diff --git a/example/pubspec.lock b/example/pubspec.lock
index 89a62f4c..d4272f37 100644
--- a/example/pubspec.lock
+++ b/example/pubspec.lock
@@ -198,10 +198,10 @@ packages:
 dependency: transitive
 description:
 name: matcher
- sha256: "31bd099b47c10cd1aeb55146a2d46ce0277630ecef3f7dae54ad7873f36696cd"
+ sha256: dc0b7dc7651697ea4ff3e69ef44b0407ea32c487a39fff6a4004fa585e901861
 url: "https://pub.dev"
 source: hosted
- version: "0.12.20"
+ version: "0.12.19"
 material_color_utilities:
 dependency: transitive
 description:
@@ -214,10 +214,10 @@ packages:
 dependency: transitive
 description:
 name: meta
- sha256: df0c643f44ad098eb37988027a8e2b2b5a031fd3977f06bbfd3a76637e8df739
+ sha256: "1741988757a65eb6b36abe716829688cf01910bbf91c34354ff7ec1c3de2b349"
 url: "https://pub.dev"
 source: hosted
- version: "1.18.2"
+ version: "1.18.0"
 native_toolchain_cmake:
 dependency: transitive
 description:
@@ -323,10 +323,10 @@ packages:
 dependency: transitive
 description:
 name: test_api
- sha256: "2a122cbe059f8b610d3a5415f42e255b6c17b1f21eee1d960f31080237fb4f11"
+ sha256: "949a932224383300f01be9221c39180316445ecb8e7547f70a41a35bf421fb9e"
 url: "https://pub.dev"
 source: hosted
- version: "0.7.12"
+ version: "0.7.11"
 typed_data:
 dependency: transitive
 description:
@@ -339,10 +339,10 @@ packages:
 dependency: transitive
 description:
 name: vector_math
- sha256: "47a1b32ee755c3fcffa33db52a7258c137f97bdb2209a1075be847809fac4ccf"
+ sha256: d530bd74fea330e6e364cda7a85019c434070188383e1cd8d9777ee586914c5b
 url: "https://pub.dev"
 source: hosted
- version: "2.3.0"
+ version: "2.2.0"
 vm_service:
 dependency: transitive
 description:
@@ -357,7 +357,7 @@ packages:
 path: ".."
 relative: true
 source: path
- version: "0.6.0"
+ version: "0.6.1"
 webdriver:
 dependency: transitive
 description:
diff --git a/lib/src/third_party/boringssl/generated_bindings.dart b/lib/src/third_party/boringssl/generated_bindings.dart
index c3039024..a21f0aa6 100644
--- a/lib/src/third_party/boringssl/generated_bindings.dart
+++ b/lib/src/third_party/boringssl/generated_bindings.dart @@ -76,8 +76,8 @@ class BoringSsl { ffi.Pointer Function(String symbolName) lookup, ) : _lookup = lookup; - /// BN_add sets |r| = |a| + |b|, where |r| may be the same pointer as either |a| - /// or |b|. It returns one on success and zero on allocation failure. + /// BN_add sets `r` = `a` + `b`, where `r` may be the same pointer as either `a` + /// or `b`. It returns one on success and zero on allocation failure. int BN_add( ffi.Pointer r, ffi.Pointer a, @@ -105,9 +105,9 @@ class BoringSsl { ) >(); - /// BN_bin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as - /// a big-endian number, and returns |ret|. If |ret| is NULL then a fresh - /// |BIGNUM| is allocated and returned. It returns NULL on allocation + /// BN_bin2bn sets `*ret` to the value of `len` bytes from `in`, interpreted as + /// a big-endian number, and returns `ret`. If `ret` is NULL then a fresh + /// `BIGNUM` is allocated and returned. It returns NULL on allocation /// failure. ffi.Pointer BN_bin2bn( ffi.Pointer in1, @@ -136,9 +136,9 @@ class BoringSsl { ) >(); - /// BN_bn2bin_padded serialises the absolute value of |in| to |out| as a + /// BN_bn2bin_padded serialises the absolute value of `in` to `out` as a /// big-endian integer. The integer is padded with leading zeros up to size - /// |len|. If |len| is smaller than |BN_num_bytes|, the function fails and + /// `len`. If `len` is smaller than `BN_num_bytes`, the function fails and /// returns 0. Otherwise, it returns 1. int BN_bn2bin_padded( ffi.Pointer out, 
@@ -163,8 +163,8 @@ class BoringSsl { int Function(ffi.Pointer, int, ffi.Pointer) >(); - /// BN_cmp returns a value less than, equal to or greater than zero if |a| is - /// less than, equal to or greater than |b|, respectively. + /// BN_cmp returns a value less than, equal to or greater than zero if `a` is + /// less than, equal to or greater than `b`, respectively. int BN_cmp(ffi.Pointer a, ffi.Pointer b) { return _BN_cmp(a, b); } @@ -180,8 +180,8 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// BN_free frees the data referenced by |bn| and, if |bn| was originally - /// allocated on the heap, frees |bn| also. + /// BN_free frees the data referenced by `bn` and, if `bn` was originally + /// allocated on the heap, frees `bn` also. void BN_free(ffi.Pointer bn) { return _BN_free(bn); } @@ -193,8 +193,8 @@ class BoringSsl { late final _BN_free = _BN_freePtr.asFunction)>(); - /// BN_lshift sets |r| equal to |a| << n. The |a| and |r| arguments may be the - /// same |BIGNUM|. It returns one on success and zero on allocation failure. + /// BN_lshift sets `r` equal to `a` << n. The `a` and `r` arguments may be the + /// same `BIGNUM`. It returns one on success and zero on allocation failure. int BN_lshift(ffi.Pointer r, ffi.Pointer a, int n) { return _BN_lshift(r, a, n); } 
@@ -220,11 +220,11 @@ class BoringSsl { late final _BN_new = _BN_newPtr.asFunction Function()>(); /// BN_num_bytes returns the minimum number of bytes needed to represent the - /// absolute value of |bn|. + /// absolute value of `bn`. /// - /// While |size_t| is the preferred type for byte counts, callers can assume that - /// |BIGNUM|s are bounded such that this value, and its corresponding bit count, - /// will always fit in |int|. + /// While `size_t` is the preferred type for byte counts, callers can assume that + /// `BIGNUM`s are bounded such that this value, and its corresponding bit count, + /// will always fit in `int`. int BN_num_bytes(ffi.Pointer bn) { return _BN_num_bytes(bn); } @@ -236,7 +236,7 @@ class BoringSsl { late final _BN_num_bytes = _BN_num_bytesPtr.asFunction)>(); - /// BN_set_word sets |bn| to |value|. It returns one on success or zero on + /// BN_set_word sets `bn` to `value`. It returns one on success or zero on /// allocation failure. int BN_set_word(ffi.Pointer bn, int value) { return _BN_set_word(bn, value); @@ -249,8 +249,8 @@ class BoringSsl { late final _BN_set_word = _BN_set_wordPtr.asFunction, int)>(); - /// BN_sub sets |r| = |a| - |b|, where |r| may be the same pointer as either |a| - /// or |b|. It returns one on success and zero on allocation failure. + /// BN_sub sets `r` = `a` - `b`, where `r` may be the same pointer as either `a` + /// or `b`. It returns one on success and zero on allocation failure. int BN_sub( ffi.Pointer r, ffi.Pointer a, 
@@ -302,13 +302,13 @@ class BoringSsl { late final _BORINGSSL_self_test = _BORINGSSL_self_testPtr.asFunction(); - /// CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects + /// CBB_cleanup frees all resources owned by `cbb` and other `CBB` objects /// writing to the same buffer. This should be used in an error case where a /// serialisation is abandoned. /// - /// This function can only be called on a "top level" |CBB|, i.e. one initialised - /// with |CBB_init| or |CBB_init_fixed|, or a |CBB| set to the zero state with - /// |CBB_zero|. + /// This function can only be called on a "top level" `CBB`, i.e. one initialised + /// with `CBB_init` or `CBB_init_fixed`, or a `CBB` set to the zero state with + /// `CBB_zero`. void CBB_cleanup(ffi.Pointer cbb) { return _CBB_cleanup(cbb); } @@ -320,8 +320,8 @@ class BoringSsl { late final _CBB_cleanup = _CBB_cleanupPtr.asFunction)>(); - /// CBB_data returns a pointer to the bytes written to |cbb|. It does not flush - /// |cbb|. The pointer is valid until the next operation to |cbb|. + /// CBB_data returns a pointer to the bytes written to `cbb`. It does not flush + /// `cbb`. The pointer is valid until the next operation to `cbb`. /// /// To avoid unfinalized length prefixes, it is a fatal error to call this on a /// CBB with any active children. 
@@ -339,9 +339,9 @@ class BoringSsl { >(); /// CBB_flush causes any pending length prefixes to be written out and any child - /// |CBB| objects of |cbb| to be invalidated. This allows |cbb| to continue to be - /// used after the children go out of scope, e.g. when local |CBB| objects are - /// added as children to a |CBB| that persists after a function returns. This + /// `CBB` objects of `cbb` to be invalidated. This allows `cbb` to continue to be + /// used after the children go out of scope, e.g. when local `CBB` objects are + /// added as children to a `CBB` that persists after a function returns. This /// function returns one on success or zero on error. int CBB_flush(ffi.Pointer cbb) { return _CBB_flush(cbb); @@ -354,8 +354,8 @@ class BoringSsl { late final _CBB_flush = _CBB_flushPtr.asFunction)>(); - /// CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as - /// needed, the |initial_capacity| is just a hint. It returns one on success or + /// CBB_init initialises `cbb` with `initial_capacity`. Since a `CBB` grows as + /// needed, the `initial_capacity` is just a hint. It returns one on success or /// zero on allocation failure. int CBB_init(ffi.Pointer cbb, int initial_capacity) { return _CBB_init(cbb, initial_capacity); @@ -368,8 +368,8 @@ class BoringSsl { late final _CBB_init = _CBB_initPtr.asFunction, int)>(); - /// CBB_len returns the number of bytes written to |cbb|. It does not flush - /// |cbb|. + /// CBB_len returns the number of bytes written to `cbb`. It does not flush + /// `cbb`. /// /// To avoid unfinalized length prefixes, it is a fatal error to call this on a /// CBB with any active children. 
@@ -384,10 +384,10 @@ class BoringSsl { late final _CBB_len = _CBB_lenPtr.asFunction)>(); - /// CBB_zero sets an uninitialised |cbb| to the zero state. It must be - /// initialised with |CBB_init| or |CBB_init_fixed| before use, but it is safe to - /// call |CBB_cleanup| without a successful |CBB_init|. This may be used for more - /// uniform cleanup of a |CBB|. + /// CBB_zero sets an uninitialised `cbb` to the zero state. It must be + /// initialised with `CBB_init` or `CBB_init_fixed` before use, but it is safe to + /// call `CBB_cleanup` without a successful `CBB_init`. This may be used for more + /// uniform cleanup of a `CBB`. void CBB_zero(ffi.Pointer cbb) { return _CBB_zero(cbb); } @@ -399,9 +399,9 @@ class BoringSsl { late final _CBB_zero = _CBB_zeroPtr.asFunction)>(); - /// CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It - /// takes an amount of time dependent on |len|, but independent of the contents - /// of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a + /// CRYPTO_memcmp returns zero iff the `len` bytes at `a` and `b` are equal. It + /// takes an amount of time dependent on `len`, but independent of the contents + /// of `a` and `b`. Unlike memcmp, it cannot be used to put elements into a /// defined order as the return value when a != b is undefined, other than to be /// non-zero. int CRYPTO_memcmp(ffi.Pointer a, ffi.Pointer b, int len) { 
@@ -423,12 +423,12 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, int) >(); - /// ECDH_compute_key calculates the shared key between |pub_key| and |priv_key|. - /// If |kdf| is not NULL, then it is called with the bytes of the shared key and - /// the parameter |out|. When |kdf| returns, the value of |*outlen| becomes the + /// ECDH_compute_key calculates the shared key between `pub_key` and `priv_key`. + /// If `kdf` is not NULL, then it is called with the bytes of the shared key and + /// the parameter `out`. When `kdf` returns, the value of `*outlen` becomes the /// return value. Otherwise, as many bytes of the shared key as will fit are - /// copied directly to, at most, |outlen| bytes at |out|. It returns the number - /// of bytes written to |out|, or -1 on error. + /// copied directly to, at most, `outlen` bytes at `out`. It returns the number + /// of bytes written to `out`, or -1 on error. int ECDH_compute_key( ffi.Pointer out, int outlen, @@ -490,7 +490,7 @@ class BoringSsl { ) >(); - /// ECDSA_SIG_free frees |sig| its member |BIGNUM|s. + /// ECDSA_SIG_free frees `sig` its member `BIGNUM`s. void ECDSA_SIG_free(ffi.Pointer sig) { return _ECDSA_SIG_free(sig); } @@ -502,8 +502,8 @@ class BoringSsl { late final _ECDSA_SIG_free = _ECDSA_SIG_freePtr.asFunction)>(); - /// ECDSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two - /// components of |sig|. + /// ECDSA_SIG_get0 sets `*out_r` and `*out_s`, if non-NULL, to the two + /// components of `sig`. void ECDSA_SIG_get0( ffi.Pointer sig, ffi.Pointer> out_r, 
@@ -531,8 +531,8 @@ class BoringSsl { ) >(); - /// ECDSA_SIG_marshal marshals |sig| as a DER-encoded ECDSA-Sig-Value and appends - /// the result to |cbb|. It returns one on success and zero on error. + /// ECDSA_SIG_marshal marshals `sig` as a DER-encoded ECDSA-Sig-Value and appends + /// the result to `cbb`. It returns one on success and zero on error. int ECDSA_SIG_marshal(ffi.Pointer cbb, ffi.Pointer sig) { return _ECDSA_SIG_marshal(cbb, sig); } @@ -548,7 +548,7 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// ECDSA_SIG_new returns a fresh |ECDSA_SIG| structure or NULL on error. + /// ECDSA_SIG_new returns a fresh `ECDSA_SIG` structure or NULL on error. ffi.Pointer ECDSA_SIG_new() { return _ECDSA_SIG_new(); } @@ -560,8 +560,8 @@ class BoringSsl { late final _ECDSA_SIG_new = _ECDSA_SIG_newPtr.asFunction Function()>(); - /// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and - /// advances |cbs|. It returns a newly-allocated |ECDSA_SIG| or NULL on error. + /// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from `cbs` and + /// advances `cbs`. It returns a newly-allocated `ECDSA_SIG` or NULL on error. ffi.Pointer ECDSA_SIG_parse(ffi.Pointer cbs) { return _ECDSA_SIG_parse(cbs); } @@ -575,11 +575,11 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// EC_GROUP_free releases a reference to |group|, if |group| was created by - /// |EC_GROUP_new_curve_GFp|. If |group| is static, it does nothing. + /// EC_GROUP_free releases a reference to `group`, if `group` was created by + /// `EC_GROUP_new_curve_GFp`. If `group` is static, it does nothing. /// /// This function exists for OpenSSL compatibility, and to manage dynamic - /// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need + /// `EC_GROUP`s constructed by `EC_GROUP_new_curve_GFp`. Callers that do not need /// either may ignore this function. void EC_GROUP_free(ffi.Pointer group) { return _EC_GROUP_free(group); 
@@ -592,8 +592,8 @@ class BoringSsl { late final _EC_GROUP_free = _EC_GROUP_freePtr.asFunction)>(); - /// EC_GROUP_get0_order returns a pointer to the internal |BIGNUM| object in - /// |group| that specifies the order of the group. + /// EC_GROUP_get0_order returns a pointer to the internal `BIGNUM` object in + /// `group` that specifies the order of the group. ffi.Pointer EC_GROUP_get0_order(ffi.Pointer group) { return _EC_GROUP_get0_order(group); } @@ -607,7 +607,7 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// EC_GROUP_get_curve_name returns a NID that identifies |group|. + /// EC_GROUP_get_curve_name returns a NID that identifies `group`. int EC_GROUP_get_curve_name(ffi.Pointer group) { return _EC_GROUP_get_curve_name(group); } @@ -622,7 +622,7 @@ class BoringSsl { >(); /// EC_GROUP_get_degree returns the number of bits needed to represent an - /// element of the field underlying |group|. + /// element of the field underlying `group`. int EC_GROUP_get_degree(ffi.Pointer group) { return _EC_GROUP_get_degree(group); } 
@@ -634,22 +634,22 @@ class BoringSsl { late final _EC_GROUP_get_degree = _EC_GROUP_get_degreePtr.asFunction)>(); - /// EC_GROUP_new_by_curve_name returns the |EC_GROUP| object for the elliptic - /// curve specified by |nid|, or NULL on unsupported NID. For OpenSSL + /// EC_GROUP_new_by_curve_name returns the `EC_GROUP` object for the elliptic + /// curve specified by `nid`, or NULL on unsupported NID. For OpenSSL /// compatibility, this function returns a non-const pointer which may be passed - /// to |EC_GROUP_free|. However, the resulting object is actually static and - /// calling |EC_GROUP_free| is optional. + /// to `EC_GROUP_free`. However, the resulting object is actually static and + /// calling `EC_GROUP_free` is optional. /// /// The supported NIDs are: - /// - |NID_secp224r1| (P-224) - /// - |NID_X9_62_prime256v1| (P-256) - /// - |NID_secp384r1| (P-384) - /// - |NID_secp521r1| (P-521) + /// - `NID_secp224r1` (P-224) + /// - `NID_X9_62_prime256v1` (P-256) + /// - `NID_secp384r1` (P-384) + /// - `NID_secp521r1` (P-521) /// /// Calling this function causes all four curves to be linked into the binary. - /// Prefer calling |EC_group_*| to allow the static linker to drop unused curves. + /// Prefer calling `EC_group_*` to allow the static linker to drop unused curves. /// - /// If in doubt, use |NID_X9_62_prime256v1|, or see the curve25519.h header for + /// If in doubt, use `NID_X9_62_prime256v1`, or see the curve25519.h header for /// more modern primitives. ffi.Pointer EC_GROUP_new_by_curve_name(int nid) { return _EC_GROUP_new_by_curve_name(nid); 
@@ -664,7 +664,7 @@ class BoringSsl { ffi.Pointer Function(int) >(); - /// EC_KEY_check_key performs several checks on |key| (possibly including an + /// EC_KEY_check_key performs several checks on `key` (possibly including an /// expensive check that the public key is in the primary subgroup). It returns /// one if all checks pass and zero otherwise. If it returns zero then detail /// about the problem can be found on the error stack. @@ -679,7 +679,7 @@ class BoringSsl { late final _EC_KEY_check_key = _EC_KEY_check_keyPtr.asFunction)>(); - /// EC_KEY_free frees all the data owned by |key| and |key| itself. + /// EC_KEY_free frees all the data owned by `key` and `key` itself. void EC_KEY_free(ffi.Pointer key) { return _EC_KEY_free(key); } @@ -692,7 +692,7 @@ class BoringSsl { _EC_KEY_freePtr.asFunction)>(); /// EC_KEY_generate_key generates a random, private key, calculates the - /// corresponding public key and stores both in |key|. It returns one on success + /// corresponding public key and stores both in `key`. It returns one on success /// or zero otherwise. int EC_KEY_generate_key(ffi.Pointer key) { return _EC_KEY_generate_key(key); @@ -705,7 +705,7 @@ class BoringSsl { late final _EC_KEY_generate_key = _EC_KEY_generate_keyPtr.asFunction)>(); - /// EC_KEY_get0_group returns a pointer to the |EC_GROUP| object inside |key|. + /// EC_KEY_get0_group returns a pointer to the `EC_GROUP` object inside `key`. ffi.Pointer EC_KEY_get0_group(ffi.Pointer key) { return _EC_KEY_get0_group(key); } @@ -719,7 +719,7 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// EC_KEY_get0_private_key returns a pointer to the private key inside |key|. + /// EC_KEY_get0_private_key returns a pointer to the private key inside `key`. ffi.Pointer EC_KEY_get0_private_key(ffi.Pointer key) { return _EC_KEY_get0_private_key(key); } 
@@ -734,7 +734,7 @@ class BoringSsl { >(); /// EC_KEY_get0_public_key returns a pointer to the public key point inside - /// |key|. + /// `key`. ffi.Pointer EC_KEY_get0_public_key(ffi.Pointer key) { return _EC_KEY_get0_public_key(key); } @@ -748,8 +748,8 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// EC_KEY_get_enc_flags returns the encoding flags for |key|, which is a - /// bitwise-OR of |EC_PKEY_*| values. + /// EC_KEY_get_enc_flags returns the encoding flags for `key`, which is a + /// bitwise-OR of `EC_PKEY_*` values. int EC_KEY_get_enc_flags(ffi.Pointer key) { return _EC_KEY_get_enc_flags(key); } @@ -761,7 +761,7 @@ class BoringSsl { late final _EC_KEY_get_enc_flags = _EC_KEY_get_enc_flagsPtr.asFunction)>(); - /// EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by |nid| + /// EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by `nid` /// or NULL on error. ffi.Pointer EC_KEY_new_by_curve_name(int nid) { return _EC_KEY_new_by_curve_name(nid); @@ -776,8 +776,8 @@ class BoringSsl { ffi.Pointer Function(int) >(); - /// EC_KEY_set_enc_flags sets the encoding flags for |key|, which is a - /// bitwise-OR of |EC_PKEY_*| values. + /// EC_KEY_set_enc_flags sets the encoding flags for `key`, which is a + /// bitwise-OR of `EC_PKEY_*` values. void EC_KEY_set_enc_flags(ffi.Pointer key, int flags) { return _EC_KEY_set_enc_flags(key, flags); } 
@@ -793,9 +793,9 @@ class BoringSsl { void Function(ffi.Pointer, int) >(); - /// EC_KEY_set_private_key sets the private key of |key| to |priv|. It returns - /// one on success and zero otherwise. |key| must already have had a group - /// configured (see |EC_KEY_set_group| and |EC_KEY_new_by_curve_name|). + /// EC_KEY_set_private_key sets the private key of `key` to `priv`. It returns + /// one on success and zero otherwise. `key` must already have had a group + /// configured (see `EC_KEY_set_group` and `EC_KEY_new_by_curve_name`). int EC_KEY_set_private_key( ffi.Pointer key, ffi.Pointer priv, @@ -814,10 +814,10 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// EC_KEY_set_public_key sets the public key of |key| to |pub|, by copying it. - /// It returns one on success and zero otherwise. |key| must already have had a - /// group configured (see |EC_KEY_set_group| and |EC_KEY_new_by_curve_name|), and - /// |pub| must also belong to that group, and must not be the point at infinity. + /// EC_KEY_set_public_key sets the public key of `key` to `pub`, by copying it. + /// It returns one on success and zero otherwise. `key` must already have had a + /// group configured (see `EC_KEY_set_group` and `EC_KEY_new_by_curve_name`), and + /// `pub` must also belong to that group, and must not be the point at infinity. int EC_KEY_set_public_key( ffi.Pointer key, ffi.Pointer pub, 
@@ -836,9 +836,9 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to - /// (|x|, |y|). It returns one on success and zero on error. It's considered an - /// error if |x| and |y| do not represent a point on |key|'s curve. + /// EC_KEY_set_public_key_affine_coordinates sets the public key in `key` to + /// (`x`, `y`). It returns one on success and zero on error. It's considered an + /// error if `x` and `y` do not represent a point on `key`'s curve. int EC_KEY_set_public_key_affine_coordinates( ffi.Pointer key, ffi.Pointer x, @@ -866,7 +866,7 @@ class BoringSsl { ) >(); - /// EC_POINT_free frees |point| and the data that it points to. + /// EC_POINT_free frees `point` and the data that it points to. void EC_POINT_free(ffi.Pointer point) { return _EC_POINT_free(point); } @@ -878,11 +878,11 @@ class BoringSsl { late final _EC_POINT_free = _EC_POINT_freePtr.asFunction)>(); - /// EC_POINT_get_affine_coordinates_GFp sets |x| and |y| to the affine value of - /// |point|. It returns one on success and zero otherwise. |ctx| is ignored and + /// EC_POINT_get_affine_coordinates_GFp sets `x` and `y` to the affine value of + /// `point`. It returns one on success and zero otherwise. `ctx` is ignored and /// may be NULL. /// - /// Either |x| or |y| may be NULL to skip computing that coordinate. This is + /// Either `x` or `y` may be NULL to skip computing that coordinate. This is /// slightly faster in the common case where only the x-coordinate is needed. int EC_POINT_get_affine_coordinates_GFp( ffi.Pointer group, @@ -917,7 +917,7 @@ class BoringSsl { ) >(); - /// EC_POINT_new returns a fresh |EC_POINT| object in the given group, or NULL + /// EC_POINT_new returns a fresh `EC_POINT` object in the given group, or NULL /// on error. ffi.Pointer EC_POINT_new(ffi.Pointer group) { return _EC_POINT_new(group); 
@@ -934,9 +934,9 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// EC_POINT_oct2point sets |point| from |len| bytes of X9.62 format - /// serialisation in |buf|. It returns one on success and zero on error. |ctx| - /// may be NULL. It's considered an error if |buf| does not represent a point on + /// EC_POINT_oct2point sets `point` from `len` bytes of X9.62 format + /// serialisation in `buf`. It returns one on success and zero on error. `ctx` + /// may be NULL. It's considered an error if `buf` does not represent a point on /// the curve. int EC_POINT_oct2point( ffi.Pointer group, @@ -971,8 +971,8 @@ class BoringSsl { ) >(); - /// EC_POINT_point2cbb behaves like |EC_POINT_point2oct| but appends the - /// serialised point to |cbb|. It returns one on success and zero on error. |ctx| + /// EC_POINT_point2cbb behaves like `EC_POINT_point2oct` but appends the + /// serialised point to `cbb`. It returns one on success and zero on error. `ctx` /// is ignored and may be NULL. int EC_POINT_point2cbb( ffi.Pointer out, @@ -1018,9 +1018,9 @@ class BoringSsl { _ERR_clear_errorPtr.asFunction(); /// ERR_error_string_n generates a human-readable string representing - /// |packed_error|, places it at |buf|, and returns |buf|. It writes at most - /// |len| bytes (including the terminating NUL) and truncates the string if - /// necessary. If |len| is greater than zero then |buf| is always NUL terminated. + /// `packed_error`, places it at `buf`, and returns `buf`. It writes at most + /// `len` bytes (including the terminating NUL) and truncates the string if + /// necessary. If `len` is greater than zero then `buf` is always NUL terminated. /// /// The string will have the following format: /// 
@@ -1062,7 +1062,7 @@ class BoringSsl { _lookup>('ERR_get_error'); late final _ERR_get_error = _ERR_get_errorPtr.asFunction(); - /// The "peek" functions act like the |ERR_get_error| functions, above, but they + /// The "peek" functions act like the `ERR_get_error` functions, above, but they /// do not remove the error from the queue. int ERR_peek_error() { return _ERR_peek_error(); @@ -1072,8 +1072,8 @@ class BoringSsl { _lookup>('ERR_peek_error'); late final _ERR_peek_error = _ERR_peek_errorPtr.asFunction(); - /// EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on - /// |ctx|. + /// EVP_AEAD_CTX_free calls `EVP_AEAD_CTX_cleanup` and `OPENSSL_free` on + /// `ctx`. void EVP_AEAD_CTX_free(ffi.Pointer ctx) { return _EVP_AEAD_CTX_free(ctx); } @@ -1087,8 +1087,8 @@ class BoringSsl { void Function(ffi.Pointer) >(); - /// EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and - /// returns the |EVP_AEAD_CTX|, or NULL on error. + /// EVP_AEAD_CTX_new allocates an `EVP_AEAD_CTX`, calls `EVP_AEAD_CTX_init` and + /// returns the `EVP_AEAD_CTX`, or NULL on error. ffi.Pointer EVP_AEAD_CTX_new( ffi.Pointer aead, ffi.Pointer key, 
@@ -1119,25 +1119,25 @@ class BoringSsl { ) >(); - /// EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes - /// from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on + /// EVP_AEAD_CTX_open authenticates `in_len` bytes from `in` and `ad_len` bytes + /// from `ad` and decrypts at most `in_len` bytes into `out`. It returns one on /// success and zero otherwise. /// /// This function may be called concurrently with itself or any other seal/open - /// function on the same |EVP_AEAD_CTX|. + /// function on the same `EVP_AEAD_CTX`. /// - /// At most |in_len| bytes are written to |out|. In order to ensure success, - /// |max_out_len| should be at least |in_len|. On successful return, |*out_len| + /// At most `in_len` bytes are written to `out`. In order to ensure success, + /// `max_out_len` should be at least `in_len`. On successful return, `*out_len` /// is set to the the actual number of bytes written. /// - /// The length of |nonce|, |nonce_len|, must be equal to the result of - /// |EVP_AEAD_nonce_length| for this AEAD. + /// The length of `nonce`, `nonce_len`, must be equal to the result of + /// `EVP_AEAD_nonce_length` for this AEAD. /// - /// |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is - /// insufficient, zero will be returned. If any error occurs, |out| will be - /// filled with zero bytes and |*out_len| set to zero. + /// `EVP_AEAD_CTX_open` never results in a partial output. If `max_out_len` is + /// insufficient, zero will be returned. If any error occurs, `out` will be + /// filled with zero bytes and `*out_len` set to zero. /// - /// If |in| and |out| alias then |out| must be == |in|. + /// If `in` and `out` alias then `out` must be == `in`. int EVP_AEAD_CTX_open( ffi.Pointer ctx, ffi.Pointer out, 
@@ -1197,26 +1197,26 @@ class BoringSsl { ) >(); - /// EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and - /// authenticates |ad_len| bytes from |ad| and writes the result to |out|. It + /// EVP_AEAD_CTX_seal encrypts and authenticates `in_len` bytes from `in` and + /// authenticates `ad_len` bytes from `ad` and writes the result to `out`. It /// returns one on success and zero otherwise. /// /// This function may be called concurrently with itself or any other seal/open - /// function on the same |EVP_AEAD_CTX|. + /// function on the same `EVP_AEAD_CTX`. /// - /// At most |max_out_len| bytes are written to |out| and, in order to ensure - /// success, |max_out_len| should be |in_len| plus the result of - /// |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the + /// At most `max_out_len` bytes are written to `out` and, in order to ensure + /// success, `max_out_len` should be `in_len` plus the result of + /// `EVP_AEAD_max_overhead`. On successful return, `*out_len` is set to the /// actual number of bytes written. /// - /// The length of |nonce|, |nonce_len|, must be equal to the result of - /// |EVP_AEAD_nonce_length| for this AEAD. + /// The length of `nonce`, `nonce_len`, must be equal to the result of + /// `EVP_AEAD_nonce_length` for this AEAD. /// - /// |EVP_AEAD_CTX_seal| never results in a partial output. If |max_out_len| is - /// insufficient, zero will be returned. If any error occurs, |out| will be - /// filled with zero bytes and |*out_len| set to zero. + /// `EVP_AEAD_CTX_seal` never results in a partial output. If `max_out_len` is + /// insufficient, zero will be returned. If any error occurs, `out` will be + /// filled with zero bytes and `*out_len` set to zero. /// - /// If |in| and |out| alias then |out| must be == |in|. + /// If `in` and `out` alias then `out` must be == `in`. int EVP_AEAD_CTX_seal( ffi.Pointer ctx, ffi.Pointer out, 
@@ -1277,7 +1277,7 @@ class BoringSsl { >(); /// EVP_AEAD_key_length returns the length, in bytes, of the keys used by - /// |aead|. + /// `aead`. int EVP_AEAD_key_length(ffi.Pointer aead) { return _EVP_AEAD_key_length(aead); } @@ -1290,7 +1290,7 @@ class BoringSsl { _EVP_AEAD_key_lengthPtr.asFunction)>(); /// EVP_AEAD_max_overhead returns the maximum number of additional bytes added - /// by the act of sealing data with |aead|. + /// by the act of sealing data with `aead`. int EVP_AEAD_max_overhead(ffi.Pointer aead) { return _EVP_AEAD_max_overhead(aead); } @@ -1304,9 +1304,9 @@ class BoringSsl { int Function(ffi.Pointer) >(); - /// EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This - /// is the largest value that can be passed as |tag_len| to - /// |EVP_AEAD_CTX_init|. + /// EVP_AEAD_max_tag_len returns the maximum tag length when using `aead`. This + /// is the largest value that can be passed as `tag_len` to + /// `EVP_AEAD_CTX_init`. int EVP_AEAD_max_tag_len(ffi.Pointer aead) { return _EVP_AEAD_max_tag_len(aead); } @@ -1321,7 +1321,7 @@ class BoringSsl { >(); /// EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce - /// for |aead|. + /// for `aead`. int EVP_AEAD_nonce_length(ffi.Pointer aead) { return _EVP_AEAD_nonce_length(aead); } @@ -1335,8 +1335,8 @@ class BoringSsl { int Function(ffi.Pointer) >(); - /// EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees - /// |ctx| itself. + /// EVP_CIPHER_CTX_free calls `EVP_CIPHER_CTX_cleanup` on `ctx` and then frees + /// `ctx` itself. void EVP_CIPHER_CTX_free(ffi.Pointer ctx) { return _EVP_CIPHER_CTX_free(ctx); } 
@@ -1350,8 +1350,9 @@ class BoringSsl { void Function(ffi.Pointer) >(); - /// EVP_CIPHER_CTX_new allocates a fresh |EVP_CIPHER_CTX|, calls - /// |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure. + /// EVP_CIPHER_CTX_new returns a newly-allocated `EVP_CIPHER_CTX` in the zero + /// state, or NULL on allocation failure. The caller must use + /// `EVP_CIPHER_CTX_free` to release the resulting object. ffi.Pointer EVP_CIPHER_CTX_new() { return _EVP_CIPHER_CTX_new(); } @@ -1365,8 +1366,8 @@ class BoringSsl { ffi.Pointer Function() >(); - /// EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one - /// if |cipher| is a stream cipher. + /// EVP_CIPHER_block_size returns the block size, in bytes, for `cipher`, or one + /// if `cipher` is a stream cipher. int EVP_CIPHER_block_size(ffi.Pointer cipher) { return _EVP_CIPHER_block_size(cipher); } @@ -1380,8 +1381,8 @@ class BoringSsl { int Function(ffi.Pointer) >(); - /// EVP_CIPHER_iv_length returns the IV size, in bytes, of |cipher|, or zero if - /// |cipher| doesn't take an IV. + /// EVP_CIPHER_iv_length returns the IV size, in bytes, of `cipher`, or zero if + /// `cipher` doesn't take an IV. int EVP_CIPHER_iv_length(ffi.Pointer cipher) { return _EVP_CIPHER_iv_length(cipher); } @@ -1395,11 +1396,11 @@ class BoringSsl { int Function(ffi.Pointer) >(); - /// EVP_CipherFinal_ex does the same as |EVP_CipherFinal_ex2|, except that no + /// EVP_CipherFinal_ex does the same as `EVP_CipherFinal_ex2`, except that no /// output size is given and thus no bounds checking is performed. /// /// WARNING: This function does not check bounds on out, and correctly sizing - /// the output buffer is difficult. Use |EVP_CipherFinal_ex2| instead. + /// the output buffer is difficult. Use `EVP_CipherFinal_ex2` instead. int EVP_CipherFinal_ex( ffi.Pointer ctx, ffi.Pointer out, 
@@ -1427,13 +1428,46 @@ class BoringSsl { ) >(); - /// EVP_CipherInit_ex configures |ctx| for a fresh encryption (or decryption, if - /// |enc| is zero) operation using |cipher|. If |ctx| has been previously - /// configured with a cipher then |cipher|, |key| and |iv| may be |NULL| and - /// |enc| may be -1 to reuse the previous values. The operation will use |key| - /// as the key and |iv| as the IV (if any). These should have the correct - /// lengths given by |EVP_CIPHER_key_length| and |EVP_CIPHER_iv_length|. It - /// returns one on success and zero on error. + /// EVP_CipherInit_ex configures `ctx` for a fresh encryption (or decryption, if + /// `enc` is zero) operation using `cipher`. The memory in `ctx` must already + /// have been initialized, e.g. with `EVP_CIPHER_CTX_init` or + /// `EVP_CIPHER_CTX_new`. If non-NULL, `key` and `iv` will be used as the key and + /// IV, respectively. These must point to `EVP_CIPHER_key_length` and + /// `EVP_CIPHER_iv_length` bytes, respectively. It returns one on success and + /// zero on error. + /// + /// This function may be called multiple times on a single `EVP_CIPHER_CTX`, + /// either to reset an existing object, or to configure a single operation in + /// multiple steps. In such cases: + /// + /// - `cipher` may be NULL to reuse the previous cipher state. A non-NULL + /// `cipher` will reset all cipher state, including the key and IV, even if + /// configuring the same `EVP_CIPHER` as before. + /// + /// - `key` and `iv` may be NULL to either reuse the previous value, or leave + /// them unconfigured. + /// + /// - `enc` may be -1 to reuse the previous value. In ciphers that use a + /// different key schedule between encryption and decryption (e.g. CBC and ECB + /// modes), callers must configure `key` and `enc` together. 
+ /// + /// Some example multi-step configuration patterns: + /// + /// - If setting a variable-length key with `EVP_CIPHER_CTX_set_key_length`, + /// first configure only `cipher`, then use `EVP_CIPHER_CTX_set_key_length`, + /// and finally configure `key`, leaving `cipher` NULL. + /// + /// - If setting a variable-length IV with `EVP_CTRL_AEAD_SET_IVLEN`, first + /// configure `cipher` and `key`, then use `EVP_CTRL_AEAD_SET_IVLEN`, and + /// finally configure `iv`, leaving other parameters NULL. + /// + /// - If retaining a long-lived context to reuse the key schedule across + /// operations, first configure only `cipher` and `key` on the long-lived + /// context, then copy the key schedule to a per-operation context with + /// `EVP_CIPHER_CTX_copy`, and finally configure only `iv` on the per-operation + /// context. + /// + /// WARNING: This API is difficult to use correctly. Use `EVP_AEAD` for AEADs. int EVP_CipherInit_ex( ffi.Pointer ctx, ffi.Pointer cipher, @@ -1470,15 +1504,15 @@ class BoringSsl { ) >(); - /// EVP_CipherUpdate does the same as |EVP_CipherUpdate_ex|, except that no + /// EVP_CipherUpdate does the same as `EVP_CipherUpdate_ex`, except that no /// output size is given and thus no bounds checking is performed. /// - /// Additionally, if |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| - /// is NULL, this function instead behaves like |EVP_CipherUpdateAAD|. + /// Additionally, if `ctx` is an AEAD cipher, e.g. `EVP_aes_128_gcm`, and `out` + /// is NULL, this function instead behaves like `EVP_CipherUpdateAAD`. /// - /// WARNING: This function does not check bounds on |out|, and correctly sizing - /// the output buffer is difficult. Use |EVP_CipherUpdate_ex| or - /// |EVP_CipherUpdateAAD| instead. + /// WARNING: This function does not check bounds on `out`, and correctly sizing + /// the output buffer is difficult. Use `EVP_CipherUpdate_ex` or + /// `EVP_CipherUpdateAAD` instead. int EVP_CipherUpdate( ffi.Pointer ctx, ffi.Pointer out, 
@@ -1512,8 +1546,8 @@ class BoringSsl { ) >(); - /// EVP_DigestFinal acts like |EVP_DigestFinal_ex| except that - /// |EVP_MD_CTX_cleanup| is called on |ctx| before returning. + /// EVP_DigestFinal acts like `EVP_DigestFinal_ex` except that + /// `EVP_MD_CTX_cleanup` is called on `ctx` before returning. int EVP_DigestFinal( ffi.Pointer ctx, ffi.Pointer md_out, @@ -1541,8 +1575,18 @@ class BoringSsl { ) >(); - /// EVP_DigestInit acts like |EVP_DigestInit_ex| except that |ctx| is - /// initialised before use. + /// EVP_DigestInit calls `EVP_MD_CTX_init`, followed by `EVP_DigestInit_ex`. + /// + /// `EVP_MD_CTX_init` is used for initializing uninitialized memory in an + /// `EVP_MD_CTX`, e.g. if it is declared as a local variable on the stack. Thus + /// this function should not be used on objects that have already been + /// initialized. + /// + /// WARNING: This differs from OpenSSL 1.1.x, where `EVP_DigestInit` and + /// `EVP_DigestInit_ex` are largely equivalent. This difference is because + /// BoringSSL, like OpenSSL 1.0.x, still supports stack-allocating `EVP_MD_CTX`. + /// Implementing the OpenSSL 1.1.x semantics would introduce uninitialized reads + /// in those callers. int EVP_DigestInit(ffi.Pointer ctx, ffi.Pointer type) { return _EVP_DigestInit(ctx, type); } 
@@ -1559,14 +1603,14 @@ class BoringSsl { >(); /// EVP_DigestSignFinal signs the data that has been included by one or more - /// calls to |EVP_DigestSignUpdate|. If |out_sig| is NULL then |*out_sig_len| is + /// calls to `EVP_DigestSignUpdate`. If `out_sig` is NULL then `*out_sig_len` is /// set to the maximum number of output bytes. Otherwise, on entry, - /// |*out_sig_len| must contain the length of the |out_sig| buffer. If the call - /// is successful, the signature is written to |out_sig| and |*out_sig_len| is + /// `*out_sig_len` must contain the length of the `out_sig` buffer. If the call + /// is successful, the signature is written to `out_sig` and `*out_sig_len` is /// set to its length. /// /// This function performs a streaming signing operation and will fail for - /// signature algorithms which do not support this. Use |EVP_DigestSign| for a + /// signature algorithms which do not support this. Use `EVP_DigestSign` for a /// single-shot operation. /// /// It returns one on success, or zero on error. 
