mirror of https://github.com/openssl/openssl
Compare commits
9 Commits
ee5ae437e2
...
8d71efc35a
Author | SHA1 | Date |
---|---|---|
Tomáš Mráz | 8d71efc35a | |
Matt Caswell | ee2b7d5264 | |
Huiyue Xu | 5707984505 | |
Tomas Mraz | b514513cb2 | |
Tomas Mraz | 1e602b4bb5 | |
Tomas Mraz | 601518ba4c | |
Tomas Mraz | edae00b959 | |
Tomas Mraz | 74cfaa7798 | |
Tomas Mraz | 2807a6409c |
|
@ -784,7 +784,14 @@ my %targets = (
|
|||
asm_arch => 'aarch64',
|
||||
perlasm_scheme => "linux64",
|
||||
},
|
||||
|
||||
"linux-arm64ilp32-clang" => { # clang config abi by --target
|
||||
inherit_from => [ "linux-generic32" ],
|
||||
CC => "clang",
|
||||
CXX => "clang++",
|
||||
bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
|
||||
asm_arch => 'aarch64',
|
||||
perlasm_scheme => "linux64",
|
||||
},
|
||||
"linux-mips32" => {
|
||||
# Configure script adds minimally required -march for assembly
|
||||
# support, if no -march was specified at command line.
|
||||
|
|
|
@ -618,14 +618,29 @@ int BN_ucmp(const BIGNUM *a, const BIGNUM *b)
|
|||
int i;
|
||||
BN_ULONG t1, t2, *ap, *bp;
|
||||
|
||||
ap = a->d;
|
||||
bp = b->d;
|
||||
|
||||
if (BN_get_flags(a, BN_FLG_CONSTTIME)
|
||||
&& a->top == b->top) {
|
||||
int res = 0;
|
||||
|
||||
for (i = 0; i < b->top; i++) {
|
||||
res = constant_time_select_int(constant_time_lt_bn(ap[i], bp[i]),
|
||||
-1, res);
|
||||
res = constant_time_select_int(constant_time_lt_bn(bp[i], ap[i]),
|
||||
1, res);
|
||||
}
|
||||
return res;
|
||||
}
|
||||
|
||||
bn_check_top(a);
|
||||
bn_check_top(b);
|
||||
|
||||
i = a->top - b->top;
|
||||
if (i != 0)
|
||||
return i;
|
||||
ap = a->d;
|
||||
bp = b->d;
|
||||
|
||||
for (i = a->top - 1; i >= 0; i--) {
|
||||
t1 = ap[i];
|
||||
t2 = bp[i];
|
||||
|
@ -737,11 +752,10 @@ int BN_is_bit_set(const BIGNUM *a, int n)
|
|||
return (int)(((a->d[i]) >> j) & ((BN_ULONG)1));
|
||||
}
|
||||
|
||||
int BN_mask_bits(BIGNUM *a, int n)
|
||||
int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n)
|
||||
{
|
||||
int b, w;
|
||||
|
||||
bn_check_top(a);
|
||||
if (n < 0)
|
||||
return 0;
|
||||
|
||||
|
@ -755,10 +769,21 @@ int BN_mask_bits(BIGNUM *a, int n)
|
|||
a->top = w + 1;
|
||||
a->d[w] &= ~(BN_MASK2 << b);
|
||||
}
|
||||
bn_correct_top(a);
|
||||
a->flags |= BN_FLG_FIXED_TOP;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int BN_mask_bits(BIGNUM *a, int n)
|
||||
{
|
||||
int ret;
|
||||
|
||||
bn_check_top(a);
|
||||
ret = ossl_bn_mask_bits_fixed_top(a, n);
|
||||
if (ret)
|
||||
bn_correct_top(a);
|
||||
return ret;
|
||||
}
|
||||
|
||||
void BN_set_negative(BIGNUM *a, int b)
|
||||
{
|
||||
if (b && !BN_is_zero(a))
|
||||
|
@ -932,6 +957,22 @@ int BN_is_word(const BIGNUM *a, const BN_ULONG w)
|
|||
return BN_abs_is_word(a, w) && (!w || !a->neg);
|
||||
}
|
||||
|
||||
int ossl_bn_is_word_fixed_top(const BIGNUM *a, const BN_ULONG w)
