diff --git a/misc/symbian/ClassiCube_common.mmh b/misc/symbian/ClassiCube_common.mmh
index 49ae7b886..961e8cf9e 100644
--- a/misc/symbian/ClassiCube_common.mmh
+++ b/misc/symbian/ClassiCube_common.mmh
@@ -47,7 +47,7 @@ SOURCEPATH ../../src SOURCE Animations.c Audio.c Audio_Null.c AxisLinesRenderer.c Bitmap.c Block.c BlockPhysics.c Builder.c Camera.c Chat.c Commands.c Deflate.c Drawer.c Drawer2D.c Entity.c EntityComponents.c EntityRenderers.c EnvRenderer.c Event.c ExtMath.c FancyLighting.c Formats.c Game.c GameVersion.c Generator.c Graphics_GL1.c Graphics_SoftGPU.c Gui.c HeldBlockRenderer.c Http_Web.c Http_Worker.c Input.c InputHandler.c Inventory.c IsometricDrawer.c LBackend.c LScreens.c LWeb.c LWidgets.c Launcher.c Lighting.c Logger.c MapRenderer.c MenuOptions.c Menus.c Model.c Options.c PackedCol.c Particle.c Physics.c Picking.c Platform_Posix.c Protocol.c Queue.c Resources.c SSL.c Screens.c SelOutlineRenderer.c SelectionBox.c Server.c Stream.c String.c SystemFonts.c TexturePack.c TouchUI.c Utils.c Vectors.c Widgets.c World.c _autofit.c _cff.c _ftbase.c _ftbitmap.c _ftglyph.c _ftinit.c _ftsynth.c _psaux.c _pshinter.c _psmodule.c _sfnt.c _smooth.c _truetype.c _type1.c Vorbis.c Platform_Symbian.cpp Graphics_GL2.c Window_Symbian.cpp Audio_Symbian.cpp SOURCEPATH ../../third_party/bearssl/src -SOURCE aes_big_cbcdec.c aes_big_cbcenc.c aes_big_ctr.c aes_big_ctrcbc.c aes_big_dec.c aes_big_enc.c aes_common.c aes_ct.c aes_ct64.c aes_ct64_cbcdec.c aes_ct64_cbcenc.c aes_ct64_ctr.c aes_ct64_ctrcbc.c aes_ct64_dec.c aes_ct64_enc.c aes_ct_cbcdec.c aes_ct_cbcenc.c aes_ct_ctr.c aes_ct_ctrcbc.c aes_ct_dec.c aes_ct_enc.c aes_small_cbcdec.c aes_small_cbcenc.c aes_small_ctr.c aes_small_ctrcbc.c aes_small_dec.c aes_small_enc.c aes_x86ni.c aes_x86ni_cbcdec.c aes_x86ni_cbcenc.c aes_x86ni_ctr.c aes_x86ni_ctrcbc.c aesctr_drbg.c asn1enc.c ccm.c ccopy.c chacha20_ct.c chacha20_sse2.c dec16be.c dec16le.c dec32be.c dec32le.c dec64be.c dec64le.c des_ct.c des_ct_cbcdec.c des_ct_cbcenc.c des_support.c des_tab.c des_tab_cbcdec.c des_tab_cbcenc.c dig_oid.c dig_size.c eax.c ec_all_m15.c ec_all_m31.c ec_c25519_i15.c ec_c25519_i31.c ec_c25519_m15.c ec_c25519_m31.c ec_c25519_m62.c ec_c25519_m64.c 
ec_curve25519.c ec_default.c ec_keygen.c ec_p256_m15.c ec_p256_m31.c ec_p256_m62.c ec_p256_m64.c ec_prime_i15.c ec_prime_i31.c ec_pubkey.c ec_secp256r1.c ec_secp384r1.c ec_secp521r1.c ecdsa_atr.c ecdsa_default_sign_asn1.c ecdsa_default_sign_raw.c ecdsa_default_vrfy_asn1.c ecdsa_default_vrfy_raw.c ecdsa_i15_bits.c ecdsa_i15_sign_asn1.c ecdsa_i15_sign_raw.c ecdsa_i15_vrfy_asn1.c ecdsa_i15_vrfy_raw.c ecdsa_i31_bits.c ecdsa_i31_sign_asn1.c ecdsa_i31_sign_raw.c ecdsa_i31_vrfy_asn1.c ecdsa_i31_vrfy_raw.c ecdsa_rta.c enc16be.c enc16le.c enc32be.c enc32le.c enc64be.c enc64le.c encode_ec_pk8der.c encode_ec_rawder.c encode_rsa_pk8der.c encode_rsa_rawder.c gcm.c ghash_ctmul.c ghash_ctmul32.c ghash_ctmul64.c ghash_pclmul.c hkdf.c hmac.c hmac_ct.c hmac_drbg.c i15_add.c i15_bitlen.c i15_decmod.c i15_decode.c i15_decred.c i15_encode.c i15_fmont.c i15_iszero.c i15_moddiv.c i15_modpow.c i15_modpow2.c i15_montmul.c i15_mulacc.c i15_muladd.c i15_ninv15.c i15_reduce.c i15_rshift.c i15_sub.c i15_tmont.c i31_add.c i31_bitlen.c i31_decmod.c i31_decode.c i31_decred.c i31_encode.c i31_fmont.c i31_iszero.c i31_moddiv.c i31_modpow.c i31_modpow2.c i31_montmul.c i31_mulacc.c i31_muladd.c i31_ninv31.c i31_reduce.c i31_rshift.c i31_sub.c i31_tmont.c i32_add.c i32_bitlen.c i32_decmod.c i32_decode.c i32_decred.c i32_div32.c i32_encode.c i32_fmont.c i32_iszero.c i32_modpow.c i32_montmul.c i32_mulacc.c i32_muladd.c i32_ninv32.c i32_reduce.c i32_sub.c i32_tmont.c i62_modpow2.c md5.c md5sha1.c mgf1.c multihash.c poly1305_ctmul.c poly1305_ctmul32.c poly1305_ctmulq.c poly1305_i15.c prf.c prf_md5sha1.c prf_sha256.c prf_sha384.c rsa_default_keygen.c rsa_default_modulus.c rsa_default_oaep_decrypt.c rsa_default_oaep_encrypt.c rsa_default_pkcs1_sign.c rsa_default_pkcs1_vrfy.c rsa_default_priv.c rsa_default_privexp.c rsa_default_pss_sign.c rsa_default_pss_vrfy.c rsa_default_pub.c rsa_default_pubexp.c rsa_i15_keygen.c rsa_i15_modulus.c rsa_i15_oaep_decrypt.c rsa_i15_oaep_encrypt.c rsa_i15_pkcs1_sign.c 
rsa_i15_pkcs1_vrfy.c rsa_i15_priv.c rsa_i15_privexp.c rsa_i15_pss_sign.c rsa_i15_pss_vrfy.c rsa_i15_pub.c rsa_i15_pubexp.c rsa_i31_keygen.c rsa_i31_keygen_inner.c rsa_i31_modulus.c rsa_i31_oaep_decrypt.c rsa_i31_oaep_encrypt.c rsa_i31_pkcs1_sign.c rsa_i31_pkcs1_vrfy.c rsa_i31_priv.c rsa_i31_privexp.c rsa_i31_pss_sign.c rsa_i31_pss_vrfy.c rsa_i31_pub.c rsa_i31_pubexp.c rsa_i32_oaep_decrypt.c rsa_i32_oaep_encrypt.c rsa_i32_pkcs1_sign.c rsa_i32_pkcs1_vrfy.c rsa_i32_priv.c rsa_i32_pss_sign.c rsa_i32_pss_vrfy.c rsa_i32_pub.c rsa_i62_keygen.c rsa_i62_oaep_decrypt.c rsa_i62_oaep_encrypt.c rsa_i62_pkcs1_sign.c rsa_i62_pkcs1_vrfy.c rsa_i62_priv.c rsa_i62_pss_sign.c rsa_i62_pss_vrfy.c rsa_i62_pub.c rsa_oaep_pad.c rsa_oaep_unpad.c rsa_pkcs1_sig_pad.c rsa_pkcs1_sig_unpad.c rsa_pss_sig_pad.c rsa_pss_sig_unpad.c rsa_ssl_decrypt.c settings.c sha1.c sha2big.c sha2small.c shake.c skey_decoder.c ssl_ccert_single_ec.c ssl_ccert_single_rsa.c ssl_client.c ssl_client_default_rsapub.c ssl_client_full.c ssl_engine.c ssl_engine_default_aescbc.c ssl_engine_default_aesccm.c ssl_engine_default_aesgcm.c ssl_engine_default_chapol.c ssl_engine_default_descbc.c ssl_engine_default_ec.c ssl_engine_default_ecdsa.c ssl_engine_default_rsavrfy.c ssl_hashes.c ssl_hs_client.c ssl_io.c ssl_keyexport.c ssl_lru.c ssl_rec_cbc.c ssl_rec_ccm.c ssl_rec_chapol.c ssl_rec_gcm.c ssl_scert_single_ec.c ssl_scert_single_rsa.c sysrng.c x509_decoder.c x509_knownkey.c x509_minimal.c x509_minimal_full.c +SOURCE aes_big_cbcdec.c aes_big_cbcenc.c aes_big_ctr.c aes_big_ctrcbc.c aes_big_dec.c aes_big_enc.c aes_common.c aes_ct64.c aes_ct64_cbcdec.c aes_ct64_cbcenc.c aes_ct64_ctr.c aes_ct64_ctrcbc.c aes_ct64_dec.c aes_ct64_enc.c aes_ct.c aes_ct_cbcdec.c aes_ct_cbcenc.c aes_ct_ctr.c aes_ct_ctrcbc.c aes_ct_dec.c aes_ct_enc.c aesctr_drbg.c aes_small_cbcdec.c aes_small_cbcenc.c aes_small_ctr.c aes_small_ctrcbc.c aes_small_dec.c aes_small_enc.c aes_x86ni.c aes_x86ni_cbcdec.c aes_x86ni_cbcenc.c aes_x86ni_ctr.c aes_x86ni_ctrcbc.c 
asn1enc.c a.txt ccm.c ccopy.c chacha20_ct.c chacha20_sse2.c config.h dec32be.c dec32le.c dec64be.c dec64le.c dig_oid.c dig_size.c ec_all_m31.c ec_c25519_i31.c ec_c25519_m31.c ec_c25519_m62.c ec_c25519_m64.c ec_curve25519.c ec_default.c ecdsa_atr.c ecdsa_default_vrfy_asn1.c ecdsa_default_vrfy_raw.c ecdsa_i31_bits.c ecdsa_i31_vrfy_asn1.c ecdsa_i31_vrfy_raw.c ec_p256_m31.c ec_p256_m62.c ec_p256_m64.c ec_prime_i31.c ec_secp256r1.c ec_secp384r1.c ec_secp521r1.c enc32be.c enc32le.c enc64be.c enc64le.c gcm.c ghash_ctmul64.c ghash_ctmul.c ghash_pclmul.c hmac.c hmac_ct.c hmac_drbg.c i31_add.c i31_bitlen.c i31_decmod.c i31_decode.c i31_decred.c i31_encode.c i31_fmont.c i31_iszero.c i31_moddiv.c i31_modpow2.c i31_modpow.c i31_montmul.c i31_mulacc.c i31_muladd.c i31_ninv31.c i31_reduce.c i31_rshift.c i31_sub.c i31_tmont.c i32_div32.c i62_modpow2.c inner.h md5.c md5sha1.c mgf1.c multihash.c poly1305_ctmul.c poly1305_ctmulq.c prf.c prf_md5sha1.c prf_sha256.c prf_sha384.c rsa_default_pkcs1_vrfy.c rsa_default_priv.c rsa_default_pub.c rsa_i31_pkcs1_vrfy.c rsa_i31_priv.c rsa_i31_pub.c rsa_i62_pkcs1_vrfy.c rsa_i62_priv.c rsa_i62_pub.c rsa_pkcs1_sig_pad.c rsa_pkcs1_sig_unpad.c sha1.c sha2big.c sha2small.c ssl_client.c ssl_client_default_rsapub.c ssl_client_full.c ssl_engine.c ssl_engine_default_aescbc.c ssl_engine_default_aesccm.c ssl_engine_default_aesgcm.c ssl_engine_default_chapol.c ssl_engine_default_ec.c ssl_engine_default_ecdsa.c ssl_engine_default_rsavrfy.c ssl_hashes.c ssl_hs_client.c ssl_io.c ssl_rec_cbc.c ssl_rec_ccm.c ssl_rec_chapol.c ssl_rec_gcm.c x509_minimal.c x509_minimal_full.c CAPABILITY NetworkServices ReadUserData UserEnvironment WriteUserData diff --git a/third_party/bearssl/inc/bearssl_aead.h b/third_party/bearssl/inc/bearssl_aead.h index 8e35a1fde..d7cf92696 100644 --- a/third_party/bearssl/inc/bearssl_aead.h +++ b/third_party/bearssl/inc/bearssl_aead.h 
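Review bot: The new `SOURCE` line under `SOURCEPATH ../../third_party/bearssl/src` in `ClassiCube_common.mmh` lists `a.txt`, `config.h` and `inner.h`, none of which is a translation unit. Together with the changed ordering (`aes_ct64.c` now before `aes_ct.c`, `aesctr_drbg.c` before `aes_small_*`), this looks like a pasted directory listing, so those three entries should be removed from the list; `a.txt` in particular is probably a stray file that does not belong in the vendored tree. Separately, `sysrng.c` is dropped while `ssl_engine.c`, `hmac_drbg.c` and `aesctr_drbg.c` stay. In upstream BearSSL the engine falls back to the system seeder from `sysrng.c` when no entropy has been injected, so it is worth confirming, in code outside this hunk, that the client always seeds the engine explicitly before a handshake on this target.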
@@ -547,319 +547,6 @@ uint32_t br_gcm_check_tag_trunc(br_gcm_context *ctx, */ extern const br_aead_class br_gcm_vtable; -/** - * \brief Context structure for EAX. - * - * EAX is an AEAD mode that combines a block cipher in CTR mode with - * CBC-MAC using the same block cipher and the same key, to provide - * authenticated encryption: - * - * - Any block cipher with 16-byte blocks can be used with EAX - * (technically, other block sizes are defined as well, but this - * is not implemented by these functions; shorter blocks also - * imply numerous security issues). - * - * - The nonce can have any length, as long as nonce values are - * not reused (thus, if nonces are randomly selected, the nonce - * size should be such that reuse probability is negligible). - * - * - Additional authenticated data length is unlimited. - * - * - Message length is unlimited. - * - * - The authentication tag has length 16 bytes. - * - * The EAX initialisation function receives as parameter an - * _initialised_ block cipher implementation context, with the secret - * key already set. A pointer to that context will be kept within the - * EAX context structure. It is up to the caller to allocate and - * initialise that block cipher context. - */ -typedef struct { - /** \brief Pointer to vtable for this context. */ - const br_aead_class *vtable; - -#ifndef BR_DOXYGEN_IGNORE - const br_block_ctrcbc_class **bctx; - unsigned char L2[16]; - unsigned char L4[16]; - unsigned char nonce[16]; - unsigned char head[16]; - unsigned char ctr[16]; - unsigned char cbcmac[16]; - unsigned char buf[16]; - size_t ptr; -#endif -} br_eax_context; - -/** - * \brief EAX captured state. - * - * Some internal values computed by EAX may be captured at various - * points, and reused for another EAX run with the same secret key, - * for lower per-message overhead. Captured values do not depend on - * the nonce. 
- */ -typedef struct { -#ifndef BR_DOXYGEN_IGNORE - unsigned char st[3][16]; -#endif -} br_eax_state; - -/** - * \brief Initialize an EAX context. - * - * A block cipher implementation, with its initialised context - * structure, is provided. The block cipher MUST use 16-byte blocks in - * CTR + CBC-MAC mode, and its secret key MUST have been already set in - * the provided context. The parameters are linked in the EAX context. - * - * After this function has been called, the `br_eax_reset()` function must - * be called, to provide the nonce for EAX computation. - * - * \param ctx EAX context structure. - * \param bctx block cipher context (already initialised with secret key). - */ -void br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx); - -/** - * \brief Capture pre-AAD state. - * - * This function precomputes key-dependent data, and stores it in the - * provided `st` structure. This structure should then be used with - * `br_eax_reset_pre_aad()`, or updated with `br_eax_get_aad_mac()` - * and then used with `br_eax_reset_post_aad()`. - * - * The EAX context structure is unmodified by this call. - * - * \param ctx EAX context structure. - * \param st recipient for captured state. - */ -void br_eax_capture(const br_eax_context *ctx, br_eax_state *st); - -/** - * \brief Reset an EAX context. - * - * This function resets an already initialised EAX context for a new - * computation run. Implementations and keys are conserved. This function - * can be called at any time; it cancels any ongoing EAX computation that - * uses the provided context structure. - * - * It is critical to EAX security that nonce values are not repeated for - * the same encryption key. Nonces can have arbitrary length. If nonces - * are randomly generated, then a nonce length of at least 128 bits (16 - * bytes) is recommended, to make nonce reuse probability sufficiently - * low. - * - * \param ctx EAX context structure. - * \param nonce EAX nonce to use. 
- * \param len EAX nonce length (in bytes). - */ -void br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len); - -/** - * \brief Reset an EAX context with a pre-AAD captured state. - * - * This function is an alternative to `br_eax_reset()`, that reuses a - * previously captured state structure for lower per-message overhead. - * The state should have been populated with `br_eax_capture_state()` - * but not updated with `br_eax_get_aad_mac()`. - * - * After this function is called, additional authenticated data MUST - * be injected. At least one byte of additional authenticated data - * MUST be provided with `br_eax_aad_inject()`; computation result will - * be incorrect if `br_eax_flip()` is called right away. - * - * After injection of the AAD and call to `br_eax_flip()`, at least - * one message byte must be provided. Empty messages are not supported - * with this reset mode. - * - * \param ctx EAX context structure. - * \param st pre-AAD captured state. - * \param nonce EAX nonce to use. - * \param len EAX nonce length (in bytes). - */ -void br_eax_reset_pre_aad(br_eax_context *ctx, const br_eax_state *st, - const void *nonce, size_t len); - -/** - * \brief Reset an EAX context with a post-AAD captured state. - * - * This function is an alternative to `br_eax_reset()`, that reuses a - * previously captured state structure for lower per-message overhead. - * The state should have been populated with `br_eax_capture_state()` - * and then updated with `br_eax_get_aad_mac()`. - * - * After this function is called, message data MUST be injected. The - * `br_eax_flip()` function MUST NOT be called. At least one byte of - * message data MUST be provided with `br_eax_run()`; empty messages - * are not supported with this reset mode. - * - * \param ctx EAX context structure. - * \param st post-AAD captured state. - * \param nonce EAX nonce to use. - * \param len EAX nonce length (in bytes). 
- */ -void br_eax_reset_post_aad(br_eax_context *ctx, const br_eax_state *st, - const void *nonce, size_t len); - -/** - * \brief Inject additional authenticated data into EAX. - * - * The provided data is injected into a running EAX computation. Additional - * data must be injected _before_ the call to `br_eax_flip()`. - * Additional data can be injected in several chunks of arbitrary length; - * the total amount of additional authenticated data is unlimited. - * - * \param ctx EAX context structure. - * \param data pointer to additional authenticated data. - * \param len length of additional authenticated data (in bytes). - */ -void br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len); - -/** - * \brief Finish injection of additional authenticated data into EAX. - * - * This function MUST be called before beginning the actual encryption - * or decryption (with `br_eax_run()`), even if no additional authenticated - * data was injected. No additional authenticated data may be injected - * after this function call. - * - * \param ctx EAX context structure. - */ -void br_eax_flip(br_eax_context *ctx); - -/** - * \brief Obtain a copy of the MAC on additional authenticated data. - * - * This function may be called only after `br_eax_flip()`; it copies the - * AAD-specific MAC value into the provided state. The MAC value depends - * on the secret key and the additional data itself, but not on the - * nonce. The updated state `st` is meant to be used as parameter for a - * further `br_eax_reset_post_aad()` call. - * - * \param ctx EAX context structure. - * \param st captured state to update. - */ -static inline void -br_eax_get_aad_mac(const br_eax_context *ctx, br_eax_state *st) -{ - memcpy(st->st[1], ctx->head, sizeof ctx->head); -} - -/** - * \brief Encrypt or decrypt some data with EAX. - * - * Data encryption or decryption can be done after `br_eax_flip()` - * has been called on the context. 
If `encrypt` is non-zero, then the - * provided data shall be plaintext, and it is encrypted in place. - * Otherwise, the data shall be ciphertext, and it is decrypted in place. - * - * Data may be provided in several chunks of arbitrary length. - * - * \param ctx EAX context structure. - * \param encrypt non-zero for encryption, zero for decryption. - * \param data data to encrypt or decrypt. - * \param len data length (in bytes). - */ -void br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len); - -/** - * \brief Compute EAX authentication tag. - * - * Compute the EAX authentication tag. The tag is a 16-byte value which - * is written in the provided `tag` buffer. This call terminates the - * EAX run: no data may be processed with that EAX context afterwards, - * until `br_eax_reset()` is called to initiate a new EAX run. - * - * The tag value must normally be sent along with the encrypted data. - * When decrypting, the tag value must be recomputed and compared with - * the received tag: if the two tag values differ, then either the tag - * or the encrypted data was altered in transit. As an alternative to - * this function, the `br_eax_check_tag()` function can be used to - * compute and check the tag value. - * - * \param ctx EAX context structure. - * \param tag destination buffer for the tag (16 bytes). - */ -void br_eax_get_tag(br_eax_context *ctx, void *tag); - -/** - * \brief Compute and check EAX authentication tag. - * - * This function is an alternative to `br_eax_get_tag()`, normally used - * on the receiving end (i.e. when decrypting value). The tag value is - * recomputed and compared with the provided tag value. If they match, 1 - * is returned; on mismatch, 0 is returned. A returned value of 0 means - * that the data or the tag was altered in transit, normally leading to - * wholesale rejection of the complete message. - * - * \param ctx EAX context structure. - * \param tag tag value to compare with (16 bytes). 
- * \return 1 on success (exact match of tag value), 0 otherwise. - */ -uint32_t br_eax_check_tag(br_eax_context *ctx, const void *tag); - -/** - * \brief Compute EAX authentication tag (with truncation). - * - * This function is similar to `br_eax_get_tag()`, except that it allows - * the tag to be truncated to a smaller length. The intended tag length - * is provided as `len` (in bytes); it MUST be no more than 16, but - * it may be smaller. Note that decreasing tag length mechanically makes - * forgeries easier; NIST SP 800-38D specifies that the tag length shall - * lie between 12 and 16 bytes (inclusive), but may be truncated down to - * 4 or 8 bytes, for specific applications that can tolerate it. It must - * also be noted that successful forgeries leak information on the - * authentication key, making subsequent forgeries easier. Therefore, - * tag truncation, and in particular truncation to sizes lower than 12 - * bytes, shall be envisioned only with great care. - * - * The tag is written in the provided `tag` buffer. This call terminates - * the EAX run: no data may be processed with that EAX context - * afterwards, until `br_eax_reset()` is called to initiate a new EAX - * run. - * - * The tag value must normally be sent along with the encrypted data. - * When decrypting, the tag value must be recomputed and compared with - * the received tag: if the two tag values differ, then either the tag - * or the encrypted data was altered in transit. As an alternative to - * this function, the `br_eax_check_tag_trunc()` function can be used to - * compute and check the tag value. - * - * \param ctx EAX context structure. - * \param tag destination buffer for the tag. - * \param len tag length (16 bytes or less). - */ -void br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len); - -/** - * \brief Compute and check EAX authentication tag (with truncation). 
- * - * This function is an alternative to `br_eax_get_tag_trunc()`, normally used - * on the receiving end (i.e. when decrypting value). The tag value is - * recomputed and compared with the provided tag value. If they match, 1 - * is returned; on mismatch, 0 is returned. A returned value of 0 means - * that the data or the tag was altered in transit, normally leading to - * wholesale rejection of the complete message. - * - * Tag length MUST be 16 bytes or less. The normal EAX tag length is 16 - * bytes. See `br_check_tag_trunc()` for some discussion on the potential - * perils of truncating authentication tags. - * - * \param ctx EAX context structure. - * \param tag tag value to compare with. - * \param len tag length (in bytes). - * \return 1 on success (exact match of tag value), 0 otherwise. - */ -uint32_t br_eax_check_tag_trunc(br_eax_context *ctx, - const void *tag, size_t len); - -/** - * \brief Class instance for EAX. - */ -extern const br_aead_class br_eax_vtable; - /** * \brief Context structure for CCM. * diff --git a/third_party/bearssl/src/dec16be.c b/third_party/bearssl/src/dec16be.c deleted file mode 100644 index 4f3f7f4a0..000000000 --- a/third_party/bearssl/src/dec16be.c +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (c) 2016 Thomas Pornin - * - * Permission is hereby granted, free of charge, to any person obtaining - * a copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#include "inner.h" - -/* see inner.h */ -void -br_range_dec16be(uint16_t *v, size_t num, const void *src) -{ - const unsigned char *buf; - - buf = src; - while (num -- > 0) { - *v ++ = br_dec16be(buf); - buf += 2; - } -} diff --git a/third_party/bearssl/src/dec16le.c b/third_party/bearssl/src/dec16le.c deleted file mode 100644 index 84d85364a..000000000 --- a/third_party/bearssl/src/dec16le.c +++ /dev/null 
@@ -1,38 +0,0 @@ -/* - * Copyright (c) 2016 Thomas Pornin - * - * Permission is hereby granted, free of charge, to any person obtaining - * a copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#include "inner.h" - -/* see inner.h */ -void -br_range_dec16le(uint16_t *v, size_t num, const void *src) -{ - const unsigned char *buf; - - buf = src; - while (num -- > 0) { - *v ++ = br_dec16le(buf); - buf += 2; - } -} diff --git a/third_party/bearssl/src/eax.c b/third_party/bearssl/src/eax.c deleted file mode 100644 index bcc704a7f..000000000 --- a/third_party/bearssl/src/eax.c +++ /dev/null 
@@ -1,525 +0,0 @@ -/* - * Copyright (c) 2017 Thomas Pornin - * - * Permission is hereby granted, free of charge, to any person obtaining - * a copy of this software and associated documentation files (the - * "Software"), to deal in the Software without restriction, including - * without limitation the rights to use, copy, modify, merge, publish, - * distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to - * the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#include "inner.h" - -/* - * Implementation Notes - * ==================== - * - * The combined CTR + CBC-MAC functions can only handle full blocks, - * so some buffering is necessary. Moreover, EAX has a special padding - * rule for CBC-MAC, which implies that we cannot compute the MAC over - * the last received full block until we know whether we are at the - * end of the data or not. - * - * - 'ptr' contains a value from 1 to 16, which is the number of bytes - * accumulated in buf[] that still needs to be processed with the - * current OMAC computation. Beware that this can go to 16: a - * complete block cannot be processed until it is known whether it - * is the last block or not. However, it can never be 0, because - * OMAC^t works on an input that is at least one-block long. 
- * - * - When processing the message itself, CTR encryption/decryption is - * also done at the same time. The first 'ptr' bytes of buf[] then - * contains the encrypted bytes, while the last '16 - ptr' bytes of - * buf[] are the remnants of the stream block, to be used against - * the next input bytes, when available. - * - * - The current counter and running CBC-MAC values are kept in 'ctr' - * and 'cbcmac', respectively. - * - * - The derived keys for padding are kept in L2 and L4 (double and - * quadruple of Enc_K(0^n), in GF(2^128), respectively). - */ - -/* - * Start an OMAC computation; the first block is the big-endian - * representation of the provided value ('val' must fit on one byte). - * We make it a delayed block because it may also be the last one, - */ -static void -omac_start(br_eax_context *ctx, unsigned val) -{ - memset(ctx->cbcmac, 0, sizeof ctx->cbcmac); - memset(ctx->buf, 0, sizeof ctx->buf); - ctx->buf[15] = val; - ctx->ptr = 16; -} - -/* - * Double a value in finite field GF(2^128), defined with modulus - * X^128+X^7+X^2+X+1. - */ -static void -double_gf128(unsigned char *dst, const unsigned char *src) -{ - unsigned cc; - int i; - - cc = 0x87 & -((unsigned)src[0] >> 7); - for (i = 15; i >= 0; i --) { - unsigned z; - - z = (src[i] << 1) ^ cc; - cc = z >> 8; - dst[i] = (unsigned char)z; - } -} - -/* - * Apply padding to the last block, currently in ctx->buf (with - * ctx->ptr bytes), and finalize OMAC computation. - */ -static void -do_pad(br_eax_context *ctx) -{ - unsigned char *pad; - size_t ptr, u; - - ptr = ctx->ptr; - if (ptr == 16) { - pad = ctx->L2; - } else { - ctx->buf[ptr ++] = 0x80; - memset(ctx->buf + ptr, 0x00, 16 - ptr); - pad = ctx->L4; - } - for (u = 0; u < sizeof ctx->buf; u ++) { - ctx->buf[u] ^= pad[u]; - } - (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, ctx->buf, sizeof ctx->buf); -} - -/* - * Apply CBC-MAC on the provided data, with buffering management. 
- * - * Upon entry, two situations are acceptable: - * - * ctx->ptr == 0: there is no data to process in ctx->buf - * ctx->ptr == 16: there is a full block of unprocessed data in ctx->buf - * - * Upon exit, ctx->ptr may be zero only if it was already zero on entry, - * and len == 0. In all other situations, ctx->ptr will be non-zero on - * exit (and may have value 16). - */ -static void -do_cbcmac_chunk(br_eax_context *ctx, const void *data, size_t len) -{ - size_t ptr; - - if (len == 0) { - return; - } - ptr = len & (size_t)15; - if (ptr == 0) { - len -= 16; - ptr = 16; - } else { - len -= ptr; - } - if (ctx->ptr == 16) { - (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, - ctx->buf, sizeof ctx->buf); - } - (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac, data, len); - memcpy(ctx->buf, (const unsigned char *)data + len, ptr); - ctx->ptr = ptr; -} - -/* see bearssl_aead.h */ -void -br_eax_init(br_eax_context *ctx, const br_block_ctrcbc_class **bctx) -{ - unsigned char tmp[16], iv[16]; - - ctx->vtable = &br_eax_vtable; - ctx->bctx = bctx; - - /* - * Encrypt a whole-zero block to compute L2 and L4. - */ - memset(tmp, 0, sizeof tmp); - memset(iv, 0, sizeof iv); - (*bctx)->ctr(bctx, iv, tmp, sizeof tmp); - double_gf128(ctx->L2, tmp); - double_gf128(ctx->L4, ctx->L2); -} - -/* see bearssl_aead.h */ -void -br_eax_capture(const br_eax_context *ctx, br_eax_state *st) -{ - /* - * We capture the three OMAC* states _after_ processing the - * initial block (assuming that nonce, message and AAD are - * all non-empty). - */ - int i; - - memset(st->st, 0, sizeof st->st); - for (i = 0; i < 3; i ++) { - unsigned char tmp[16]; - - memset(tmp, 0, sizeof tmp); - tmp[15] = (unsigned char)i; - (*ctx->bctx)->mac(ctx->bctx, st->st[i], tmp, sizeof tmp); - } -} - -/* see bearssl_aead.h */ -void -br_eax_reset(br_eax_context *ctx, const void *nonce, size_t len) -{ - /* - * Process nonce with OMAC^0. 
- */ - omac_start(ctx, 0); - do_cbcmac_chunk(ctx, nonce, len); - do_pad(ctx); - memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac); - - /* - * Start OMAC^1 for the AAD ("header" in the EAX specification). - */ - omac_start(ctx, 1); - - /* - * We use ctx->head[0] as temporary flag to mark that we are - * using a "normal" reset(). - */ - ctx->head[0] = 0; -} - -/* see bearssl_aead.h */ -void -br_eax_reset_pre_aad(br_eax_context *ctx, const br_eax_state *st, - const void *nonce, size_t len) -{ - if (len == 0) { - omac_start(ctx, 0); - } else { - memcpy(ctx->cbcmac, st->st[0], sizeof ctx->cbcmac); - ctx->ptr = 0; - do_cbcmac_chunk(ctx, nonce, len); - } - do_pad(ctx); - memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac); - - memcpy(ctx->cbcmac, st->st[1], sizeof ctx->cbcmac); - ctx->ptr = 0; - - memcpy(ctx->ctr, st->st[2], sizeof ctx->ctr); - - /* - * We use ctx->head[0] as a flag to indicate that we use a - * a recorded state, with ctx->ctr containing the preprocessed - * first block for OMAC^2. - */ - ctx->head[0] = 1; -} - -/* see bearssl_aead.h */ -void -br_eax_reset_post_aad(br_eax_context *ctx, const br_eax_state *st, - const void *nonce, size_t len) -{ - if (len == 0) { - omac_start(ctx, 0); - } else { - memcpy(ctx->cbcmac, st->st[0], sizeof ctx->cbcmac); - ctx->ptr = 0; - do_cbcmac_chunk(ctx, nonce, len); - } - do_pad(ctx); - memcpy(ctx->nonce, ctx->cbcmac, sizeof ctx->cbcmac); - memcpy(ctx->ctr, ctx->nonce, sizeof ctx->nonce); - - memcpy(ctx->head, st->st[1], sizeof ctx->head); - - memcpy(ctx->cbcmac, st->st[2], sizeof ctx->cbcmac); - ctx->ptr = 0; -} - -/* see bearssl_aead.h */ -void -br_eax_aad_inject(br_eax_context *ctx, const void *data, size_t len) -{ - size_t ptr; - - ptr = ctx->ptr; - - /* - * If there is a partial block, first complete it. 
- */ - if (ptr < 16) { - size_t clen; - - clen = 16 - ptr; - if (len <= clen) { - memcpy(ctx->buf + ptr, data, len); - ctx->ptr = ptr + len; - return; - } - memcpy(ctx->buf + ptr, data, clen); - data = (const unsigned char *)data + clen; - len -= clen; - } - - /* - * We now have a full block in buf[], and this is not the last - * block. - */ - do_cbcmac_chunk(ctx, data, len); -} - -/* see bearssl_aead.h */ -void -br_eax_flip(br_eax_context *ctx) -{ - int from_capture; - - /* - * ctx->head[0] may be non-zero if the context was reset with - * a pre-AAD captured state. In that case, ctx->ctr[] contains - * the state for OMAC^2 _after_ processing the first block. - */ - from_capture = ctx->head[0]; - - /* - * Complete the OMAC computation on the AAD. - */ - do_pad(ctx); - memcpy(ctx->head, ctx->cbcmac, sizeof ctx->cbcmac); - - /* - * Start OMAC^2 for the encrypted data. - * If the context was initialized from a captured state, then - * the OMAC^2 value is in the ctr[] array. - */ - if (from_capture) { - memcpy(ctx->cbcmac, ctx->ctr, sizeof ctx->cbcmac); - ctx->ptr = 0; - } else { - omac_start(ctx, 2); - } - - /* - * Initial counter value for CTR is the processed nonce. - */ - memcpy(ctx->ctr, ctx->nonce, sizeof ctx->nonce); -} - -/* see bearssl_aead.h */ -void -br_eax_run(br_eax_context *ctx, int encrypt, void *data, size_t len) -{ - unsigned char *dbuf; - size_t ptr; - - /* - * Ensure that there is actual data to process. - */ - if (len == 0) { - return; - } - - dbuf = data; - ptr = ctx->ptr; - - /* - * We may have ptr == 0 here if we initialized from a captured - * state. In that case, there is no partially consumed block - * or unprocessed data. - */ - if (ptr != 0 && ptr != 16) { - /* - * We have a partially consumed block. 
- */
- size_t u, clen;
-
- clen = 16 - ptr;
- if (len <= clen) {
- clen = len;
- }
- if (encrypt) {
- for (u = 0; u < clen; u ++) {
- ctx->buf[ptr + u] ^= dbuf[u];
- }
- memcpy(dbuf, ctx->buf + ptr, clen);
- } else {
- for (u = 0; u < clen; u ++) {
- unsigned dx, sx;
-
- sx = ctx->buf[ptr + u];
- dx = dbuf[u];
- ctx->buf[ptr + u] = dx;
- dbuf[u] = sx ^ dx;
- }
- }
-
- if (len <= clen) {
- ctx->ptr = ptr + clen;
- return;
- }
- dbuf += clen;
- len -= clen;
- }
-
- /*
- * We now have a complete encrypted block in buf[] that must still
- * be processed with OMAC, and this is not the final buf.
- * Exception: when ptr == 0, no block has been produced yet.
- */
- if (ptr != 0) {
- (*ctx->bctx)->mac(ctx->bctx, ctx->cbcmac,
- ctx->buf, sizeof ctx->buf);
- }
-
- /*
- * Do CTR encryption or decryption and CBC-MAC for all full blocks
- * except the last.
- */
- ptr = len & (size_t)15;
- if (ptr == 0) {
- len -= 16;
- ptr = 16;
- } else {
- len -= ptr;
- }
- if (encrypt) {
- (*ctx->bctx)->encrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
- dbuf, len);
- } else {
- (*ctx->bctx)->decrypt(ctx->bctx, ctx->ctr, ctx->cbcmac,
- dbuf, len);
- }
- dbuf += len;
-
- /*
- * Compute next block of CTR stream, and use it to finish
- * encrypting or decrypting the data.
- */
- memset(ctx->buf, 0, sizeof ctx->buf);
- (*ctx->bctx)->ctr(ctx->bctx, ctx->ctr, ctx->buf, sizeof ctx->buf);
- if (encrypt) {
- size_t u;
-
- for (u = 0; u < ptr; u ++) {
- ctx->buf[u] ^= dbuf[u];
- }
- memcpy(dbuf, ctx->buf, ptr);
- } else {
- size_t u;
-
- for (u = 0; u < ptr; u ++) {
- unsigned dx, sx;
-
- sx = ctx->buf[u];
- dx = dbuf[u];
- ctx->buf[u] = dx;
- dbuf[u] = sx ^ dx;
- }
- }
- ctx->ptr = ptr;
-}
-
-/*
- * Complete tag computation. The final tag is written in ctx->cbcmac.
- */
-static void
-do_final(br_eax_context *ctx)
-{
- size_t u;
-
- do_pad(ctx);
-
- /*
- * Authentication tag is the XOR of the three OMAC outputs for
- * the nonce, AAD and encrypted data.
- */
- for (u = 0; u < 16; u ++) {
- ctx->cbcmac[u] ^= ctx->nonce[u] ^ ctx->head[u];
- }
-}
-
-/* see bearssl_aead.h */
-void
-br_eax_get_tag(br_eax_context *ctx, void *tag)
-{
- do_final(ctx);
- memcpy(tag, ctx->cbcmac, sizeof ctx->cbcmac);
-}
-
-/* see bearssl_aead.h */
-void
-br_eax_get_tag_trunc(br_eax_context *ctx, void *tag, size_t len)
-{
- do_final(ctx);
- memcpy(tag, ctx->cbcmac, len);
-}
-
-/* see bearssl_aead.h */
-uint32_t
-br_eax_check_tag_trunc(br_eax_context *ctx, const void *tag, size_t len)
-{
- unsigned char tmp[16];
- size_t u;
- int x;
-
- br_eax_get_tag(ctx, tmp);
- x = 0;
- for (u = 0; u < len; u ++) {
- x |= tmp[u] ^ ((const unsigned char *)tag)[u];
- }
- return EQ0(x);
-}
-
-/* see bearssl_aead.h */
-uint32_t
-br_eax_check_tag(br_eax_context *ctx, const void *tag)
-{
- return br_eax_check_tag_trunc(ctx, tag, 16);
-}
-
-/* see bearssl_aead.h */
-const br_aead_class br_eax_vtable = {
- 16,
- (void (*)(const br_aead_class **, const void *, size_t))
- &br_eax_reset,
- (void (*)(const br_aead_class **, const void *, size_t))
- &br_eax_aad_inject,
- (void (*)(const br_aead_class **))
- &br_eax_flip,
- (void (*)(const br_aead_class **, int, void *, size_t))
- &br_eax_run,
- (void (*)(const br_aead_class **, void *))
- &br_eax_get_tag,
- (uint32_t (*)(const br_aead_class **, const void *))
- &br_eax_check_tag,
- (void (*)(const br_aead_class **, void *, size_t))
- &br_eax_get_tag_trunc,
- (uint32_t (*)(const br_aead_class **, const void *, size_t))
- &br_eax_check_tag_trunc
-};
diff --git a/third_party/bearssl/src/enc16be.c b/third_party/bearssl/src/enc16be.c
deleted file mode 100644
index 6e0665219..000000000
--- a/third_party/bearssl/src/enc16be.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2016 Thomas Pornin
- *
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject to
- * the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "inner.h"
-
-/* see inner.h */
-void
-br_range_enc16be(void *dst, const uint16_t *v, size_t num)
-{
- unsigned char *buf;
-
- buf = dst;
- while (num -- > 0) {
- br_enc16be(buf, *v ++);
- buf += 2;
- }
-}
diff --git a/third_party/bearssl/src/enc16le.c b/third_party/bearssl/src/enc16le.c
deleted file mode 100644
index 3e5049a03..000000000
--- a/third_party/bearssl/src/enc16le.c
+++ /dev/null
@@ -1,38 +0,0 @@
-/*
- * Copyright (c) 2016 Thomas Pornin
- *
- * Permission is hereby granted, free of charge, to any person obtaining
- * a copy of this software and associated documentation files (the
- * "Software"), to deal in the Software without restriction, including
- * without limitation the rights to use, copy, modify, merge, publish,
- * distribute, sublicense, and/or sell copies of the Software, and to
- * permit persons to whom the Software is furnished to do so, subject to
- * the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "inner.h"
-
-/* see inner.h */
-void
-br_range_enc16le(void *dst, const uint16_t *v, size_t num)
-{
- unsigned char *buf;
-
- buf = dst;
- while (num -- > 0) {
- br_enc16le(buf, *v ++);
- buf += 2;
- }
-}
diff --git a/third_party/bearssl/src/inner.h b/third_party/bearssl/src/inner.h
index 44e382fc1..3a8f463fc 100644
--- a/third_party/bearssl/src/inner.h
+++ b/third_party/bearssl/src/inner.h
@@ -638,11 +638,6 @@ br_dec64be(const void *src)
 /*
 * Range decoding and encoding (for several successive values).
 */
-void br_range_dec16le(uint16_t *v, size_t num, const void *src);
-void br_range_dec16be(uint16_t *v, size_t num, const void *src);
-void br_range_enc16le(void *dst, const uint16_t *v, size_t num);
-void br_range_enc16be(void *dst, const uint16_t *v, size_t num);
-
 void br_range_dec32le(uint32_t *v, size_t num, const void *src);
 void br_range_dec32be(uint32_t *v, size_t num, const void *src);
 void br_range_enc32le(void *dst, const uint32_t *v, size_t num);