@@ -1597,18 +1641,18 @@ class BoringSsl { ) >(); - /// EVP_DigestSignInit sets up |ctx| for a signing operation with |type| and - /// |pkey|. The |ctx| argument must have been initialised with - /// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing - /// operation will be written to |*pctx|; this can be used to set alternative + /// EVP_DigestSignInit sets up `ctx` for a signing operation with `type` and + /// `pkey`. The `ctx` argument must have been initialised with + /// `EVP_MD_CTX_init`. If `pctx` is not NULL, the `EVP_PKEY_CTX` of the signing + /// operation will be written to `*pctx`; this can be used to set alternative /// signing options. /// /// For single-shot signing algorithms which do not use a pre-hash, such as - /// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is - /// present so the API is uniform. See |EVP_DigestSign|. + /// Ed25519, `type` should be NULL. The `EVP_MD_CTX` itself is unused but is + /// present so the API is uniform. See `EVP_DigestSign`. /// - /// This function does not mutate |pkey| for thread-safety purposes and may be - /// used concurrently with other non-mutating functions on |pkey|. + /// This function does not mutate `pkey` for thread-safety purposes and may be + /// used concurrently with other non-mutating functions on `pkey`. /// /// It returns one on success, or zero on error. int EVP_DigestSignInit( 
@@ -1644,11 +1688,11 @@ class BoringSsl { ) >(); - /// EVP_DigestSignUpdate appends |len| bytes from |data| to the data which will - /// be signed in |EVP_DigestSignFinal|. It returns one. + /// EVP_DigestSignUpdate appends `len` bytes from `data` to the data which will + /// be signed in `EVP_DigestSignFinal`. It returns one. /// /// This function performs a streaming signing operation and will fail for - /// signature algorithms which do not support this. Use |EVP_DigestSign| for a + /// signature algorithms which do not support this. Use `EVP_DigestSign` for a /// single-shot operation. int EVP_DigestSignUpdate( ffi.Pointer ctx, @@ -1673,8 +1717,8 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, int) >(); - /// EVP_DigestUpdate hashes |len| bytes from |data| into the hashing operation - /// in |ctx|. It returns one. + /// EVP_DigestUpdate hashes `len` bytes from `data` into the hashing operation + /// in `ctx`. It returns one. int EVP_DigestUpdate( ffi.Pointer ctx, ffi.Pointer data, @@ -1698,12 +1742,12 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, int) >(); - /// EVP_DigestVerifyFinal verifies that |sig_len| bytes of |sig| are a valid + /// EVP_DigestVerifyFinal verifies that `sig_len` bytes of `sig` are a valid /// signature for the data that has been included by one or more calls to - /// |EVP_DigestVerifyUpdate|. It returns one on success and zero otherwise. + /// `EVP_DigestVerifyUpdate`. It returns one on success and zero otherwise. /// /// This function performs streaming signature verification and will fail for - /// signature algorithms which do not support this. Use |EVP_DigestVerify| for a + /// signature algorithms which do not support this. Use `EVP_DigestVerify` for a /// single-shot verification. int EVP_DigestVerifyFinal( ffi.Pointer ctx, 
@@ -1728,18 +1772,18 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, int) >(); - /// EVP_DigestVerifyInit sets up |ctx| for a signature verification operation - /// with |type| and |pkey|. The |ctx| argument must have been initialised with - /// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing - /// operation will be written to |*pctx|; this can be used to set alternative + /// EVP_DigestVerifyInit sets up `ctx` for a signature verification operation + /// with `type` and `pkey`. The `ctx` argument must have been initialised with + /// `EVP_MD_CTX_init`. If `pctx` is not NULL, the `EVP_PKEY_CTX` of the signing + /// operation will be written to `*pctx`; this can be used to set alternative /// signing options. /// /// For single-shot signing algorithms which do not use a pre-hash, such as - /// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is - /// present so the API is uniform. See |EVP_DigestVerify|. + /// Ed25519, `type` should be NULL. The `EVP_MD_CTX` itself is unused but is + /// present so the API is uniform. See `EVP_DigestVerify`. /// - /// This function does not mutate |pkey| for thread-safety purposes and may be - /// used concurrently with other non-mutating functions on |pkey|. + /// This function does not mutate `pkey` for thread-safety purposes and may be + /// used concurrently with other non-mutating functions on `pkey`. /// /// It returns one on success, or zero on error. int EVP_DigestVerifyInit( 
@@ -1775,11 +1819,11 @@ class BoringSsl { ) >(); - /// EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which - /// will be verified by |EVP_DigestVerifyFinal|. It returns one. + /// EVP_DigestVerifyUpdate appends `len` bytes from `data` to the data which + /// will be verified by `EVP_DigestVerifyFinal`. It returns one. /// /// This function performs streaming signature verification and will fail for - /// signature algorithms which do not support this. Use |EVP_DigestVerify| for a + /// signature algorithms which do not support this. Use `EVP_DigestVerify` for a /// single-shot verification. int EVP_DigestVerifyUpdate( ffi.Pointer ctx, @@ -1804,7 +1848,7 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, int) >(); - /// EVP_MD_CTX_free calls |EVP_MD_CTX_cleanup| and then frees |ctx| itself. + /// EVP_MD_CTX_free calls `EVP_MD_CTX_cleanup` and then frees `ctx` itself. void EVP_MD_CTX_free(ffi.Pointer ctx) { return _EVP_MD_CTX_free(ctx); } @@ -1816,9 +1860,9 @@ class BoringSsl { late final _EVP_MD_CTX_free = _EVP_MD_CTX_freePtr.asFunction)>(); - /// EVP_MD_CTX_new allocates and initialises a fresh |EVP_MD_CTX| and returns - /// it, or NULL on allocation failure. The caller must use |EVP_MD_CTX_free| to - /// release the resulting object. + /// EVP_MD_CTX_new returns a newly-allocated `EVP_MD_CTX` in the zero state, or + /// NULL on allocation failure. The caller must use `EVP_MD_CTX_free` to release + /// the resulting object. ffi.Pointer EVP_MD_CTX_new() { return _EVP_MD_CTX_new(); } @@ -1830,8 +1874,8 @@ class BoringSsl { late final _EVP_MD_CTX_new = _EVP_MD_CTX_newPtr.asFunction Function()>(); - /// EVP_MD_CTX_size returns the digest size of |ctx|, in bytes. It - /// will crash if a digest hasn't been set on |ctx|. + /// EVP_MD_CTX_size returns the digest size of `ctx`, in bytes. It + /// will crash if a digest hasn't been set on `ctx`. int EVP_MD_CTX_size(ffi.Pointer ctx) { return _EVP_MD_CTX_size(ctx); } 
@@ -1843,7 +1887,7 @@ class BoringSsl { late final _EVP_MD_CTX_size = _EVP_MD_CTX_sizePtr.asFunction)>(); - /// EVP_MD_size returns the digest size of |md|, in bytes. + /// EVP_MD_size returns the digest size of `md`, in bytes. int EVP_MD_size(ffi.Pointer md) { return _EVP_MD_size(md); } @@ -1855,7 +1899,7 @@ class BoringSsl { late final _EVP_MD_size = _EVP_MD_sizePtr.asFunction)>(); - /// EVP_PKEY_CTX_free frees |ctx| and the data it owns. + /// EVP_PKEY_CTX_free frees `ctx` and the data it owns. void EVP_PKEY_CTX_free(ffi.Pointer ctx) { return _EVP_PKEY_CTX_free(ctx); } @@ -1869,7 +1913,7 @@ class BoringSsl { void Function(ffi.Pointer) >(); - /// EVP_PKEY_CTX_new allocates a fresh |EVP_PKEY_CTX| for use with |pkey|. It + /// EVP_PKEY_CTX_new allocates a fresh `EVP_PKEY_CTX` for use with `pkey`. It /// returns the context or NULL on error. ffi.Pointer EVP_PKEY_CTX_new( ffi.Pointer pkey, @@ -1895,9 +1939,9 @@ class BoringSsl { ) >(); - /// EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the - /// label used in OAEP. DANGER: On success, this call takes ownership of |label| - /// and will call |OPENSSL_free| on it when |ctx| is destroyed. + /// EVP_PKEY_CTX_set0_rsa_oaep_label sets `label_len` bytes from `label` as the + /// label used in OAEP. DANGER: On success, this call takes ownership of `label` + /// and will call `OPENSSL_free` on it when `ctx` is destroyed. /// /// Returns one on success or zero on error. int EVP_PKEY_CTX_set0_rsa_oaep_label( 
@@ -1923,11 +1967,11 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, int) >(); - /// EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns + /// EVP_PKEY_CTX_set_rsa_mgf1_md sets `md` as the digest used in MGF1. Returns /// one on success or zero on error. /// - /// If unset, the default is the signing hash for |RSA_PKCS1_PSS_PADDING| and the - /// OAEP hash for |RSA_PKCS1_OAEP_PADDING|. Callers are recommended to use this + /// If unset, the default is the signing hash for `RSA_PKCS1_PSS_PADDING` and the + /// OAEP hash for `RSA_PKCS1_OAEP_PADDING`. Callers are recommended to use this /// default and not call this function. int EVP_PKEY_CTX_set_rsa_mgf1_md( ffi.Pointer ctx, @@ -1947,7 +1991,7 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding. + /// EVP_PKEY_CTX_set_rsa_oaep_md sets `md` as the digest used in OAEP padding. /// Returns one on success or zero on error. If unset, the default is SHA-1. /// Callers are recommended to overwrite this default. /// @@ -1971,8 +2015,8 @@ class BoringSsl { >(); /// EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one - /// of the |RSA_*_PADDING| values. Returns one on success or zero on error. By - /// default, the padding is |RSA_PKCS1_PADDING|. + /// of the `RSA_*_PADDING` values. Returns one on success or zero on error. By + /// default, the padding is `RSA_PKCS1_PADDING`. int EVP_PKEY_CTX_set_rsa_padding(ffi.Pointer ctx, int padding) { return _EVP_PKEY_CTX_set_rsa_padding(ctx, padding); } 
@@ -1987,14 +2031,14 @@ class BoringSsl { >(); /// EVP_PKEY_CTX_set_rsa_pss_saltlen sets the length of the salt in a PSS-padded - /// signature. A value of |RSA_PSS_SALTLEN_DIGEST| causes the salt to be the same - /// length as the digest in the signature. A value of |RSA_PSS_SALTLEN_AUTO| + /// signature. A value of `RSA_PSS_SALTLEN_DIGEST` causes the salt to be the same + /// length as the digest in the signature. A value of `RSA_PSS_SALTLEN_AUTO` /// causes the salt to be the maximum length that will fit when signing and /// recovered from the signature when verifying. Otherwise the value gives the /// size of the salt in bytes. /// - /// If unsure, use |RSA_PSS_SALTLEN_DIGEST|, which is the default. Note this - /// differs from OpenSSL, which defaults to |RSA_PSS_SALTLEN_AUTO|. + /// If unsure, use `RSA_PSS_SALTLEN_DIGEST`, which is the default. Note this + /// differs from OpenSSL, which defaults to `RSA_PSS_SALTLEN_AUTO`. /// /// Returns one on success or zero on error. int EVP_PKEY_CTX_set_rsa_pss_saltlen( 
@@ -2013,13 +2057,13 @@ class BoringSsl { int Function(ffi.Pointer, int) >(); - /// EVP_PKEY_decrypt decrypts |in_len| bytes from |in|. If |out| is NULL, the - /// maximum size of the plaintext is written to |out_len|. Otherwise, |*out_len| - /// must contain the number of bytes of space available at |out|. If sufficient, - /// the ciphertext will be written to |out| and |*out_len| updated with the true + /// EVP_PKEY_decrypt decrypts `in_len` bytes from `in`. If `out` is NULL, the + /// maximum size of the plaintext is written to `out_len`. Otherwise, `*out_len` + /// must contain the number of bytes of space available at `out`. If sufficient, + /// the ciphertext will be written to `out` and `*out_len` updated with the true /// length. /// - /// WARNING: Setting |out| to NULL only gives the maximum size of the + /// WARNING: Setting `out` to NULL only gives the maximum size of the /// plaintext. The actual plaintext may be smaller. /// /// It returns one on success or zero on error. @@ -2056,8 +2100,8 @@ class BoringSsl { ) >(); - /// EVP_PKEY_decrypt_init initialises an |EVP_PKEY_CTX| for a decryption - /// operation. It should be called before |EVP_PKEY_decrypt|. + /// EVP_PKEY_decrypt_init initialises an `EVP_PKEY_CTX` for a decryption + /// operation. It should be called before `EVP_PKEY_decrypt`. /// /// It returns one on success or zero on error. int EVP_PKEY_decrypt_init(ffi.Pointer ctx) { 
@@ -2073,13 +2117,13 @@ class BoringSsl { int Function(ffi.Pointer) >(); - /// EVP_PKEY_encrypt encrypts |in_len| bytes from |in|. If |out| is NULL, the - /// maximum size of the ciphertext is written to |out_len|. Otherwise, |*out_len| - /// must contain the number of bytes of space available at |out|. If sufficient, - /// the ciphertext will be written to |out| and |*out_len| updated with the true + /// EVP_PKEY_encrypt encrypts `in_len` bytes from `in`. If `out` is NULL, the + /// maximum size of the ciphertext is written to `out_len`. Otherwise, `*out_len` + /// must contain the number of bytes of space available at `out`. If sufficient, + /// the ciphertext will be written to `out` and `*out_len` updated with the true /// length. /// - /// WARNING: Setting |out| to NULL only gives the maximum size of the + /// WARNING: Setting `out` to NULL only gives the maximum size of the /// ciphertext. The actual ciphertext may be smaller. /// /// It returns one on success or zero on error. @@ -2116,8 +2160,8 @@ class BoringSsl { ) >(); - /// EVP_PKEY_encrypt_init initialises an |EVP_PKEY_CTX| for an encryption - /// operation. It should be called before |EVP_PKEY_encrypt|. + /// EVP_PKEY_encrypt_init initialises an `EVP_PKEY_CTX` for an encryption + /// operation. It should be called before `EVP_PKEY_encrypt`. /// /// It returns one on success or zero on error. int EVP_PKEY_encrypt_init(ffi.Pointer ctx) { @@ -2133,7 +2177,7 @@ class BoringSsl { int Function(ffi.Pointer) >(); - /// EVP_PKEY_free decrements the reference count of |pkey| and frees it if the + /// EVP_PKEY_free decrements the reference count of `pkey` and frees it if the /// reference count drops to zero. void EVP_PKEY_free(ffi.Pointer pkey) { return _EVP_PKEY_free(pkey); 
@@ -2172,12 +2216,12 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*| + /// EVP_PKEY_id returns the type of `pkey`, which is one of the `EVP_PKEY_*` /// values above. These type values generally correspond to the algorithm OID, /// but not the parameters, of a SubjectPublicKeyInfo (RFC 5280) or /// PrivateKeyInfo (RFC 5208) AlgorithmIdentifier. Algorithm parameters can be /// inspected with algorithm-specific accessors, e.g. - /// |EVP_PKEY_get_ec_curve_nid|. + /// `EVP_PKEY_get_ec_curve_nid`. int EVP_PKEY_id(ffi.Pointer pkey) { return _EVP_PKEY_id(pkey); } 
@@ -2223,29 +2267,29 @@ class BoringSsl { /// Getting and setting concrete key types. /// /// The following functions get and set the underlying key representation in an - /// |EVP_PKEY| object. The |set1| functions take an additional reference to the - /// underlying key and return one on success or zero if |key| is NULL. The - /// |assign| functions adopt the caller's reference and return one on success or - /// zero if |key| is NULL. The |get1| functions return a fresh reference to the - /// underlying object or NULL if |pkey| is not of the correct type. The |get0| + /// `EVP_PKEY` object. The `set1` functions take an additional reference to the + /// underlying key and return one on success or zero if `key` is NULL. The + /// `assign` functions adopt the caller's reference and return one on success or + /// zero if `key` is NULL. The `get1` functions return a fresh reference to the + /// underlying object or NULL if `pkey` is not of the correct type. The `get0` /// functions behave the same but return a non-owning pointer. /// - /// The |get0| and |get1| functions take |const| pointers and are thus + /// The `get0` and `get1` functions take `const` pointers and are thus /// non-mutating for thread-safety purposes, but mutating functions on the - /// returned lower-level objects are considered to also mutate the |EVP_PKEY| and - /// may not be called concurrently with other operations on the |EVP_PKEY|. + /// returned lower-level objects are considered to also mutate the `EVP_PKEY` and + /// may not be called concurrently with other operations on the `EVP_PKEY`. /// /// WARNING: Matching OpenSSL, the RSA functions behave non-uniformly. - /// |EVP_PKEY_set1_RSA| and |EVP_PKEY_assign_RSA| construct an |EVP_PKEY_RSA| - /// key, while the |EVP_PKEY_get0_RSA| and |EVP_PKEY_get1_RSA| will return - /// non-NULL for both |EVP_PKEY_RSA| and |EVP_PKEY_RSA_PSS|. 
+ /// `EVP_PKEY_set1_RSA` and `EVP_PKEY_assign_RSA` construct an `EVP_PKEY_RSA` + /// key, while the `EVP_PKEY_get0_RSA` and `EVP_PKEY_get1_RSA` will return + /// non-NULL for both `EVP_PKEY_RSA` and `EVP_PKEY_RSA_PSS`. /// /// This means callers risk misusing a key if they assume a non-NULL return from - /// |EVP_PKEY_get0_RSA| or |EVP_PKEY_get1_RSA| implies |EVP_PKEY_RSA|. Prefer - /// |EVP_PKEY_id| to check the type of a key. To reduce this risk, BoringSSL does - /// not make |EVP_PKEY_RSA_PSS| available by default, only when callers opt in - /// via |EVP_pkey_rsa_pss_sha256|. This differs from upstream OpenSSL, where - /// callers are exposed to |EVP_PKEY_RSA_PSS| by default. + /// `EVP_PKEY_get0_RSA` or `EVP_PKEY_get1_RSA` implies `EVP_PKEY_RSA`. Prefer + /// `EVP_PKEY_id` to check the type of a key. To reduce this risk, BoringSSL does + /// not make `EVP_PKEY_RSA_PSS` available by default, only when callers opt in + /// via `EVP_pkey_rsa_pss_sha256`. This differs from upstream OpenSSL, where + /// callers are exposed to `EVP_PKEY_RSA_PSS` by default. int EVP_PKEY_set1_RSA(ffi.Pointer pkey, ffi.Pointer key) { return _EVP_PKEY_set1_RSA(pkey, key); } 
@@ -2261,23 +2305,23 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if - /// successful or zero if the |type| argument is not one of the |EVP_PKEY_*| - /// values supported for use with this function. If |pkey| is NULL, it simply + /// EVP_PKEY_set_type sets the type of `pkey` to `type`. It returns one if + /// successful or zero if the `type` argument is not one of the `EVP_PKEY_*` + /// values supported for use with this function. If `pkey` is NULL, it simply /// reports whether the type is known. /// - /// There are very few cases where this function is useful. Changing |pkey|'s + /// There are very few cases where this function is useful. Changing `pkey`'s /// type clears any previously stored keys, so there is no benefit to loading a - /// key and then changing its type. Although |pkey| is left with a type + /// key and then changing its type. Although `pkey` is left with a type /// configured, it has no key, and functions which set a key, such as - /// |EVP_PKEY_set1_RSA|, will configure a type anyway. If writing unit tests that + /// `EVP_PKEY_set1_RSA`, will configure a type anyway. If writing unit tests that /// are only sensitive to the type of a key, it is preferable to construct a real /// key, so that tests are more representative of production code. /// /// The only API pattern which requires this function is - /// |EVP_PKEY_set1_tls_encodedpoint| with X25519, which requires a half-empty - /// |EVP_PKEY| that was first configured with |EVP_PKEY_X25519|. Currently, all - /// other values of |type| will result in an error. + /// `EVP_PKEY_set1_tls_encodedpoint` with X25519, which requires a half-empty + /// `EVP_PKEY` that was first configured with `EVP_PKEY_X25519`. Currently, all + /// other values of `type` will result in an error. int EVP_PKEY_set_type(ffi.Pointer pkey, int type) { return _EVP_PKEY_set_type(pkey, type); } 
@@ -2371,8 +2415,8 @@ class BoringSsl { late final _EVP_aes_256_ctr = _EVP_aes_256_ctrPtr.asFunction Function()>(); - /// EVP_marshal_private_key marshals |key| as a DER-encoded PrivateKeyInfo - /// structure (RFC 5208) and appends the result to |cbb|. It returns one on + /// EVP_marshal_private_key marshals `key` as a DER-encoded PrivateKeyInfo + /// structure (RFC 5208) and appends the result to `cbb`. It returns one on /// success and zero on error. int EVP_marshal_private_key(ffi.Pointer cbb, ffi.Pointer key) { return _EVP_marshal_private_key(cbb, key); @@ -2389,8 +2433,8 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer) >(); - /// EVP_marshal_public_key marshals |key| as a DER-encoded SubjectPublicKeyInfo - /// structure (RFC 5280) and appends the result to |cbb|. It returns one on + /// EVP_marshal_public_key marshals `key` as a DER-encoded SubjectPublicKeyInfo + /// structure (RFC 5280) and appends the result to `cbb`. It returns one on /// success and zero on error. int EVP_marshal_public_key(ffi.Pointer cbb, ffi.Pointer key) { return _EVP_marshal_public_key(cbb, key); @@ -2408,13 +2452,13 @@ class BoringSsl { >(); /// EVP_parse_private_key decodes a DER-encoded PrivateKeyInfo structure (RFC - /// 5208) from |cbs| and advances |cbs|. It returns a newly-allocated |EVP_PKEY| + /// 5208) from `cbs` and advances `cbs`. It returns a newly-allocated `EVP_PKEY` /// or NULL on error. /// - /// Prefer |EVP_PKEY_from_private_key_info| instead. This function has + /// Prefer `EVP_PKEY_from_private_key_info` instead. This function has /// several pitfalls: /// - /// Callers are expected to handle trailing data returned from |cbs|, making more + /// Callers are expected to handle trailing data returned from `cbs`, making more /// common cases error-prone. /// /// There is also no way to pass in supported algorithms. This function instead 
@@ -2427,7 +2471,7 @@ class BoringSsl { /// it is suitable and validate other desired key properties such as RSA modulus /// size or EC curve. In particular, RSA private key operations scale cubicly, so /// applications accepting RSA private keys from external sources may need to - /// bound key sizes (use |EVP_PKEY_bits| or |RSA_bits|) to avoid a DoS vector. + /// bound key sizes (use `EVP_PKEY_bits` or `RSA_bits`) to avoid a DoS vector. /// /// A PrivateKeyInfo ends with an optional set of attributes. These are silently /// ignored. @@ -2445,13 +2489,13 @@ class BoringSsl { >(); /// EVP_parse_public_key decodes a DER-encoded SubjectPublicKeyInfo structure - /// (RFC 5280) from |cbs| and advances |cbs|. It returns a newly-allocated - /// |EVP_PKEY| or NULL on error. + /// (RFC 5280) from `cbs` and advances `cbs`. It returns a newly-allocated + /// `EVP_PKEY` or NULL on error. /// - /// Prefer |EVP_PKEY_from_subject_public_key_info| instead. This function has + /// Prefer `EVP_PKEY_from_subject_public_key_info` instead. This function has /// several pitfalls: /// - /// Callers are expected to handle trailing data returned from |cbs|, making more + /// Callers are expected to handle trailing data returned from `cbs`, making more /// common cases error-prone. /// /// There is also no way to pass in supported algorithms. This function instead @@ -2513,8 +2557,8 @@ class BoringSsl { _EVP_sha512Ptr.asFunction Function()>(); /// HKDF computes HKDF (as specified by RFC 5869) of initial keying material - /// |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes - /// to |out_key|. It returns one on success and zero on error. + /// `secret` with `salt` and `info` using `digest`, and outputs `out_len` bytes + /// to `out_key`. It returns one on success and zero on error. /// /// HKDF is an Extract-and-Expand algorithm. It does not do any key stretching, /// and as such, is not suited to be used alone to generate a key from a 
@@ -2574,7 +2618,7 @@ class BoringSsl { ) >(); - /// HMAC_CTX_free calls |HMAC_CTX_cleanup| and then frees |ctx| itself. + /// HMAC_CTX_free calls `HMAC_CTX_cleanup` and then frees `ctx` itself. void HMAC_CTX_free(ffi.Pointer ctx) { return _HMAC_CTX_free(ctx); } @@ -2586,8 +2630,8 @@ class BoringSsl { late final _HMAC_CTX_free = _HMAC_CTX_freePtr.asFunction)>(); - /// HMAC_CTX_new allocates and initialises a new |HMAC_CTX| and returns it, or - /// NULL on allocation failure. The caller must use |HMAC_CTX_free| to release + /// HMAC_CTX_new allocates and initialises a new `HMAC_CTX` and returns it, or + /// NULL on allocation failure. The caller must use `HMAC_CTX_free` to release /// the resulting object. ffi.Pointer HMAC_CTX_new() { return _HMAC_CTX_new(); @@ -2600,10 +2644,10 @@ class BoringSsl { late final _HMAC_CTX_new = _HMAC_CTX_newPtr.asFunction Function()>(); - /// HMAC_Final completes the HMAC operation in |ctx| and writes the result to - /// |out|. If |out_len| is not |NULL| then it writes the length of the result to - /// |*out_len|. On entry, |out| must contain at least |HMAC_size| bytes of - /// space. An output size of |EVP_MAX_MD_SIZE| will always be large enough. It + /// HMAC_Final completes the HMAC operation in `ctx` and writes the result to + /// `out`. If `out_len` is not `NULL` then it writes the length of the result to + /// `*out_len`. On entry, `out` must contain at least `HMAC_size` bytes of + /// space. An output size of `EVP_MAX_MD_SIZE` will always be large enough. It /// returns one on success or zero on allocation failure. int HMAC_Final( ffi.Pointer ctx, 
@@ -2632,14 +2676,14 @@ class BoringSsl { ) >(); - /// HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash - /// function and |key| as the key. For a non-initial call, |md| may be NULL, in + /// HMAC_Init_ex sets up an initialised `HMAC_CTX` to use `md` as the hash + /// function and `key` as the key. For a non-initial call, `md` may be NULL, in /// which case the previous hash function will be used. If the hash function has - /// not changed and |key| is NULL, |ctx| reuses the previous key. It returns one + /// not changed and `key` is NULL, `ctx` reuses the previous key. It returns one /// on success or zero on allocation failure. /// /// WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL - /// |key| but repeating the previous |md| reuses the previous key rather than the + /// `key` but repeating the previous `md` reuses the previous key rather than the /// empty key. int HMAC_Init_ex( ffi.Pointer ctx, @@ -2674,8 +2718,8 @@ class BoringSsl { ) >(); - /// HMAC_Update hashes |data_len| bytes from |data| into the current HMAC - /// operation in |ctx|. It returns one. + /// HMAC_Update hashes `data_len` bytes from `data` into the current HMAC + /// operation in `ctx`. It returns one. int HMAC_Update( ffi.Pointer ctx, ffi.Pointer data, @@ -2700,7 +2744,7 @@ class BoringSsl { >(); /// HMAC_size returns the size, in bytes, of the HMAC that will be produced by - /// |ctx|. On entry, |ctx| must have been setup with |HMAC_Init_ex|. + /// `ctx`. On entry, `ctx` must have been setup with `HMAC_Init_ex`. int HMAC_size(ffi.Pointer ctx) { return _HMAC_size(ctx); } 
@@ -2712,9 +2756,9 @@ class BoringSsl { late final _HMAC_size = _HMAC_sizePtr.asFunction)>(); - /// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the - /// memory allocated at |ptr| and frees it along with the private data. - /// It must only be used on on |ptr| values obtained from |OPENSSL_malloc| + /// OPENSSL_free does nothing if `ptr` is NULL. Otherwise it zeros out the + /// memory allocated at `ptr` and frees it along with the private data. + /// It must only be used on on `ptr` values obtained from `OPENSSL_malloc` void OPENSSL_free(ffi.Pointer ptr) { return _OPENSSL_free(ptr); } @@ -2726,10 +2770,10 @@ class BoringSsl { late final _OPENSSL_free = _OPENSSL_freePtr.asFunction)>(); - /// OPENSSL_malloc is similar to a regular |malloc|, but allocates additional - /// private data. The resulting pointer must be freed with |OPENSSL_free|. In - /// the case of a malloc failure, prior to returning NULL |OPENSSL_malloc| will - /// push |ERR_R_MALLOC_FAILURE| onto the openssl error stack. + /// OPENSSL_malloc is similar to a regular `malloc`, but allocates additional + /// private data. The resulting pointer must be freed with `OPENSSL_free`. In + /// the case of a malloc failure, prior to returning NULL `OPENSSL_malloc` will + /// push `ERR_R_MALLOC_FAILURE` onto the openssl error stack. ffi.Pointer OPENSSL_malloc(int size) { return _OPENSSL_malloc(size); } @@ -2741,9 +2785,9 @@ class BoringSsl { late final _OPENSSL_malloc = _OPENSSL_mallocPtr.asFunction Function(int)>(); - /// OPENSSL_memdup returns an allocated, duplicate of |size| bytes from |data| or + /// OPENSSL_memdup returns an allocated, duplicate of `size` bytes from `data` or /// NULL on allocation failure. The memory allocated must be freed with - /// |OPENSSL_free|. + /// `OPENSSL_free`. ffi.Pointer OPENSSL_memdup(ffi.Pointer data, int size) { return _OPENSSL_memdup(data, size); } 
@@ -2759,8 +2803,8 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer, int) >(); - /// PKCS5_PBKDF2_HMAC computes |iterations| iterations of PBKDF2 of |password| - /// and |salt|, using |digest|, and outputs |key_len| bytes to |out_key|. It + /// PKCS5_PBKDF2_HMAC computes `iterations` iterations of PBKDF2 of `password` + /// and `salt`, using `digest`, and outputs `key_len` bytes to `out_key`. It /// returns one on success and zero on allocation failure or if iterations is 0. int PKCS5_PBKDF2_HMAC( ffi.Pointer password, @@ -2813,8 +2857,8 @@ class BoringSsl { ) >(); - /// RAND_bytes writes |len| bytes of random data to |buf| and returns one. In the - /// event that sufficient random data can not be obtained, |abort| is called. + /// RAND_bytes writes `len` bytes of random data to `buf` and returns one. In the + /// event that sufficient random data can not be obtained, `abort` is called. int RAND_bytes(ffi.Pointer buf, int len) { return _RAND_bytes(buf, len); } @@ -2826,8 +2870,8 @@ class BoringSsl { late final _RAND_bytes = _RAND_bytesPtr.asFunction, int)>(); - /// RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from - /// |rsa| into it. It returns the fresh |RSA| object, or NULL on error. + /// RSAPublicKey_dup allocates a fresh `RSA` and copies the public key from + /// `rsa` into it. It returns the fresh `RSA` object, or NULL on error. ffi.Pointer RSAPublicKey_dup(ffi.Pointer rsa) { return _RSAPublicKey_dup(rsa); } @@ -2841,7 +2885,7 @@ class BoringSsl { ffi.Pointer Function(ffi.Pointer) >(); - /// RSA_check_key performs basic validity tests on |rsa|. It returns one if + /// RSA_check_key performs basic validity tests on `rsa`. It returns one if /// they pass and zero otherwise. Opaque keys and public keys always pass. If it /// returns zero then a more detailed error is available on the error queue. int RSA_check_key(ffi.Pointer rsa) { 
@@ -2855,7 +2899,7 @@ class BoringSsl { late final _RSA_check_key = _RSA_check_keyPtr.asFunction)>(); - /// RSA_free decrements the reference count of |rsa| and frees it if the + /// RSA_free decrements the reference count of `rsa` and frees it if the /// reference count drops to zero. void RSA_free(ffi.Pointer rsa) { return _RSA_free(rsa); @@ -2869,11 +2913,11 @@ class BoringSsl { _RSA_freePtr.asFunction)>(); /// RSA_generate_key_ex generates a new RSA key where the modulus has size - /// |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value - /// for |e|. If |cb| is not NULL then it is called during the key generation - /// process. In addition to the calls documented for |BN_generate_prime_ex|, it + /// `bits` and the public exponent is `e`. If unsure, `RSA_F4` is a good value + /// for `e`. If `cb` is not NULL then it is called during the key generation + /// process. In addition to the calls documented for `BN_generate_prime_ex`, it /// is called with event=2 when the n'th prime is rejected as unsuitable and - /// with event=3 when a suitable value for |p| is found. + /// with event=3 when a suitable value for `p` is found. /// /// It returns one on success or zero on error. int RSA_generate_key_ex( @@ -2906,9 +2950,9 @@ class BoringSsl { ) >(); - /// RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if - /// non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and - /// q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be + /// RSA_get0_crt_params sets `*out_dmp1`, `*out_dmq1`, and `*out_iqmp`, if + /// non-NULL, to `rsa`'s CRT parameters. These are d (mod p-1), d (mod q-1) and + /// q^-1 (mod p), respectively. If `rsa` is a public key, each parameter will be /// set to NULL. void RSA_get0_crt_params( ffi.Pointer rsa, 
@@ -2940,8 +2984,8 @@ class BoringSsl { ) >(); - /// RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime - /// factors. If |rsa| is a public key, they will be set to NULL. + /// RSA_get0_factors sets `*out_p` and `*out_q`, if non-NULL, to `rsa`'s prime + /// factors. If `rsa` is a public key, they will be set to NULL. void RSA_get0_factors( ffi.Pointer rsa, ffi.Pointer> out_p, @@ -2969,8 +3013,8 @@ class BoringSsl { ) >(); - /// RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s - /// modulus, public exponent, and private exponent, respectively. If |rsa| is a + /// RSA_get0_key sets `*out_n`, `*out_e`, and `*out_d`, if non-NULL, to `rsa`'s + /// modulus, public exponent, and private exponent, respectively. If `rsa` is a /// public key, the private exponent will be set to NULL. void RSA_get0_key( ffi.Pointer rsa, @@ -3002,8 +3046,8 @@ class BoringSsl { ) >(); - /// RSA_new returns a new, empty |RSA| object or NULL on error. Prefer using - /// |RSA_new_public_key| or |RSA_new_private_key| to import an RSA key. + /// RSA_new returns a new, empty `RSA` object or NULL on error. Prefer using + /// `RSA_new_public_key` or `RSA_new_private_key` to import an RSA key. ffi.Pointer RSA_new() { return _RSA_new(); } 
@@ -3012,14 +3056,14 @@ class BoringSsl { _lookup Function()>>('RSA_new'); late final _RSA_new = _RSA_newPtr.asFunction Function()>(); - /// RSA_set0_crt_params sets |rsa|'s CRT parameters to |dmp1|, |dmq1|, and - /// |iqmp|, if non-NULL, and takes ownership of them. On success, it takes + /// RSA_set0_crt_params sets `rsa`'s CRT parameters to `dmp1`, `dmq1`, and + /// `iqmp`, if non-NULL, and takes ownership of them. On success, it takes /// ownership of its parameters and returns one. Otherwise, it returns zero. /// - /// Each argument must either be non-NULL or already configured on |rsa|. + /// Each argument must either be non-NULL or already configured on `rsa`. /// - /// It is an error to call this function after |rsa| has been used for a - /// cryptographic operation. Construct a new |RSA| object instead. + /// It is an error to call this function after `rsa` has been used for a + /// cryptographic operation. Construct a new `RSA` object instead. int RSA_set0_crt_params( ffi.Pointer rsa, ffi.Pointer dmp1, @@ -3050,14 +3094,14 @@ class BoringSsl { ) >(); - /// RSA_set0_factors sets |rsa|'s prime factors to |p| and |q|, if non-NULL, and + /// RSA_set0_factors sets `rsa`'s prime factors to `p` and `q`, if non-NULL, and /// takes ownership of them. On success, it takes ownership of each argument and /// returns one. Otherwise, it returns zero. /// - /// Each argument must either be non-NULL or already configured on |rsa|. + /// Each argument must either be non-NULL or already configured on `rsa`. /// - /// It is an error to call this function after |rsa| has been used for a - /// cryptographic operation. Construct a new |RSA| object instead. + /// It is an error to call this function after `rsa` has been used for a + /// cryptographic operation. Construct a new `RSA` object instead. int RSA_set0_factors( ffi.Pointer rsa, ffi.Pointer p, 
@@ -3081,15 +3125,15 @@ class BoringSsl { int Function(ffi.Pointer, ffi.Pointer, ffi.Pointer) >(); - /// RSA_set0_key sets |rsa|'s modulus, public exponent, and private exponent to - /// |n|, |e|, and |d| respectively, if non-NULL. On success, it takes ownership + /// RSA_set0_key sets `rsa`'s modulus, public exponent, and private exponent to + /// `n`, `e`, and `d` respectively, if non-NULL. On success, it takes ownership /// of each argument and returns one. Otherwise, it returns zero. /// - /// |d| may be NULL, but |n| and |e| must either be non-NULL or already - /// configured on |rsa|. + /// `d` may be NULL, but `n` and `e` must either be non-NULL or already + /// configured on `rsa`. /// - /// It is an error to call this function after |rsa| has been used for a - /// cryptographic operation. Construct a new |RSA| object instead. + /// It is an error to call this function after `rsa` has been used for a + /// cryptographic operation. Construct a new `RSA` object instead. int RSA_set0_key( ffi.Pointer rsa, ffi.Pointer n, 
@@ -3194,28 +3238,28 @@ final class bignum_ctx extends ffi.Opaque {} /// Private functions final class bignum_st extends ffi.Struct { - /// d is a pointer to an array of |width| |BN_BITS2|-bit chunks in + /// d is a pointer to an array of `width` `BN_BITS2`-bit chunks in /// little-endian order. This stores the absolute value of the number. external ffi.Pointer d; - /// width is the number of elements of |d| which are valid. This value is not - /// necessarily minimal; the most-significant words of |d| may be zero. - /// |width| determines a potentially loose upper-bound on the absolute value - /// of the |BIGNUM|. + /// width is the number of elements of `d` which are valid. This value is not + /// necessarily minimal; the most-significant words of `d` may be zero. + /// `width` determines a potentially loose upper-bound on the absolute value + /// of the `BIGNUM`. /// - /// Functions taking |BIGNUM| inputs must compute the same answer for all - /// possible widths. |bn_minimal_width|, |bn_set_minimal_width|, and other + /// Functions taking `BIGNUM` inputs must compute the same answer for all + /// possible widths. `bn_minimal_width`, `bn_set_minimal_width`, and other /// helpers may be used to recover the minimal width, provided it is not /// secret. If it is secret, use a different algorithm. Functions may output - /// minimal or non-minimal |BIGNUM|s depending on secrecy requirements, but + /// minimal or non-minimal `BIGNUM`s depending on secrecy requirements, but /// those which cause widths to unboundedly grow beyond the minimal value /// should be documented such. /// - /// Note this is different from historical |BIGNUM| semantics. + /// Note this is different from historical `BIGNUM` semantics. @ffi.Int() external int width; - /// dmax is number of elements of |d| which are allocated. + /// dmax is number of elements of `d` which are allocated. @ffi.Int() external int dmax; 
@@ -3223,17 +3267,17 @@ final class bignum_st extends ffi.Struct { @ffi.Int() external int neg; - /// flags is a bitmask of |BN_FLG_*| values + /// flags is a bitmask of `BN_FLG_*` values @ffi.Int() external int flags; } -/// bn_gencb_st, or |BN_GENCB|, holds a callback function that is used by +/// bn_gencb_st, or `BN_GENCB`, holds a callback function that is used by /// generation functions that can take a very long time to complete. Use -/// |BN_GENCB_set| to initialise a |BN_GENCB| structure. +/// `BN_GENCB_set` to initialise a `BN_GENCB` structure. /// -/// The callback receives the address of that |BN_GENCB| structure as its last -/// argument and the user is free to put an arbitrary pointer in |arg|. The other +/// The callback receives the address of that `BN_GENCB` structure as its last +/// argument and the user is free to put an arbitrary pointer in `arg`. The other /// arguments are set as follows: /// - event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime /// number. 