|
||||
{
|
||||
int res, i;
|
||||
const BN_ULONG *ap = a->d;
|
||||
|
||||
if (a->neg || a->top == 0)
|
||||
return 0;
|
||||
|
||||
res = constant_time_select_int(constant_time_eq_bn(ap[0], w), 1, 0);
|
||||
|
||||
for (i = 1; i < a->top; i++)
|
||||
res = constant_time_select_int(constant_time_is_zero_bn(ap[i]),
|
||||
res, 0);
|
||||
return res;
|
||||
}
|
||||
|
||||
int BN_is_odd(const BIGNUM *a)
|
||||
{
|
||||
return (a->top > 0) && (a->d[0] & 1);
|
||||
|
|
|
@ -186,8 +186,8 @@ static int bnrand_range(BNRAND_FLAG flag, BIGNUM *r, const BIGNUM *range,
|
|||
} else {
|
||||
do {
|
||||
/* range = 11..._2 or range = 101..._2 */
|
||||
if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY, 0,
|
||||
ctx))
|
||||
if (!bnrand(flag, r, n, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY,
|
||||
strength, ctx))
|
||||
return 0;
|
||||
|
||||
if (!--count) {
|
||||
|
@ -240,17 +240,63 @@ int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
|
|||
# endif
|
||||
#endif
|
||||
|
||||
int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
|
||||
unsigned int strength, BN_CTX *ctx)
|
||||
{
|
||||
int n;
|
||||
int count = 100;
|
||||
|
||||
if (r == NULL) {
|
||||
ERR_raise(ERR_LIB_BN, ERR_R_PASSED_NULL_PARAMETER);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (range->neg || BN_is_zero(range)) {
|
||||
ERR_raise(ERR_LIB_BN, BN_R_INVALID_RANGE);
|
||||
return 0;
|
||||
}
|
||||
|
||||
n = BN_num_bits(range); /* n > 0 */
|
||||
|
||||
/* BN_is_bit_set(range, n - 1) always holds */
|
||||
|
||||
if (n == 1) {
|
||||
BN_zero(r);
|
||||
} else {
|
||||
BN_set_flags(r, BN_FLG_CONSTTIME);
|
||||
do {
|
||||
if (!bnrand(PRIVATE, r, n + 1, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY,
|
||||
strength, ctx))
|
||||
return 0;
|
||||
|
||||
if (!--count) {
|
||||
ERR_raise(ERR_LIB_BN, BN_R_TOO_MANY_ITERATIONS);
|
||||
return 0;
|
||||
}
|
||||
ossl_bn_mask_bits_fixed_top(r, n);
|
||||
}
|
||||
while (BN_ucmp(r, range) >= 0);
|
||||
#ifdef BN_DEBUG
|
||||
/* With BN_DEBUG on a fixed top number cannot be returned */
|
||||
bn_correct_top(r);
|
||||
#endif
|
||||
}
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
/*
|
||||
* BN_generate_dsa_nonce generates a random number 0 <= out < range. Unlike
|
||||
* BN_rand_range, it also includes the contents of |priv| and |message| in
|
||||
* the generation so that an RNG failure isn't fatal as long as |priv|
|
||||
* ossl_bn_gen_dsa_nonce_fixed_top generates a random number 0 <= out < range.
|
||||
* Unlike BN_rand_range, it also includes the contents of |priv| and |message|
|
||||
* in the generation so that an RNG failure isn't fatal as long as |priv|
|
||||
* remains secret. This is intended for use in DSA and ECDSA where an RNG
|
||||
* weakness leads directly to private key exposure unless this function is
|
||||
* used.
