diff --git a/Package.swift b/Package.swift index 37f56b12..af58a77e 100644 --- a/Package.swift +++ b/Package.swift @@ -22,7 +22,7 @@ import PackageDescription // Sources/CNIOBoringSSL directory. The source repository is at // https://boringssl.googlesource.com/boringssl. // -// BoringSSL Commit: 67818bea6690a230e2f42e8a588e0f54949bbbf1 +// BoringSSL Commit: 3989c99706bf30054798ff82f1cb010e50e385f5 let package = Package( name: "swift-nio-ssl", diff --git a/Sources/CNIOBoringSSL/crypto/bio/bio.c b/Sources/CNIOBoringSSL/crypto/bio/bio.c index 787ac6d5..7c24ff32 100644 --- a/Sources/CNIOBoringSSL/crypto/bio/bio.c +++ b/Sources/CNIOBoringSSL/crypto/bio/bio.c @@ -262,6 +262,8 @@ int BIO_should_io_special(const BIO *bio) { int BIO_get_retry_reason(const BIO *bio) { return bio->retry_reason; } +void BIO_set_retry_reason(BIO *bio, int reason) { bio->retry_reason = reason; } + void BIO_clear_flags(BIO *bio, int flags) { bio->flags &= ~flags; } diff --git a/Sources/CNIOBoringSSL/crypto/trust_token/internal.h b/Sources/CNIOBoringSSL/crypto/trust_token/internal.h index daac5e4b..2eb583b8 100644 --- a/Sources/CNIOBoringSSL/crypto/trust_token/internal.h +++ b/Sources/CNIOBoringSSL/crypto/trust_token/internal.h @@ -30,16 +30,20 @@ extern "C" { #endif -// PMBTokens. -// -// PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215 -// and provides anonymous tokens with private metadata. We implement the -// construction with validity verification, described in appendix H, -// construction 6. +// For the following cryptographic schemes, we use P-384 instead of our usual +// choice of P-256. See Appendix I of +// https://eprint.iacr.org/2020/072/20200324:214215 which describes two attacks +// which may affect smaller curves. In particular, p-1 for P-256 is smooth, +// giving a low complexity for the p-1 attack. P-384's p-1 has a 281-bit prime +// factor, +// 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471. +// This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded +// by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1. + -// PMBTOKEN_NONCE_SIZE is the size of nonces used as part of the PMBToken +// TRUST_TOKEN_NONCE_SIZE is the size of nonces used as part of the Trust_Token // protocol. -#define PMBTOKEN_NONCE_SIZE 64 +#define TRUST_TOKEN_NONCE_SIZE 64 typedef struct { // TODO(https://crbug.com/boringssl/334): These should store |EC_PRECOMP| so @@ -47,7 +51,7 @@ typedef struct { EC_AFFINE pub0; EC_AFFINE pub1; EC_AFFINE pubs; -} PMBTOKEN_CLIENT_KEY; +} TRUST_TOKEN_CLIENT_KEY; typedef struct { EC_SCALAR x0; @@ -62,47 +66,47 @@ typedef struct { EC_PRECOMP pub1_precomp; EC_AFFINE pubs; EC_PRECOMP pubs_precomp; -} PMBTOKEN_ISSUER_KEY; +} TRUST_TOKEN_ISSUER_KEY; -// PMBTOKEN_PRETOKEN represents the intermediate state a client keeps during a -// PMBToken issuance operation. +// TRUST_TOKEN_PRETOKEN represents the intermediate state a client keeps during +// a Trust_Token issuance operation. typedef struct pmb_pretoken_st { - uint8_t t[PMBTOKEN_NONCE_SIZE]; + uint8_t t[TRUST_TOKEN_NONCE_SIZE]; EC_SCALAR r; EC_AFFINE Tp; -} PMBTOKEN_PRETOKEN; +} TRUST_TOKEN_PRETOKEN; + +// TRUST_TOKEN_PRETOKEN_free releases the memory associated with |token|. +OPENSSL_EXPORT void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *token); + +DEFINE_STACK_OF(TRUST_TOKEN_PRETOKEN) -// PMBTOKEN_PRETOKEN_free releases the memory associated with |token|. -OPENSSL_EXPORT void PMBTOKEN_PRETOKEN_free(PMBTOKEN_PRETOKEN *token); -DEFINE_STACK_OF(PMBTOKEN_PRETOKEN) +// PMBTokens. +// +// PMBTokens is described in https://eprint.iacr.org/2020/072/20200324:214215 +// and provides anonymous tokens with private metadata. We implement the +// construction with validity verification, described in appendix H, +// construction 6. // The following functions implement the corresponding |TRUST_TOKENS_METHOD| // functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which // uses P-384. -// -// We use P-384 instead of our usual choice of P-256. See Appendix I which -// describes two attacks which may affect smaller curves. In particular, p-1 for -// P-256 is smooth, giving a low complexity for the p-1 attack. P-384's p-1 has -// a 281-bit prime factor, -// 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471. -// This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded -// by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1. int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public); -int pmbtoken_exp1_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key, +int pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len); -int pmbtoken_exp1_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key, +int pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len); -STACK_OF(PMBTOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count); -int pmbtoken_exp1_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, +STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count); +int pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata); STACK_OF(TRUST_TOKEN) * - pmbtoken_exp1_unblind(const PMBTOKEN_CLIENT_KEY *key, - const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, + pmbtoken_exp1_unblind(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, size_t count, uint32_t key_id); -int pmbtoken_exp1_read(const PMBTOKEN_ISSUER_KEY *key, - uint8_t out_nonce[PMBTOKEN_NONCE_SIZE], +int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], uint8_t *out_private_metadata, const uint8_t *token, size_t token_len); @@ -113,29 +117,21 @@ OPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]); // The following functions implement the corresponding |TRUST_TOKENS_METHOD| // functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which // uses P-384. -// -// We use P-384 instead of our usual choice of P-256. See Appendix I which -// describes two attacks which may affect smaller curves. In particular, p-1 for -// P-256 is smooth, giving a low complexity for the p-1 attack. P-384's p-1 has -// a 281-bit prime factor, -// 3055465788140352002733946906144561090641249606160407884365391979704929268480326390471. -// This lower-bounds the p-1 attack at O(2^140). The p+1 attack is lower-bounded -// by O(p^(1/3)) or O(2^128), so we do not need to check the smoothness of p+1. int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public); -int pmbtoken_exp2_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key, +int pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len); -int pmbtoken_exp2_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key, +int pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len); -STACK_OF(PMBTOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count); -int pmbtoken_exp2_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, +STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count); +int pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata); STACK_OF(TRUST_TOKEN) * - pmbtoken_exp2_unblind(const PMBTOKEN_CLIENT_KEY *key, - const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, + pmbtoken_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, size_t count, uint32_t key_id); -int pmbtoken_exp2_read(const PMBTOKEN_ISSUER_KEY *key, - uint8_t out_nonce[PMBTOKEN_NONCE_SIZE], +int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], uint8_t *out_private_metadata, const uint8_t *token, size_t token_len); @@ -144,6 +140,37 @@ int pmbtoken_exp2_read(const PMBTOKEN_ISSUER_KEY *key, OPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]); +// VOPRF. +// +// VOPRFs are described in https://tools.ietf.org/html/draft-irtf-cfrg-voprf-04 +// and provide anonymous tokens. This implementation uses TrustToken DSTs and +// the DLEQ batching primitive from +// https://eprint.iacr.org/2020/072/20200324:214215. +// VOPRF only uses the |pub|' field of the TRUST_TOKEN_CLIENT_KEY and +// |xs|/|pubs| fields of the TRUST_TOKEN_ISSUER_KEY. + +// The following functions implement the corresponding |TRUST_TOKENS_METHOD| +// functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses +// P-384. +int voprf_exp2_generate_key(CBB *out_private, CBB *out_public); +int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, + const uint8_t *in, size_t len); +int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, + const uint8_t *in, size_t len); +STACK_OF(TRUST_TOKEN_PRETOKEN) * voprf_exp2_blind(CBB *cbb, size_t count); +int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + size_t num_requested, size_t num_to_issue, + uint8_t private_metadata); +STACK_OF(TRUST_TOKEN) * + voprf_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, + CBS *cbs, size_t count, uint32_t key_id); +int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], + uint8_t *out_private_metadata, const uint8_t *token, + size_t token_len); + + // Trust Tokens internals. struct trust_token_method_st { @@ -155,23 +182,23 @@ struct trust_token_method_st { // client_key_from_bytes decodes a client key from |in| and sets |key| // to the resulting key. It returns one on success and zero // on failure. - int (*client_key_from_bytes)(PMBTOKEN_CLIENT_KEY *key, const uint8_t *in, + int (*client_key_from_bytes)(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len); // issuer_key_from_bytes decodes a issuer key from |in| and sets |key| // to the resulting key. It returns one on success and zero // on failure. - int (*issuer_key_from_bytes)(PMBTOKEN_ISSUER_KEY *key, const uint8_t *in, + int (*issuer_key_from_bytes)(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len); // blind generates a new issuance request for |count| tokens. On - // success, it returns a newly-allocated |STACK_OF(PMBTOKEN_PRETOKEN)| and + // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and // writes a request to the issuer to |cbb|. On failure, it returns NULL. The - // |STACK_OF(PMBTOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind| when + // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind| when // the server responds. // // This function implements the AT.Usr0 operation. - STACK_OF(PMBTOKEN_PRETOKEN) *(*blind)(CBB *cbb, size_t count); + STACK_OF(TRUST_TOKEN_PRETOKEN) * (*blind)(CBB *cbb, size_t count); // sign parses a request for |num_requested| tokens from |cbs| and // issues |num_to_issue| tokens with |key| and a private metadata value of @@ -179,7 +206,7 @@ struct trust_token_method_st { // success and zero on failure. // // This function implements the AT.Sig operation. - int (*sign)(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + int (*sign)(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata); @@ -192,8 +219,8 @@ struct trust_token_method_st { // // This function implements the AT.Usr1 operation. STACK_OF(TRUST_TOKEN) * - (*unblind)(const PMBTOKEN_CLIENT_KEY *key, - const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, CBS *cbs, + (*unblind)(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, size_t count, uint32_t key_id); // read parses a PMBToken from |token| and verifies it using |key|. On @@ -201,8 +228,8 @@ struct trust_token_method_st { // |out_nonce| and |*out_private_metadata|. Otherwise, it returns zero. Note // that, unlike the output of |unblind|, |token| does not have a // four-byte key ID prepended. - int (*read)(const PMBTOKEN_ISSUER_KEY *key, - uint8_t out_nonce[PMBTOKEN_NONCE_SIZE], + int (*read)(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], uint8_t *out_private_metadata, const uint8_t *token, size_t token_len); @@ -219,14 +246,14 @@ struct trust_token_method_st { // Structure representing a single Trust Token public key with the specified ID. struct trust_token_client_key_st { uint32_t id; - PMBTOKEN_CLIENT_KEY key; + TRUST_TOKEN_CLIENT_KEY key; }; // Structure representing a single Trust Token private key with the specified // ID. struct trust_token_issuer_key_st { uint32_t id; - PMBTOKEN_ISSUER_KEY key; + TRUST_TOKEN_ISSUER_KEY key; }; struct trust_token_client_st { @@ -243,7 +270,7 @@ struct trust_token_client_st { size_t num_keys; // pretokens is the intermediate state during an active issuance. - STACK_OF(PMBTOKEN_PRETOKEN)* pretokens; + STACK_OF(TRUST_TOKEN_PRETOKEN)* pretokens; // srr_key is the public key used to verify the signature of the SRR. EVP_PKEY *srr_key; @@ -281,7 +308,7 @@ extern "C++" { BSSL_NAMESPACE_BEGIN -BORINGSSL_MAKE_DELETER(PMBTOKEN_PRETOKEN, PMBTOKEN_PRETOKEN_free) +BORINGSSL_MAKE_DELETER(TRUST_TOKEN_PRETOKEN, TRUST_TOKEN_PRETOKEN_free) BSSL_NAMESPACE_END diff --git a/Sources/CNIOBoringSSL/crypto/trust_token/pmbtoken.c b/Sources/CNIOBoringSSL/crypto/trust_token/pmbtoken.c index 31ada947..040bc332 100644 --- a/Sources/CNIOBoringSSL/crypto/trust_token/pmbtoken.c +++ b/Sources/CNIOBoringSSL/crypto/trust_token/pmbtoken.c @@ -31,10 +31,10 @@ typedef int (*hash_t_func_t)(const EC_GROUP *group, EC_RAW_POINT *out, - const uint8_t t[PMBTOKEN_NONCE_SIZE]); + const uint8_t t[TRUST_TOKEN_NONCE_SIZE]); typedef int (*hash_s_func_t)(const EC_GROUP *group, EC_RAW_POINT *out, const EC_AFFINE *t, - const uint8_t s[PMBTOKEN_NONCE_SIZE]); + const uint8_t s[TRUST_TOKEN_NONCE_SIZE]); typedef int (*hash_c_func_t)(const EC_GROUP *group, EC_SCALAR *out, uint8_t *buf, size_t len); @@ -165,10 +165,6 @@ static int mul_public_3(const EC_GROUP *group, EC_RAW_POINT *out, scalars, 3); } -void PMBTOKEN_PRETOKEN_free(PMBTOKEN_PRETOKEN *pretoken) { - OPENSSL_free(pretoken); -} - static int pmbtoken_generate_key(const PMBTOKEN_METHOD *method, CBB *out_private, CBB *out_public) { const EC_GROUP *group = method->group; @@ -211,7 +207,7 @@ static int pmbtoken_generate_key(const PMBTOKEN_METHOD *method, } static int pmbtoken_client_key_from_bytes(const PMBTOKEN_METHOD *method, - PMBTOKEN_CLIENT_KEY *key, + TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len) { CBS cbs; CBS_init(&cbs, in, len); @@ -230,7 +226,7 @@ static int pmbtoken_client_key_from_bytes(const PMBTOKEN_METHOD *method, } static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method, - PMBTOKEN_ISSUER_KEY *key, + TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len) { const EC_GROUP *group = method->group; CBS cbs, tmp; @@ -269,10 +265,10 @@ static int pmbtoken_issuer_key_from_bytes(const PMBTOKEN_METHOD *method, return 1; } -static STACK_OF(PMBTOKEN_PRETOKEN) * +static STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_blind(const PMBTOKEN_METHOD *method, CBB *cbb, size_t count) { const EC_GROUP *group = method->group; - STACK_OF(PMBTOKEN_PRETOKEN) *pretokens = sk_PMBTOKEN_PRETOKEN_new_null(); + STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = sk_TRUST_TOKEN_PRETOKEN_new_null(); if (pretokens == NULL) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); goto err; @@ -280,11 +276,11 @@ static STACK_OF(PMBTOKEN_PRETOKEN) * for (size_t i = 0; i < count; i++) { // Insert |pretoken| into |pretokens| early to simplify error-handling. - PMBTOKEN_PRETOKEN *pretoken = OPENSSL_malloc(sizeof(PMBTOKEN_PRETOKEN)); + TRUST_TOKEN_PRETOKEN *pretoken = OPENSSL_malloc(sizeof(TRUST_TOKEN_PRETOKEN)); if (pretoken == NULL || - !sk_PMBTOKEN_PRETOKEN_push(pretokens, pretoken)) { + !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); - PMBTOKEN_PRETOKEN_free(pretoken); + TRUST_TOKEN_PRETOKEN_free(pretoken); goto err; } @@ -319,7 +315,7 @@ static STACK_OF(PMBTOKEN_PRETOKEN) * return pretokens; err: - sk_PMBTOKEN_PRETOKEN_pop_free(pretokens, PMBTOKEN_PRETOKEN_free); + sk_TRUST_TOKEN_PRETOKEN_pop_free(pretokens, TRUST_TOKEN_PRETOKEN_free); return NULL; } @@ -455,9 +451,10 @@ static int hash_c_batch(const PMBTOKEN_METHOD *method, EC_SCALAR *out, // DLEQOR2 with only one value (n=1). static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb, - const PMBTOKEN_ISSUER_KEY *priv, const EC_RAW_POINT *T, - const EC_RAW_POINT *S, const EC_RAW_POINT *W, - const EC_RAW_POINT *Ws, uint8_t private_metadata) { + const TRUST_TOKEN_ISSUER_KEY *priv, + const EC_RAW_POINT *T, const EC_RAW_POINT *S, + const EC_RAW_POINT *W, const EC_RAW_POINT *Ws, + uint8_t private_metadata) { const EC_GROUP *group = method->group; // We generate a DLEQ proof for the validity token and a DLEQOR2 proof for the @@ -616,7 +613,7 @@ static int dleq_generate(const PMBTOKEN_METHOD *method, CBB *cbb, } static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs, - const PMBTOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T, + const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T, const EC_RAW_POINT *S, const EC_RAW_POINT *W, const EC_RAW_POINT *Ws) { const EC_GROUP *group = method->group; @@ -735,7 +732,7 @@ static int dleq_verify(const PMBTOKEN_METHOD *method, CBS *cbs, } static int pmbtoken_sign(const PMBTOKEN_METHOD *method, - const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata) { const EC_GROUP *group = method->group; @@ -785,8 +782,8 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, ec_scalar_select(group, &xb, mask, &key->x1, &key->x0); ec_scalar_select(group, &yb, mask, &key->y1, &key->y0); - uint8_t s[PMBTOKEN_NONCE_SIZE]; - RAND_bytes(s, PMBTOKEN_NONCE_SIZE); + uint8_t s[TRUST_TOKEN_NONCE_SIZE]; + RAND_bytes(s, TRUST_TOKEN_NONCE_SIZE); // The |jacobians| and |affines| contain Sp, Wp, and Wsp. EC_RAW_POINT jacobians[3]; EC_AFFINE affines[3]; @@ -796,9 +793,11 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, !ec_point_mul_scalar_batch(group, &jacobians[2], &Tp, &key->xs, &jacobians[0], &key->ys, NULL, NULL) || !ec_jacobian_to_affine_batch(group, affines, jacobians, 3) || - !CBB_add_bytes(cbb, s, PMBTOKEN_NONCE_SIZE) || - !cbb_add_prefixed_point(cbb, group, &affines[1], method->prefix_point) || - !cbb_add_prefixed_point(cbb, group, &affines[2], method->prefix_point)) { + !CBB_add_bytes(cbb, s, TRUST_TOKEN_NONCE_SIZE) || + !cbb_add_prefixed_point(cbb, group, &affines[1], + method->prefix_point) || + !cbb_add_prefixed_point(cbb, group, &affines[2], + method->prefix_point)) { goto err; } @@ -877,11 +876,11 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method, static STACK_OF(TRUST_TOKEN) * pmbtoken_unblind(const PMBTOKEN_METHOD *method, - const PMBTOKEN_CLIENT_KEY *key, - const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, CBS *cbs, + const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, size_t count, uint32_t key_id) { const EC_GROUP *group = method->group; - if (count > sk_PMBTOKEN_PRETOKEN_num(pretokens)) { + if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return NULL; } @@ -919,12 +918,12 @@ static STACK_OF(TRUST_TOKEN) * } for (size_t i = 0; i < count; i++) { - const PMBTOKEN_PRETOKEN *pretoken = - sk_PMBTOKEN_PRETOKEN_value(pretokens, i); + const TRUST_TOKEN_PRETOKEN *pretoken = + sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i); - uint8_t s[PMBTOKEN_NONCE_SIZE]; + uint8_t s[TRUST_TOKEN_NONCE_SIZE]; EC_AFFINE Wp_affine, Wsp_affine; - if (!CBS_copy_bytes(cbs, s, PMBTOKEN_NONCE_SIZE) || + if (!CBS_copy_bytes(cbs, s, TRUST_TOKEN_NONCE_SIZE) || !cbs_get_prefixed_point(cbs, group, &Wp_affine, method->prefix_point) || !cbs_get_prefixed_point(cbs, group, &Wsp_affine, method->prefix_point)) { @@ -963,9 +962,10 @@ static STACK_OF(TRUST_TOKEN) * // above. CBB token_cbb; size_t point_len = 1 + 2 * BN_num_bytes(&group->field); - if (!CBB_init(&token_cbb, 4 + PMBTOKEN_NONCE_SIZE + 3 * (2 + point_len)) || + if (!CBB_init(&token_cbb, + 4 + TRUST_TOKEN_NONCE_SIZE + 3 * (2 + point_len)) || !CBB_add_u32(&token_cbb, key_id) || - !CBB_add_bytes(&token_cbb, pretoken->t, PMBTOKEN_NONCE_SIZE) || + !CBB_add_bytes(&token_cbb, pretoken->t, TRUST_TOKEN_NONCE_SIZE) || !cbb_add_prefixed_point(&token_cbb, group, &affines[0], method->prefix_point) || !cbb_add_prefixed_point(&token_cbb, group, &affines[1], @@ -1034,15 +1034,15 @@ static STACK_OF(TRUST_TOKEN) * } static int pmbtoken_read(const PMBTOKEN_METHOD *method, - const PMBTOKEN_ISSUER_KEY *key, - uint8_t out_nonce[PMBTOKEN_NONCE_SIZE], + const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], uint8_t *out_private_metadata, const uint8_t *token, size_t token_len) { const EC_GROUP *group = method->group; CBS cbs; CBS_init(&cbs, token, token_len); EC_AFFINE S, W, Ws; - if (!CBS_copy_bytes(&cbs, out_nonce, PMBTOKEN_NONCE_SIZE) || + if (!CBS_copy_bytes(&cbs, out_nonce, TRUST_TOKEN_NONCE_SIZE) || !cbs_get_prefixed_point(&cbs, group, &S, method->prefix_point) || !cbs_get_prefixed_point(&cbs, group, &W, method->prefix_point) || !cbs_get_prefixed_point(&cbs, group, &Ws, method->prefix_point) || @@ -1101,15 +1101,15 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method, // PMBTokens experiment v1. static int pmbtoken_exp1_hash_t(const EC_GROUP *group, EC_RAW_POINT *out, - const uint8_t t[PMBTOKEN_NONCE_SIZE]) { + const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) { const uint8_t kHashTLabel[] = "PMBTokens Experiment V1 HashT"; return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( - group, out, kHashTLabel, sizeof(kHashTLabel), t, PMBTOKEN_NONCE_SIZE); + group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE); } static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out, const EC_AFFINE *t, - const uint8_t s[PMBTOKEN_NONCE_SIZE]) { + const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) { const uint8_t kHashSLabel[] = "PMBTokens Experiment V1 HashS"; int ret = 0; CBB cbb; @@ -1117,7 +1117,7 @@ static int pmbtoken_exp1_hash_s(const EC_GROUP *group, EC_RAW_POINT *out, size_t len; if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) || - !CBB_add_bytes(&cbb, s, PMBTOKEN_NONCE_SIZE) || + !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) || !CBB_finish(&cbb, &buf, &len) || !ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) { @@ -1182,7 +1182,7 @@ int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public) { return pmbtoken_generate_key(&pmbtoken_exp1_method, out_private, out_public); } -int pmbtoken_exp1_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key, +int pmbtoken_exp1_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len) { if (!pmbtoken_exp1_init_method()) { return 0; @@ -1190,7 +1190,7 @@ int pmbtoken_exp1_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key, return pmbtoken_client_key_from_bytes(&pmbtoken_exp1_method, key, in, len); } -int pmbtoken_exp1_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key, +int pmbtoken_exp1_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len) { if (!pmbtoken_exp1_init_method()) { return 0; @@ -1198,14 +1198,14 @@ int pmbtoken_exp1_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key, return pmbtoken_issuer_key_from_bytes(&pmbtoken_exp1_method, key, in, len); } -STACK_OF(PMBTOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count) { +STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp1_blind(CBB *cbb, size_t count) { if (!pmbtoken_exp1_init_method()) { return NULL; } return pmbtoken_blind(&pmbtoken_exp1_method, cbb, count); } -int pmbtoken_exp1_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, +int pmbtoken_exp1_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata) { if (!pmbtoken_exp1_init_method()) { @@ -1216,8 +1216,8 @@ int pmbtoken_exp1_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, } STACK_OF(TRUST_TOKEN) * - pmbtoken_exp1_unblind(const PMBTOKEN_CLIENT_KEY *key, - const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, + pmbtoken_exp1_unblind(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, size_t count, uint32_t key_id) { if (!pmbtoken_exp1_init_method()) { return NULL; @@ -1226,8 +1226,8 @@ STACK_OF(TRUST_TOKEN) * key_id); } -int pmbtoken_exp1_read(const PMBTOKEN_ISSUER_KEY *key, - uint8_t out_nonce[PMBTOKEN_NONCE_SIZE], +int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], uint8_t *out_private_metadata, const uint8_t *token, size_t token_len) { if (!pmbtoken_exp1_init_method()) { @@ -1251,15 +1251,15 @@ int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]) { // PMBTokens experiment v2. static int pmbtoken_exp2_hash_t(const EC_GROUP *group, EC_RAW_POINT *out, - const uint8_t t[PMBTOKEN_NONCE_SIZE]) { + const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) { const uint8_t kHashTLabel[] = "PMBTokens Experiment V2 HashT"; return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( - group, out, kHashTLabel, sizeof(kHashTLabel), t, PMBTOKEN_NONCE_SIZE); + group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE); } static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_RAW_POINT *out, const EC_AFFINE *t, - const uint8_t s[PMBTOKEN_NONCE_SIZE]) { + const uint8_t s[TRUST_TOKEN_NONCE_SIZE]) { const uint8_t kHashSLabel[] = "PMBTokens Experiment V2 HashS"; int ret = 0; CBB cbb; @@ -1267,7 +1267,7 @@ static int pmbtoken_exp2_hash_s(const EC_GROUP *group, EC_RAW_POINT *out, size_t len; if (!CBB_init(&cbb, 0) || !point_to_cbb(&cbb, group, t) || - !CBB_add_bytes(&cbb, s, PMBTOKEN_NONCE_SIZE) || + !CBB_add_bytes(&cbb, s, TRUST_TOKEN_NONCE_SIZE) || !CBB_finish(&cbb, &buf, &len) || !ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( group, out, kHashSLabel, sizeof(kHashSLabel), buf, len)) { @@ -1332,7 +1332,7 @@ int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public) { return pmbtoken_generate_key(&pmbtoken_exp2_method, out_private, out_public); } -int pmbtoken_exp2_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key, +int pmbtoken_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len) { if (!pmbtoken_exp2_init_method()) { return 0; @@ -1340,7 +1340,7 @@ int pmbtoken_exp2_client_key_from_bytes(PMBTOKEN_CLIENT_KEY *key, return pmbtoken_client_key_from_bytes(&pmbtoken_exp2_method, key, in, len); } -int pmbtoken_exp2_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key, +int pmbtoken_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len) { if (!pmbtoken_exp2_init_method()) { return 0; @@ -1348,14 +1348,14 @@ int pmbtoken_exp2_issuer_key_from_bytes(PMBTOKEN_ISSUER_KEY *key, return pmbtoken_issuer_key_from_bytes(&pmbtoken_exp2_method, key, in, len); } -STACK_OF(PMBTOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count) { +STACK_OF(TRUST_TOKEN_PRETOKEN) * pmbtoken_exp2_blind(CBB *cbb, size_t count) { if (!pmbtoken_exp2_init_method()) { return NULL; } return pmbtoken_blind(&pmbtoken_exp2_method, cbb, count); } -int pmbtoken_exp2_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, +int pmbtoken_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, size_t num_requested, size_t num_to_issue, uint8_t private_metadata) { if (!pmbtoken_exp2_init_method()) { @@ -1366,8 +1366,8 @@ int pmbtoken_exp2_sign(const PMBTOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, } STACK_OF(TRUST_TOKEN) * - pmbtoken_exp2_unblind(const PMBTOKEN_CLIENT_KEY *key, - const STACK_OF(PMBTOKEN_PRETOKEN) * pretokens, + pmbtoken_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, size_t count, uint32_t key_id) { if (!pmbtoken_exp2_init_method()) { return NULL; @@ -1376,8 +1376,8 @@ STACK_OF(TRUST_TOKEN) * key_id); } -int pmbtoken_exp2_read(const PMBTOKEN_ISSUER_KEY *key, - uint8_t out_nonce[PMBTOKEN_NONCE_SIZE], +int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], uint8_t *out_private_metadata, const uint8_t *token, size_t token_len) { if (!pmbtoken_exp2_init_method()) { diff --git a/Sources/CNIOBoringSSL/crypto/trust_token/trust_token.c b/Sources/CNIOBoringSSL/crypto/trust_token/trust_token.c index 41f1cf77..5c42e70a 100644 --- a/Sources/CNIOBoringSSL/crypto/trust_token/trust_token.c +++ b/Sources/CNIOBoringSSL/crypto/trust_token/trust_token.c @@ -43,15 +43,15 @@ const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v1(void) { return &kMethod; } -const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pp(void) { +const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_voprf(void) { static const TRUST_TOKEN_METHOD kMethod = { - pmbtoken_exp2_generate_key, - pmbtoken_exp2_client_key_from_bytes, - pmbtoken_exp2_issuer_key_from_bytes, - pmbtoken_exp2_blind, - pmbtoken_exp2_sign, - pmbtoken_exp2_unblind, - pmbtoken_exp2_read, + voprf_exp2_generate_key, + voprf_exp2_client_key_from_bytes, + voprf_exp2_issuer_key_from_bytes, + voprf_exp2_blind, + voprf_exp2_sign, + voprf_exp2_unblind, + voprf_exp2_read, 0, /* has_private_metadata */ 6, /* max_keys */ 0, /* has_srr */ @@ -75,6 +75,10 @@ const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pmb(void) { return &kMethod; } +void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *pretoken) { + OPENSSL_free(pretoken); +} + TRUST_TOKEN *TRUST_TOKEN_new(const uint8_t *data, size_t len) { TRUST_TOKEN *ret = OPENSSL_malloc(sizeof(TRUST_TOKEN)); if (ret == NULL) { @@ -160,7 +164,7 @@ void TRUST_TOKEN_CLIENT_free(TRUST_TOKEN_CLIENT *ctx) { return; } EVP_PKEY_free(ctx->srr_key); - sk_PMBTOKEN_PRETOKEN_pop_free(ctx->pretokens, PMBTOKEN_PRETOKEN_free); + sk_TRUST_TOKEN_PRETOKEN_pop_free(ctx->pretokens, TRUST_TOKEN_PRETOKEN_free); OPENSSL_free(ctx); } @@ -206,7 +210,7 @@ int TRUST_TOKEN_CLIENT_begin_issuance(TRUST_TOKEN_CLIENT *ctx, uint8_t **out, int ret = 0; CBB request; - STACK_OF(PMBTOKEN_PRETOKEN) *pretokens = NULL; + STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = NULL; if (!CBB_init(&request, 0) || !CBB_add_u16(&request, count)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); @@ -223,14 +227,14 @@ int TRUST_TOKEN_CLIENT_begin_issuance(TRUST_TOKEN_CLIENT *ctx, uint8_t **out, goto err; } - sk_PMBTOKEN_PRETOKEN_pop_free(ctx->pretokens, PMBTOKEN_PRETOKEN_free); + sk_TRUST_TOKEN_PRETOKEN_pop_free(ctx->pretokens, TRUST_TOKEN_PRETOKEN_free); ctx->pretokens = pretokens; pretokens = NULL; ret = 1; err: CBB_cleanup(&request); - sk_PMBTOKEN_PRETOKEN_pop_free(pretokens, PMBTOKEN_PRETOKEN_free); + sk_TRUST_TOKEN_PRETOKEN_pop_free(pretokens, TRUST_TOKEN_PRETOKEN_free); return ret; } @@ -264,7 +268,7 @@ STACK_OF(TRUST_TOKEN) * return NULL; } - if (count > sk_PMBTOKEN_PRETOKEN_num(ctx->pretokens)) { + if (count > sk_TRUST_TOKEN_PRETOKEN_num(ctx->pretokens)) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); return NULL; } @@ -281,7 +285,7 @@ STACK_OF(TRUST_TOKEN) * return NULL; } - sk_PMBTOKEN_PRETOKEN_pop_free(ctx->pretokens, PMBTOKEN_PRETOKEN_free); + sk_TRUST_TOKEN_PRETOKEN_pop_free(ctx->pretokens, TRUST_TOKEN_PRETOKEN_free); ctx->pretokens = NULL; *out_key_index = key_index; @@ -315,30 +319,39 @@ int TRUST_TOKEN_CLIENT_finish_redemption(TRUST_TOKEN_CLIENT *ctx, size_t response_len) { CBS in, srr, sig; CBS_init(&in, response, response_len); + if (!ctx->method->has_srr) { + if (!CBS_stow(&in, out_rr, out_rr_len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + return 0; + } + + *out_sig = NULL; + *out_sig_len = 0; + return 1; + } + if (!CBS_get_u16_length_prefixed(&in, &srr) || - !CBS_get_u16_length_prefixed(&in, &sig)) { + !CBS_get_u16_length_prefixed(&in, &sig) || + CBS_len(&in) != 0) { OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_ERROR); return 0; } - if (ctx->method->has_srr) { - if (ctx->srr_key == NULL) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_NO_SRR_KEY_CONFIGURED); - return 0; - } + if (ctx->srr_key == NULL) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_NO_SRR_KEY_CONFIGURED); + return 0; + } - EVP_MD_CTX md_ctx; - EVP_MD_CTX_init(&md_ctx); - int sig_ok = - EVP_DigestVerifyInit(&md_ctx, NULL, NULL, NULL, ctx->srr_key) && - EVP_DigestVerify(&md_ctx, CBS_data(&sig), CBS_len(&sig), CBS_data(&srr), - CBS_len(&srr)); - EVP_MD_CTX_cleanup(&md_ctx); + EVP_MD_CTX md_ctx; + EVP_MD_CTX_init(&md_ctx); + int sig_ok = EVP_DigestVerifyInit(&md_ctx, NULL, NULL, NULL, ctx->srr_key) && + EVP_DigestVerify(&md_ctx, CBS_data(&sig), CBS_len(&sig), + CBS_data(&srr), CBS_len(&srr)); + EVP_MD_CTX_cleanup(&md_ctx); - if (!sig_ok) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_SRR_SIGNATURE_ERROR); - return 0; - } + if (!sig_ok) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_SRR_SIGNATURE_ERROR); + return 0; } uint8_t *srr_buf = NULL, *sig_buf = NULL; @@ -588,7 +601,7 @@ int TRUST_TOKEN_ISSUER_redeem(const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, const struct trust_token_issuer_key_st *key = trust_token_issuer_get_key(ctx, public_metadata); - uint8_t nonce[PMBTOKEN_NONCE_SIZE]; + uint8_t nonce[TRUST_TOKEN_NONCE_SIZE]; if (key == NULL || !ctx->method->read(&key->key, nonce, &private_metadata, CBS_data(&token_cbs), CBS_len(&token_cbs))) { @@ -672,16 +685,56 @@ int TRUST_TOKEN_ISSUER_redeem(const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, goto err; } - CBB child; - uint8_t *ptr; - if (!CBB_add_u16_length_prefixed(&response, &child) || - !CBB_add_bytes(&child, srr_buf, srr_len) || - !CBB_add_u16_length_prefixed(&response, &child) || - !CBB_reserve(&child, &ptr, sig_len) || - !EVP_DigestSign(&md_ctx, ptr, &sig_len, srr_buf, srr_len) || - !CBB_did_write(&child, sig_len)) { - OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); - goto err; + // Merge SRR and Signature into single string. + // TODO(svaldez): Expose API to construct this from the caller. + if (!ctx->method->has_srr) { + static const char kSRRHeader[] = "body=:"; + static const char kSRRSplit[] = ":, signature=:"; + static const char kSRREnd[] = ":"; + + size_t srr_b64_len, sig_b64_len; + if (!EVP_EncodedLength(&srr_b64_len, srr_len) || + !EVP_EncodedLength(&sig_b64_len, sig_len)) { + goto err; + } + + sig_buf = OPENSSL_malloc(sig_len); + uint8_t *srr_b64_buf = OPENSSL_malloc(srr_b64_len); + uint8_t *sig_b64_buf = OPENSSL_malloc(sig_b64_len); + if (!sig_buf || + !srr_b64_buf || + !sig_b64_buf || + !EVP_DigestSign(&md_ctx, sig_buf, &sig_len, srr_buf, srr_len) || + !CBB_add_bytes(&response, (const uint8_t *)kSRRHeader, + strlen(kSRRHeader)) || + !CBB_add_bytes(&response, srr_b64_buf, + EVP_EncodeBlock(srr_b64_buf, srr_buf, srr_len)) || + !CBB_add_bytes(&response, (const uint8_t *)kSRRSplit, + strlen(kSRRSplit)) || + !CBB_add_bytes(&response, sig_b64_buf, + EVP_EncodeBlock(sig_b64_buf, sig_buf, sig_len)) || + !CBB_add_bytes(&response, (const uint8_t *)kSRREnd, strlen(kSRREnd))) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + OPENSSL_free(srr_b64_buf); + OPENSSL_free(sig_b64_buf); + goto err; + } + + OPENSSL_free(srr_b64_buf); + OPENSSL_free(sig_b64_buf); + } else { + CBB child; + uint8_t *ptr; + if (!CBB_add_u16_length_prefixed(&response, &child) || + !CBB_add_bytes(&child, srr_buf, srr_len) || + !CBB_add_u16_length_prefixed(&response, &child) || + !CBB_reserve(&child, &ptr, sig_len) || + !EVP_DigestSign(&md_ctx, ptr, &sig_len, srr_buf, srr_len) || + !CBB_did_write(&child, sig_len) || + !CBB_flush(&response)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } } if (!CBS_stow(&client_data, &client_data_buf, &client_data_len) || @@ -690,7 +743,7 @@ int TRUST_TOKEN_ISSUER_redeem(const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, goto err; } - TRUST_TOKEN *token = TRUST_TOKEN_new(nonce, PMBTOKEN_NONCE_SIZE); + TRUST_TOKEN *token = TRUST_TOKEN_new(nonce, TRUST_TOKEN_NONCE_SIZE); if (token == NULL) { OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); goto err; diff --git a/Sources/CNIOBoringSSL/crypto/trust_token/voprf.c b/Sources/CNIOBoringSSL/crypto/trust_token/voprf.c new file mode 100644 index 00000000..8277510e --- /dev/null +++ b/Sources/CNIOBoringSSL/crypto/trust_token/voprf.c @@ -0,0 +1,766 @@ +/* Copyright (c) 2020, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + +#include +#include +#include +#include +#include +#include +#include + +#include "../ec_extra/internal.h" +#include "../fipsmodule/ec/internal.h" + +#include "internal.h" + + +typedef int (*hash_to_group_func_t)(const EC_GROUP *group, EC_RAW_POINT *out, + const uint8_t t[TRUST_TOKEN_NONCE_SIZE]); +typedef int (*hash_to_scalar_func_t)(const EC_GROUP *group, EC_SCALAR *out, + uint8_t *buf, size_t len); + +typedef struct { + const EC_GROUP *group; + + // hash_to_group implements the HashToGroup operation for VOPRFs. It returns + // one on success and zero on error. + hash_to_group_func_t hash_to_group; + // hash_to_scalar implements the HashToScalar operation for VOPRFs. It returns + // one on success and zero on error. + hash_to_scalar_func_t hash_to_scalar; +} VOPRF_METHOD; + +static const uint8_t kDefaultAdditionalData[32] = {0}; + +static int voprf_init_method(VOPRF_METHOD *method, int curve_nid, + hash_to_group_func_t hash_to_group, + hash_to_scalar_func_t hash_to_scalar) { + method->group = EC_GROUP_new_by_curve_name(curve_nid); + if (method->group == NULL) { + return 0; + } + + method->hash_to_group = hash_to_group; + method->hash_to_scalar = hash_to_scalar; + + return 1; +} + +static int cbb_add_point(CBB *out, const EC_GROUP *group, + const EC_AFFINE *point) { + size_t len = + ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0); + if (len == 0) { + return 0; + } + + uint8_t *p; + return CBB_add_space(out, &p, len) && + ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p, + len) == len && + CBB_flush(out); +} + +static int cbs_get_point(CBS *cbs, const EC_GROUP *group, EC_AFFINE *out) { + CBS child; + size_t plen = 1 + 2 * BN_num_bytes(&group->field); + if (!CBS_get_bytes(cbs, &child, plen) || + !ec_point_from_uncompressed(group, out, CBS_data(&child), + CBS_len(&child))) { + return 0; + } + return 1; +} + +static int scalar_to_cbb(CBB *out, const EC_GROUP *group, + const EC_SCALAR *scalar) { + uint8_t *buf; + size_t scalar_len = BN_num_bytes(&group->order); + if (!CBB_add_space(out, &buf, scalar_len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + return 0; + } + ec_scalar_to_bytes(group, buf, &scalar_len, scalar); + return 1; +} + +static int scalar_from_cbs(CBS *cbs, const EC_GROUP *group, EC_SCALAR *out) { + size_t scalar_len = BN_num_bytes(&group->order); + CBS tmp; + if (!CBS_get_bytes(cbs, &tmp, scalar_len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return 0; + } + + ec_scalar_from_bytes(group, out, CBS_data(&tmp), CBS_len(&tmp)); + return 1; +} + +static int voprf_generate_key(const VOPRF_METHOD *method, CBB *out_private, + CBB *out_public) { + const EC_GROUP *group = method->group; + EC_RAW_POINT pub; + EC_SCALAR priv; + EC_AFFINE pub_affine; + if (!ec_random_nonzero_scalar(group, &priv, kDefaultAdditionalData) || + !ec_point_mul_scalar_base(group, &pub, &priv) || + !ec_jacobian_to_affine(group, &pub_affine, &pub)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE); + return 0; + } + + if (!scalar_to_cbb(out_private, group, &priv) || + !cbb_add_point(out_public, group, &pub_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL); + return 0; + } + + return 1; +} + +static int voprf_client_key_from_bytes(const VOPRF_METHOD *method, + TRUST_TOKEN_CLIENT_KEY *key, + const uint8_t *in, size_t len) { + const EC_GROUP *group = method->group; + if (!ec_point_from_uncompressed(group, &key->pubs, in, len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return 0; + } + + return 1; +} + +static int voprf_issuer_key_from_bytes(const VOPRF_METHOD *method, + TRUST_TOKEN_ISSUER_KEY *key, + const uint8_t *in, size_t len) { + const EC_GROUP *group = method->group; + if (!ec_scalar_from_bytes(group, &key->xs, in, len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return 0; + } + + // Recompute the public key. + EC_RAW_POINT pub; + if (!ec_point_mul_scalar_base(group, &pub, &key->xs) || + !ec_jacobian_to_affine(group, &key->pubs, &pub)) { + return 0; + } + + return 1; +} + +static STACK_OF(TRUST_TOKEN_PRETOKEN) * + voprf_blind(const VOPRF_METHOD *method, CBB *cbb, size_t count) { + const EC_GROUP *group = method->group; + STACK_OF(TRUST_TOKEN_PRETOKEN) *pretokens = + sk_TRUST_TOKEN_PRETOKEN_new_null(); + if (pretokens == NULL) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + for (size_t i = 0; i < count; i++) { + // Insert |pretoken| into |pretokens| early to simplify error-handling. + TRUST_TOKEN_PRETOKEN *pretoken = + OPENSSL_malloc(sizeof(TRUST_TOKEN_PRETOKEN)); + if (pretoken == NULL || + !