@@ -3250,18 +3294,18 @@ final class bn_gencb_st extends ffi.Opaque {} /// CRYPTO ByteBuilder. /// -/// |CBB| objects allow one to build length-prefixed serialisations. A |CBB| +/// `CBB` objects allow one to build length-prefixed serialisations. A `CBB` /// object is associated with a buffer and new buffers are created with -/// |CBB_init|. Several |CBB| objects can point at the same buffer when a -/// length-prefix is pending, however only a single |CBB| can be 'current' at -/// any one time. For example, if one calls |CBB_add_u8_length_prefixed| then -/// the new |CBB| points at the same buffer as the original. But if the original -/// |CBB| is used then the length prefix is written out and the new |CBB| must +/// `CBB_init`. Several `CBB` objects can point at the same buffer when a +/// length-prefix is pending, however only a single `CBB` can be 'current' at +/// any one time. For example, if one calls `CBB_add_u8_length_prefixed` then +/// the new `CBB` points at the same buffer as the original. But if the original +/// `CBB` is used then the length prefix is written out and the new `CBB` must /// not be used again. /// -/// If one needs to force a length prefix to be written out because a |CBB| is -/// going out of scope, use |CBB_flush|. If an operation on a |CBB| fails, it is -/// in an undefined state and must not be used except to call |CBB_cleanup|. +/// If one needs to force a length prefix to be written out because a `CBB` is +/// going out of scope, use `CBB_flush`. If an operation on a `CBB` fails, it is +/// in an undefined state and must not be used except to call `CBB_cleanup`. final class cbb_buffer_st extends ffi.Opaque {} final class cbb_child_st extends ffi.Opaque {} 
@@ -3284,7 +3328,7 @@ final class ec_point_st extends ffi.Opaque {} /// Low-level signing and verification. /// -/// Low-level functions handle signatures as |ECDSA_SIG| structures which allow +/// Low-level functions handle signatures as `ECDSA_SIG` structures which allow /// the two values in an ECDSA signature to be handled separately. final class ecdsa_sig_st extends ffi.Struct { external ffi.Pointer r; @@ -3309,13 +3353,13 @@ final class env_md_ctx_st extends ffi.Struct { external ffi.Pointer pctx; /// pctx_ops, if not NULL, points to a vtable that contains functions to - /// manipulate |pctx|. + /// manipulate `pctx`. external ffi.Pointer pctx_ops; } final class env_md_st extends ffi.Opaque {} -/// An evp_aead_ctx_st (typedefed as |EVP_AEAD_CTX| in base.h) represents an AEAD +/// An evp_aead_ctx_st (typedefed as `EVP_AEAD_CTX` in base.h) represents an AEAD /// algorithm configured with a specific key and message-independent IV. final class evp_aead_ctx_st extends ffi.Struct { external ffi.Pointer aead; @@ -3346,11 +3390,11 @@ final class evp_cipher_ctx_st extends ffi.Struct { /// application stuff external ffi.Pointer app_data; - /// cipher_data points to the |cipher| specific state. + /// cipher_data points to the `cipher` specific state. external ffi.Pointer cipher_data; /// key_len contains the length of the key, which may differ from - /// |cipher->key_len| if the cipher can take a variable key length. + /// `cipher->key_len` if the cipher can take a variable key length. @ffi.UnsignedInt() external int key_len; @@ -3358,7 +3402,7 @@ final class evp_cipher_ctx_st extends ffi.Struct { @ffi.Int() external int encrypt; - /// flags contains the OR of zero or more |EVP_CIPH_*| flags, above. + /// flags contains the OR of zero or more `EVP_CIPH_*` flags, above. @ffi.Uint32() external int flags; 
@@ -3376,16 +3420,16 @@ final class evp_cipher_ctx_st extends ffi.Struct { external ffi.Array buf; /// buf_len contains the number of bytes of a partial block contained in - /// |buf|. + /// `buf`. @ffi.Int() external int buf_len; - /// num contains the number of bytes of |iv| which are valid for modes that + /// num contains the number of bytes of `iv` which are valid for modes that /// manage partial blocks themselves. @ffi.UnsignedInt() external int num; - /// final_used is non-zero if the |final| buffer contains plaintext. + /// final_used is non-zero if the `final` buffer contains plaintext. @ffi.Int() external int final_used; diff --git a/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-apple.S b/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-apple.S index eb2ac3bd..cef98f84 100644 --- a/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-apple.S @@ -5,7 +5,9 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .section __DATA,__const + .p2align 4 +aes_gcm_avx2_constants: L$bswap_mask: @@ -153,6 +155,7 @@ _CET_ENDBR .private_extern _gcm_gmult_vpclmulqdq_avx2 .p2align 5 +.alt_entry _gcm_gmult_vpclmulqdq_avx2 _gcm_gmult_vpclmulqdq_avx2: @@ -193,6 +196,7 @@ _CET_ENDBR .private_extern _gcm_ghash_vpclmulqdq_avx2 .p2align 5 +.alt_entry _gcm_ghash_vpclmulqdq_avx2 _gcm_ghash_vpclmulqdq_avx2: @@ -363,6 +367,7 @@ L$ghash_done: .private_extern _aes_gcm_enc_update_vaes_avx2 .p2align 5 +.alt_entry _aes_gcm_enc_update_vaes_avx2 _aes_gcm_enc_update_vaes_avx2: @@ -901,6 +906,7 @@ L$done__func1: .private_extern _aes_gcm_dec_update_vaes_avx2 .p2align 5 +.alt_entry _aes_gcm_dec_update_vaes_avx2 _aes_gcm_dec_update_vaes_avx2: diff --git a/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-linux.S b/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-linux.S index 018397a1..fa47e2ed 100644 --- a/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-linux.S 
+++ b/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-linux.S @@ -5,7 +5,9 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .section .rodata + .align 16 +aes_gcm_avx2_constants: .Lbswap_mask: diff --git a/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-win.asm b/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-win.asm index 41104322..b50aba74 100644 --- a/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-win.asm +++ b/third_party/boringssl/gen/bcm/aes-gcm-avx2-x86_64-win.asm @@ -12,7 +12,9 @@ default rel %include "boringssl_prefix_symbols_internal_x86_64_win_asm.inc" %endif section .rdata rdata align=8 + ALIGN 16 +aes_gcm_avx2_constants: $L$bswap_mask: diff --git a/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-apple.S b/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-apple.S index 874ec0a4..5d0b391b 100644 --- a/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-apple.S @@ -5,7 +5,9 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__APPLE__) .section __DATA,__const + .p2align 6 +aes_gcm_avx512_constants: L$bswap_mask: @@ -147,6 +149,7 @@ L$precompute_next: .private_extern _gcm_gmult_vpclmulqdq_avx512 .p2align 5 +.alt_entry _gcm_gmult_vpclmulqdq_avx512 _gcm_gmult_vpclmulqdq_avx512: @@ -185,6 +188,7 @@ _CET_ENDBR .private_extern _gcm_ghash_vpclmulqdq_avx512 .p2align 5 +.alt_entry _gcm_ghash_vpclmulqdq_avx512 _gcm_ghash_vpclmulqdq_avx512: @@ -345,6 +349,7 @@ L$aad_done: .private_extern _aes_gcm_enc_update_vaes_avx512 .p2align 5 +.alt_entry _aes_gcm_enc_update_vaes_avx512 _aes_gcm_enc_update_vaes_avx512: @@ -841,6 +846,7 @@ L$done__func1: .private_extern _aes_gcm_dec_update_vaes_avx512 .p2align 5 +.alt_entry _aes_gcm_dec_update_vaes_avx512 _aes_gcm_dec_update_vaes_avx512: diff --git a/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-linux.S b/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-linux.S index bec5e883..d4f1232b 100644 
--- a/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-linux.S +++ b/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-linux.S @@ -5,7 +5,9 @@ #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) && defined(__ELF__) .section .rodata + .align 64 +aes_gcm_avx512_constants: .Lbswap_mask: diff --git a/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-win.asm b/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-win.asm index 34f4a4f6..76737918 100644 --- a/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-win.asm +++ b/third_party/boringssl/gen/bcm/aes-gcm-avx512-x86_64-win.asm @@ -12,7 +12,9 @@ default rel %include "boringssl_prefix_symbols_internal_x86_64_win_asm.inc" %endif section .rdata rdata align=8 + ALIGN 64 +aes_gcm_avx512_constants: $L$bswap_mask: diff --git a/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-apple.S b/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-apple.S index e1247bc8..d4a9af16 100644 --- a/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-apple.S @@ -343,6 +343,7 @@ L$6x_done: .private_extern _aesni_gcm_decrypt .p2align 5 +.alt_entry _aesni_gcm_decrypt _aesni_gcm_decrypt: @@ -465,6 +466,7 @@ L$gcm_dec_abort: .p2align 5 +.alt_entry _aesni_ctr32_6x _aesni_ctr32_6x: vmovdqu 0-128(%rcx),%xmm4 @@ -560,6 +562,7 @@ L$handle_ctr32_2: .private_extern _aesni_gcm_encrypt .p2align 5 +.alt_entry _aesni_gcm_encrypt _aesni_gcm_encrypt: @@ -851,7 +854,9 @@ L$gcm_enc_abort: .section __DATA,__const + .p2align 6 +aesni_gcm_constants: L$bswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 L$poly: diff --git a/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-linux.S b/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-linux.S index 774a8d12..c4224116 100644 --- a/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-linux.S +++ b/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-linux.S 
@@ -866,7 +866,9 @@ _CET_ENDBR .cfi_endproc .size aesni_gcm_encrypt,.-aesni_gcm_encrypt .section .rodata + .align 64 +aesni_gcm_constants: .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 .Lpoly: diff --git a/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-win.asm b/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-win.asm index 3f7241ad..73a19f4c 100644 --- a/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-win.asm +++ b/third_party/boringssl/gen/bcm/aesni-gcm-x86_64-win.asm @@ -949,7 +949,9 @@ $L$SEH_end_aesni_gcm_encrypt_23: section .rdata rdata align=8 + ALIGN 64 +aesni_gcm_constants: $L$bswap_mask: DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 $L$poly: diff --git a/third_party/boringssl/gen/bcm/aesni-x86_64-apple.S b/third_party/boringssl/gen/bcm/aesni-x86_64-apple.S index 958cc5a2..00ba5038 100644 --- a/third_party/boringssl/gen/bcm/aesni-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/aesni-x86_64-apple.S @@ -41,6 +41,7 @@ L$oop_enc1_1: .private_extern _aes_hw_decrypt .p2align 4 +.alt_entry _aes_hw_decrypt _aes_hw_decrypt: _CET_ENDBR @@ -66,6 +67,7 @@ L$oop_dec1_2: .p2align 4 +.alt_entry _aesni_encrypt2 _aesni_encrypt2: movups (%rcx),%xmm0 @@ -97,6 +99,7 @@ L$enc_loop2: .p2align 4 +.alt_entry _aesni_decrypt2 _aesni_decrypt2: movups (%rcx),%xmm0 @@ -128,6 +131,7 @@ L$dec_loop2: .p2align 4 +.alt_entry _aesni_encrypt3 _aesni_encrypt3: movups (%rcx),%xmm0 @@ -164,6 +168,7 @@ L$enc_loop3: .p2align 4 +.alt_entry _aesni_decrypt3 _aesni_decrypt3: movups (%rcx),%xmm0 @@ -200,6 +205,7 @@ L$dec_loop3: .p2align 4 +.alt_entry _aesni_encrypt4 _aesni_encrypt4: movups (%rcx),%xmm0 @@ -242,6 +248,7 @@ L$enc_loop4: .p2align 4 +.alt_entry _aesni_decrypt4 _aesni_decrypt4: movups (%rcx),%xmm0 @@ -284,6 +291,7 @@ L$dec_loop4: .p2align 4 +.alt_entry _aesni_encrypt6 _aesni_encrypt6: movups (%rcx),%xmm0 @@ -340,6 +348,7 @@ L$enc_loop6_enter: .p2align 4 +.alt_entry _aesni_decrypt6 _aesni_decrypt6: movups (%rcx),%xmm0 
@@ -396,6 +405,7 @@ L$dec_loop6_enter: .p2align 4 +.alt_entry _aesni_encrypt8 _aesni_encrypt8: movups (%rcx),%xmm0 @@ -462,6 +472,7 @@ L$enc_loop8_enter: .p2align 4 +.alt_entry _aesni_decrypt8 _aesni_decrypt8: movups (%rcx),%xmm0 @@ -530,6 +541,7 @@ L$dec_loop8_enter: .private_extern _aes_hw_ecb_encrypt .p2align 4 +.alt_entry _aes_hw_ecb_encrypt _aes_hw_ecb_encrypt: _CET_ENDBR @@ -876,6 +888,7 @@ L$ecb_ret: .private_extern _aes_hw_ctr32_encrypt_blocks .p2align 4 +.alt_entry _aes_hw_ctr32_encrypt_blocks _aes_hw_ctr32_encrypt_blocks: _CET_ENDBR @@ -1365,6 +1378,7 @@ L$ctr32_epilogue: .private_extern _aes_hw_cbc_encrypt .p2align 4 +.alt_entry _aes_hw_cbc_encrypt _aes_hw_cbc_encrypt: _CET_ENDBR @@ -1908,6 +1922,7 @@ L$cbc_ret: .private_extern _aes_hw_encrypt_key_to_decrypt_key .p2align 4 +.alt_entry _aes_hw_encrypt_key_to_decrypt_key _aes_hw_encrypt_key_to_decrypt_key: _CET_ENDBR @@ -1948,6 +1963,7 @@ L$dec_key_inverse: .private_extern _aes_hw_set_encrypt_key_base .p2align 4 +.alt_entry _aes_hw_set_encrypt_key_base _aes_hw_set_encrypt_key_base: @@ -2164,6 +2180,7 @@ L$key_expansion_256b: .private_extern _aes_hw_set_encrypt_key_alt .p2align 4 +.alt_entry _aes_hw_set_encrypt_key_alt _aes_hw_set_encrypt_key_alt: @@ -2368,7 +2385,9 @@ L$enc_key_ret_alt: .section __DATA,__const + .p2align 6 +aesni_constants: L$bswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 L$increment32: diff --git a/third_party/boringssl/gen/bcm/aesni-x86_64-linux.S b/third_party/boringssl/gen/bcm/aesni-x86_64-linux.S index 4bce582c..a5d92e6c 100644 --- a/third_party/boringssl/gen/bcm/aesni-x86_64-linux.S +++ b/third_party/boringssl/gen/bcm/aesni-x86_64-linux.S @@ -2369,7 +2369,9 @@ _CET_ENDBR .size aes_hw_set_encrypt_key_alt,.-aes_hw_set_encrypt_key_alt .section .rodata + .align 64 +aesni_constants: .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 .Lincrement32: 
diff --git a/third_party/boringssl/gen/bcm/aesni-x86_64-win.asm b/third_party/boringssl/gen/bcm/aesni-x86_64-win.asm index e7a8613a..69d6835e 100644 --- a/third_party/boringssl/gen/bcm/aesni-x86_64-win.asm +++ b/third_party/boringssl/gen/bcm/aesni-x86_64-win.asm @@ -2472,7 +2472,9 @@ $L$enc_key_ret_alt: $L$SEH_end_aes_hw_set_encrypt_key_alt_4: section .rdata rdata align=8 + ALIGN 64 +aesni_constants: $L$bswap_mask: DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 $L$increment32: diff --git a/third_party/boringssl/gen/bcm/aesv8-armv7-linux.S b/third_party/boringssl/gen/bcm/aesv8-armv7-linux.S index 2b3929a1..da6549f7 100644 --- a/third_party/boringssl/gen/bcm/aesv8-armv7-linux.S +++ b/third_party/boringssl/gen/bcm/aesv8-armv7-linux.S @@ -10,7 +10,9 @@ .fpu neon .code 32 #undef __thumb2__ + .align 5 +aes_hw_constants: .Lrcon: .long 0x01,0x01,0x01,0x01 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d @ rotate-n-splat diff --git a/third_party/boringssl/gen/bcm/aesv8-armv8-apple.S b/third_party/boringssl/gen/bcm/aesv8-armv8-apple.S index e34778be..89acb238 100644 --- a/third_party/boringssl/gen/bcm/aesv8-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/aesv8-armv8-apple.S @@ -9,7 +9,9 @@ .arch_extension crypto .section __TEXT,__const + .align 5 +aes_hw_constants: Lrcon: .long 0x01,0x01,0x01,0x01 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat @@ -187,6 +189,7 @@ Lenc_key_abort: .private_extern _aes_hw_set_decrypt_key .align 5 +.alt_entry _aes_hw_set_decrypt_key _aes_hw_set_decrypt_key: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! @@ -229,6 +232,7 @@ Ldec_key_abort: .private_extern _aes_hw_encrypt .align 5 +.alt_entry _aes_hw_encrypt _aes_hw_encrypt: AARCH64_VALID_CALL_TARGET ldr w3,[x2,#240] @@ -260,6 +264,7 @@ Loop_enc: .private_extern _aes_hw_decrypt .align 5 +.alt_entry _aes_hw_decrypt _aes_hw_decrypt: AARCH64_VALID_CALL_TARGET ldr w3,[x2,#240] 
@@ -291,6 +296,7 @@ Loop_dec: .private_extern _aes_hw_cbc_encrypt .align 5 +.alt_entry _aes_hw_cbc_encrypt _aes_hw_cbc_encrypt: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET @@ -584,6 +590,7 @@ Lcbc_abort: .private_extern _aes_hw_ctr32_encrypt_blocks .align 5 +.alt_entry _aes_hw_ctr32_encrypt_blocks _aes_hw_ctr32_encrypt_blocks: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET diff --git a/third_party/boringssl/gen/bcm/aesv8-armv8-linux.S b/third_party/boringssl/gen/bcm/aesv8-armv8-linux.S index cbf5c0a6..7d9b33f3 100644 --- a/third_party/boringssl/gen/bcm/aesv8-armv8-linux.S +++ b/third_party/boringssl/gen/bcm/aesv8-armv8-linux.S @@ -8,7 +8,9 @@ .text .arch armv8-a+crypto .section .rodata + .align 5 +aes_hw_constants: .Lrcon: .long 0x01,0x01,0x01,0x01 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat diff --git a/third_party/boringssl/gen/bcm/aesv8-armv8-win.S b/third_party/boringssl/gen/bcm/aesv8-armv8-win.S index 54bd1c51..5af113d5 100644 --- a/third_party/boringssl/gen/bcm/aesv8-armv8-win.S +++ b/third_party/boringssl/gen/bcm/aesv8-armv8-win.S @@ -8,7 +8,9 @@ .text .arch armv8-a+crypto .section .rodata + .align 5 +aes_hw_constants: Lrcon: .long 0x01,0x01,0x01,0x01 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat diff --git a/third_party/boringssl/gen/bcm/aesv8-gcm-armv8-apple.S b/third_party/boringssl/gen/bcm/aesv8-gcm-armv8-apple.S index 6a76daab..e28ae4cb 100644 --- a/third_party/boringssl/gen/bcm/aesv8-gcm-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/aesv8-gcm-armv8-apple.S @@ -747,6 +747,7 @@ Lenc_blocks_less_than_1: // Last partial block handling .private_extern _aes_gcm_dec_kernel .align 4 +.alt_entry _aes_gcm_dec_kernel _aes_gcm_dec_kernel: AARCH64_SIGN_LINK_REGISTER stp x29, x30, [sp, #-224]! 
@@ -1479,6 +1480,7 @@ Ldec_blocks_less_than_1: // blocks left <= 1 .private_extern _aes_gcm_enc_kernel_eor3 .align 4 +.alt_entry _aes_gcm_enc_kernel_eor3 _aes_gcm_enc_kernel_eor3: AARCH64_SIGN_LINK_REGISTER stp x29, x30, [sp, #-224]! @@ -2195,6 +2197,7 @@ Lenc_blocks_less_than_1_eor3: // Last partial block handling .private_extern _aes_gcm_dec_kernel_eor3 .align 4 +.alt_entry _aes_gcm_dec_kernel_eor3 _aes_gcm_dec_kernel_eor3: AARCH64_SIGN_LINK_REGISTER stp x29, x30, [sp, #-224]! diff --git a/third_party/boringssl/gen/bcm/armv8-mont-apple.S b/third_party/boringssl/gen/bcm/armv8-mont-apple.S index 5e9a8e91..2a156d56 100644 --- a/third_party/boringssl/gen/bcm/armv8-mont-apple.S +++ b/third_party/boringssl/gen/bcm/armv8-mont-apple.S @@ -13,9 +13,9 @@ _bn_mul_mont_words: AARCH64_SIGN_LINK_REGISTER tst x5,#7 - b.eq __bn_sqr8x_mont + b.eq Lsqr8x_mont tst x5,#3 - b.eq __bn_mul4x_mont + b.eq Lmul4x_mont Lmul_mont: stp x29,x30,[sp,#-64]! add x29,sp,#0 @@ -215,14 +215,13 @@ Lcond_copy: AARCH64_VALIDATE_LINK_REGISTER ret - .align 5 -__bn_sqr8x_mont: - // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to +Lsqr8x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lsqr8x_mont is jumped to // only from bn_mul_mont_words which has already signed the return address. cmp x1,x2 - b.ne __bn_mul4x_mont -Lsqr8x_mont: + b.ne Lmul4x_mont + stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -990,10 +989,9 @@ Lsqr8x_done: AARCH64_VALIDATE_LINK_REGISTER ret - .align 5 -__bn_mul4x_mont: - // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to +Lmul4x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lmul4x_mont is jumped to // only from bn_mul_mont_words or __bn_mul8x_mont which have already signed the // return address. stp x29,x30,[sp,#-128]! diff --git a/third_party/boringssl/gen/bcm/armv8-mont-linux.S b/third_party/boringssl/gen/bcm/armv8-mont-linux.S index de02424e..0ddc42aa 100644 
--- a/third_party/boringssl/gen/bcm/armv8-mont-linux.S +++ b/third_party/boringssl/gen/bcm/armv8-mont-linux.S @@ -13,9 +13,9 @@ bn_mul_mont_words: AARCH64_SIGN_LINK_REGISTER tst x5,#7 - b.eq __bn_sqr8x_mont + b.eq .Lsqr8x_mont tst x5,#3 - b.eq __bn_mul4x_mont + b.eq .Lmul4x_mont .Lmul_mont: stp x29,x30,[sp,#-64]! add x29,sp,#0 @@ -214,15 +214,14 @@ bn_mul_mont_words: ldr x29,[sp],#64 AARCH64_VALIDATE_LINK_REGISTER ret -.size bn_mul_mont_words,.-bn_mul_mont_words -.type __bn_sqr8x_mont,%function +.type .Lsqr8x_mont,%function .align 5 -__bn_sqr8x_mont: - // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to +.Lsqr8x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lsqr8x_mont is jumped to // only from bn_mul_mont_words which has already signed the return address. cmp x1,x2 - b.ne __bn_mul4x_mont -.Lsqr8x_mont: + b.ne .Lmul4x_mont + stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -989,11 +988,10 @@ __bn_sqr8x_mont: // x30 is popped earlier AARCH64_VALIDATE_LINK_REGISTER ret -.size __bn_sqr8x_mont,.-__bn_sqr8x_mont -.type __bn_mul4x_mont,%function +.type .Lmul4x_mont,%function .align 5 -__bn_mul4x_mont: - // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to +.Lmul4x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lmul4x_mont is jumped to // only from bn_mul_mont_words or __bn_mul8x_mont which have already signed the // return address. stp x29,x30,[sp,#-128]! @@ -1435,7 +1433,7 @@ __bn_mul4x_mont: // x30 is popped earlier AARCH64_VALIDATE_LINK_REGISTER ret -.size __bn_mul4x_mont,.-__bn_mul4x_mont +.size bn_mul_mont_words,.-bn_mul_mont_words .byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 2 .align 4 
diff --git a/third_party/boringssl/gen/bcm/armv8-mont-win.S b/third_party/boringssl/gen/bcm/armv8-mont-win.S index adfdba44..798ab5c3 100644 --- a/third_party/boringssl/gen/bcm/armv8-mont-win.S +++ b/third_party/boringssl/gen/bcm/armv8-mont-win.S @@ -15,9 +15,9 @@ bn_mul_mont_words: AARCH64_SIGN_LINK_REGISTER tst x5,#7 - b.eq __bn_sqr8x_mont + b.eq Lsqr8x_mont tst x5,#3 - b.eq __bn_mul4x_mont + b.eq Lmul4x_mont Lmul_mont: stp x29,x30,[sp,#-64]! add x29,sp,#0 @@ -216,17 +216,16 @@ Lcond_copy: ldr x29,[sp],#64 AARCH64_VALIDATE_LINK_REGISTER ret - -.def __bn_sqr8x_mont +.def Lsqr8x_mont .type 32 .endef .align 5 -__bn_sqr8x_mont: - // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_sqr8x_mont is jumped to +Lsqr8x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lsqr8x_mont is jumped to // only from bn_mul_mont_words which has already signed the return address. cmp x1,x2 - b.ne __bn_mul4x_mont -Lsqr8x_mont: + b.ne Lmul4x_mont + stp x29,x30,[sp,#-128]! add x29,sp,#0 stp x19,x20,[sp,#16] @@ -993,13 +992,12 @@ Lsqr8x_done: // x30 is popped earlier AARCH64_VALIDATE_LINK_REGISTER ret - -.def __bn_mul4x_mont +.def Lmul4x_mont .type 32 .endef .align 5 -__bn_mul4x_mont: - // Not adding AARCH64_SIGN_LINK_REGISTER here because __bn_mul4x_mont is jumped to +Lmul4x_mont: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lmul4x_mont is jumped to // only from bn_mul_mont_words or __bn_mul8x_mont which have already signed the // return address. stp x29,x30,[sp,#-128]! diff --git a/third_party/boringssl/gen/bcm/bn-armv8-apple.S b/third_party/boringssl/gen/bcm/bn-armv8-apple.S index d37c48e8..7e02b1a5 100644 --- a/third_party/boringssl/gen/bcm/bn-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/bn-armv8-apple.S @@ -51,6 +51,7 @@ Ladd_exit: .globl _bn_sub_words .private_extern _bn_sub_words .align 4 +.alt_entry _bn_sub_words _bn_sub_words: AARCH64_VALID_CALL_TARGET # Set the carry flag. Arm's borrow bit is flipped from the carry flag, 
diff --git a/third_party/boringssl/gen/bcm/ghash-neon-armv8-apple.S b/third_party/boringssl/gen/bcm/ghash-neon-armv8-apple.S index 15b822c0..61ff561b 100644 --- a/third_party/boringssl/gen/bcm/ghash-neon-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/ghash-neon-armv8-apple.S @@ -36,6 +36,7 @@ _gcm_init_neon: .private_extern _gcm_gmult_neon .align 4 +.alt_entry _gcm_gmult_neon _gcm_gmult_neon: AARCH64_VALID_CALL_TARGET ld1 {v3.16b}, [x0] // load Xi @@ -56,6 +57,7 @@ _gcm_gmult_neon: .private_extern _gcm_ghash_neon .align 4 +.alt_entry _gcm_ghash_neon _gcm_ghash_neon: AARCH64_VALID_CALL_TARGET ld1 {v0.16b}, [x0] // load Xi @@ -321,7 +323,9 @@ Lgmult_neon: .section __TEXT,__const + .align 4 +ghash_neon_masks: Lmasks: .quad 0x0000ffffffffffff // k48 .quad 0x00000000ffffffff // k32 diff --git a/third_party/boringssl/gen/bcm/ghash-neon-armv8-linux.S b/third_party/boringssl/gen/bcm/ghash-neon-armv8-linux.S index ee57d512..65a98412 100644 --- a/third_party/boringssl/gen/bcm/ghash-neon-armv8-linux.S +++ b/third_party/boringssl/gen/bcm/ghash-neon-armv8-linux.S @@ -321,7 +321,9 @@ gcm_ghash_neon: .size gcm_ghash_neon,.-gcm_ghash_neon .section .rodata + .align 4 +ghash_neon_masks: .Lmasks: .quad 0x0000ffffffffffff // k48 .quad 0x00000000ffffffff // k32 diff --git a/third_party/boringssl/gen/bcm/ghash-neon-armv8-win.S b/third_party/boringssl/gen/bcm/ghash-neon-armv8-win.S index 91814da0..937e5868 100644 --- a/third_party/boringssl/gen/bcm/ghash-neon-armv8-win.S +++ b/third_party/boringssl/gen/bcm/ghash-neon-armv8-win.S @@ -327,7 +327,9 @@ Lgmult_neon: .section .rodata + .align 4 +ghash_neon_masks: Lmasks: .quad 0x0000ffffffffffff // k48 .quad 0x00000000ffffffff // k32 diff --git a/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-apple.S b/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-apple.S index 53af23f8..f66e1fa5 100644 --- a/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-apple.S 
@@ -205,6 +205,7 @@ L$oop_row_3: .globl _gcm_ghash_ssse3 .private_extern _gcm_ghash_ssse3 .p2align 4 +.alt_entry _gcm_ghash_ssse3 _gcm_ghash_ssse3: @@ -411,7 +412,9 @@ L$oop_row_6: .section __DATA,__const + .p2align 4 +ghash_ssse3_constants: L$reverse_bytes: diff --git a/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-linux.S b/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-linux.S index edce38d0..eea627a6 100644 --- a/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-linux.S +++ b/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-linux.S @@ -411,7 +411,9 @@ _CET_ENDBR .size gcm_ghash_ssse3,.-gcm_ghash_ssse3 .section .rodata + .align 16 +ghash_ssse3_constants: .Lreverse_bytes: diff --git a/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-win.asm b/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-win.asm index 5f78da86..94af7d51 100644 --- a/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-win.asm +++ b/third_party/boringssl/gen/bcm/ghash-ssse3-x86_64-win.asm @@ -440,7 +440,9 @@ $L$SEH_end_gcm_ghash_ssse3_7: section .rdata rdata align=8 + ALIGN 16 +ghash_ssse3_constants: $L$reverse_bytes: diff --git a/third_party/boringssl/gen/bcm/ghash-x86_64-apple.S b/third_party/boringssl/gen/bcm/ghash-x86_64-apple.S index 0cf60d1b..e8d4745a 100644 --- a/third_party/boringssl/gen/bcm/ghash-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/ghash-x86_64-apple.S @@ -171,6 +171,7 @@ L$_init_clmul: .private_extern _gcm_gmult_clmul .p2align 4 +.alt_entry _gcm_gmult_clmul _gcm_gmult_clmul: _CET_ENDBR @@ -226,6 +227,7 @@ L$_gmult_clmul: .private_extern _gcm_ghash_clmul .p2align 5 +.alt_entry _gcm_ghash_clmul _gcm_ghash_clmul: @@ -610,6 +612,7 @@ L$done: .private_extern _gcm_init_avx .p2align 5 +.alt_entry _gcm_init_avx _gcm_init_avx: @@ -723,6 +726,7 @@ L$init_start_avx: .private_extern _gcm_gmult_avx .p2align 5 +.alt_entry _gcm_gmult_avx _gcm_gmult_avx: _CET_ENDBR @@ -733,6 +737,7 @@ _CET_ENDBR .private_extern _gcm_ghash_avx .p2align 5 +.alt_entry _gcm_ghash_avx _gcm_ghash_avx: 
@@ -1112,7 +1117,9 @@ L$tail_no_xor_avx: .section __DATA,__const + .p2align 6 +ghash_constants: L$bswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 L$0x1c2_polynomial: diff --git a/third_party/boringssl/gen/bcm/ghash-x86_64-linux.S b/third_party/boringssl/gen/bcm/ghash-x86_64-linux.S index f1ffcb82..64d4cbeb 100644 --- a/third_party/boringssl/gen/bcm/ghash-x86_64-linux.S +++ b/third_party/boringssl/gen/bcm/ghash-x86_64-linux.S @@ -1112,7 +1112,9 @@ _CET_ENDBR .size gcm_ghash_avx,.-gcm_ghash_avx .section .rodata + .align 64 +ghash_constants: .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 .L0x1c2_polynomial: diff --git a/third_party/boringssl/gen/bcm/ghash-x86_64-win.asm b/third_party/boringssl/gen/bcm/ghash-x86_64-win.asm index dd732483..a2c71dee 100644 --- a/third_party/boringssl/gen/bcm/ghash-x86_64-win.asm +++ b/third_party/boringssl/gen/bcm/ghash-x86_64-win.asm @@ -1198,7 +1198,9 @@ $L$tail_no_xor_avx: $L$SEH_end_gcm_ghash_avx_14: section .rdata rdata align=8 + ALIGN 64 +ghash_constants: $L$bswap_mask: DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 $L$0x1c2_polynomial: diff --git a/third_party/boringssl/gen/bcm/ghashv8-armv8-apple.S b/third_party/boringssl/gen/bcm/ghashv8-armv8-apple.S index ee458be4..115b94f7 100644 --- a/third_party/boringssl/gen/bcm/ghashv8-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/ghashv8-armv8-apple.S @@ -104,6 +104,7 @@ _gcm_init_v8: .private_extern _gcm_gmult_v8 .align 4 +.alt_entry _gcm_gmult_v8 _gcm_gmult_v8: AARCH64_VALID_CALL_TARGET ld1 {v17.2d},[x0] //load Xi @@ -147,6 +148,7 @@ _gcm_gmult_v8: .private_extern _gcm_ghash_v8 .align 4 +.alt_entry _gcm_ghash_v8 _gcm_ghash_v8: AARCH64_VALID_CALL_TARGET cmp x3,#64 @@ -279,6 +281,7 @@ Ldone_v8: .align 4 +.alt_entry gcm_ghash_v8_4x gcm_ghash_v8_4x: Lgcm_ghash_v8_4x: ld1 {v0.2d},[x0] //load [rotated] Xi diff --git a/third_party/boringssl/gen/bcm/p256-armv8-asm-apple.S b/third_party/boringssl/gen/bcm/p256-armv8-asm-apple.S index 283240fb..60cba773 100644 
--- a/third_party/boringssl/gen/bcm/p256-armv8-asm-apple.S +++ b/third_party/boringssl/gen/bcm/p256-armv8-asm-apple.S @@ -4,26 +4,6 @@ #include #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__APPLE__) -.section __TEXT,__const -.align 5 -Lpoly: -.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 -LRR: // 2^512 mod P precomputed for NIST P256 polynomial -.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd -Lone_mont: -.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe -Lone: -.quad 1,0,0,0 -Lord: -.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 -LordK: -.quad 0xccd1c8aaee00bc4f -.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.text - -// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], -// const BN_ULONG x2[4]); .globl _ecp_nistz256_mul_mont .private_extern _ecp_nistz256_mul_mont 
@@ -34,332 +14,153 @@ _ecp_nistz256_mul_mont: add x29,sp,#0 stp x19,x20,[sp,#16] - ldr x3,[x2] // bp[0] - ldp x4,x5,[x1] - ldp x6,x7,[x1,#16] - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_mul_mont - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl _ecp_nistz256_sqr_mont -.private_extern _ecp_nistz256_sqr_mont - -.align 4 -_ecp_nistz256_sqr_mont: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! - add x29,sp,#0 - stp x19,x20,[sp,#16] - - ldp x4,x5,[x1] - ldp x6,x7,[x1,#16] - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sqr_mont - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl _ecp_nistz256_div_by_2 -.private_extern _ecp_nistz256_div_by_2 - -.align 4 -_ecp_nistz256_div_by_2: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_div_by_2 - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl _ecp_nistz256_mul_by_2 -.private_extern _ecp_nistz256_mul_by_2 - -.align 4 -_ecp_nistz256_mul_by_2: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - - bl __ecp_nistz256_add_to // ret = a+a // 2*a - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl _ecp_nistz256_mul_by_3 -.private_extern _ecp_nistz256_mul_by_3 + mul x13,x3,x2 // a[0]*b[0] + umulh x8,x3,x2 -.align 4 -_ecp_nistz256_mul_by_3: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - mov x4,x14 - mov x5,x15 - mov x6,x16 - mov x7,x17 - - bl __ecp_nistz256_add_to // ret = a+a // 2*a - - mov x8,x4 - mov x9,x5 - mov x10,x6 - mov x11,x7 - - bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret + mul x14,x4,x2 // a[1]*b[0] + umulh x9,x4,x2 + mul x15,x5,x2 // a[2]*b[0] + umulh x10,x5,x2 -// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], -// const BN_ULONG x2[4]); -.globl _ecp_nistz256_sub -.private_extern _ecp_nistz256_sub - -.align 4 -_ecp_nistz256_sub: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl _ecp_nistz256_neg -.private_extern _ecp_nistz256_neg - -.align 4 -_ecp_nistz256_neg: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 + mul x16,x6,x2 // a[3]*b[0] + umulh x11,x6,x2 + ldr x2,[x1,#8] // b[1] - mov x2,x1 - mov x14,xzr // a = 0 - mov x15,xzr - mov x16,xzr - mov x17,xzr - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded -// to x4-x7 and b[0] - to x3 - -.align 4 -__ecp_nistz256_mul_mont: - mul x14,x4,x3 // a[0]*b[0] - umulh x8,x4,x3 - - mul x15,x5,x3 // a[1]*b[0] - umulh x9,x5,x3 - - mul x16,x6,x3 // a[2]*b[0] - umulh x10,x6,x3 - - mul x17,x7,x3 // a[3]*b[0] - umulh x11,x7,x3 - ldr x3,[x2,#8] // b[1] - - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adc x19,xzr,x11 - mov x20,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 + adcs x16,x16,x10 + adc x17,xzr,x11 + mov x19,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh 
x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + ldr x2,[x1,#8*(1+1)] // b[1+1] + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 + adcs x15,x15,x9 + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - ldr x3,[x2,#8*(1+1)] // b[1+1] - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adc x19,xzr,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + ldr x2,[x1,#8*(2+1)] // b[2+1] + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - ldr x3,[x2,#8*(2+1)] // b[2+1] - adds x15,x15,x8 // accumulate high parts of 
multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adc x19,xzr,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr + adc x19,xzr,xzr + mov w7, #-1 // poly1 = 0x00000000ffffffff // last reduction - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - adcs x17,x19,x11 - adc x19,x20,xzr - - adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 
- sbcs xzr,x19,xzr // did it borrow? - - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + adcs x16,x17,x11 + adc x17,x19,xzr + + neg x12,x7 // poly3 = 0xffffffff00000001 + adds x8,x13,#1 // subs x8,x13,#-1 // tmp = ret-modulus + sbcs x9,x14,x7 + sbcs x10,x15,xzr + sbcs x11,x16,x12 + sbcs xzr,x17,xzr // did it borrow? + + csel x13,x13,x8,lo // ret = borrow ? ret : ret-modulus + csel x14,x14,x9,lo + csel x15,x15,x10,lo + stp x13,x14,[x0] + csel x16,x16,x11,lo + stp x15,x16,[x0,#16] + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER ret -// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded -// to x4-x7 +.globl _ecp_nistz256_sqr_mont +.private_extern _ecp_nistz256_sqr_mont .align 4 -__ecp_nistz256_sqr_mont: +.alt_entry _ecp_nistz256_sqr_mont +_ecp_nistz256_sqr_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + // | | | | | |a1*a0| | // | | | | |a2*a0| | | // | |a3*a2|a3*a0| | | | 
@@ -374,834 +175,126 @@ __ecp_nistz256_sqr_mont: // multiplication result, which can't overflow, because it // can never be all ones. - mul x15,x5,x4 // a[1]*a[0] - umulh x9,x5,x4 - mul x16,x6,x4 // a[2]*a[0] - umulh x10,x6,x4 - mul x17,x7,x4 // a[3]*a[0] - umulh x19,x7,x4 + mul x14,x4,x3 // a[1]*a[0] + umulh x9,x4,x3 + mul x15,x5,x3 // a[2]*a[0] + umulh x10,x5,x3 + mul x16,x6,x3 // a[3]*a[0] + umulh x17,x6,x3 - adds x16,x16,x9 // accumulate high parts of multiplication - mul x8,x6,x5 // a[2]*a[1] - umulh x9,x6,x5 - adcs x17,x17,x10 - mul x10,x7,x5 // a[3]*a[1] - umulh x11,x7,x5 - adc x19,x19,xzr // can't overflow + adds x15,x15,x9 // accumulate high parts of multiplication + mul x8,x5,x4 // a[2]*a[1] + umulh x9,x5,x4 + adcs x16,x16,x10 + mul x10,x6,x4 // a[3]*a[1] + umulh x11,x6,x4 + adc x17,x17,xzr // can't overflow - mul x20,x7,x6 // a[3]*a[2] - umulh x1,x7,x6 + mul x19,x6,x5 // a[3]*a[2] + umulh x20,x6,x5 adds x9,x9,x10 // accumulate high parts of multiplication - mul x14,x4,x4 // a[0]*a[0] + mul x13,x3,x3 // a[0]*a[0] adc x10,x11,xzr // can't overflow - adds x17,x17,x8 // accumulate low parts of multiplication + adds x16,x16,x8 // accumulate low parts of multiplication + umulh x3,x3,x3 + adcs x17,x17,x9 + mul x9,x4,x4 // a[1]*a[1] + adcs x19,x19,x10 umulh x4,x4,x4 - adcs x19,x19,x9 - mul x9,x5,x5 // a[1]*a[1] - adcs x20,x20,x10 - umulh x5,x5,x5 - adc x1,x1,xzr // can't overflow + adc x20,x20,xzr // can't overflow - adds x15,x15,x15 // acc[1-6]*=2 - mul x10,x6,x6 // a[2]*a[2] + adds x14,x14,x14 // acc[1-6]*=2 + mul x10,x5,x5 // a[2]*a[2] + adcs x15,x15,x15 + umulh x5,x5,x5 adcs x16,x16,x16 - umulh x6,x6,x6 + mul x11,x6,x6 // a[3]*a[3] adcs x17,x17,x17 - mul x11,x7,x7 // a[3]*a[3] + umulh x6,x6,x6 adcs x19,x19,x19 - umulh x7,x7,x7 adcs x20,x20,x20 - adcs x1,x1,x1 adc x2,xzr,xzr - adds x15,x15,x4 // +a[i]*a[i] - adcs x16,x16,x9 - adcs x17,x17,x5 - adcs x19,x19,x10 - adcs x20,x20,x6 - lsl x8,x14,#32 - adcs x1,x1,x11 - lsr x9,x14,#32 - adc x2,x2,x7 - subs 
x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - adc x17,x11,xzr // can't overflow - - adds x14,x14,x19 // accumulate upper half - adcs x15,x15,x20 - adcs x16,x16,x1 - adcs x17,x17,x2 - adc x19,xzr,xzr - - adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x19,xzr // did it borrow? - - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] - - ret - - -// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to -// x4-x7 and x8-x11. This is done because it's used in multiple -// contexts, e.g. in multiplication by 2 and 3... - -.align 4 -__ecp_nistz256_add_to: - adds x14,x14,x8 // ret = a+b + adds x14,x14,x3 // +a[i]*a[i] adcs x15,x15,x9 - adcs x16,x16,x10 - adcs x17,x17,x11 - adc x1,xzr,xzr // zap x1 - - adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x1,xzr // did subtraction borrow? - - csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] - - ret - - - -.align 4 -__ecp_nistz256_sub_from: - ldp x8,x9,[x2] - ldp x10,x11,[x2,#16] - subs x14,x14,x8 // ret = a-b - sbcs x15,x15,x9 - sbcs x16,x16,x10 - sbcs x17,x17,x11 - sbc x1,xzr,xzr // zap x1 - - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adc x11,x17,x13 - cmp x1,xzr // did subtraction borrow? - - csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret - csel x15,x15,x9,eq - csel x16,x16,x10,eq - stp x14,x15,[x0] - csel x17,x17,x11,eq - stp x16,x17,[x0,#16] - - ret - - - -.align 4 -__ecp_nistz256_sub_morf: - ldp x8,x9,[x2] - ldp x10,x11,[x2,#16] - subs x14,x8,x14 // ret = b-a - sbcs x15,x9,x15 - sbcs x16,x10,x16 - sbcs x17,x11,x17 - sbc x1,xzr,xzr // zap x1 - - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adc x11,x17,x13 - cmp x1,xzr // did subtraction borrow? - - csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret - csel x15,x15,x9,eq - csel x16,x16,x10,eq - stp x14,x15,[x0] - csel x17,x17,x11,eq - stp x16,x17,[x0,#16] - - ret - - - -.align 4 -__ecp_nistz256_div_by_2: - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adcs x11,x17,x13 - adc x1,xzr,xzr // zap x1 - tst x14,#1 // is a even? - - csel x14,x14,x8,eq // ret = even ? a : a+modulus - csel x15,x15,x9,eq - csel x16,x16,x10,eq - csel x17,x17,x11,eq - csel x1,xzr,x1,eq - - lsr x14,x14,#1 // ret >>= 1 - orr x14,x14,x15,lsl#63 - lsr x15,x15,#1 - orr x15,x15,x16,lsl#63 - lsr x16,x16,#1 - orr x16,x16,x17,lsl#63 - lsr x17,x17,#1 - stp x14,x15,[x0] - orr x17,x17,x1,lsl#63 - stp x16,x17,[x0,#16] - - ret - -.globl _ecp_nistz256_point_double -.private_extern _ecp_nistz256_point_double - -.align 5 -_ecp_nistz256_point_double: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - sub sp,sp,#32*4 - -Ldouble_shortcut: - ldp x14,x15,[x1,#32] - mov x21,x0 - ldp x16,x17,[x1,#48] - mov x22,x1 - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - mov x8,x14 - ldr x13,[x13,#24] - mov x9,x15 - ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[x22,#64+16] - add x0,sp,#0 - bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y); - - add x0,sp,#64 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); - - ldp x8,x9,[x22] - ldp x10,x11,[x22,#16] - mov x4,x14 // put Zsqr aside for p256_sub - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x0,sp,#32 - bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x); - - add x2,x22,#0 - mov x14,x4 // restore Zsqr - mov x15,x5 - ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont - mov x16,x6 - mov x17,x7 - ldp x6,x7,[sp,#0+16] - add x0,sp,#64 - bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); - - add x0,sp,#0 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); - - ldr x3,[x22,#32] - ldp x4,x5,[x22,#64] - ldp x6,x7,[x22,#64+16] - add x2,x22,#32 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); - - mov x8,x14 - mov x9,x15 - ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[sp,#0+16] - add x0,x21,#64 - bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0); - - add x0,sp,#96 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S); - - ldr x3,[sp,#64] // forward load for p256_mul_mont - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x0,x21,#32 - bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); - - add x2,sp,#64 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); - - mov x8,x14 // duplicate M - mov x9,x15 - mov x10,x16 - mov x11,x17 - mov x4,x14 // put M aside - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x0,sp,#32 - bl __ecp_nistz256_add_to - mov x8,x4 // restore M - mov x9,x5 - ldr x3,[x22] 
// forward load for p256_mul_mont - mov x10,x6 - ldp x4,x5,[sp,#0] - mov x11,x7 - ldp x6,x7,[sp,#0+16] - bl __ecp_nistz256_add_to // p256_mul_by_3(M, M); - - add x2,x22,#0 - add x0,sp,#0 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); - - mov x8,x14 - mov x9,x15 - ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[sp,#32+16] - add x0,sp,#96 - bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S); - - add x0,x21,#0 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); - - add x2,sp,#96 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); - - add x2,sp,#0 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); - - ldr x3,[sp,#32] - mov x4,x14 // copy S - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x2,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); - - add x2,x21,#32 - add x0,x21,#32 - bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); - - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x29,x30,[sp],#96 - AARCH64_VALIDATE_LINK_REGISTER - ret - -.globl _ecp_nistz256_point_add -.private_extern _ecp_nistz256_point_add - -.align 5 -_ecp_nistz256_point_add: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - stp x23,x24,[sp,#48] - stp x25,x26,[sp,#64] - stp x27,x28,[sp,#80] - sub sp,sp,#32*12 - - ldp x4,x5,[x2,#64] // in2_z - ldp x6,x7,[x2,#64+16] - mov x21,x0 - mov x22,x1 - mov x23,x2 - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - orr x8,x4,x5 - orr x10,x6,x7 - orr x25,x8,x10 - cmp x25,#0 - csetm x25,ne // ~in2infty - add x0,sp,#192 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); - - ldp x4,x5,[x22,#64] // in1_z - ldp x6,x7,[x22,#64+16] - orr x8,x4,x5 - orr x10,x6,x7 - orr x24,x8,x10 - cmp x24,#0 - csetm x24,ne // ~in1infty - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); - - ldr x3,[x23,#64] - ldp x4,x5,[sp,#192] - ldp x6,x7,[sp,#192+16] - add x2,x23,#64 - add x0,sp,#320 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,x22,#64 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); - - ldr x3,[x22,#32] - ldp x4,x5,[sp,#320] - ldp x6,x7,[sp,#320+16] - add x2,x22,#32 - add x0,sp,#320 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); - - ldr x3,[x23,#32] - ldp x4,x5,[sp,#352] - ldp x6,x7,[sp,#352+16] - add x2,x23,#32 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); - - add x2,sp,#320 - ldr x3,[sp,#192] // forward load for p256_mul_mont - ldp x4,x5,[x22] - ldp x6,x7,[x22,#16] - add x0,sp,#160 - bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); - - orr x14,x14,x15 // see if result is zero - orr x16,x16,x17 - orr x26,x14,x16 // ~is_equal(S1,S2) - - add x2,sp,#192 - add x0,sp,#256 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); - - ldr x3,[sp,#128] - ldp x4,x5,[x23] - ldp x6,x7,[x23,#16] - add x2,sp,#128 - add x0,sp,#288 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); - - add x2,sp,#256 - ldp x4,x5,[sp,#160] // forward load for 
p256_sqr_mont - ldp x6,x7,[sp,#160+16] - add x0,sp,#96 - bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); - - orr x14,x14,x15 // see if result is zero - orr x16,x16,x17 - orr x14,x14,x16 // ~is_equal(U1,U2) - - mvn x27,x24 // -1/0 -> 0/-1 - mvn x28,x25 // -1/0 -> 0/-1 - orr x14,x14,x27 - orr x14,x14,x28 - orr x14,x14,x26 - cbnz x14,Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) - -Ladd_double: - mov x1,x22 - mov x0,x21 - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames - b Ldouble_shortcut + adcs x16,x16,x4 + adcs x17,x17,x10 + adcs x19,x19,x5 + lsl x8,x13,#32 + adcs x20,x20,x11 + lsr x9,x13,#32 + adc x2,x2,x6 + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + adc x16,x11,xzr // can't overflow + + mov w7, #-1 // poly1 = 0x00000000ffffffff + adds x13,x13,x17 // accumulate upper half + adcs x14,x14,x19 + adcs x15,x15,x20 + adcs x16,x16,x2 + adc x17,xzr,xzr + + neg x12,x7 // poly3 = 0xffffffff00000001 + adds x8,x13,#1 // subs x8,x13,#-1 // tmp = ret-modulus + sbcs x9,x14,x7 + sbcs x10,x15,xzr + sbcs x11,x16,x12 + sbcs xzr,x17,xzr // did it borrow? 