|
||||
*/
|
||||
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
||||
const BIGNUM *priv, const unsigned char *message,
|
||||
size_t message_len, BN_CTX *ctx)
|
||||
int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
|
||||
const BIGNUM *priv,
|
||||
const unsigned char *message,
|
||||
size_t message_len, BN_CTX *ctx)
|
||||
{
|
||||
EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
|
||||
/*
|
||||
|
@ -260,20 +306,24 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
|||
unsigned char random_bytes[64];
|
||||
unsigned char digest[SHA512_DIGEST_LENGTH];
|
||||
unsigned done, todo;
|
||||
/* We generate |range|+8 bytes of random output. */
|
||||
const unsigned num_k_bytes = BN_num_bytes(range) + 8;
|
||||
/* We generate |range|+1 bytes of random output. */
|
||||
const unsigned num_k_bytes = BN_num_bytes(range) + 1;
|
||||
unsigned char private_bytes[96];
|
||||
unsigned char *k_bytes = NULL;
|
||||
const int max_n = 64; /* Pr(failure to generate) < 2^max_n */
|
||||
int n;
|
||||
int ret = 0;
|
||||
EVP_MD *md = NULL;
|
||||
OSSL_LIB_CTX *libctx = ossl_bn_get_libctx(ctx);
|
||||
|
||||
if (mdctx == NULL)
|
||||
goto err;
|
||||
goto end;
|
||||
|
||||
k_bytes = OPENSSL_malloc(num_k_bytes);
|
||||
if (k_bytes == NULL)
|
||||
goto err;
|
||||
goto end;
|
||||
/* Ensure top byte is set to avoid non-constant time in bin2bn */
|
||||
k_bytes[0] = 0xff;
|
||||
|
||||
/* We copy |priv| into a local buffer to avoid exposing its length. */
|
||||
if (BN_bn2binpad(priv, private_bytes, sizeof(private_bytes)) < 0) {
|
||||
|
@ -283,41 +333,60 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
|||
* length of the private key.
|
||||
*/
|
||||
ERR_raise(ERR_LIB_BN, BN_R_PRIVATE_KEY_TOO_LARGE);
|
||||
goto err;
|
||||
goto end;
|
||||
}
|
||||
|
||||
md = EVP_MD_fetch(libctx, "SHA512", NULL);
|
||||
if (md == NULL) {
|
||||
ERR_raise(ERR_LIB_BN, BN_R_NO_SUITABLE_DIGEST);
|
||||
goto err;
|
||||
goto end;
|
||||
}
|
||||
for (done = 0; done < num_k_bytes;) {
|
||||
if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes), 0) <= 0)
|
||||
goto err;
|
||||
for (n = 0; n < max_n; n++) {
|
||||
unsigned char i = 0;
|
||||
|
||||
if (!EVP_DigestInit_ex(mdctx, md, NULL)
|
||||
|| !EVP_DigestUpdate(mdctx, &done, sizeof(done))
|
||||
|| !EVP_DigestUpdate(mdctx, private_bytes,
|
||||
sizeof(private_bytes))
|
||||
|| !EVP_DigestUpdate(mdctx, message, message_len)
|
||||
|| !EVP_DigestUpdate(mdctx, random_bytes, sizeof(random_bytes))
|
||||
|| !EVP_DigestFinal_ex(mdctx, digest, NULL))
|
||||
goto err;
|
||||
for (done = 1; done < num_k_bytes;) {
|
||||
if (RAND_priv_bytes_ex(libctx, random_bytes, sizeof(random_bytes),
|
||||
0) <= 0)
|
||||
goto end;
|
||||
|
||||
todo = num_k_bytes - done;
|
||||
if (todo > SHA512_DIGEST_LENGTH)
|
||||
todo = SHA512_DIGEST_LENGTH;
|
||||
memcpy(k_bytes + done, digest, todo);
|
||||
done += todo;
|
||||
if (!EVP_DigestInit_ex(mdctx, md, NULL)
|
||||
|| !EVP_DigestUpdate(mdctx, &i, sizeof(i))
|
||||
|| !EVP_DigestUpdate(mdctx, private_bytes,
|
||||
sizeof(private_bytes))
|
||||
|| !EVP_DigestUpdate(mdctx, message, message_len)
|
||||
|| !EVP_DigestUpdate(mdctx, random_bytes,
