aa44c2fdf5 100644 --- a/crypto/dsa/dsa.c +++ b/crypto/dsa/dsa.c @@ -90,18 +90,14 @@ static int dsa_sign_setup(const DSA *dsa, BN_CTX *ctx_in, BIGNUM **out_kinv, static CRYPTO_EX_DATA_CLASS g_ex_data_class = CRYPTO_EX_DATA_CLASS_INIT; DSA *DSA_new(void) { - DSA *dsa = OPENSSL_malloc(sizeof(DSA)); + DSA *dsa = OPENSSL_zalloc(sizeof(DSA)); if (dsa == NULL) { return NULL; } - OPENSSL_memset(dsa, 0, sizeof(DSA)); - dsa->references = 1; - CRYPTO_MUTEX_init(&dsa->method_mont_lock); CRYPTO_new_ex_data(&dsa->ex_data); - return dsa; } @@ -558,16 +554,7 @@ int DSA_generate_key(DSA *dsa) { return ok; } -DSA_SIG *DSA_SIG_new(void) { - DSA_SIG *sig; - sig = OPENSSL_malloc(sizeof(DSA_SIG)); - if (!sig) { - return NULL; - } - sig->r = NULL; - sig->s = NULL; - return sig; -} +DSA_SIG *DSA_SIG_new(void) { return OPENSSL_zalloc(sizeof(DSA_SIG)); } void DSA_SIG_free(DSA_SIG *sig) { if (!sig) { diff --git a/crypto/engine/engine.c b/crypto/engine/engine.c index 1737a34ae3..3b5bf5220a 100644 --- a/crypto/engine/engine.c +++ b/crypto/engine/engine.c 
@@ -31,15 +31,7 @@ struct engine_st {
 ECDSA_METHOD *ecdsa_method;
 };
-ENGINE *ENGINE_new(void) {
- ENGINE *engine = OPENSSL_malloc(sizeof(ENGINE));
- if (engine == NULL) {
- return NULL;
- }
-
- OPENSSL_memset(engine, 0, sizeof(ENGINE));
- return engine;
-}
+ENGINE *ENGINE_new(void) { return OPENSSL_zalloc(sizeof(ENGINE)); }
 int ENGINE_free(ENGINE *engine) {
 // Methods are currently required to be static so are not unref'ed.
diff --git a/crypto/evp_extra/scrypt.c b/crypto/evp_extra/scrypt.c
index 3ef3f4009d..04fb5341fe 100644
--- a/crypto/evp_extra/scrypt.c
+++ b/crypto/evp_extra/scrypt.c
@@ -183,12 +183,12 @@ int EVP_PBE_scrypt(const char *password, size_t password_len,
 // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which
 // is no bigger than uint64_t, so none of these operations may overflow.
- OPENSSL_STATIC_ASSERT(UINT64_MAX >= ((size_t)-1), size_t_exceeds_uint64_t)
+ OPENSSL_STATIC_ASSERT(UINT64_MAX >= SIZE_MAX, size_t_exceeds_uint64_t)
 size_t B_blocks = p * 2 * r;
 size_t B_bytes = B_blocks * sizeof(block_t);
 size_t T_blocks = 2 * r;
 size_t V_blocks = N * 2 * r;
- block_t *B = OPENSSL_malloc((B_blocks + T_blocks + V_blocks) * sizeof(block_t));
+ block_t *B = OPENSSL_calloc((B_blocks + T_blocks + V_blocks), sizeof(block_t));
 if (B == NULL) {
 return 0;
 }
diff --git a/crypto/fipsmodule/CMakeLists.txt b/crypto/fipsmodule/CMakeLists.txt
index 5d1f439c2f..a0dda09e9d 100644
--- a/crypto/fipsmodule/CMakeLists.txt
+++ b/crypto/fipsmodule/CMakeLists.txt
@@ -305,7 +305,7 @@ endif()
 if(FIPS_DELOCATE)
 if(FIPS_SHARED)
- error("Can't set both delocate and shared mode for FIPS build")
+ message(FATAL_ERROR "Can't set both delocate and shared mode for FIPS build")
 endif()
 if(OPENSSL_NO_ASM)
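Review bot: `OPENSSL_calloc` now zero-fills the entire scratch region, `(p*2*r + 2*r + N*2*r) * sizeof(block_t)` bytes, on every call to a function whose cost is already dominated by memory traffic, and for the large N values scrypt is normally run with that is a memset of many megabytes; the comment two lines above states the multiplication cannot overflow, so the checked multiply adds nothing and the zeroing is pure cost. If every block is written before it is read (the SMix code is outside this hunk), keep `block_t *B = OPENSSL_malloc((B_blocks + T_blocks + V_blocks) * sizeof(block_t));` or introduce a non-zeroing checked-multiply allocator for this kind of caller. EVP_PBE_scrypt continues past the hunk.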
@@ -415,7 +415,7 @@ if(FIPS_DELOCATE) set_target_properties(fipsmodule PROPERTIES LINKER_LANGUAGE C) elseif(FIPS_SHARED) if(NOT BUILD_SHARED_LIBS) - error("FIPS_SHARED set but not BUILD_SHARED_LIBS") + message(FATAL_ERROR "FIPS_SHARED set but not BUILD_SHARED_LIBS") endif() add_library( diff --git a/crypto/fipsmodule/aes/asm/bsaes-armv7.pl b/crypto/fipsmodule/aes/asm/bsaes-armv7.pl index 3777511641..e71e9e1cb6 100644 --- a/crypto/fipsmodule/aes/asm/bsaes-armv7.pl +++ b/crypto/fipsmodule/aes/asm/bsaes-armv7.pl @@ -720,7 +720,6 @@ sub bitslice { # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif diff --git a/crypto/fipsmodule/bn/asm/armv4-mont.pl b/crypto/fipsmodule/bn/asm/armv4-mont.pl index 3d001afc50..0bda9037d7 100644 --- a/crypto/fipsmodule/bn/asm/armv4-mont.pl +++ b/crypto/fipsmodule/bn/asm/armv4-mont.pl @@ -288,7 +288,7 @@ add sp,sp,#2*4 @ skip over {r0,r2} mov r0,#1 .Labrt: -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ret @ bx lr #else tst lr,#1 diff --git a/crypto/fipsmodule/bn/bn.c b/crypto/fipsmodule/bn/bn.c index e0de0648ba..e6a76f439b 100644 --- a/crypto/fipsmodule/bn/bn.c +++ b/crypto/fipsmodule/bn/bn.c @@ -360,7 +360,7 @@ int bn_wexpand(BIGNUM *bn, size_t words) { return 0; } - a = OPENSSL_malloc(sizeof(BN_ULONG) * words); + a = OPENSSL_calloc(words, sizeof(BN_ULONG)); if (a == NULL) { return 0; } diff --git a/crypto/fipsmodule/bn/ctx.c b/crypto/fipsmodule/bn/ctx.c index cd49e32ccc..24f9f29d6a 100644 --- a/crypto/fipsmodule/bn/ctx.c +++ b/crypto/fipsmodule/bn/ctx.c 
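Review bot: Deleting `# define __ARM_ARCH__ __LINUX_ARM_ARCH__` from the `__KERNEL__` branch leaves nothing in that configuration defining `__ARM_ARCH`, so any `#if __ARM_ARCH>=7` in this file (the tests themselves lie outside the hunk) would evaluate with the macro as 0 in a kernel build; the sha256-armv4.pl hunk in this same commit instead rewrites the line to `# define __ARM_ARCH __LINUX_ARM_ARCH__`, so the two files now disagree. Pick one treatment for bsaes-armv7.pl, sha256-armv4.pl and sha512-armv4.pl (which also drops the line); if the `__KERNEL__` path is considered dead, a comment saying so is better than a silent fallback to the lowest architecture.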
@@ -212,7 +212,7 @@ static int BN_STACK_push(BN_STACK *st, size_t idx) { // This function intentionally does not push to the error queue on error. // Error-reporting is deferred to |BN_CTX_get|. size_t new_size = st->size != 0 ? st->size * 3 / 2 : BN_CTX_START_FRAMES; - if (new_size <= st->size || new_size > ((size_t)-1) / sizeof(size_t)) { + if (new_size <= st->size || new_size > SIZE_MAX / sizeof(size_t)) { return 0; } size_t *new_indexes = diff --git a/crypto/fipsmodule/bn/exponentiation.c b/crypto/fipsmodule/bn/exponentiation.c index da4152e4cd..74ed54372b 100644 --- a/crypto/fipsmodule/bn/exponentiation.c +++ b/crypto/fipsmodule/bn/exponentiation.c @@ -770,7 +770,7 @@ void bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, const BN_ULONG *p, size_t num_p, const BN_MONT_CTX *mont) { if (num != (size_t)mont->N.width || num > BN_SMALL_MAX_WORDS || - num_p > ((size_t)-1) / BN_BITS2) { + num_p > SIZE_MAX / BN_BITS2) { abort(); } assert(BN_is_odd(&mont->N)); diff --git a/crypto/fipsmodule/bn/prime.c b/crypto/fipsmodule/bn/prime.c index 7da074013b..99839e4414 100644 --- a/crypto/fipsmodule/bn/prime.c +++ b/crypto/fipsmodule/bn/prime.c @@ -359,14 +359,7 @@ static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, static int probable_prime_dh_safe(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); -BN_GENCB *BN_GENCB_new(void) { - BN_GENCB *callback = OPENSSL_malloc(sizeof(BN_GENCB)); - if (callback == NULL) { - return NULL; - } - OPENSSL_memset(callback, 0, sizeof(BN_GENCB)); - return callback; -} +BN_GENCB *BN_GENCB_new(void) { return OPENSSL_zalloc(sizeof(BN_GENCB)); } void BN_GENCB_free(BN_GENCB *callback) { OPENSSL_free(callback); } diff --git a/crypto/fipsmodule/cipher/cipher.c b/crypto/fipsmodule/cipher/cipher.c index 7072994883..6625579751 100644 --- a/crypto/fipsmodule/cipher/cipher.c +++ b/crypto/fipsmodule/cipher/cipher.c 
@@ -112,12 +112,11 @@ int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) { OPENSSL_memcpy(out, in, sizeof(EVP_CIPHER_CTX)); if (in->cipher_data && in->cipher->ctx_size) { - out->cipher_data = OPENSSL_malloc(in->cipher->ctx_size); + out->cipher_data = OPENSSL_memdup(in->cipher_data, in->cipher->ctx_size); if (!out->cipher_data) { out->cipher = NULL; return 0; } - OPENSSL_memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); } if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { diff --git a/crypto/fipsmodule/cipher/e_aesccm.c b/crypto/fipsmodule/cipher/e_aesccm.c index eada07bd29..3972b7b4bf 100644 --- a/crypto/fipsmodule/cipher/e_aesccm.c +++ b/crypto/fipsmodule/cipher/e_aesccm.c @@ -128,7 +128,7 @@ static int CRYPTO_ccm128_init(struct ccm128_context *ctx, block128_f block, } static size_t CRYPTO_ccm128_max_input(const struct ccm128_context *ctx) { - return ctx->L >= sizeof(size_t) ? (size_t)-1 + return ctx->L >= sizeof(size_t) ? SIZE_MAX : (((size_t)1) << (ctx->L * 8)) - 1; } diff --git a/crypto/fipsmodule/dh/dh.c b/crypto/fipsmodule/dh/dh.c index 90da35e006..5ea303e68a 100644 --- a/crypto/fipsmodule/dh/dh.c +++ b/crypto/fipsmodule/dh/dh.c @@ -70,17 +70,13 @@ DH *DH_new(void) { - DH *dh = OPENSSL_malloc(sizeof(DH)); + DH *dh = OPENSSL_zalloc(sizeof(DH)); if (dh == NULL) { return NULL; } - OPENSSL_memset(dh, 0, sizeof(DH)); - CRYPTO_MUTEX_init(&dh->method_mont_p_lock); - dh->references = 1; - return dh; } @@ -418,7 +414,7 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) { int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, size_t max_out_len, const BIGNUM *peers_key, const EVP_MD *digest) { - *out_len = (size_t)-1; + *out_len = SIZE_MAX; const size_t digest_len = EVP_MD_size(digest); if (digest_len > max_out_len) { diff --git a/crypto/fipsmodule/ec/ec.c b/crypto/fipsmodule/ec/ec.c index d0cc69a05b..f0503143d5 100644 --- a/crypto/fipsmodule/ec/ec.c +++ b/crypto/fipsmodule/ec/ec.c 
@@ -295,11 +295,10 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, goto err; } - ret = OPENSSL_malloc(sizeof(EC_GROUP)); + ret = OPENSSL_zalloc(sizeof(EC_GROUP)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(EC_GROUP)); ret->references = 1; ret->meth = EC_GFp_mont_method(); bn_mont_ctx_init(&ret->field); diff --git a/crypto/fipsmodule/ec/ec_key.c b/crypto/fipsmodule/ec/ec_key.c index 88fa8feacd..2373aab38e 100644 --- a/crypto/fipsmodule/ec/ec_key.c +++ b/crypto/fipsmodule/ec/ec_key.c @@ -86,12 +86,11 @@ DEFINE_STATIC_EX_DATA_CLASS(g_ec_ex_data_class) static EC_WRAPPED_SCALAR *ec_wrapped_scalar_new(const EC_GROUP *group) { - EC_WRAPPED_SCALAR *wrapped = OPENSSL_malloc(sizeof(EC_WRAPPED_SCALAR)); + EC_WRAPPED_SCALAR *wrapped = OPENSSL_zalloc(sizeof(EC_WRAPPED_SCALAR)); if (wrapped == NULL) { return NULL; } - OPENSSL_memset(wrapped, 0, sizeof(EC_WRAPPED_SCALAR)); wrapped->bignum.d = wrapped->scalar.words; wrapped->bignum.width = group->order.N.width; wrapped->bignum.dmax = group->order.N.width; @@ -106,13 +105,11 @@ static void ec_wrapped_scalar_free(EC_WRAPPED_SCALAR *scalar) { EC_KEY *EC_KEY_new(void) { return EC_KEY_new_method(NULL); } EC_KEY *EC_KEY_new_method(const ENGINE *engine) { - EC_KEY *ret = OPENSSL_malloc(sizeof(EC_KEY)); + EC_KEY *ret = OPENSSL_zalloc(sizeof(EC_KEY)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(EC_KEY)); - if (engine) { ret->ecdsa_meth = ENGINE_get_ECDSA_method(engine); } diff --git a/crypto/fipsmodule/ec/wnaf.c b/crypto/fipsmodule/ec/wnaf.c index f5214b2472..225cdfe1d7 100644 --- a/crypto/fipsmodule/ec/wnaf.c +++ b/crypto/fipsmodule/ec/wnaf.c 
@@ -197,13 +197,8 @@ int ec_GFp_mont_mul_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, wNAF = wNAF_stack; precomp = precomp_stack; } else { - if (num >= ((size_t)-1) / sizeof(wNAF_alloc[0]) || - num >= ((size_t)-1) / sizeof(precomp_alloc[0])) { - OPENSSL_PUT_ERROR(EC, ERR_R_OVERFLOW); - goto err; - } - wNAF_alloc = OPENSSL_malloc(num * sizeof(wNAF_alloc[0])); - precomp_alloc = OPENSSL_malloc(num * sizeof(precomp_alloc[0])); + wNAF_alloc = OPENSSL_calloc(num, sizeof(wNAF_alloc[0])); + precomp_alloc = OPENSSL_calloc(num, sizeof(precomp_alloc[0])); if (wNAF_alloc == NULL || precomp_alloc == NULL) { goto err; } diff --git a/crypto/fipsmodule/evp/evp.c b/crypto/fipsmodule/evp/evp.c index 517f23c44a..5685452dea 100644 --- a/crypto/fipsmodule/evp/evp.c +++ b/crypto/fipsmodule/evp/evp.c @@ -84,12 +84,11 @@ OPENSSL_DECLARE_ERROR_REASON(EVP, EMPTY_PSK) EVP_PKEY *EVP_PKEY_new(void) { EVP_PKEY *ret; - ret = OPENSSL_malloc(sizeof(EVP_PKEY)); + ret = OPENSSL_zalloc(sizeof(EVP_PKEY)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(EVP_PKEY)); ret->type = EVP_PKEY_NONE; ret->references = 1; diff --git a/crypto/fipsmodule/evp/evp_ctx.c b/crypto/fipsmodule/evp/evp_ctx.c index dcc931fbd7..1a8574f718 100644 --- a/crypto/fipsmodule/evp/evp_ctx.c +++ b/crypto/fipsmodule/evp/evp_ctx.c @@ -124,11 +124,10 @@ static EVP_PKEY_CTX *evp_pkey_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) { return NULL; } - ret = OPENSSL_malloc(sizeof(EVP_PKEY_CTX)); + ret = OPENSSL_zalloc(sizeof(EVP_PKEY_CTX)); if (!ret) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(EVP_PKEY_CTX)); ret->engine = e; ret->pmeth = pmeth; @@ -175,13 +174,11 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx) { return NULL; } - EVP_PKEY_CTX *ret = OPENSSL_malloc(sizeof(EVP_PKEY_CTX)); + EVP_PKEY_CTX *ret = OPENSSL_zalloc(sizeof(EVP_PKEY_CTX)); if (!ret) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(EVP_PKEY_CTX)); - ret->pmeth = ctx->pmeth; ret->engine = ctx->engine; ret->operation = ctx->operation; 
diff --git a/crypto/fipsmodule/evp/p_ec.c b/crypto/fipsmodule/evp/p_ec.c index 441e2b4ea4..d332c2afa3 100644 --- a/crypto/fipsmodule/evp/p_ec.c +++ b/crypto/fipsmodule/evp/p_ec.c @@ -81,11 +81,10 @@ typedef struct { static int pkey_ec_init(EVP_PKEY_CTX *ctx) { EC_PKEY_CTX *dctx; - dctx = OPENSSL_malloc(sizeof(EC_PKEY_CTX)); + dctx = OPENSSL_zalloc(sizeof(EC_PKEY_CTX)); if (!dctx) { return 0; } - OPENSSL_memset(dctx, 0, sizeof(EC_PKEY_CTX)); ctx->data = dctx; diff --git a/crypto/fipsmodule/evp/p_hkdf.c b/crypto/fipsmodule/evp/p_hkdf.c index 938da19bd0..fe83d05d1c 100644 --- a/crypto/fipsmodule/evp/p_hkdf.c +++ b/crypto/fipsmodule/evp/p_hkdf.c @@ -35,12 +35,11 @@ typedef struct { } HKDF_PKEY_CTX; static int pkey_hkdf_init(EVP_PKEY_CTX *ctx) { - HKDF_PKEY_CTX *hctx = OPENSSL_malloc(sizeof(HKDF_PKEY_CTX)); + HKDF_PKEY_CTX *hctx = OPENSSL_zalloc(sizeof(HKDF_PKEY_CTX)); if (hctx == NULL) { return 0; } - OPENSSL_memset(hctx, 0, sizeof(HKDF_PKEY_CTX)); if (!CBB_init(&hctx->info, 0)) { OPENSSL_free(hctx); return 0; diff --git a/crypto/fipsmodule/evp/p_hmac.c b/crypto/fipsmodule/evp/p_hmac.c index 9df6066ffc..d0e456c808 100644 --- a/crypto/fipsmodule/evp/p_hmac.c +++ b/crypto/fipsmodule/evp/p_hmac.c @@ -64,11 +64,10 @@ static int hmac_init(EVP_PKEY_CTX *ctx) { HMAC_PKEY_CTX *hctx; - hctx = OPENSSL_malloc(sizeof(HMAC_PKEY_CTX)); + hctx = OPENSSL_zalloc(sizeof(HMAC_PKEY_CTX)); if (hctx == NULL) { return 0; } - OPENSSL_memset(hctx, 0, sizeof(HMAC_PKEY_CTX)); HMAC_CTX_init(&hctx->ctx); ctx->data = hctx; return 1; @@ -132,10 +131,9 @@ int used_for_hmac(EVP_MD_CTX *ctx) { } HMAC_KEY *HMAC_KEY_new(void) { - HMAC_KEY *key = OPENSSL_malloc(sizeof(HMAC_KEY)); + HMAC_KEY *key = OPENSSL_zalloc(sizeof(HMAC_KEY)); if (key == NULL) { return NULL; } - OPENSSL_memset(key, 0, sizeof(HMAC_KEY)); return key; } diff --git a/crypto/fipsmodule/evp/p_rsa.c b/crypto/fipsmodule/evp/p_rsa.c index 889d2f3849..002a363e1c 100644 --- a/crypto/fipsmodule/evp/p_rsa.c +++ b/crypto/fipsmodule/evp/p_rsa.c 
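Review bot: `HMAC_KEY_new` keeps the `if (key == NULL) { return NULL; }` and `return key;` scaffolding around `OPENSSL_zalloc`, which is now a no-op wrapper, while the other allocate-only constructors in this commit (BUF_MEM_new, CONF_VALUE_new, ENGINE_new, BN_GENCB_new, DSA_SIG_new, EVP_ENCODE_CTX_new) were collapsed to a single statement. For consistency: `HMAC_KEY *HMAC_KEY_new(void) { return OPENSSL_zalloc(sizeof(HMAC_KEY)); }`. Behaviour is identical either way.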
@@ -192,11 +192,10 @@ static int pkey_pss_init_verify(EVP_PKEY_CTX *ctx) { static int pkey_rsa_init(EVP_PKEY_CTX *ctx) { RSA_PKEY_CTX *rctx; - rctx = OPENSSL_malloc(sizeof(RSA_PKEY_CTX)); + rctx = OPENSSL_zalloc(sizeof(RSA_PKEY_CTX)); if (!rctx) { return 0; } - OPENSSL_memset(rctx, 0, sizeof(RSA_PKEY_CTX)); rctx->nbits = 2048; if (pkey_ctx_is_pss(ctx)) { diff --git a/crypto/fipsmodule/rsa/blinding.c b/crypto/fipsmodule/rsa/blinding.c index c4cfcc2313..8838ad8fa1 100644 --- a/crypto/fipsmodule/rsa/blinding.c +++ b/crypto/fipsmodule/rsa/blinding.c @@ -130,11 +130,10 @@ static int bn_blinding_create_param(BN_BLINDING *b, const BIGNUM *e, const BN_MONT_CTX *mont, BN_CTX *ctx); BN_BLINDING *BN_BLINDING_new(void) { - BN_BLINDING *ret = OPENSSL_malloc(sizeof(BN_BLINDING)); + BN_BLINDING *ret = OPENSSL_zalloc(sizeof(BN_BLINDING)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(BN_BLINDING)); ret->A = BN_new(); if (ret->A == NULL) { diff --git a/crypto/fipsmodule/rsa/rsa.c b/crypto/fipsmodule/rsa/rsa.c index f89aa85f76..a5cfb789c5 100644 --- a/crypto/fipsmodule/rsa/rsa.c +++ b/crypto/fipsmodule/rsa/rsa.c @@ -87,13 +87,11 @@ DEFINE_STATIC_EX_DATA_CLASS(g_rsa_ex_data_class) RSA *RSA_new(void) { return RSA_new_method(NULL); } RSA *RSA_new_method(const ENGINE *engine) { - RSA *rsa = OPENSSL_malloc(sizeof(RSA)); + RSA *rsa = OPENSSL_zalloc(sizeof(RSA)); if (rsa == NULL) { return NULL; } - OPENSSL_memset(rsa, 0, sizeof(RSA)); - if (engine) { rsa->meth = ENGINE_get_RSA_method(engine); } diff --git a/crypto/fipsmodule/rsa/rsa_impl.c b/crypto/fipsmodule/rsa/rsa_impl.c index 4efcbc511e..2dcc91aba9 100644 --- a/crypto/fipsmodule/rsa/rsa_impl.c +++ b/crypto/fipsmodule/rsa/rsa_impl.c 
@@ -450,7 +450,7 @@ static BN_BLINDING *rsa_blinding_get(RSA *rsa, size_t *index_used, assert(new_num_blindings > rsa->num_blindings); BN_BLINDING **new_blindings = - OPENSSL_malloc(sizeof(BN_BLINDING *) * new_num_blindings); + OPENSSL_calloc(new_num_blindings, sizeof(BN_BLINDING *)); uint8_t *new_blindings_inuse = OPENSSL_malloc(new_num_blindings); if (new_blindings == NULL || new_blindings_inuse == NULL) { goto err; diff --git a/crypto/fipsmodule/self_check/fips.c b/crypto/fipsmodule/self_check/fips.c index 5135419d0a..28226017bb 100644 --- a/crypto/fipsmodule/self_check/fips.c +++ b/crypto/fipsmodule/self_check/fips.c @@ -99,12 +99,11 @@ void boringssl_fips_inc_counter(enum fips_counter_t counter) { CRYPTO_get_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS); if (!array) { const size_t num_bytes = sizeof(size_t) * (fips_counter_max + 1); - array = malloc(num_bytes); + array = OPENSSL_zalloc(num_bytes); if (!array) { return; } - OPENSSL_memset(array, 0, num_bytes); if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS, array, free)) { // |OPENSSL_free| has already been called by |CRYPTO_set_thread_local|. diff --git a/crypto/fipsmodule/sha/asm/sha1-armv4-large.pl b/crypto/fipsmodule/sha/asm/sha1-armv4-large.pl index d276e952fc..b845a824a7 100644 --- a/crypto/fipsmodule/sha/asm/sha1-armv4-large.pl +++ b/crypto/fipsmodule/sha/asm/sha1-armv4-large.pl @@ -134,7 +134,7 @@ sub Xupdate { sub BODY_00_15 { my ($a,$b,$c,$d,$e)=@_; $code.=<<___; -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb $t1,[$inp,#2] ldrb $t0,[$inp,#3] ldrb $t2,[$inp,#1] @@ -298,7 +298,7 @@ sub BODY_40_59 { teq $inp,$len bne .Lloop @ [+18], total 1307 -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4-r12,pc} #else ldmia sp!,{r4-r12,lr} diff --git a/crypto/fipsmodule/sha/asm/sha256-armv4.pl b/crypto/fipsmodule/sha/asm/sha256-armv4.pl index c449a7c6c1..5917f94002 100644 --- a/crypto/fipsmodule/sha/asm/sha256-armv4.pl +++ b/crypto/fipsmodule/sha/asm/sha256-armv4.pl 
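Review bot: `new_blindings` is now zero-filled while `new_blindings_inuse`, allocated on the very next line, remains plain `OPENSSL_malloc`; if the `err:` path (outside the hunk) walks `new_blindings` freeing every slot, the zeroing is what makes that safe and a one-line comment should say so, e.g. `// Zeroed so |err| can free every slot unconditionally.` If instead both arrays are fully initialised before any error exit, the asymmetry is merely confusing and either `new_blindings_inuse` should get the same treatment or the reason for the difference should be stated. rsa_blinding_get continues past the hunk.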
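Review bot: The counter array is now allocated with `OPENSSL_zalloc` but the destructor passed to `CRYPTO_set_thread_local` on the next line is still libc `free`; per the mem.c hunk in this commit `OPENSSL_zalloc` goes through `OPENSSL_malloc`, which (outside this diff) may apply a size prefix or route to a custom allocator, so releasing the block with `free` is an allocator mismatch and, if a prefix is in use, an invalid free at thread exit. The old `malloc`/`free` pairing was at least self-consistent; the fix is `CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS, array, OPENSSL_free)`, which also makes the existing `// |OPENSSL_free| has already been called` comment true. boringssl_fips_inc_counter continues past the hunk.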
@@ -88,7 +88,7 @@ sub BODY_00_15 { my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_; $code.=<<___ if ($i<16); -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr $t1,[$inp],#4 @ $i # if $i==15 str $inp,[sp,#17*4] @ make room for $t4 @@ -131,7 +131,7 @@ sub BODY_00_15 { cmp $t2,#0xf2 @ done? #endif #if $i<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr $t1,[$inp],#4 @ prefetch # else ldrb $t1,[$inp,#3] @@ -181,7 +181,7 @@ sub BODY_16_XX { #ifndef __KERNEL__ # include #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_ARCH __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif @@ -229,7 +229,7 @@ sub BODY_16_XX { .type sha256_block_data_order,%function sha256_block_data_order: .Lsha256_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r3,pc,#8 @ sha256_block_data_order #else adr r3,.Lsha256_block_data_order @@ -251,7 +251,7 @@ sub BODY_16_XX { sub $Ktbl,r3,#256+32 @ K256 sub sp,sp,#16*4 @ alloca(X[16]) .Loop: -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr $t1,[$inp],#4 # else ldrb $t1,[$inp,#3] @@ -263,7 +263,7 @@ sub BODY_16_XX { $code.=".Lrounds_16_xx:\n"; for (;$i<32;$i++) { &BODY_16_XX($i,@V); unshift(@V,pop(@V)); } $code.=<<___; -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t3,[sp,#16*4] @ pull ctx @@ -294,7 +294,7 @@ sub BODY_16_XX { bne .Loop add sp,sp,#`16+3`*4 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4-r11,pc} #else ldmia sp!,{r4-r11,lr} diff --git a/crypto/fipsmodule/sha/asm/sha512-armv4.pl b/crypto/fipsmodule/sha/asm/sha512-armv4.pl index 05eff39adf..61d14aea26 100644 --- a/crypto/fipsmodule/sha/asm/sha512-armv4.pl +++ b/crypto/fipsmodule/sha/asm/sha512-armv4.pl @@ -161,7 +161,7 @@ () teq $t0,#$magic ldr $t3,[sp,#$Coff+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq $Ktbl,$Ktbl,#1 
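Review bot: `# define __ARM_ARCH __LINUX_ARM_ARCH__` (re)defines a macro that GCC and Clang predefine for ARM targets, so in a `__KERNEL__` build with those compilers this line will either warn under `-Wmacro-redefined` or override the compiler's value; the bsaes-armv7.pl and sha512-armv4.pl hunks in this commit delete the equivalent line rather than renaming it. Either delete it here as well, or guard it: `# ifndef __ARM_ARCH` / `# define __ARM_ARCH __LINUX_ARM_ARCH__` / `# endif`. The `#ifndef __KERNEL__` block is shown only in part; the header it includes on the non-kernel path is not visible.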
@@ -206,7 +206,6 @@ () # define VFP_ABI_PUSH vstmdb sp!,{d8-d15} # define VFP_ABI_POP vldmia sp!,{d8-d15} #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 # define VFP_ABI_PUSH # define VFP_ABI_POP @@ -291,7 +290,7 @@ () .type sha512_block_data_order,%function sha512_block_data_order: .Lsha512_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r3,pc,#8 @ sha512_block_data_order #else adr r3,.Lsha512_block_data_order @@ -341,7 +340,7 @@ () str $Thi,[sp,#$Foff+4] .L00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb $Tlo,[$inp,#7] ldrb $t0, [$inp,#6] ldrb $t1, [$inp,#5] @@ -419,7 +418,7 @@ () ___ &BODY_00_15(0x17); $code.=<<___; -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq $t0,[sp,#`$Xoff+8*(16-1)`+0] @@ -498,7 +497,7 @@ () bne .Loop add sp,sp,#8*9 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4-r12,pc} #else ldmia sp!,{r4-r12,lr} diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index 4a95a2e67d..fbab430ad3 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -104,19 +104,17 @@ struct lhash_st { }; _LHASH *OPENSSL_lh_new(lhash_hash_func hash, lhash_cmp_func comp) { - _LHASH *ret = OPENSSL_malloc(sizeof(_LHASH)); + _LHASH *ret = OPENSSL_zalloc(sizeof(_LHASH)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(_LHASH)); ret->num_buckets = kMinNumBuckets; - ret->buckets = OPENSSL_malloc(sizeof(LHASH_ITEM *) * ret->num_buckets); + ret->buckets = OPENSSL_calloc(ret->num_buckets, sizeof(LHASH_ITEM *)); if (ret->buckets == NULL) { OPENSSL_free(ret); return NULL; } - OPENSSL_memset(ret->buckets, 0, sizeof(LHASH_ITEM *) * ret->num_buckets); ret->comp = comp; ret->hash = hash; 
@@ -214,11 +212,10 @@ static void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) { return; } - new_buckets = OPENSSL_malloc(alloc_size); + new_buckets = OPENSSL_zalloc(alloc_size); if (new_buckets == NULL) { return; } - OPENSSL_memset(new_buckets, 0, alloc_size); for (i = 0; i < lh->num_buckets; i++) { for (cur = lh->buckets[i]; cur != NULL; cur = next) { diff --git a/crypto/mem.c b/crypto/mem.c index 7a84e9ccd3..7235537a19 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -235,6 +235,23 @@ void *OPENSSL_malloc(size_t size) { return NULL; } +void *OPENSSL_zalloc(size_t size) { + void *ret = OPENSSL_malloc(size); + if (ret != NULL) { + OPENSSL_memset(ret, 0, size); + } + return ret; +} + +void *OPENSSL_calloc(size_t num, size_t size) { + if (size != 0 && num > SIZE_MAX / size) { + OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW); + return NULL; + } + + return OPENSSL_zalloc(num * size); +} + void OPENSSL_free(void *orig_ptr) { if (orig_ptr == NULL) { return; diff --git a/crypto/obj/obj.c b/crypto/obj/obj.c index 3a2a9a4bda..cfe4e11bc1 100644 --- a/crypto/obj/obj.c +++ b/crypto/obj/obj.c @@ -123,16 +123,12 @@ ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) { } r->ln = r->sn = NULL; - data = OPENSSL_malloc(o->length); - if (data == NULL) { + // once data is attached to an object, it remains const + r->data = OPENSSL_memdup(o->data, o->length); + if (o->length != 0 && r->data == NULL) { goto err; } - if (o->data != NULL) { - OPENSSL_memcpy(data, o->data, o->length); - } - // once data is attached to an object, it remains const - r->data = data; r->length = o->length; r->nid = o->nid; diff --git a/crypto/pkcs7/pkcs7_x509.c b/crypto/pkcs7/pkcs7_x509.c index fd71bd7b37..7b10f6f239 100644 --- a/crypto/pkcs7/pkcs7_x509.c +++ b/crypto/pkcs7/pkcs7_x509.c 
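Review bot: lh_rebucket keeps the hand-computed `alloc_size` (and, judging by the `return;` just above, a manual overflow check outside the hunk) and merely swaps OPENSSL_malloc for OPENSSL_zalloc, while OPENSSL_lh_new in the previous hunk was converted to `OPENSSL_calloc(ret->num_buckets, sizeof(LHASH_ITEM *))`. Writing `new_buckets = OPENSSL_calloc(new_num_buckets, sizeof(LHASH_ITEM *));` here would let the local overflow arithmetic go the same way it does in tasn_enc.c and the trust_token files in this commit, and keeps the two allocation sites in lhash.c consistent. The function begins outside the hunk.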
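Review bot: OPENSSL_zalloc and OPENSSL_calloc are introduced without any comment in mem.c, yet their contract is what the rest of this commit relies on when it deletes the explicit `num > ((size_t)-1) / sizeof(...)` checks in callers. Above OPENSSL_calloc I would add a two-line comment stating that it fails with ERR_R_OVERFLOW when `num * size` would exceed SIZE_MAX and otherwise returns zero-filled memory from OPENSSL_zalloc, so a reader of pmbtoken_sign or asn1_set_seq_out can see the overflow check moved rather than vanished; a similar one-liner on OPENSSL_zalloc (`// Like OPENSSL_malloc, but the returned memory is zero-filled.`) completes the pair. It is also worth saying explicitly that `size == 0` skips the division guard on purpose, since the product is then zero. If the header declaration (not in this chunk) carries the full documentation, a `// See the header for the contract.` pointer suffices here.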
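Review bot: The rewritten OBJ_dup drops the old `if (o->data != NULL)` guard, so OPENSSL_memdup now reads `o->length` bytes from `o->data` unconditionally. If an ASN1_OBJECT can carry `length != 0` together with `data == NULL` (the guard that was just removed suggests someone once believed so), this becomes a read through a null pointer; if that state is impossible, record it with `assert(o->data != NULL || o->length == 0);` or a short comment so the guard is not re-added out of caution later. The `o->length != 0 &&` qualifier on the new NULL check looks right, presumably because OPENSSL_memdup returns NULL for a zero-length copy, as the same idiom in TRUST_TOKEN_new elsewhere in this commit implies. The function's `err` label is outside the hunk.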
@@ -237,11 +237,10 @@ int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls) { } static PKCS7 *pkcs7_new(CBS *cbs) { - PKCS7 *ret = OPENSSL_malloc(sizeof(PKCS7)); + PKCS7 *ret = OPENSSL_zalloc(sizeof(PKCS7)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(PKCS7)); ret->type = OBJ_nid2obj(NID_pkcs7_signed); ret->d.sign = OPENSSL_malloc(sizeof(PKCS7_SIGNED)); if (ret->d.sign == NULL) { @@ -326,11 +325,10 @@ int i2d_PKCS7(const PKCS7 *p7, uint8_t **out) { } if (*out == NULL) { - *out = OPENSSL_malloc(p7->ber_len); + *out = OPENSSL_memdup(p7->ber_bytes, p7->ber_len); if (*out == NULL) { return -1; } - OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len); } else { OPENSSL_memcpy(*out, p7->ber_bytes, p7->ber_len); *out += p7->ber_len; diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c index 87c096198e..c613bf121e 100644 --- a/crypto/pkcs8/pkcs8_x509.c +++ b/crypto/pkcs8/pkcs8_x509.c @@ -741,26 +741,22 @@ struct pkcs12_st { PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len) { - PKCS12 *p12; - - p12 = OPENSSL_malloc(sizeof(PKCS12)); + PKCS12 *p12 = OPENSSL_malloc(sizeof(PKCS12)); if (!p12) { return NULL; } - p12->ber_bytes = OPENSSL_malloc(ber_len); + p12->ber_bytes = OPENSSL_memdup(*ber_bytes, ber_len); if (!p12->ber_bytes) { OPENSSL_free(p12); return NULL; } - OPENSSL_memcpy(p12->ber_bytes, *ber_bytes, ber_len); p12->ber_len = ber_len; *ber_bytes += ber_len; if (out_p12) { PKCS12_free(*out_p12); - *out_p12 = p12; } @@ -843,11 +839,10 @@ int i2d_PKCS12(const PKCS12 *p12, uint8_t **out) { } if (*out == NULL) { - *out = OPENSSL_malloc(p12->ber_len); + *out = OPENSSL_memdup(p12->ber_bytes, p12->ber_len); if (*out == NULL) { return -1; } - OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len); } else { OPENSSL_memcpy(*out, p12->ber_bytes, p12->ber_len); *out += p12->ber_len; diff --git a/crypto/pool/pool.c b/crypto/pool/pool.c index e889f521da..fc048409e4 100644 --- a/crypto/pool/pool.c +++ b/crypto/pool/pool.c 
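Review bot: In i2d_PKCS7 the new `*out = OPENSSL_memdup(p7->ber_bytes, p7->ber_len);` is followed by an unconditional `if (*out == NULL) { return -1; }`, whereas OBJ_dup and TRUST_TOKEN_new in this same commit write `len != 0 && ... == NULL`, which implies OPENSSL_memdup yields NULL for a zero-length copy. If `ber_len` can ever be 0 here, the previous OPENSSL_malloc/OPENSSL_memcpy path succeeded and this one now reports failure; d2i_PKCS12 and i2d_PKCS12 in the pkcs8_x509.c hunks further down have the same shape. Either add the `p7->ber_len != 0 &&` qualifier (and its `p12->ber_len != 0 &&` / `ber_len != 0 &&` counterparts) for consistency, or leave a comment stating that the length is guaranteed non-zero if the parser ensures that. The enclosing function of each of these hunks starts outside the visible lines.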
@@ -42,12 +42,11 @@ static int CRYPTO_BUFFER_cmp(const CRYPTO_BUFFER *a, const CRYPTO_BUFFER *b) { } CRYPTO_BUFFER_POOL* CRYPTO_BUFFER_POOL_new(void) { - CRYPTO_BUFFER_POOL *pool = OPENSSL_malloc(sizeof(CRYPTO_BUFFER_POOL)); + CRYPTO_BUFFER_POOL *pool = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER_POOL)); if (pool == NULL) { return NULL; } - OPENSSL_memset(pool, 0, sizeof(CRYPTO_BUFFER_POOL)); pool->bufs = lh_CRYPTO_BUFFER_new(CRYPTO_BUFFER_hash, CRYPTO_BUFFER_cmp); if (pool->bufs == NULL) { OPENSSL_free(pool); @@ -109,11 +108,10 @@ static CRYPTO_BUFFER *crypto_buffer_new(const uint8_t *data, size_t len, } } - CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER)); + CRYPTO_BUFFER *const buf = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER)); if (buf == NULL) { return NULL; } - OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER)); if (data_is_static) { buf->data = (uint8_t *)data; @@ -170,11 +168,10 @@ CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, } CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len) { - CRYPTO_BUFFER *const buf = OPENSSL_malloc(sizeof(CRYPTO_BUFFER)); + CRYPTO_BUFFER *const buf = OPENSSL_zalloc(sizeof(CRYPTO_BUFFER)); if (buf == NULL) { return NULL; } - OPENSSL_memset(buf, 0, sizeof(CRYPTO_BUFFER)); buf->data = OPENSSL_malloc(len); if (len != 0 && buf->data == NULL) { diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index a11533ed51..80d2fce5ed 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c 
@@ -84,19 +84,16 @@ struct stack_st { static const size_t kMinSize = 4; OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp) { - OPENSSL_STACK *ret = OPENSSL_malloc(sizeof(OPENSSL_STACK)); + OPENSSL_STACK *ret = OPENSSL_zalloc(sizeof(OPENSSL_STACK)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(OPENSSL_STACK)); - ret->data = OPENSSL_malloc(sizeof(void *) * kMinSize); + ret->data = OPENSSL_calloc(kMinSize, sizeof(void *)); if (ret->data == NULL) { goto err; } - OPENSSL_memset(ret->data, 0, sizeof(void *) * kMinSize); - ret->comp = comp; ret->num_alloc = kMinSize; @@ -370,19 +367,17 @@ OPENSSL_STACK *OPENSSL_sk_dup(const OPENSSL_STACK *sk) { return NULL; } - OPENSSL_STACK *ret = OPENSSL_malloc(sizeof(OPENSSL_STACK)); + OPENSSL_STACK *ret = OPENSSL_zalloc(sizeof(OPENSSL_STACK)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(OPENSSL_STACK)); - ret->data = OPENSSL_malloc(sizeof(void *) * sk->num_alloc); + ret->data = OPENSSL_memdup(sk->data, sizeof(void *) * sk->num_alloc); if (ret->data == NULL) { goto err; } ret->num = sk->num; - OPENSSL_memcpy(ret->data, sk->data, sizeof(void *) * sk->num); ret->sorted = sk->sorted; ret->num_alloc = sk->num_alloc; ret->comp = sk->comp; diff --git a/crypto/trust_token/pmbtoken.c b/crypto/trust_token/pmbtoken.c index 5334a0c6f2..0aa4d0992a 100644 --- a/crypto/trust_token/pmbtoken.c +++ b/crypto/trust_token/pmbtoken.c 
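Review bot: OPENSSL_sk_dup now duplicates `sizeof(void *) * sk->num_alloc` bytes with OPENSSL_memdup, while the removed memcpy copied only the `sk->num` live entries. The slots between `num` and `num_alloc` are not guaranteed to be initialized: OPENSSL_sk_new zeroes them via OPENSSL_calloc, but any growth path that uses OPENSSL_realloc (outside this hunk, so I am inferring) leaves the tail indeterminate, and copying it is exactly what MemorySanitizer reports. Preserving the old semantics costs two lines, `ret->data = OPENSSL_calloc(sk->num_alloc, sizeof(void *));` followed, after the NULL check, by the original `OPENSSL_memcpy(ret->data, sk->data, sizeof(void *) * sk->num);`. The function's `err` label is outside the hunk.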
@@ -799,18 +799,12 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, return 0; } - if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) || - num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; - EC_JACOBIAN *Tps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Sps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wsps = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + EC_JACOBIAN *Tps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Sps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wsps = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (!Tps || 
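Review bot: The explicit overflow checks removed from pmbtoken_sign raised ERR_R_OVERFLOW under the TRUST_TOKEN error library, while OPENSSL_calloc reports the same condition under CRYPTO; the identical shift happens in pmbtoken_unblind and in the four voprf.c hunks that follow. The condition is presumably unreachable, since `num_to_issue` appears to be bounded just above the hunk (the preceding `return 0;` hints at that check), but a test matching on the error library for this path would observe a different value. A short `// Overflow of num_to_issue * sizeof(...) is caught by OPENSSL_calloc.` above the first allocation, or a sentence in the commit message, would make the intent explicit. pmbtoken_sign begins outside the hunk.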
@@ -940,19 +934,13 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind( return NULL; } - if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) || - count > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return NULL; - } - int ok = 0; STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); - EC_JACOBIAN *Tps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Sps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Wsps = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + EC_JACOBIAN *Tps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Sps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Wsps = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(count, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (ret == NULL || diff --git a/crypto/trust_token/trust_token.c b/crypto/trust_token/trust_token.c index 93172c37c2..521e7adc06 100644 --- a/crypto/trust_token/trust_token.c +++ b/crypto/trust_token/trust_token.c @@ -118,11 +118,10 @@ void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *pretoken) { } TRUST_TOKEN *TRUST_TOKEN_new(const uint8_t *data, size_t len) { - TRUST_TOKEN *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN)); + TRUST_TOKEN *ret = OPENSSL_zalloc(sizeof(TRUST_TOKEN)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN)); ret->data = OPENSSL_memdup(data, len); if (len != 0 && ret->data == NULL) { OPENSSL_free(ret); 
@@ -205,11 +204,10 @@ TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new(const TRUST_TOKEN_METHOD *method, return NULL; } - TRUST_TOKEN_CLIENT *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN_CLIENT)); + TRUST_TOKEN_CLIENT *ret = OPENSSL_zalloc(sizeof(TRUST_TOKEN_CLIENT)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN_CLIENT)); ret->method = method; ret->max_batchsize = (uint16_t)max_batchsize; return ret; @@ -446,11 +444,10 @@ TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new(const TRUST_TOKEN_METHOD *method, return NULL; } - TRUST_TOKEN_ISSUER *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN_ISSUER)); + TRUST_TOKEN_ISSUER *ret = OPENSSL_zalloc(sizeof(TRUST_TOKEN_ISSUER)); if (ret == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(TRUST_TOKEN_ISSUER)); ret->method = method; ret->max_batchsize = (uint16_t)max_batchsize; return ret; diff --git a/crypto/trust_token/voprf.c b/crypto/trust_token/voprf.c index c2ab815b1e..504deee534 100644 --- a/crypto/trust_token/voprf.c +++ b/crypto/trust_token/voprf.c @@ -483,16 +483,10 @@ static int voprf_sign_tt(const VOPRF_METHOD *method, return 0; } - if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) || - num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; - EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (!BTs || 
@@ -582,17 +576,11 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt( return NULL; } - if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) || - count > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return NULL; - } - int ok = 0; STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); - EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_SCALAR *es = OPENSSL_calloc(count, sizeof(EC_SCALAR)); CBB batch_cbb; CBB_zero(&batch_cbb); if (ret == NULL || @@ -868,16 +856,10 @@ static int voprf_sign_impl(const VOPRF_METHOD *method, return 0; } - if (num_to_issue > ((size_t)-1) / sizeof(EC_JACOBIAN) || - num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return 0; - } - int ret = 0; - EC_JACOBIAN *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_JACOBIAN)); - EC_SCALAR *dis = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(num_to_issue, sizeof(EC_JACOBIAN)); + EC_SCALAR *dis = OPENSSL_calloc(num_to_issue, sizeof(EC_SCALAR)); if (!BTs || !Zs || !dis) { goto err; } 
@@ -984,17 +966,11 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind( return NULL; } - if (count > ((size_t)-1) / sizeof(EC_JACOBIAN) || - count > ((size_t)-1) / sizeof(EC_SCALAR)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); - return NULL; - } - int ok = 0; STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); - EC_JACOBIAN *BTs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_JACOBIAN *Zs = OPENSSL_malloc(count * sizeof(EC_JACOBIAN)); - EC_SCALAR *dis = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + EC_JACOBIAN *BTs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_JACOBIAN *Zs = OPENSSL_calloc(count, sizeof(EC_JACOBIAN)); + EC_SCALAR *dis = OPENSSL_calloc(count, sizeof(EC_SCALAR)); if (ret == NULL || !BTs || !Zs || !dis) { goto err; } diff --git a/crypto/x509/policy.c b/crypto/x509/policy.c index d877d1e0e5..6390fe8795 100644 --- a/crypto/x509/policy.c +++ b/crypto/x509/policy.c @@ -107,11 +107,10 @@ static void x509_policy_node_free(X509_POLICY_NODE *node) { static X509_POLICY_NODE *x509_policy_node_new(const ASN1_OBJECT *policy) { assert(!is_any_policy(policy)); - X509_POLICY_NODE *node = OPENSSL_malloc(sizeof(X509_POLICY_NODE)); + X509_POLICY_NODE *node = OPENSSL_zalloc(sizeof(X509_POLICY_NODE)); if (node == NULL) { return NULL; } - OPENSSL_memset(node, 0, sizeof(X509_POLICY_NODE)); node->policy = OBJ_dup(policy); node->parent_policies = sk_ASN1_OBJECT_new_null(); if (node->policy == NULL || node->parent_policies == NULL) { @@ -134,11 +133,10 @@ static void x509_policy_level_free(X509_POLICY_LEVEL *level) { } static X509_POLICY_LEVEL *x509_policy_level_new(void) { - X509_POLICY_LEVEL *level = OPENSSL_malloc(sizeof(X509_POLICY_LEVEL)); + X509_POLICY_LEVEL *level = OPENSSL_zalloc(sizeof(X509_POLICY_LEVEL)); if (level == NULL) { return NULL; } - OPENSSL_memset(level, 0, sizeof(X509_POLICY_LEVEL)); level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp); if (level->nodes == NULL) { x509_policy_level_free(level); 
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index aa34fc2142..cb25ae71c6 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -164,10 +164,9 @@ static int x509_object_cmp_sk(const X509_OBJECT *const *a, X509_STORE *X509_STORE_new(void) { X509_STORE *ret; - if ((ret = (X509_STORE *)OPENSSL_malloc(sizeof(X509_STORE))) == NULL) { + if ((ret = (X509_STORE *)OPENSSL_zalloc(sizeof(X509_STORE))) == NULL) { return NULL; } - OPENSSL_memset(ret, 0, sizeof(*ret)); CRYPTO_MUTEX_init(&ret->objs_lock); ret->objs = sk_X509_OBJECT_new(x509_object_cmp_sk); if (ret->objs == NULL) { diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index eac39723e1..7ef3cd8ed7 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -164,12 +164,10 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) { } X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) { - X509_VERIFY_PARAM *param; - param = OPENSSL_malloc(sizeof(X509_VERIFY_PARAM)); + X509_VERIFY_PARAM *param = OPENSSL_zalloc(sizeof(X509_VERIFY_PARAM)); if (!param) { return NULL; } - OPENSSL_memset(param, 0, sizeof(X509_VERIFY_PARAM)); x509_verify_param_zero(param); return param; } diff --git a/crypto/x509/x_pkey.c b/crypto/x509/x_pkey.c index d48ecd111f..33a9aa91d2 100644 --- a/crypto/x509/x_pkey.c +++ b/crypto/x509/x_pkey.c @@ -67,11 +67,10 @@ X509_PKEY *X509_PKEY_new(void) { - X509_PKEY *ret = OPENSSL_malloc(sizeof(X509_PKEY)); + X509_PKEY *ret = OPENSSL_zalloc(sizeof(X509_PKEY)); if (ret == NULL) { goto err; } - OPENSSL_memset(ret, 0, sizeof(X509_PKEY)); ret->enc_algor = X509_ALGOR_new(); if (ret->enc_algor == NULL) { diff --git a/generated-src/ios-arm/crypto/chacha/chacha-armv4.S b/generated-src/ios-arm/crypto/chacha/chacha-armv4.S index cf2644e009..bd836b60a4 100644 --- a/generated-src/ios-arm/crypto/chacha/chacha-armv4.S +++ b/generated-src/ios-arm/crypto/chacha/chacha-armv4.S 
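Review bot: X509_STORE_new keeps the `(X509_STORE *)` cast and the assignment-inside-the-condition shape while switching allocators, making it the only constructor in this commit not written as `T *ret = OPENSSL_zalloc(sizeof(T)); if (ret == NULL) { return NULL; }`. The cast from `void *` is unnecessary in C and would mask a mismatch if the struct were renamed. Replacing the changed line with `X509_STORE *ret = OPENSSL_zalloc(sizeof(X509_STORE));` and `if (ret == NULL) {` also lets the separate `X509_STORE *ret;` declaration go, matching the rest of the diff. The remainder of the function is outside the hunk.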
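Review bot: X509_VERIFY_PARAM_new now zero-fills through OPENSSL_zalloc and then immediately calls x509_verify_param_zero(param) on the already-zeroed struct, which reads as a leftover. If that helper only clears fields the call is redundant and someone will delete it; if it also installs non-zero defaults (its body is outside this chunk, so I cannot tell), the call is load-bearing and deserves a one-line comment such as `// Installs the non-zero defaults; OPENSSL_zalloc above only zero-fills.` so a later cleanup does not remove it.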
@@ -46,7 +46,7 @@ _ChaCha20_ctr32: LChaCha20_ctr32: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r14,pc,#16 @ _ChaCha20_ctr32 #else adr r14,LChaCha20_ctr32 @@ -232,8 +232,8 @@ Loop: ldr r8,[sp,#4*(0)] @ load key material ldr r9,[sp,#4*(1)] -#if __ARM_ARCH__>=6 || !defined(__ARMEB__) -# if __ARM_ARCH__<7 +#if __ARM_ARCH>=6 || !defined(__ARMEB__) +# if __ARM_ARCH<7 orr r10,r12,r14 tst r10,#3 @ are input and output aligned? ldr r10,[sp,#4*(2)] @@ -259,7 +259,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -296,7 +296,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 @@ -341,7 +341,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -383,7 +383,7 @@ Loop: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 @@ -414,7 +414,7 @@ Loop: bhi Loop_outer beq Ldone -# if __ARM_ARCH__<7 +# if __ARM_ARCH<7 b Ltail .align 4 @@ -422,7 +422,7 @@ Lunaligned:@ unaligned endian-neutral path cmp r11,#64 @ restore flags # endif #endif -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldr r11,[sp,#4*(3)] add r0,r0,r8 @ accumulate key material add r1,r1,r9 diff --git a/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S b/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S index 54bd13f2f7..07d1b064b0 100644 --- a/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S +++ b/generated-src/ios-arm/crypto/fipsmodule/armv4-mont.S 
@@ -195,7 +195,7 @@ Lcopy: ldr r7,[r4] @ conditional copy add sp,sp,#2*4 @ skip over {r0,r2} mov r0,#1 Labrt: -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 bx lr @ bx lr #else tst lr,#1 diff --git a/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S b/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S index 28cc6b3637..67696ff457 100644 --- a/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S +++ b/generated-src/ios-arm/crypto/fipsmodule/bsaes-armv7.S @@ -67,7 +67,6 @@ # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif diff --git a/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S b/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S index d653f2d1f1..aaae29b579 100644 --- a/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S +++ b/generated-src/ios-arm/crypto/fipsmodule/sha1-armv4-large.S @@ -46,7 +46,7 @@ Lloop: mov r6,r6,ror#30 mov r7,r7,ror#30 @ [6] L_00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -71,7 +71,7 @@ L_00_15: eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r7,r7,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -96,7 +96,7 @@ L_00_15: eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r6,r6,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -121,7 +121,7 @@ L_00_15: eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r5,r5,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -146,7 +146,7 @@ L_00_15: eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r4,r4,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] 
@@ -179,7 +179,7 @@ L_00_15: #endif bne L_00_15 @ [((11+4)*5+2)*3] sub sp,sp,#25*4 -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -477,7 +477,7 @@ L_done: teq r1,r2 bne Lloop @ [+18], total 1307 -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} diff --git a/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S b/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S index 8379765e99..7e30b8811d 100644 --- a/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S +++ b/generated-src/ios-arm/crypto/fipsmodule/sha256-armv4.S @@ -52,7 +52,7 @@ #ifndef __KERNEL__ # include #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_ARCH __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif @@ -103,7 +103,7 @@ LOPENSSL_armcap: #endif _sha256_block_data_order: Lsha256_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r3,pc,#8 @ _sha256_block_data_order #else adr r3,Lsha256_block_data_order @@ -125,14 +125,14 @@ Lsha256_block_data_order: sub r14,r3,#256+32 @ K256 sub sp,sp,#16*4 @ alloca(X[16]) Loop: -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 # else ldrb r2,[r1,#3] # endif eor r3,r5,r6 @ magic eor r12,r12,r12 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 0 # if 0==15 str r1,[sp,#17*4] @ make room for r1 @@ -173,7 +173,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 0<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -190,7 +190,7 @@ Loop: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 1 # if 1==15 str r1,[sp,#17*4] @ make room for r1 @@ -231,7 +231,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 1<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -248,7 +248,7 @@ Loop: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 2 # if 2==15 str r1,[sp,#17*4] @ make room for r1 @@ -289,7 +289,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 2<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -306,7 +306,7 @@ Loop: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 3 # if 3==15 str r1,[sp,#17*4] @ make room for r1 @@ -347,7 +347,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 3<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -364,7 +364,7 @@ Loop: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 4 # if 4==15 str r1,[sp,#17*4] @ make room for r1 @@ -405,7 +405,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 4<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -422,7 +422,7 @@ Loop: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 5 # if 5==15 str r1,[sp,#17*4] @ make room for r1 @@ -463,7 +463,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 5<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -480,7 +480,7 @@ Loop: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 6 # if 6==15 str r1,[sp,#17*4] @ make room for r1 @@ -521,7 +521,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 6<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -538,7 +538,7 @@ Loop: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 7 # if 7==15 str r1,[sp,#17*4] @ make room for r1 @@ -579,7 +579,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 7<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -596,7 +596,7 @@ Loop: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 8 # if 8==15 str r1,[sp,#17*4] @ make room for r1 @@ -637,7 +637,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 8<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -654,7 +654,7 @@ Loop: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 9 # if 9==15 str r1,[sp,#17*4] @ make room for r1 @@ -695,7 +695,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 9<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -712,7 +712,7 @@ Loop: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 10 # if 10==15 str r1,[sp,#17*4] @ make room for r1 @@ -753,7 +753,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 10<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -770,7 +770,7 @@ Loop: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 11 # if 11==15 str r1,[sp,#17*4] @ make room for r1 @@ -811,7 +811,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 11<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -828,7 +828,7 @@ Loop: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 12 # if 12==15 str r1,[sp,#17*4] @ make room for r1 @@ -869,7 +869,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 12<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -886,7 +886,7 @@ Loop: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 13 # if 13==15 str r1,[sp,#17*4] @ make room for r1 @@ -927,7 +927,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 13<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -944,7 +944,7 @@ Loop: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 14 # if 14==15 str r1,[sp,#17*4] @ make room for r1 @@ -985,7 +985,7 @@ Loop: cmp r12,#0xf2 @ done? #endif #if 14<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1002,7 +1002,7 @@ Loop: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 15 # if 15==15 str r1,[sp,#17*4] @ make room for r1 @@ -1043,7 +1043,7 @@ Loop: cmp r3,#0xf2 @ done? #endif #if 15<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1093,7 +1093,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 16<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1142,7 +1142,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 17<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1191,7 +1191,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 18<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1240,7 +1240,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 19<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1289,7 +1289,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 20<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1338,7 +1338,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 21<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1387,7 +1387,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 22<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1436,7 +1436,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 23<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1485,7 +1485,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 24<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1534,7 +1534,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 25<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1583,7 +1583,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 26<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1632,7 +1632,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 27<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1681,7 +1681,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 28<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1730,7 +1730,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 29<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1779,7 +1779,7 @@ Lrounds_16_xx: cmp r12,#0xf2 @ done? #endif #if 30<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1828,7 +1828,7 @@ Lrounds_16_xx: cmp r3,#0xf2 @ done? #endif #if 31<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1845,7 +1845,7 @@ Lrounds_16_xx: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq r3,[sp,#16*4] @ pull ctx @@ -1876,7 +1876,7 @@ Lrounds_16_xx: bne Loop add sp,sp,#19*4 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,lr} diff --git a/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S b/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S index 12884b5537..2b1cd5004a 100644 --- a/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S +++ b/generated-src/ios-arm/crypto/fipsmodule/sha512-armv4.S @@ -63,7 +63,6 @@ # define VFP_ABI_PUSH vstmdb sp!,{d8-d15} # define VFP_ABI_POP vldmia sp!,{d8-d15} #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 # define VFP_ABI_PUSH # define VFP_ABI_POP @@ -151,7 +150,7 @@ LOPENSSL_armcap: #endif _sha512_block_data_order: Lsha512_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r3,pc,#8 @ _sha512_block_data_order #else adr r3,Lsha512_block_data_order @@ -201,7 +200,7 @@ Loop: str r4,[sp,#40+4] L00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r3,[r1,#7] ldrb r9, [r1,#6] ldrb r10, [r1,#5] @@ -278,7 +277,7 @@ L00_15: teq r9,#148 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 
@@ -418,7 +417,7 @@ L16_79: teq r9,#23 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 @@ -455,7 +454,7 @@ L16_79: adc r6,r6,r4 @ h += T tst r14,#1 add r14,r14,#8 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq r9,[sp,#184+0] @@ -534,7 +533,7 @@ L16_79: bne Loop add sp,sp,#8*9 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} diff --git a/generated-src/linux-arm/crypto/chacha/chacha-armv4.S b/generated-src/linux-arm/crypto/chacha/chacha-armv4.S index 9974e14cdc..4494c50b8e 100644 --- a/generated-src/linux-arm/crypto/chacha/chacha-armv4.S +++ b/generated-src/linux-arm/crypto/chacha/chacha-armv4.S @@ -44,7 +44,7 @@ ChaCha20_ctr32: .LChaCha20_ctr32: ldr r12,[sp,#0] @ pull pointer to counter and nonce stmdb sp!,{r0,r1,r2,r4-r11,lr} -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r14,pc,#16 @ ChaCha20_ctr32 #else adr r14,.LChaCha20_ctr32 @@ -230,8 +230,8 @@ ChaCha20_ctr32: ldr r8,[sp,#4*(0)] @ load key material ldr r9,[sp,#4*(1)] -#if __ARM_ARCH__>=6 || !defined(__ARMEB__) -# if __ARM_ARCH__<7 +#if __ARM_ARCH>=6 || !defined(__ARMEB__) +# if __ARM_ARCH<7 orr r10,r12,r14 tst r10,#3 @ are input and output aligned? ldr r10,[sp,#4*(2)] @@ -257,7 +257,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -294,7 +294,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 
@@ -339,7 +339,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r0,r0 rev r1,r1 rev r2,r2 @@ -381,7 +381,7 @@ ChaCha20_ctr32: # endif ldrhs r10,[r12,#-8] ldrhs r11,[r12,#-4] -# if __ARM_ARCH__>=6 && defined(__ARMEB__) +# if __ARM_ARCH>=6 && defined(__ARMEB__) rev r4,r4 rev r5,r5 rev r6,r6 @@ -412,7 +412,7 @@ ChaCha20_ctr32: bhi .Loop_outer beq .Ldone -# if __ARM_ARCH__<7 +# if __ARM_ARCH<7 b .Ltail .align 4 @@ -420,7 +420,7 @@ ChaCha20_ctr32: cmp r11,#64 @ restore flags # endif #endif -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldr r11,[sp,#4*(3)] add r0,r0,r8 @ accumulate key material add r1,r1,r9 diff --git a/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S b/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S index 0ec68610c9..8073aa62f3 100644 --- a/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S +++ b/generated-src/linux-arm/crypto/fipsmodule/armv4-mont.S @@ -193,7 +193,7 @@ bn_mul_mont: add sp,sp,#2*4 @ skip over {r0,r2} mov r0,#1 .Labrt: -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 bx lr @ bx lr #else tst lr,#1 diff --git a/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S b/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S index 49eda8d6f0..01a9ead28a 100644 --- a/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S +++ b/generated-src/linux-arm/crypto/fipsmodule/bsaes-armv7.S @@ -67,7 +67,6 @@ # define VFP_ABI_FRAME 0 # define BSAES_ASM_EXTENDED_KEY # define XTS_CHAIN_TWEAK -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif diff --git a/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S b/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S index 660ccbaa42..b284c3f9a5 100644 --- a/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S +++ b/generated-src/linux-arm/crypto/fipsmodule/sha1-armv4-large.S 
@@ -44,7 +44,7 @@ sha1_block_data_order: mov r6,r6,ror#30 mov r7,r7,ror#30 @ [6] .L_00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -69,7 +69,7 @@ sha1_block_data_order: eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r7,r7,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -94,7 +94,7 @@ sha1_block_data_order: eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r6,r6,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -119,7 +119,7 @@ sha1_block_data_order: eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r5,r5,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -144,7 +144,7 @@ sha1_block_data_order: eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) str r9,[r14,#-4]! add r4,r4,r10 @ E+=F_00_19(B,C,D) -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -177,7 +177,7 @@ sha1_block_data_order: #endif bne .L_00_15 @ [((11+4)*5+2)*3] sub sp,sp,#25*4 -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] ldrb r11,[r1,#1] @@ -475,7 +475,7 @@ sha1_block_data_order: teq r1,r2 bne .Lloop @ [+18], total 1307 -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} diff --git a/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S b/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S index 2450322e9e..75ebaeb4f7 100644 --- a/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S +++ b/generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S @@ -52,7 +52,7 @@ #ifndef __KERNEL__ # include #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ +# define __ARM_ARCH __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 #endif 
@@ -101,7 +101,7 @@ K256: .type sha256_block_data_order,%function sha256_block_data_order: .Lsha256_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r3,pc,#8 @ sha256_block_data_order #else adr r3,.Lsha256_block_data_order @@ -123,14 +123,14 @@ sha256_block_data_order: sub r14,r3,#256+32 @ K256 sub sp,sp,#16*4 @ alloca(X[16]) .Loop: -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 # else ldrb r2,[r1,#3] # endif eor r3,r5,r6 @ magic eor r12,r12,r12 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 0 # if 0==15 str r1,[sp,#17*4] @ make room for r1 @@ -171,7 +171,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 0<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -188,7 +188,7 @@ sha256_block_data_order: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 1 # if 1==15 str r1,[sp,#17*4] @ make room for r1 @@ -229,7 +229,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 1<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -246,7 +246,7 @@ sha256_block_data_order: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 2 # if 2==15 str r1,[sp,#17*4] @ make room for r1 @@ -287,7 +287,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 2<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -304,7 +304,7 @@ sha256_block_data_order: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 3 # if 3==15 str r1,[sp,#17*4] @ make room for r1 
@@ -345,7 +345,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 3<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -362,7 +362,7 @@ sha256_block_data_order: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 4 # if 4==15 str r1,[sp,#17*4] @ make room for r1 @@ -403,7 +403,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 4<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -420,7 +420,7 @@ sha256_block_data_order: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 5 # if 5==15 str r1,[sp,#17*4] @ make room for r1 @@ -461,7 +461,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 5<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -478,7 +478,7 @@ sha256_block_data_order: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 6 # if 6==15 str r1,[sp,#17*4] @ make room for r1 @@ -519,7 +519,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 6<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -536,7 +536,7 @@ sha256_block_data_order: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 7 # if 7==15 str r1,[sp,#17*4] @ make room for r1 @@ -577,7 +577,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 7<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -594,7 +594,7 @@ sha256_block_data_order: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 8 # if 8==15 str r1,[sp,#17*4] @ make room for r1 @@ -635,7 +635,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 8<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -652,7 +652,7 @@ sha256_block_data_order: eor r3,r3,r5 @ Maj(a,b,c) add r11,r11,r0,ror#2 @ h+=Sigma0(a) @ add r11,r11,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 9 # if 9==15 str r1,[sp,#17*4] @ make room for r1 @@ -693,7 +693,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 9<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -710,7 +710,7 @@ sha256_block_data_order: eor r12,r12,r4 @ Maj(a,b,c) add r10,r10,r0,ror#2 @ h+=Sigma0(a) @ add r10,r10,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 10 # if 10==15 str r1,[sp,#17*4] @ make room for r1 @@ -751,7 +751,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 10<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -768,7 +768,7 @@ sha256_block_data_order: eor r3,r3,r11 @ Maj(a,b,c) add r9,r9,r0,ror#2 @ h+=Sigma0(a) @ add r9,r9,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 11 # if 11==15 str r1,[sp,#17*4] @ make room for r1 @@ -809,7 +809,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 11<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -826,7 +826,7 @@ sha256_block_data_order: eor r12,r12,r10 @ Maj(a,b,c) add r8,r8,r0,ror#2 @ h+=Sigma0(a) @ add r8,r8,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 12 # if 12==15 str r1,[sp,#17*4] @ make room for r1 
@@ -867,7 +867,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 12<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -884,7 +884,7 @@ sha256_block_data_order: eor r3,r3,r9 @ Maj(a,b,c) add r7,r7,r0,ror#2 @ h+=Sigma0(a) @ add r7,r7,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 13 # if 13==15 str r1,[sp,#17*4] @ make room for r1 @@ -925,7 +925,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 13<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -942,7 +942,7 @@ sha256_block_data_order: eor r12,r12,r8 @ Maj(a,b,c) add r6,r6,r0,ror#2 @ h+=Sigma0(a) @ add r6,r6,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 14 # if 14==15 str r1,[sp,#17*4] @ make room for r1 @@ -983,7 +983,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 14<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1000,7 +1000,7 @@ sha256_block_data_order: eor r3,r3,r7 @ Maj(a,b,c) add r5,r5,r0,ror#2 @ h+=Sigma0(a) @ add r5,r5,r3 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 @ ldr r2,[r1],#4 @ 15 # if 15==15 str r1,[sp,#17*4] @ make room for r1 @@ -1041,7 +1041,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 15<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1091,7 +1091,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 16<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1140,7 +1140,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 17<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1189,7 +1189,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 18<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1238,7 +1238,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 19<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1287,7 +1287,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 20<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1336,7 +1336,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 21<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1385,7 +1385,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 22<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1434,7 +1434,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 23<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1483,7 +1483,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 24<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1532,7 +1532,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 25<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1581,7 +1581,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 26<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1630,7 +1630,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 27<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1679,7 +1679,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 28<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1728,7 +1728,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 29<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] 
@@ -1777,7 +1777,7 @@ sha256_block_data_order: cmp r12,#0xf2 @ done? #endif #if 30<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1826,7 +1826,7 @@ sha256_block_data_order: cmp r3,#0xf2 @ done? #endif #if 31<15 -# if __ARM_ARCH__>=7 +# if __ARM_ARCH>=7 ldr r2,[r1],#4 @ prefetch # else ldrb r2,[r1,#3] @@ -1843,7 +1843,7 @@ sha256_block_data_order: eor r12,r12,r6 @ Maj(a,b,c) add r4,r4,r0,ror#2 @ h+=Sigma0(a) @ add r4,r4,r12 @ h+=Maj(a,b,c) -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ite eq @ Thumb2 thing, sanity check in ARM #endif ldreq r3,[sp,#16*4] @ pull ctx @@ -1874,7 +1874,7 @@ sha256_block_data_order: bne .Loop add sp,sp,#19*4 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,lr} diff --git a/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S b/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S index 9aed7cb635..4003168827 100644 --- a/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S +++ b/generated-src/linux-arm/crypto/fipsmodule/sha512-armv4.S @@ -63,7 +63,6 @@ # define VFP_ABI_PUSH vstmdb sp!,{d8-d15} # define VFP_ABI_POP vldmia sp!,{d8-d15} #else -# define __ARM_ARCH__ __LINUX_ARM_ARCH__ # define __ARM_MAX_ARCH__ 7 # define VFP_ABI_PUSH # define VFP_ABI_POP @@ -149,7 +148,7 @@ K512: .type sha512_block_data_order,%function sha512_block_data_order: .Lsha512_block_data_order: -#if __ARM_ARCH__<7 && !defined(__thumb2__) +#if __ARM_ARCH<7 && !defined(__thumb2__) sub r3,pc,#8 @ sha512_block_data_order #else adr r3,.Lsha512_block_data_order @@ -199,7 +198,7 @@ sha512_block_data_order: str r4,[sp,#40+4] .L00_15: -#if __ARM_ARCH__<7 +#if __ARM_ARCH<7 ldrb r3,[r1,#7] ldrb r9, [r1,#6] ldrb r10, [r1,#5] @@ -276,7 +275,7 @@ sha512_block_data_order: teq r9,#148 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 
@@ -416,7 +415,7 @@ sha512_block_data_order: teq r9,#23 ldr r12,[sp,#16+0] @ c.lo -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 it eq @ Thumb2 thing, sanity check in ARM #endif orreq r14,r14,#1 @@ -453,7 +452,7 @@ sha512_block_data_order: adc r6,r6,r4 @ h += T tst r14,#1 add r14,r14,#8 -#if __ARM_ARCH__>=7 +#if __ARM_ARCH>=7 ittt eq @ Thumb2 thing, sanity check in ARM #endif ldreq r9,[sp,#184+0] @@ -532,7 +531,7 @@ sha512_block_data_order: bne .Loop add sp,sp,#8*9 @ destroy frame -#if __ARM_ARCH__>=5 +#if __ARM_ARCH>=5 ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,pc} #else ldmia sp!,{r4,r5,r6,r7,r8,r9,r10,r11,r12,lr} diff --git a/include/openssl/arm_arch.h b/include/openssl/arm_arch.h index dda62124f2..fa7548809b 100644 --- a/include/openssl/arm_arch.h +++ b/include/openssl/arm_arch.h @@ -131,27 +131,6 @@ # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \ (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum)) -#if defined(__ASSEMBLER__) - -// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language -// Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does -// not implement ACLE, but we require Clang's assembler on Windows. -#if !defined(__ARM_ARCH) -#error "ARM assembler must define __ARM_ARCH" -#endif - -// __ARM_ARCH__ is used by OpenSSL assembly to determine the minimum target ARM -// version. -// -// TODO(davidben): Switch the assembly to use |__ARM_ARCH| directly. -#define __ARM_ARCH__ __ARM_ARCH - -// Even when building for 32-bit ARM, support for aarch64 crypto instructions -// will be included. -#define __ARM_MAX_ARCH__ 8 - -#endif // __ASSEMBLER__ - #endif // ARM || AARCH64 #endif // OPENSSL_HEADER_ARM_ARCH_H diff --git a/include/openssl/asm_base.h b/include/openssl/asm_base.h index 1dacb4f6f1..a3369af4c2 100644 --- a/include/openssl/asm_base.h +++ b/include/openssl/asm_base.h 
@@ -53,14 +53,13 @@ #error "ARM assembler must define __ARM_ARCH" #endif -// __ARM_ARCH__ is used by OpenSSL assembly to determine the minimum target ARM -// version. -// -// TODO(davidben): Switch the assembly to use |__ARM_ARCH| directly. -#define __ARM_ARCH__ __ARM_ARCH - // Even when building for 32-bit ARM, support for aarch64 crypto instructions // will be included. +// +// TODO(davidben): Remove this and the corresponding ifdefs? This is only +// defined because some OpenSSL assembly files would allow disabling the NEON +// code entirely. I think we'd prefer to do that by lifting the dispatch to C +// anyway. #define __ARM_MAX_ARCH__ 8 // Support macros for diff --git a/include/openssl/base.h b/include/openssl/base.h index eb500e9e75..0d114720ef 100644 --- a/include/openssl/base.h +++ b/include/openssl/base.h @@ -114,7 +114,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define AWSLC_API_VERSION 27 +#define AWSLC_API_VERSION 28 // This string tracks the most current production release version on Github // https://github.com/aws/aws-lc/releases. diff --git a/include/openssl/mem.h b/include/openssl/mem.h index 0a2ac7c3a6..ce99bec509 100644 --- a/include/openssl/mem.h +++ b/include/openssl/mem.h 
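Review bot: With the `#define __ARM_ARCH__ __ARM_ARCH` shim removed here and in `arm_arch.h`, a `__ARM_ARCH__` left behind in any assembly file no longer fails the build: an undefined identifier evaluates to 0 inside `#if`, so `#if __ARM_ARCH__>=5` or `>=7` would silently assemble the pre-v5/pre-v7 code path instead of erroring. Since this header already `#error`s when `__ARM_ARCH` is missing, it could retire the old name just as firmly, e.g. `#pragma GCC poison __ARM_ARCH__` (honoured by both the GCC and Clang preprocessors), so that a stray use is a hard error rather than a changed code path. Separately, the `__KERNEL__` branch of `generated-src/linux-arm/crypto/fipsmodule/sha256-armv4.S` now does `# define __ARM_ARCH __LINUX_ARM_ARCH__` while the sha512 and bsaes files simply drop their define; if the toolchain already predefines `__ARM_ARCH` in that configuration the sha256 variant would hit a macro redefinition, so the perlasm source that produces it looks worth a check.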
@@ -81,14 +81,16 @@ extern "C" { // the case of a malloc failure, prior to returning NULL |OPENSSL_malloc| will // push |ERR_R_MALLOC_FAILURE| onto the openssl error stack. OPENSSL_EXPORT void *OPENSSL_malloc(size_t size); -#endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC -// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the -// memory allocated at |ptr| and frees it along with the private data. -// It must only be used on on |ptr| values obtained from |OPENSSL_malloc| -OPENSSL_EXPORT void OPENSSL_free(void *ptr); +// OPENSSL_zalloc behaves like |OPENSSL_malloc| except it also initializes the +// resulting memory to zero. +OPENSSL_EXPORT void *OPENSSL_zalloc(size_t size); + +// OPENSSL_calloc is similar to a regular |calloc|, but allocates data with +// |OPENSSL_malloc|. On overflow, it will push |ERR_R_OVERFLOW| onto the error +// queue. +OPENSSL_EXPORT void *OPENSSL_calloc(size_t num, size_t size); -#ifndef _BORINGSSL_PROHIBIT_OPENSSL_MALLOC // OPENSSL_realloc returns a pointer to a buffer of |new_size| bytes that // contains the contents of |ptr|. Unlike |realloc|, a new buffer is always // allocated and the data at |ptr| is always wiped and freed. Memory is @@ -97,6 +99,11 @@ OPENSSL_EXPORT void OPENSSL_free(void *ptr); OPENSSL_EXPORT void *OPENSSL_realloc(void *ptr, size_t new_size); #endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC +// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the +// memory allocated at |ptr| and frees it along with the private data. +// It must only be used on on |ptr| values obtained from |OPENSSL_malloc| +OPENSSL_EXPORT void OPENSSL_free(void *ptr); + // OPENSSL_cleanse zeros out |len| bytes of memory at |ptr|. This is similar to // |memset_s| from C11. OPENSSL_EXPORT void OPENSSL_cleanse(void *ptr, size_t len); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 620f0edbb2..7e94bbaf1a 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h 
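Review bot: The new `OPENSSL_calloc` comment in the first hunk does not say that the returned memory is zero-initialized, nor that the overflow check is on `num * size`; that is exactly what a caller needs to choose between it and `OPENSSL_zalloc`, so I would write `// OPENSSL_calloc allocates |num| * |size| bytes with |OPENSSL_malloc| and zeros them, like |calloc|. If |num| * |size| overflows it returns NULL and pushes |ERR_R_OVERFLOW| onto the error queue.` The `OPENSSL_free` comment re-added in the second hunk still says the pointer must come from `OPENSSL_malloc` only; now that `OPENSSL_zalloc`, `OPENSSL_calloc` and `OPENSSL_realloc` are declared it should name them too, and the doubled `on on` can be fixed while the text is being moved. It is also worth a sentence that `OPENSSL_zalloc` and `OPENSSL_calloc` sit inside the `_BORINGSSL_PROHIBIT_OPENSSL_MALLOC` guard on purpose, since consumers setting that macro lose them along with `OPENSSL_malloc`.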
@@ -3334,6 +3334,10 @@ OPENSSL_EXPORT void SSL_get0_peer_application_settings(const SSL *ssl, // connection and zero otherwise. OPENSSL_EXPORT int SSL_has_application_settings(const SSL *ssl); +// SSL_set_alps_use_new_codepoint configures whether to use the new ALPS +// codepoint. By default, the old codepoint is used. +OPENSSL_EXPORT void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new); + // Certificate compression. // diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 724d580257..cb90bb62ba 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -244,7 +244,8 @@ extern "C" { // ExtensionType value from draft-vvv-tls-alps. This is not an IANA defined // extension number. -#define TLSEXT_TYPE_application_settings 17513 +#define TLSEXT_TYPE_application_settings_old 17513 +#define TLSEXT_TYPE_application_settings 17613 // ExtensionType values from draft-ietf-tls-esni-13. This is not an IANA defined // extension number. diff --git a/ssl/d1_both.cc b/ssl/d1_both.cc index 55c92fad8a..b910b96d9c 100644 --- a/ssl/d1_both.cc +++ b/ssl/d1_both.cc @@ -184,11 +184,10 @@ static UniquePtr dtls1_hm_fragment_new( return nullptr; } size_t bitmask_len = (msg_hdr->msg_len + 7) / 8; - frag->reassembly = (uint8_t *)OPENSSL_malloc(bitmask_len); + frag->reassembly = (uint8_t *)OPENSSL_zalloc(bitmask_len); if (frag->reassembly == NULL) { return nullptr; } - OPENSSL_memset(frag->reassembly, 0, bitmask_len); } return frag; diff --git a/ssl/extensions.cc b/ssl/extensions.cc index a9cb89a36d..ced206b509 100644 --- a/ssl/extensions.cc +++ b/ssl/extensions.cc 
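Review bot: The `SSL_set_alps_use_new_codepoint` comment does not say when the call takes effect or that the peer must be configured for the same codepoint; the server-side lookup in `ssl_negotiate_alps` later in this diff only searches the ClientHello for the configured ExtensionType, so a mismatch silently negotiates no ALPS rather than failing. I would extend it to something like `// SSL_set_alps_use_new_codepoint configures whether ALPS uses the new codepoint (|TLSEXT_TYPE_application_settings|) or the old one (|TLSEXT_TYPE_application_settings_old|). Both peers must select the same codepoint or ALPS is not negotiated. It has no effect once the handshake configuration has been shed, so call it before the handshake.` — the last sentence is inferred from the `if (!ssl->config) return;` in the `ssl_lib.cc` hunk. In the `tls1.h` hunk the comment above the two defines still reads as if there were a single value; a clause saying that `_old` is the value previously used and the unsuffixed one the replacement would keep the two from being confused.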
@@ -2906,9 +2906,10 @@ bool ssl_get_local_application_settings(const SSL_HANDSHAKE *hs, return false; } -static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, - CBB *out_compressible, - ssl_client_hello_type_t type) { +static bool ext_alps_add_clienthello_impl(const SSL_HANDSHAKE *hs, CBB *out, + CBB *out_compressible, + ssl_client_hello_type_t type, + bool use_new_codepoint) { const SSL *const ssl = hs->ssl; if (// ALPS requires TLS 1.3. hs->max_version < TLS1_3_VERSION || @@ -2921,8 +2922,18 @@ static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, return true; } + if (use_new_codepoint != hs->config->alps_use_new_codepoint) { + // Do nothing, we'll send the other codepoint. + return true; + } + + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } + CBB contents, proto_list, proto; - if (!CBB_add_u16(out_compressible, TLSEXT_TYPE_application_settings) || + if (!CBB_add_u16(out_compressible, extension_type) || !CBB_add_u16_length_prefixed(out_compressible, &contents) || !CBB_add_u16_length_prefixed(&contents, &proto_list)) { return false; 
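Review bot: The codepoint selection `uint16_t extension_type = TLSEXT_TYPE_application_settings_old; if (hs->config->alps_use_new_codepoint) { extension_type = TLSEXT_TYPE_application_settings; }` in `ext_alps_add_clienthello_impl` is repeated verbatim in `ext_alps_add_serverhello_impl`, `ssl_negotiate_alps`, `SSL_serialize_handoff` and `SSL_serialize_capabilities` later in this diff; one helper next to the `SSL_CONFIG` field, e.g. `inline uint16_t ssl_alps_extension_type(const SSL_CONFIG *config) { return config->alps_use_new_codepoint ? TLSEXT_TYPE_application_settings : TLSEXT_TYPE_application_settings_old; }`, keeps the flag-to-constant mapping in one place. Inside this function the branch is also redundant after the `use_new_codepoint != hs->config->alps_use_new_codepoint` early return, since from that point `use_new_codepoint` already says which value to emit. The function's body continues past the end of the hunk.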
@@ -2939,8 +2950,24 @@ static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, return CBB_flush(out_compressible); } -static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, - CBS *contents) { +static bool ext_alps_add_clienthello(const SSL_HANDSHAKE *hs, CBB *out, + CBB *out_compressible, + ssl_client_hello_type_t type) { + return ext_alps_add_clienthello_impl(hs, out, out_compressible, type, + /*use_new_codepoint=*/true); +} + +static bool ext_alps_add_clienthello_old(const SSL_HANDSHAKE *hs, CBB *out, + CBB *out_compressible, + ssl_client_hello_type_t type) { + return ext_alps_add_clienthello_impl(hs, out, out_compressible, type, + /*use_new_codepoint=*/false); +} + +static bool ext_alps_parse_serverhello_impl(SSL_HANDSHAKE *hs, + uint8_t *out_alert, + CBS *contents, + bool use_new_codepoint) { SSL *const ssl = hs->ssl; if (contents == nullptr) { return true; @@ -2949,6 +2976,7 @@ static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, assert(!ssl->s3->initial_handshake_complete); assert(!hs->config->alpn_client_proto_list.empty()); assert(!hs->config->alps_configs.empty()); + assert(use_new_codepoint == hs->config->alps_use_new_codepoint); // ALPS requires TLS 1.3. if (ssl_protocol_version(ssl) < TLS1_3_VERSION) { 
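Review bot: `assert(use_new_codepoint == hs->config->alps_use_new_codepoint)` in `ext_alps_parse_serverhello_impl` makes a peer-influenced condition a debug-only check: in an NDEBUG build a ServerHello carrying the codepoint this client did not offer would fall through and be parsed as if it were the configured one. That is acceptable only if the extension framework already rejects ServerHello extensions the client never sent before any `parse_serverhello` callback runs, which this hunk does not show; if it does, a one-line comment above the assert saying so would document why no alert is needed, otherwise replace it with `if (use_new_codepoint != hs->config->alps_use_new_codepoint) { *out_alert = SSL_AD_UNSUPPORTED_EXTENSION; return false; }`. The enclosing function starts in the previous hunk and ends outside this one.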
@@ -2968,7 +2996,22 @@ static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, uint8_t *out_alert, return true; } -static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { +static bool ext_alps_parse_serverhello(SSL_HANDSHAKE *hs, + uint8_t *out_alert, + CBS *contents) { + return ext_alps_parse_serverhello_impl(hs, out_alert, contents, + /*use_new_codepoint=*/true); +} + +static bool ext_alps_parse_serverhello_old(SSL_HANDSHAKE *hs, + uint8_t *out_alert, + CBS *contents) { + return ext_alps_parse_serverhello_impl(hs, out_alert, contents, + /*use_new_codepoint=*/false); +} + +static bool ext_alps_add_serverhello_impl(SSL_HANDSHAKE *hs, CBB *out, + bool use_new_codepoint) { SSL *const ssl = hs->ssl; // If early data is accepted, we omit the ALPS extension. It is implicitly // carried over from the previous connection. @@ -2978,8 +3021,18 @@ static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; } + if (use_new_codepoint != hs->config->alps_use_new_codepoint) { + // Do nothing, we'll send the other codepoint. + return true; + } + + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } + CBB contents; - if (!CBB_add_u16(out, TLSEXT_TYPE_application_settings) || + if (!CBB_add_u16(out, extension_type) || !CBB_add_u16_length_prefixed(out, &contents) || !CBB_add_bytes(&contents, hs->new_session->local_application_settings.data(), 
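Review bot: `ext_alps_add_serverhello_impl`, like the other two `_impl` functions, takes `use_new_codepoint` without a comment stating its contract; the inline `// Do nothing, we'll send the other codepoint.` explains one early return but not why there are two `kExtensions` entries driving the same code. A short comment above each `_impl`, e.g. `// |use_new_codepoint| identifies which of the two ALPS |kExtensions| entries is calling; the function emits nothing unless that entry matches |hs->config->alps_use_new_codepoint|, so exactly one codepoint is ever sent.`, would make the pairing with the `_old` wrappers obvious to the next reader. The function's body continues past the end of the hunk.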
@@ -2991,6 +3044,14 @@ static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { return true; } +static bool ext_alps_add_serverhello(SSL_HANDSHAKE *hs, CBB *out) { + return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/true); +} + +static bool ext_alps_add_serverhello_old(SSL_HANDSHAKE *hs, CBB *out) { + return ext_alps_add_serverhello_impl(hs, out, /*use_new_codepoint=*/false); +} + bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, const SSL_CLIENT_HELLO *client_hello) { SSL *const ssl = hs->ssl; @@ -3001,11 +3062,15 @@ bool ssl_negotiate_alps(SSL_HANDSHAKE *hs, uint8_t *out_alert, // If we negotiate ALPN over TLS 1.3, try to negotiate ALPS. CBS alps_contents; Span settings; + uint16_t extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + extension_type = TLSEXT_TYPE_application_settings; + } if (ssl_protocol_version(ssl) >= TLS1_3_VERSION && ssl_get_local_application_settings(hs, &settings, ssl->s3->alpn_selected) && ssl_client_hello_get_extension(client_hello, &alps_contents, - TLSEXT_TYPE_application_settings)) { + extension_type)) { // Check if the client supports ALPS with the selected ALPN. bool found = false; CBS alps_list; @@ -3216,6 +3281,14 @@ static const struct tls_extension kExtensions[] = { ignore_parse_clienthello, ext_alps_add_serverhello, }, + { + TLSEXT_TYPE_application_settings_old, + ext_alps_add_clienthello_old, + ext_alps_parse_serverhello_old, + // ALPS is negotiated late in |ssl_negotiate_alpn|. + ignore_parse_clienthello, + ext_alps_add_serverhello_old, + }, }; #define kNumExtensions (sizeof(kExtensions) / sizeof(struct tls_extension)) diff --git a/ssl/handoff.cc b/ssl/handoff.cc index 0e58e03801..e281838cfe 100644 --- a/ssl/handoff.cc +++ b/ssl/handoff.cc 
@@ -40,7 +40,7 @@ enum early_data_t { // serialize_features adds a description of features supported by this binary to // |out|. Returns true on success and false on error. -static bool serialize_features(CBB *out) { +static bool serialize_features(CBB *out, uint16_t alps_extension_type) { CBB ciphers; if (!CBB_add_asn1(out, &ciphers, CBS_ASN1_OCTETSTRING)) { return false; @@ -67,7 +67,7 @@ static bool serialize_features(CBB *out) { // removed. CBB alps; if (!CBB_add_asn1(out, &alps, kHandoffTagALPS) || - !CBB_add_u16(&alps, TLSEXT_TYPE_application_settings)) { + !CBB_add_u16(&alps, alps_extension_type)) { return false; } return CBB_flush(out); @@ -85,13 +85,18 @@ bool SSL_serialize_handoff(const SSL *ssl, CBB *out, CBB seq; SSLMessage msg; Span transcript = s3->hs->transcript.buffer(); + + uint16_t alps_extension_type = TLSEXT_TYPE_application_settings_old; + if (s3->hs->config->alps_use_new_codepoint) { + alps_extension_type = TLSEXT_TYPE_application_settings; + } if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&seq, kHandoffVersion) || !CBB_add_asn1_octet_string(&seq, transcript.data(), transcript.size()) || !CBB_add_asn1_octet_string(&seq, reinterpret_cast(s3->hs_buf->data), s3->hs_buf->length) || - !serialize_features(&seq) || + !serialize_features(&seq, alps_extension_type) || !CBB_flush(out) || !ssl->method->get_message(ssl, &msg) || !ssl_client_hello_init(ssl, out_hello, msg.body)) { 
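Review bot: `serialize_features` gains an `alps_extension_type` parameter but its header comment still says it describes "features supported by this binary"; the ALPS codepoint is now per-connection configuration rather than a property of the binary, so the comment should say so and document the new parameter, e.g. `// serialize_features adds a description of the features supported by this binary and this connection's configuration to |out|. |alps_extension_type| is the ALPS ExtensionType the connection is configured to use.` Whether the receiving side uses it to filter what the handshaker sends is my reading of `apply_remote_features` in the next hunk and should be confirmed before being written down. In `SSL_serialize_handoff` the four-line codepoint selection block is inserted with a blank line before it but none after, and it is the same block that appears in `SSL_serialize_capabilities` and the `extensions.cc` functions.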
@@ -221,9 +226,12 @@ static bool apply_remote_features(SSL *ssl, CBS *in) { if (!CBS_get_u16(&alps, &id)) { return false; } - // For now, we only support one ALPS code point, so we only need to extract - // a boolean signal from the feature list. - if (id == TLSEXT_TYPE_application_settings) { + // For now, we support two ALPS codepoints, so we need to extract both + // codepoints, and then filter what the handshaker might try to send. + if ((id == TLSEXT_TYPE_application_settings && + ssl->config->alps_use_new_codepoint) || + (id == TLSEXT_TYPE_application_settings_old && + !ssl->config->alps_use_new_codepoint)) { supports_alps = true; break; } @@ -737,8 +745,13 @@ using namespace bssl; int SSL_serialize_capabilities(const SSL *ssl, CBB *out) { CBB seq; + const SSL_HANDSHAKE *hs = ssl->s3->hs.get(); + uint16_t alps_extension_type = TLSEXT_TYPE_application_settings_old; + if (hs->config->alps_use_new_codepoint) { + alps_extension_type = TLSEXT_TYPE_application_settings; + } if (!CBB_add_asn1(out, &seq, CBS_ASN1_SEQUENCE) || - !serialize_features(&seq) || // + !serialize_features(&seq, alps_extension_type) || // !CBB_flush(out)) { return 0; } diff --git a/ssl/internal.h b/ssl/internal.h index 857de775af..573613f72e 100644 --- a/ssl/internal.h +++ b/ssl/internal.h @@ -3317,6 +3317,10 @@ struct SSL_CONFIG { // the default min version. callers can change the min version used by calling // |SSL_set_min_proto_version| with a non-zero value. bool conf_min_version_use_default : 1; + + // alps_use_new_codepoint if set indicates we use new ALPS extension codepoint + // to negotiate and convey application settings. + bool alps_use_new_codepoint : 1; }; // From RFC 8446, used in determining PSK modes. diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc index 24cfecea10..1069db2017 100644 --- a/ssl/ssl_lib.cc +++ b/ssl/ssl_lib.cc 
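Review bot: `SSL_serialize_capabilities` in the second hunk now dereferences `ssl->s3->hs.get()` without a null check; if this function can be called on an `SSL` whose handshake object has already been released, `hs->config->alps_use_new_codepoint` is a null dereference, whereas the old code needed no handshake state at all. The flag lives on the configuration object (see the `SSL_CONFIG` field added in the `internal.h` hunk and `ssl->config->alps_use_new_codepoint` in `apply_remote_features` in the first hunk), so reading it as `if (ssl->config && ssl->config->alps_use_new_codepoint)` avoids the dependency on a live handshake, assuming `hs->config` and `ssl->config` refer to the same object as they appear to. The same pattern in `SSL_serialize_handoff` (previous file section) runs mid-handshake, where `hs` is expected to be live.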
@@ -724,7 +724,8 @@ SSL_CONFIG::SSL_CONFIG(SSL *ssl_arg) quic_use_legacy_codepoint(false), permute_extensions(false), conf_max_version_use_default(true), - conf_min_version_use_default(true) { + conf_min_version_use_default(true), + alps_use_new_codepoint(false) { assert(ssl); } @@ -2430,6 +2431,13 @@ int SSL_has_application_settings(const SSL *ssl) { return session && session->has_application_settings; } +void SSL_set_alps_use_new_codepoint(SSL *ssl, int use_new) { + if (!ssl->config) { + return; + } + ssl->config->alps_use_new_codepoint = !!use_new; +} + int SSL_CTX_add_cert_compression_alg(SSL_CTX *ctx, uint16_t alg_id, ssl_cert_compression_func_t compress, ssl_cert_decompression_func_t decompress) { diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc index c390f4da2a..26ec2f6af3 100644 --- a/ssl/ssl_test.cc +++ b/ssl/ssl_test.cc @@ -6088,8 +6088,8 @@ enum ssl_test_ticket_aead_failure_mode { }; struct ssl_test_ticket_aead_state { - unsigned retry_count; - ssl_test_ticket_aead_failure_mode failure_mode; + unsigned retry_count = 0; + ssl_test_ticket_aead_failure_mode failure_mode = ssl_test_ticket_aead_ok; }; static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to, @@ -6102,12 +6102,7 @@ static int ssl_test_ticket_aead_ex_index_dup(CRYPTO_EX_DATA *to, static void ssl_test_ticket_aead_ex_index_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, int index, long argl, void *argp) { - auto state = reinterpret_cast(ptr); - if (state == nullptr) { - return; - } - - OPENSSL_free(state); + delete reinterpret_cast(ptr); } static CRYPTO_once_t g_ssl_test_ticket_aead_ex_index_once = CRYPTO_ONCE_INIT; 
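Review bot: SSL_set_alps_use_new_codepoint silently does nothing when `ssl->config` is null, which matches the neighbouring per-connection setters but is invisible to callers unless the public header says so. The header change is not in this view, so I would make sure the ssl.h comment states that the setter only has an effect before the handshake begins and is ignored afterwards, and that the default is the old codepoint (the constructor hunk above initialises `alps_use_new_codepoint(false)`). A short `// No-op once the config has been shed after the handshake.` above the early return would help readers of this file too.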
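Review bot: In ssl_test_ticket_aead_ex_index_free the pointer handed back from ex_data is a `void *`, and the idiomatic named cast for `void *` to `T *` is `static_cast`, not `reinterpret_cast` (the target type is elided in this rendering of the diff). Dropping the explicit null check is fine since `delete` on a null pointer is well-defined, so the line can become `delete static_cast<ssl_test_ticket_aead_state *>(ptr);`. The matching allocation in the next hunk now uses `new`, so allocation and release agree, which the old malloc/free pairing with a default-initialised struct did not guarantee.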
@@ -6196,10 +6191,7 @@ static void ConnectClientAndServerWithTicketMethod( SSL_set_connect_state(client.get()); SSL_set_accept_state(server.get()); - auto state = reinterpret_cast( - OPENSSL_malloc(sizeof(ssl_test_ticket_aead_state))); - ASSERT_TRUE(state); - OPENSSL_memset(state, 0, sizeof(ssl_test_ticket_aead_state)); + auto state = new ssl_test_ticket_aead_state; state->retry_count = retry_count; state->failure_mode = failure_mode; 
@@ -9782,6 +9774,141 @@ TEST(SSLTest, ALPNConfig) { check_alpn_proto({}); } +// This is a basic unit-test class to verify completing handshake successfully, +// sending the correct codepoint extension and having correct application +// setting on different combination of ALPS codepoint settings. More integration +// tests on runner.go. +class AlpsNewCodepointTest : public testing::Test { + protected: + void SetUp() override { + client_ctx_.reset(SSL_CTX_new(TLS_method())); + server_ctx_ = CreateContextWithTestCertificate(TLS_method()); + ASSERT_TRUE(client_ctx_); + ASSERT_TRUE(server_ctx_); + } + + void SetUpExpectedNewCodePoint() { + SSL_CTX_set_select_certificate_cb( + server_ctx_.get(), + [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { + const uint8_t *data; + size_t len; + if (!SSL_early_callback_ctx_extension_get( + client_hello, TLSEXT_TYPE_application_settings, &data, + &len)) { + ADD_FAILURE() << "Could not find alps new codpoint."; + return ssl_select_cert_error; + } + return ssl_select_cert_success; + }); + } + + void SetUpExpectedOldCodePoint() { + SSL_CTX_set_select_certificate_cb( + server_ctx_.get(), + [](const SSL_CLIENT_HELLO *client_hello) -> ssl_select_cert_result_t { + const uint8_t *data; + size_t len; + if (!SSL_early_callback_ctx_extension_get( + client_hello, TLSEXT_TYPE_application_settings_old, &data, + &len)) { + ADD_FAILURE() << "Could not find alps old codpoint."; + return ssl_select_cert_error; + } + return ssl_select_cert_success; + }); + } + + void SetUpApplicationSetting() { + static const uint8_t alpn[] = {0x03, 'f', 'o', 'o'}; + static const uint8_t proto[] = {'f', 'o', 'o'}; + static const uint8_t alps[] = {0x04, 'a', 'l', 'p', 's'}; + // SSL_set_alpn_protos's return value is backwards. It returns zero on + // success and one on failure. 
+ ASSERT_FALSE(SSL_set_alpn_protos(client_.get(), alpn, sizeof(alpn))); + SSL_CTX_set_alpn_select_cb( + server_ctx_.get(), + [](SSL *ssl, const uint8_t **out, uint8_t *out_len, const uint8_t *in, + unsigned in_len, void *arg) -> int { + return SSL_select_next_proto( + const_cast(out), out_len, in, in_len, + alpn, sizeof(alpn)) == OPENSSL_NPN_NEGOTIATED + ? SSL_TLSEXT_ERR_OK + : SSL_TLSEXT_ERR_NOACK; + }, + nullptr); + ASSERT_TRUE(SSL_add_application_settings(client_.get(), proto, + sizeof(proto), nullptr, 0)); + ASSERT_TRUE(SSL_add_application_settings(server_.get(), proto, + sizeof(proto), alps, sizeof(alps))); + } + + bssl::UniquePtr client_ctx_; + bssl::UniquePtr server_ctx_; + + bssl::UniquePtr client_; + bssl::UniquePtr server_; +}; + +TEST_F(AlpsNewCodepointTest, Enabled) { + SetUpExpectedNewCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 1); + SSL_set_alps_use_new_codepoint(server_.get(), 1); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_TRUE(SSL_has_application_settings(client_.get())); +} + +TEST_F(AlpsNewCodepointTest, Disabled) { + // Both client and server disable alps new codepoint. + SetUpExpectedOldCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 0); + SSL_set_alps_use_new_codepoint(server_.get(), 0); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_TRUE(SSL_has_application_settings(client_.get())); +} + +TEST_F(AlpsNewCodepointTest, ClientOnly) { + // If client set new codepoint but server doesn't set, server ignores it. 
+ SetUpExpectedNewCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 1); + SSL_set_alps_use_new_codepoint(server_.get(), 0); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_FALSE(SSL_has_application_settings(client_.get())); +} + +TEST_F(AlpsNewCodepointTest, ServerOnly) { + // If client doesn't set new codepoint, while server set. + SetUpExpectedOldCodePoint(); + + ASSERT_TRUE(CreateClientAndServer(&client_, &server_, client_ctx_.get(), + server_ctx_.get())); + + SSL_set_alps_use_new_codepoint(client_.get(), 0); + SSL_set_alps_use_new_codepoint(server_.get(), 1); + + SetUpApplicationSetting(); + ASSERT_TRUE(CompleteHandshakes(client_.get(), server_.get())); + ASSERT_FALSE(SSL_has_application_settings(client_.get())); +} + // Test that the key usage checker can correctly handle issuerUID and // subjectUID. See https://crbug.com/1199744. TEST(SSLTest, KeyUsageWithUIDs) { diff --git a/ssl/test/async_bio.cc b/ssl/test/async_bio.cc index 9eae290f1a..1c9859afee 100644 --- a/ssl/test/async_bio.cc +++ b/ssl/test/async_bio.cc @@ -108,11 +108,10 @@ static long AsyncCtrl(BIO *bio, int cmd, long num, void *ptr) { } static int AsyncNew(BIO *bio) { - AsyncBio *a = (AsyncBio *)OPENSSL_malloc(sizeof(*a)); + AsyncBio *a = (AsyncBio *)OPENSSL_zalloc(sizeof(*a)); if (a == NULL) { return 0; } - OPENSSL_memset(a, 0, sizeof(*a)); a->enforce_write_quota = true; bio->init = 1; bio->ptr = (char *)a; diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index febab21193..0ed3ce7c01 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go 
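Review bot: The four AlpsNewCodepointTest cases only assert the client's view via `SSL_has_application_settings(client_.get())`; the server's state is never checked, so a regression where the server believes ALPS was negotiated while the client does not (or vice versa) would pass. Add `ASSERT_TRUE(SSL_has_application_settings(server_.get()));` to Enabled and Disabled and `ASSERT_FALSE(SSL_has_application_settings(server_.get()));` to ClientOnly and ServerOnly. The failure strings in SetUpExpectedNewCodePoint and SetUpExpectedOldCodePoint both misspell the word as "codpoint"; `"Could not find alps new codepoint."` / `"Could not find alps old codepoint."` is intended. The class comment should also say what the mixed cases verify, i.e. that a codepoint mismatch completes the handshake without ALPS rather than failing it.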
@@ -122,7 +122,8 @@ const ( extensionQUICTransportParams uint16 = 57 extensionCustom uint16 = 1234 // not IANA assigned extensionNextProtoNeg uint16 = 13172 // not IANA assigned - extensionApplicationSettings uint16 = 17513 // not IANA assigned + extensionApplicationSettingsOld uint16 = 17513 // not IANA assigned + extensionApplicationSettings uint16 = 17613 // not IANA assigned extensionRenegotiationInfo uint16 = 0xff01 extensionQUICTransportParamsLegacy uint16 = 0xffa5 // draft-ietf-quic-tls-32 and earlier extensionChannelID uint16 = 30032 // not IANA assigned @@ -272,6 +273,8 @@ type ConnectionState struct { QUICTransportParamsLegacy []byte // the legacy QUIC transport params received from the peer HasApplicationSettings bool // whether ALPS was negotiated PeerApplicationSettings []byte // application settings received from the peer + HasApplicationSettingsOld bool // whether ALPS old codepoint was negotiated + PeerApplicationSettingsOld []byte // the old application settings received from the peer ECHAccepted bool // whether ECH was accepted on this connection } 
@@ -290,25 +293,28 @@ const ( // ClientSessionState contains the state needed by clients to resume TLS // sessions. type ClientSessionState struct { - sessionID []uint8 // Session ID supplied by the server. nil if the session has a ticket. - sessionTicket []uint8 // Encrypted ticket used for session resumption with server - vers uint16 // SSL/TLS version negotiated for the session - wireVersion uint16 // Wire SSL/TLS version negotiated for the session - cipherSuite *cipherSuite // Ciphersuite negotiated for the session - secret []byte // Secret associated with the session - handshakeHash []byte // Handshake hash for Channel ID purposes. - serverCertificates []*x509.Certificate // Certificate chain presented by the server - extendedMasterSecret bool // Whether an extended master secret was used to generate the session - sctList []byte - ocspResponse []byte - earlyALPN string - ticketCreationTime time.Time - ticketExpiration time.Time - ticketAgeAdd uint32 - maxEarlyDataSize uint32 - hasApplicationSettings bool - localApplicationSettings []byte - peerApplicationSettings []byte + sessionID []uint8 // Session ID supplied by the server. nil if the session has a ticket. + sessionTicket []uint8 // Encrypted ticket used for session resumption with server + vers uint16 // SSL/TLS version negotiated for the session + wireVersion uint16 // Wire SSL/TLS version negotiated for the session + cipherSuite *cipherSuite // Ciphersuite negotiated for the session + secret []byte // Secret associated with the session + handshakeHash []byte // Handshake hash for Channel ID purposes. 
+ serverCertificates []*x509.Certificate // Certificate chain presented by the server + extendedMasterSecret bool // Whether an extended master secret was used to generate the session + sctList []byte + ocspResponse []byte + earlyALPN string + ticketCreationTime time.Time + ticketExpiration time.Time + ticketAgeAdd uint32 + maxEarlyDataSize uint32 + hasApplicationSettings bool + localApplicationSettings []byte + peerApplicationSettings []byte + hasApplicationSettingsOld bool + localApplicationSettingsOld []byte + peerApplicationSettingsOld []byte } // ClientSessionCache is a cache of ClientSessionState objects that can be used @@ -384,6 +390,35 @@ func (c QUICUseCodepoint) String() string { panic("unknown value") } +// ALPSUseCodepoint controls which TLS extension codepoint is used to convey the +// ApplicationSettings. ALPSUseCodepointNew means use 17613, +// ALPSUseCodepointOld means use old value 17513. +type ALPSUseCodepoint int + +const ( + ALPSUseCodepointNew ALPSUseCodepoint = iota + ALPSUseCodepointOld + NumALPSUseCodepoints +) + +func (c ALPSUseCodepoint) IncludeNew() bool { + return c == ALPSUseCodepointNew +} + +func (c ALPSUseCodepoint) IncludeOld() bool { + return c == ALPSUseCodepointOld +} + +func (c ALPSUseCodepoint) String() string { + switch c { + case ALPSUseCodepointNew: + return "New" + case ALPSUseCodepointOld: + return "Old" + } + panic("unknown value") +} + // A Config structure is used to configure a TLS client or server. // After one has been passed to a TLS function it must not be // modified. A Config may be reused; the tls package will also not 
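Review bot: ALPSUseCodepointNew is declared first in the iota block, so the zero value of ALPSUseCodepoint — and therefore of any Config that never sets the field — means "new codepoint", which is the opposite of the shim default `alps_use_new_codepoint(false)` set in ssl_lib.cc in this same change. That asymmetry is easy to trip over when adding tests, so the type comment should state it: `// The zero value is ALPSUseCodepointNew, so a Config that leaves the field unset advertises the new codepoint.` NumALPSUseCodepoints is declared here but not used in any visible hunk; if it is only for iteration elsewhere a short comment saying so would avoid it looking like dead code.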
@@ -424,6 +459,10 @@ type Config struct { // application protocol. ApplicationSettings map[string][]byte + // ALPSUseNewCodepoint controls which TLS extension codepoint is used to + // convey the ApplicationSettings. + ALPSUseNewCodepoint ALPSUseCodepoint + // ServerName is used to verify the hostname on the returned // certificates unless InsecureSkipVerify is given. It is also included // in the client's handshake to support virtual hosting. @@ -991,10 +1030,20 @@ type ProtocolBugs struct { // return. ALPNProtocol *string - // AlwaysNegotiateApplicationSettings, if true, causes the server to - // negotiate ALPS for a protocol even if the client did not support it or - // the version is wrong. - AlwaysNegotiateApplicationSettings bool + // AlwaysNegotiateApplicationSettingsBoth, if true, causes the server to + // negotiate ALPS using both codepoint for a protocol even if the client did + // not support it or the version is wrong. + AlwaysNegotiateApplicationSettingsBoth bool + + // AlwaysNegotiateApplicationSettingsNew, if true, causes the server to + // negotiate ALPS using new codepoint for a protocol even if the client did + // not support it or the version is wrong. + AlwaysNegotiateApplicationSettingsNew bool + + // AlwaysNegotiateApplicationSettingsOld, if true, causes the server to + // negotiate ALPS using old codepoint for a protocol even if the client did + // not support it or the version is wrong. + AlwaysNegotiateApplicationSettingsOld bool // SendApplicationSettingsWithEarlyData, if true, causes the client and // server to send the application_settings extension with early data, diff --git a/ssl/test/runner/conn.go b/ssl/test/runner/conn.go index 2e9114dba1..a3251dc100 100644 --- a/ssl/test/runner/conn.go +++ b/ssl/test/runner/conn.go 
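Review bot: The new Config field is named `ALPSUseNewCodepoint`, which reads as a boolean, but its type is the `ALPSUseCodepoint` enum with New/Old values, and the call sites spell `c.config.ALPSUseNewCodepoint.IncludeOld()`, which is confusing. Naming the field after its type, `ALPSUseCodepoint ALPSUseCodepoint`, would match the enum and (if the QUIC codepoint field follows that pattern) the existing convention. The field comment should also mention the default, since an unset field selects the new codepoint.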
@@ -74,8 +74,10 @@ type Conn struct { clientProtocolFallback bool usedALPN bool - localApplicationSettings, peerApplicationSettings []byte - hasApplicationSettings bool + localApplicationSettings, peerApplicationSettings []byte + hasApplicationSettings bool + localApplicationSettingsOld, peerApplicationSettingsOld []byte + hasApplicationSettingsOld bool // verify_data values for the renegotiation extension. clientVerify []byte 
@@ -1581,22 +1583,25 @@ func (c *Conn) processTLS13NewSessionTicket(newSessionTicket *newSessionTicketMs } session := &ClientSessionState{ - sessionTicket: newSessionTicket.ticket, - vers: c.vers, - wireVersion: c.wireVersion, - cipherSuite: cipherSuite, - secret: deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce), - serverCertificates: c.peerCertificates, - sctList: c.sctList, - ocspResponse: c.ocspResponse, - ticketCreationTime: c.config.time(), - ticketExpiration: c.config.time().Add(time.Duration(newSessionTicket.ticketLifetime) * time.Second), - ticketAgeAdd: newSessionTicket.ticketAgeAdd, - maxEarlyDataSize: newSessionTicket.maxEarlyDataSize, - earlyALPN: c.clientProtocol, - hasApplicationSettings: c.hasApplicationSettings, - localApplicationSettings: c.localApplicationSettings, - peerApplicationSettings: c.peerApplicationSettings, + sessionTicket: newSessionTicket.ticket, + vers: c.vers, + wireVersion: c.wireVersion, + cipherSuite: cipherSuite, + secret: deriveSessionPSK(cipherSuite, c.wireVersion, c.resumptionSecret, newSessionTicket.ticketNonce), + serverCertificates: c.peerCertificates, + sctList: c.sctList, + ocspResponse: c.ocspResponse, + ticketCreationTime: c.config.time(), + ticketExpiration: c.config.time().Add(time.Duration(newSessionTicket.ticketLifetime) * time.Second), + ticketAgeAdd: newSessionTicket.ticketAgeAdd, + maxEarlyDataSize: newSessionTicket.maxEarlyDataSize, + earlyALPN: c.clientProtocol, + hasApplicationSettings: c.hasApplicationSettings, + localApplicationSettings: c.localApplicationSettings, + peerApplicationSettings: c.peerApplicationSettings, + hasApplicationSettingsOld: c.hasApplicationSettingsOld, + localApplicationSettingsOld: c.localApplicationSettingsOld, + peerApplicationSettingsOld: c.peerApplicationSettingsOld, } cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 
@@ -1858,6 +1863,8 @@ func (c *Conn) ConnectionState() ConnectionState { state.QUICTransportParamsLegacy = c.quicTransportParamsLegacy state.HasApplicationSettings = c.hasApplicationSettings state.PeerApplicationSettings = c.peerApplicationSettings + state.HasApplicationSettingsOld = c.hasApplicationSettingsOld + state.PeerApplicationSettingsOld = c.peerApplicationSettingsOld state.ECHAccepted = c.echAccepted } @@ -1983,17 +1990,20 @@ func (c *Conn) SendNewSessionTicket(nonce []byte) error { } state := sessionState{ - vers: c.vers, - cipherSuite: c.cipherSuite.id, - secret: deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce), - certificates: peerCertificatesRaw, - ticketCreationTime: c.config.time(), - ticketExpiration: c.config.time().Add(time.Duration(m.ticketLifetime) * time.Second), - ticketAgeAdd: uint32(addBuffer[3])<<24 | uint32(addBuffer[2])<<16 | uint32(addBuffer[1])<<8 | uint32(addBuffer[0]), - earlyALPN: []byte(c.clientProtocol), - hasApplicationSettings: c.hasApplicationSettings, - localApplicationSettings: c.localApplicationSettings, - peerApplicationSettings: c.peerApplicationSettings, + vers: c.vers, + cipherSuite: c.cipherSuite.id, + secret: deriveSessionPSK(c.cipherSuite, c.wireVersion, c.resumptionSecret, nonce), + certificates: peerCertificatesRaw, + ticketCreationTime: c.config.time(), + ticketExpiration: c.config.time().Add(time.Duration(m.ticketLifetime) * time.Second), + ticketAgeAdd: uint32(addBuffer[3])<<24 | uint32(addBuffer[2])<<16 | uint32(addBuffer[1])<<8 | uint32(addBuffer[0]), + earlyALPN: []byte(c.clientProtocol), + hasApplicationSettings: c.hasApplicationSettings, + localApplicationSettings: c.localApplicationSettings, + peerApplicationSettings: c.peerApplicationSettings, + hasApplicationSettingsOld: c.hasApplicationSettingsOld, + localApplicationSettingsOld: c.localApplicationSettingsOld, + peerApplicationSettingsOld: c.peerApplicationSettingsOld, } if !c.config.Bugs.SendEmptySessionTicket { 
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index f7388b8c26..0f913bf4b1 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go @@ -630,8 +630,15 @@ func (hs *clientHandshakeState) createClientHello(innerHello *clientHelloMsg, ec hello.secureRenegotiation = nil } - for protocol := range c.config.ApplicationSettings { - hello.alpsProtocols = append(hello.alpsProtocols, protocol) + if c.config.ALPSUseNewCodepoint.IncludeNew() { + for protocol := range c.config.ApplicationSettings { + hello.alpsProtocols = append(hello.alpsProtocols, protocol) + } + } + if c.config.ALPSUseNewCodepoint.IncludeOld() { + for protocol := range c.config.ApplicationSettings { + hello.alpsProtocolsOld = append(hello.alpsProtocolsOld, protocol) + } } if maxVersion >= VersionTLS13 { @@ -1406,6 +1413,13 @@ func (hs *clientHandshakeState) doTLS13Handshake(msg any) error { clientEncryptedExtensions.applicationSettings = c.localApplicationSettings } } + if encryptedExtensions.extensions.hasApplicationSettingsOld || (c.config.Bugs.SendApplicationSettingsWithEarlyData && c.hasApplicationSettingsOld) { + hasEncryptedExtensions = true + if !c.config.Bugs.OmitClientApplicationSettings { + clientEncryptedExtensions.hasApplicationSettingsOld = true + clientEncryptedExtensions.applicationSettingsOld = c.localApplicationSettingsOld + } + } if c.config.Bugs.SendExtraClientEncryptedExtension { hasEncryptedExtensions = true clientEncryptedExtensions.customExtension = []byte{0} 
@@ -2058,7 +2072,11 @@ func (hs *clientHandshakeState) processServerExtensions(serverExtensions *server c.quicTransportParamsLegacy = serverExtensions.quicTransportParamsLegacy } - if serverExtensions.hasApplicationSettings { + if serverExtensions.hasApplicationSettings && serverExtensions.hasApplicationSettingsOld { + return errors.New("tls: server negotiated both old and new application settings together") + } + + if serverExtensions.hasApplicationSettings || serverExtensions.hasApplicationSettingsOld { if c.vers < VersionTLS13 { return errors.New("tls: server sent application settings at invalid version") } @@ -2072,14 +2090,26 @@ func (hs *clientHandshakeState) processServerExtensions(serverExtensions *server if !ok { return errors.New("tls: server sent application settings for invalid protocol") } - c.hasApplicationSettings = true - c.localApplicationSettings = settings - c.peerApplicationSettings = serverExtensions.applicationSettings + + if serverExtensions.hasApplicationSettings { + c.hasApplicationSettings = true + c.localApplicationSettings = settings + c.peerApplicationSettings = serverExtensions.applicationSettings + } + + if serverExtensions.hasApplicationSettingsOld { + c.hasApplicationSettingsOld = true + c.localApplicationSettingsOld = settings + c.peerApplicationSettingsOld = serverExtensions.applicationSettingsOld + } } else if serverExtensions.hasEarlyData { // 0-RTT connections inherit application settings from the session. c.hasApplicationSettings = hs.session.hasApplicationSettings c.localApplicationSettings = hs.session.localApplicationSettings c.peerApplicationSettings = hs.session.peerApplicationSettings + c.hasApplicationSettingsOld = hs.session.hasApplicationSettingsOld + c.localApplicationSettingsOld = hs.session.localApplicationSettingsOld + c.peerApplicationSettingsOld = hs.session.peerApplicationSettingsOld } return nil 
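Review bot: The client now rejects a server that negotiates both codepoints, but it still accepts application settings on a codepoint it did not advertise — a server answering with `extensionApplicationSettings` to a client configured with ALPSUseCodepointOld is accepted and recorded as negotiated. Unless that is checked outside the hunk, the runner should be strict here the way it is about version and protocol: `if serverExtensions.hasApplicationSettings && !c.config.ALPSUseNewCodepoint.IncludeNew() { return errors.New("tls: server sent new application settings without the client offering them") }` and the mirror check for the old codepoint. The server-side Bugs flags that force negotiation exist to test the shim as client, so a strict runner client does not conflict with them. processServerExtensions continues outside the hunk.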
diff --git a/ssl/test/runner/handshake_messages.go b/ssl/test/runner/handshake_messages.go index 6ea7faaa85..991f08a2ed 100644 --- a/ssl/test/runner/handshake_messages.go +++ b/ssl/test/runner/handshake_messages.go @@ -196,6 +196,7 @@ type clientHelloMsg struct { compressedCertAlgs []uint16 delegatedCredentials bool alpsProtocols []string + alpsProtocolsOld []string outerExtensions []uint16 reorderOuterExtensionsWithoutCompressing bool prefixExtensions []uint16 @@ -524,6 +525,18 @@ func (m *clientHelloMsg) marshalBody(hello *cryptobyte.Builder, typ clientHelloT body: body.BytesOrPanic(), }) } + if len(m.alpsProtocolsOld) > 0 { + body := cryptobyte.NewBuilder(nil) + body.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { + for _, s := range m.alpsProtocolsOld { + addUint8LengthPrefixedBytes(protocolNameList, []byte(s)) + } + }) + extensions = append(extensions, extension{ + id: extensionApplicationSettingsOld, + body: body.BytesOrPanic(), + }) + } // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11 if len(m.pskIdentities) > 0 { @@ -745,6 +758,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { m.customExtension = "" m.delegatedCredentials = false m.alpsProtocols = nil + m.alpsProtocolsOld = nil if len(reader) == 0 { // ClientHello is optionally followed by extension data @@ -1032,6 +1046,18 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { } m.alpsProtocols = append(m.alpsProtocols, string(protocol)) } + case extensionApplicationSettingsOld: + var protocols cryptobyte.String + if !body.ReadUint16LengthPrefixed(&protocols) || len(body) != 0 { + return false + } + for len(protocols) > 0 { + var protocol []byte + if !readUint8LengthPrefixedBytes(&protocols, &protocol) || len(protocol) == 0 { + return false + } + m.alpsProtocolsOld = append(m.alpsProtocolsOld, string(protocol)) + } } if isGREASEValue(extension) { 
@@ -1412,6 +1438,8 @@ type serverExtensions struct { serverNameAck bool applicationSettings []byte hasApplicationSettings bool + applicationSettingsOld []byte + hasApplicationSettingsOld bool echRetryConfigs []byte } @@ -1539,6 +1567,10 @@ func (m *serverExtensions) marshal(extensions *cryptobyte.Builder) { extensions.AddUint16(extensionApplicationSettings) addUint16LengthPrefixedBytes(extensions, m.applicationSettings) } + if m.hasApplicationSettingsOld { + extensions.AddUint16(extensionApplicationSettingsOld) + addUint16LengthPrefixedBytes(extensions, m.applicationSettingsOld) + } if len(m.echRetryConfigs) > 0 { extensions.AddUint16(extensionEncryptedClientHello) addUint16LengthPrefixedBytes(extensions, m.echRetryConfigs) @@ -1649,6 +1681,9 @@ func (m *serverExtensions) unmarshal(data cryptobyte.String, version uint16) boo case extensionApplicationSettings: m.hasApplicationSettings = true m.applicationSettings = body + case extensionApplicationSettingsOld: + m.hasApplicationSettingsOld = true + m.applicationSettingsOld = body case extensionEncryptedClientHello: if version < VersionTLS13 { return false @@ -1681,10 +1716,12 @@ func (m *serverExtensions) unmarshal(data cryptobyte.String, version uint16) boo } type clientEncryptedExtensionsMsg struct { - raw []byte - applicationSettings []byte - hasApplicationSettings bool - customExtension []byte + raw []byte + applicationSettings []byte + hasApplicationSettings bool + applicationSettingsOld []byte + hasApplicationSettingsOld bool + customExtension []byte } func (m *clientEncryptedExtensionsMsg) marshal() (x []byte) { 
@@ -1700,6 +1737,10 @@ func (m *clientEncryptedExtensionsMsg) marshal() (x []byte) { extensions.AddUint16(extensionApplicationSettings) addUint16LengthPrefixedBytes(extensions, m.applicationSettings) } + if m.hasApplicationSettingsOld { + extensions.AddUint16(extensionApplicationSettingsOld) + addUint16LengthPrefixedBytes(extensions, m.applicationSettingsOld) + } if len(m.customExtension) > 0 { extensions.AddUint16(extensionCustom) addUint16LengthPrefixedBytes(extensions, m.customExtension) @@ -1736,6 +1777,9 @@ func (m *clientEncryptedExtensionsMsg) unmarshal(data []byte) bool { case extensionApplicationSettings: m.hasApplicationSettings = true m.applicationSettings = body + case extensionApplicationSettingsOld: + m.hasApplicationSettingsOld = true + m.applicationSettingsOld = body default: // Unknown extensions are illegal in EncryptedExtensions. return false diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index da39432868..3eb930ccd5 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go @@ -903,7 +903,9 @@ ResendHelloRetryRequest: if hs.sessionState.cipherSuite == hs.suite.id && c.clientProtocol == string(hs.sessionState.earlyALPN) && c.hasApplicationSettings == hs.sessionState.hasApplicationSettings && - bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) { + bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) && + c.hasApplicationSettingsOld == hs.sessionState.hasApplicationSettingsOld && + bytes.Equal(c.localApplicationSettingsOld, hs.sessionState.localApplicationSettingsOld) { encryptedExtensions.extensions.hasEarlyData = true } if config.Bugs.AlwaysAcceptEarlyData { 
@@ -918,6 +920,8 @@ ResendHelloRetryRequest: if !config.Bugs.SendApplicationSettingsWithEarlyData { encryptedExtensions.extensions.hasApplicationSettings = false encryptedExtensions.extensions.applicationSettings = nil + encryptedExtensions.extensions.hasApplicationSettingsOld = false + encryptedExtensions.extensions.applicationSettingsOld = nil } sessionCipher := cipherSuiteFromID(hs.sessionState.cipherSuite) @@ -1254,8 +1258,8 @@ ResendHelloRetryRequest: return err } - // If we sent an ALPS extension, the client must respond with one. - if encryptedExtensions.extensions.hasApplicationSettings { + // If we sent an ALPS extension, the client must respond with a single EncryptedExtensions. + if encryptedExtensions.extensions.hasApplicationSettings || encryptedExtensions.extensions.hasApplicationSettingsOld { msg, err := c.readHandshake() if err != nil { return err 
@@ -1267,14 +1271,35 @@ ResendHelloRetryRequest: } hs.writeClientHash(clientEncryptedExtensions.marshal()) - if !clientEncryptedExtensions.hasApplicationSettings { - c.sendAlert(alertMissingExtension) - return errors.New("tls: client didn't provide application settings") + // Expect client send new application settings not old. + if encryptedExtensions.extensions.hasApplicationSettings { + if !clientEncryptedExtensions.hasApplicationSettings { + c.sendAlert(alertMissingExtension) + return errors.New("tls: client didn't provide new application settings") + } + if clientEncryptedExtensions.hasApplicationSettingsOld { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: client shouldn't provide old application settings") + } + c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings + } + + // Expect client send old application settings not new. + if encryptedExtensions.extensions.hasApplicationSettingsOld { + if !clientEncryptedExtensions.hasApplicationSettingsOld { + c.sendAlert(alertMissingExtension) + return errors.New("tls: client didn't provide old application settings") + } + if clientEncryptedExtensions.hasApplicationSettings { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: client shouldn't provide new application settings") + } + c.peerApplicationSettingsOld = clientEncryptedExtensions.applicationSettingsOld } - c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings } else if encryptedExtensions.extensions.hasEarlyData { // 0-RTT sessions carry application settings over. c.peerApplicationSettings = hs.sessionState.peerApplicationSettings + c.peerApplicationSettingsOld = hs.sessionState.peerApplicationSettingsOld } // If we requested a client certificate, then the client must send a 
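Review bot: The two new comments ("Expect client send new application settings not old.") are ungrammatical and do not explain the cross-rejection: when the server sent the new codepoint the client is required to answer on it and is failed if it also answers on the old one, and symmetrically for old. It is also worth noting that if both were sent (only reachable through AlwaysNegotiateApplicationSettingsBoth) no client reply can satisfy both blocks, so the server side can never complete — presumably intended because the shim is expected to abort first, but a reader will wonder. I would replace the first comment with `// The client must answer on exactly the codepoint we used; a reply on the other codepoint is an error.` and drop the second in favour of `// Same rule for the old codepoint.` The enclosing handshake function continues outside the hunk.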
@@ -1587,7 +1612,7 @@ func (hs *serverHandshakeState) processClientExtensions(serverExtensions *server c.usedALPN = true } - var alpsAllowed bool + var alpsAllowed, alpsAllowedOld bool if c.vers >= VersionTLS13 { for _, proto := range hs.clientHello.alpsProtocols { if proto == c.clientProtocol { @@ -1595,10 +1620,24 @@ func (hs *serverHandshakeState) processClientExtensions(serverExtensions *server break } } + for _, proto := range hs.clientHello.alpsProtocolsOld { + if proto == c.clientProtocol { + alpsAllowedOld = true + break + } + } + } + + if c.config.Bugs.AlwaysNegotiateApplicationSettingsBoth { + alpsAllowed = true + alpsAllowedOld = true } - if c.config.Bugs.AlwaysNegotiateApplicationSettings { + if c.config.Bugs.AlwaysNegotiateApplicationSettingsNew { alpsAllowed = true } + if c.config.Bugs.AlwaysNegotiateApplicationSettingsOld { + alpsAllowedOld = true + } if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowed { c.hasApplicationSettings = true c.localApplicationSettings = settings @@ -1606,6 +1645,13 @@ func (hs *serverHandshakeState) processClientExtensions(serverExtensions *server serverExtensions.hasApplicationSettings = true serverExtensions.applicationSettings = settings } + if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowedOld { + c.hasApplicationSettingsOld = true + c.localApplicationSettingsOld = settings + // Note these fields may later be cleared we accept 0-RTT. + serverExtensions.hasApplicationSettingsOld = true + serverExtensions.applicationSettingsOld = settings + } } if len(c.config.Bugs.SendALPN) > 0 { diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 9c42c16a65..85c10577f8 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go 
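Review bot: The comment added with the old-codepoint branch in processClientExtensions is missing a word: "Note these fields may later be cleared we accept 0-RTT." should read `// Note these fields may later be cleared if we accept 0-RTT.` The same lookup `c.config.ApplicationSettings[c.clientProtocol]` is now performed twice in consecutive blocks; hoisting it once above both `if ... && alpsAllowed` / `alpsAllowedOld` checks would remove the duplication. The function continues outside the hunk.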
@@ -579,6 +579,10 @@ type connectionExpectations struct { // peerApplicationSettings are the expected application settings for the // connection. If nil, no application settings are expected. peerApplicationSettings []byte + // peerApplicationSettingsOld are the expected application settings for + // the connection that are to be sent by the peer using old codepoint. + // If nil, no application settings are expected. + peerApplicationSettingsOld []byte // echAccepted is whether ECH should have been accepted on this connection. echAccepted bool } @@ -979,6 +983,17 @@ func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, tr return errors.New("application settings unexpectedly negotiated") } + if expectations.peerApplicationSettingsOld != nil { + if !connState.HasApplicationSettingsOld { + return errors.New("old application settings should have been negotiated") + } + if !bytes.Equal(connState.PeerApplicationSettingsOld, expectations.peerApplicationSettingsOld) { + return fmt.Errorf("old peer application settings mismatch: got %q, wanted %q", connState.PeerApplicationSettingsOld, expectations.peerApplicationSettingsOld) + } + } else if connState.HasApplicationSettingsOld { + return errors.New("old application settings unexpectedly negotiated") + } + if p := connState.SRTPProtectionProfile; p != expectations.srtpProtectionProfile { return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, expectations.srtpProtectionProfile) } 
@@ -7294,598 +7309,809 @@ func addExtensionTests() { // Test ALPS. if ver.version >= VersionTLS13 { - // Test that client and server can negotiate ALPS, including - // different values on resumption. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Basic-Client-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim1"), - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: []byte("shim2"), - }, - flags: []string{ + // Test basic client with different ALPS codepoint. + for _, alpsCodePoint := range []ALPSUseCodepoint{ALPSUseCodepointNew, ALPSUseCodepointOld} { + flags := []string{} + expectations := connectionExpectations{ + peerApplicationSettingsOld: []byte("shim1"), + } + resumeExpectations := &connectionExpectations{ + peerApplicationSettingsOld: []byte("shim2"), + } + + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettings: []byte("shim2"), + } + } + + flags = append(flags, "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", "-on-initial-application-settings", "proto,shim1", "-on-initial-expect-peer-application-settings", "runner1", "-on-resume-application-settings", "proto,shim2", - "-on-resume-expect-peer-application-settings", "runner2", - }, - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Basic-Server-" + suffix, - 
skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim1"), - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: []byte("shim2"), - }, - flags: []string{ - "-select-alpn", "proto", - "-on-initial-application-settings", "proto,shim1", - "-on-initial-expect-peer-application-settings", "runner1", - "-on-resume-application-settings", "proto,shim2", - "-on-resume-expect-peer-application-settings", "runner2", - }, - }) - - // Test that the server can defer its ALPS configuration to the ALPN - // selection callback. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Basic-Server-Defer-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim1"), - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: []byte("shim2"), - }, - flags: []string{ - "-select-alpn", "proto", - "-defer-alps", - "-on-initial-application-settings", "proto,shim1", - "-on-initial-expect-peer-application-settings", "runner1", - "-on-resume-application-settings", "proto,shim2", - "-on-resume-expect-peer-application-settings", "runner2", - }, - }) - - // Test the client and server correctly handle empty settings. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Empty-Client-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte{}}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte{}, - }, - flags: []string{ - "-advertise-alpn", "\x05proto", - "-expect-alpn", "proto", - "-application-settings", "proto,", - "-expect-peer-application-settings", "", - }, - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Empty-Server-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte{}}, - }, - resumeSession: true, - expectations: connectionExpectations{ - peerApplicationSettings: []byte{}, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,", - "-expect-peer-application-settings", "", - }, - }) + "-on-resume-expect-peer-application-settings", "runner2") - // Test the client rejects application settings from the server on - // protocols it doesn't have them. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-UnsupportedProtocol-Client-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto1"}, - ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, - Bugs: ProtocolBugs{ - AlwaysNegotiateApplicationSettings: true, + // Test that server can negotiate ALPS, including different values + // on resumption. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-Basic-Client-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - // The client supports ALPS with "proto2", but not "proto1". - flags: []string{ - "-advertise-alpn", "\x06proto1\x06proto2", - "-application-settings", "proto2,shim", - "-expect-alpn", "proto1", - }, - // The server sends ALPS with "proto1", which is invalid. - shouldFail: true, - expectedError: ":INVALID_ALPN_PROTOCOL:", - expectedLocalError: "remote error: illegal parameter", - }) - - // Test the server declines ALPS if it doesn't support it for the - // specified protocol. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-UnsupportedProtocol-Server-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto1"}, - ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, - }, - // The server supports ALPS with "proto2", but not "proto1". - flags: []string{ - "-select-alpn", "proto1", - "-application-settings", "proto2,shim", - }, - }) - - // Test that the server rejects a missing application_settings extension. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-OmitClientApplicationSettings-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, - Bugs: ProtocolBugs{ - OmitClientApplicationSettings: true, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - // The runner is a client, so it only processes the shim's alert - // after checking connection state. - expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim"), - }, - shouldFail: true, - expectedError: ":MISSING_EXTENSION:", - expectedLocalError: "remote error: missing extension", - }) + resumeSession: true, + expectations: expectations, + resumeExpectations: resumeExpectations, + flags: flags, + }) - // Test that the server rejects a missing EncryptedExtensions message. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-OmitClientEncryptedExtensions-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, - Bugs: ProtocolBugs{ - OmitClientEncryptedExtensions: true, - }, - }, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - // The runner is a client, so it only processes the shim's alert - // after checking connection state. 
- expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim"), - }, - shouldFail: true, - expectedError: ":UNEXPECTED_MESSAGE:", - expectedLocalError: "remote error: unexpected message", - }) + // Test basic server with different ALPS codepoint. + flags = []string{} + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettingsOld: []byte("shim2"), + } - // Test that the server rejects an unexpected EncryptedExtensions message. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "UnexpectedClientEncryptedExtensions-" + suffix, - config: Config{ - MaxVersion: ver.version, - Bugs: ProtocolBugs{ - AlwaysSendClientEncryptedExtensions: true, - }, - }, - shouldFail: true, - expectedError: ":UNEXPECTED_MESSAGE:", - expectedLocalError: "remote error: unexpected message", - }) + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettings: []byte("shim2"), + } + } - // Test that the server rejects an unexpected extension in an - // expected EncryptedExtensions message. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ExtraClientEncryptedExtension-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, - Bugs: ProtocolBugs{ - SendExtraClientEncryptedExtension: true, - }, - }, - flags: []string{ + flags = append(flags, "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - // The runner is a client, so it only processes the shim's alert - // after checking connection state. 
- expectations: connectionExpectations{ - peerApplicationSettings: []byte("shim"), - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - expectedLocalError: "remote error: unsupported extension", - }) - - // Test that ALPS is carried over on 0-RTT. - for _, empty := range []bool{false, true} { - maybeEmpty := "" - runnerSettings := "runner" - shimSettings := "shim" - if empty { - maybeEmpty = "Empty-" - runnerSettings = "" - shimSettings = "" - } + "-on-initial-application-settings", "proto,shim1", + "-on-initial-expect-peer-application-settings", "runner1", + "-on-resume-application-settings", "proto,shim2", + "-on-resume-expect-peer-application-settings", "runner2") + // Test that server can negotiate ALPS, including different values + // on resumption. testCases = append(testCases, testCase{ protocol: protocol, - testType: clientTest, - name: "ALPS-EarlyData-Client-" + maybeEmpty + suffix, + testType: serverTest, + name: fmt.Sprintf("ALPS-Basic-Server-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, - }, - resumeSession: true, - earlyData: true, - flags: []string{ - "-advertise-alpn", "\x05proto", - "-expect-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: alpsCodePoint, }, + resumeSession: true, + expectations: expectations, + resumeExpectations: resumeExpectations, + flags: flags, }) + + // Try different ALPS codepoint for all the existing tests. 
+ alpsFlags := []string{} + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettingsOld: []byte("shim2"), + } + if alpsCodePoint == ALPSUseCodepointNew { + alpsFlags = append(alpsFlags, "-alps-use-new-codepoint") + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim1"), + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettings: []byte("shim2"), + } + } + + // Test that the server can defer its ALPS configuration to the ALPN + // selection callback. testCases = append(testCases, testCase{ protocol: protocol, testType: serverTest, - name: "ALPS-EarlyData-Server-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-Basic-Server-Defer-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, - }, - resumeSession: true, - earlyData: true, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: alpsCodePoint, }, + resumeSession: true, + expectations: expectations, + resumeExpectations: resumeExpectations, + flags: append([]string{ + "-select-alpn", "proto", + "-defer-alps", + "-on-initial-application-settings", "proto,shim1", + "-on-initial-expect-peer-application-settings", "runner1", + "-on-resume-application-settings", "proto,shim2", + "-on-resume-expect-peer-application-settings", "runner2", + }, 
alpsFlags...), }) - // Sending application settings in 0-RTT handshakes is forbidden. + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte{}, + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: []byte{}, + } + } + // Test the client and server correctly handle empty settings. testCases = append(testCases, testCase{ protocol: protocol, testType: clientTest, - name: "ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Client-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-Empty-Client-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, - Bugs: ProtocolBugs{ - SendApplicationSettingsWithEarlyData: true, - }, + ApplicationSettings: map[string][]byte{"proto": []byte{}}, + ALPSUseNewCodepoint: alpsCodePoint, }, resumeSession: true, - earlyData: true, - flags: []string{ + expectations: expectations, + flags: append([]string{ "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, - }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), - }, + "-application-settings", "proto,", + "-expect-peer-application-settings", "", + }, alpsFlags...), + }) + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-Empty-Server-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte{}}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + expectations: expectations, + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto,", + "-expect-peer-application-settings", "", + 
}, alpsFlags...), + }) + + bugs := ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointNew { + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + // Test the client rejects application settings from the server on + // protocols it doesn't have them. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-UnsupportedProtocol-Client-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto1"}, + ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, + }, + // The client supports ALPS with "proto2", but not "proto1". + flags: append([]string{ + "-advertise-alpn", "\x06proto1\x06proto2", + "-application-settings", "proto2,shim", + "-expect-alpn", "proto1", + }, alpsFlags...), + // The server sends ALPS with "proto1", which is invalid. shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:", + expectedError: ":INVALID_ALPN_PROTOCOL:", expectedLocalError: "remote error: illegal parameter", }) + + // Test client rejects application settings from the server when + // server sends the wrong ALPS codepoint. 
+ bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointOld { + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-WrongServerCodepoint-Client-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte{}}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, + }, + flags: append([]string{ + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + "-application-settings", "proto,", + "-expect-peer-application-settings", "", + }, alpsFlags...), + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) + + // Test server ignore wrong codepoint from client. + clientSends := ALPSUseCodepointNew + if alpsCodePoint == ALPSUseCodepointNew { + clientSends = ALPSUseCodepointOld + } + testCases = append(testCases, testCase{ protocol: protocol, testType: serverTest, - name: "ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-" + maybeEmpty + suffix, + name: fmt.Sprintf("ALPS-IgnoreClientWrongCodepoint-Server-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner1")}, + ALPSUseNewCodepoint: clientSends, + }, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner2")}, + ALPSUseNewCodepoint: clientSends, + }, + resumeSession: true, + flags: append([]string{ + "-select-alpn", "proto", + "-on-initial-application-settings", "proto,shim1", + 
"-on-resume-application-settings", "proto,shim2", + }, alpsFlags...), + }) + + // Test the server declines ALPS if it doesn't support it for the + // specified protocol. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-UnsupportedProtocol-Server-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto1"}, + ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + // The server supports ALPS with "proto2", but not "proto1". + flags: append([]string{ + "-select-alpn", "proto1", + "-application-settings", "proto2,shim", + }, alpsFlags...), + }) + + // Test the client rejects application settings from the server when + // it always negotiate both codepoint. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-UnsupportedProtocol-Client-ServerBoth-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto1"}, + ApplicationSettings: map[string][]byte{"proto1": []byte("runner")}, Bugs: ProtocolBugs{ - SendApplicationSettingsWithEarlyData: true, + AlwaysNegotiateApplicationSettingsBoth: true, }, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeSession: true, - earlyData: true, - flags: []string{ + flags: append([]string{ + "-advertise-alpn", "\x06proto1\x06proto2", + "-application-settings", "proto1,shim", + "-expect-alpn", "proto1", + }, alpsFlags...), + // The server sends ALPS with both application settings, which is invalid. 
+ shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) + + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte("shim"), + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: []byte("shim"), + } + } + + // Test that the server rejects a missing application_settings extension. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-OmitClientApplicationSettings-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + Bugs: ProtocolBugs{ + OmitClientApplicationSettings: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, + }, + flags: append([]string{ "-select-alpn", "proto", - "-application-settings", "proto," + shimSettings, - "-expect-peer-application-settings", runnerSettings, + "-application-settings", "proto,shim", + }, alpsFlags...), + // The runner is a client, so it only processes the shim's alert + // after checking connection state. + expectations: expectations, + shouldFail: true, + expectedError: ":MISSING_EXTENSION:", + expectedLocalError: "remote error: missing extension", + }) + + // Test that the server rejects a missing EncryptedExtensions message. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-OmitClientEncryptedExtensions-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + Bugs: ProtocolBugs{ + OmitClientEncryptedExtensions: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, - expectations: connectionExpectations{ - peerApplicationSettings: []byte(shimSettings), + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto,shim", + }, alpsFlags...), + // The runner is a client, so it only processes the shim's alert + // after checking connection state. + expectations: expectations, + shouldFail: true, + expectedError: ":UNEXPECTED_MESSAGE:", + expectedLocalError: "remote error: unexpected message", + }) + + // Test that the server rejects an unexpected EncryptedExtensions message. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("UnexpectedClientEncryptedExtensions-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + Bugs: ProtocolBugs{ + AlwaysSendClientEncryptedExtensions: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, shouldFail: true, expectedError: ":UNEXPECTED_MESSAGE:", expectedLocalError: "remote error: unexpected message", }) - } - // Test that the client and server each decline early data if local - // ALPS preferences has changed for the current connection. - alpsMismatchTests := []struct { - name string - initialSettings, resumeSettings []byte - }{ - {"DifferentValues", []byte("settings1"), []byte("settings2")}, - {"OnOff", []byte("settings"), nil}, - {"OffOn", nil, []byte("settings")}, - // The empty settings value should not be mistaken for ALPS not - // being negotiated. 
- {"OnEmpty", []byte("settings"), []byte{}}, - {"EmptyOn", []byte{}, []byte("settings")}, - {"EmptyOff", []byte{}, nil}, - {"OffEmpty", nil, []byte{}}, - } - for _, test := range alpsMismatchTests { - flags := []string{"-on-resume-expect-early-data-reason", "alps_mismatch"} - if test.initialSettings != nil { - flags = append(flags, "-on-initial-application-settings", "proto,"+string(test.initialSettings)) - flags = append(flags, "-on-initial-expect-peer-application-settings", "runner") - } - if test.resumeSettings != nil { - flags = append(flags, "-on-resume-application-settings", "proto,"+string(test.resumeSettings)) - flags = append(flags, "-on-resume-expect-peer-application-settings", "runner") - } + // Test that the server rejects an unexpected extension in an + // expected EncryptedExtensions message. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ExtraClientEncryptedExtension-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + Bugs: ProtocolBugs{ + SendExtraClientEncryptedExtension: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, + }, + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto,shim", + }, alpsFlags...), + // The runner is a client, so it only processes the shim's alert + // after checking connection state. + expectations: expectations, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) - // The client should not offer early data if the session is - // inconsistent with the new configuration. Note that if - // the session did not negotiate ALPS (test.initialSettings - // is nil), the client always offers early data. - if test.initialSettings != nil { + // Test that ALPS is carried over on 0-RTT. 
+ for _, empty := range []bool{false, true} { + maybeEmpty := "" + runnerSettings := "runner" + shimSettings := "shim" + if empty { + maybeEmpty = "Empty-" + runnerSettings = "" + shimSettings = "" + } + + expectations = connectionExpectations{ + peerApplicationSettingsOld: []byte(shimSettings), + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: []byte(shimSettings), + } + } testCases = append(testCases, testCase{ protocol: protocol, testType: clientTest, - name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Client-%s", test.name, suffix), + name: fmt.Sprintf("ALPS-EarlyData-Client-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, - MaxEarlyDataSize: 16384, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ALPSUseNewCodepoint: alpsCodePoint, }, resumeSession: true, + earlyData: true, flags: append([]string{ - "-enable-early-data", - "-expect-ticket-supports-early-data", - "-expect-no-offer-early-data", "-advertise-alpn", "\x05proto", "-expect-alpn", "proto", - }, flags...), - expectations: connectionExpectations{ - peerApplicationSettings: test.initialSettings, + "-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + }) + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-EarlyData-Server-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-select-alpn", "proto", + 
"-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + }) + + // Sending application settings in 0-RTT handshakes is forbidden. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Client-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + Bugs: ProtocolBugs{ + SendApplicationSettingsWithEarlyData: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeExpectations: &connectionExpectations{ + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + "-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION_ON_EARLY_DATA:", + expectedLocalError: "remote error: illegal parameter", + }) + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-%s-%s-%s", alpsCodePoint, maybeEmpty, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte(runnerSettings)}, + Bugs: ProtocolBugs{ + SendApplicationSettingsWithEarlyData: true, + }, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-select-alpn", "proto", + "-application-settings", "proto," + shimSettings, + "-expect-peer-application-settings", runnerSettings, + }, alpsFlags...), + expectations: expectations, + shouldFail: true, + 
expectedError: ":UNEXPECTED_MESSAGE:", + expectedLocalError: "remote error: unexpected message", + }) + } + + // Test that the client and server each decline early data if local + // ALPS preferences has changed for the current connection. + alpsMismatchTests := []struct { + name string + initialSettings, resumeSettings []byte + }{ + {"DifferentValues", []byte("settings1"), []byte("settings2")}, + {"OnOff", []byte("settings"), nil}, + {"OffOn", nil, []byte("settings")}, + // The empty settings value should not be mistaken for ALPS not + // being negotiated. + {"OnEmpty", []byte("settings"), []byte{}}, + {"EmptyOn", []byte{}, []byte("settings")}, + {"EmptyOff", []byte{}, nil}, + {"OffEmpty", nil, []byte{}}, + } + for _, test := range alpsMismatchTests { + flags := []string{"-on-resume-expect-early-data-reason", "alps_mismatch"} + flags = append(flags, alpsFlags...) + if test.initialSettings != nil { + flags = append(flags, "-on-initial-application-settings", "proto,"+string(test.initialSettings)) + flags = append(flags, "-on-initial-expect-peer-application-settings", "runner") + } + if test.resumeSettings != nil { + flags = append(flags, "-on-resume-application-settings", "proto,"+string(test.resumeSettings)) + flags = append(flags, "-on-resume-expect-peer-application-settings", "runner") + } + + expectations = connectionExpectations{ + peerApplicationSettingsOld: test.initialSettings, + } + resumeExpectations = &connectionExpectations{ + peerApplicationSettingsOld: test.resumeSettings, + } + if alpsCodePoint == ALPSUseCodepointNew { + expectations = connectionExpectations{ + peerApplicationSettings: test.initialSettings, + } + resumeExpectations = &connectionExpectations{ peerApplicationSettings: test.resumeSettings, + } + } + // The client should not offer early data if the session is + // inconsistent with the new configuration. Note that if + // the session did not negotiate ALPS (test.initialSettings + // is nil), the client always offers early data. 
+ if test.initialSettings != nil { + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Client-%s-%s", test.name, alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + MaxEarlyDataSize: 16384, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + flags: append([]string{ + "-enable-early-data", + "-expect-ticket-supports-early-data", + "-expect-no-offer-early-data", + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + }, flags...), + expectations: expectations, + resumeExpectations: resumeExpectations, + }) + } + + // The server should reject early data if the session is + // inconsistent with the new selection. + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Server-%s-%s", test.name, alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, }, + resumeSession: true, + earlyData: true, + expectEarlyDataRejected: true, + flags: append([]string{ + "-select-alpn", "proto", + }, flags...), + expectations: expectations, + resumeExpectations: resumeExpectations, }) } - // The server should reject early data if the session is - // inconsistent with the new selection. + // Test that 0-RTT continues working when the shim configures + // ALPS but the peer does not. 
+ testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-EarlyData-Client-ServerDecline-%s-%s", alpsCodePoint, suffix), + skipQUICALPNConfig: true, + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"proto"}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + earlyData: true, + flags: append([]string{ + "-advertise-alpn", "\x05proto", + "-expect-alpn", "proto", + "-application-settings", "proto,shim", + }, alpsFlags...), + }) testCases = append(testCases, testCase{ protocol: protocol, testType: serverTest, - name: fmt.Sprintf("ALPS-EarlyData-Mismatch-%s-Server-%s", test.name, suffix), + name: fmt.Sprintf("ALPS-EarlyData-Server-ClientNoOffe-%s-%s", alpsCodePoint, suffix), skipQUICALPNConfig: true, config: Config{ MaxVersion: ver.version, NextProtos: []string{"proto"}, - ApplicationSettings: map[string][]byte{"proto": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, }, - resumeSession: true, - earlyData: true, - expectEarlyDataRejected: true, + resumeSession: true, + earlyData: true, flags: append([]string{ "-select-alpn", "proto", - }, flags...), - expectations: connectionExpectations{ - peerApplicationSettings: test.initialSettings, - }, - resumeExpectations: &connectionExpectations{ - peerApplicationSettings: test.resumeSettings, - }, + "-application-settings", "proto,shim", + }, alpsFlags...), }) } - - // Test that 0-RTT continues working when the shim configures - // ALPS but the peer does not. 
- testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-EarlyData-Client-ServerDecline-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - }, - resumeSession: true, - earlyData: true, - flags: []string{ - "-advertise-alpn", "\x05proto", - "-expect-alpn", "proto", - "-application-settings", "proto,shim", - }, - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-EarlyData-Server-ClientNoOffer-" + suffix, - skipQUICALPNConfig: true, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"proto"}, - }, - resumeSession: true, - earlyData: true, - flags: []string{ - "-select-alpn", "proto", - "-application-settings", "proto,shim", - }, - }) } else { // Test the client rejects the ALPS extension if the server // negotiated TLS 1.2 or below. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Reject-Client-" + suffix, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"foo"}, - ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, - Bugs: ProtocolBugs{ - AlwaysNegotiateApplicationSettings: true, - }, - }, - flags: []string{ + for _, alpsCodePoint := range []ALPSUseCodepoint{ALPSUseCodepointNew, ALPSUseCodepointOld} { + flags := []string{ "-advertise-alpn", "\x03foo", "-expect-alpn", "foo", "-application-settings", "foo,shim", - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - expectedLocalError: "remote error: unsupported extension", - }) - testCases = append(testCases, testCase{ - protocol: protocol, - testType: clientTest, - name: "ALPS-Reject-Client-Resume-" + suffix, - config: Config{ - MaxVersion: ver.version, - }, - resumeConfig: &Config{ - MaxVersion: ver.version, - NextProtos: []string{"foo"}, - ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, - Bugs: ProtocolBugs{ - 
AlwaysNegotiateApplicationSettings: true, + } + bugs := ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-Reject-Client-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"foo"}, + ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, }, - }, - resumeSession: true, - flags: []string{ + flags: flags, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) + + flags = []string{ "-on-resume-advertise-alpn", "\x03foo", "-on-resume-expect-alpn", "foo", "-on-resume-application-settings", "foo,shim", - }, - shouldFail: true, - expectedError: ":UNEXPECTED_EXTENSION:", - expectedLocalError: "remote error: unsupported extension", - }) + } + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsOld: true, + } + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + bugs = ProtocolBugs{ + AlwaysNegotiateApplicationSettingsNew: true, + } + } + testCases = append(testCases, testCase{ + protocol: protocol, + testType: clientTest, + name: fmt.Sprintf("ALPS-Reject-Client-Resume-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + }, + resumeConfig: &Config{ + MaxVersion: ver.version, + NextProtos: []string{"foo"}, + ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, + Bugs: bugs, + ALPSUseNewCodepoint: alpsCodePoint, + }, + resumeSession: true, + flags: flags, + shouldFail: true, + expectedError: ":UNEXPECTED_EXTENSION:", + expectedLocalError: "remote error: unsupported extension", + }) - // Test the server declines ALPS 
if it negotiates TLS 1.2 or below. - testCases = append(testCases, testCase{ - protocol: protocol, - testType: serverTest, - name: "ALPS-Decline-Server-" + suffix, - config: Config{ - MaxVersion: ver.version, - NextProtos: []string{"foo"}, - ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, - }, - // Test both TLS 1.2 full and resumption handshakes. - resumeSession: true, - flags: []string{ + // Test the server declines ALPS if it negotiates TLS 1.2 or below. + flags = []string{ "-select-alpn", "foo", "-application-settings", "foo,shim", - }, - // If not specified, runner and shim both implicitly expect ALPS - // is not negotiated. - }) + } + if alpsCodePoint == ALPSUseCodepointNew { + flags = append(flags, "-alps-use-new-codepoint") + } + testCases = append(testCases, testCase{ + protocol: protocol, + testType: serverTest, + name: fmt.Sprintf("ALPS-Decline-Server-%s-%s", alpsCodePoint, suffix), + config: Config{ + MaxVersion: ver.version, + NextProtos: []string{"foo"}, + ApplicationSettings: map[string][]byte{"foo": []byte("runner")}, + ALPSUseNewCodepoint: alpsCodePoint, + }, + // Test both TLS 1.2 full and resumption handshakes. + resumeSession: true, + flags: flags, + // If not specified, runner and shim both implicitly expect ALPS + // is not negotiated. + }) + } } // Test QUIC transport params @@ -8477,6 +8703,7 @@ func addExtensionTests() { test.config.ApplicationSettings = map[string][]byte{"proto": []byte("runner")} test.flags = append(test.flags, "-application-settings", "proto,shim", + "-alps-use-new-codepoint", "-expect-peer-application-settings", "runner") test.expectations.peerApplicationSettings = []byte("shim") } diff --git a/ssl/test/runner/ssl_transfer/test_case_names.txt b/ssl/test/runner/ssl_transfer/test_case_names.txt index dc8297f16d..ba8334a9df 100644 --- a/ssl/test/runner/ssl_transfer/test_case_names.txt +++ b/ssl/test/runner/ssl_transfer/test_case_names.txt 
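Review bot: The `"-alps-use-new-codepoint"` flag added in the `@@ -8477` hunk pins this QUIC-transport-params ALPS case to the new codepoint only, so the old-codepoint path that the ALPS block earlier in this diff loops over is not exercised for the transport-params interaction. The hunk also sets no `ALPSUseNewCodepoint` on `test.config`; unless the zero value of `ALPSUseCodepoint` already selects the new codepoint, the runner side should be set explicitly, e.g. `test.config.ALPSUseNewCodepoint = ALPSUseCodepointNew`, next to the flag so both peers agree. Looping over `[]ALPSUseCodepoint{ALPSUseCodepointNew, ALPSUseCodepointOld}` as the reject/decline tests above do would close the gap. The enclosing function starts and ends outside the hunk, so its loop structure is inferred.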
@@ -6,23 +6,42 @@ ALPNServer-Preferred-Swapped-TLS-TLS12
 ALPNServer-Preferred-TLS-TLS12
 ALPNServer-TLS-TLS12
 ALPNServer-TLS-TLS13
-ALPS-Basic-Server-Defer-TLS-TLS13
-ALPS-Basic-Server-TLS-TLS13
-ALPS-Decline-Server-TLS-TLS12
-ALPS-EarlyData-Mismatch-DifferentValues-Server-TLS-TLS13
-ALPS-EarlyData-Mismatch-EmptyOff-Server-TLS-TLS13
-ALPS-EarlyData-Mismatch-EmptyOn-Server-TLS-TLS13
-ALPS-EarlyData-Mismatch-OffEmpty-Server-TLS-TLS13
-ALPS-EarlyData-Mismatch-OffOn-Server-TLS-TLS13
-ALPS-EarlyData-Mismatch-OnEmpty-Server-TLS-TLS13
-ALPS-EarlyData-Mismatch-OnOff-Server-TLS-TLS13
-ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-Empty-TLS-TLS13
-ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-TLS-TLS13
-ALPS-EarlyData-Server-ClientNoOffer-TLS-TLS13
-ALPS-EarlyData-Server-Empty-TLS-TLS13
-ALPS-EarlyData-Server-TLS-TLS13
-ALPS-Empty-Server-TLS-TLS13
-ALPS-UnsupportedProtocol-Server-TLS-TLS13
+ALPS-Basic-Server-Defer-New-TLS-TLS13
+ALPS-Basic-Server-Defer-Old-TLS-TLS13
+ALPS-Basic-Server-New-TLS-TLS13
+ALPS-Basic-Server-Old-TLS-TLS13
+ALPS-Decline-Server-New-TLS-TLS12
+ALPS-Decline-Server-Old-TLS-TLS12
+ALPS-EarlyData-Mismatch-DifferentValues-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-DifferentValues-Server-Old-TLS-TLS13
+ALPS-EarlyData-Mismatch-EmptyOff-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-EmptyOff-Server-Old-TLS-TLS13
+ALPS-EarlyData-Mismatch-EmptyOn-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-EmptyOn-Server-Old-TLS-TLS13
+ALPS-EarlyData-Mismatch-OffEmpty-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-OffEmpty-Server-Old-TLS-TLS13
+ALPS-EarlyData-Mismatch-OffOn-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-OffOn-Server-Old-TLS-TLS13
+ALPS-EarlyData-Mismatch-OnEmpty-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-OnEmpty-Server-Old-TLS-TLS13
+ALPS-EarlyData-Mismatch-OnOff-Server-New-TLS-TLS13
+ALPS-EarlyData-Mismatch-OnOff-Server-Old-TLS-TLS13
+ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-New--TLS-TLS13
+ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-New-Empty--TLS-TLS13
+ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-Old--TLS-TLS13
+ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-Old-Empty--TLS-TLS13
+ALPS-EarlyData-Server-ClientNoOffe-New-TLS-TLS13
+ALPS-EarlyData-Server-ClientNoOffe-Old-TLS-TLS13
+ALPS-EarlyData-Server-New--TLS-TLS13
+ALPS-EarlyData-Server-New-Empty--TLS-TLS13
+ALPS-EarlyData-Server-Old--TLS-TLS13
+ALPS-EarlyData-Server-Old-Empty--TLS-TLS13
+ALPS-Empty-Server-New-TLS-TLS13
+ALPS-Empty-Server-Old-TLS-TLS13
+ALPS-IgnoreClientWrongCodepoint-Server-New-TLS-TLS13
+ALPS-IgnoreClientWrongCodepoint-Server-Old-TLS-TLS13
+ALPS-UnsupportedProtocol-Server-New-TLS-TLS13
+ALPS-UnsupportedProtocol-Server-Old-TLS-TLS13
 Alert
 Basic-Server-ECDHE-ECDSA-TLS-Async
 Basic-Server-ECDHE-ECDSA-TLS-Async-ImplicitHandshake
diff --git a/ssl/test/runner/ticket.go b/ssl/test/runner/ticket.go
index f0a8bf18ad..51842d1008 100644
--- a/ssl/test/runner/ticket.go
+++ b/ssl/test/runner/ticket.go
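Review bot: Two of the added names look unintended: `ALPS-EarlyData-Server-ClientNoOffe-New-TLS-TLS13` (and its `-Old-` sibling) drop the trailing `r` of `ClientNoOffer` that the removed line had, and `ALPS-EarlyData-Server-New--TLS-TLS13`, `ALPS-EarlyData-SendApplicationSettingsWithEarlyData-Server-New--TLS-TLS13` and their siblings carry a `--` where an empty name component is formatted. Both come from the `fmt.Sprintf` names in runner.go earlier in this diff (`"ALPS-EarlyData-Server-ClientNoOffe-%s-%s"` and the `%s-%s-%s` forms that take the empty `maybeEmpty` value); fixing the format strings there, for instance by appending `-Empty` only when set instead of always interpolating it, and regenerating this list avoids baking the typo into names that other tooling may match on.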
@@ -20,20 +20,23 @@ import (
 // sessionState contains the information that is serialized into a session
 // ticket in order to later resume a connection.
 type sessionState struct {
- vers uint16
- cipherSuite uint16
- secret []byte
- handshakeHash []byte
- certificates [][]byte
- extendedMasterSecret bool
- earlyALPN []byte
- ticketCreationTime time.Time
- ticketExpiration time.Time
- ticketFlags uint32
- ticketAgeAdd uint32
- hasApplicationSettings bool
- localApplicationSettings []byte
- peerApplicationSettings []byte
+ vers uint16
+ cipherSuite uint16
+ secret []byte
+ handshakeHash []byte
+ certificates [][]byte
+ extendedMasterSecret bool
+ earlyALPN []byte
+ ticketCreationTime time.Time
+ ticketExpiration time.Time
+ ticketFlags uint32
+ ticketAgeAdd uint32
+ hasApplicationSettings bool
+ localApplicationSettings []byte
+ peerApplicationSettings []byte
+ hasApplicationSettingsOld bool
+ localApplicationSettingsOld []byte
+ peerApplicationSettingsOld []byte
 }
 
 func (s *sessionState) marshal() []byte {
@@ -70,6 +73,14 @@ func (s *sessionState) marshal() []byte {
 msg.AddUint8(0)
 }
 
+ if s.hasApplicationSettingsOld {
+ msg.AddUint8(1)
+ addUint16LengthPrefixedBytes(msg, s.localApplicationSettingsOld)
+ addUint16LengthPrefixedBytes(msg, s.peerApplicationSettingsOld)
+ } else {
+ msg.AddUint8(0)
+ }
+
 return msg.BytesOrPanic()
 }
 
@@ -135,6 +146,17 @@ func (s *sessionState) unmarshal(data []byte) bool {
 }
 }
 
+ if !readBool(&reader, &s.hasApplicationSettingsOld) {
+ return false
+ }
+
+ if s.hasApplicationSettingsOld {
+ if !readUint16LengthPrefixedBytes(&reader, &s.localApplicationSettingsOld) ||
+ !readUint16LengthPrefixedBytes(&reader, &s.peerApplicationSettingsOld) {
+ return false
+ }
+ }
+
 if len(reader) > 0 {
 return false
 }
diff --git a/ssl/test/test_config.cc b/ssl/test/test_config.cc
index 8b9f980d3c..ab1fef091f 100644
--- a/ssl/test/test_config.cc
+++ b/ssl/test/test_config.cc
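Review bot: The three new `*Old` fields in `sessionState` carry no comment saying what "Old" means, and the suffix alone does not make it obvious that they mirror `hasApplicationSettings`/`localApplicationSettings`/`peerApplicationSettings` for the other ALPS codepoint (the rest of this diff suggests the old `TLSEXT_TYPE_application_settings_old` codepoint, but that is not stated here). A comment above `hasApplicationSettingsOld` such as `// The *Old fields record ALPS state negotiated under the old codepoint; the unsuffixed fields cover the new one.` would save the next reader a trip through the runner. Note that `unmarshal` now requires the trailing bool, so tickets serialized before this change no longer parse; that is presumably fine for the test runner but is worth one sentence in the description.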
@@ -270,6 +270,8 @@ std::vector SortedFlags() { &TestConfig::application_settings), OptionalStringFlag("-expect-peer-application-settings", &TestConfig::expect_peer_application_settings), + BoolFlag("-alps-use-new-codepoint", + &TestConfig::alps_use_new_codepoint), Base64Flag("-quic-transport-params", &TestConfig::quic_transport_params), Base64Flag("-expect-quic-transport-params", &TestConfig::expect_quic_transport_params), @@ -2079,6 +2081,9 @@ bssl::UniquePtr TestConfig::NewSSL( if (max_send_fragment > 0) { SSL_set_max_send_fragment(ssl.get(), max_send_fragment); } + if (alps_use_new_codepoint) { + SSL_set_alps_use_new_codepoint(ssl.get(), 1); + } if (quic_use_legacy_codepoint != -1) { SSL_set_quic_use_legacy_codepoint(ssl.get(), quic_use_legacy_codepoint); } diff --git a/ssl/test/test_config.h b/ssl/test/test_config.h index c2435024a3..98120e5c05 100644 --- a/ssl/test/test_config.h +++ b/ssl/test/test_config.h @@ -82,6 +82,7 @@ struct TestConfig { bool defer_alps = false; std::vector> application_settings; std::unique_ptr expect_peer_application_settings; + bool alps_use_new_codepoint = false; std::string quic_transport_params; std::string expect_quic_transport_params; // Set quic_use_legacy_codepoint to 0 or 1 to configure, -1 uses default. diff --git a/ssl/tls13_client.cc b/ssl/tls13_client.cc index 819d9556b6..71f7496d1e 100644 --- a/ssl/tls13_client.cc +++ b/ssl/tls13_client.cc 
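Review bot: `alps_use_new_codepoint` is added to `TestConfig` in test_config.h without a comment, while the neighbouring `quic_use_legacy_codepoint` documents its values; a one-liner such as `// Set alps_use_new_codepoint to negotiate ALPS on the new codepoint; false keeps the library default.` keeps the header consistent. The `false` default pairs with `NewSSL` in test_config.cc, which only calls `SSL_set_alps_use_new_codepoint(ssl.get(), 1)` when the flag is set, so the old-codepoint behaviour relies on the library default rather than an explicit `0`; stating that in the comment (hedged, since the library default is not visible in this diff) tells a reader why the tri-state pattern used for QUIC was not needed here.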
@@ -812,10 +812,14 @@ static enum ssl_hs_wait_t do_send_client_encrypted_extensions(
 !ssl->s3->early_data_accepted) {
 ScopedCBB cbb;
 CBB body, extensions, extension;
+ uint16_t extension_type = TLSEXT_TYPE_application_settings_old;
+ if (hs->config->alps_use_new_codepoint) {
+ extension_type = TLSEXT_TYPE_application_settings;
+ }
 if (!ssl->method->init_message(ssl, cbb.get(), &body,
 SSL3_MT_ENCRYPTED_EXTENSIONS) ||
 !CBB_add_u16_length_prefixed(&body, &extensions) ||
- !CBB_add_u16(&extensions, TLSEXT_TYPE_application_settings) ||
+ !CBB_add_u16(&extensions, extension_type) ||
 !CBB_add_u16_length_prefixed(&extensions, &extension) ||
 !CBB_add_bytes(&extension,
 hs->new_session->local_application_settings.data(),
diff --git a/ssl/tls13_server.cc b/ssl/tls13_server.cc
index 90520fa537..4d8e1e14ac 100644
--- a/ssl/tls13_server.cc
+++ b/ssl/tls13_server.cc
@@ -1073,7 +1073,11 @@ static enum ssl_hs_wait_t do_read_client_encrypted_extensions(
 return ssl_hs_error;
 }
 
- SSLExtension application_settings(TLSEXT_TYPE_application_settings);
+ uint16_t extension_type = TLSEXT_TYPE_application_settings_old;
+ if (hs->config->alps_use_new_codepoint) {
+ extension_type = TLSEXT_TYPE_application_settings;
+ }
+ SSLExtension application_settings(extension_type);
 uint8_t alert = SSL_AD_DECODE_ERROR;
 if (!ssl_parse_extensions(&extensions, &alert, {&application_settings},
 /*ignore_unknown=*/false)) {
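Review bot: The four-line codepoint selection added to `do_send_client_encrypted_extensions` is duplicated verbatim in `do_read_client_encrypted_extensions` in the tls13_server.cc hunk, and the two sides of the ALPS exchange must agree on the codepoint, so one helper keeps them from drifting: `static inline uint16_t alps_extension_type(const SSL_HANDSHAKE *hs) { return hs->config->alps_use_new_codepoint ? TLSEXT_TYPE_application_settings : TLSEXT_TYPE_application_settings_old; }` placed where both files can see it (presumably ssl/internal.h, which this diff does not touch). The call sites then become `!CBB_add_u16(&extensions, alps_extension_type(hs)) ||` and `SSLExtension application_settings(alps_extension_type(hs));`. Both enclosing functions start outside their hunks, so no other reads of `hs->config` in them are visible here.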