+ + csel x13,x13,x8,lo // ret = borrow ? ret : ret-modulus + csel x14,x14,x9,lo + csel x15,x15,x10,lo + stp x13,x14,[x0] + csel x16,x16,x11,lo + stp x15,x16,[x0,#16] -.align 4 -Ladd_proceed: - add x0,sp,#192 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#96] - ldp x6,x7,[sp,#96+16] - add x2,x22,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); - - ldp x4,x5,[sp,#96] - ldp x6,x7,[sp,#96+16] - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); - - ldr x3,[x23,#64] - ldp x4,x5,[sp,#64] - ldp x6,x7,[sp,#64+16] - add x2,x23,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); - - ldr x3,[sp,#96] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,sp,#96 - add x0,sp,#224 - bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); - - ldr x3,[sp,#128] - ldp x4,x5,[sp,#256] - ldp x6,x7,[sp,#256+16] - add x2,sp,#128 - add x0,sp,#288 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); - - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - add x0,sp,#128 - bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); - - add x2,sp,#192 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); - - add x2,sp,#224 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); - - add x2,sp,#288 - ldr x3,[sp,#224] // forward load for p256_mul_mont - ldp x4,x5,[sp,#320] - ldp x6,x7,[sp,#320+16] - add x0,sp,#32 - bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); - - add x2,sp,#224 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); - - ldr x3,[sp,#160] - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x2,sp,#160 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); - - add x2,sp,#352 - bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); - - ldp x4,x5,[sp,#0] // res - ldp x6,x7,[sp,#0+16] - ldp x8,x9,[x23] // in2 - ldp x10,x11,[x23,#16] - ldp 
x14,x15,[x22,#0] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#0+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+0+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+0+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#0+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#0+48] - stp x14,x15,[x21,#0] - stp x16,x17,[x21,#0+16] - ldp x14,x15,[x22,#32] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#32+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+32+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+32+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#32+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#32+48] - stp x14,x15,[x21,#32] - stp x16,x17,[x21,#32+16] - ldp x14,x15,[x22,#64] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#64+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - csel x14,x8,x14,ne - csel x15,x9,x15,ne - csel x16,x10,x16,ne - csel x17,x11,x17,ne - stp x14,x15,[x21,#64] - stp x16,x17,[x21,#64+16] - -Ladd_done: - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 AARCH64_VALIDATE_LINK_REGISTER ret -.globl _ecp_nistz256_point_add_affine -.private_extern _ecp_nistz256_point_add_affine +.section __TEXT,__const .align 5 -_ecp_nistz256_point_add_affine: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - stp x23,x24,[sp,#48] - stp x25,x26,[sp,#64] - sub sp,sp,#32*10 - - mov x21,x0 - mov x22,x1 - mov x23,x2 - adrp x13,Lpoly@PAGE - add x13,x13,Lpoly@PAGEOFF - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - ldp x4,x5,[x1,#64] // in1_z - ldp x6,x7,[x1,#64+16] - orr x8,x4,x5 - orr x10,x6,x7 - orr x24,x8,x10 - cmp x24,#0 - csetm x24,ne // ~in1infty - - ldp x14,x15,[x2] // in2_x - ldp x16,x17,[x2,#16] - ldp x8,x9,[x2,#32] // in2_y - ldp x10,x11,[x2,#48] - orr x14,x14,x15 - orr x16,x16,x17 - orr x8,x8,x9 - orr x10,x10,x11 - orr x14,x14,x16 - orr x8,x8,x10 - orr x25,x14,x8 - cmp x25,#0 - csetm x25,ne // ~in2infty - - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); - - mov x4,x14 - mov x5,x15 - mov x6,x16 - mov x7,x17 - ldr x3,[x23] - add x2,x23,#0 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); - - add x2,x22,#0 - ldr x3,[x22,#64] // forward load for p256_mul_mont - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x0,sp,#160 - bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); - - add x2,x22,#64 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#160] - ldp x6,x7,[sp,#160+16] - add x2,x22,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); - - ldr x3,[x23,#32] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,x23,#32 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); - - add x2,x22,#32 - ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont - ldp x6,x7,[sp,#160+16] - add x0,sp,#192 - bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); - - add x0,sp,#224 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); - - ldp x4,x5,[sp,#192] - ldp x6,x7,[sp,#192+16] - add x0,sp,#288 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); - - ldr x3,[sp,#160] - ldp x4,x5,[sp,#224] - ldp x6,x7,[sp,#224+16] - add x2,sp,#160 - add 
x0,sp,#256 - bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); - - ldr x3,[x22] - ldp x4,x5,[sp,#224] - ldp x6,x7,[sp,#224+16] - add x2,x22,#0 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); - - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - add x0,sp,#224 - bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); - - add x2,sp,#288 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); - - add x2,sp,#256 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); - - add x2,sp,#96 - ldr x3,[x22,#32] // forward load for p256_mul_mont - ldp x4,x5,[sp,#256] - ldp x6,x7,[sp,#256+16] - add x0,sp,#32 - bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); - - add x2,x22,#32 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); - - ldr x3,[sp,#192] - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x2,sp,#192 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); - - add x2,sp,#128 - bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); - - ldp x4,x5,[sp,#0] // res - ldp x6,x7,[sp,#0+16] - ldp x8,x9,[x23] // in2 - ldp x10,x11,[x23,#16] - ldp x14,x15,[x22,#0] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#0+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+0+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+0+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#0+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#0+48] - stp x14,x15,[x21,#0] - stp x16,x17,[x21,#0+16] - adrp x23,Lone_mont@PAGE-64 - add x23,x23,Lone_mont@PAGEOFF-64 - ldp x14,x15,[x22,#32] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#32+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+32+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? 
- ldp x6,x7,[sp,#0+32+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#32+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#32+48] - stp x14,x15,[x21,#32] - stp x16,x17,[x21,#32+16] - ldp x14,x15,[x22,#64] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#64+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - csel x14,x8,x14,ne - csel x15,x9,x15,ne - csel x16,x10,x16,ne - csel x17,x11,x17,ne - stp x14,x15,[x21,#64] - stp x16,x17,[x21,#64+16] - - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x29,x30,[sp],#80 - AARCH64_VALIDATE_LINK_REGISTER - ret +p256_constants: +Lord: +.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 +LordK: +.quad 0xccd1c8aaee00bc4f +.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.text -//////////////////////////////////////////////////////////////////////// // void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4], // uint64_t b[4]); .globl _ecp_nistz256_ord_mul_mont @@ -1225,7 +318,7 @@ _ecp_nistz256_ord_mul_mont: ldp x12,x13,[x23,#0] ldp x21,x22,[x23,#16] - ldr x23,[x23,#32] + ldr x23,[x23,#32] // LordK mul x14,x4,x3 // a[0]*b[0] umulh x8,x4,x3 @@ -1420,6 +513,7 @@ _ecp_nistz256_ord_mul_mont: .private_extern _ecp_nistz256_ord_sqr_mont .align 4 +.alt_entry _ecp_nistz256_ord_sqr_mont _ecp_nistz256_ord_sqr_mont: AARCH64_VALID_CALL_TARGET // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. 
@@ -1606,119 +700,4 @@ Loop_ord_sqr: ldr x29,[sp],#64 ret -//////////////////////////////////////////////////////////////////////// -// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index); -.globl _ecp_nistz256_select_w5 -.private_extern _ecp_nistz256_select_w5 - -.align 4 -_ecp_nistz256_select_w5: - AARCH64_VALID_CALL_TARGET - - // x10 := x0 - // w9 := 0; loop counter and incremented internal index - mov x10, x0 - mov w9, #0 - - // [v16-v21] := 0 - movi v16.16b, #0 - movi v17.16b, #0 - movi v18.16b, #0 - movi v19.16b, #0 - movi v20.16b, #0 - movi v21.16b, #0 - -Lselect_w5_loop: - // Loop 16 times. - - // Increment index (loop counter); tested at the end of the loop - add w9, w9, #1 - - // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1 - // and advance x1 to point to the next entry - ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 - - // x11 := (w9 == w2)? All 1s : All 0s - cmp w9, w2 - csetm x11, eq - - // continue loading ... - ld1 {v26.2d, v27.2d}, [x1],#32 - - // duplicate mask_64 into Mask (all 0s or all 1s) - dup v3.2d, x11 - - // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] - // i.e., values in output registers will remain the same if w9 != w2 - bit v16.16b, v22.16b, v3.16b - bit v17.16b, v23.16b, v3.16b - - bit v18.16b, v24.16b, v3.16b - bit v19.16b, v25.16b, v3.16b - - bit v20.16b, v26.16b, v3.16b - bit v21.16b, v27.16b, v3.16b - - // If bit #4 is not 0 (i.e. 
idx_ctr < 16) loop back - tbz w9, #4, Lselect_w5_loop - - // Write [v16-v21] to memory at the output pointer - st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64 - st1 {v20.2d, v21.2d}, [x10] - - ret - - - -//////////////////////////////////////////////////////////////////////// -// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index); -.globl _ecp_nistz256_select_w7 -.private_extern _ecp_nistz256_select_w7 - -.align 4 -_ecp_nistz256_select_w7: - AARCH64_VALID_CALL_TARGET - - // w9 := 0; loop counter and incremented internal index - mov w9, #0 - - // [v16-v21] := 0 - movi v16.16b, #0 - movi v17.16b, #0 - movi v18.16b, #0 - movi v19.16b, #0 - -Lselect_w7_loop: - // Loop 64 times. - - // Increment index (loop counter); tested at the end of the loop - add w9, w9, #1 - - // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1 - // and advance x1 to point to the next entry - ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 - - // x11 := (w9 == w2)? All 1s : All 0s - cmp w9, w2 - csetm x11, eq - - // duplicate mask_64 into Mask (all 0s or all 1s) - dup v3.2d, x11 - - // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] - // i.e., values in output registers will remain the same if w9 != w2 - bit v16.16b, v22.16b, v3.16b - bit v17.16b, v23.16b, v3.16b - - bit v18.16b, v24.16b, v3.16b - bit v19.16b, v25.16b, v3.16b - - // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back - tbz w9, #6, Lselect_w7_loop - - // Write [v16-v19] to memory at the output pointer - st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0] - - ret - #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__APPLE__) diff --git a/third_party/boringssl/gen/bcm/p256-armv8-asm-linux.S b/third_party/boringssl/gen/bcm/p256-armv8-asm-linux.S index 1d63f024..e7c83bc0 100644 --- a/third_party/boringssl/gen/bcm/p256-armv8-asm-linux.S +++ b/third_party/boringssl/gen/bcm/p256-armv8-asm-linux.S 
@@ -4,26 +4,6 @@ #include #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(__ELF__) -.section .rodata -.align 5 -.Lpoly: -.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 -.LRR: // 2^512 mod P precomputed for NIST P256 polynomial -.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd -.Lone_mont: -.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe -.Lone: -.quad 1,0,0,0 -.Lord: -.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 -.LordK: -.quad 0xccd1c8aaee00bc4f -.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.text - -// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], -// const BN_ULONG x2[4]); .globl ecp_nistz256_mul_mont .hidden ecp_nistz256_mul_mont .type ecp_nistz256_mul_mont,%function 
@@ -34,332 +14,152 @@ ecp_nistz256_mul_mont: add x29,sp,#0 stp x19,x20,[sp,#16] - ldr x3,[x2] // bp[0] - ldp x4,x5,[x1] - ldp x6,x7,[x1,#16] - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_mul_mont - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont - -// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_sqr_mont -.hidden ecp_nistz256_sqr_mont -.type ecp_nistz256_sqr_mont,%function -.align 4 -ecp_nistz256_sqr_mont: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! - add x29,sp,#0 - stp x19,x20,[sp,#16] - - ldp x4,x5,[x1] - ldp x6,x7,[x1,#16] - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sqr_mont - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont - -// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_div_by_2 -.hidden ecp_nistz256_div_by_2 -.type ecp_nistz256_div_by_2,%function -.align 4 -ecp_nistz256_div_by_2: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_div_by_2 - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_div_by_2,.-ecp_nistz256_div_by_2 - -// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_mul_by_2 -.hidden ecp_nistz256_mul_by_2 -.type ecp_nistz256_mul_by_2,%function -.align 4 -ecp_nistz256_mul_by_2: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 + mul x13,x3,x2 // a[0]*b[0] + umulh x8,x3,x2 - bl __ecp_nistz256_add_to // ret = a+a // 2*a + mul x14,x4,x2 // a[1]*b[0] + umulh x9,x4,x2 - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_mul_by_2,.-ecp_nistz256_mul_by_2 + mul x15,x5,x2 // a[2]*b[0] + umulh x10,x5,x2 -// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_mul_by_3 -.hidden ecp_nistz256_mul_by_3 -.type ecp_nistz256_mul_by_3,%function -.align 4 -ecp_nistz256_mul_by_3: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 + mul x16,x6,x2 // a[3]*b[0] + umulh x11,x6,x2 + ldr x2,[x1,#8] // b[1] - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - mov x4,x14 - mov x5,x15 - mov x6,x16 - mov x7,x17 - - bl __ecp_nistz256_add_to // ret = a+a // 2*a - - mov x8,x4 - mov x9,x5 - mov x10,x6 - mov x11,x7 - - bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_mul_by_3,.-ecp_nistz256_mul_by_3 - -// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], -// const BN_ULONG x2[4]); -.globl ecp_nistz256_sub -.hidden ecp_nistz256_sub -.type ecp_nistz256_sub,%function -.align 4 -ecp_nistz256_sub: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_sub,.-ecp_nistz256_sub - -// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_neg -.hidden ecp_nistz256_neg -.type ecp_nistz256_neg,%function -.align 4 -ecp_nistz256_neg: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - mov x2,x1 - mov x14,xzr // a = 0 - mov x15,xzr - mov x16,xzr - mov x17,xzr - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_neg,.-ecp_nistz256_neg - -// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded -// to x4-x7 and b[0] - to x3 -.type __ecp_nistz256_mul_mont,%function -.align 4 -__ecp_nistz256_mul_mont: - mul x14,x4,x3 // a[0]*b[0] - umulh x8,x4,x3 - - mul x15,x5,x3 // a[1]*b[0] - umulh x9,x5,x3 - - mul x16,x6,x3 // a[2]*b[0] - umulh x10,x6,x3 - - mul x17,x7,x3 // a[3]*b[0] - umulh x11,x7,x3 - ldr x3,[x2,#8] // b[1] - - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adc x19,xzr,x11 - mov x20,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 + adcs x16,x16,x10 + adc 
x17,xzr,x11 + mov x19,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + ldr x2,[x1,#8*(1+1)] // b[1+1] + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 + adcs x15,x15,x9 + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - ldr x3,[x2,#8*(1+1)] // b[1+1] - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adc x19,xzr,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh 
x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + ldr x2,[x1,#8*(2+1)] // b[2+1] + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - ldr x3,[x2,#8*(2+1)] // b[2+1] - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adc x19,xzr,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - adds x15,x15,x8 // accumulate 
high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr + adc x19,xzr,xzr + mov w7, #-1 // poly1 = 0x00000000ffffffff // last reduction - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - adcs x17,x19,x11 - adc x19,x20,xzr - - adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x19,xzr // did it borrow? - - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + adcs x16,x17,x11 + adc x17,x19,xzr + + neg x12,x7 // poly3 = 0xffffffff00000001 + adds x8,x13,#1 // subs x8,x13,#-1 // tmp = ret-modulus + sbcs x9,x14,x7 + sbcs x10,x15,xzr + sbcs x11,x16,x12 + sbcs xzr,x17,xzr // did it borrow? + + csel x13,x13,x8,lo // ret = borrow ? ret : ret-modulus + csel x14,x14,x9,lo + csel x15,x15,x10,lo + stp x13,x14,[x0] + csel x16,x16,x11,lo + stp x15,x16,[x0,#16] + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER ret -.size __ecp_nistz256_mul_mont,.-__ecp_nistz256_mul_mont +.size ecp_nistz256_mul_mont,.-ecp_nistz256_mul_mont -// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded -// to x4-x7 -.type __ecp_nistz256_sqr_mont,%function +.globl ecp_nistz256_sqr_mont +.hidden ecp_nistz256_sqr_mont +.type ecp_nistz256_sqr_mont,%function .align 4 -__ecp_nistz256_sqr_mont: +ecp_nistz256_sqr_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + // | | | | | |a1*a0| | // | | | | |a2*a0| | | // | |a3*a2|a3*a0| | | | 
@@ -374,834 +174,126 @@ __ecp_nistz256_sqr_mont: // multiplication result, which can't overflow, because it // can never be all ones. - mul x15,x5,x4 // a[1]*a[0] - umulh x9,x5,x4 - mul x16,x6,x4 // a[2]*a[0] - umulh x10,x6,x4 - mul x17,x7,x4 // a[3]*a[0] - umulh x19,x7,x4 + mul x14,x4,x3 // a[1]*a[0] + umulh x9,x4,x3 + mul x15,x5,x3 // a[2]*a[0] + umulh x10,x5,x3 + mul x16,x6,x3 // a[3]*a[0] + umulh x17,x6,x3 - adds x16,x16,x9 // accumulate high parts of multiplication - mul x8,x6,x5 // a[2]*a[1] - umulh x9,x6,x5 - adcs x17,x17,x10 - mul x10,x7,x5 // a[3]*a[1] - umulh x11,x7,x5 - adc x19,x19,xzr // can't overflow + adds x15,x15,x9 // accumulate high parts of multiplication + mul x8,x5,x4 // a[2]*a[1] + umulh x9,x5,x4 + adcs x16,x16,x10 + mul x10,x6,x4 // a[3]*a[1] + umulh x11,x6,x4 + adc x17,x17,xzr // can't overflow - mul x20,x7,x6 // a[3]*a[2] - umulh x1,x7,x6 + mul x19,x6,x5 // a[3]*a[2] + umulh x20,x6,x5 adds x9,x9,x10 // accumulate high parts of multiplication - mul x14,x4,x4 // a[0]*a[0] + mul x13,x3,x3 // a[0]*a[0] adc x10,x11,xzr // can't overflow - adds x17,x17,x8 // accumulate low parts of multiplication + adds x16,x16,x8 // accumulate low parts of multiplication + umulh x3,x3,x3 + adcs x17,x17,x9 + mul x9,x4,x4 // a[1]*a[1] + adcs x19,x19,x10 umulh x4,x4,x4 - adcs x19,x19,x9 - mul x9,x5,x5 // a[1]*a[1] - adcs x20,x20,x10 - umulh x5,x5,x5 - adc x1,x1,xzr // can't overflow + adc x20,x20,xzr // can't overflow - adds x15,x15,x15 // acc[1-6]*=2 - mul x10,x6,x6 // a[2]*a[2] + adds x14,x14,x14 // acc[1-6]*=2 + mul x10,x5,x5 // a[2]*a[2] + adcs x15,x15,x15 + umulh x5,x5,x5 adcs x16,x16,x16 - umulh x6,x6,x6 + mul x11,x6,x6 // a[3]*a[3] adcs x17,x17,x17 - mul x11,x7,x7 // a[3]*a[3] + umulh x6,x6,x6 adcs x19,x19,x19 - umulh x7,x7,x7 adcs x20,x20,x20 - adcs x1,x1,x1 adc x2,xzr,xzr - adds x15,x15,x4 // +a[i]*a[i] - adcs x16,x16,x9 - adcs x17,x17,x5 - adcs x19,x19,x10 - adcs x20,x20,x6 - lsl x8,x14,#32 - adcs x1,x1,x11 - lsr x9,x14,#32 - adc x2,x2,x7 - subs 
x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - adc x17,x11,xzr // can't overflow - - adds x14,x14,x19 // accumulate upper half - adcs x15,x15,x20 - adcs x16,x16,x1 - adcs x17,x17,x2 - adc x19,xzr,xzr - - adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x19,xzr // did it borrow? - - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] - - ret -.size __ecp_nistz256_sqr_mont,.-__ecp_nistz256_sqr_mont - -// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to -// x4-x7 and x8-x11. This is done because it's used in multiple -// contexts, e.g. in multiplication by 2 and 3... -.type __ecp_nistz256_add_to,%function -.align 4 -__ecp_nistz256_add_to: - adds x14,x14,x8 // ret = a+b + adds x14,x14,x3 // +a[i]*a[i] adcs x15,x15,x9 - adcs x16,x16,x10 - adcs x17,x17,x11 - adc x1,xzr,xzr // zap x1 - - adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x1,xzr // did subtraction borrow? 
- - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] - - ret -.size __ecp_nistz256_add_to,.-__ecp_nistz256_add_to - -.type __ecp_nistz256_sub_from,%function -.align 4 -__ecp_nistz256_sub_from: - ldp x8,x9,[x2] - ldp x10,x11,[x2,#16] - subs x14,x14,x8 // ret = a-b - sbcs x15,x15,x9 - sbcs x16,x16,x10 - sbcs x17,x17,x11 - sbc x1,xzr,xzr // zap x1 - - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adc x11,x17,x13 - cmp x1,xzr // did subtraction borrow? - - csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret - csel x15,x15,x9,eq - csel x16,x16,x10,eq - stp x14,x15,[x0] - csel x17,x17,x11,eq - stp x16,x17,[x0,#16] - - ret -.size __ecp_nistz256_sub_from,.-__ecp_nistz256_sub_from - -.type __ecp_nistz256_sub_morf,%function -.align 4 -__ecp_nistz256_sub_morf: - ldp x8,x9,[x2] - ldp x10,x11,[x2,#16] - subs x14,x8,x14 // ret = b-a - sbcs x15,x9,x15 - sbcs x16,x10,x16 - sbcs x17,x11,x17 - sbc x1,xzr,xzr // zap x1 - - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adc x11,x17,x13 - cmp x1,xzr // did subtraction borrow? - - csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret - csel x15,x15,x9,eq - csel x16,x16,x10,eq - stp x14,x15,[x0] - csel x17,x17,x11,eq - stp x16,x17,[x0,#16] - - ret -.size __ecp_nistz256_sub_morf,.-__ecp_nistz256_sub_morf - -.type __ecp_nistz256_div_by_2,%function -.align 4 -__ecp_nistz256_div_by_2: - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adcs x11,x17,x13 - adc x1,xzr,xzr // zap x1 - tst x14,#1 // is a even? - - csel x14,x14,x8,eq // ret = even ? 
a : a+modulus - csel x15,x15,x9,eq - csel x16,x16,x10,eq - csel x17,x17,x11,eq - csel x1,xzr,x1,eq - - lsr x14,x14,#1 // ret >>= 1 - orr x14,x14,x15,lsl#63 - lsr x15,x15,#1 - orr x15,x15,x16,lsl#63 - lsr x16,x16,#1 - orr x16,x16,x17,lsl#63 - lsr x17,x17,#1 - stp x14,x15,[x0] - orr x17,x17,x1,lsl#63 - stp x16,x17,[x0,#16] + adcs x16,x16,x4 + adcs x17,x17,x10 + adcs x19,x19,x5 + lsl x8,x13,#32 + adcs x20,x20,x11 + lsr x9,x13,#32 + adc x2,x2,x6 + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + adc x16,x11,xzr // can't overflow + + mov w7, #-1 // poly1 = 0x00000000ffffffff + adds x13,x13,x17 // accumulate upper half + adcs x14,x14,x19 + adcs x15,x15,x20 + adcs x16,x16,x2 + adc x17,xzr,xzr + + neg x12,x7 // poly3 = 0xffffffff00000001 + adds x8,x13,#1 // subs x8,x13,#-1 // tmp = ret-modulus + sbcs x9,x14,x7 + sbcs x10,x15,xzr + sbcs x11,x16,x12 + sbcs xzr,x17,xzr // did it borrow? + + csel x13,x13,x8,lo // ret = borrow ? 
ret : ret-modulus + csel x14,x14,x9,lo + csel x15,x15,x10,lo + stp x13,x14,[x0] + csel x16,x16,x11,lo + stp x15,x16,[x0,#16] - ret -.size __ecp_nistz256_div_by_2,.-__ecp_nistz256_div_by_2 -.globl ecp_nistz256_point_double -.hidden ecp_nistz256_point_double -.type ecp_nistz256_point_double,%function -.align 5 -ecp_nistz256_point_double: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - sub sp,sp,#32*4 - -.Ldouble_shortcut: - ldp x14,x15,[x1,#32] - mov x21,x0 - ldp x16,x17,[x1,#48] - mov x22,x1 - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - mov x8,x14 - ldr x13,[x13,#24] - mov x9,x15 - ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[x22,#64+16] - add x0,sp,#0 - bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y); - - add x0,sp,#64 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); - - ldp x8,x9,[x22] - ldp x10,x11,[x22,#16] - mov x4,x14 // put Zsqr aside for p256_sub - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x0,sp,#32 - bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x); - - add x2,x22,#0 - mov x14,x4 // restore Zsqr - mov x15,x5 - ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont - mov x16,x6 - mov x17,x7 - ldp x6,x7,[sp,#0+16] - add x0,sp,#64 - bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); - - add x0,sp,#0 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); - - ldr x3,[x22,#32] - ldp x4,x5,[x22,#64] - ldp x6,x7,[x22,#64+16] - add x2,x22,#32 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); - - mov x8,x14 - mov x9,x15 - ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[sp,#0+16] - add x0,x21,#64 - bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0); - - add x0,sp,#96 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, S); - - ldr x3,[sp,#64] // forward load for p256_mul_mont - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add 
x0,x21,#32 - bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); - - add x2,sp,#64 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); - - mov x8,x14 // duplicate M - mov x9,x15 - mov x10,x16 - mov x11,x17 - mov x4,x14 // put M aside - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x0,sp,#32 - bl __ecp_nistz256_add_to - mov x8,x4 // restore M - mov x9,x5 - ldr x3,[x22] // forward load for p256_mul_mont - mov x10,x6 - ldp x4,x5,[sp,#0] - mov x11,x7 - ldp x6,x7,[sp,#0+16] - bl __ecp_nistz256_add_to // p256_mul_by_3(M, M); - - add x2,x22,#0 - add x0,sp,#0 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); - - mov x8,x14 - mov x9,x15 - ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[sp,#32+16] - add x0,sp,#96 - bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S); - - add x0,x21,#0 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); - - add x2,sp,#96 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); - - add x2,sp,#0 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); - - ldr x3,[sp,#32] - mov x4,x14 // copy S - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x2,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); - - add x2,x21,#32 - add x0,x21,#32 - bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); - - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x29,x30,[sp],#96 + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 AARCH64_VALIDATE_LINK_REGISTER ret -.size ecp_nistz256_point_double,.-ecp_nistz256_point_double -.globl ecp_nistz256_point_add -.hidden ecp_nistz256_point_add -.type ecp_nistz256_point_add,%function -.align 5 -ecp_nistz256_point_add: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - stp x23,x24,[sp,#48] - stp x25,x26,[sp,#64] - stp x27,x28,[sp,#80] - sub sp,sp,#32*12 - - ldp x4,x5,[x2,#64] // in2_z - ldp x6,x7,[x2,#64+16] - mov x21,x0 - mov x22,x1 - mov x23,x2 - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - orr x8,x4,x5 - orr x10,x6,x7 - orr x25,x8,x10 - cmp x25,#0 - csetm x25,ne // ~in2infty - add x0,sp,#192 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); - - ldp x4,x5,[x22,#64] // in1_z - ldp x6,x7,[x22,#64+16] - orr x8,x4,x5 - orr x10,x6,x7 - orr x24,x8,x10 - cmp x24,#0 - csetm x24,ne // ~in1infty - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); - - ldr x3,[x23,#64] - ldp x4,x5,[sp,#192] - ldp x6,x7,[sp,#192+16] - add x2,x23,#64 - add x0,sp,#320 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,x22,#64 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); - - ldr x3,[x22,#32] - ldp x4,x5,[sp,#320] - ldp x6,x7,[sp,#320+16] - add x2,x22,#32 - add x0,sp,#320 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); - - ldr x3,[x23,#32] - ldp x4,x5,[sp,#352] - ldp x6,x7,[sp,#352+16] - add x2,x23,#32 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); - - add x2,sp,#320 - ldr x3,[sp,#192] // forward load for p256_mul_mont - ldp x4,x5,[x22] - ldp x6,x7,[x22,#16] - add x0,sp,#160 - bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); - - orr x14,x14,x15 // see if result is zero - orr x16,x16,x17 - orr x26,x14,x16 // ~is_equal(S1,S2) - - add x2,sp,#192 - add x0,sp,#256 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); - - ldr x3,[sp,#128] - ldp x4,x5,[x23] - ldp x6,x7,[x23,#16] - add x2,sp,#128 - add x0,sp,#288 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); - - add x2,sp,#256 - ldp x4,x5,[sp,#160] // forward load for 
p256_sqr_mont - ldp x6,x7,[sp,#160+16] - add x0,sp,#96 - bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); - - orr x14,x14,x15 // see if result is zero - orr x16,x16,x17 - orr x14,x14,x16 // ~is_equal(U1,U2) - - mvn x27,x24 // -1/0 -> 0/-1 - mvn x28,x25 // -1/0 -> 0/-1 - orr x14,x14,x27 - orr x14,x14,x28 - orr x14,x14,x26 - cbnz x14,.Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) - -.Ladd_double: - mov x1,x22 - mov x0,x21 - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames - b .Ldouble_shortcut +.size ecp_nistz256_sqr_mont,.-ecp_nistz256_sqr_mont +.section .rodata -.align 4 -.Ladd_proceed: - add x0,sp,#192 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#96] - ldp x6,x7,[sp,#96+16] - add x2,x22,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); - - ldp x4,x5,[sp,#96] - ldp x6,x7,[sp,#96+16] - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); - - ldr x3,[x23,#64] - ldp x4,x5,[sp,#64] - ldp x6,x7,[sp,#64+16] - add x2,x23,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); - - ldr x3,[sp,#96] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,sp,#96 - add x0,sp,#224 - bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); - - ldr x3,[sp,#128] - ldp x4,x5,[sp,#256] - ldp x6,x7,[sp,#256+16] - add x2,sp,#128 - add x0,sp,#288 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); - - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - add x0,sp,#128 - bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); - - add x2,sp,#192 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); - - add x2,sp,#224 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); - - add x2,sp,#288 - ldr x3,[sp,#224] // forward load for p256_mul_mont - ldp x4,x5,[sp,#320] - ldp x6,x7,[sp,#320+16] - add 
x0,sp,#32 - bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); - - add x2,sp,#224 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); - - ldr x3,[sp,#160] - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x2,sp,#160 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); - - add x2,sp,#352 - bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); - - ldp x4,x5,[sp,#0] // res - ldp x6,x7,[sp,#0+16] - ldp x8,x9,[x23] // in2 - ldp x10,x11,[x23,#16] - ldp x14,x15,[x22,#0] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#0+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+0+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+0+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#0+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#0+48] - stp x14,x15,[x21,#0] - stp x16,x17,[x21,#0+16] - ldp x14,x15,[x22,#32] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#32+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+32+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+32+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#32+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#32+48] - stp x14,x15,[x21,#32] - stp x16,x17,[x21,#32+16] - ldp x14,x15,[x22,#64] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#64+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? 
- csel x14,x8,x14,ne - csel x15,x9,x15,ne - csel x16,x10,x16,ne - csel x17,x11,x17,ne - stp x14,x15,[x21,#64] - stp x16,x17,[x21,#64+16] - -.Ladd_done: - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_point_add,.-ecp_nistz256_point_add -.globl ecp_nistz256_point_add_affine -.hidden ecp_nistz256_point_add_affine -.type ecp_nistz256_point_add_affine,%function .align 5 -ecp_nistz256_point_add_affine: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! - add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - stp x23,x24,[sp,#48] - stp x25,x26,[sp,#64] - sub sp,sp,#32*10 - - mov x21,x0 - mov x22,x1 - mov x23,x2 - adrp x13,.Lpoly - add x13,x13,:lo12:.Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - ldp x4,x5,[x1,#64] // in1_z - ldp x6,x7,[x1,#64+16] - orr x8,x4,x5 - orr x10,x6,x7 - orr x24,x8,x10 - cmp x24,#0 - csetm x24,ne // ~in1infty - - ldp x14,x15,[x2] // in2_x - ldp x16,x17,[x2,#16] - ldp x8,x9,[x2,#32] // in2_y - ldp x10,x11,[x2,#48] - orr x14,x14,x15 - orr x16,x16,x17 - orr x8,x8,x9 - orr x10,x10,x11 - orr x14,x14,x16 - orr x8,x8,x10 - orr x25,x14,x8 - cmp x25,#0 - csetm x25,ne // ~in2infty - - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); - - mov x4,x14 - mov x5,x15 - mov x6,x16 - mov x7,x17 - ldr x3,[x23] - add x2,x23,#0 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); - - add x2,x22,#0 - ldr x3,[x22,#64] // forward load for p256_mul_mont - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x0,sp,#160 - bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); - - add x2,x22,#64 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#160] - ldp x6,x7,[sp,#160+16] - add x2,x22,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, 
in1_z); - - ldr x3,[x23,#32] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,x23,#32 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); - - add x2,x22,#32 - ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont - ldp x6,x7,[sp,#160+16] - add x0,sp,#192 - bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); - - add x0,sp,#224 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); - - ldp x4,x5,[sp,#192] - ldp x6,x7,[sp,#192+16] - add x0,sp,#288 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); - - ldr x3,[sp,#160] - ldp x4,x5,[sp,#224] - ldp x6,x7,[sp,#224+16] - add x2,sp,#160 - add x0,sp,#256 - bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); - - ldr x3,[x22] - ldp x4,x5,[sp,#224] - ldp x6,x7,[sp,#224+16] - add x2,x22,#0 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); - - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - add x0,sp,#224 - bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); - - add x2,sp,#288 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); - - add x2,sp,#256 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); - - add x2,sp,#96 - ldr x3,[x22,#32] // forward load for p256_mul_mont - ldp x4,x5,[sp,#256] - ldp x6,x7,[sp,#256+16] - add x0,sp,#32 - bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); - - add x2,x22,#32 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); - - ldr x3,[sp,#192] - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x2,sp,#192 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); - - add x2,sp,#128 - bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); - - ldp x4,x5,[sp,#0] // res - ldp x6,x7,[sp,#0+16] - ldp x8,x9,[x23] // in2 - ldp x10,x11,[x23,#16] - ldp x14,x15,[x22,#0] // in1 - cmp x24,#0 // ~, remember? 