|
||||
sizeof(random_bytes))
|
||||
|| !EVP_DigestFinal_ex(mdctx, digest, NULL))
|
||||
goto end;
|
||||
|
||||
todo = num_k_bytes - done;
|
||||
if (todo > SHA512_DIGEST_LENGTH)
|
||||
todo = SHA512_DIGEST_LENGTH;
|
||||
memcpy(k_bytes + done, digest, todo);
|
||||
done += todo;
|
||||
++i;
|
||||
}
|
||||
|
||||
if (!BN_bin2bn(k_bytes, num_k_bytes, out))
|
||||
goto end;
|
||||
|
||||
/* Clear out the top bits and rejection filter into range */
|
||||
BN_set_flags(out, BN_FLG_CONSTTIME);
|
||||
ossl_bn_mask_bits_fixed_top(out, BN_num_bits(range));
|
||||
|
||||
if (BN_ucmp(out, range) < 0) {
|
||||
ret = 1;
|
||||
#ifdef BN_DEBUG
|
||||
/* With BN_DEBUG on a fixed top number cannot be returned */
|
||||
bn_correct_top(out);
|
||||
#endif
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
/* Failed to generate anything */
|
||||
ERR_raise(ERR_LIB_BN, ERR_R_INTERNAL_ERROR);
|
||||
|
||||
if (!BN_bin2bn(k_bytes, num_k_bytes, out))
|
||||
goto err;
|
||||
if (BN_mod(out, out, range, ctx) != 1)
|
||||
goto err;
|
||||
ret = 1;
|
||||
|
||||
err:
|
||||
end:
|
||||
EVP_MD_CTX_free(mdctx);
|
||||
EVP_MD_free(md);
|
||||
OPENSSL_clear_free(k_bytes, num_k_bytes);
|
||||
|
@ -326,3 +395,20 @@ int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
|||
OPENSSL_cleanse(private_bytes, sizeof(private_bytes));
|
||||
return ret;
|
||||
}
|
||||
|
||||
int BN_generate_dsa_nonce(BIGNUM *out, const BIGNUM *range,
|
||||
const BIGNUM *priv, const unsigned char *message,
|
||||
size_t message_len, BN_CTX *ctx)
|
||||
{
|
||||
int ret;
|
||||
|
||||
ret = ossl_bn_gen_dsa_nonce_fixed_top(out, range, priv, message,
|
||||
message_len, ctx);
|
||||
/*
|
||||
* This call makes the BN_generate_dsa_nonce non-const-time, thus we
|
||||
* do not use it internally. But fixed_top BNs currently cannot be returned
|
||||
* from public API calls.
|
||||
*/
|
||||
bn_correct_top(out);
|
||||
return ret;
|
||||
}
|
||||
|
|
|
@ -156,6 +156,9 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
|
|||
return 0;
|
||||
}
|
||||
|
||||
bn_check_top(r);
|
||||
bn_check_top(a);
|
||||
|
||||
ret = bn_rshift_fixed_top(r, a, n);
|
||||
|
||||
bn_correct_top(r);
|
||||
|
@ -177,9 +180,6 @@ int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n)
|
|||
BN_ULONG *t, *f;
|
||||
BN_ULONG l, m, mask;
|
||||
|
||||
bn_check_top(r);
|
||||
bn_check_top(a);
|
||||
|
||||
assert(n >= 0);
|
||||
|
||||
nw = n / BN_BITS2;
|
||||
|
|
|
@ -262,12 +262,13 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
|
|||
* We calculate k from SHA512(private_key + H(message) + random).
|
||||
* This protects the private key from a weak PRNG.
|
||||
*/
|
||||
if (!BN_generate_dsa_nonce(k, dsa->params.q, dsa->priv_key, dgst,
|
||||
dlen, ctx))
|
||||
if (!ossl_bn_gen_dsa_nonce_fixed_top(k, dsa->params.q,
|
||||
dsa->priv_key, dgst,
|
||||
dlen, ctx))
|
||||
goto err;
|
||||
} else if (!BN_priv_rand_range_ex(k, dsa->params.q, 0, ctx))
|
||||
} else if (!ossl_bn_priv_rand_range_fixed_top(k, dsa->params.q, 0, ctx))
|
||||
goto err;
|
||||
} while (BN_is_zero(k));
|
||||
} while (ossl_bn_is_word_fixed_top(k, 0));
|
||||
|
||||