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + TRUST_TOKEN_PRETOKEN_free(pretoken); + goto err; + } + + RAND_bytes(pretoken->t, sizeof(pretoken->t)); + + // We sample r in Montgomery form to simplify inverting. + EC_SCALAR r; + if (!ec_random_nonzero_scalar(group, &r, + kDefaultAdditionalData)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + // pretoken->r is rinv. + ec_scalar_inv0_montgomery(group, &pretoken->r, &r); + // Convert both out of Montgomery form. + ec_scalar_from_montgomery(group, &r, &r); + ec_scalar_from_montgomery(group, &pretoken->r, &pretoken->r); + + // Tp is the blinded token in the VOPRF protocol. + EC_RAW_POINT P, Tp; + if (!method->hash_to_group(group, &P, pretoken->t) || + !ec_point_mul_scalar(group, &Tp, &P, &r) || + !ec_jacobian_to_affine(group, &pretoken->Tp, &Tp)) { + goto err; + } + + if (!cbb_add_point(cbb, group, &pretoken->Tp)) { + goto err; + } + } + + return pretokens; + +err: + sk_TRUST_TOKEN_PRETOKEN_pop_free(pretokens, TRUST_TOKEN_PRETOKEN_free); + return NULL; +} + +static int hash_to_scalar_dleq(const VOPRF_METHOD *method, EC_SCALAR *out, + const EC_AFFINE *X, const EC_AFFINE *T, + const EC_AFFINE *W, const EC_AFFINE *K0, + const EC_AFFINE *K1) { + static const uint8_t kDLEQLabel[] = "DLEQ"; + + int ok = 0; + CBB cbb; + CBB_zero(&cbb); + uint8_t *buf = NULL; + size_t len; + if (!CBB_init(&cbb, 0) || + !CBB_add_bytes(&cbb, kDLEQLabel, sizeof(kDLEQLabel)) || + !cbb_add_point(&cbb, method->group, X) || + !cbb_add_point(&cbb, method->group, T) || + !cbb_add_point(&cbb, method->group, W) || + !cbb_add_point(&cbb, method->group, K0) || + !cbb_add_point(&cbb, method->group, K1) || + !CBB_finish(&cbb, &buf, &len) || + !method->hash_to_scalar(method->group, out, buf, len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + ok = 1; + +err: + CBB_cleanup(&cbb); + OPENSSL_free(buf); + return ok; +} + +static int hash_to_scalar_batch(const VOPRF_METHOD *method, EC_SCALAR *out, + const CBB *points, size_t index) { + static const uint8_t kDLEQBatchLabel[] = "DLEQ BATCH"; + if (index > 0xffff) { + // The protocol supports only two-byte batches. + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); + return 0; + } + + int ok = 0; + CBB cbb; + CBB_zero(&cbb); + uint8_t *buf = NULL; + size_t len; + if (!CBB_init(&cbb, 0) || + !CBB_add_bytes(&cbb, kDLEQBatchLabel, sizeof(kDLEQBatchLabel)) || + !CBB_add_bytes(&cbb, CBB_data(points), CBB_len(points)) || + !CBB_add_u16(&cbb, (uint16_t)index) || + !CBB_finish(&cbb, &buf, &len) || + !method->hash_to_scalar(method->group, out, buf, len)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + ok = 1; + +err: + CBB_cleanup(&cbb); + OPENSSL_free(buf); + return ok; +} + +static int dleq_generate(const VOPRF_METHOD *method, CBB *cbb, + const TRUST_TOKEN_ISSUER_KEY *priv, + const EC_RAW_POINT *T, const EC_RAW_POINT *W) { + const EC_GROUP *group = method->group; + + enum { + idx_T, + idx_W, + idx_k0, + idx_k1, + num_idx, + }; + EC_RAW_POINT jacobians[num_idx]; + + // Setup the DLEQ proof. + EC_SCALAR r; + if (// r <- Zp + !ec_random_nonzero_scalar(group, &r, kDefaultAdditionalData) || + // k0;k1 = r*(G;T) + !ec_point_mul_scalar_base(group, &jacobians[idx_k0], &r) || + !ec_point_mul_scalar(group, &jacobians[idx_k1], T, &r)) { + return 0; + } + + EC_AFFINE affines[num_idx]; + jacobians[idx_T] = *T; + jacobians[idx_W] = *W; + if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) { + return 0; + } + + // Compute c = Hc(...). + EC_SCALAR c; + if (!hash_to_scalar_dleq(method, &c, &priv->pubs, &affines[idx_T], + &affines[idx_W], &affines[idx_k0], + &affines[idx_k1])) { + return 0; + } + + + EC_SCALAR c_mont; + ec_scalar_to_montgomery(group, &c_mont, &c); + + // u = r + c*xs + EC_SCALAR u; + ec_scalar_mul_montgomery(group, &u, &priv->xs, &c_mont); + ec_scalar_add(group, &u, &r, &u); + + // Store DLEQ proof in transcript. + if (!scalar_to_cbb(cbb, group, &c) || + !scalar_to_cbb(cbb, group, &u)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + return 0; + } + + return 1; +} + +static int mul_public_2(const EC_GROUP *group, EC_RAW_POINT *out, + const EC_RAW_POINT *p0, const EC_SCALAR *scalar0, + const EC_RAW_POINT *p1, const EC_SCALAR *scalar1) { + EC_RAW_POINT points[2] = {*p0, *p1}; + EC_SCALAR scalars[2] = {*scalar0, *scalar1}; + return ec_point_mul_scalar_public_batch(group, out, /*g_scalar=*/NULL, points, + scalars, 2); +} + +static int dleq_verify(const VOPRF_METHOD *method, CBS *cbs, + const TRUST_TOKEN_CLIENT_KEY *pub, const EC_RAW_POINT *T, + const EC_RAW_POINT *W) { + const EC_GROUP *group = method->group; + + + enum { + idx_T, + idx_W, + idx_k0, + idx_k1, + num_idx, + }; + EC_RAW_POINT jacobians[num_idx]; + + // Decode the DLEQ proof. + EC_SCALAR c, u; + if (!scalar_from_cbs(cbs, group, &c) || + !scalar_from_cbs(cbs, group, &u)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return 0; + } + + // k0;k1 = u*(G;T) - c*(pub;W) + EC_RAW_POINT pubs; + ec_affine_to_jacobian(group, &pubs, &pub->pubs); + EC_SCALAR minus_c; + ec_scalar_neg(group, &minus_c, &c); + if (!ec_point_mul_scalar_public(group, &jacobians[idx_k0], &u, &pubs, + &minus_c) || + !mul_public_2(group, &jacobians[idx_k1], T, &u, W, &minus_c)) { + return 0; + } + + // Check the DLEQ proof. + EC_AFFINE affines[num_idx]; + jacobians[idx_T] = *T; + jacobians[idx_W] = *W; + if (!ec_jacobian_to_affine_batch(group, affines, jacobians, num_idx)) { + return 0; + } + + // Compute c = Hc(...). + EC_SCALAR calculated; + if (!hash_to_scalar_dleq(method, &calculated, &pub->pubs, &affines[idx_T], + &affines[idx_W], &affines[idx_k0], + &affines[idx_k1])) { + return 0; + } + + // c == calculated + if (!ec_scalar_equal_vartime(group, &c, &calculated)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_PROOF); + return 0; + } + + return 1; +} + +static int voprf_sign(const VOPRF_METHOD *method, + const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + size_t num_requested, size_t num_to_issue) { + const EC_GROUP *group = method->group; + if (num_requested < num_to_issue) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR); + return 0; + } + + if (num_to_issue > ((size_t)-1) / sizeof(EC_RAW_POINT) || + num_to_issue > ((size_t)-1) / sizeof(EC_SCALAR)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); + return 0; + } + + int ret = 0; + EC_RAW_POINT *BTs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT)); + EC_RAW_POINT *Zs = OPENSSL_malloc(num_to_issue * sizeof(EC_RAW_POINT)); + EC_SCALAR *es = OPENSSL_malloc(num_to_issue * sizeof(EC_SCALAR)); + CBB batch_cbb; + CBB_zero(&batch_cbb); + if (!BTs || + !Zs || + !es || + !CBB_init(&batch_cbb, 0) || + !cbb_add_point(&batch_cbb, method->group, &key->pubs)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + for (size_t i = 0; i < num_to_issue; i++) { + EC_AFFINE BT_affine, Z_affine; + EC_RAW_POINT BT, Z; + if (!cbs_get_point(cbs, group, &BT_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + goto err; + } + ec_affine_to_jacobian(group, &BT, &BT_affine); + if (!ec_point_mul_scalar(group, &Z, &BT, &key->xs) || + !ec_jacobian_to_affine(group, &Z_affine, &Z) || + !cbb_add_point(cbb, group, &Z_affine)) { + goto err; + } + + if (!cbb_add_point(&batch_cbb, group, &BT_affine) || + !cbb_add_point(&batch_cbb, group, &Z_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + BTs[i] = BT; + Zs[i] = Z; + + if (!CBB_flush(cbb)) { + goto err; + } + } + + // The DLEQ batching construction is described in appendix B of + // https://eprint.iacr.org/2020/072/20200324:214215. Note the additional + // computations all act on public inputs. + for (size_t i = 0; i < num_to_issue; i++) { + if (!hash_to_scalar_batch(method, &es[i], &batch_cbb, i)) { + goto err; + } + } + + EC_RAW_POINT BT_batch, Z_batch; + if (!ec_point_mul_scalar_public_batch(group, &BT_batch, + /*g_scalar=*/NULL, BTs, es, + num_to_issue) || + !ec_point_mul_scalar_public_batch(group, &Z_batch, + /*g_scalar=*/NULL, Zs, es, + num_to_issue)) { + goto err; + } + + CBB proof; + if (!CBB_add_u16_length_prefixed(cbb, &proof) || + !dleq_generate(method, &proof, key, &BT_batch, &Z_batch) || + !CBB_flush(cbb)) { + goto err; + } + + // Skip over any unused requests. + size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + if (!CBS_skip(cbs, point_len * (num_requested - num_to_issue))) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + goto err; + } + + ret = 1; + +err: + OPENSSL_free(BTs); + OPENSSL_free(Zs); + OPENSSL_free(es); + CBB_cleanup(&batch_cbb); + return ret; +} + +static STACK_OF(TRUST_TOKEN) * + voprf_unblind(const VOPRF_METHOD *method, const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, CBS *cbs, + size_t count, uint32_t key_id) { + const EC_GROUP *group = method->group; + if (count > sk_TRUST_TOKEN_PRETOKEN_num(pretokens)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + return NULL; + } + + int ok = 0; + STACK_OF(TRUST_TOKEN) *ret = sk_TRUST_TOKEN_new_null(); + if (ret == NULL) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + return NULL; + } + + if (count > ((size_t)-1) / sizeof(EC_RAW_POINT) || + count > ((size_t)-1) / sizeof(EC_SCALAR)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_OVERFLOW); + return 0; + } + EC_RAW_POINT *BTs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT)); + EC_RAW_POINT *Zs = OPENSSL_malloc(count * sizeof(EC_RAW_POINT)); + EC_SCALAR *es = OPENSSL_malloc(count * sizeof(EC_SCALAR)); + CBB batch_cbb; + CBB_zero(&batch_cbb); + if (!BTs || + !Zs || + !es || + !CBB_init(&batch_cbb, 0) || + !cbb_add_point(&batch_cbb, method->group, &key->pubs)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + for (size_t i = 0; i < count; i++) { + const TRUST_TOKEN_PRETOKEN *pretoken = + sk_TRUST_TOKEN_PRETOKEN_value(pretokens, i); + + EC_AFFINE Z_affine; + if (!cbs_get_point(cbs, group, &Z_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_DECODE_FAILURE); + goto err; + } + + ec_affine_to_jacobian(group, &BTs[i], &pretoken->Tp); + ec_affine_to_jacobian(group, &Zs[i], &Z_affine); + + if (!cbb_add_point(&batch_cbb, group, &pretoken->Tp) || + !cbb_add_point(&batch_cbb, group, &Z_affine)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + goto err; + } + + // Unblind the token. + // pretoken->r is rinv. + EC_RAW_POINT N; + EC_AFFINE N_affine; + if (!ec_point_mul_scalar(group, &N, &Zs[i], &pretoken->r) || + !ec_jacobian_to_affine(group, &N_affine, &N)) { + goto err; + } + + // Serialize the token. Include |key_id| to avoid an extra copy in the layer + // above. + CBB token_cbb; + size_t point_len = 1 + 2 * BN_num_bytes(&group->field); + if (!CBB_init(&token_cbb, 4 + TRUST_TOKEN_NONCE_SIZE + (2 + point_len)) || + !CBB_add_u32(&token_cbb, key_id) || + !CBB_add_bytes(&token_cbb, pretoken->t, TRUST_TOKEN_NONCE_SIZE) || + !cbb_add_point(&token_cbb, group, &N_affine) || + !CBB_flush(&token_cbb)) { + CBB_cleanup(&token_cbb); + goto err; + } + + TRUST_TOKEN *token = + TRUST_TOKEN_new(CBB_data(&token_cbb), CBB_len(&token_cbb)); + CBB_cleanup(&token_cbb); + if (token == NULL || + !sk_TRUST_TOKEN_push(ret, token)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE); + TRUST_TOKEN_free(token); + goto err; + } + } + + // The DLEQ batching construction is described in appendix B of + // https://eprint.iacr.org/2020/072/20200324:214215. Note the additional + // computations all act on public inputs. + for (size_t i = 0; i < count; i++) { + if (!hash_to_scalar_batch(method, &es[i], &batch_cbb, i)) { + goto err; + } + } + + EC_RAW_POINT BT_batch, Z_batch; + if (!ec_point_mul_scalar_public_batch(group, &BT_batch, + /*g_scalar=*/NULL, BTs, es, count) || + !ec_point_mul_scalar_public_batch(group, &Z_batch, + /*g_scalar=*/NULL, Zs, es, count)) { + goto err; + } + + CBS proof; + if (!CBS_get_u16_length_prefixed(cbs, &proof) || + !dleq_verify(method, &proof, key, &BT_batch, &Z_batch) || + CBS_len(&proof) != 0) { + goto err; + } + + ok = 1; + +err: + OPENSSL_free(BTs); + OPENSSL_free(Zs); + OPENSSL_free(es); + CBB_cleanup(&batch_cbb); + if (!ok) { + sk_TRUST_TOKEN_pop_free(ret, TRUST_TOKEN_free); + ret = NULL; + } + return ret; +} + +static int voprf_read(const VOPRF_METHOD *method, + const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], + const uint8_t *token, size_t token_len) { + const EC_GROUP *group = method->group; + CBS cbs; + CBS_init(&cbs, token, token_len); + EC_AFFINE Ws; + if (!CBS_copy_bytes(&cbs, out_nonce, TRUST_TOKEN_NONCE_SIZE) || + !cbs_get_point(&cbs, group, &Ws) || + CBS_len(&cbs) != 0) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_INVALID_TOKEN); + return 0; + } + + + EC_RAW_POINT T; + if (!method->hash_to_group(group, &T, out_nonce)) { + return 0; + } + + EC_RAW_POINT Ws_calculated; + if (!ec_point_mul_scalar(group, &Ws_calculated, &T, &key->xs) || + !ec_affine_jacobian_equal(group, &Ws, &Ws_calculated)) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BAD_VALIDITY_CHECK); + return 0; + } + + return 1; +} + + +// VOPRF experiment v2. + +static int voprf_exp2_hash_to_group(const EC_GROUP *group, EC_RAW_POINT *out, + const uint8_t t[TRUST_TOKEN_NONCE_SIZE]) { + const uint8_t kHashTLabel[] = "TrustToken VOPRF Experiment V2 HashToGroup"; + return ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( + group, out, kHashTLabel, sizeof(kHashTLabel), t, TRUST_TOKEN_NONCE_SIZE); +} + +static int voprf_exp2_hash_to_scalar(const EC_GROUP *group, EC_SCALAR *out, + uint8_t *buf, size_t len) { + const uint8_t kHashCLabel[] = "TrustToken VOPRF Experiment V2 HashToScalar"; + return ec_hash_to_scalar_p384_xmd_sha512_draft07( + group, out, kHashCLabel, sizeof(kHashCLabel), buf, len); +} + +static int voprf_exp2_ok = 0; +static VOPRF_METHOD voprf_exp2_method; +static CRYPTO_once_t voprf_exp2_method_once = CRYPTO_ONCE_INIT; + +static void voprf_exp2_init_method_impl(void) { + voprf_exp2_ok = + voprf_init_method(&voprf_exp2_method, NID_secp384r1, + voprf_exp2_hash_to_group, voprf_exp2_hash_to_scalar); +} + +static int voprf_exp2_init_method(void) { + CRYPTO_once(&voprf_exp2_method_once, voprf_exp2_init_method_impl); + if (!voprf_exp2_ok) { + OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_INTERNAL_ERROR); + return 0; + } + return 1; +} + +int voprf_exp2_generate_key(CBB *out_private, CBB *out_public) { + if (!voprf_exp2_init_method()) { + return 0; + } + + return voprf_generate_key(&voprf_exp2_method, out_private, out_public); +} + +int voprf_exp2_client_key_from_bytes(TRUST_TOKEN_CLIENT_KEY *key, + const uint8_t *in, size_t len) { + if (!voprf_exp2_init_method()) { + return 0; + } + return voprf_client_key_from_bytes(&voprf_exp2_method, key, in, len); +} + +int voprf_exp2_issuer_key_from_bytes(TRUST_TOKEN_ISSUER_KEY *key, + const uint8_t *in, size_t len) { + if (!voprf_exp2_init_method()) { + return 0; + } + return voprf_issuer_key_from_bytes(&voprf_exp2_method, key, in, len); +} + +STACK_OF(TRUST_TOKEN_PRETOKEN) * voprf_exp2_blind(CBB *cbb, size_t count) { + if (!voprf_exp2_init_method()) { + return NULL; + } + return voprf_blind(&voprf_exp2_method, cbb, count); +} + +int voprf_exp2_sign(const TRUST_TOKEN_ISSUER_KEY *key, CBB *cbb, CBS *cbs, + size_t num_requested, size_t num_to_issue, + uint8_t private_metadata) { + if (!voprf_exp2_init_method() || private_metadata != 0) { + return 0; + } + return voprf_sign(&voprf_exp2_method, key, cbb, cbs, num_requested, + num_to_issue); +} + +STACK_OF(TRUST_TOKEN) * + voprf_exp2_unblind(const TRUST_TOKEN_CLIENT_KEY *key, + const STACK_OF(TRUST_TOKEN_PRETOKEN) * pretokens, + CBS *cbs, size_t count, uint32_t key_id) { + if (!voprf_exp2_init_method()) { + return NULL; + } + return voprf_unblind(&voprf_exp2_method, key, pretokens, cbs, count, + key_id); +} + +int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key, + uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE], + uint8_t *out_private_metadata, const uint8_t *token, + size_t token_len) { + if (!voprf_exp2_init_method()) { + return 0; + } + return voprf_read(&voprf_exp2_method, key, out_nonce, token, token_len); +} diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/pcy_data.c b/Sources/CNIOBoringSSL/crypto/x509v3/pcy_data.c index 63c6082a..15eeaffb 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/pcy_data.c +++ b/Sources/CNIOBoringSSL/crypto/x509v3/pcy_data.c @@ -98,13 +98,15 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, } else id = NULL; ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA)); - if (!ret) + if (!ret) { + OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); + ASN1_OBJECT_free(id); return NULL; + } ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); if (!ret->expected_policy_set) { OPENSSL_free(ret); - if (id) - ASN1_OBJECT_free(id); + ASN1_OBJECT_free(id); return NULL; } diff --git a/Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c b/Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c index 4c741282..55f8c9a2 100644 --- a/Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c +++ b/Sources/CNIOBoringSSL/crypto/x509v3/v3_alt.c @@ -288,40 +288,40 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens) { - GENERAL_NAMES *ialt; - GENERAL_NAME *gen; - X509_EXTENSION *ext; - int i; - size_t j; if (ctx && (ctx->flags == CTX_TEST)) return 1; if (!ctx || !ctx->issuer_cert) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_ISSUER_DETAILS); - goto err; + return 0; } - i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1); + int i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1); if (i < 0) return 1; + + int ret = 0; + GENERAL_NAMES *ialt = NULL; + X509_EXTENSION *ext; if (!(ext = X509_get_ext(ctx->issuer_cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_ISSUER_DECODE_ERROR); goto err; } - for (j = 0; j < sk_GENERAL_NAME_num(ialt); j++) { - gen = sk_GENERAL_NAME_value(ialt, j); + for (size_t j = 0; j < sk_GENERAL_NAME_num(ialt); j++) { + GENERAL_NAME *gen = sk_GENERAL_NAME_value(ialt, j); if (!sk_GENERAL_NAME_push(gens, gen)) { OPENSSL_PUT_ERROR(X509V3, ERR_R_MALLOC_FAILURE); goto err; } + /* Ownership of |gen| has moved from |ialt| to |gens|. */ + sk_GENERAL_NAME_set(ialt, j, NULL); } - sk_GENERAL_NAME_free(ialt); - - return 1; - err: - return 0; + ret = 1; +err: + GENERAL_NAMES_free(ialt); + return ret; } static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method, diff --git a/Sources/CNIOBoringSSL/hash.txt b/Sources/CNIOBoringSSL/hash.txt index b4767176..a718e2a8 100644 --- a/Sources/CNIOBoringSSL/hash.txt +++ b/Sources/CNIOBoringSSL/hash.txt @@ -1 +1 @@ -This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision 67818bea6690a230e2f42e8a588e0f54949bbbf1 +This directory is derived from BoringSSL cloned from https://boringssl.googlesource.com/boringssl at revision 3989c99706bf30054798ff82f1cb010e50e385f5 diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h index 5875e3db..f3965ce1 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_base.h @@ -143,7 +143,10 @@ extern "C" { #define OPENSSL_WINDOWS #endif -#if defined(__linux__) +// Trusty isn't Linux but currently defines __linux__. As a workaround, we +// exclude it here. +// TODO(b/169780122): Remove this workaround once Trusty no longer defines it. +#if defined(__linux__) && !defined(TRUSTY) #define OPENSSL_LINUX #endif diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h index a492b152..c1cc57fc 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_bio.h @@ -199,6 +199,10 @@ OPENSSL_EXPORT int BIO_should_io_special(const BIO *bio); // retried. The return value is one of the |BIO_RR_*| values. OPENSSL_EXPORT int BIO_get_retry_reason(const BIO *bio); +// BIO_set_retry_reason sets the special I/O operation that needs to be retried +// to |reason|, which should be one of the |BIO_RR_*| values. +OPENSSL_EXPORT void BIO_set_retry_reason(BIO *bio, int reason); + // BIO_clear_flags ANDs |bio->flags| with the bitwise-complement of |flags|. OPENSSL_EXPORT void BIO_clear_flags(BIO *bio, int flags); diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h index 6fc84902..4d7f38d8 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols.h @@ -286,6 +286,7 @@ #define BIO_set_mem_eof_return BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_mem_eof_return) #define BIO_set_nbio BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_nbio) #define BIO_set_retry_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_read) +#define BIO_set_retry_reason BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_reason) #define BIO_set_retry_special BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_special) #define BIO_set_retry_write BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_retry_write) #define BIO_set_shutdown BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, BIO_set_shutdown) @@ -1434,7 +1435,6 @@ #define PKCS8_parse_encrypted_private_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_parse_encrypted_private_key) #define PKCS8_pkey_get0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_pkey_get0) #define PKCS8_pkey_set0 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PKCS8_pkey_set0) -#define PMBTOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, PMBTOKEN_PRETOKEN_free) #define POLICYINFO_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYINFO_free) #define POLICYINFO_it BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYINFO_it) #define POLICYINFO_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, POLICYINFO_new) @@ -2079,10 +2079,11 @@ #define TRUST_TOKEN_ISSUER_redeem BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_redeem) #define TRUST_TOKEN_ISSUER_set_metadata_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_metadata_key) #define TRUST_TOKEN_ISSUER_set_srr_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_srr_key) +#define TRUST_TOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_PRETOKEN_free) #define TRUST_TOKEN_decode_private_metadata BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_decode_private_metadata) #define TRUST_TOKEN_experiment_v1 BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v1) #define TRUST_TOKEN_experiment_v2_pmb BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_pmb) -#define TRUST_TOKEN_experiment_v2_pp BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_pp) +#define TRUST_TOKEN_experiment_v2_voprf BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_voprf) #define TRUST_TOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_free) #define TRUST_TOKEN_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_generate_key) #define TRUST_TOKEN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, TRUST_TOKEN_new) @@ -3326,6 +3327,13 @@ #define v3_policy_mappings BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_policy_mappings) #define v3_sinfo BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_sinfo) #define v3_skey_id BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, v3_skey_id) +#define voprf_exp2_blind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_blind) +#define voprf_exp2_client_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_client_key_from_bytes) +#define voprf_exp2_generate_key BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_generate_key) +#define voprf_exp2_issuer_key_from_bytes BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_issuer_key_from_bytes) +#define voprf_exp2_read BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_read) +#define voprf_exp2_sign BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_sign) +#define voprf_exp2_unblind BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, voprf_exp2_unblind) #define vpaes_cbc_encrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_cbc_encrypt) #define vpaes_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_ctr32_encrypt_blocks) #define vpaes_decrypt BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, vpaes_decrypt) @@ -3378,29 +3386,29 @@ #define sk_ASN1_STRING_TABLE_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_is_sorted) #define sk_ASN1_STRING_TABLE_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_set_cmp_func) #define sk_ASN1_STRING_TABLE_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_ASN1_STRING_TABLE_deep_copy) -#define sk_PMBTOKEN_PRETOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_call_free_func) -#define sk_PMBTOKEN_PRETOKEN_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_call_copy_func) -#define sk_PMBTOKEN_PRETOKEN_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_call_cmp_func) -#define sk_PMBTOKEN_PRETOKEN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_new) -#define sk_PMBTOKEN_PRETOKEN_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_new_null) -#define sk_PMBTOKEN_PRETOKEN_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_num) -#define sk_PMBTOKEN_PRETOKEN_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_zero) -#define sk_PMBTOKEN_PRETOKEN_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_value) -#define sk_PMBTOKEN_PRETOKEN_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_set) -#define sk_PMBTOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_free) -#define sk_PMBTOKEN_PRETOKEN_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_pop_free) -#define