- ldp x16,x17,[x22,#0+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+0+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+0+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#0+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#0+48] - stp x14,x15,[x21,#0] - stp x16,x17,[x21,#0+16] - adrp x23,.Lone_mont-64 - add x23,x23,:lo12:.Lone_mont-64 - ldp x14,x15,[x22,#32] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#32+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+32+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+32+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#32+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#32+48] - stp x14,x15,[x21,#32] - stp x16,x17,[x21,#32+16] - ldp x14,x15,[x22,#64] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#64+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? 
- csel x14,x8,x14,ne - csel x15,x9,x15,ne - csel x16,x10,x16,ne - csel x17,x11,x17,ne - stp x14,x15,[x21,#64] - stp x16,x17,[x21,#64+16] - - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x29,x30,[sp],#80 - AARCH64_VALIDATE_LINK_REGISTER - ret -.size ecp_nistz256_point_add_affine,.-ecp_nistz256_point_add_affine -//////////////////////////////////////////////////////////////////////// +p256_constants: +.Lord: +.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 +.LordK: +.quad 0xccd1c8aaee00bc4f +.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.text + // void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4], // uint64_t b[4]); .globl ecp_nistz256_ord_mul_mont @@ -1225,7 +317,7 @@ ecp_nistz256_ord_mul_mont: ldp x12,x13,[x23,#0] ldp x21,x22,[x23,#16] - ldr x23,[x23,#32] + ldr x23,[x23,#32] // .LordK mul x14,x4,x3 // a[0]*b[0] umulh x8,x4,x3 
@@ -1606,119 +698,4 @@ ecp_nistz256_ord_sqr_mont: ldr x29,[sp],#64 ret .size ecp_nistz256_ord_sqr_mont,.-ecp_nistz256_ord_sqr_mont -//////////////////////////////////////////////////////////////////////// -// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index); -.globl ecp_nistz256_select_w5 -.hidden ecp_nistz256_select_w5 -.type ecp_nistz256_select_w5,%function -.align 4 -ecp_nistz256_select_w5: - AARCH64_VALID_CALL_TARGET - - // x10 := x0 - // w9 := 0; loop counter and incremented internal index - mov x10, x0 - mov w9, #0 - - // [v16-v21] := 0 - movi v16.16b, #0 - movi v17.16b, #0 - movi v18.16b, #0 - movi v19.16b, #0 - movi v20.16b, #0 - movi v21.16b, #0 - -.Lselect_w5_loop: - // Loop 16 times. - - // Increment index (loop counter); tested at the end of the loop - add w9, w9, #1 - - // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1 - // and advance x1 to point to the next entry - ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 - - // x11 := (w9 == w2)? All 1s : All 0s - cmp w9, w2 - csetm x11, eq - - // continue loading ... - ld1 {v26.2d, v27.2d}, [x1],#32 - - // duplicate mask_64 into Mask (all 0s or all 1s) - dup v3.2d, x11 - - // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] - // i.e., values in output registers will remain the same if w9 != w2 - bit v16.16b, v22.16b, v3.16b - bit v17.16b, v23.16b, v3.16b - - bit v18.16b, v24.16b, v3.16b - bit v19.16b, v25.16b, v3.16b - - bit v20.16b, v26.16b, v3.16b - bit v21.16b, v27.16b, v3.16b - - // If bit #4 is not 0 (i.e. 
idx_ctr < 16) loop back - tbz w9, #4, .Lselect_w5_loop - - // Write [v16-v21] to memory at the output pointer - st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64 - st1 {v20.2d, v21.2d}, [x10] - - ret -.size ecp_nistz256_select_w5,.-ecp_nistz256_select_w5 - - -//////////////////////////////////////////////////////////////////////// -// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index); -.globl ecp_nistz256_select_w7 -.hidden ecp_nistz256_select_w7 -.type ecp_nistz256_select_w7,%function -.align 4 -ecp_nistz256_select_w7: - AARCH64_VALID_CALL_TARGET - - // w9 := 0; loop counter and incremented internal index - mov w9, #0 - - // [v16-v21] := 0 - movi v16.16b, #0 - movi v17.16b, #0 - movi v18.16b, #0 - movi v19.16b, #0 - -.Lselect_w7_loop: - // Loop 64 times. - - // Increment index (loop counter); tested at the end of the loop - add w9, w9, #1 - - // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1 - // and advance x1 to point to the next entry - ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 - - // x11 := (w9 == w2)? All 1s : All 0s - cmp w9, w2 - csetm x11, eq - - // duplicate mask_64 into Mask (all 0s or all 1s) - dup v3.2d, x11 - - // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] - // i.e., values in output registers will remain the same if w9 != w2 - bit v16.16b, v22.16b, v3.16b - bit v17.16b, v23.16b, v3.16b - - bit v18.16b, v24.16b, v3.16b - bit v19.16b, v25.16b, v3.16b - - // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back - tbz w9, #6, .Lselect_w7_loop - - // Write [v16-v19] to memory at the output pointer - st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0] - - ret -.size ecp_nistz256_select_w7,.-ecp_nistz256_select_w7 #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(__ELF__) diff --git a/third_party/boringssl/gen/bcm/p256-armv8-asm-win.S b/third_party/boringssl/gen/bcm/p256-armv8-asm-win.S index f15b8ab0..71f0d94d 100644 --- a/third_party/boringssl/gen/bcm/p256-armv8-asm-win.S 
+++ b/third_party/boringssl/gen/bcm/p256-armv8-asm-win.S @@ -4,26 +4,6 @@ #include #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) && defined(_WIN32) -.section .rodata -.align 5 -Lpoly: -.quad 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 -LRR: // 2^512 mod P precomputed for NIST P256 polynomial -.quad 0x0000000000000003,0xfffffffbffffffff,0xfffffffffffffffe,0x00000004fffffffd -Lone_mont: -.quad 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe -Lone: -.quad 1,0,0,0 -Lord: -.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 -LordK: -.quad 0xccd1c8aaee00bc4f -.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 2 -.text - -// void ecp_nistz256_mul_mont(BN_ULONG x0[4],const BN_ULONG x1[4], -// const BN_ULONG x2[4]); .globl ecp_nistz256_mul_mont .def ecp_nistz256_mul_mont 
@@ -36,348 +16,154 @@ ecp_nistz256_mul_mont: add x29,sp,#0 stp x19,x20,[sp,#16] - ldr x3,[x2] // bp[0] - ldp x4,x5,[x1] - ldp x6,x7,[x1,#16] - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_mul_mont - - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_sqr_mont(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_sqr_mont - -.def ecp_nistz256_sqr_mont - .type 32 -.endef -.align 4 -ecp_nistz256_sqr_mont: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-32]! - add x29,sp,#0 - stp x19,x20,[sp,#16] - - ldp x4,x5,[x1] - ldp x6,x7,[x1,#16] - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] + mul x13,x3,x2 // a[0]*b[0] + umulh x8,x3,x2 - bl __ecp_nistz256_sqr_mont + mul x14,x4,x2 // a[1]*b[0] + umulh x9,x4,x2 - ldp x19,x20,[sp,#16] - ldp x29,x30,[sp],#32 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_div_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_div_by_2 + mul x15,x5,x2 // a[2]*b[0] + umulh x10,x5,x2 -.def ecp_nistz256_div_by_2 - .type 32 -.endef -.align 4 -ecp_nistz256_div_by_2: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 + mul x16,x6,x2 // a[3]*b[0] + umulh x11,x6,x2 + ldr x2,[x1,#8] // b[1] - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_div_by_2 - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_mul_by_2(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_mul_by_2 - -.def ecp_nistz256_mul_by_2 - .type 32 -.endef -.align 4 -ecp_nistz256_mul_by_2: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - - bl __ecp_nistz256_add_to // ret = a+a // 2*a - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_mul_by_3(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_mul_by_3 - -.def ecp_nistz256_mul_by_3 - .type 32 -.endef -.align 4 -ecp_nistz256_mul_by_3: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - mov x4,x14 - mov x5,x15 - mov x6,x16 - mov x7,x17 - - bl __ecp_nistz256_add_to // ret = a+a // 2*a - - mov x8,x4 - mov x9,x5 - mov x10,x6 - mov x11,x7 - - bl __ecp_nistz256_add_to // ret += a // 2*a+a=3*a - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_sub(BN_ULONG x0[4],const BN_ULONG x1[4], -// const BN_ULONG x2[4]); -.globl ecp_nistz256_sub - -.def ecp_nistz256_sub - .type 32 -.endef -.align 4 -ecp_nistz256_sub: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! - add x29,sp,#0 - - ldp x14,x15,[x1] - ldp x16,x17,[x1,#16] - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// void ecp_nistz256_neg(BN_ULONG x0[4],const BN_ULONG x1[4]); -.globl ecp_nistz256_neg - -.def ecp_nistz256_neg - .type 32 -.endef -.align 4 -ecp_nistz256_neg: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-16]! 
- add x29,sp,#0 - - mov x2,x1 - mov x14,xzr // a = 0 - mov x15,xzr - mov x16,xzr - mov x17,xzr - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - bl __ecp_nistz256_sub_from - - ldp x29,x30,[sp],#16 - AARCH64_VALIDATE_LINK_REGISTER - ret - - -// note that __ecp_nistz256_mul_mont expects a[0-3] input pre-loaded -// to x4-x7 and b[0] - to x3 -.def __ecp_nistz256_mul_mont - .type 32 -.endef -.align 4 -__ecp_nistz256_mul_mont: - mul x14,x4,x3 // a[0]*b[0] - umulh x8,x4,x3 - - mul x15,x5,x3 // a[1]*b[0] - umulh x9,x5,x3 - - mul x16,x6,x3 // a[2]*b[0] - umulh x10,x6,x3 - - mul x17,x7,x3 // a[3]*b[0] - umulh x11,x7,x3 - ldr x3,[x2,#8] // b[1] - - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adc x19,xzr,x11 - mov x20,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 + adcs x15,x15,x9 + lsr x9,x13,#32 + adcs x16,x16,x10 + adc x17,xzr,x11 + mov x19,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh 
x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + ldr x2,[x1,#8*(1+1)] // b[1+1] + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - ldr x3,[x2,#8*(1+1)] // b[1+1] - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adc x19,xzr,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + ldr x2,[x1,#8*(2+1)] // b[2+1] + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - ldr x3,[x2,#8*(2+1)] // b[2+1] - adds x15,x15,x8 // accumulate high parts of multiplication - lsl 
x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - mul x8,x4,x3 // lo(a[0]*b[i]) - adcs x15,x16,x9 - mul x9,x5,x3 // lo(a[1]*b[i]) - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - mul x10,x6,x3 // lo(a[2]*b[i]) - adcs x17,x19,x11 - mul x11,x7,x3 // lo(a[3]*b[i]) - adc x19,x20,xzr - - adds x14,x14,x8 // accumulate low parts of multiplication - umulh x8,x4,x3 // hi(a[0]*b[i]) + adc x19,xzr,xzr + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + mul x8,x3,x2 // lo(a[0]*b[i]) + adcs x14,x15,x9 + mul x9,x4,x2 // lo(a[1]*b[i]) + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + mul x10,x5,x2 // lo(a[2]*b[i]) + adcs x16,x17,x11 + mul x11,x6,x2 // lo(a[3]*b[i]) + adc x17,x19,xzr + + adds x13,x13,x8 // accumulate low parts of multiplication + umulh x8,x3,x2 // hi(a[0]*b[i]) + adcs x14,x14,x9 + umulh x9,x4,x2 // hi(a[1]*b[i]) + adcs x15,x15,x10 + umulh x10,x5,x2 // hi(a[2]*b[i]) + adcs x16,x16,x11 + umulh x11,x6,x2 // hi(a[3]*b[i]) + adc x17,x17,xzr + adds x14,x14,x8 // accumulate high parts of multiplication + lsl x8,x13,#32 adcs x15,x15,x9 - umulh x9,x5,x3 // hi(a[1]*b[i]) + lsr x9,x13,#32 adcs x16,x16,x10 - umulh x10,x6,x3 // hi(a[2]*b[i]) adcs x17,x17,x11 - umulh x11,x7,x3 // hi(a[3]*b[i]) - adc x19,x19,xzr - adds x15,x15,x8 // accumulate high parts of multiplication - lsl x8,x14,#32 - adcs x16,x16,x9 - lsr x9,x14,#32 - adcs x17,x17,x10 - adcs x19,x19,x11 - adc x20,xzr,xzr + adc x19,xzr,xzr + mov w7, #-1 // poly1 = 0x00000000ffffffff // last reduction - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - adcs x17,x19,x11 - adc x19,x20,xzr - - adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x19,xzr // 
did it borrow? - - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + adcs x16,x17,x11 + adc x17,x19,xzr + + neg x12,x7 // poly3 = 0xffffffff00000001 + adds x8,x13,#1 // subs x8,x13,#-1 // tmp = ret-modulus + sbcs x9,x14,x7 + sbcs x10,x15,xzr + sbcs x11,x16,x12 + sbcs xzr,x17,xzr // did it borrow? + + csel x13,x13,x8,lo // ret = borrow ? ret : ret-modulus + csel x14,x14,x9,lo + csel x15,x15,x10,lo + stp x13,x14,[x0] + csel x16,x16,x11,lo + stp x15,x16,[x0,#16] + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 + AARCH64_VALIDATE_LINK_REGISTER ret -// note that __ecp_nistz256_sqr_mont expects a[0-3] input pre-loaded -// to x4-x7 -.def __ecp_nistz256_sqr_mont +.globl ecp_nistz256_sqr_mont + +.def ecp_nistz256_sqr_mont .type 32 .endef .align 4 -__ecp_nistz256_sqr_mont: +ecp_nistz256_sqr_mont: + AARCH64_SIGN_LINK_REGISTER + stp x29,x30,[sp,#-32]! + add x29,sp,#0 + stp x19,x20,[sp,#16] + // | | | | | |a1*a0| | // | | | | |a2*a0| | | // | |a3*a2|a3*a0| | | | 
@@ -392,848 +178,126 @@ __ecp_nistz256_sqr_mont: // multiplication result, which can't overflow, because it // can never be all ones. - mul x15,x5,x4 // a[1]*a[0] - umulh x9,x5,x4 - mul x16,x6,x4 // a[2]*a[0] - umulh x10,x6,x4 - mul x17,x7,x4 // a[3]*a[0] - umulh x19,x7,x4 + mul x14,x4,x3 // a[1]*a[0] + umulh x9,x4,x3 + mul x15,x5,x3 // a[2]*a[0] + umulh x10,x5,x3 + mul x16,x6,x3 // a[3]*a[0] + umulh x17,x6,x3 - adds x16,x16,x9 // accumulate high parts of multiplication - mul x8,x6,x5 // a[2]*a[1] - umulh x9,x6,x5 - adcs x17,x17,x10 - mul x10,x7,x5 // a[3]*a[1] - umulh x11,x7,x5 - adc x19,x19,xzr // can't overflow + adds x15,x15,x9 // accumulate high parts of multiplication + mul x8,x5,x4 // a[2]*a[1] + umulh x9,x5,x4 + adcs x16,x16,x10 + mul x10,x6,x4 // a[3]*a[1] + umulh x11,x6,x4 + adc x17,x17,xzr // can't overflow - mul x20,x7,x6 // a[3]*a[2] - umulh x1,x7,x6 + mul x19,x6,x5 // a[3]*a[2] + umulh x20,x6,x5 adds x9,x9,x10 // accumulate high parts of multiplication - mul x14,x4,x4 // a[0]*a[0] + mul x13,x3,x3 // a[0]*a[0] adc x10,x11,xzr // can't overflow - adds x17,x17,x8 // accumulate low parts of multiplication + adds x16,x16,x8 // accumulate low parts of multiplication + umulh x3,x3,x3 + adcs x17,x17,x9 + mul x9,x4,x4 // a[1]*a[1] + adcs x19,x19,x10 umulh x4,x4,x4 - adcs x19,x19,x9 - mul x9,x5,x5 // a[1]*a[1] - adcs x20,x20,x10 - umulh x5,x5,x5 - adc x1,x1,xzr // can't overflow + adc x20,x20,xzr // can't overflow - adds x15,x15,x15 // acc[1-6]*=2 - mul x10,x6,x6 // a[2]*a[2] + adds x14,x14,x14 // acc[1-6]*=2 + mul x10,x5,x5 // a[2]*a[2] + adcs x15,x15,x15 + umulh x5,x5,x5 adcs x16,x16,x16 - umulh x6,x6,x6 + mul x11,x6,x6 // a[3]*a[3] adcs x17,x17,x17 - mul x11,x7,x7 // a[3]*a[3] + umulh x6,x6,x6 adcs x19,x19,x19 - umulh x7,x7,x7 adcs x20,x20,x20 - adcs x1,x1,x1 adc x2,xzr,xzr - adds x15,x15,x4 // +a[i]*a[i] - adcs x16,x16,x9 - adcs x17,x17,x5 - adcs x19,x19,x10 - adcs x20,x20,x6 - lsl x8,x14,#32 - adcs x1,x1,x11 - lsr x9,x14,#32 - adc x2,x2,x7 - subs 
x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - lsl x8,x14,#32 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - lsr x9,x14,#32 - adc x17,x11,xzr // can't overflow - subs x10,x14,x8 // "*0xffff0001" - sbc x11,x14,x9 - adds x14,x15,x8 // +=acc[0]<<96 and omit acc[0] - adcs x15,x16,x9 - adcs x16,x17,x10 // +=acc[0]*0xffff0001 - adc x17,x11,xzr // can't overflow - - adds x14,x14,x19 // accumulate upper half - adcs x15,x15,x20 - adcs x16,x16,x1 - adcs x17,x17,x2 - adc x19,xzr,xzr - - adds x8,x14,#1 // subs x8,x14,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x19,xzr // did it borrow? - - csel x14,x14,x8,lo // ret = borrow ? ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] - - ret - - -// Note that __ecp_nistz256_add_to expects both input vectors pre-loaded to -// x4-x7 and x8-x11. This is done because it's used in multiple -// contexts, e.g. in multiplication by 2 and 3... -.def __ecp_nistz256_add_to - .type 32 -.endef -.align 4 -__ecp_nistz256_add_to: - adds x14,x14,x8 // ret = a+b + adds x14,x14,x3 // +a[i]*a[i] adcs x15,x15,x9 - adcs x16,x16,x10 - adcs x17,x17,x11 - adc x1,xzr,xzr // zap x1 - - adds x8,x14,#1 // subs x8,x4,#-1 // tmp = ret-modulus - sbcs x9,x15,x12 - sbcs x10,x16,xzr - sbcs x11,x17,x13 - sbcs xzr,x1,xzr // did subtraction borrow? - - csel x14,x14,x8,lo // ret = borrow ? 
ret : ret-modulus - csel x15,x15,x9,lo - csel x16,x16,x10,lo - stp x14,x15,[x0] - csel x17,x17,x11,lo - stp x16,x17,[x0,#16] - - ret - - -.def __ecp_nistz256_sub_from - .type 32 -.endef -.align 4 -__ecp_nistz256_sub_from: - ldp x8,x9,[x2] - ldp x10,x11,[x2,#16] - subs x14,x14,x8 // ret = a-b - sbcs x15,x15,x9 - sbcs x16,x16,x10 - sbcs x17,x17,x11 - sbc x1,xzr,xzr // zap x1 - - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adc x11,x17,x13 - cmp x1,xzr // did subtraction borrow? - - csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret - csel x15,x15,x9,eq - csel x16,x16,x10,eq - stp x14,x15,[x0] - csel x17,x17,x11,eq - stp x16,x17,[x0,#16] - - ret - - -.def __ecp_nistz256_sub_morf - .type 32 -.endef -.align 4 -__ecp_nistz256_sub_morf: - ldp x8,x9,[x2] - ldp x10,x11,[x2,#16] - subs x14,x8,x14 // ret = b-a - sbcs x15,x9,x15 - sbcs x16,x10,x16 - sbcs x17,x11,x17 - sbc x1,xzr,xzr // zap x1 - - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = ret+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adc x11,x17,x13 - cmp x1,xzr // did subtraction borrow? - - csel x14,x14,x8,eq // ret = borrow ? ret+modulus : ret - csel x15,x15,x9,eq - csel x16,x16,x10,eq - stp x14,x15,[x0] - csel x17,x17,x11,eq - stp x16,x17,[x0,#16] - - ret - - -.def __ecp_nistz256_div_by_2 - .type 32 -.endef -.align 4 -__ecp_nistz256_div_by_2: - subs x8,x14,#1 // adds x8,x4,#-1 // tmp = a+modulus - adcs x9,x15,x12 - adcs x10,x16,xzr - adcs x11,x17,x13 - adc x1,xzr,xzr // zap x1 - tst x14,#1 // is a even? - - csel x14,x14,x8,eq // ret = even ? 
a : a+modulus - csel x15,x15,x9,eq - csel x16,x16,x10,eq - csel x17,x17,x11,eq - csel x1,xzr,x1,eq - - lsr x14,x14,#1 // ret >>= 1 - orr x14,x14,x15,lsl#63 - lsr x15,x15,#1 - orr x15,x15,x16,lsl#63 - lsr x16,x16,#1 - orr x16,x16,x17,lsl#63 - lsr x17,x17,#1 - stp x14,x15,[x0] - orr x17,x17,x1,lsl#63 - stp x16,x17,[x0,#16] - - ret - -.globl ecp_nistz256_point_double - -.def ecp_nistz256_point_double - .type 32 -.endef -.align 5 -ecp_nistz256_point_double: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! - add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - sub sp,sp,#32*4 - -Ldouble_shortcut: - ldp x14,x15,[x1,#32] - mov x21,x0 - ldp x16,x17,[x1,#48] - mov x22,x1 - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - mov x8,x14 - ldr x13,[x13,#24] - mov x9,x15 - ldp x4,x5,[x22,#64] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[x22,#64+16] - add x0,sp,#0 - bl __ecp_nistz256_add_to // p256_mul_by_2(S, in_y); - - add x0,sp,#64 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Zsqr, in_z); - - ldp x8,x9,[x22] - ldp x10,x11,[x22,#16] - mov x4,x14 // put Zsqr aside for p256_sub - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x0,sp,#32 - bl __ecp_nistz256_add_to // p256_add(M, Zsqr, in_x); - - add x2,x22,#0 - mov x14,x4 // restore Zsqr - mov x15,x5 - ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont - mov x16,x6 - mov x17,x7 - ldp x6,x7,[sp,#0+16] - add x0,sp,#64 - bl __ecp_nistz256_sub_morf // p256_sub(Zsqr, in_x, Zsqr); - - add x0,sp,#0 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(S, S); - - ldr x3,[x22,#32] - ldp x4,x5,[x22,#64] - ldp x6,x7,[x22,#64+16] - add x2,x22,#32 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(tmp0, in_z, in_y); - - mov x8,x14 - mov x9,x15 - ldp x4,x5,[sp,#0] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[sp,#0+16] - add x0,x21,#64 - bl __ecp_nistz256_add_to // p256_mul_by_2(res_z, tmp0); - - add x0,sp,#96 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(tmp0, 
S); - - ldr x3,[sp,#64] // forward load for p256_mul_mont - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x0,x21,#32 - bl __ecp_nistz256_div_by_2 // p256_div_by_2(res_y, tmp0); - - add x2,sp,#64 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(M, M, Zsqr); - - mov x8,x14 // duplicate M - mov x9,x15 - mov x10,x16 - mov x11,x17 - mov x4,x14 // put M aside - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x0,sp,#32 - bl __ecp_nistz256_add_to - mov x8,x4 // restore M - mov x9,x5 - ldr x3,[x22] // forward load for p256_mul_mont - mov x10,x6 - ldp x4,x5,[sp,#0] - mov x11,x7 - ldp x6,x7,[sp,#0+16] - bl __ecp_nistz256_add_to // p256_mul_by_3(M, M); - - add x2,x22,#0 - add x0,sp,#0 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, in_x); - - mov x8,x14 - mov x9,x15 - ldp x4,x5,[sp,#32] // forward load for p256_sqr_mont - mov x10,x16 - mov x11,x17 - ldp x6,x7,[sp,#32+16] - add x0,sp,#96 - bl __ecp_nistz256_add_to // p256_mul_by_2(tmp0, S); - - add x0,x21,#0 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(res_x, M); - - add x2,sp,#96 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, tmp0); - - add x2,sp,#0 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(S, S, res_x); - - ldr x3,[sp,#32] - mov x4,x14 // copy S - mov x5,x15 - mov x6,x16 - mov x7,x17 - add x2,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S, S, M); - - add x2,x21,#32 - add x0,x21,#32 - bl __ecp_nistz256_sub_from // p256_sub(res_y, S, res_y); - - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x29,x30,[sp],#96 - AARCH64_VALIDATE_LINK_REGISTER - ret - -.globl ecp_nistz256_point_add - -.def ecp_nistz256_point_add - .type 32 -.endef -.align 5 -ecp_nistz256_point_add: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-96]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - stp x23,x24,[sp,#48] - stp x25,x26,[sp,#64] - stp x27,x28,[sp,#80] - sub sp,sp,#32*12 - - ldp x4,x5,[x2,#64] // in2_z - ldp x6,x7,[x2,#64+16] - mov x21,x0 - mov x22,x1 - mov x23,x2 - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - orr x8,x4,x5 - orr x10,x6,x7 - orr x25,x8,x10 - cmp x25,#0 - csetm x25,ne // ~in2infty - add x0,sp,#192 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z2sqr, in2_z); - - ldp x4,x5,[x22,#64] // in1_z - ldp x6,x7,[x22,#64+16] - orr x8,x4,x5 - orr x10,x6,x7 - orr x24,x8,x10 - cmp x24,#0 - csetm x24,ne // ~in1infty - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); - - ldr x3,[x23,#64] - ldp x4,x5,[sp,#192] - ldp x6,x7,[sp,#192+16] - add x2,x23,#64 - add x0,sp,#320 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, Z2sqr, in2_z); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,x22,#64 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); - - ldr x3,[x22,#32] - ldp x4,x5,[sp,#320] - ldp x6,x7,[sp,#320+16] - add x2,x22,#32 - add x0,sp,#320 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S1, S1, in1_y); - - ldr x3,[x23,#32] - ldp x4,x5,[sp,#352] - ldp x6,x7,[sp,#352+16] - add x2,x23,#32 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); - - add x2,sp,#320 - ldr x3,[sp,#192] // forward load for p256_mul_mont - ldp x4,x5,[x22] - ldp x6,x7,[x22,#16] - add x0,sp,#160 - bl __ecp_nistz256_sub_from // p256_sub(R, S2, S1); - - orr x14,x14,x15 // see if result is zero - orr x16,x16,x17 - orr x26,x14,x16 // ~is_equal(S1,S2) - - add x2,sp,#192 - add x0,sp,#256 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U1, in1_x, Z2sqr); - - ldr x3,[sp,#128] - ldp x4,x5,[x23] - ldp x6,x7,[x23,#16] - add x2,sp,#128 - add x0,sp,#288 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in2_x, Z1sqr); - - add x2,sp,#256 - ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont 
- ldp x6,x7,[sp,#160+16] - add x0,sp,#96 - bl __ecp_nistz256_sub_from // p256_sub(H, U2, U1); - - orr x14,x14,x15 // see if result is zero - orr x16,x16,x17 - orr x14,x14,x16 // ~is_equal(U1,U2) - - mvn x27,x24 // -1/0 -> 0/-1 - mvn x28,x25 // -1/0 -> 0/-1 - orr x14,x14,x27 - orr x14,x14,x28 - orr x14,x14,x26 - cbnz x14,Ladd_proceed // if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2)) - -Ladd_double: - mov x1,x22 - mov x0,x21 - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - add sp,sp,#256 // #256 is from #32*(12-4). difference in stack frames - b Ldouble_shortcut + adcs x16,x16,x4 + adcs x17,x17,x10 + adcs x19,x19,x5 + lsl x8,x13,#32 + adcs x20,x20,x11 + lsr x9,x13,#32 + adc x2,x2,x6 + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + lsl x8,x13,#32 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + lsr x9,x13,#32 + adc x16,x11,xzr // can't overflow + subs x10,x13,x8 // "*0xffff0001" + sbc x11,x13,x9 + adds x13,x14,x8 // +=acc[0]<<96 and omit acc[0] + adcs x14,x15,x9 + adcs x15,x16,x10 // +=acc[0]*0xffff0001 + adc x16,x11,xzr // can't overflow + + mov w7, #-1 // poly1 = 0x00000000ffffffff + adds x13,x13,x17 // accumulate upper half + adcs x14,x14,x19 + adcs x15,x15,x20 + adcs x16,x16,x2 + adc x17,xzr,xzr + + neg x12,x7 // poly3 = 0xffffffff00000001 + adds x8,x13,#1 // subs x8,x13,#-1 // tmp = ret-modulus + sbcs x9,x14,x7 + sbcs x10,x15,xzr + sbcs x11,x16,x12 + sbcs xzr,x17,xzr // did it borrow? 
+ + csel x13,x13,x8,lo // ret = borrow ? ret : ret-modulus + csel x14,x14,x9,lo + csel x15,x15,x10,lo + stp x13,x14,[x0] + csel x16,x16,x11,lo + stp x15,x16,[x0,#16] -.align 4 -Ladd_proceed: - add x0,sp,#192 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#96] - ldp x6,x7,[sp,#96+16] - add x2,x22,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); - - ldp x4,x5,[sp,#96] - ldp x6,x7,[sp,#96+16] - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); - - ldr x3,[x23,#64] - ldp x4,x5,[sp,#64] - ldp x6,x7,[sp,#64+16] - add x2,x23,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, res_z, in2_z); - - ldr x3,[sp,#96] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,sp,#96 - add x0,sp,#224 - bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); - - ldr x3,[sp,#128] - ldp x4,x5,[sp,#256] - ldp x6,x7,[sp,#256+16] - add x2,sp,#128 - add x0,sp,#288 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, U1, Hsqr); - - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - add x0,sp,#128 - bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); - - add x2,sp,#192 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); - - add x2,sp,#224 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); - - add x2,sp,#288 - ldr x3,[sp,#224] // forward load for p256_mul_mont - ldp x4,x5,[sp,#320] - ldp x6,x7,[sp,#320+16] - add x0,sp,#32 - bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); - - add x2,sp,#224 - add x0,sp,#352 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S1, Hcub); - - ldr x3,[sp,#160] - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x2,sp,#160 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); - - add x2,sp,#352 - bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); - - ldp x4,x5,[sp,#0] // res - ldp x6,x7,[sp,#0+16] - ldp x8,x9,[x23] // in2 - ldp x10,x11,[x23,#16] - ldp 
x14,x15,[x22,#0] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#0+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+0+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+0+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#0+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#0+48] - stp x14,x15,[x21,#0] - stp x16,x17,[x21,#0+16] - ldp x14,x15,[x22,#32] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#32+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+32+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+32+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#32+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#32+48] - stp x14,x15,[x21,#32] - stp x16,x17,[x21,#32+16] - ldp x14,x15,[x22,#64] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#64+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - csel x14,x8,x14,ne - csel x15,x9,x15,ne - csel x16,x10,x16,ne - csel x17,x11,x17,ne - stp x14,x15,[x21,#64] - stp x16,x17,[x21,#64+16] - -Ladd_done: - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x27,x28,[x29,#80] - ldp x29,x30,[sp],#96 + ldp x19,x20,[sp,#16] + ldp x29,x30,[sp],#32 AARCH64_VALIDATE_LINK_REGISTER ret -.globl ecp_nistz256_point_add_affine +.section .rodata -.def ecp_nistz256_point_add_affine - .type 32 -.endef .align 5 -ecp_nistz256_point_add_affine: - AARCH64_SIGN_LINK_REGISTER - stp x29,x30,[sp,#-80]! 
- add x29,sp,#0 - stp x19,x20,[sp,#16] - stp x21,x22,[sp,#32] - stp x23,x24,[sp,#48] - stp x25,x26,[sp,#64] - sub sp,sp,#32*10 - - mov x21,x0 - mov x22,x1 - mov x23,x2 - adrp x13,Lpoly - add x13,x13,:lo12:Lpoly - ldr x12,[x13,#8] - ldr x13,[x13,#24] - - ldp x4,x5,[x1,#64] // in1_z - ldp x6,x7,[x1,#64+16] - orr x8,x4,x5 - orr x10,x6,x7 - orr x24,x8,x10 - cmp x24,#0 - csetm x24,ne // ~in1infty - - ldp x14,x15,[x2] // in2_x - ldp x16,x17,[x2,#16] - ldp x8,x9,[x2,#32] // in2_y - ldp x10,x11,[x2,#48] - orr x14,x14,x15 - orr x16,x16,x17 - orr x8,x8,x9 - orr x10,x10,x11 - orr x14,x14,x16 - orr x8,x8,x10 - orr x25,x14,x8 - cmp x25,#0 - csetm x25,ne // ~in2infty - - add x0,sp,#128 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Z1sqr, in1_z); - - mov x4,x14 - mov x5,x15 - mov x6,x16 - mov x7,x17 - ldr x3,[x23] - add x2,x23,#0 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, Z1sqr, in2_x); - - add x2,x22,#0 - ldr x3,[x22,#64] // forward load for p256_mul_mont - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x0,sp,#160 - bl __ecp_nistz256_sub_from // p256_sub(H, U2, in1_x); - - add x2,x22,#64 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, Z1sqr, in1_z); - - ldr x3,[x22,#64] - ldp x4,x5,[sp,#160] - ldp x6,x7,[sp,#160+16] - add x2,x22,#64 - add x0,sp,#64 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_z, H, in1_z); - - ldr x3,[x23,#32] - ldp x4,x5,[sp,#128] - ldp x6,x7,[sp,#128+16] - add x2,x23,#32 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, S2, in2_y); - - add x2,x22,#32 - ldp x4,x5,[sp,#160] // forward load for p256_sqr_mont - ldp x6,x7,[sp,#160+16] - add x0,sp,#192 - bl __ecp_nistz256_sub_from // p256_sub(R, S2, in1_y); - - add x0,sp,#224 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Hsqr, H); - - ldp x4,x5,[sp,#192] - ldp x6,x7,[sp,#192+16] - add x0,sp,#288 - bl __ecp_nistz256_sqr_mont // p256_sqr_mont(Rsqr, R); - - ldr x3,[sp,#160] - ldp x4,x5,[sp,#224] - ldp x6,x7,[sp,#224+16] - add x2,sp,#160 - add 
x0,sp,#256 - bl __ecp_nistz256_mul_mont // p256_mul_mont(Hcub, Hsqr, H); - - ldr x3,[x22] - ldp x4,x5,[sp,#224] - ldp x6,x7,[sp,#224+16] - add x2,x22,#0 - add x0,sp,#96 - bl __ecp_nistz256_mul_mont // p256_mul_mont(U2, in1_x, Hsqr); - - mov x8,x14 - mov x9,x15 - mov x10,x16 - mov x11,x17 - add x0,sp,#224 - bl __ecp_nistz256_add_to // p256_mul_by_2(Hsqr, U2); - - add x2,sp,#288 - add x0,sp,#0 - bl __ecp_nistz256_sub_morf // p256_sub(res_x, Rsqr, Hsqr); - - add x2,sp,#256 - bl __ecp_nistz256_sub_from // p256_sub(res_x, res_x, Hcub); - - add x2,sp,#96 - ldr x3,[x22,#32] // forward load for p256_mul_mont - ldp x4,x5,[sp,#256] - ldp x6,x7,[sp,#256+16] - add x0,sp,#32 - bl __ecp_nistz256_sub_morf // p256_sub(res_y, U2, res_x); - - add x2,x22,#32 - add x0,sp,#128 - bl __ecp_nistz256_mul_mont // p256_mul_mont(S2, in1_y, Hcub); - - ldr x3,[sp,#192] - ldp x4,x5,[sp,#32] - ldp x6,x7,[sp,#32+16] - add x2,sp,#192 - add x0,sp,#32 - bl __ecp_nistz256_mul_mont // p256_mul_mont(res_y, res_y, R); - - add x2,sp,#128 - bl __ecp_nistz256_sub_from // p256_sub(res_y, res_y, S2); - - ldp x4,x5,[sp,#0] // res - ldp x6,x7,[sp,#0+16] - ldp x8,x9,[x23] // in2 - ldp x10,x11,[x23,#16] - ldp x14,x15,[x22,#0] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#0+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+0+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - ldp x6,x7,[sp,#0+0+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#0+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#0+48] - stp x14,x15,[x21,#0] - stp x16,x17,[x21,#0+16] - adrp x23,Lone_mont-64 - add x23,x23,:lo12:Lone_mont-64 - ldp x14,x15,[x22,#32] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#32+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - ldp x4,x5,[sp,#0+32+32] // res - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? 