BN_set_flags(k, BN_FLG_CONSTTIME);
|
||||
BN_set_flags(l, BN_FLG_CONSTTIME);
|
||||
|
|
|
@ -145,18 +145,18 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
|
|||
/* get random k */
|
||||
do {
|
||||
if (dgst != NULL) {
|
||||
if (!BN_generate_dsa_nonce(k, order, priv_key,
|
||||
dgst, dlen, ctx)) {
|
||||
if (!ossl_bn_gen_dsa_nonce_fixed_top(k, order, priv_key,
|
||||
dgst, dlen, ctx)) {
|
||||
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
} else {
|
||||
if (!BN_priv_rand_range_ex(k, order, 0, ctx)) {
|
||||
if (!ossl_bn_priv_rand_range_fixed_top(k, order, 0, ctx)) {
|
||||
ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
} while (BN_is_zero(k));
|
||||
} while (ossl_bn_is_word_fixed_top(k, 0));
|
||||
|
||||
/* compute r the x-coordinate of generator * k */
|
||||
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
|
||||
|
|
|
@ -87,6 +87,14 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
|||
int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n);
|
||||
int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
|
||||
const BIGNUM *d, BN_CTX *ctx);
|
||||
int ossl_bn_mask_bits_fixed_top(BIGNUM *a, int n);
|
||||
int ossl_bn_is_word_fixed_top(const BIGNUM *a, BN_ULONG w);
|
||||
int ossl_bn_priv_rand_range_fixed_top(BIGNUM *r, const BIGNUM *range,
|
||||
unsigned int strength, BN_CTX *ctx);
|
||||
int ossl_bn_gen_dsa_nonce_fixed_top(BIGNUM *out, const BIGNUM *range,
|
||||
const BIGNUM *priv,
|
||||
const unsigned char *message,
|
||||
size_t message_len, BN_CTX *ctx);
|
||||
|
||||
#define BN_PRIMETEST_COMPOSITE 0
|
||||
#define BN_PRIMETEST_COMPOSITE_WITH_FACTOR 1
|
||||
|
|
|
@ -140,6 +140,29 @@ static ossl_inline uint64_t constant_time_lt_64(uint64_t a, uint64_t b)
|
|||
return constant_time_msb_64(a ^ ((a ^ b) | ((a - b) ^ b)));
|
||||
}
|
||||
|
||||
#ifdef BN_ULONG
|
||||
static ossl_inline BN_ULONG constant_time_msb_bn(BN_ULONG a)
|
||||
{
|
||||
return 0 - (a >> (sizeof(a) * 8 - 1));
|
||||
}
|
||||
|
||||
static ossl_inline BN_ULONG constant_time_lt_bn(BN_ULONG a, BN_ULONG b)
|
||||
{
|
||||
return constant_time_msb_bn(a ^ ((a ^ b) | ((a - b) ^ b)));
|
||||
}
|
||||
|
||||
static ossl_inline BN_ULONG constant_time_is_zero_bn(BN_ULONG a)
|
||||
{
|
||||
return constant_time_msb_bn(~a & (a - 1));
|
||||
}
|
||||
|
||||
static ossl_inline BN_ULONG constant_time_eq_bn(BN_ULONG a,
|
||||
BN_ULONG b)
|
||||
{
|
||||
return constant_time_is_zero_bn(a ^ b);
|
||||
}
|
||||
#endif
|
||||
|
||||
static ossl_inline unsigned int constant_time_ge(unsigned int a,
|
||||
unsigned int b)
|
||||
{
|
||||
|
|
|
@ -1400,14 +1400,14 @@ static const unsigned char ecd_prime_pub[] = {
|
|||
0x82
|
||||
};
|
||||
static const unsigned char ecdsa_prime_expected_sig[] = {
|
||||
0x30, 0x3d, 0x02, 0x1d, 0x00, 0xd2, 0x4a, 0xc9,
|
||||
0x4f, 0xaf, 0xdb, 0x62, 0xfc, 0x41, 0x4a, 0x81,
|
||||
0x2a, 0x9f, 0xcf, 0xa3, 0xda, 0xfe, 0xa3, 0x49,
|
||||
0xbd, 0xea, 0xbf, 0x2a, 0x51, 0xb4, 0x0b, 0xc3,
|
||||
0xbc, 0x02, 0x1c, 0x7f, 0x30, 0xb7, 0xad, 0xab,
|
||||
0x09, 0x6e, 0x3c, 0xad, 0x7f, 0xf9, 0x5e, 0xaa,
|
||||
0xe2, 0x38, 0xe5, 0x29, 0x16, 0xc4, 0xc8, 0x77,
|
||||
0xa1, 0xf8, 0x60, 0x77, 0x39, 0x7a, 0xec