sk_PMBTOKEN_PRETOKEN_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_insert) -#define sk_PMBTOKEN_PRETOKEN_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_delete) -#define sk_PMBTOKEN_PRETOKEN_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_delete_ptr) -#define sk_PMBTOKEN_PRETOKEN_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_find) -#define sk_PMBTOKEN_PRETOKEN_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_shift) -#define sk_PMBTOKEN_PRETOKEN_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_push) -#define sk_PMBTOKEN_PRETOKEN_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_pop) -#define sk_PMBTOKEN_PRETOKEN_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_dup) -#define sk_PMBTOKEN_PRETOKEN_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_sort) -#define sk_PMBTOKEN_PRETOKEN_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_is_sorted) -#define sk_PMBTOKEN_PRETOKEN_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_set_cmp_func) -#define sk_PMBTOKEN_PRETOKEN_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_PMBTOKEN_PRETOKEN_deep_copy) +#define sk_TRUST_TOKEN_PRETOKEN_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_free_func) +#define sk_TRUST_TOKEN_PRETOKEN_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_copy_func) +#define sk_TRUST_TOKEN_PRETOKEN_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_call_cmp_func) +#define sk_TRUST_TOKEN_PRETOKEN_new BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_new) +#define sk_TRUST_TOKEN_PRETOKEN_new_null BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_new_null) +#define sk_TRUST_TOKEN_PRETOKEN_num BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_num) +#define sk_TRUST_TOKEN_PRETOKEN_zero BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_zero) +#define sk_TRUST_TOKEN_PRETOKEN_value BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_value) +#define sk_TRUST_TOKEN_PRETOKEN_set BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_set) +#define sk_TRUST_TOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_free) +#define sk_TRUST_TOKEN_PRETOKEN_pop_free BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_pop_free) +#define sk_TRUST_TOKEN_PRETOKEN_insert BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_insert) +#define sk_TRUST_TOKEN_PRETOKEN_delete BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_delete) +#define sk_TRUST_TOKEN_PRETOKEN_delete_ptr BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_delete_ptr) +#define sk_TRUST_TOKEN_PRETOKEN_find BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_find) +#define sk_TRUST_TOKEN_PRETOKEN_shift BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_shift) +#define sk_TRUST_TOKEN_PRETOKEN_push BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_push) +#define sk_TRUST_TOKEN_PRETOKEN_pop BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_pop) +#define sk_TRUST_TOKEN_PRETOKEN_dup BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_dup) +#define sk_TRUST_TOKEN_PRETOKEN_sort BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_sort) +#define sk_TRUST_TOKEN_PRETOKEN_is_sorted BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_is_sorted) +#define sk_TRUST_TOKEN_PRETOKEN_set_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_set_cmp_func) +#define sk_TRUST_TOKEN_PRETOKEN_deep_copy BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_TRUST_TOKEN_PRETOKEN_deep_copy) #define sk_CRYPTO_EX_DATA_FUNCS_call_free_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_call_free_func) #define sk_CRYPTO_EX_DATA_FUNCS_call_copy_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_call_copy_func) #define sk_CRYPTO_EX_DATA_FUNCS_call_cmp_func BORINGSSL_ADD_PREFIX(BORINGSSL_PREFIX, sk_CRYPTO_EX_DATA_FUNCS_call_cmp_func) diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h index 0ac5a4fe..91b4ce67 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_boringssl_prefix_symbols_asm.h @@ -291,6 +291,7 @@ #define _BIO_set_mem_eof_return BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_mem_eof_return) #define _BIO_set_nbio BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_nbio) #define _BIO_set_retry_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_read) +#define _BIO_set_retry_reason BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_reason) #define _BIO_set_retry_special BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_special) #define _BIO_set_retry_write BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_retry_write) #define _BIO_set_shutdown BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, BIO_set_shutdown) @@ -1439,7 +1440,6 @@ #define _PKCS8_parse_encrypted_private_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_parse_encrypted_private_key) #define _PKCS8_pkey_get0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_pkey_get0) #define _PKCS8_pkey_set0 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PKCS8_pkey_set0) -#define _PMBTOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, PMBTOKEN_PRETOKEN_free) #define _POLICYINFO_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYINFO_free) #define _POLICYINFO_it BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYINFO_it) #define _POLICYINFO_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, POLICYINFO_new) @@ -2084,10 +2084,11 @@ #define _TRUST_TOKEN_ISSUER_redeem BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_redeem) #define _TRUST_TOKEN_ISSUER_set_metadata_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_metadata_key) #define _TRUST_TOKEN_ISSUER_set_srr_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_ISSUER_set_srr_key) +#define _TRUST_TOKEN_PRETOKEN_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_PRETOKEN_free) #define _TRUST_TOKEN_decode_private_metadata BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_decode_private_metadata) #define _TRUST_TOKEN_experiment_v1 BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v1) #define _TRUST_TOKEN_experiment_v2_pmb BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_pmb) -#define _TRUST_TOKEN_experiment_v2_pp BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_pp) +#define _TRUST_TOKEN_experiment_v2_voprf BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_experiment_v2_voprf) #define _TRUST_TOKEN_free BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_free) #define _TRUST_TOKEN_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_generate_key) #define _TRUST_TOKEN_new BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, TRUST_TOKEN_new) @@ -3331,6 +3332,13 @@ #define _v3_policy_mappings BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_policy_mappings) #define _v3_sinfo BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_sinfo) #define _v3_skey_id BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, v3_skey_id) +#define _voprf_exp2_blind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_blind) +#define _voprf_exp2_client_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_client_key_from_bytes) +#define _voprf_exp2_generate_key BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_generate_key) +#define _voprf_exp2_issuer_key_from_bytes BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_issuer_key_from_bytes) +#define _voprf_exp2_read BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_read) +#define _voprf_exp2_sign BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_sign) +#define _voprf_exp2_unblind BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, voprf_exp2_unblind) #define _vpaes_cbc_encrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_cbc_encrypt) #define _vpaes_ctr32_encrypt_blocks BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_ctr32_encrypt_blocks) #define _vpaes_decrypt BORINGSSL_ADD_PREFIX_MAC_ASM(BORINGSSL_PREFIX, vpaes_decrypt) diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h index 448834b8..d50ec4e2 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_des.h @@ -65,6 +65,12 @@ extern "C" { // DES. +// +// This module is deprecated and retained for legacy reasons only. It is slow +// and may leak key material with timing or cache side channels. Moreover, +// single-keyed DES is broken and can be brute-forced in under a day. +// +// Use a modern cipher, such as AES-GCM or ChaCha20-Poly1305, instead. typedef struct DES_cblock_st { diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h index 05f6eba1..2016fb79 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_pem.h @@ -62,64 +62,63 @@ #include "CNIOBoringSSL_cipher.h" #include "CNIOBoringSSL_digest.h" #include "CNIOBoringSSL_evp.h" -#include "CNIOBoringSSL_stack.h" #include "CNIOBoringSSL_pkcs7.h" +#include "CNIOBoringSSL_stack.h" #include "CNIOBoringSSL_x509.h" -/* For compatibility with open-iscsi, which assumes that it can get - * |OPENSSL_malloc| from pem.h or err.h */ +// For compatibility with open-iscsi, which assumes that it can get +// |OPENSSL_malloc| from pem.h or err.h #include "CNIOBoringSSL_crypto.h" -#ifdef __cplusplus +#ifdef __cplusplus extern "C" { #endif -#define PEM_BUFSIZE 1024 - -#define PEM_STRING_X509_OLD "X509 CERTIFICATE" -#define PEM_STRING_X509 "CERTIFICATE" -#define PEM_STRING_X509_PAIR "CERTIFICATE PAIR" -#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE" -#define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST" -#define PEM_STRING_X509_REQ "CERTIFICATE REQUEST" -#define PEM_STRING_X509_CRL "X509 CRL" -#define PEM_STRING_EVP_PKEY "ANY PRIVATE KEY" -#define PEM_STRING_PUBLIC "PUBLIC KEY" -#define PEM_STRING_RSA "RSA PRIVATE KEY" -#define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY" -#define PEM_STRING_DSA "DSA PRIVATE KEY" -#define PEM_STRING_DSA_PUBLIC "DSA PUBLIC KEY" +#define PEM_BUFSIZE 1024 + +#define PEM_STRING_X509_OLD "X509 CERTIFICATE" +#define PEM_STRING_X509 "CERTIFICATE" +#define PEM_STRING_X509_PAIR "CERTIFICATE PAIR" +#define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE" +#define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST" +#define PEM_STRING_X509_REQ "CERTIFICATE REQUEST" +#define PEM_STRING_X509_CRL "X509 CRL" +#define PEM_STRING_EVP_PKEY "ANY PRIVATE KEY" +#define PEM_STRING_PUBLIC "PUBLIC KEY" +#define PEM_STRING_RSA "RSA PRIVATE KEY" +#define PEM_STRING_RSA_PUBLIC "RSA PUBLIC KEY" +#define PEM_STRING_DSA "DSA PRIVATE KEY" +#define PEM_STRING_DSA_PUBLIC "DSA PUBLIC KEY" #define PEM_STRING_EC "EC PRIVATE KEY" -#define PEM_STRING_PKCS7 "PKCS7" -#define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA" -#define PEM_STRING_PKCS8 "ENCRYPTED PRIVATE KEY" -#define PEM_STRING_PKCS8INF "PRIVATE KEY" -#define PEM_STRING_DHPARAMS "DH PARAMETERS" -#define PEM_STRING_SSL_SESSION "SSL SESSION PARAMETERS" -#define PEM_STRING_DSAPARAMS "DSA PARAMETERS" +#define PEM_STRING_PKCS7 "PKCS7" +#define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA" +#define PEM_STRING_PKCS8 "ENCRYPTED PRIVATE KEY" +#define PEM_STRING_PKCS8INF "PRIVATE KEY" +#define PEM_STRING_DHPARAMS "DH PARAMETERS" +#define PEM_STRING_SSL_SESSION "SSL SESSION PARAMETERS" +#define PEM_STRING_DSAPARAMS "DSA PARAMETERS" #define PEM_STRING_ECDSA_PUBLIC "ECDSA PUBLIC KEY" -#define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY" -#define PEM_STRING_CMS "CMS" +#define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY" +#define PEM_STRING_CMS "CMS" -/* enc_type is one off */ -#define PEM_TYPE_ENCRYPTED 10 -#define PEM_TYPE_MIC_ONLY 20 -#define PEM_TYPE_MIC_CLEAR 30 -#define PEM_TYPE_CLEAR 40 +// enc_type is one off +#define PEM_TYPE_ENCRYPTED 10 +#define PEM_TYPE_MIC_ONLY 20 +#define PEM_TYPE_MIC_CLEAR 30 +#define PEM_TYPE_CLEAR 40 -/* These macros make the PEM_read/PEM_write functions easier to maintain and - * write. Now they are all implemented with either: - * IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...) - */ +// These macros make the PEM_read/PEM_write functions easier to maintain and +// write. Now they are all implemented with either: +// IMPLEMENT_PEM_rw(...) or IMPLEMENT_PEM_rw_cb(...) #ifdef OPENSSL_NO_FP_API -#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/ -#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/ -#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) /**/ -#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/ -#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_read_fp(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_fp(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) // +#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) // #else @@ -228,133 +227,178 @@ extern "C" { } #define IMPLEMENT_PEM_write(name, type, str, asn1) \ - IMPLEMENT_PEM_write_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_write_fp(name, type, str, asn1) + IMPLEMENT_PEM_write_bio(name, type, str, asn1) \ + IMPLEMENT_PEM_write_fp(name, type, str, asn1) #define IMPLEMENT_PEM_write_const(name, type, str, asn1) \ - IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \ - IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) + IMPLEMENT_PEM_write_bio_const(name, type, str, asn1) \ + IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) #define IMPLEMENT_PEM_write_cb(name, type, str, asn1) \ - IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) + IMPLEMENT_PEM_write_cb_bio(name, type, str, asn1) \ + IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) #define IMPLEMENT_PEM_write_cb_const(name, type, str, asn1) \ - IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \ - IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) + IMPLEMENT_PEM_write_cb_bio_const(name, type, str, asn1) \ + IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) #define IMPLEMENT_PEM_read(name, type, str, asn1) \ - IMPLEMENT_PEM_read_bio(name, type, str, asn1) \ - IMPLEMENT_PEM_read_fp(name, type, str, asn1) + IMPLEMENT_PEM_read_bio(name, type, str, asn1) \ + IMPLEMENT_PEM_read_fp(name, type, str, asn1) #define IMPLEMENT_PEM_rw(name, type, str, asn1) \ - IMPLEMENT_PEM_read(name, type, str, asn1) \ - IMPLEMENT_PEM_write(name, type, str, asn1) + IMPLEMENT_PEM_read(name, type, str, asn1) \ + IMPLEMENT_PEM_write(name, type, str, asn1) #define IMPLEMENT_PEM_rw_const(name, type, str, asn1) \ - IMPLEMENT_PEM_read(name, type, str, asn1) \ - IMPLEMENT_PEM_write_const(name, type, str, asn1) + IMPLEMENT_PEM_read(name, type, str, asn1) \ + IMPLEMENT_PEM_write_const(name, type, str, asn1) #define IMPLEMENT_PEM_rw_cb(name, type, str, asn1) \ - IMPLEMENT_PEM_read(name, type, str, asn1) \ - IMPLEMENT_PEM_write_cb(name, type, str, asn1) + IMPLEMENT_PEM_read(name, type, str, asn1) \ + IMPLEMENT_PEM_write_cb(name, type, str, asn1) -/* These are the same except they are for the declarations */ +// These are the same except they are for the declarations #if defined(OPENSSL_NO_FP_API) -#define DECLARE_PEM_read_fp(name, type) /**/ -#define DECLARE_PEM_write_fp(name, type) /**/ -#define DECLARE_PEM_write_cb_fp(name, type) /**/ +#define DECLARE_PEM_read_fp(name, type) // +#define DECLARE_PEM_write_fp(name, type) // +#define DECLARE_PEM_write_cb_fp(name, type) // #else -#define DECLARE_PEM_read_fp(name, type) \ - OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, pem_password_cb *cb, void *u); +#define DECLARE_PEM_read_fp(name, type) \ + OPENSSL_EXPORT type *PEM_read_##name(FILE *fp, type **x, \ + pem_password_cb *cb, void *u); #define DECLARE_PEM_write_fp(name, type) \ - OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x); + OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x); #define DECLARE_PEM_write_fp_const(name, type) \ - OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x); + OPENSSL_EXPORT int PEM_write_##name(FILE *fp, const type *x); -#define DECLARE_PEM_write_cb_fp(name, type) \ - OPENSSL_EXPORT int PEM_write_##name(FILE *fp, type *x, const EVP_CIPHER *enc, \ - unsigned char *kstr, int klen, pem_password_cb *cb, void *u); +#define DECLARE_PEM_write_cb_fp(name, type) \ + OPENSSL_EXPORT int PEM_write_##name( \ + FILE *fp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ + pem_password_cb *cb, void *u); #endif -#define DECLARE_PEM_read_bio(name, type) \ - OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, pem_password_cb *cb, void *u); +#define DECLARE_PEM_read_bio(name, type) \ + OPENSSL_EXPORT type *PEM_read_bio_##name(BIO *bp, type **x, \ + pem_password_cb *cb, void *u); #define DECLARE_PEM_write_bio(name, type) \ - OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x); + OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x); #define DECLARE_PEM_write_bio_const(name, type) \ - OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x); + OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, const type *x); -#define DECLARE_PEM_write_cb_bio(name, type) \ - OPENSSL_EXPORT int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ - unsigned char *kstr, int klen, pem_password_cb *cb, void *u); +#define DECLARE_PEM_write_cb_bio(name, type) \ + OPENSSL_EXPORT int PEM_write_bio_##name( \ + BIO *bp, type *x, const EVP_CIPHER *enc, unsigned char *kstr, int klen, \ + pem_password_cb *cb, void *u); #define DECLARE_PEM_write(name, type) \ - DECLARE_PEM_write_bio(name, type) \ - DECLARE_PEM_write_fp(name, type) + DECLARE_PEM_write_bio(name, type) \ + DECLARE_PEM_write_fp(name, type) #define DECLARE_PEM_write_const(name, type) \ - DECLARE_PEM_write_bio_const(name, type) \ - DECLARE_PEM_write_fp_const(name, type) + DECLARE_PEM_write_bio_const(name, type) \ + DECLARE_PEM_write_fp_const(name, type) #define DECLARE_PEM_write_cb(name, type) \ - DECLARE_PEM_write_cb_bio(name, type) \ - DECLARE_PEM_write_cb_fp(name, type) + DECLARE_PEM_write_cb_bio(name, type) \ + DECLARE_PEM_write_cb_fp(name, type) #define DECLARE_PEM_read(name, type) \ - DECLARE_PEM_read_bio(name, type) \ - DECLARE_PEM_read_fp(name, type) + DECLARE_PEM_read_bio(name, type) \ + DECLARE_PEM_read_fp(name, type) #define DECLARE_PEM_rw(name, type) \ - DECLARE_PEM_read(name, type) \ - DECLARE_PEM_write(name, type) + DECLARE_PEM_read(name, type) \ + DECLARE_PEM_write(name, type) #define DECLARE_PEM_rw_const(name, type) \ - DECLARE_PEM_read(name, type) \ - DECLARE_PEM_write_const(name, type) + DECLARE_PEM_read(name, type) \ + DECLARE_PEM_write_const(name, type) #define DECLARE_PEM_rw_cb(name, type) \ - DECLARE_PEM_read(name, type) \ - DECLARE_PEM_write_cb(name, type) + DECLARE_PEM_read(name, type) \ + DECLARE_PEM_write_cb(name, type) -/* "userdata": new with OpenSSL 0.9.4 */ +// "userdata": new with OpenSSL 0.9.4 typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata); -OPENSSL_EXPORT int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher); -OPENSSL_EXPORT int PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data,long *len, pem_password_cb *callback,void *u); - -OPENSSL_EXPORT int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data,long *len); -OPENSSL_EXPORT int PEM_write_bio(BIO *bp,const char *name, const char *hdr, const unsigned char *data, long len); -OPENSSL_EXPORT int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char *name, BIO *bp, pem_password_cb *cb, void *u); -OPENSSL_EXPORT void * PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, BIO *bp, void **x, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d,const char *name,BIO *bp, void *x, const EVP_CIPHER *enc,unsigned char *kstr,int klen, pem_password_cb *cb, void *u); - -OPENSSL_EXPORT STACK_OF(X509_INFO) * PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int PEM_X509_INFO_write_bio(BIO *bp,X509_INFO *xi, EVP_CIPHER *enc, unsigned char *kstr, int klen, pem_password_cb *cd, void *u); - -OPENSSL_EXPORT int PEM_read(FILE *fp, char **name, char **header, unsigned char **data,long *len); -OPENSSL_EXPORT int PEM_write(FILE *fp, const char *name, const char *hdr, const unsigned char *data, long len); -OPENSSL_EXPORT void * PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d,const char *name,FILE *fp, void *x,const EVP_CIPHER *enc,unsigned char *kstr, int klen,pem_password_cb *callback, void *u); -OPENSSL_EXPORT STACK_OF(X509_INFO) * PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); - -/* PEM_def_callback treats |userdata| as a string and copies it into |buf|, - * assuming its |size| is sufficient. Returns the length of the string, or 0 - * if there is not enough room. If either |buf| or |userdata| is NULL, 0 is - * returned. Note that this is different from OpenSSL, which prompts for a - * password. */ -OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag, void *userdata); -OPENSSL_EXPORT void PEM_proc_type(char *buf, int type); -OPENSSL_EXPORT void PEM_dek_info(char *buf, const char *type, int len, char *str); +OPENSSL_EXPORT int PEM_get_EVP_CIPHER_INFO(char *header, + EVP_CIPHER_INFO *cipher); +OPENSSL_EXPORT int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, + long *len, pem_password_cb *callback, void *u); + +// PEM_read_bio reads from |bp|, until the next PEM block. If one is found, it +// returns one and sets |*name|, |*header|, and |*data| to newly-allocated +// buffers containing the PEM type, the header block, and the decoded data, +// respectively. |*name| and |*header| are NUL-terminated C strings, while +// |*data| has |*len| bytes. The caller must release each of |*name|, |*header|, +// and |*data| with |OPENSSL_free| when done. If no PEM block is found, this +// function returns zero and pushes |PEM_R_NO_START_LINE| to the error queue. If +// one is found, but there is an error decoding it, it returns zero and pushes +// some other error to the error queue. +OPENSSL_EXPORT int PEM_read_bio(BIO *bp, char **name, char **header, + unsigned char **data, long *len); + +// PEM_write_bio writes a PEM block to |bp|, containing |len| bytes from |data| +// as data. |name| and |hdr| are NUL-terminated C strings containing the PEM +// type and header block, respectively. This function returns zero on error and +// the number of bytes written on success. +OPENSSL_EXPORT int PEM_write_bio(BIO *bp, const char *name, const char *hdr, + const unsigned char *data, long len); + +OPENSSL_EXPORT int PEM_bytes_read_bio(unsigned char **pdata, long *plen, + char **pnm, const char *name, BIO *bp, + pem_password_cb *cb, void *u); +OPENSSL_EXPORT void *PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, + BIO *bp, void **x, pem_password_cb *cb, + void *u); +OPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, + BIO *bp, void *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u); + +OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio( + BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u); +OPENSSL_EXPORT int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, + EVP_CIPHER *enc, unsigned char *kstr, + int klen, pem_password_cb *cd, + void *u); + +OPENSSL_EXPORT int PEM_read(FILE *fp, char **name, char **header, + unsigned char **data, long *len); +OPENSSL_EXPORT int PEM_write(FILE *fp, const char *name, const char *hdr, + const unsigned char *data, long len); +OPENSSL_EXPORT void *PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, + void **x, pem_password_cb *cb, void *u); +OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, + void *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *callback, void *u); +OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, + STACK_OF(X509_INFO) *sk, + pem_password_cb *cb, + void *u); + +// PEM_def_callback treats |userdata| as a string and copies it into |buf|, +// assuming its |size| is sufficient. Returns the length of the string, or 0 +// if there is not enough room. If either |buf| or |userdata| is NULL, 0 is +// returned. Note that this is different from OpenSSL, which prompts for a +// password. +OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag, + void *userdata); +OPENSSL_EXPORT void PEM_proc_type(char *buf, int type); +OPENSSL_EXPORT void PEM_dek_info(char *buf, const char *type, int len, + char *str); DECLARE_PEM_rw(X509, X509) @@ -397,22 +441,46 @@ DECLARE_PEM_rw_cb(PrivateKey, EVP_PKEY) DECLARE_PEM_rw(PUBKEY, EVP_PKEY) -OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid, char *kstr, int klen, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, const EVP_CIPHER *, char *, int, pem_password_cb *, void *); -OPENSSL_EXPORT int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid, char *kstr, int klen, pem_password_cb *cb, void *u); -OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u); - -OPENSSL_EXPORT int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid, char *kstr, int klen, pem_password_cb *cb, void *u); -OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid, char *kstr, int klen, pem_password_cb *cb, void *u); - -OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, pem_password_cb *cb, void *u); - -OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPHER *enc, char *kstr,int klen, pem_password_cb *cd, void *u); - - -#ifdef __cplusplus +OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, + int nid, char *kstr, + int klen, + pem_password_cb *cb, + void *u); +OPENSSL_EXPORT int PEM_write_bio_PKCS8PrivateKey(BIO *, EVP_PKEY *, + const EVP_CIPHER *, char *, + int, pem_password_cb *, + void *); +OPENSSL_EXPORT int i2d_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY *x, + const EVP_CIPHER *enc, char *kstr, + int klen, pem_password_cb *cb, + void *u); +OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_bio(BIO *bp, EVP_PKEY *x, int nid, + char *kstr, int klen, + pem_password_cb *cb, void *u); +OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_bio(BIO *bp, EVP_PKEY **x, + pem_password_cb *cb, void *u); + +OPENSSL_EXPORT int i2d_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY *x, + const EVP_CIPHER *enc, char *kstr, + int klen, pem_password_cb *cb, + void *u); +OPENSSL_EXPORT int i2d_PKCS8PrivateKey_nid_fp(FILE *fp, EVP_PKEY *x, int nid, + char *kstr, int klen, + pem_password_cb *cb, void *u); +OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid, + char *kstr, int klen, + pem_password_cb *cb, void *u); + +OPENSSL_EXPORT EVP_PKEY *d2i_PKCS8PrivateKey_fp(FILE *fp, EVP_PKEY **x, + pem_password_cb *cb, void *u); + +OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, + const EVP_CIPHER *enc, char *kstr, + int klen, pem_password_cb *cd, + void *u); + + +#ifdef __cplusplus } #endif @@ -432,4 +500,4 @@ OPENSSL_EXPORT int PEM_write_PKCS8PrivateKey(FILE *fp,EVP_PKEY *x,const EVP_CIPH #define PEM_R_UNSUPPORTED_CIPHER 113 #define PEM_R_UNSUPPORTED_ENCRYPTION 114 -#endif /* OPENSSL_HEADER_PEM_H */ +#endif // OPENSSL_HEADER_PEM_H diff --git a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_trust_token.h b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_trust_token.h index 736c3b2c..bb1abebe 100644 --- a/Sources/CNIOBoringSSL/include/CNIOBoringSSL_trust_token.h +++ b/Sources/CNIOBoringSSL/include/CNIOBoringSSL_trust_token.h @@ -40,13 +40,11 @@ extern "C" { // PMBTokens and P-384. OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v1(void); -// TRUST_TOKEN_experiment_v2_pp is an experimental Trust Tokens protocol using -// PMBTokens (with no private metadata) and P-384 with up to 6 keys, without RR -// verification. +// TRUST_TOKEN_experiment_v2_voprf is an experimental Trust Tokens protocol +// using VOPRFs and P-384 with up to 6 keys, without RR verification. // // This version is incomplete and should not be used. -// TODO(svaldez): Update to use the PrivacyPass primitive -OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_pp(void); +OPENSSL_EXPORT const TRUST_TOKEN_METHOD *TRUST_TOKEN_experiment_v2_voprf(void); // TRUST_TOKEN_experiment_v2_pmb is an experimental Trust Tokens protocol using // PMBTokens and P-384 with up to 3 keys, without RR verification. @@ -165,12 +163,8 @@ OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_redemption( // |*out_rr| and |*out_rr_len| (respectively, |*out_sig| and |*out_sig_len|) // to a newly-allocated buffer containing the SRR (respectively, the SRR // signature). In other versions, it sets |*out_rr| and |*out_rr_len| -// (respectively, |*out_sig| and |*out_sig_len|) to a newly-allocated buffer -// containing the SRR (respectively, the SRR signature). It returns one on -// success or zero on failure. -// -// TODO(svaldez): Return the entire response in |*out_rr| and omit |*out_sig| in -// non-|TRUST_TOKEN_experiment_v1| versions. +// to a newly-allocated buffer containing |response| and leaves all validation +// to the caller. It returns one on success or zero on failure. OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_finish_redemption( TRUST_TOKEN_CLIENT *ctx, uint8_t **out_rr, size_t *out_rr_len, uint8_t **out_sig, size_t *out_sig_len, const uint8_t *response, diff --git a/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc b/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc index 139ffbb9..3443a3b8 100644 --- a/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc +++ b/Sources/CNIOBoringSSL/include/boringssl_prefix_symbols_nasm.inc @@ -283,6 +283,7 @@ %xdefine _BIO_set_mem_eof_return _ %+ BORINGSSL_PREFIX %+ _BIO_set_mem_eof_return %xdefine _BIO_set_nbio _ %+ BORINGSSL_PREFIX %+ _BIO_set_nbio %xdefine _BIO_set_retry_read _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_read +%xdefine _BIO_set_retry_reason _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_reason %xdefine _BIO_set_retry_special _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_special %xdefine _BIO_set_retry_write _ %+ BORINGSSL_PREFIX %+ _BIO_set_retry_write %xdefine _BIO_set_shutdown _ %+ BORINGSSL_PREFIX %+ _BIO_set_shutdown @@ -1432,7 +1433,6 @@ %xdefine _PKCS8_parse_encrypted_private_key _ %+ BORINGSSL_PREFIX %+ _PKCS8_parse_encrypted_private_key %xdefine _PKCS8_pkey_get0 _ %+ BORINGSSL_PREFIX %+ _PKCS8_pkey_get0 %xdefine _PKCS8_pkey_set0 _ %+ BORINGSSL_PREFIX %+ _PKCS8_pkey_set0 -%xdefine _PMBTOKEN_PRETOKEN_free _ %+ BORINGSSL_PREFIX %+ _PMBTOKEN_PRETOKEN_free %xdefine _POLICYINFO_free _ %+ BORINGSSL_PREFIX %+ _POLICYINFO_free %xdefine _POLICYINFO_it _ %+ BORINGSSL_PREFIX %+ _POLICYINFO_it %xdefine _POLICYINFO_new _ %+ BORINGSSL_PREFIX %+ _POLICYINFO_new @@ -2077,10 +2077,11 @@ %xdefine _TRUST_TOKEN_ISSUER_redeem _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_redeem %xdefine _TRUST_TOKEN_ISSUER_set_metadata_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_metadata_key %xdefine _TRUST_TOKEN_ISSUER_set_srr_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_srr_key +%xdefine _TRUST_TOKEN_PRETOKEN_free _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_PRETOKEN_free %xdefine _TRUST_TOKEN_decode_private_metadata _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_decode_private_metadata %xdefine _TRUST_TOKEN_experiment_v1 _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v1 %xdefine _TRUST_TOKEN_experiment_v2_pmb _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_pmb -%xdefine _TRUST_TOKEN_experiment_v2_pp _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_pp +%xdefine _TRUST_TOKEN_experiment_v2_voprf _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_voprf %xdefine _TRUST_TOKEN_free _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_free %xdefine _TRUST_TOKEN_generate_key _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_generate_key %xdefine _TRUST_TOKEN_new _ %+ BORINGSSL_PREFIX %+ _TRUST_TOKEN_new @@ -3324,6 +3325,13 @@ %xdefine _v3_policy_mappings _ %+ BORINGSSL_PREFIX %+ _v3_policy_mappings %xdefine _v3_sinfo _ %+ BORINGSSL_PREFIX %+ _v3_sinfo %xdefine _v3_skey_id _ %+ BORINGSSL_PREFIX %+ _v3_skey_id +%xdefine _voprf_exp2_blind _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_blind +%xdefine _voprf_exp2_client_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_client_key_from_bytes +%xdefine _voprf_exp2_generate_key _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_generate_key +%xdefine _voprf_exp2_issuer_key_from_bytes _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_issuer_key_from_bytes +%xdefine _voprf_exp2_read _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_read +%xdefine _voprf_exp2_sign _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_sign +%xdefine _voprf_exp2_unblind _ %+ BORINGSSL_PREFIX %+ _voprf_exp2_unblind %xdefine _vpaes_cbc_encrypt _ %+ BORINGSSL_PREFIX %+ _vpaes_cbc_encrypt %xdefine _vpaes_ctr32_encrypt_blocks _ %+ BORINGSSL_PREFIX %+ _vpaes_ctr32_encrypt_blocks %xdefine _vpaes_decrypt _ %+ BORINGSSL_PREFIX %+ _vpaes_decrypt @@ -3623,6 +3631,7 @@ %xdefine BIO_set_mem_eof_return BORINGSSL_PREFIX %+ _BIO_set_mem_eof_return %xdefine BIO_set_nbio BORINGSSL_PREFIX %+ _BIO_set_nbio %xdefine BIO_set_retry_read BORINGSSL_PREFIX %+ _BIO_set_retry_read +%xdefine BIO_set_retry_reason BORINGSSL_PREFIX %+ _BIO_set_retry_reason %xdefine BIO_set_retry_special BORINGSSL_PREFIX %+ _BIO_set_retry_special %xdefine BIO_set_retry_write BORINGSSL_PREFIX %+ _BIO_set_retry_write %xdefine BIO_set_shutdown BORINGSSL_PREFIX %+ _BIO_set_shutdown @@ -4772,7 +4781,6 @@ %xdefine PKCS8_parse_encrypted_private_key BORINGSSL_PREFIX %+ _PKCS8_parse_encrypted_private_key %xdefine PKCS8_pkey_get0 BORINGSSL_PREFIX %+ _PKCS8_pkey_get0 %xdefine PKCS8_pkey_set0 BORINGSSL_PREFIX %+ _PKCS8_pkey_set0 -%xdefine PMBTOKEN_PRETOKEN_free BORINGSSL_PREFIX %+ _PMBTOKEN_PRETOKEN_free %xdefine POLICYINFO_free BORINGSSL_PREFIX %+ _POLICYINFO_free %xdefine POLICYINFO_it BORINGSSL_PREFIX %+ _POLICYINFO_it %xdefine POLICYINFO_new BORINGSSL_PREFIX %+ _POLICYINFO_new @@ -5417,10 +5425,11 @@ %xdefine TRUST_TOKEN_ISSUER_redeem BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_redeem %xdefine TRUST_TOKEN_ISSUER_set_metadata_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_metadata_key %xdefine TRUST_TOKEN_ISSUER_set_srr_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_ISSUER_set_srr_key +%xdefine TRUST_TOKEN_PRETOKEN_free BORINGSSL_PREFIX %+ _TRUST_TOKEN_PRETOKEN_free %xdefine TRUST_TOKEN_decode_private_metadata BORINGSSL_PREFIX %+ _TRUST_TOKEN_decode_private_metadata %xdefine TRUST_TOKEN_experiment_v1 BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v1 %xdefine TRUST_TOKEN_experiment_v2_pmb BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_pmb -%xdefine TRUST_TOKEN_experiment_v2_pp BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_pp +%xdefine TRUST_TOKEN_experiment_v2_voprf BORINGSSL_PREFIX %+ _TRUST_TOKEN_experiment_v2_voprf %xdefine TRUST_TOKEN_free BORINGSSL_PREFIX %+ _TRUST_TOKEN_free %xdefine TRUST_TOKEN_generate_key BORINGSSL_PREFIX %+ _TRUST_TOKEN_generate_key %xdefine TRUST_TOKEN_new BORINGSSL_PREFIX %+ _TRUST_TOKEN_new @@ -6664,6 +6673,13 @@ %xdefine v3_policy_mappings BORINGSSL_PREFIX %+ _v3_policy_mappings %xdefine v3_sinfo BORINGSSL_PREFIX %+ _v3_sinfo %xdefine v3_skey_id BORINGSSL_PREFIX %+ _v3_skey_id +%xdefine voprf_exp2_blind BORINGSSL_PREFIX %+ _voprf_exp2_blind +%xdefine voprf_exp2_client_key_from_bytes BORINGSSL_PREFIX %+ _voprf_exp2_client_key_from_bytes +%xdefine voprf_exp2_generate_key BORINGSSL_PREFIX %+ _voprf_exp2_generate_key +%xdefine voprf_exp2_issuer_key_from_bytes BORINGSSL_PREFIX %+ _voprf_exp2_issuer_key_from_bytes +%xdefine voprf_exp2_read BORINGSSL_PREFIX %+ _voprf_exp2_read +%xdefine voprf_exp2_sign BORINGSSL_PREFIX %+ _voprf_exp2_sign +%xdefine voprf_exp2_unblind BORINGSSL_PREFIX %+ _voprf_exp2_unblind %xdefine vpaes_cbc_encrypt BORINGSSL_PREFIX %+ _vpaes_cbc_encrypt %xdefine vpaes_ctr32_encrypt_blocks BORINGSSL_PREFIX %+ _vpaes_ctr32_encrypt_blocks %xdefine vpaes_decrypt BORINGSSL_PREFIX %+ _vpaes_decrypt diff --git a/Sources/CNIOBoringSSL/ssl/bio_ssl.cc b/Sources/CNIOBoringSSL/ssl/bio_ssl.cc index 7e6323be..9c26b15c 100644 --- a/Sources/CNIOBoringSSL/ssl/bio_ssl.cc +++ b/Sources/CNIOBoringSSL/ssl/bio_ssl.cc @@ -37,12 +37,12 @@ static int ssl_read(BIO *bio, char *out, int outl) { case SSL_ERROR_WANT_ACCEPT: BIO_set_retry_special(bio); - bio->retry_reason = BIO_RR_ACCEPT; + BIO_set_retry_reason(bio, BIO_RR_ACCEPT); break; case SSL_ERROR_WANT_CONNECT: BIO_set_retry_special(bio); - bio->retry_reason = BIO_RR_CONNECT; + BIO_set_retry_reason(bio, BIO_RR_CONNECT); break; case SSL_ERROR_NONE: @@ -77,7 +77,7 @@ static int ssl_write(BIO *bio, const char *out, int outl) { case SSL_ERROR_WANT_CONNECT: BIO_set_retry_special(bio); - bio->retry_reason = BIO_RR_CONNECT; + BIO_set_retry_reason(bio, BIO_RR_CONNECT); break; case SSL_ERROR_NONE: @@ -98,6 +98,17 @@ static long ssl_ctrl(BIO *bio, int cmd, long num, void *ptr) { switch (cmd) { case BIO_C_SET_SSL: + if (ssl != NULL) { + // OpenSSL allows reusing an SSL BIO with a different SSL object. We do + // not support this. + OPENSSL_PUT_ERROR(SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + // Note this differs from upstream OpenSSL, which synchronizes + // |bio->next_bio| with |ssl|'s rbio here, and on |BIO_CTRL_PUSH|. We call + // into the corresponding |BIO| directly. (We can implement the upstream + // behavior if it ends up necessary.) bio->shutdown = num; bio->ptr = ptr; bio->init = 1; @@ -117,9 +128,11 @@ static long ssl_ctrl(BIO *bio, int cmd, long num, void *ptr) { return SSL_pending(ssl); case BIO_CTRL_FLUSH: { + BIO *wbio = SSL_get_wbio(ssl); BIO_clear_retry_flags(bio); - long ret = BIO_ctrl(SSL_get_wbio(ssl), cmd, num, ptr); - BIO_copy_next_retry(bio); + long ret = BIO_ctrl(wbio, cmd, num, ptr); + BIO_set_flags(bio, BIO_get_retry_flags(wbio)); + BIO_set_retry_reason(bio, BIO_get_retry_reason(wbio)); return ret; } diff --git a/Sources/CNIOBoringSSL/ssl/ssl_session.cc b/Sources/CNIOBoringSSL/ssl/ssl_session.cc index 8a93f932..cd090309 100644 --- a/Sources/CNIOBoringSSL/ssl/ssl_session.cc +++ b/Sources/CNIOBoringSSL/ssl/ssl_session.cc @@ -364,12 +364,6 @@ int ssl_get_new_session(SSL_HANDSHAKE *hs, int is_server) { session->is_server = is_server; session->ssl_version = ssl->version; session->is_quic = ssl->quic_method != nullptr; - if (is_server && ssl->enable_early_data && session->is_quic) { - if (!session->quic_early_data_context.CopyFrom( - hs->config->quic_early_data_context)) { - return 0; - } - } // Fill in the time from the |SSL_CTX|'s clock. struct OPENSSL_timeval now; diff --git a/Sources/CNIOBoringSSL/ssl/tls13_server.cc b/Sources/CNIOBoringSSL/ssl/tls13_server.cc index bebad75f..41c92dd6 100644 --- a/Sources/CNIOBoringSSL/ssl/tls13_server.cc +++ b/Sources/CNIOBoringSSL/ssl/tls13_server.cc @@ -431,6 +431,15 @@ static enum ssl_hs_wait_t do_select_session(SSL_HANDSHAKE *hs) { return ssl_hs_error; } + // Copy the QUIC early data context to the session. + if (ssl->enable_early_data && ssl->quic_method) { + if (!hs->new_session->quic_early_data_context.CopyFrom( + hs->config->quic_early_data_context)) { + ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + return ssl_hs_error; + } + } + if (ssl->ctx->dos_protection_cb != NULL && ssl->ctx->dos_protection_cb(&client_hello) == 0) { // Connection rejected for DOS reasons.