- ldp x6,x7,[sp,#0+32+48] - csel x14,x8,x14,ne - csel x15,x9,x15,ne - ldp x8,x9,[x23,#32+32] // in2 - csel x16,x10,x16,ne - csel x17,x11,x17,ne - ldp x10,x11,[x23,#32+48] - stp x14,x15,[x21,#32] - stp x16,x17,[x21,#32+16] - ldp x14,x15,[x22,#64] // in1 - cmp x24,#0 // ~, remember? - ldp x16,x17,[x22,#64+16] - csel x8,x4,x8,ne - csel x9,x5,x9,ne - csel x10,x6,x10,ne - csel x11,x7,x11,ne - cmp x25,#0 // ~, remember? - csel x14,x8,x14,ne - csel x15,x9,x15,ne - csel x16,x10,x16,ne - csel x17,x11,x17,ne - stp x14,x15,[x21,#64] - stp x16,x17,[x21,#64+16] - - add sp,x29,#0 // destroy frame - ldp x19,x20,[x29,#16] - ldp x21,x22,[x29,#32] - ldp x23,x24,[x29,#48] - ldp x25,x26,[x29,#64] - ldp x29,x30,[sp],#80 - AARCH64_VALIDATE_LINK_REGISTER - ret +p256_constants: +Lord: +.quad 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 +LordK: +.quad 0xccd1c8aaee00bc4f +.byte 69,67,80,95,78,73,83,84,90,50,53,54,32,102,111,114,32,65,82,77,118,56,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.align 2 +.text -//////////////////////////////////////////////////////////////////////// // void ecp_nistz256_ord_mul_mont(uint64_t res[4], uint64_t a[4], // uint64_t b[4]); .globl ecp_nistz256_ord_mul_mont @@ -1259,7 +323,7 @@ ecp_nistz256_ord_mul_mont: ldp x12,x13,[x23,#0] ldp x21,x22,[x23,#16] - ldr x23,[x23,#32] + ldr x23,[x23,#32] // LordK mul x14,x4,x3 // a[0]*b[0] umulh x8,x4,x3 
@@ -1642,123 +706,4 @@ Loop_ord_sqr: ldr x29,[sp],#64 ret -//////////////////////////////////////////////////////////////////////// -// void ecp_nistz256_select_w5(uint64_t *val, uint64_t *in_t, int index); -.globl ecp_nistz256_select_w5 - -.def ecp_nistz256_select_w5 - .type 32 -.endef -.align 4 -ecp_nistz256_select_w5: - AARCH64_VALID_CALL_TARGET - - // x10 := x0 - // w9 := 0; loop counter and incremented internal index - mov x10, x0 - mov w9, #0 - - // [v16-v21] := 0 - movi v16.16b, #0 - movi v17.16b, #0 - movi v18.16b, #0 - movi v19.16b, #0 - movi v20.16b, #0 - movi v21.16b, #0 - -Lselect_w5_loop: - // Loop 16 times. - - // Increment index (loop counter); tested at the end of the loop - add w9, w9, #1 - - // [v22-v27] := Load a (3*256-bit = 6*128-bit) table entry starting at x1 - // and advance x1 to point to the next entry - ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 - - // x11 := (w9 == w2)? All 1s : All 0s - cmp w9, w2 - csetm x11, eq - - // continue loading ... - ld1 {v26.2d, v27.2d}, [x1],#32 - - // duplicate mask_64 into Mask (all 0s or all 1s) - dup v3.2d, x11 - - // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] - // i.e., values in output registers will remain the same if w9 != w2 - bit v16.16b, v22.16b, v3.16b - bit v17.16b, v23.16b, v3.16b - - bit v18.16b, v24.16b, v3.16b - bit v19.16b, v25.16b, v3.16b - - bit v20.16b, v26.16b, v3.16b - bit v21.16b, v27.16b, v3.16b - - // If bit #4 is not 0 (i.e. 
idx_ctr < 16) loop back - tbz w9, #4, Lselect_w5_loop - - // Write [v16-v21] to memory at the output pointer - st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x10],#64 - st1 {v20.2d, v21.2d}, [x10] - - ret - - - -//////////////////////////////////////////////////////////////////////// -// void ecp_nistz256_select_w7(uint64_t *val, uint64_t *in_t, int index); -.globl ecp_nistz256_select_w7 - -.def ecp_nistz256_select_w7 - .type 32 -.endef -.align 4 -ecp_nistz256_select_w7: - AARCH64_VALID_CALL_TARGET - - // w9 := 0; loop counter and incremented internal index - mov w9, #0 - - // [v16-v21] := 0 - movi v16.16b, #0 - movi v17.16b, #0 - movi v18.16b, #0 - movi v19.16b, #0 - -Lselect_w7_loop: - // Loop 64 times. - - // Increment index (loop counter); tested at the end of the loop - add w9, w9, #1 - - // [v22-v25] := Load a (2*256-bit = 4*128-bit) table entry starting at x1 - // and advance x1 to point to the next entry - ld1 {v22.2d, v23.2d, v24.2d, v25.2d}, [x1],#64 - - // x11 := (w9 == w2)? All 1s : All 0s - cmp w9, w2 - csetm x11, eq - - // duplicate mask_64 into Mask (all 0s or all 1s) - dup v3.2d, x11 - - // [v16-v19] := (Mask == all 1s)? [v22-v25] : [v16-v19] - // i.e., values in output registers will remain the same if w9 != w2 - bit v16.16b, v22.16b, v3.16b - bit v17.16b, v23.16b, v3.16b - - bit v18.16b, v24.16b, v3.16b - bit v19.16b, v25.16b, v3.16b - - // If bit #6 is not 0 (i.e. idx_ctr < 64) loop back - tbz w9, #6, Lselect_w7_loop - - // Write [v16-v19] to memory at the output pointer - st1 {v16.2d, v17.2d, v18.2d, v19.2d}, [x0] - - ret - #endif // !OPENSSL_NO_ASM && defined(OPENSSL_AARCH64) && defined(_WIN32) diff --git a/third_party/boringssl/gen/bcm/p256-x86_64-asm-apple.S b/third_party/boringssl/gen/bcm/p256-x86_64-asm-apple.S index 80ffa014..ab368c9e 100644 --- a/third_party/boringssl/gen/bcm/p256-x86_64-asm-apple.S +++ b/third_party/boringssl/gen/bcm/p256-x86_64-asm-apple.S 
@@ -7,21 +7,7 @@ .text -.section __DATA,__const -.p2align 6 -L$poly: -.quad 0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001 - -L$One: -.long 1,1,1,1,1,1,1,1 -L$Two: -.long 2,2,2,2,2,2,2,2 -L$Three: -.long 3,3,3,3,3,3,3,3 -L$ONE_mont: -.quad 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, 0x00000000fffffffe - - +p256_constants: L$ord: .quad 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000 L$ordK: @@ -30,64 +16,6 @@ L$ordK: -.globl _ecp_nistz256_neg -.private_extern _ecp_nistz256_neg - -.p2align 5 -_ecp_nistz256_neg: - -_CET_ENDBR - pushq %r12 - - pushq %r13 - -L$neg_body: - - xorq %r8,%r8 - xorq %r9,%r9 - xorq %r10,%r10 - xorq %r11,%r11 - xorq %r13,%r13 - - subq 0(%rsi),%r8 - sbbq 8(%rsi),%r9 - sbbq 16(%rsi),%r10 - movq %r8,%rax - sbbq 24(%rsi),%r11 - leaq L$poly(%rip),%rsi - movq %r9,%rdx - sbbq $0,%r13 - - addq 0(%rsi),%r8 - movq %r10,%rcx - adcq 8(%rsi),%r9 - adcq 16(%rsi),%r10 - movq %r11,%r12 - adcq 24(%rsi),%r11 - testq %r13,%r13 - - cmovzq %rax,%r8 - cmovzq %rdx,%r9 - movq %r8,0(%rdi) - cmovzq %rcx,%r10 - movq %r9,8(%rdi) - cmovzq %r12,%r11 - movq %r10,16(%rdi) - movq %r11,24(%rdi) - - movq 0(%rsp),%r13 - - movq 8(%rsp),%r12 - - leaq 16(%rsp),%rsp - -L$neg_epilogue: - ret - - - - - @@ -95,6 +23,7 @@ L$neg_epilogue: .private_extern _ecp_nistz256_ord_mul_mont_nohw .p2align 5 +.alt_entry _ecp_nistz256_ord_mul_mont_nohw _ecp_nistz256_ord_mul_mont_nohw: _CET_ENDBR @@ -419,6 +348,7 @@ L$ord_mul_epilogue: .private_extern _ecp_nistz256_ord_sqr_mont_nohw .p2align 5 +.alt_entry _ecp_nistz256_ord_sqr_mont_nohw _ecp_nistz256_ord_sqr_mont_nohw: _CET_ENDBR @@ -707,6 +637,7 @@ L$ord_sqr_epilogue: .private_extern _ecp_nistz256_ord_mul_mont_adx .p2align 5 +.alt_entry _ecp_nistz256_ord_mul_mont_adx _ecp_nistz256_ord_mul_mont_adx: L$ecp_nistz256_ord_mul_mont_adx: 
@@ -946,6 +877,7 @@ L$ord_mulx_epilogue: .private_extern _ecp_nistz256_ord_sqr_mont_adx .p2align 5 +.alt_entry _ecp_nistz256_ord_sqr_mont_adx _ecp_nistz256_ord_sqr_mont_adx: _CET_ENDBR 
@@ -1152,3362 +1084,4 @@ L$ord_sqrx_epilogue: ret - - - - - - -.globl _ecp_nistz256_mul_mont_nohw -.private_extern _ecp_nistz256_mul_mont_nohw - -.p2align 5 -_ecp_nistz256_mul_mont_nohw: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - -L$mul_body: - movq %rdx,%rbx - movq 0(%rdx),%rax - movq 0(%rsi),%r9 - movq 8(%rsi),%r10 - movq 16(%rsi),%r11 - movq 24(%rsi),%r12 - - call __ecp_nistz256_mul_montq - - movq 0(%rsp),%r15 - - movq 8(%rsp),%r14 - - movq 16(%rsp),%r13 - - movq 24(%rsp),%r12 - - movq 32(%rsp),%rbx - - movq 40(%rsp),%rbp - - leaq 48(%rsp),%rsp - -L$mul_epilogue: - ret - - - - -.p2align 5 -__ecp_nistz256_mul_montq: - - - - movq %rax,%rbp - mulq %r9 - movq L$poly+8(%rip),%r14 - movq %rax,%r8 - movq %rbp,%rax - movq %rdx,%r9 - - mulq %r10 - movq L$poly+24(%rip),%r15 - addq %rax,%r9 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%r10 - - mulq %r11 - addq %rax,%r10 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%r11 - - mulq %r12 - addq %rax,%r11 - movq %r8,%rax - adcq $0,%rdx - xorq %r13,%r13 - movq %rdx,%r12 - - - - - - - - - - - movq %r8,%rbp - shlq $32,%r8 - mulq %r15 - shrq $32,%rbp - addq %r8,%r9 - adcq %rbp,%r10 - adcq %rax,%r11 - movq 8(%rbx),%rax - adcq %rdx,%r12 - adcq $0,%r13 - xorq %r8,%r8 - - - - movq %rax,%rbp - mulq 0(%rsi) - addq %rax,%r9 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 8(%rsi) - addq %rcx,%r10 - adcq $0,%rdx - addq %rax,%r10 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 16(%rsi) - addq %rcx,%r11 - adcq $0,%rdx - addq %rax,%r11 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 24(%rsi) - addq %rcx,%r12 - adcq $0,%rdx - addq %rax,%r12 - movq %r9,%rax - adcq %rdx,%r13 - adcq $0,%r8 - - - - movq %r9,%rbp - shlq $32,%r9 - mulq %r15 - shrq $32,%rbp - addq %r9,%r10 - adcq %rbp,%r11 - adcq %rax,%r12 - movq 16(%rbx),%rax - adcq %rdx,%r13 - adcq $0,%r8 - xorq %r9,%r9 - - - - movq %rax,%rbp - mulq 0(%rsi) - addq %rax,%r10 - movq %rbp,%rax - adcq $0,%rdx - movq 
%rdx,%rcx - - mulq 8(%rsi) - addq %rcx,%r11 - adcq $0,%rdx - addq %rax,%r11 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 16(%rsi) - addq %rcx,%r12 - adcq $0,%rdx - addq %rax,%r12 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 24(%rsi) - addq %rcx,%r13 - adcq $0,%rdx - addq %rax,%r13 - movq %r10,%rax - adcq %rdx,%r8 - adcq $0,%r9 - - - - movq %r10,%rbp - shlq $32,%r10 - mulq %r15 - shrq $32,%rbp - addq %r10,%r11 - adcq %rbp,%r12 - adcq %rax,%r13 - movq 24(%rbx),%rax - adcq %rdx,%r8 - adcq $0,%r9 - xorq %r10,%r10 - - - - movq %rax,%rbp - mulq 0(%rsi) - addq %rax,%r11 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 8(%rsi) - addq %rcx,%r12 - adcq $0,%rdx - addq %rax,%r12 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 16(%rsi) - addq %rcx,%r13 - adcq $0,%rdx - addq %rax,%r13 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 24(%rsi) - addq %rcx,%r8 - adcq $0,%rdx - addq %rax,%r8 - movq %r11,%rax - adcq %rdx,%r9 - adcq $0,%r10 - - - - movq %r11,%rbp - shlq $32,%r11 - mulq %r15 - shrq $32,%rbp - addq %r11,%r12 - adcq %rbp,%r13 - movq %r12,%rcx - adcq %rax,%r8 - adcq %rdx,%r9 - movq %r13,%rbp - adcq $0,%r10 - - - - subq $-1,%r12 - movq %r8,%rbx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%rdx - sbbq %r15,%r9 - sbbq $0,%r10 - - cmovcq %rcx,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rbx,%r8 - movq %r13,8(%rdi) - cmovcq %rdx,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - - - - - - - - - -.globl _ecp_nistz256_sqr_mont_nohw -.private_extern _ecp_nistz256_sqr_mont_nohw - -.p2align 5 -_ecp_nistz256_sqr_mont_nohw: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - -L$sqr_body: - movq 0(%rsi),%rax - movq 8(%rsi),%r14 - movq 16(%rsi),%r15 - movq 24(%rsi),%r8 - - call __ecp_nistz256_sqr_montq - - movq 0(%rsp),%r15 - - movq 8(%rsp),%r14 - - movq 16(%rsp),%r13 - - movq 24(%rsp),%r12 - - movq 32(%rsp),%rbx - - movq 40(%rsp),%rbp - - leaq 48(%rsp),%rsp - 
-L$sqr_epilogue: - ret - - - - -.p2align 5 -__ecp_nistz256_sqr_montq: - - movq %rax,%r13 - mulq %r14 - movq %rax,%r9 - movq %r15,%rax - movq %rdx,%r10 - - mulq %r13 - addq %rax,%r10 - movq %r8,%rax - adcq $0,%rdx - movq %rdx,%r11 - - mulq %r13 - addq %rax,%r11 - movq %r15,%rax - adcq $0,%rdx - movq %rdx,%r12 - - - mulq %r14 - addq %rax,%r11 - movq %r8,%rax - adcq $0,%rdx - movq %rdx,%rbp - - mulq %r14 - addq %rax,%r12 - movq %r8,%rax - adcq $0,%rdx - addq %rbp,%r12 - movq %rdx,%r13 - adcq $0,%r13 - - - mulq %r15 - xorq %r15,%r15 - addq %rax,%r13 - movq 0(%rsi),%rax - movq %rdx,%r14 - adcq $0,%r14 - - addq %r9,%r9 - adcq %r10,%r10 - adcq %r11,%r11 - adcq %r12,%r12 - adcq %r13,%r13 - adcq %r14,%r14 - adcq $0,%r15 - - mulq %rax - movq %rax,%r8 - movq 8(%rsi),%rax - movq %rdx,%rcx - - mulq %rax - addq %rcx,%r9 - adcq %rax,%r10 - movq 16(%rsi),%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq %rax - addq %rcx,%r11 - adcq %rax,%r12 - movq 24(%rsi),%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq %rax - addq %rcx,%r13 - adcq %rax,%r14 - movq %r8,%rax - adcq %rdx,%r15 - - movq L$poly+8(%rip),%rsi - movq L$poly+24(%rip),%rbp - - - - - movq %r8,%rcx - shlq $32,%r8 - mulq %rbp - shrq $32,%rcx - addq %r8,%r9 - adcq %rcx,%r10 - adcq %rax,%r11 - movq %r9,%rax - adcq $0,%rdx - - - - movq %r9,%rcx - shlq $32,%r9 - movq %rdx,%r8 - mulq %rbp - shrq $32,%rcx - addq %r9,%r10 - adcq %rcx,%r11 - adcq %rax,%r8 - movq %r10,%rax - adcq $0,%rdx - - - - movq %r10,%rcx - shlq $32,%r10 - movq %rdx,%r9 - mulq %rbp - shrq $32,%rcx - addq %r10,%r11 - adcq %rcx,%r8 - adcq %rax,%r9 - movq %r11,%rax - adcq $0,%rdx - - - - movq %r11,%rcx - shlq $32,%r11 - movq %rdx,%r10 - mulq %rbp - shrq $32,%rcx - addq %r11,%r8 - adcq %rcx,%r9 - adcq %rax,%r10 - adcq $0,%rdx - xorq %r11,%r11 - - - - addq %r8,%r12 - adcq %r9,%r13 - movq %r12,%r8 - adcq %r10,%r14 - adcq %rdx,%r15 - movq %r13,%r9 - adcq $0,%r11 - - subq $-1,%r12 - movq %r14,%r10 - sbbq %rsi,%r13 - sbbq $0,%r14 - movq %r15,%rcx - sbbq %rbp,%r15 - sbbq $0,%r11 
- - cmovcq %r8,%r12 - cmovcq %r9,%r13 - movq %r12,0(%rdi) - cmovcq %r10,%r14 - movq %r13,8(%rdi) - cmovcq %rcx,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - - ret - - -.globl _ecp_nistz256_mul_mont_adx -.private_extern _ecp_nistz256_mul_mont_adx - -.p2align 5 -_ecp_nistz256_mul_mont_adx: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - -L$mulx_body: - movq %rdx,%rbx - movq 0(%rdx),%rdx - movq 0(%rsi),%r9 - movq 8(%rsi),%r10 - movq 16(%rsi),%r11 - movq 24(%rsi),%r12 - leaq -128(%rsi),%rsi - - call __ecp_nistz256_mul_montx - - movq 0(%rsp),%r15 - - movq 8(%rsp),%r14 - - movq 16(%rsp),%r13 - - movq 24(%rsp),%r12 - - movq 32(%rsp),%rbx - - movq 40(%rsp),%rbp - - leaq 48(%rsp),%rsp - -L$mulx_epilogue: - ret - - - - -.p2align 5 -__ecp_nistz256_mul_montx: - - - - mulxq %r9,%r8,%r9 - mulxq %r10,%rcx,%r10 - movq $32,%r14 - xorq %r13,%r13 - mulxq %r11,%rbp,%r11 - movq L$poly+24(%rip),%r15 - adcq %rcx,%r9 - mulxq %r12,%rcx,%r12 - movq %r8,%rdx - adcq %rbp,%r10 - shlxq %r14,%r8,%rbp - adcq %rcx,%r11 - shrxq %r14,%r8,%rcx - adcq $0,%r12 - - - - addq %rbp,%r9 - adcq %rcx,%r10 - - mulxq %r15,%rcx,%rbp - movq 8(%rbx),%rdx - adcq %rcx,%r11 - adcq %rbp,%r12 - adcq $0,%r13 - xorq %r8,%r8 - - - - mulxq 0+128(%rsi),%rcx,%rbp - adcxq %rcx,%r9 - adoxq %rbp,%r10 - - mulxq 8+128(%rsi),%rcx,%rbp - adcxq %rcx,%r10 - adoxq %rbp,%r11 - - mulxq 16+128(%rsi),%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq 24+128(%rsi),%rcx,%rbp - movq %r9,%rdx - adcxq %rcx,%r12 - shlxq %r14,%r9,%rcx - adoxq %rbp,%r13 - shrxq %r14,%r9,%rbp - - adcxq %r8,%r13 - adoxq %r8,%r8 - adcq $0,%r8 - - - - addq %rcx,%r10 - adcq %rbp,%r11 - - mulxq %r15,%rcx,%rbp - movq 16(%rbx),%rdx - adcq %rcx,%r12 - adcq %rbp,%r13 - adcq $0,%r8 - xorq %r9,%r9 - - - - mulxq 0+128(%rsi),%rcx,%rbp - adcxq %rcx,%r10 - adoxq %rbp,%r11 - - mulxq 8+128(%rsi),%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq 16+128(%rsi),%rcx,%rbp - adcxq %rcx,%r12 - adoxq %rbp,%r13 - - mulxq 
24+128(%rsi),%rcx,%rbp - movq %r10,%rdx - adcxq %rcx,%r13 - shlxq %r14,%r10,%rcx - adoxq %rbp,%r8 - shrxq %r14,%r10,%rbp - - adcxq %r9,%r8 - adoxq %r9,%r9 - adcq $0,%r9 - - - - addq %rcx,%r11 - adcq %rbp,%r12 - - mulxq %r15,%rcx,%rbp - movq 24(%rbx),%rdx - adcq %rcx,%r13 - adcq %rbp,%r8 - adcq $0,%r9 - xorq %r10,%r10 - - - - mulxq 0+128(%rsi),%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq 8+128(%rsi),%rcx,%rbp - adcxq %rcx,%r12 - adoxq %rbp,%r13 - - mulxq 16+128(%rsi),%rcx,%rbp - adcxq %rcx,%r13 - adoxq %rbp,%r8 - - mulxq 24+128(%rsi),%rcx,%rbp - movq %r11,%rdx - adcxq %rcx,%r8 - shlxq %r14,%r11,%rcx - adoxq %rbp,%r9 - shrxq %r14,%r11,%rbp - - adcxq %r10,%r9 - adoxq %r10,%r10 - adcq $0,%r10 - - - - addq %rcx,%r12 - adcq %rbp,%r13 - - mulxq %r15,%rcx,%rbp - movq %r12,%rbx - movq L$poly+8(%rip),%r14 - adcq %rcx,%r8 - movq %r13,%rdx - adcq %rbp,%r9 - adcq $0,%r10 - - - - xorl %eax,%eax - movq %r8,%rcx - sbbq $-1,%r12 - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%rbp - sbbq %r15,%r9 - sbbq $0,%r10 - - cmovcq %rbx,%r12 - cmovcq %rdx,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %rbp,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - - -.globl _ecp_nistz256_sqr_mont_adx -.private_extern _ecp_nistz256_sqr_mont_adx - -.p2align 5 -_ecp_nistz256_sqr_mont_adx: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - -L$sqrx_body: - movq 0(%rsi),%rdx - movq 8(%rsi),%r14 - movq 16(%rsi),%r15 - movq 24(%rsi),%r8 - leaq -128(%rsi),%rsi - - call __ecp_nistz256_sqr_montx - - movq 0(%rsp),%r15 - - movq 8(%rsp),%r14 - - movq 16(%rsp),%r13 - - movq 24(%rsp),%r12 - - movq 32(%rsp),%rbx - - movq 40(%rsp),%rbp - - leaq 48(%rsp),%rsp - -L$sqrx_epilogue: - ret - - - - -.p2align 5 -__ecp_nistz256_sqr_montx: - - mulxq %r14,%r9,%r10 - mulxq %r15,%rcx,%r11 - xorl %eax,%eax - adcq %rcx,%r10 - mulxq %r8,%rbp,%r12 - movq %r14,%rdx - adcq %rbp,%r11 - adcq $0,%r12 - xorq %r13,%r13 - - - mulxq %r15,%rcx,%rbp - adcxq 
%rcx,%r11 - adoxq %rbp,%r12 - - mulxq %r8,%rcx,%rbp - movq %r15,%rdx - adcxq %rcx,%r12 - adoxq %rbp,%r13 - adcq $0,%r13 - - - mulxq %r8,%rcx,%r14 - movq 0+128(%rsi),%rdx - xorq %r15,%r15 - adcxq %r9,%r9 - adoxq %rcx,%r13 - adcxq %r10,%r10 - adoxq %r15,%r14 - - mulxq %rdx,%r8,%rbp - movq 8+128(%rsi),%rdx - adcxq %r11,%r11 - adoxq %rbp,%r9 - adcxq %r12,%r12 - mulxq %rdx,%rcx,%rax - movq 16+128(%rsi),%rdx - adcxq %r13,%r13 - adoxq %rcx,%r10 - adcxq %r14,%r14 -.byte 0x67 - mulxq %rdx,%rcx,%rbp - movq 24+128(%rsi),%rdx - adoxq %rax,%r11 - adcxq %r15,%r15 - adoxq %rcx,%r12 - movq $32,%rsi - adoxq %rbp,%r13 -.byte 0x67,0x67 - mulxq %rdx,%rcx,%rax - movq L$poly+24(%rip),%rdx - adoxq %rcx,%r14 - shlxq %rsi,%r8,%rcx - adoxq %rax,%r15 - shrxq %rsi,%r8,%rax - movq %rdx,%rbp - - - addq %rcx,%r9 - adcq %rax,%r10 - - mulxq %r8,%rcx,%r8 - adcq %rcx,%r11 - shlxq %rsi,%r9,%rcx - adcq $0,%r8 - shrxq %rsi,%r9,%rax - - - addq %rcx,%r10 - adcq %rax,%r11 - - mulxq %r9,%rcx,%r9 - adcq %rcx,%r8 - shlxq %rsi,%r10,%rcx - adcq $0,%r9 - shrxq %rsi,%r10,%rax - - - addq %rcx,%r11 - adcq %rax,%r8 - - mulxq %r10,%rcx,%r10 - adcq %rcx,%r9 - shlxq %rsi,%r11,%rcx - adcq $0,%r10 - shrxq %rsi,%r11,%rax - - - addq %rcx,%r8 - adcq %rax,%r9 - - mulxq %r11,%rcx,%r11 - adcq %rcx,%r10 - adcq $0,%r11 - - xorq %rdx,%rdx - addq %r8,%r12 - movq L$poly+8(%rip),%rsi - adcq %r9,%r13 - movq %r12,%r8 - adcq %r10,%r14 - adcq %r11,%r15 - movq %r13,%r9 - adcq $0,%rdx - - subq $-1,%r12 - movq %r14,%r10 - sbbq %rsi,%r13 - sbbq $0,%r14 - movq %r15,%r11 - sbbq %rbp,%r15 - sbbq $0,%rdx - - cmovcq %r8,%r12 - cmovcq %r9,%r13 - movq %r12,0(%rdi) - cmovcq %r10,%r14 - movq %r13,8(%rdi) - cmovcq %r11,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - - ret - - - - -.globl _ecp_nistz256_select_w5_nohw -.private_extern _ecp_nistz256_select_w5_nohw - -.p2align 5 -_ecp_nistz256_select_w5_nohw: - -_CET_ENDBR - movdqa L$One(%rip),%xmm0 - movd %edx,%xmm1 - - pxor %xmm2,%xmm2 - pxor %xmm3,%xmm3 - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 - pxor 
%xmm6,%xmm6 - pxor %xmm7,%xmm7 - - movdqa %xmm0,%xmm8 - pshufd $0,%xmm1,%xmm1 - - movq $16,%rax -L$select_loop_sse_w5: - - movdqa %xmm8,%xmm15 - paddd %xmm0,%xmm8 - pcmpeqd %xmm1,%xmm15 - - movdqa 0(%rsi),%xmm9 - movdqa 16(%rsi),%xmm10 - movdqa 32(%rsi),%xmm11 - movdqa 48(%rsi),%xmm12 - movdqa 64(%rsi),%xmm13 - movdqa 80(%rsi),%xmm14 - leaq 96(%rsi),%rsi - - pand %xmm15,%xmm9 - pand %xmm15,%xmm10 - por %xmm9,%xmm2 - pand %xmm15,%xmm11 - por %xmm10,%xmm3 - pand %xmm15,%xmm12 - por %xmm11,%xmm4 - pand %xmm15,%xmm13 - por %xmm12,%xmm5 - pand %xmm15,%xmm14 - por %xmm13,%xmm6 - por %xmm14,%xmm7 - - decq %rax - jnz L$select_loop_sse_w5 - - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - movdqu %xmm4,32(%rdi) - movdqu %xmm5,48(%rdi) - movdqu %xmm6,64(%rdi) - movdqu %xmm7,80(%rdi) - ret - -L$SEH_end_ecp_nistz256_select_w5_nohw: - - - - -.globl _ecp_nistz256_select_w7_nohw -.private_extern _ecp_nistz256_select_w7_nohw - -.p2align 5 -_ecp_nistz256_select_w7_nohw: - -_CET_ENDBR - movdqa L$One(%rip),%xmm8 - movd %edx,%xmm1 - - pxor %xmm2,%xmm2 - pxor %xmm3,%xmm3 - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 - - movdqa %xmm8,%xmm0 - pshufd $0,%xmm1,%xmm1 - movq $64,%rax - -L$select_loop_sse_w7: - movdqa %xmm8,%xmm15 - paddd %xmm0,%xmm8 - movdqa 0(%rsi),%xmm9 - movdqa 16(%rsi),%xmm10 - pcmpeqd %xmm1,%xmm15 - movdqa 32(%rsi),%xmm11 - movdqa 48(%rsi),%xmm12 - leaq 64(%rsi),%rsi - - pand %xmm15,%xmm9 - pand %xmm15,%xmm10 - por %xmm9,%xmm2 - pand %xmm15,%xmm11 - por %xmm10,%xmm3 - pand %xmm15,%xmm12 - por %xmm11,%xmm4 - prefetcht0 255(%rsi) - por %xmm12,%xmm5 - - decq %rax - jnz L$select_loop_sse_w7 - - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - movdqu %xmm4,32(%rdi) - movdqu %xmm5,48(%rdi) - ret - -L$SEH_end_ecp_nistz256_select_w7_nohw: - - - -.globl _ecp_nistz256_select_w5_avx2 -.private_extern _ecp_nistz256_select_w5_avx2 - -.p2align 5 -_ecp_nistz256_select_w5_avx2: - -_CET_ENDBR - vzeroupper - vmovdqa L$Two(%rip),%ymm0 - - vpxor %ymm2,%ymm2,%ymm2 - vpxor %ymm3,%ymm3,%ymm3 - vpxor 
%ymm4,%ymm4,%ymm4 - - vmovdqa L$One(%rip),%ymm5 - vmovdqa L$Two(%rip),%ymm10 - - vmovd %edx,%xmm1 - vpermd %ymm1,%ymm2,%ymm1 - - movq $8,%rax -L$select_loop_avx2_w5: - - vmovdqa 0(%rsi),%ymm6 - vmovdqa 32(%rsi),%ymm7 - vmovdqa 64(%rsi),%ymm8 - - vmovdqa 96(%rsi),%ymm11 - vmovdqa 128(%rsi),%ymm12 - vmovdqa 160(%rsi),%ymm13 - - vpcmpeqd %ymm1,%ymm5,%ymm9 - vpcmpeqd %ymm1,%ymm10,%ymm14 - - vpaddd %ymm0,%ymm5,%ymm5 - vpaddd %ymm0,%ymm10,%ymm10 - leaq 192(%rsi),%rsi - - vpand %ymm9,%ymm6,%ymm6 - vpand %ymm9,%ymm7,%ymm7 - vpand %ymm9,%ymm8,%ymm8 - vpand %ymm14,%ymm11,%ymm11 - vpand %ymm14,%ymm12,%ymm12 - vpand %ymm14,%ymm13,%ymm13 - - vpxor %ymm6,%ymm2,%ymm2 - vpxor %ymm7,%ymm3,%ymm3 - vpxor %ymm8,%ymm4,%ymm4 - vpxor %ymm11,%ymm2,%ymm2 - vpxor %ymm12,%ymm3,%ymm3 - vpxor %ymm13,%ymm4,%ymm4 - - decq %rax - jnz L$select_loop_avx2_w5 - - vmovdqu %ymm2,0(%rdi) - vmovdqu %ymm3,32(%rdi) - vmovdqu %ymm4,64(%rdi) - vzeroupper - ret - -L$SEH_end_ecp_nistz256_select_w5_avx2: - - - - -.globl _ecp_nistz256_select_w7_avx2 -.private_extern _ecp_nistz256_select_w7_avx2 - -.p2align 5 -_ecp_nistz256_select_w7_avx2: - -_CET_ENDBR - vzeroupper - vmovdqa L$Three(%rip),%ymm0 - - vpxor %ymm2,%ymm2,%ymm2 - vpxor %ymm3,%ymm3,%ymm3 - - vmovdqa L$One(%rip),%ymm4 - vmovdqa L$Two(%rip),%ymm8 - vmovdqa L$Three(%rip),%ymm12 - - vmovd %edx,%xmm1 - vpermd %ymm1,%ymm2,%ymm1 - - - movq $21,%rax -L$select_loop_avx2_w7: - - vmovdqa 0(%rsi),%ymm5 - vmovdqa 32(%rsi),%ymm6 - - vmovdqa 64(%rsi),%ymm9 - vmovdqa 96(%rsi),%ymm10 - - vmovdqa 128(%rsi),%ymm13 - vmovdqa 160(%rsi),%ymm14 - - vpcmpeqd %ymm1,%ymm4,%ymm7 - vpcmpeqd %ymm1,%ymm8,%ymm11 - vpcmpeqd %ymm1,%ymm12,%ymm15 - - vpaddd %ymm0,%ymm4,%ymm4 - vpaddd %ymm0,%ymm8,%ymm8 - vpaddd %ymm0,%ymm12,%ymm12 - leaq 192(%rsi),%rsi - - vpand %ymm7,%ymm5,%ymm5 - vpand %ymm7,%ymm6,%ymm6 - vpand %ymm11,%ymm9,%ymm9 - vpand %ymm11,%ymm10,%ymm10 - vpand %ymm15,%ymm13,%ymm13 - vpand %ymm15,%ymm14,%ymm14 - - vpxor %ymm5,%ymm2,%ymm2 - vpxor %ymm6,%ymm3,%ymm3 - vpxor 
%ymm9,%ymm2,%ymm2 - vpxor %ymm10,%ymm3,%ymm3 - vpxor %ymm13,%ymm2,%ymm2 - vpxor %ymm14,%ymm3,%ymm3 - - decq %rax - jnz L$select_loop_avx2_w7 - - - vmovdqa 0(%rsi),%ymm5 - vmovdqa 32(%rsi),%ymm6 - - vpcmpeqd %ymm1,%ymm4,%ymm7 - - vpand %ymm7,%ymm5,%ymm5 - vpand %ymm7,%ymm6,%ymm6 - - vpxor %ymm5,%ymm2,%ymm2 - vpxor %ymm6,%ymm3,%ymm3 - - vmovdqu %ymm2,0(%rdi) - vmovdqu %ymm3,32(%rdi) - vzeroupper - ret - -L$SEH_end_ecp_nistz256_select_w7_avx2: - - -.p2align 5 -__ecp_nistz256_add_toq: - - xorq %r11,%r11 - addq 0(%rbx),%r12 - adcq 8(%rbx),%r13 - movq %r12,%rax - adcq 16(%rbx),%r8 - adcq 24(%rbx),%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - - - -.p2align 5 -__ecp_nistz256_sub_fromq: - - subq 0(%rbx),%r12 - sbbq 8(%rbx),%r13 - movq %r12,%rax - sbbq 16(%rbx),%r8 - sbbq 24(%rbx),%r9 - movq %r13,%rbp - sbbq %r11,%r11 - - addq $-1,%r12 - movq %r8,%rcx - adcq %r14,%r13 - adcq $0,%r8 - movq %r9,%r10 - adcq %r15,%r9 - testq %r11,%r11 - - cmovzq %rax,%r12 - cmovzq %rbp,%r13 - movq %r12,0(%rdi) - cmovzq %rcx,%r8 - movq %r13,8(%rdi) - cmovzq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - - - -.p2align 5 -__ecp_nistz256_subq: - - subq %r12,%rax - sbbq %r13,%rbp - movq %rax,%r12 - sbbq %r8,%rcx - sbbq %r9,%r10 - movq %rbp,%r13 - sbbq %r11,%r11 - - addq $-1,%rax - movq %rcx,%r8 - adcq %r14,%rbp - adcq $0,%rcx - movq %r10,%r9 - adcq %r15,%r10 - testq %r11,%r11 - - cmovnzq %rax,%r12 - cmovnzq %rbp,%r13 - cmovnzq %rcx,%r8 - cmovnzq %r10,%r9 - - ret - - - - -.p2align 5 -__ecp_nistz256_mul_by_2q: - - xorq %r11,%r11 - addq %r12,%r12 - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - 
sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - -.globl _ecp_nistz256_point_double_nohw -.private_extern _ecp_nistz256_point_double_nohw - -.p2align 5 -_ecp_nistz256_point_double_nohw: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - - subq $160+8,%rsp - -L$point_doubleq_body: - -L$point_double_shortcutq: - movdqu 0(%rsi),%xmm0 - movq %rsi,%rbx - movdqu 16(%rsi),%xmm1 - movq 32+0(%rsi),%r12 - movq 32+8(%rsi),%r13 - movq 32+16(%rsi),%r8 - movq 32+24(%rsi),%r9 - movq L$poly+8(%rip),%r14 - movq L$poly+24(%rip),%r15 - movdqa %xmm0,96(%rsp) - movdqa %xmm1,96+16(%rsp) - leaq 32(%rdi),%r10 - leaq 64(%rdi),%r11 - movq %rdi,%xmm0 - movq %r10,%xmm1 - movq %r11,%xmm2 - - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_by_2q - - movq 64+0(%rsi),%rax - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - leaq 64-0(%rsi),%rsi - leaq 64(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 0+0(%rsp),%rax - movq 8+0(%rsp),%r14 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 0(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 32(%rbx),%rax - movq 64+0(%rbx),%r9 - movq 64+8(%rbx),%r10 - movq 64+16(%rbx),%r11 - movq 64+24(%rbx),%r12 - leaq 64-0(%rbx),%rsi - leaq 32(%rbx),%rbx - movq %xmm2,%rdi - call __ecp_nistz256_mul_montq - call __ecp_nistz256_mul_by_2q - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_toq - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 0+0(%rsp),%rax - movq 8+0(%rsp),%r14 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - movq %xmm1,%rdi - call __ecp_nistz256_sqr_montq - 
xorq %r9,%r9 - movq %r12,%rax - addq $-1,%r12 - movq %r13,%r10 - adcq %rsi,%r13 - movq %r14,%rcx - adcq $0,%r14 - movq %r15,%r8 - adcq %rbp,%r15 - adcq $0,%r9 - xorq %rsi,%rsi - testq $1,%rax - - cmovzq %rax,%r12 - cmovzq %r10,%r13 - cmovzq %rcx,%r14 - cmovzq %r8,%r15 - cmovzq %rsi,%r9 - - movq %r13,%rax - shrq $1,%r12 - shlq $63,%rax - movq %r14,%r10 - shrq $1,%r13 - orq %rax,%r12 - shlq $63,%r10 - movq %r15,%rcx - shrq $1,%r14 - orq %r10,%r13 - shlq $63,%rcx - movq %r12,0(%rdi) - shrq $1,%r15 - movq %r13,8(%rdi) - shlq $63,%r9 - orq %rcx,%r14 - orq %r9,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - movq 64(%rsp),%rax - leaq 64(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2q - - leaq 32(%rsp),%rbx - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_toq - - movq 96(%rsp),%rax - leaq 96(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2q - - movq 0+32(%rsp),%rax - movq 8+32(%rsp),%r14 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r15 - movq 24+32(%rsp),%r8 - movq %xmm0,%rdi - call __ecp_nistz256_sqr_montq - - leaq 128(%rsp),%rbx - movq %r14,%r8 - movq %r15,%r9 - movq %rsi,%r14 - movq %rbp,%r15 - call __ecp_nistz256_sub_fromq - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 0(%rsp),%rdi - call __ecp_nistz256_subq - - movq 32(%rsp),%rax - leaq 32(%rsp),%rbx - movq %r12,%r14 - xorl %ecx,%ecx - movq %r12,0+0(%rsp) - movq %r13,%r10 - movq %r13,0+8(%rsp) - cmovzq %r8,%r11 - movq %r8,0+16(%rsp) - leaq 0-0(%rsp),%rsi - cmovzq %r9,%r12 - movq %r9,0+24(%rsp) - movq %r14,%r9 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq %xmm1,%rbx - movq %xmm1,%rdi - call 
__ecp_nistz256_sub_fromq - - leaq 160+56(%rsp),%rsi - - movq -48(%rsi),%r15 - - movq -40(%rsi),%r14 - - movq -32(%rsi),%r13 - - movq -24(%rsi),%r12 - - movq -16(%rsi),%rbx - - movq -8(%rsi),%rbp - - leaq (%rsi),%rsp - -L$point_doubleq_epilogue: - ret - - -.globl _ecp_nistz256_point_add_nohw -.private_extern _ecp_nistz256_point_add_nohw - -.p2align 5 -_ecp_nistz256_point_add_nohw: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - - subq $576+8,%rsp - -L$point_addq_body: - - movdqu 0(%rsi),%xmm0 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq %rsi,%rbx - movq %rdx,%rsi - movdqa %xmm0,384(%rsp) - movdqa %xmm1,384+16(%rsp) - movdqa %xmm2,416(%rsp) - movdqa %xmm3,416+16(%rsp) - movdqa %xmm4,448(%rsp) - movdqa %xmm5,448+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rsi),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rsi),%xmm3 - movq 64+0(%rsi),%rax - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,480(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,480+16(%rsp) - movdqu 64(%rsi),%xmm0 - movdqu 80(%rsi),%xmm1 - movdqa %xmm2,512(%rsp) - movdqa %xmm3,512+16(%rsp) - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm0,%xmm1 - movq %rdi,%xmm0 - - leaq 64-0(%rsi),%rsi - movq %rax,544+0(%rsp) - movq %r14,544+8(%rsp) - movq %r15,544+16(%rsp) - movq %r8,544+24(%rsp) - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm1,%xmm4 - por %xmm1,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - movq 64+0(%rbx),%rax - movq 64+8(%rbx),%r14 - movq 64+16(%rbx),%r15 - movq 64+24(%rbx),%r8 - movq %rbx,%xmm1 - - leaq 64-0(%rbx),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 544(%rsp),%rax - leaq 544(%rsp),%rbx - movq 
0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq 0+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 448(%rsp),%rax - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 416(%rsp),%rax - leaq 416(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq 0+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 512(%rsp),%rax - leaq 512(%rsp),%rbx - movq 0+256(%rsp),%r9 - movq 8+256(%rsp),%r10 - leaq 0+256(%rsp),%rsi - movq 16+256(%rsp),%r11 - movq 24+256(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 224(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - orq %r13,%r12 - movdqa %xmm4,%xmm2 - orq %r8,%r12 - orq %r9,%r12 - por %xmm5,%xmm2 - movq %r12,%xmm3 - - movq 384(%rsp),%rax - leaq 384(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq 0+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 480(%rsp),%rax - leaq 480(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 160(%rsp),%rbx - leaq 0(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - orq %r13,%r12 - orq %r8,%r12 - orq %r9,%r12 - - movq %xmm2,%r8 - movq %xmm3,%r9 - orq %r8,%r12 -.byte 0x3e - jnz L$add_proceedq - - - - testq %r9,%r9 - jz L$add_doubleq - - - - - - - movq %xmm0,%rdi - pxor %xmm0,%xmm0 - movdqu %xmm0,0(%rdi) - movdqu %xmm0,16(%rdi) - movdqu %xmm0,32(%rdi) - movdqu %xmm0,48(%rdi) - movdqu %xmm0,64(%rdi) - movdqu %xmm0,80(%rdi) - jmp L$add_doneq - -.p2align 5 -L$add_doubleq: - movq %xmm1,%rsi - movq %xmm0,%rdi - addq $416,%rsp - - jmp 
L$point_double_shortcutq - - -.p2align 5 -L$add_proceedq: - movq 0+64(%rsp),%rax - movq 8+64(%rsp),%r14 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 448(%rsp),%rax - leaq 448(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 0+0(%rsp),%rax - movq 8+0(%rsp),%r14 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 544(%rsp),%rax - leaq 544(%rsp),%rbx - movq 0+352(%rsp),%r9 - movq 8+352(%rsp),%r10 - leaq 0+352(%rsp),%rsi - movq 16+352(%rsp),%r11 - movq 24+352(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 0(%rsp),%rax - leaq 0(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 160(%rsp),%rax - leaq 160(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montq - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 96(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subq - - leaq 128(%rsp),%rbx - leaq 288(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 192+0(%rsp),%rax - movq 192+8(%rsp),%rbp - movq 192+16(%rsp),%rcx - movq 192+24(%rsp),%r10 - leaq 320(%rsp),%rdi - - call __ecp_nistz256_subq - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq 
%r8,16(%rdi) - movq %r9,24(%rdi) - movq 128(%rsp),%rax - leaq 128(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq 0+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 320(%rsp),%rax - leaq 320(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 320(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 256(%rsp),%rbx - leaq 320(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 352(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 352+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 544(%rsp),%xmm2 - pand 544+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 480(%rsp),%xmm2 - pand 480+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 320(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 320+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 512(%rsp),%xmm2 - pand 512+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu 
%xmm3,48(%rdi) - -L$add_doneq: - leaq 576+56(%rsp),%rsi - - movq -48(%rsi),%r15 - - movq -40(%rsi),%r14 - - movq -32(%rsi),%r13 - - movq -24(%rsi),%r12 - - movq -16(%rsi),%rbx - - movq -8(%rsi),%rbp - - leaq (%rsi),%rsp - -L$point_addq_epilogue: - ret - - -.globl _ecp_nistz256_point_add_affine_nohw -.private_extern _ecp_nistz256_point_add_affine_nohw - -.p2align 5 -_ecp_nistz256_point_add_affine_nohw: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - - subq $480+8,%rsp - -L$add_affineq_body: - - movdqu 0(%rsi),%xmm0 - movq %rdx,%rbx - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq 64+0(%rsi),%rax - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,320(%rsp) - movdqa %xmm1,320+16(%rsp) - movdqa %xmm2,352(%rsp) - movdqa %xmm3,352+16(%rsp) - movdqa %xmm4,384(%rsp) - movdqa %xmm5,384+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rbx),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rbx),%xmm1 - movdqu 32(%rbx),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rbx),%xmm3 - movdqa %xmm0,416(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,416+16(%rsp) - por %xmm0,%xmm1 - movq %rdi,%xmm0 - movdqa %xmm2,448(%rsp) - movdqa %xmm3,448+16(%rsp) - por %xmm2,%xmm3 - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm1,%xmm3 - - leaq 64-0(%rsi),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm3,%xmm4 - movq 0(%rbx),%rax - - movq %r12,%r9 - por %xmm3,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - movq %r13,%r10 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - movq %r14,%r11 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - - leaq 32-0(%rsp),%rsi - movq %r15,%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 320(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 384(%rsp),%rax - leaq 384(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 