|
||||
0x30, 0x3d, 0x02, 0x1c, 0x48, 0x4f, 0x3c, 0x97,
|
||||
0x5b, 0xfa, 0x40, 0x6c, 0xdb, 0xd6, 0x70, 0xb5,
|
||||
0xbd, 0x2d, 0xd0, 0xc6, 0x22, 0x93, 0x5a, 0x88,
|
||||
0x56, 0xd0, 0xaf, 0x0a, 0x94, 0x92, 0x20, 0x01,
|
||||
0x02, 0x1d, 0x00, 0xa4, 0x80, 0xe0, 0x47, 0x88,
|
||||
0x8a, 0xef, 0x2a, 0x47, 0x9d, 0x81, 0x9a, 0xbf,
|
||||
0x45, 0xc3, 0x6f, 0x9e, 0x2e, 0xc1, 0x44, 0x9f,
|
||||
0xfd, 0x79, 0xdb, 0x90, 0x3e, 0xb9, 0xb2
|
||||
};
|
||||
static const ST_KAT_PARAM ecdsa_prime_key[] = {
|
||||
ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name),
|
||||
|
@ -1435,15 +1435,15 @@ static const unsigned char ecd_bin_pub[] = {
|
|||
0x99, 0xb6, 0x8f, 0x80, 0x46
|
||||
};
|
||||
static const unsigned char ecdsa_bin_expected_sig[] = {
|
||||
0x30, 0x3f, 0x02, 0x1d, 0x08, 0x11, 0x7c, 0xcd,
|
||||
0xf4, 0xa1, 0x31, 0x9a, 0xc1, 0xfd, 0x50, 0x0e,
|
||||
0x5d, 0xa9, 0xb6, 0x0e, 0x95, 0x49, 0xe1, 0xbd,
|
||||
0x44, 0xe3, 0x5b, 0xa9, 0x35, 0x94, 0xa5, 0x2f,
|
||||
0xae, 0x02, 0x1e, 0x00, 0xe3, 0xba, 0xb8, 0x8f,
|
||||
0x4b, 0x05, 0x76, 0x88, 0x1e, 0x49, 0xd6, 0x62,
|
||||
0x76, 0xd3, 0x22, 0x4d, 0xa3, 0x7b, 0x04, 0xcc,
|
||||
0xfa, 0x7b, 0x41, 0x9b, 0x8c, 0xaf, 0x1b, 0x6d,
|
||||
0xbd
|
||||
0x30, 0x3f, 0x02, 0x1d, 0x58, 0xe9, 0xd0, 0x84,
|
||||
0x5c, 0xad, 0x29, 0x03, 0xf6, 0xa6, 0xbc, 0xe0,
|
||||
0x24, 0x6d, 0x9e, 0x79, 0x5d, 0x1e, 0xe8, 0x5a,
|
||||
0xc3, 0x31, 0x0a, 0xa9, 0xfb, 0xe3, 0x99, 0x54,
|
||||
0x11, 0x02, 0x1e, 0x00, 0xa3, 0x44, 0x28, 0xa3,
|
||||
0x70, 0x97, 0x98, 0x17, 0xd7, 0xa6, 0xad, 0x91,
|
||||
0xaf, 0x41, 0x69, 0xb6, 0x06, 0x99, 0x39, 0xc7,
|
||||
0x63, 0xa4, 0x6a, 0x81, 0xe4, 0x9a, 0x9d, 0x15,
|
||||
0x8b
|
||||
};
|
||||
static const ST_KAT_PARAM ecdsa_bin_key[] = {
|
||||
ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_bin_curve_name),
|
||||
|
@ -1571,14 +1571,14 @@ static const unsigned char dsa_priv[] = {
|
|||
0x40, 0x7e, 0x5c, 0xb7
|
||||
};
|
||||
static const unsigned char dsa_expected_sig[] = {
|
||||
0x30, 0x3c, 0x02, 0x1c, 0x70, 0xa4, 0x77, 0xb6,
|
||||
0x02, 0xb5, 0xd3, 0x07, 0x21, 0x22, 0x2d, 0xe3,
|
||||
0x4f, 0x7d, 0xfd, 0xfd, 0x6b, 0x4f, 0x03, 0x27,
|
||||
0x4c, 0xd3, 0xb2, 0x8c, 0x7c, 0xc5, 0xc4, 0xdf,
|
||||
0x02, 0x1c, 0x11, 0x52, 0x65, 0x16, 0x9f, 0xbd,
|
||||
0x4c, 0xe5, 0xab, 0xb2, 0x01, 0xd0, 0x7a, 0x30,
|
||||
0x5c, 0xc5, 0xba, 0x22, 0xc6, 0x62, 0x7e, 0xa6,
|
||||
0x7d, 0x98, 0x96, 0xc9, 0x77, 0x00
|
||||
0x30, 0x3c, 0x02, 0x1c, 0x69, 0xc6, 0xd6, 0x9e,
|
||||
0x2b, 0x91, 0xea, 0x72, 0xb3, 0x8b, 0x7c, 0x57,
|
||||
0x48, 0x75, 0xb7, 0x65, 0xc0, 0xb4, 0xf7, 0xbb,
|
||||
0x08, 0xa4, 0x95, 0x77, 0xfc, 0xa7, 0xed, 0x31,
|
||||
0x02, 0x1c, 0x4c, 0x2c, 0xff, 0xc6, 0x55, 0xeb,
|
||||
0x8f, 0xa7, 0x4f, 0x27, 0xd8, 0xec, 0xfd, 0x62,
|
||||
0x73, 0xf2, 0xd1, 0x55, 0xa5, 0xf0, 0x41, 0x68,
|
||||
0x34, 0x8d, 0x9e, 0x88, 0x08, 0x06
|
||||
};
|
||||
|
||||
static const ST_KAT_PARAM dsa_key[] = {
|
||||
|
|
|
@ -3496,6 +3496,25 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
|
|||
return 1;
|
||||
}
|
||||
|
||||
static int check_early_data_timeout(time_t timer)
|
||||
{
|
||||
int res = 0;
|
||||
|
||||
/*
|
||||
* Early data is time sensitive. We have an approx 8 second allowance
|
||||
* between writing the early data and reading it. If we exceed that time
|
||||
* then this test will fail. This can sometimes (rarely) occur in normal CI
|
||||
* operation. We can try and detect this and just ignore the result of this
|
||||
* test if it has taken too long. We assume anything over 7 seconds is too
|
||||
* long
|
||||
*/
|
||||
timer = time(NULL) - timer;
|
||||
if (timer >= 7)
|
||||
res = TEST_skip("Test took too long, ignoring result");
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
static int test_early_data_read_write(int idx)
|
||||
{
|
||||
SSL_CTX *cctx = NULL, *sctx = NULL;
|
||||
|
@ -3505,6 +3524,7 @@ static int test_early_data_read_write(int idx)
|
|||
unsigned char buf[20], data[1024];
|
||||
size_t readbytes, written, eoedlen, rawread, rawwritten;
|
||||
BIO *rbio;
|
||||
time_t timer;
|
||||
|
||||
if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
|
||||
&serverssl, &sess, idx,
|
||||
|
@ -3512,13 +3532,20 @@ static int test_early_data_read_write(int idx)
|
|||
goto end;
|
||||
|
||||
/* Write and read some early data */
|
||||
timer = time(NULL);
|
||||
if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
|
||||
&written))
|
||||
|| !TEST_size_t_eq(written, strlen(MSG1))
|
||||
|| !TEST_int_eq(SSL_read_early_data(serverssl, buf,
|
||||
sizeof(buf), &readbytes),
|
||||
SSL_READ_EARLY_DATA_SUCCESS)
|
||||
|| !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
|
||||
|| !TEST_size_t_eq(written, strlen(MSG1)))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
|
||||
&readbytes),
|
||||
SSL_READ_EARLY_DATA_SUCCESS)) {
|
||||
testresult = check_early_data_timeout(timer);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
|
||||
|| !TEST_int_eq(SSL_get_early_data_status(serverssl),
|
||||
SSL_EARLY_DATA_ACCEPTED))
|
||||
goto end;
|
||||
|
@ -3735,6 +3762,7 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt)
|
|||
SSL_SESSION *sess = NULL;
|
||||
size_t readbytes, written;
|
||||
unsigned char buf[20];
|
||||
time_t timer;
|
||||
|
||||
allow_ed_cb_called = 0;
|
||||
|
||||
|
@ -3789,6 +3817,7 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt)
|
|||
goto end;
|
||||
|
||||
/* Write and read some early data */
|
||||
timer = time(NULL);
|
||||
if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
|
||||
&written))
|
||||
|| !TEST_size_t_eq(written, strlen(MSG1)))
|
||||
|
@ -3809,8 +3838,11 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt)
|
|||
/* In this case the callback decides to accept the early data */
|
||||
if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
|
||||
&readbytes),
|
||||
SSL_READ_EARLY_DATA_SUCCESS)
|
||||
|| !TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
|
||||
SSL_READ_EARLY_DATA_SUCCESS)) {
|
||||
testresult = check_early_data_timeout(timer);
|
||||
goto end;
|
||||
}
|
||||
if (!TEST_mem_eq(MSG1, strlen(MSG1), buf, readbytes)
|
||||
/*
|
||||
* Server will have sent its flight so client can now send
|
||||
* end of early data and complete its half of the handshake
|
||||
|
@ -4327,13 +4359,19 @@ static int test_early_data_psk(int idx)
|
|||