0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 384(%rsp),%rax - leaq 384(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 288(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 448(%rsp),%rax - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 352(%rsp),%rbx - leaq 96(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 0+64(%rsp),%rax - movq 8+64(%rsp),%r14 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 128(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 0+96(%rsp),%rax - movq 8+96(%rsp),%r14 - leaq 0+96(%rsp),%rsi - movq 16+96(%rsp),%r15 - movq 24+96(%rsp),%r8 - leaq 192(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 128(%rsp),%rax - leaq 128(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 320(%rsp),%rax - leaq 320(%rsp),%rbx - movq 0+128(%rsp),%r9 - movq 8+128(%rsp),%r10 - leaq 0+128(%rsp),%rsi - movq 16+128(%rsp),%r11 - movq 24+128(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 192(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subq - - leaq 160(%rsp),%rbx - leaq 224(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 
0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 64(%rsp),%rdi - - call __ecp_nistz256_subq - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 352(%rsp),%rax - leaq 352(%rsp),%rbx - movq 0+160(%rsp),%r9 - movq 8+160(%rsp),%r10 - leaq 0+160(%rsp),%rsi - movq 16+160(%rsp),%r11 - movq 24+160(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 96(%rsp),%rax - leaq 96(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 64(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 32(%rsp),%rbx - leaq 256(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand L$ONE_mont(%rip),%xmm2 - pand L$ONE_mont+16(%rip),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 224(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 224+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 320(%rsp),%xmm2 - pand 320+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 256(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 256+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn 
%xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 352(%rsp),%xmm2 - pand 352+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - - leaq 480+56(%rsp),%rsi - - movq -48(%rsi),%r15 - - movq -40(%rsi),%r14 - - movq -32(%rsi),%r13 - - movq -24(%rsi),%r12 - - movq -16(%rsi),%rbx - - movq -8(%rsi),%rbp - - leaq (%rsi),%rsp - -L$add_affineq_epilogue: - ret - - - -.p2align 5 -__ecp_nistz256_add_tox: - - xorq %r11,%r11 - adcq 0(%rbx),%r12 - adcq 8(%rbx),%r13 - movq %r12,%rax - adcq 16(%rbx),%r8 - adcq 24(%rbx),%r9 - movq %r13,%rbp - adcq $0,%r11 - - xorq %r10,%r10 - sbbq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - - - -.p2align 5 -__ecp_nistz256_sub_fromx: - - xorq %r11,%r11 - sbbq 0(%rbx),%r12 - sbbq 8(%rbx),%r13 - movq %r12,%rax - sbbq 16(%rbx),%r8 - sbbq 24(%rbx),%r9 - movq %r13,%rbp - sbbq $0,%r11 - - xorq %r10,%r10 - adcq $-1,%r12 - movq %r8,%rcx - adcq %r14,%r13 - adcq $0,%r8 - movq %r9,%r10 - adcq %r15,%r9 - - btq $0,%r11 - cmovncq %rax,%r12 - cmovncq %rbp,%r13 - movq %r12,0(%rdi) - cmovncq %rcx,%r8 - movq %r13,8(%rdi) - cmovncq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - - - -.p2align 5 -__ecp_nistz256_subx: - - xorq %r11,%r11 - sbbq %r12,%rax - sbbq %r13,%rbp - movq %rax,%r12 - sbbq %r8,%rcx - sbbq %r9,%r10 - movq %rbp,%r13 - sbbq $0,%r11 - - xorq %r9,%r9 - adcq $-1,%rax - movq %rcx,%r8 - adcq %r14,%rbp - adcq $0,%rcx - movq %r10,%r9 - adcq %r15,%r10 - - btq $0,%r11 - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - cmovcq %rcx,%r8 - cmovcq %r10,%r9 - - ret - - - - -.p2align 5 -__ecp_nistz256_mul_by_2x: - - xorq %r11,%r11 - adcq %r12,%r12 - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - xorq %r10,%r10 - sbbq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 
- sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret - - -.globl _ecp_nistz256_point_double_adx -.private_extern _ecp_nistz256_point_double_adx - -.p2align 5 -_ecp_nistz256_point_double_adx: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - - subq $160+8,%rsp - -L$point_doublex_body: - -L$point_double_shortcutx: - movdqu 0(%rsi),%xmm0 - movq %rsi,%rbx - movdqu 16(%rsi),%xmm1 - movq 32+0(%rsi),%r12 - movq 32+8(%rsi),%r13 - movq 32+16(%rsi),%r8 - movq 32+24(%rsi),%r9 - movq L$poly+8(%rip),%r14 - movq L$poly+24(%rip),%r15 - movdqa %xmm0,96(%rsp) - movdqa %xmm1,96+16(%rsp) - leaq 32(%rdi),%r10 - leaq 64(%rdi),%r11 - movq %rdi,%xmm0 - movq %r10,%xmm1 - movq %r11,%xmm2 - - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_by_2x - - movq 64+0(%rsi),%rdx - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - leaq 64-128(%rsi),%rsi - leaq 64(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 0+0(%rsp),%rdx - movq 8+0(%rsp),%r14 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 0(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 32(%rbx),%rdx - movq 64+0(%rbx),%r9 - movq 64+8(%rbx),%r10 - movq 64+16(%rbx),%r11 - movq 64+24(%rbx),%r12 - leaq 64-128(%rbx),%rsi - leaq 32(%rbx),%rbx - movq %xmm2,%rdi - call __ecp_nistz256_mul_montx - call __ecp_nistz256_mul_by_2x - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_tox - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 0+0(%rsp),%rdx - movq 8+0(%rsp),%r14 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - movq 
%xmm1,%rdi - call __ecp_nistz256_sqr_montx - xorq %r9,%r9 - movq %r12,%rax - addq $-1,%r12 - movq %r13,%r10 - adcq %rsi,%r13 - movq %r14,%rcx - adcq $0,%r14 - movq %r15,%r8 - adcq %rbp,%r15 - adcq $0,%r9 - xorq %rsi,%rsi - testq $1,%rax - - cmovzq %rax,%r12 - cmovzq %r10,%r13 - cmovzq %rcx,%r14 - cmovzq %r8,%r15 - cmovzq %rsi,%r9 - - movq %r13,%rax - shrq $1,%r12 - shlq $63,%rax - movq %r14,%r10 - shrq $1,%r13 - orq %rax,%r12 - shlq $63,%r10 - movq %r15,%rcx - shrq $1,%r14 - orq %r10,%r13 - shlq $63,%rcx - movq %r12,0(%rdi) - shrq $1,%r15 - movq %r13,8(%rdi) - shlq $63,%r9 - orq %rcx,%r14 - orq %r9,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - movq 64(%rsp),%rdx - leaq 64(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2x - - leaq 32(%rsp),%rbx - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_tox - - movq 96(%rsp),%rdx - leaq 96(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2x - - movq 0+32(%rsp),%rdx - movq 8+32(%rsp),%r14 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r15 - movq 24+32(%rsp),%r8 - movq %xmm0,%rdi - call __ecp_nistz256_sqr_montx - - leaq 128(%rsp),%rbx - movq %r14,%r8 - movq %r15,%r9 - movq %rsi,%r14 - movq %rbp,%r15 - call __ecp_nistz256_sub_fromx - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 0(%rsp),%rdi - call __ecp_nistz256_subx - - movq 32(%rsp),%rdx - leaq 32(%rsp),%rbx - movq %r12,%r14 - xorl %ecx,%ecx - movq %r12,0+0(%rsp) - movq %r13,%r10 - movq %r13,0+8(%rsp) - cmovzq %r8,%r11 - movq %r8,0+16(%rsp) - leaq 0-128(%rsp),%rsi - cmovzq %r9,%r12 - movq %r9,0+24(%rsp) - movq %r14,%r9 - leaq 0(%rsp),%rdi - call 
__ecp_nistz256_mul_montx - - movq %xmm1,%rbx - movq %xmm1,%rdi - call __ecp_nistz256_sub_fromx - - leaq 160+56(%rsp),%rsi - - movq -48(%rsi),%r15 - - movq -40(%rsi),%r14 - - movq -32(%rsi),%r13 - - movq -24(%rsi),%r12 - - movq -16(%rsi),%rbx - - movq -8(%rsi),%rbp - - leaq (%rsi),%rsp - -L$point_doublex_epilogue: - ret - - -.globl _ecp_nistz256_point_add_adx -.private_extern _ecp_nistz256_point_add_adx - -.p2align 5 -_ecp_nistz256_point_add_adx: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - - subq $576+8,%rsp - -L$point_addx_body: - - movdqu 0(%rsi),%xmm0 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq %rsi,%rbx - movq %rdx,%rsi - movdqa %xmm0,384(%rsp) - movdqa %xmm1,384+16(%rsp) - movdqa %xmm2,416(%rsp) - movdqa %xmm3,416+16(%rsp) - movdqa %xmm4,448(%rsp) - movdqa %xmm5,448+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rsi),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rsi),%xmm3 - movq 64+0(%rsi),%rdx - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,480(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,480+16(%rsp) - movdqu 64(%rsi),%xmm0 - movdqu 80(%rsi),%xmm1 - movdqa %xmm2,512(%rsp) - movdqa %xmm3,512+16(%rsp) - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm0,%xmm1 - movq %rdi,%xmm0 - - leaq 64-128(%rsi),%rsi - movq %rdx,544+0(%rsp) - movq %r14,544+8(%rsp) - movq %r15,544+16(%rsp) - movq %r8,544+24(%rsp) - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm1,%xmm4 - por %xmm1,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - movq 64+0(%rbx),%rdx - movq 64+8(%rbx),%r14 - movq 64+16(%rbx),%r15 - movq 64+24(%rbx),%r8 - movq %rbx,%xmm1 - - leaq 64-128(%rbx),%rsi - leaq 32(%rsp),%rdi - call 
__ecp_nistz256_sqr_montx - - movq 544(%rsp),%rdx - leaq 544(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq -128+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 448(%rsp),%rdx - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 416(%rsp),%rdx - leaq 416(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq -128+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 512(%rsp),%rdx - leaq 512(%rsp),%rbx - movq 0+256(%rsp),%r9 - movq 8+256(%rsp),%r10 - leaq -128+256(%rsp),%rsi - movq 16+256(%rsp),%r11 - movq 24+256(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 224(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - orq %r13,%r12 - movdqa %xmm4,%xmm2 - orq %r8,%r12 - orq %r9,%r12 - por %xmm5,%xmm2 - movq %r12,%xmm3 - - movq 384(%rsp),%rdx - leaq 384(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq -128+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 480(%rsp),%rdx - leaq 480(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 160(%rsp),%rbx - leaq 0(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - orq %r13,%r12 - orq %r8,%r12 - orq %r9,%r12 - - movq %xmm2,%r8 - movq %xmm3,%r9 - orq %r8,%r12 -.byte 0x3e - jnz L$add_proceedx - - - - testq %r9,%r9 - jz L$add_doublex - - - - - - - movq %xmm0,%rdi - pxor %xmm0,%xmm0 - movdqu %xmm0,0(%rdi) - movdqu %xmm0,16(%rdi) - movdqu %xmm0,32(%rdi) - movdqu %xmm0,48(%rdi) - movdqu %xmm0,64(%rdi) - movdqu %xmm0,80(%rdi) - jmp L$add_donex - 
-.p2align 5 -L$add_doublex: - movq %xmm1,%rsi - movq %xmm0,%rdi - addq $416,%rsp - - jmp L$point_double_shortcutx - - -.p2align 5 -L$add_proceedx: - movq 0+64(%rsp),%rdx - movq 8+64(%rsp),%r14 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 448(%rsp),%rdx - leaq 448(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 0+0(%rsp),%rdx - movq 8+0(%rsp),%r14 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 544(%rsp),%rdx - leaq 544(%rsp),%rbx - movq 0+352(%rsp),%r9 - movq 8+352(%rsp),%r10 - leaq -128+352(%rsp),%rsi - movq 16+352(%rsp),%r11 - movq 24+352(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 0(%rsp),%rdx - leaq 0(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 160(%rsp),%rdx - leaq 160(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montx - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 96(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subx - - leaq 128(%rsp),%rbx - leaq 288(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 192+0(%rsp),%rax - movq 192+8(%rsp),%rbp - movq 192+16(%rsp),%rcx - movq 192+24(%rsp),%r10 - 
leaq 320(%rsp),%rdi - - call __ecp_nistz256_subx - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 128(%rsp),%rdx - leaq 128(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq -128+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 320(%rsp),%rdx - leaq 320(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 320(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 256(%rsp),%rbx - leaq 320(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 352(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 352+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 544(%rsp),%xmm2 - pand 544+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 480(%rsp),%xmm2 - pand 480+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 320(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 320+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 512(%rsp),%xmm2 - pand 512+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 
416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - -L$add_donex: - leaq 576+56(%rsp),%rsi - - movq -48(%rsi),%r15 - - movq -40(%rsi),%r14 - - movq -32(%rsi),%r13 - - movq -24(%rsi),%r12 - - movq -16(%rsi),%rbx - - movq -8(%rsi),%rbp - - leaq (%rsi),%rsp - -L$point_addx_epilogue: - ret - - -.globl _ecp_nistz256_point_add_affine_adx -.private_extern _ecp_nistz256_point_add_affine_adx - -.p2align 5 -_ecp_nistz256_point_add_affine_adx: - -_CET_ENDBR - pushq %rbp - - pushq %rbx - - pushq %r12 - - pushq %r13 - - pushq %r14 - - pushq %r15 - - subq $480+8,%rsp - -L$add_affinex_body: - - movdqu 0(%rsi),%xmm0 - movq %rdx,%rbx - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq 64+0(%rsi),%rdx - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,320(%rsp) - movdqa %xmm1,320+16(%rsp) - movdqa %xmm2,352(%rsp) - movdqa %xmm3,352+16(%rsp) - movdqa %xmm4,384(%rsp) - movdqa %xmm5,384+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rbx),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rbx),%xmm1 - movdqu 32(%rbx),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rbx),%xmm3 - movdqa %xmm0,416(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,416+16(%rsp) - por %xmm0,%xmm1 - movq %rdi,%xmm0 - movdqa %xmm2,448(%rsp) - movdqa %xmm3,448+16(%rsp) - por %xmm2,%xmm3 - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm1,%xmm3 - - leaq 64-128(%rsi),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm3,%xmm4 - movq 0(%rbx),%rdx - - movq %r12,%r9 - por %xmm3,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - movq %r13,%r10 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - movq %r14,%r11 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - - leaq 32-128(%rsp),%rsi - movq %r15,%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 320(%rsp),%rbx - leaq 64(%rsp),%rdi - call 
__ecp_nistz256_sub_fromx - - movq 384(%rsp),%rdx - leaq 384(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 384(%rsp),%rdx - leaq 384(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 288(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 448(%rsp),%rdx - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 352(%rsp),%rbx - leaq 96(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 0+64(%rsp),%rdx - movq 8+64(%rsp),%r14 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 128(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 0+96(%rsp),%rdx - movq 8+96(%rsp),%r14 - leaq -128+96(%rsp),%rsi - movq 16+96(%rsp),%r15 - movq 24+96(%rsp),%r8 - leaq 192(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 128(%rsp),%rdx - leaq 128(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 320(%rsp),%rdx - leaq 320(%rsp),%rbx - movq 0+128(%rsp),%r9 - movq 8+128(%rsp),%r10 - leaq -128+128(%rsp),%rsi - movq 16+128(%rsp),%r11 - movq 24+128(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 192(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call 
__ecp_nistz256_subx - - leaq 160(%rsp),%rbx - leaq 224(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 64(%rsp),%rdi - - call __ecp_nistz256_subx - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 352(%rsp),%rdx - leaq 352(%rsp),%rbx - movq 0+160(%rsp),%r9 - movq 8+160(%rsp),%r10 - leaq -128+160(%rsp),%rsi - movq 16+160(%rsp),%r11 - movq 24+160(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 96(%rsp),%rdx - leaq 96(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 64(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 32(%rsp),%rbx - leaq 256(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand L$ONE_mont(%rip),%xmm2 - pand L$ONE_mont+16(%rip),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 224(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 224+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 320(%rsp),%xmm2 - pand 320+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 256(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 256+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 448(%rsp),%xmm2 - pand 
448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 352(%rsp),%xmm2 - pand 352+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - - leaq 480+56(%rsp),%rsi - - movq -48(%rsi),%r15 - - movq -40(%rsi),%r14 - - movq -32(%rsi),%r13 - - movq -24(%rsi),%r12 - - movq -16(%rsi),%rbx - - movq -8(%rsi),%rbp - - leaq (%rsi),%rsp - -L$add_affinex_epilogue: - ret - - #endif diff --git a/third_party/boringssl/gen/bcm/p256-x86_64-asm-linux.S b/third_party/boringssl/gen/bcm/p256-x86_64-asm-linux.S index c54d5772..474b13bf 100644 --- a/third_party/boringssl/gen/bcm/p256-x86_64-asm-linux.S +++ b/third_party/boringssl/gen/bcm/p256-x86_64-asm-linux.S @@ -7,21 +7,7 @@ .text -.section .rodata -.align 64 -.Lpoly: -.quad 0xffffffffffffffff, 0x00000000ffffffff, 0x0000000000000000, 0xffffffff00000001 - -.LOne: -.long 1,1,1,1,1,1,1,1 -.LTwo: -.long 2,2,2,2,2,2,2,2 -.LThree: -.long 3,3,3,3,3,3,3,3 -.LONE_mont: -.quad 0x0000000000000001, 0xffffffff00000000, 0xffffffffffffffff, 0x00000000fffffffe - - +p256_constants: .Lord: .quad 0xf3b9cac2fc632551, 0xbce6faada7179e84, 0xffffffffffffffff, 0xffffffff00000000 .LordK: 
@@ -30,66 +16,6 @@ -.globl ecp_nistz256_neg -.hidden ecp_nistz256_neg -.type ecp_nistz256_neg,@function -.align 32 -ecp_nistz256_neg: -.cfi_startproc -_CET_ENDBR - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-16 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-24 -.Lneg_body: - - xorq %r8,%r8 - xorq %r9,%r9 - xorq %r10,%r10 - xorq %r11,%r11 - xorq %r13,%r13 - - subq 0(%rsi),%r8 - sbbq 8(%rsi),%r9 - sbbq 16(%rsi),%r10 - movq %r8,%rax - sbbq 24(%rsi),%r11 - leaq .Lpoly(%rip),%rsi - movq %r9,%rdx - sbbq $0,%r13 - - addq 0(%rsi),%r8 - movq %r10,%rcx - adcq 8(%rsi),%r9 - adcq 16(%rsi),%r10 - movq %r11,%r12 - adcq 24(%rsi),%r11 - testq %r13,%r13 - - cmovzq %rax,%r8 - cmovzq %rdx,%r9 - movq %r8,0(%rdi) - cmovzq %rcx,%r10 - movq %r9,8(%rdi) - cmovzq %r12,%r11 - movq %r10,16(%rdi) - movq %r11,24(%rdi) - - movq 0(%rsp),%r13 -.cfi_restore %r13 - movq 8(%rsp),%r12 -.cfi_restore %r12 - leaq 16(%rsp),%rsp -.cfi_adjust_cfa_offset -16 -.Lneg_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_neg,.-ecp_nistz256_neg - - - 
@@ -1178,3422 +1104,4 @@ _CET_ENDBR ret .cfi_endproc .size ecp_nistz256_ord_sqr_mont_adx,.-ecp_nistz256_ord_sqr_mont_adx - - - - - - -.globl ecp_nistz256_mul_mont_nohw -.hidden ecp_nistz256_mul_mont_nohw -.type ecp_nistz256_mul_mont_nohw,@function -.align 32 -ecp_nistz256_mul_mont_nohw: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 -.Lmul_body: - movq %rdx,%rbx - movq 0(%rdx),%rax - movq 0(%rsi),%r9 - movq 8(%rsi),%r10 - movq 16(%rsi),%r11 - movq 24(%rsi),%r12 - - call __ecp_nistz256_mul_montq - - movq 0(%rsp),%r15 -.cfi_restore %r15 - movq 8(%rsp),%r14 -.cfi_restore %r14 - movq 16(%rsp),%r13 -.cfi_restore %r13 - movq 24(%rsp),%r12 -.cfi_restore %r12 - movq 32(%rsp),%rbx -.cfi_restore %rbx - movq 40(%rsp),%rbp -.cfi_restore %rbp - leaq 48(%rsp),%rsp -.cfi_adjust_cfa_offset -48 -.Lmul_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_mul_mont_nohw,.-ecp_nistz256_mul_mont_nohw - -.type __ecp_nistz256_mul_montq,@function -.align 32 -__ecp_nistz256_mul_montq: -.cfi_startproc - - - movq %rax,%rbp - mulq %r9 - movq .Lpoly+8(%rip),%r14 - movq %rax,%r8 - movq %rbp,%rax - movq %rdx,%r9 - - mulq %r10 - movq .Lpoly+24(%rip),%r15 - addq %rax,%r9 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%r10 - - mulq %r11 - addq %rax,%r10 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%r11 - - mulq %r12 - addq %rax,%r11 - movq %r8,%rax - adcq $0,%rdx - xorq %r13,%r13 - movq %rdx,%r12 - - - - - - - - - - - movq %r8,%rbp - shlq $32,%r8 - mulq %r15 - shrq $32,%rbp - addq %r8,%r9 - adcq %rbp,%r10 - adcq %rax,%r11 - movq 8(%rbx),%rax - adcq %rdx,%r12 - adcq $0,%r13 - xorq %r8,%r8 - - - - movq %rax,%rbp - mulq 0(%rsi) - addq %rax,%r9 - movq %rbp,%rax - adcq 
$0,%rdx - movq %rdx,%rcx - - mulq 8(%rsi) - addq %rcx,%r10 - adcq $0,%rdx - addq %rax,%r10 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 16(%rsi) - addq %rcx,%r11 - adcq $0,%rdx - addq %rax,%r11 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 24(%rsi) - addq %rcx,%r12 - adcq $0,%rdx - addq %rax,%r12 - movq %r9,%rax - adcq %rdx,%r13 - adcq $0,%r8 - - - - movq %r9,%rbp - shlq $32,%r9 - mulq %r15 - shrq $32,%rbp - addq %r9,%r10 - adcq %rbp,%r11 - adcq %rax,%r12 - movq 16(%rbx),%rax - adcq %rdx,%r13 - adcq $0,%r8 - xorq %r9,%r9 - - - - movq %rax,%rbp - mulq 0(%rsi) - addq %rax,%r10 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 8(%rsi) - addq %rcx,%r11 - adcq $0,%rdx - addq %rax,%r11 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 16(%rsi) - addq %rcx,%r12 - adcq $0,%rdx - addq %rax,%r12 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 24(%rsi) - addq %rcx,%r13 - adcq $0,%rdx - addq %rax,%r13 - movq %r10,%rax - adcq %rdx,%r8 - adcq $0,%r9 - - - - movq %r10,%rbp - shlq $32,%r10 - mulq %r15 - shrq $32,%rbp - addq %r10,%r11 - adcq %rbp,%r12 - adcq %rax,%r13 - movq 24(%rbx),%rax - adcq %rdx,%r8 - adcq $0,%r9 - xorq %r10,%r10 - - - - movq %rax,%rbp - mulq 0(%rsi) - addq %rax,%r11 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 8(%rsi) - addq %rcx,%r12 - adcq $0,%rdx - addq %rax,%r12 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 16(%rsi) - addq %rcx,%r13 - adcq $0,%rdx - addq %rax,%r13 - movq %rbp,%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq 24(%rsi) - addq %rcx,%r8 - adcq $0,%rdx - addq %rax,%r8 - movq %r11,%rax - adcq %rdx,%r9 - adcq $0,%r10 - - - - movq %r11,%rbp - shlq $32,%r11 - mulq %r15 - shrq $32,%rbp - addq %r11,%r12 - adcq %rbp,%r13 - movq %r12,%rcx - adcq %rax,%r8 - adcq %rdx,%r9 - movq %r13,%rbp - adcq $0,%r10 - - - - subq $-1,%r12 - movq %r8,%rbx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%rdx - sbbq %r15,%r9 - sbbq $0,%r10 - - cmovcq %rcx,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - 
cmovcq %rbx,%r8 - movq %r13,8(%rdi) - cmovcq %rdx,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_mul_montq,.-__ecp_nistz256_mul_montq - - - - - - - - -.globl ecp_nistz256_sqr_mont_nohw -.hidden ecp_nistz256_sqr_mont_nohw -.type ecp_nistz256_sqr_mont_nohw,@function -.align 32 -ecp_nistz256_sqr_mont_nohw: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 -.Lsqr_body: - movq 0(%rsi),%rax - movq 8(%rsi),%r14 - movq 16(%rsi),%r15 - movq 24(%rsi),%r8 - - call __ecp_nistz256_sqr_montq - - movq 0(%rsp),%r15 -.cfi_restore %r15 - movq 8(%rsp),%r14 -.cfi_restore %r14 - movq 16(%rsp),%r13 -.cfi_restore %r13 - movq 24(%rsp),%r12 -.cfi_restore %r12 - movq 32(%rsp),%rbx -.cfi_restore %rbx - movq 40(%rsp),%rbp -.cfi_restore %rbp - leaq 48(%rsp),%rsp -.cfi_adjust_cfa_offset -48 -.Lsqr_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_sqr_mont_nohw,.-ecp_nistz256_sqr_mont_nohw - -.type __ecp_nistz256_sqr_montq,@function -.align 32 -__ecp_nistz256_sqr_montq: -.cfi_startproc - movq %rax,%r13 - mulq %r14 - movq %rax,%r9 - movq %r15,%rax - movq %rdx,%r10 - - mulq %r13 - addq %rax,%r10 - movq %r8,%rax - adcq $0,%rdx - movq %rdx,%r11 - - mulq %r13 - addq %rax,%r11 - movq %r15,%rax - adcq $0,%rdx - movq %rdx,%r12 - - - mulq %r14 - addq %rax,%r11 - movq %r8,%rax - adcq $0,%rdx - movq %rdx,%rbp - - mulq %r14 - addq %rax,%r12 - movq %r8,%rax - adcq $0,%rdx - addq %rbp,%r12 - movq %rdx,%r13 - adcq $0,%r13 - - - mulq %r15 - xorq %r15,%r15 - addq %rax,%r13 - movq 0(%rsi),%rax - movq %rdx,%r14 - adcq $0,%r14 - - addq %r9,%r9 - adcq %r10,%r10 - adcq %r11,%r11 - adcq %r12,%r12 - adcq %r13,%r13 - adcq %r14,%r14 - adcq 
$0,%r15 - - mulq %rax - movq %rax,%r8 - movq 8(%rsi),%rax - movq %rdx,%rcx - - mulq %rax - addq %rcx,%r9 - adcq %rax,%r10 - movq 16(%rsi),%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq %rax - addq %rcx,%r11 - adcq %rax,%r12 - movq 24(%rsi),%rax - adcq $0,%rdx - movq %rdx,%rcx - - mulq %rax - addq %rcx,%r13 - adcq %rax,%r14 - movq %r8,%rax - adcq %rdx,%r15 - - movq .Lpoly+8(%rip),%rsi - movq .Lpoly+24(%rip),%rbp - - - - - movq %r8,%rcx - shlq $32,%r8 - mulq %rbp - shrq $32,%rcx - addq %r8,%r9 - adcq %rcx,%r10 - adcq %rax,%r11 - movq %r9,%rax - adcq $0,%rdx - - - - movq %r9,%rcx - shlq $32,%r9 - movq %rdx,%r8 - mulq %rbp - shrq $32,%rcx - addq %r9,%r10 - adcq %rcx,%r11 - adcq %rax,%r8 - movq %r10,%rax - adcq $0,%rdx - - - - movq %r10,%rcx - shlq $32,%r10 - movq %rdx,%r9 - mulq %rbp - shrq $32,%rcx - addq %r10,%r11 - adcq %rcx,%r8 - adcq %rax,%r9 - movq %r11,%rax - adcq $0,%rdx - - - - movq %r11,%rcx - shlq $32,%r11 - movq %rdx,%r10 - mulq %rbp - shrq $32,%rcx - addq %r11,%r8 - adcq %rcx,%r9 - adcq %rax,%r10 - adcq $0,%rdx - xorq %r11,%r11 - - - - addq %r8,%r12 - adcq %r9,%r13 - movq %r12,%r8 - adcq %r10,%r14 - adcq %rdx,%r15 - movq %r13,%r9 - adcq $0,%r11 - - subq $-1,%r12 - movq %r14,%r10 - sbbq %rsi,%r13 - sbbq $0,%r14 - movq %r15,%rcx - sbbq %rbp,%r15 - sbbq $0,%r11 - - cmovcq %r8,%r12 - cmovcq %r9,%r13 - movq %r12,0(%rdi) - cmovcq %r10,%r14 - movq %r13,8(%rdi) - cmovcq %rcx,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_sqr_montq,.-__ecp_nistz256_sqr_montq -.globl ecp_nistz256_mul_mont_adx -.hidden ecp_nistz256_mul_mont_adx -.type ecp_nistz256_mul_mont_adx,@function -.align 32 -ecp_nistz256_mul_mont_adx: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 
-.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 -.Lmulx_body: - movq %rdx,%rbx - movq 0(%rdx),%rdx - movq 0(%rsi),%r9 - movq 8(%rsi),%r10 - movq 16(%rsi),%r11 - movq 24(%rsi),%r12 - leaq -128(%rsi),%rsi - - call __ecp_nistz256_mul_montx - - movq 0(%rsp),%r15 -.cfi_restore %r15 - movq 8(%rsp),%r14 -.cfi_restore %r14 - movq 16(%rsp),%r13 -.cfi_restore %r13 - movq 24(%rsp),%r12 -.cfi_restore %r12 - movq 32(%rsp),%rbx -.cfi_restore %rbx - movq 40(%rsp),%rbp -.cfi_restore %rbp - leaq 48(%rsp),%rsp -.cfi_adjust_cfa_offset -48 -.Lmulx_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_mul_mont_adx,.-ecp_nistz256_mul_mont_adx - -.type __ecp_nistz256_mul_montx,@function -.align 32 -__ecp_nistz256_mul_montx: -.cfi_startproc - - - mulxq %r9,%r8,%r9 - mulxq %r10,%rcx,%r10 - movq $32,%r14 - xorq %r13,%r13 - mulxq %r11,%rbp,%r11 - movq .Lpoly+24(%rip),%r15 - adcq %rcx,%r9 - mulxq %r12,%rcx,%r12 - movq %r8,%rdx - adcq %rbp,%r10 - shlxq %r14,%r8,%rbp - adcq %rcx,%r11 - shrxq %r14,%r8,%rcx - adcq $0,%r12 - - - - addq %rbp,%r9 - adcq %rcx,%r10 - - mulxq %r15,%rcx,%rbp - movq 8(%rbx),%rdx - adcq %rcx,%r11 - adcq %rbp,%r12 - adcq $0,%r13 - xorq %r8,%r8 - - - - mulxq 0+128(%rsi),%rcx,%rbp - adcxq %rcx,%r9 - adoxq %rbp,%r10 - - mulxq 8+128(%rsi),%rcx,%rbp - adcxq %rcx,%r10 - adoxq %rbp,%r11 - - mulxq 16+128(%rsi),%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq 24+128(%rsi),%rcx,%rbp - movq %r9,%rdx - adcxq %rcx,%r12 - shlxq %r14,%r9,%rcx - adoxq %rbp,%r13 - shrxq %r14,%r9,%rbp - - adcxq %r8,%r13 - adoxq %r8,%r8 - adcq $0,%r8 - - - - addq %rcx,%r10 - adcq %rbp,%r11 - - mulxq %r15,%rcx,%rbp - movq 16(%rbx),%rdx - adcq %rcx,%r12 - adcq %rbp,%r13 - adcq $0,%r8 - xorq %r9,%r9 - - - - mulxq 0+128(%rsi),%rcx,%rbp - adcxq %rcx,%r10 - adoxq %rbp,%r11 - - mulxq 8+128(%rsi),%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq 16+128(%rsi),%rcx,%rbp - adcxq %rcx,%r12 - adoxq %rbp,%r13 - - mulxq 24+128(%rsi),%rcx,%rbp - movq %r10,%rdx - adcxq %rcx,%r13 - 
shlxq %r14,%r10,%rcx - adoxq %rbp,%r8 - shrxq %r14,%r10,%rbp - - adcxq %r9,%r8 - adoxq %r9,%r9 - adcq $0,%r9 - - - - addq %rcx,%r11 - adcq %rbp,%r12 - - mulxq %r15,%rcx,%rbp - movq 24(%rbx),%rdx - adcq %rcx,%r13 - adcq %rbp,%r8 - adcq $0,%r9 - xorq %r10,%r10 - - - - mulxq 0+128(%rsi),%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq 8+128(%rsi),%rcx,%rbp - adcxq %rcx,%r12 - adoxq %rbp,%r13 - - mulxq 16+128(%rsi),%rcx,%rbp - adcxq %rcx,%r13 - adoxq %rbp,%r8 - - mulxq 24+128(%rsi),%rcx,%rbp - movq %r11,%rdx - adcxq %rcx,%r8 - shlxq %r14,%r11,%rcx - adoxq %rbp,%r9 - shrxq %r14,%r11,%rbp - - adcxq %r10,%r9 - adoxq %r10,%r10 - adcq $0,%r10 - - - - addq %rcx,%r12 - adcq %rbp,%r13 - - mulxq %r15,%rcx,%rbp - movq %r12,%rbx - movq .Lpoly+8(%rip),%r14 - adcq %rcx,%r8 - movq %r13,%rdx - adcq %rbp,%r9 - adcq $0,%r10 - - - - xorl %eax,%eax - movq %r8,%rcx - sbbq $-1,%r12 - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%rbp - sbbq %r15,%r9 - sbbq $0,%r10 - - cmovcq %rbx,%r12 - cmovcq %rdx,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %rbp,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_mul_montx,.-__ecp_nistz256_mul_montx - -.globl ecp_nistz256_sqr_mont_adx -.hidden ecp_nistz256_sqr_mont_adx -.type ecp_nistz256_sqr_mont_adx,@function -.align 32 -ecp_nistz256_sqr_mont_adx: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 -.Lsqrx_body: - movq 0(%rsi),%rdx - movq 8(%rsi),%r14 - movq 16(%rsi),%r15 - movq 24(%rsi),%r8 - leaq -128(%rsi),%rsi - - call __ecp_nistz256_sqr_montx - - movq 0(%rsp),%r15 -.cfi_restore %r15 - movq 8(%rsp),%r14 -.cfi_restore %r14 - movq 16(%rsp),%r13 
-.cfi_restore %r13 - movq 24(%rsp),%r12 -.cfi_restore %r12 - movq 32(%rsp),%rbx -.cfi_restore %rbx - movq 40(%rsp),%rbp -.cfi_restore %rbp - leaq 48(%rsp),%rsp -.cfi_adjust_cfa_offset -48 -.Lsqrx_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_sqr_mont_adx,.-ecp_nistz256_sqr_mont_adx - -.type __ecp_nistz256_sqr_montx,@function -.align 32 -__ecp_nistz256_sqr_montx: -.cfi_startproc - mulxq %r14,%r9,%r10 - mulxq %r15,%rcx,%r11 - xorl %eax,%eax - adcq %rcx,%r10 - mulxq %r8,%rbp,%r12 - movq %r14,%rdx - adcq %rbp,%r11 - adcq $0,%r12 - xorq %r13,%r13 - - - mulxq %r15,%rcx,%rbp - adcxq %rcx,%r11 - adoxq %rbp,%r12 - - mulxq %r8,%rcx,%rbp - movq %r15,%rdx - adcxq %rcx,%r12 - adoxq %rbp,%r13 - adcq $0,%r13 - - - mulxq %r8,%rcx,%r14 - movq 0+128(%rsi),%rdx - xorq %r15,%r15 - adcxq %r9,%r9 - adoxq %rcx,%r13 - adcxq %r10,%r10 - adoxq %r15,%r14 - - mulxq %rdx,%r8,%rbp - movq 8+128(%rsi),%rdx - adcxq %r11,%r11 - adoxq %rbp,%r9 - adcxq %r12,%r12 - mulxq %rdx,%rcx,%rax - movq 16+128(%rsi),%rdx - adcxq %r13,%r13 - adoxq %rcx,%r10 - adcxq %r14,%r14 -.byte 0x67 - mulxq %rdx,%rcx,%rbp - movq 24+128(%rsi),%rdx - adoxq %rax,%r11 - adcxq %r15,%r15 - adoxq %rcx,%r12 - movq $32,%rsi - adoxq %rbp,%r13 -.byte 0x67,0x67 - mulxq %rdx,%rcx,%rax - movq .Lpoly+24(%rip),%rdx - adoxq %rcx,%r14 - shlxq %rsi,%r8,%rcx - adoxq %rax,%r15 - shrxq %rsi,%r8,%rax - movq %rdx,%rbp - - - addq %rcx,%r9 - adcq %rax,%r10 - - mulxq %r8,%rcx,%r8 - adcq %rcx,%r11 - shlxq %rsi,%r9,%rcx - adcq $0,%r8 - shrxq %rsi,%r9,%rax - - - addq %rcx,%r10 - adcq %rax,%r11 - - mulxq %r9,%rcx,%r9 - adcq %rcx,%r8 - shlxq %rsi,%r10,%rcx - adcq $0,%r9 - shrxq %rsi,%r10,%rax - - - addq %rcx,%r11 - adcq %rax,%r8 - - mulxq %r10,%rcx,%r10 - adcq %rcx,%r9 - shlxq %rsi,%r11,%rcx - adcq $0,%r10 - shrxq %rsi,%r11,%rax - - - addq %rcx,%r8 - adcq %rax,%r9 - - mulxq %r11,%rcx,%r11 - adcq %rcx,%r10 - adcq $0,%r11 - - xorq %rdx,%rdx - addq %r8,%r12 - movq .Lpoly+8(%rip),%rsi - adcq %r9,%r13 - movq %r12,%r8 - adcq %r10,%r14 - adcq %r11,%r15 - movq 
%r13,%r9 - adcq $0,%rdx - - subq $-1,%r12 - movq %r14,%r10 - sbbq %rsi,%r13 - sbbq $0,%r14 - movq %r15,%r11 - sbbq %rbp,%r15 - sbbq $0,%rdx - - cmovcq %r8,%r12 - cmovcq %r9,%r13 - movq %r12,0(%rdi) - cmovcq %r10,%r14 - movq %r13,8(%rdi) - cmovcq %r11,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_sqr_montx,.-__ecp_nistz256_sqr_montx - - -.globl ecp_nistz256_select_w5_nohw -.hidden ecp_nistz256_select_w5_nohw -.type ecp_nistz256_select_w5_nohw,@function -.align 32 -ecp_nistz256_select_w5_nohw: -.cfi_startproc -_CET_ENDBR - movdqa .LOne(%rip),%xmm0 - movd %edx,%xmm1 - - pxor %xmm2,%xmm2 - pxor %xmm3,%xmm3 - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 - pxor %xmm6,%xmm6 - pxor %xmm7,%xmm7 - - movdqa %xmm0,%xmm8 - pshufd $0,%xmm1,%xmm1 - - movq $16,%rax -.Lselect_loop_sse_w5: - - movdqa %xmm8,%xmm15 - paddd %xmm0,%xmm8 - pcmpeqd %xmm1,%xmm15 - - movdqa 0(%rsi),%xmm9 - movdqa 16(%rsi),%xmm10 - movdqa 32(%rsi),%xmm11 - movdqa 48(%rsi),%xmm12 - movdqa 64(%rsi),%xmm13 - movdqa 80(%rsi),%xmm14 - leaq 96(%rsi),%rsi - - pand %xmm15,%xmm9 - pand %xmm15,%xmm10 - por %xmm9,%xmm2 - pand %xmm15,%xmm11 - por %xmm10,%xmm3 - pand %xmm15,%xmm12 - por %xmm11,%xmm4 - pand %xmm15,%xmm13 - por %xmm12,%xmm5 - pand %xmm15,%xmm14 - por %xmm13,%xmm6 - por %xmm14,%xmm7 - - decq %rax - jnz .Lselect_loop_sse_w5 - - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - movdqu %xmm4,32(%rdi) - movdqu %xmm5,48(%rdi) - movdqu %xmm6,64(%rdi) - movdqu %xmm7,80(%rdi) - ret -.cfi_endproc -.LSEH_end_ecp_nistz256_select_w5_nohw: -.size ecp_nistz256_select_w5_nohw,.-ecp_nistz256_select_w5_nohw - - - -.globl ecp_nistz256_select_w7_nohw -.hidden ecp_nistz256_select_w7_nohw -.type ecp_nistz256_select_w7_nohw,@function -.align 32 -ecp_nistz256_select_w7_nohw: -.cfi_startproc -_CET_ENDBR - movdqa .LOne(%rip),%xmm8 - movd %edx,%xmm1 - - pxor %xmm2,%xmm2 - pxor %xmm3,%xmm3 - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 - - movdqa %xmm8,%xmm0 - pshufd $0,%xmm1,%xmm1 - movq $64,%rax - 