|| !TEST_int_eq(ERR_GET_REASON(ERR_get_error()), err))
|
||||
goto end;
|
||||
} else {
|
||||
time_t timer = time(NULL);
|
||||
|
||||
if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
|
||||
&written)))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
|
||||
&readbytes), readearlyres)
|
||||
|| (readearlyres == SSL_READ_EARLY_DATA_SUCCESS
|
||||
&readbytes), readearlyres)) {
|
||||
testresult = check_early_data_timeout(timer);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if ((readearlyres == SSL_READ_EARLY_DATA_SUCCESS
|
||||
&& !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1)))
|
||||
|| !TEST_int_eq(SSL_get_early_data_status(serverssl), edstatus)
|
||||
|| !TEST_int_eq(SSL_connect(clientssl), connectres))
|
||||
|
@ -4371,6 +4409,7 @@ static int test_early_data_psk_with_all_ciphers(int idx)
|
|||
unsigned char buf[20];
|
||||
size_t readbytes, written;
|
||||
const SSL_CIPHER *cipher;
|
||||
time_t timer;
|
||||
const char *cipher_str[] = {
|
||||
TLS1_3_RFC_AES_128_GCM_SHA256,
|
||||
TLS1_3_RFC_AES_256_GCM_SHA384,
|
||||
|
@ -4422,14 +4461,19 @@ static int test_early_data_psk_with_all_ciphers(int idx)
|
|||
goto end;
|
||||
|
||||
SSL_set_connect_state(clientssl);
|
||||
timer = time(NULL);
|
||||
if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
|
||||
&written)))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
|
||||
&readbytes),
|
||||
SSL_READ_EARLY_DATA_SUCCESS)
|
||||
|| !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
|
||||
SSL_READ_EARLY_DATA_SUCCESS)) {
|
||||
testresult = check_early_data_timeout(timer);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
|
||||
|| !TEST_int_eq(SSL_get_early_data_status(serverssl),
|
||||
SSL_EARLY_DATA_ACCEPTED)
|
||||
|| !TEST_int_eq(SSL_connect(clientssl), 1)
|
||||
|
@ -7473,6 +7517,7 @@ static int test_info_callback(int tst)
|
|||
SSL_SESSION *sess = NULL;
|
||||
size_t written, readbytes;
|
||||
unsigned char buf[80];
|
||||
time_t timer;
|
||||
|
||||
/* early_data tests */
|
||||
if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
|
||||
|
@ -7487,13 +7532,20 @@ static int test_info_callback(int tst)
|
|||
sslapi_info_callback);
|
||||
|
||||
/* Write and read some early data and then complete the connection */
|
||||
timer = time(NULL);
|
||||
if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
|
||||
&written))
|
||||
|| !TEST_size_t_eq(written, strlen(MSG1))
|
||||
|| !TEST_int_eq(SSL_read_early_data(serverssl, buf,
|
||||
sizeof(buf), &readbytes),
|
||||
SSL_READ_EARLY_DATA_SUCCESS)
|
||||
|| !TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
|
||||
|| !TEST_size_t_eq(written, strlen(MSG1)))
|
||||
goto end;
|
||||
|
||||
if (!TEST_int_eq(SSL_read_early_data(serverssl, buf,
|
||||
sizeof(buf), &readbytes),
|
||||
SSL_READ_EARLY_DATA_SUCCESS)) {
|
||||
testresult = check_early_data_timeout(timer);
|
||||
goto end;
|
||||
}
|
||||
|
||||
if (!TEST_mem_eq(MSG1, readbytes, buf, strlen(MSG1))
|
||||
|| !TEST_int_eq(SSL_get_early_data_status(serverssl),
|
||||
SSL_EARLY_DATA_ACCEPTED)
|
||||
|| !TEST_true(create_ssl_connection(serverssl, clientssl,
|
||||
|
|
Loading…
Reference in New Issue