-.Lselect_loop_sse_w7: - movdqa %xmm8,%xmm15 - paddd %xmm0,%xmm8 - movdqa 0(%rsi),%xmm9 - movdqa 16(%rsi),%xmm10 - pcmpeqd %xmm1,%xmm15 - movdqa 32(%rsi),%xmm11 - movdqa 48(%rsi),%xmm12 - leaq 64(%rsi),%rsi - - pand %xmm15,%xmm9 - pand %xmm15,%xmm10 - por %xmm9,%xmm2 - pand %xmm15,%xmm11 - por %xmm10,%xmm3 - pand %xmm15,%xmm12 - por %xmm11,%xmm4 - prefetcht0 255(%rsi) - por %xmm12,%xmm5 - - decq %rax - jnz .Lselect_loop_sse_w7 - - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - movdqu %xmm4,32(%rdi) - movdqu %xmm5,48(%rdi) - ret -.cfi_endproc -.LSEH_end_ecp_nistz256_select_w7_nohw: -.size ecp_nistz256_select_w7_nohw,.-ecp_nistz256_select_w7_nohw - - -.globl ecp_nistz256_select_w5_avx2 -.hidden ecp_nistz256_select_w5_avx2 -.type ecp_nistz256_select_w5_avx2,@function -.align 32 -ecp_nistz256_select_w5_avx2: -.cfi_startproc -_CET_ENDBR - vzeroupper - vmovdqa .LTwo(%rip),%ymm0 - - vpxor %ymm2,%ymm2,%ymm2 - vpxor %ymm3,%ymm3,%ymm3 - vpxor %ymm4,%ymm4,%ymm4 - - vmovdqa .LOne(%rip),%ymm5 - vmovdqa .LTwo(%rip),%ymm10 - - vmovd %edx,%xmm1 - vpermd %ymm1,%ymm2,%ymm1 - - movq $8,%rax -.Lselect_loop_avx2_w5: - - vmovdqa 0(%rsi),%ymm6 - vmovdqa 32(%rsi),%ymm7 - vmovdqa 64(%rsi),%ymm8 - - vmovdqa 96(%rsi),%ymm11 - vmovdqa 128(%rsi),%ymm12 - vmovdqa 160(%rsi),%ymm13 - - vpcmpeqd %ymm1,%ymm5,%ymm9 - vpcmpeqd %ymm1,%ymm10,%ymm14 - - vpaddd %ymm0,%ymm5,%ymm5 - vpaddd %ymm0,%ymm10,%ymm10 - leaq 192(%rsi),%rsi - - vpand %ymm9,%ymm6,%ymm6 - vpand %ymm9,%ymm7,%ymm7 - vpand %ymm9,%ymm8,%ymm8 - vpand %ymm14,%ymm11,%ymm11 - vpand %ymm14,%ymm12,%ymm12 - vpand %ymm14,%ymm13,%ymm13 - - vpxor %ymm6,%ymm2,%ymm2 - vpxor %ymm7,%ymm3,%ymm3 - vpxor %ymm8,%ymm4,%ymm4 - vpxor %ymm11,%ymm2,%ymm2 - vpxor %ymm12,%ymm3,%ymm3 - vpxor %ymm13,%ymm4,%ymm4 - - decq %rax - jnz .Lselect_loop_avx2_w5 - - vmovdqu %ymm2,0(%rdi) - vmovdqu %ymm3,32(%rdi) - vmovdqu %ymm4,64(%rdi) - vzeroupper - ret -.cfi_endproc -.LSEH_end_ecp_nistz256_select_w5_avx2: -.size ecp_nistz256_select_w5_avx2,.-ecp_nistz256_select_w5_avx2 - 
- - -.globl ecp_nistz256_select_w7_avx2 -.hidden ecp_nistz256_select_w7_avx2 -.type ecp_nistz256_select_w7_avx2,@function -.align 32 -ecp_nistz256_select_w7_avx2: -.cfi_startproc -_CET_ENDBR - vzeroupper - vmovdqa .LThree(%rip),%ymm0 - - vpxor %ymm2,%ymm2,%ymm2 - vpxor %ymm3,%ymm3,%ymm3 - - vmovdqa .LOne(%rip),%ymm4 - vmovdqa .LTwo(%rip),%ymm8 - vmovdqa .LThree(%rip),%ymm12 - - vmovd %edx,%xmm1 - vpermd %ymm1,%ymm2,%ymm1 - - - movq $21,%rax -.Lselect_loop_avx2_w7: - - vmovdqa 0(%rsi),%ymm5 - vmovdqa 32(%rsi),%ymm6 - - vmovdqa 64(%rsi),%ymm9 - vmovdqa 96(%rsi),%ymm10 - - vmovdqa 128(%rsi),%ymm13 - vmovdqa 160(%rsi),%ymm14 - - vpcmpeqd %ymm1,%ymm4,%ymm7 - vpcmpeqd %ymm1,%ymm8,%ymm11 - vpcmpeqd %ymm1,%ymm12,%ymm15 - - vpaddd %ymm0,%ymm4,%ymm4 - vpaddd %ymm0,%ymm8,%ymm8 - vpaddd %ymm0,%ymm12,%ymm12 - leaq 192(%rsi),%rsi - - vpand %ymm7,%ymm5,%ymm5 - vpand %ymm7,%ymm6,%ymm6 - vpand %ymm11,%ymm9,%ymm9 - vpand %ymm11,%ymm10,%ymm10 - vpand %ymm15,%ymm13,%ymm13 - vpand %ymm15,%ymm14,%ymm14 - - vpxor %ymm5,%ymm2,%ymm2 - vpxor %ymm6,%ymm3,%ymm3 - vpxor %ymm9,%ymm2,%ymm2 - vpxor %ymm10,%ymm3,%ymm3 - vpxor %ymm13,%ymm2,%ymm2 - vpxor %ymm14,%ymm3,%ymm3 - - decq %rax - jnz .Lselect_loop_avx2_w7 - - - vmovdqa 0(%rsi),%ymm5 - vmovdqa 32(%rsi),%ymm6 - - vpcmpeqd %ymm1,%ymm4,%ymm7 - - vpand %ymm7,%ymm5,%ymm5 - vpand %ymm7,%ymm6,%ymm6 - - vpxor %ymm5,%ymm2,%ymm2 - vpxor %ymm6,%ymm3,%ymm3 - - vmovdqu %ymm2,0(%rdi) - vmovdqu %ymm3,32(%rdi) - vzeroupper - ret -.cfi_endproc -.LSEH_end_ecp_nistz256_select_w7_avx2: -.size ecp_nistz256_select_w7_avx2,.-ecp_nistz256_select_w7_avx2 -.type __ecp_nistz256_add_toq,@function -.align 32 -__ecp_nistz256_add_toq: -.cfi_startproc - xorq %r11,%r11 - addq 0(%rbx),%r12 - adcq 8(%rbx),%r13 - movq %r12,%rax - adcq 16(%rbx),%r8 - adcq 24(%rbx),%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq 
%rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_add_toq,.-__ecp_nistz256_add_toq - -.type __ecp_nistz256_sub_fromq,@function -.align 32 -__ecp_nistz256_sub_fromq: -.cfi_startproc - subq 0(%rbx),%r12 - sbbq 8(%rbx),%r13 - movq %r12,%rax - sbbq 16(%rbx),%r8 - sbbq 24(%rbx),%r9 - movq %r13,%rbp - sbbq %r11,%r11 - - addq $-1,%r12 - movq %r8,%rcx - adcq %r14,%r13 - adcq $0,%r8 - movq %r9,%r10 - adcq %r15,%r9 - testq %r11,%r11 - - cmovzq %rax,%r12 - cmovzq %rbp,%r13 - movq %r12,0(%rdi) - cmovzq %rcx,%r8 - movq %r13,8(%rdi) - cmovzq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_sub_fromq,.-__ecp_nistz256_sub_fromq - -.type __ecp_nistz256_subq,@function -.align 32 -__ecp_nistz256_subq: -.cfi_startproc - subq %r12,%rax - sbbq %r13,%rbp - movq %rax,%r12 - sbbq %r8,%rcx - sbbq %r9,%r10 - movq %rbp,%r13 - sbbq %r11,%r11 - - addq $-1,%rax - movq %rcx,%r8 - adcq %r14,%rbp - adcq $0,%rcx - movq %r10,%r9 - adcq %r15,%r10 - testq %r11,%r11 - - cmovnzq %rax,%r12 - cmovnzq %rbp,%r13 - cmovnzq %rcx,%r8 - cmovnzq %r10,%r9 - - ret -.cfi_endproc -.size __ecp_nistz256_subq,.-__ecp_nistz256_subq - -.type __ecp_nistz256_mul_by_2q,@function -.align 32 -__ecp_nistz256_mul_by_2q: -.cfi_startproc - xorq %r11,%r11 - addq %r12,%r12 - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_mul_by_2q,.-__ecp_nistz256_mul_by_2q -.globl ecp_nistz256_point_double_nohw -.hidden ecp_nistz256_point_double_nohw -.type ecp_nistz256_point_double_nohw,@function -.align 32 -ecp_nistz256_point_double_nohw: -.cfi_startproc -_CET_ENDBR - 
pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 - subq $160+8,%rsp -.cfi_adjust_cfa_offset 32*5+8 -.Lpoint_doubleq_body: - -.Lpoint_double_shortcutq: - movdqu 0(%rsi),%xmm0 - movq %rsi,%rbx - movdqu 16(%rsi),%xmm1 - movq 32+0(%rsi),%r12 - movq 32+8(%rsi),%r13 - movq 32+16(%rsi),%r8 - movq 32+24(%rsi),%r9 - movq .Lpoly+8(%rip),%r14 - movq .Lpoly+24(%rip),%r15 - movdqa %xmm0,96(%rsp) - movdqa %xmm1,96+16(%rsp) - leaq 32(%rdi),%r10 - leaq 64(%rdi),%r11 - movq %rdi,%xmm0 - movq %r10,%xmm1 - movq %r11,%xmm2 - - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_by_2q - - movq 64+0(%rsi),%rax - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - leaq 64-0(%rsi),%rsi - leaq 64(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 0+0(%rsp),%rax - movq 8+0(%rsp),%r14 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 0(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 32(%rbx),%rax - movq 64+0(%rbx),%r9 - movq 64+8(%rbx),%r10 - movq 64+16(%rbx),%r11 - movq 64+24(%rbx),%r12 - leaq 64-0(%rbx),%rsi - leaq 32(%rbx),%rbx - movq %xmm2,%rdi - call __ecp_nistz256_mul_montq - call __ecp_nistz256_mul_by_2q - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_toq - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 0+0(%rsp),%rax - movq 8+0(%rsp),%r14 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - movq %xmm1,%rdi - call __ecp_nistz256_sqr_montq - xorq %r9,%r9 - movq %r12,%rax - addq 
$-1,%r12 - movq %r13,%r10 - adcq %rsi,%r13 - movq %r14,%rcx - adcq $0,%r14 - movq %r15,%r8 - adcq %rbp,%r15 - adcq $0,%r9 - xorq %rsi,%rsi - testq $1,%rax - - cmovzq %rax,%r12 - cmovzq %r10,%r13 - cmovzq %rcx,%r14 - cmovzq %r8,%r15 - cmovzq %rsi,%r9 - - movq %r13,%rax - shrq $1,%r12 - shlq $63,%rax - movq %r14,%r10 - shrq $1,%r13 - orq %rax,%r12 - shlq $63,%r10 - movq %r15,%rcx - shrq $1,%r14 - orq %r10,%r13 - shlq $63,%rcx - movq %r12,0(%rdi) - shrq $1,%r15 - movq %r13,8(%rdi) - shlq $63,%r9 - orq %rcx,%r14 - orq %r9,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - movq 64(%rsp),%rax - leaq 64(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2q - - leaq 32(%rsp),%rbx - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_toq - - movq 96(%rsp),%rax - leaq 96(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2q - - movq 0+32(%rsp),%rax - movq 8+32(%rsp),%r14 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r15 - movq 24+32(%rsp),%r8 - movq %xmm0,%rdi - call __ecp_nistz256_sqr_montq - - leaq 128(%rsp),%rbx - movq %r14,%r8 - movq %r15,%r9 - movq %rsi,%r14 - movq %rbp,%r15 - call __ecp_nistz256_sub_fromq - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 0(%rsp),%rdi - call __ecp_nistz256_subq - - movq 32(%rsp),%rax - leaq 32(%rsp),%rbx - movq %r12,%r14 - xorl %ecx,%ecx - movq %r12,0+0(%rsp) - movq %r13,%r10 - movq %r13,0+8(%rsp) - cmovzq %r8,%r11 - movq %r8,0+16(%rsp) - leaq 0-0(%rsp),%rsi - cmovzq %r9,%r12 - movq %r9,0+24(%rsp) - movq %r14,%r9 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq %xmm1,%rbx - movq %xmm1,%rdi - call __ecp_nistz256_sub_fromq - - leaq 
160+56(%rsp),%rsi -.cfi_def_cfa %rsi,8 - movq -48(%rsi),%r15 -.cfi_restore %r15 - movq -40(%rsi),%r14 -.cfi_restore %r14 - movq -32(%rsi),%r13 -.cfi_restore %r13 - movq -24(%rsi),%r12 -.cfi_restore %r12 - movq -16(%rsi),%rbx -.cfi_restore %rbx - movq -8(%rsi),%rbp -.cfi_restore %rbp - leaq (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Lpoint_doubleq_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_point_double_nohw,.-ecp_nistz256_point_double_nohw -.globl ecp_nistz256_point_add_nohw -.hidden ecp_nistz256_point_add_nohw -.type ecp_nistz256_point_add_nohw,@function -.align 32 -ecp_nistz256_point_add_nohw: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 - subq $576+8,%rsp -.cfi_adjust_cfa_offset 32*18+8 -.Lpoint_addq_body: - - movdqu 0(%rsi),%xmm0 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq %rsi,%rbx - movq %rdx,%rsi - movdqa %xmm0,384(%rsp) - movdqa %xmm1,384+16(%rsp) - movdqa %xmm2,416(%rsp) - movdqa %xmm3,416+16(%rsp) - movdqa %xmm4,448(%rsp) - movdqa %xmm5,448+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rsi),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rsi),%xmm3 - movq 64+0(%rsi),%rax - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,480(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,480+16(%rsp) - movdqu 64(%rsi),%xmm0 - movdqu 80(%rsi),%xmm1 - movdqa %xmm2,512(%rsp) - movdqa %xmm3,512+16(%rsp) - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm0,%xmm1 - movq %rdi,%xmm0 - - leaq 64-0(%rsi),%rsi - movq %rax,544+0(%rsp) - movq %r14,544+8(%rsp) - movq 
%r15,544+16(%rsp) - movq %r8,544+24(%rsp) - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm1,%xmm4 - por %xmm1,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - movq 64+0(%rbx),%rax - movq 64+8(%rbx),%r14 - movq 64+16(%rbx),%r15 - movq 64+24(%rbx),%r8 - movq %rbx,%xmm1 - - leaq 64-0(%rbx),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 544(%rsp),%rax - leaq 544(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq 0+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 448(%rsp),%rax - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 416(%rsp),%rax - leaq 416(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq 0+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 512(%rsp),%rax - leaq 512(%rsp),%rbx - movq 0+256(%rsp),%r9 - movq 8+256(%rsp),%r10 - leaq 0+256(%rsp),%rsi - movq 16+256(%rsp),%r11 - movq 24+256(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 224(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - orq %r13,%r12 - movdqa %xmm4,%xmm2 - orq %r8,%r12 - orq %r9,%r12 - por %xmm5,%xmm2 - movq %r12,%xmm3 - - movq 384(%rsp),%rax - leaq 384(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq 0+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 480(%rsp),%rax - leaq 480(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 160(%rsp),%rbx 
- leaq 0(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - orq %r13,%r12 - orq %r8,%r12 - orq %r9,%r12 - - movq %xmm2,%r8 - movq %xmm3,%r9 - orq %r8,%r12 -.byte 0x3e - jnz .Ladd_proceedq - - - - testq %r9,%r9 - jz .Ladd_doubleq - - - - - - - movq %xmm0,%rdi - pxor %xmm0,%xmm0 - movdqu %xmm0,0(%rdi) - movdqu %xmm0,16(%rdi) - movdqu %xmm0,32(%rdi) - movdqu %xmm0,48(%rdi) - movdqu %xmm0,64(%rdi) - movdqu %xmm0,80(%rdi) - jmp .Ladd_doneq - -.align 32 -.Ladd_doubleq: - movq %xmm1,%rsi - movq %xmm0,%rdi - addq $416,%rsp -.cfi_adjust_cfa_offset -416 - jmp .Lpoint_double_shortcutq -.cfi_adjust_cfa_offset 416 - -.align 32 -.Ladd_proceedq: - movq 0+64(%rsp),%rax - movq 8+64(%rsp),%r14 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 448(%rsp),%rax - leaq 448(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 0+0(%rsp),%rax - movq 8+0(%rsp),%r14 - leaq 0+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 544(%rsp),%rax - leaq 544(%rsp),%rbx - movq 0+352(%rsp),%r9 - movq 8+352(%rsp),%r10 - leaq 0+352(%rsp),%rsi - movq 16+352(%rsp),%r11 - movq 24+352(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 0(%rsp),%rax - leaq 0(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 160(%rsp),%rax - leaq 160(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montq - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 96(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq 
$-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subq - - leaq 128(%rsp),%rbx - leaq 288(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 192+0(%rsp),%rax - movq 192+8(%rsp),%rbp - movq 192+16(%rsp),%rcx - movq 192+24(%rsp),%r10 - leaq 320(%rsp),%rdi - - call __ecp_nistz256_subq - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 128(%rsp),%rax - leaq 128(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq 0+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 320(%rsp),%rax - leaq 320(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 320(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 256(%rsp),%rbx - leaq 320(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 352(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 352+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 544(%rsp),%xmm2 - pand 544+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 480(%rsp),%xmm2 - pand 480+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 
384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 320(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 320+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 512(%rsp),%xmm2 - pand 512+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - -.Ladd_doneq: - leaq 576+56(%rsp),%rsi -.cfi_def_cfa %rsi,8 - movq -48(%rsi),%r15 -.cfi_restore %r15 - movq -40(%rsi),%r14 -.cfi_restore %r14 - movq -32(%rsi),%r13 -.cfi_restore %r13 - movq -24(%rsi),%r12 -.cfi_restore %r12 - movq -16(%rsi),%rbx -.cfi_restore %rbx - movq -8(%rsi),%rbp -.cfi_restore %rbp - leaq (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Lpoint_addq_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_point_add_nohw,.-ecp_nistz256_point_add_nohw -.globl ecp_nistz256_point_add_affine_nohw -.hidden ecp_nistz256_point_add_affine_nohw -.type ecp_nistz256_point_add_affine_nohw,@function -.align 32 -ecp_nistz256_point_add_affine_nohw: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 - subq $480+8,%rsp -.cfi_adjust_cfa_offset 32*15+8 -.Ladd_affineq_body: - - movdqu 0(%rsi),%xmm0 - movq %rdx,%rbx - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq 64+0(%rsi),%rax - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,320(%rsp) - movdqa 
%xmm1,320+16(%rsp) - movdqa %xmm2,352(%rsp) - movdqa %xmm3,352+16(%rsp) - movdqa %xmm4,384(%rsp) - movdqa %xmm5,384+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rbx),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rbx),%xmm1 - movdqu 32(%rbx),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rbx),%xmm3 - movdqa %xmm0,416(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,416+16(%rsp) - por %xmm0,%xmm1 - movq %rdi,%xmm0 - movdqa %xmm2,448(%rsp) - movdqa %xmm3,448+16(%rsp) - por %xmm2,%xmm3 - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm1,%xmm3 - - leaq 64-0(%rsi),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm3,%xmm4 - movq 0(%rbx),%rax - - movq %r12,%r9 - por %xmm3,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - movq %r13,%r10 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - movq %r14,%r11 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - - leaq 32-0(%rsp),%rsi - movq %r15,%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 320(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 384(%rsp),%rax - leaq 384(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 384(%rsp),%rax - leaq 384(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 288(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 448(%rsp),%rax - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq 0+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 352(%rsp),%rbx - leaq 96(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 0+64(%rsp),%rax - movq 8+64(%rsp),%r14 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 128(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 0+96(%rsp),%rax - movq 8+96(%rsp),%r14 - 
leaq 0+96(%rsp),%rsi - movq 16+96(%rsp),%r15 - movq 24+96(%rsp),%r8 - leaq 192(%rsp),%rdi - call __ecp_nistz256_sqr_montq - - movq 128(%rsp),%rax - leaq 128(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 320(%rsp),%rax - leaq 320(%rsp),%rbx - movq 0+128(%rsp),%r9 - movq 8+128(%rsp),%r10 - leaq 0+128(%rsp),%rsi - movq 16+128(%rsp),%r11 - movq 24+128(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montq - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 192(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subq - - leaq 160(%rsp),%rbx - leaq 224(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 64(%rsp),%rdi - - call __ecp_nistz256_subq - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 352(%rsp),%rax - leaq 352(%rsp),%rbx - movq 0+160(%rsp),%r9 - movq 8+160(%rsp),%r10 - leaq 0+160(%rsp),%rsi - movq 16+160(%rsp),%r11 - movq 24+160(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montq - - movq 96(%rsp),%rax - leaq 96(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq 0+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 64(%rsp),%rdi - call __ecp_nistz256_mul_montq - - leaq 32(%rsp),%rbx - leaq 256(%rsp),%rdi - call __ecp_nistz256_sub_fromq - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 
.LONE_mont(%rip),%xmm2 - pand .LONE_mont+16(%rip),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 224(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 224+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 320(%rsp),%xmm2 - pand 320+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 256(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 256+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 352(%rsp),%xmm2 - pand 352+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - - leaq 480+56(%rsp),%rsi -.cfi_def_cfa %rsi,8 - movq -48(%rsi),%r15 -.cfi_restore %r15 - movq -40(%rsi),%r14 -.cfi_restore %r14 - movq -32(%rsi),%r13 -.cfi_restore %r13 - movq -24(%rsi),%r12 -.cfi_restore %r12 - movq -16(%rsi),%rbx -.cfi_restore %rbx - movq -8(%rsi),%rbp -.cfi_restore %rbp - leaq (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Ladd_affineq_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_point_add_affine_nohw,.-ecp_nistz256_point_add_affine_nohw -.type __ecp_nistz256_add_tox,@function -.align 32 -__ecp_nistz256_add_tox: -.cfi_startproc - xorq %r11,%r11 - adcq 0(%rbx),%r12 - adcq 8(%rbx),%r13 - movq %r12,%rax - adcq 16(%rbx),%r8 - adcq 24(%rbx),%r9 - movq %r13,%rbp 
- adcq $0,%r11 - - xorq %r10,%r10 - sbbq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_add_tox,.-__ecp_nistz256_add_tox - -.type __ecp_nistz256_sub_fromx,@function -.align 32 -__ecp_nistz256_sub_fromx: -.cfi_startproc - xorq %r11,%r11 - sbbq 0(%rbx),%r12 - sbbq 8(%rbx),%r13 - movq %r12,%rax - sbbq 16(%rbx),%r8 - sbbq 24(%rbx),%r9 - movq %r13,%rbp - sbbq $0,%r11 - - xorq %r10,%r10 - adcq $-1,%r12 - movq %r8,%rcx - adcq %r14,%r13 - adcq $0,%r8 - movq %r9,%r10 - adcq %r15,%r9 - - btq $0,%r11 - cmovncq %rax,%r12 - cmovncq %rbp,%r13 - movq %r12,0(%rdi) - cmovncq %rcx,%r8 - movq %r13,8(%rdi) - cmovncq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - - ret -.cfi_endproc -.size __ecp_nistz256_sub_fromx,.-__ecp_nistz256_sub_fromx - -.type __ecp_nistz256_subx,@function -.align 32 -__ecp_nistz256_subx: -.cfi_startproc - xorq %r11,%r11 - sbbq %r12,%rax - sbbq %r13,%rbp - movq %rax,%r12 - sbbq %r8,%rcx - sbbq %r9,%r10 - movq %rbp,%r13 - sbbq $0,%r11 - - xorq %r9,%r9 - adcq $-1,%rax - movq %rcx,%r8 - adcq %r14,%rbp - adcq $0,%rcx - movq %r10,%r9 - adcq %r15,%r10 - - btq $0,%r11 - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - cmovcq %rcx,%r8 - cmovcq %r10,%r9 - - ret -.cfi_endproc -.size __ecp_nistz256_subx,.-__ecp_nistz256_subx - -.type __ecp_nistz256_mul_by_2x,@function -.align 32 -__ecp_nistz256_mul_by_2x: -.cfi_startproc - xorq %r11,%r11 - adcq %r12,%r12 - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - xorq %r10,%r10 - sbbq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - cmovcq %rbp,%r13 - movq %r12,0(%rdi) - cmovcq %rcx,%r8 - movq %r13,8(%rdi) - cmovcq %r10,%r9 - movq %r8,16(%rdi) - movq %r9,24(%rdi) - 
- ret -.cfi_endproc -.size __ecp_nistz256_mul_by_2x,.-__ecp_nistz256_mul_by_2x -.globl ecp_nistz256_point_double_adx -.hidden ecp_nistz256_point_double_adx -.type ecp_nistz256_point_double_adx,@function -.align 32 -ecp_nistz256_point_double_adx: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 - subq $160+8,%rsp -.cfi_adjust_cfa_offset 32*5+8 -.Lpoint_doublex_body: - -.Lpoint_double_shortcutx: - movdqu 0(%rsi),%xmm0 - movq %rsi,%rbx - movdqu 16(%rsi),%xmm1 - movq 32+0(%rsi),%r12 - movq 32+8(%rsi),%r13 - movq 32+16(%rsi),%r8 - movq 32+24(%rsi),%r9 - movq .Lpoly+8(%rip),%r14 - movq .Lpoly+24(%rip),%r15 - movdqa %xmm0,96(%rsp) - movdqa %xmm1,96+16(%rsp) - leaq 32(%rdi),%r10 - leaq 64(%rdi),%r11 - movq %rdi,%xmm0 - movq %r10,%xmm1 - movq %r11,%xmm2 - - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_by_2x - - movq 64+0(%rsi),%rdx - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - leaq 64-128(%rsi),%rsi - leaq 64(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 0+0(%rsp),%rdx - movq 8+0(%rsp),%r14 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 0(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 32(%rbx),%rdx - movq 64+0(%rbx),%r9 - movq 64+8(%rbx),%r10 - movq 64+16(%rbx),%r11 - movq 64+24(%rbx),%r12 - leaq 64-128(%rbx),%rsi - leaq 32(%rbx),%rbx - movq %xmm2,%rdi - call __ecp_nistz256_mul_montx - call __ecp_nistz256_mul_by_2x - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - movq 96+24(%rsp),%r9 - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_tox - - movq 96+0(%rsp),%r12 - movq 96+8(%rsp),%r13 - leaq 64(%rsp),%rbx - movq 96+16(%rsp),%r8 - 
movq 96+24(%rsp),%r9 - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 0+0(%rsp),%rdx - movq 8+0(%rsp),%r14 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - movq %xmm1,%rdi - call __ecp_nistz256_sqr_montx - xorq %r9,%r9 - movq %r12,%rax - addq $-1,%r12 - movq %r13,%r10 - adcq %rsi,%r13 - movq %r14,%rcx - adcq $0,%r14 - movq %r15,%r8 - adcq %rbp,%r15 - adcq $0,%r9 - xorq %rsi,%rsi - testq $1,%rax - - cmovzq %rax,%r12 - cmovzq %r10,%r13 - cmovzq %rcx,%r14 - cmovzq %r8,%r15 - cmovzq %rsi,%r9 - - movq %r13,%rax - shrq $1,%r12 - shlq $63,%rax - movq %r14,%r10 - shrq $1,%r13 - orq %rax,%r12 - shlq $63,%r10 - movq %r15,%rcx - shrq $1,%r14 - orq %r10,%r13 - shlq $63,%rcx - movq %r12,0(%rdi) - shrq $1,%r15 - movq %r13,8(%rdi) - shlq $63,%r9 - orq %rcx,%r14 - orq %r9,%r15 - movq %r14,16(%rdi) - movq %r15,24(%rdi) - movq 64(%rsp),%rdx - leaq 64(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2x - - leaq 32(%rsp),%rbx - leaq 32(%rsp),%rdi - call __ecp_nistz256_add_tox - - movq 96(%rsp),%rdx - leaq 96(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_by_2x - - movq 0+32(%rsp),%rdx - movq 8+32(%rsp),%r14 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r15 - movq 24+32(%rsp),%r8 - movq %xmm0,%rdi - call __ecp_nistz256_sqr_montx - - leaq 128(%rsp),%rbx - movq %r14,%r8 - movq %r15,%r9 - movq %rsi,%r14 - movq %rbp,%r15 - call __ecp_nistz256_sub_fromx - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 0(%rsp),%rdi - call __ecp_nistz256_subx - - movq 32(%rsp),%rdx - leaq 32(%rsp),%rbx - movq %r12,%r14 - xorl %ecx,%ecx - movq %r12,0+0(%rsp) - movq 
%r13,%r10 - movq %r13,0+8(%rsp) - cmovzq %r8,%r11 - movq %r8,0+16(%rsp) - leaq 0-128(%rsp),%rsi - cmovzq %r9,%r12 - movq %r9,0+24(%rsp) - movq %r14,%r9 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq %xmm1,%rbx - movq %xmm1,%rdi - call __ecp_nistz256_sub_fromx - - leaq 160+56(%rsp),%rsi -.cfi_def_cfa %rsi,8 - movq -48(%rsi),%r15 -.cfi_restore %r15 - movq -40(%rsi),%r14 -.cfi_restore %r14 - movq -32(%rsi),%r13 -.cfi_restore %r13 - movq -24(%rsi),%r12 -.cfi_restore %r12 - movq -16(%rsi),%rbx -.cfi_restore %rbx - movq -8(%rsi),%rbp -.cfi_restore %rbp - leaq (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Lpoint_doublex_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_point_double_adx,.-ecp_nistz256_point_double_adx -.globl ecp_nistz256_point_add_adx -.hidden ecp_nistz256_point_add_adx -.type ecp_nistz256_point_add_adx,@function -.align 32 -ecp_nistz256_point_add_adx: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 - subq $576+8,%rsp -.cfi_adjust_cfa_offset 32*18+8 -.Lpoint_addx_body: - - movdqu 0(%rsi),%xmm0 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq %rsi,%rbx - movq %rdx,%rsi - movdqa %xmm0,384(%rsp) - movdqa %xmm1,384+16(%rsp) - movdqa %xmm2,416(%rsp) - movdqa %xmm3,416+16(%rsp) - movdqa %xmm4,448(%rsp) - movdqa %xmm5,448+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rsi),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rsi),%xmm3 - movq 64+0(%rsi),%rdx - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,480(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - 
movdqa %xmm1,480+16(%rsp) - movdqu 64(%rsi),%xmm0 - movdqu 80(%rsi),%xmm1 - movdqa %xmm2,512(%rsp) - movdqa %xmm3,512+16(%rsp) - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm0,%xmm1 - movq %rdi,%xmm0 - - leaq 64-128(%rsi),%rsi - movq %rdx,544+0(%rsp) - movq %r14,544+8(%rsp) - movq %r15,544+16(%rsp) - movq %r8,544+24(%rsp) - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm1,%xmm4 - por %xmm1,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - movq 64+0(%rbx),%rdx - movq 64+8(%rbx),%r14 - movq 64+16(%rbx),%r15 - movq 64+24(%rbx),%r8 - movq %rbx,%xmm1 - - leaq 64-128(%rbx),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 544(%rsp),%rdx - leaq 544(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq -128+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 24+96(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 448(%rsp),%rdx - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 416(%rsp),%rdx - leaq 416(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq -128+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 224(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 512(%rsp),%rdx - leaq 512(%rsp),%rbx - movq 0+256(%rsp),%r9 - movq 8+256(%rsp),%r10 - leaq -128+256(%rsp),%rsi - movq 16+256(%rsp),%r11 - movq 24+256(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 224(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - orq %r13,%r12 - movdqa %xmm4,%xmm2 - orq %r8,%r12 - orq %r9,%r12 - por %xmm5,%xmm2 - movq %r12,%xmm3 - - movq 384(%rsp),%rdx - leaq 384(%rsp),%rbx - movq 0+96(%rsp),%r9 - movq 8+96(%rsp),%r10 - leaq -128+96(%rsp),%rsi - movq 16+96(%rsp),%r11 - movq 
24+96(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 480(%rsp),%rdx - leaq 480(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 160(%rsp),%rbx - leaq 0(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - orq %r13,%r12 - orq %r8,%r12 - orq %r9,%r12 - - movq %xmm2,%r8 - movq %xmm3,%r9 - orq %r8,%r12 -.byte 0x3e - jnz .Ladd_proceedx - - - - testq %r9,%r9 - jz .Ladd_doublex - - - - - - - movq %xmm0,%rdi - pxor %xmm0,%xmm0 - movdqu %xmm0,0(%rdi) - movdqu %xmm0,16(%rdi) - movdqu %xmm0,32(%rdi) - movdqu %xmm0,48(%rdi) - movdqu %xmm0,64(%rdi) - movdqu %xmm0,80(%rdi) - jmp .Ladd_donex - -.align 32 -.Ladd_doublex: - movq %xmm1,%rsi - movq %xmm0,%rdi - addq $416,%rsp -.cfi_adjust_cfa_offset -416 - jmp .Lpoint_double_shortcutx -.cfi_adjust_cfa_offset 416 - -.align 32 -.Ladd_proceedx: - movq 0+64(%rsp),%rdx - movq 8+64(%rsp),%r14 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 96(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 448(%rsp),%rdx - leaq 448(%rsp),%rbx - movq 0+0(%rsp),%r9 - movq 8+0(%rsp),%r10 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r11 - movq 24+0(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 0+0(%rsp),%rdx - movq 8+0(%rsp),%r14 - leaq -128+0(%rsp),%rsi - movq 16+0(%rsp),%r15 - movq 24+0(%rsp),%r8 - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 544(%rsp),%rdx - leaq 544(%rsp),%rbx - movq 0+352(%rsp),%r9 - movq 8+352(%rsp),%r10 - leaq -128+352(%rsp),%rsi - movq 16+352(%rsp),%r11 - movq 24+352(%rsp),%r12 - leaq 352(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 0(%rsp),%rdx - leaq 0(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 128(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 160(%rsp),%rdx - leaq 160(%rsp),%rbx - movq 
0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 192(%rsp),%rdi - call __ecp_nistz256_mul_montx - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 96(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subx - - leaq 128(%rsp),%rbx - leaq 288(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 192+0(%rsp),%rax - movq 192+8(%rsp),%rbp - movq 192+16(%rsp),%rcx - movq 192+24(%rsp),%r10 - leaq 320(%rsp),%rdi - - call __ecp_nistz256_subx - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 128(%rsp),%rdx - leaq 128(%rsp),%rbx - movq 0+224(%rsp),%r9 - movq 8+224(%rsp),%r10 - leaq -128+224(%rsp),%rsi - movq 16+224(%rsp),%r11 - movq 24+224(%rsp),%r12 - leaq 256(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 320(%rsp),%rdx - leaq 320(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 320(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 256(%rsp),%rbx - leaq 320(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 352(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 352+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 544(%rsp),%xmm2 - pand 544+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 
- pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 480(%rsp),%xmm2 - pand 480+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 320(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 320+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 512(%rsp),%xmm2 - pand 512+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - -.Ladd_donex: - leaq 576+56(%rsp),%rsi -.cfi_def_cfa %rsi,8 - movq -48(%rsi),%r15 -.cfi_restore %r15 - movq -40(%rsi),%r14 -.cfi_restore %r14 - movq -32(%rsi),%r13 -.cfi_restore %r13 - movq -24(%rsi),%r12 -.cfi_restore %r12 - movq -16(%rsi),%rbx -.cfi_restore %rbx - movq -8(%rsi),%rbp -.cfi_restore %rbp - leaq (%rsi),%rsp -.cfi_def_cfa_register %rsp -.Lpoint_addx_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_point_add_adx,.-ecp_nistz256_point_add_adx -.globl ecp_nistz256_point_add_affine_adx -.hidden ecp_nistz256_point_add_affine_adx -.type ecp_nistz256_point_add_affine_adx,@function -.align 32 -ecp_nistz256_point_add_affine_adx: -.cfi_startproc -_CET_ENDBR - pushq %rbp -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbp,-16 - pushq %rbx -.cfi_adjust_cfa_offset 8 -.cfi_offset %rbx,-24 - pushq %r12 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r12,-32 - pushq %r13 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r13,-40 - pushq %r14 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r14,-48 - pushq %r15 -.cfi_adjust_cfa_offset 8 -.cfi_offset %r15,-56 - subq $480+8,%rsp -.cfi_adjust_cfa_offset 
32*15+8 -.Ladd_affinex_body: - - movdqu 0(%rsi),%xmm0 - movq %rdx,%rbx - movdqu 16(%rsi),%xmm1 - movdqu 32(%rsi),%xmm2 - movdqu 48(%rsi),%xmm3 - movdqu 64(%rsi),%xmm4 - movdqu 80(%rsi),%xmm5 - movq 64+0(%rsi),%rdx - movq 64+8(%rsi),%r14 - movq 64+16(%rsi),%r15 - movq 64+24(%rsi),%r8 - movdqa %xmm0,320(%rsp) - movdqa %xmm1,320+16(%rsp) - movdqa %xmm2,352(%rsp) - movdqa %xmm3,352+16(%rsp) - movdqa %xmm4,384(%rsp) - movdqa %xmm5,384+16(%rsp) - por %xmm4,%xmm5 - - movdqu 0(%rbx),%xmm0 - pshufd $0xb1,%xmm5,%xmm3 - movdqu 16(%rbx),%xmm1 - movdqu 32(%rbx),%xmm2 - por %xmm3,%xmm5 - movdqu 48(%rbx),%xmm3 - movdqa %xmm0,416(%rsp) - pshufd $0x1e,%xmm5,%xmm4 - movdqa %xmm1,416+16(%rsp) - por %xmm0,%xmm1 - movq %rdi,%xmm0 - movdqa %xmm2,448(%rsp) - movdqa %xmm3,448+16(%rsp) - por %xmm2,%xmm3 - por %xmm4,%xmm5 - pxor %xmm4,%xmm4 - por %xmm1,%xmm3 - - leaq 64-128(%rsi),%rsi - leaq 32(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - pcmpeqd %xmm4,%xmm5 - pshufd $0xb1,%xmm3,%xmm4 - movq 0(%rbx),%rdx - - movq %r12,%r9 - por %xmm3,%xmm4 - pshufd $0,%xmm5,%xmm5 - pshufd $0x1e,%xmm4,%xmm3 - movq %r13,%r10 - por %xmm3,%xmm4 - pxor %xmm3,%xmm3 - movq %r14,%r11 - pcmpeqd %xmm3,%xmm4 - pshufd $0,%xmm4,%xmm4 - - leaq 32-128(%rsp),%rsi - movq %r15,%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 320(%rsp),%rbx - leaq 64(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 384(%rsp),%rdx - leaq 384(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 384(%rsp),%rdx - leaq 384(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 288(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 448(%rsp),%rdx - leaq 448(%rsp),%rbx - movq 0+32(%rsp),%r9 - movq 8+32(%rsp),%r10 - leaq -128+32(%rsp),%rsi - movq 16+32(%rsp),%r11 - movq 24+32(%rsp),%r12 - leaq 32(%rsp),%rdi - 
call __ecp_nistz256_mul_montx - - leaq 352(%rsp),%rbx - leaq 96(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 0+64(%rsp),%rdx - movq 8+64(%rsp),%r14 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r15 - movq 24+64(%rsp),%r8 - leaq 128(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 0+96(%rsp),%rdx - movq 8+96(%rsp),%r14 - leaq -128+96(%rsp),%rsi - movq 16+96(%rsp),%r15 - movq 24+96(%rsp),%r8 - leaq 192(%rsp),%rdi - call __ecp_nistz256_sqr_montx - - movq 128(%rsp),%rdx - leaq 128(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 160(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 320(%rsp),%rdx - leaq 320(%rsp),%rbx - movq 0+128(%rsp),%r9 - movq 8+128(%rsp),%r10 - leaq -128+128(%rsp),%rsi - movq 16+128(%rsp),%r11 - movq 24+128(%rsp),%r12 - leaq 0(%rsp),%rdi - call __ecp_nistz256_mul_montx - - - - - xorq %r11,%r11 - addq %r12,%r12 - leaq 192(%rsp),%rsi - adcq %r13,%r13 - movq %r12,%rax - adcq %r8,%r8 - adcq %r9,%r9 - movq %r13,%rbp - adcq $0,%r11 - - subq $-1,%r12 - movq %r8,%rcx - sbbq %r14,%r13 - sbbq $0,%r8 - movq %r9,%r10 - sbbq %r15,%r9 - sbbq $0,%r11 - - cmovcq %rax,%r12 - movq 0(%rsi),%rax - cmovcq %rbp,%r13 - movq 8(%rsi),%rbp - cmovcq %rcx,%r8 - movq 16(%rsi),%rcx - cmovcq %r10,%r9 - movq 24(%rsi),%r10 - - call __ecp_nistz256_subx - - leaq 160(%rsp),%rbx - leaq 224(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq 0+0(%rsp),%rax - movq 0+8(%rsp),%rbp - movq 0+16(%rsp),%rcx - movq 0+24(%rsp),%r10 - leaq 64(%rsp),%rdi - - call __ecp_nistz256_subx - - movq %r12,0(%rdi) - movq %r13,8(%rdi) - movq %r8,16(%rdi) - movq %r9,24(%rdi) - movq 352(%rsp),%rdx - leaq 352(%rsp),%rbx - movq 0+160(%rsp),%r9 - movq 8+160(%rsp),%r10 - leaq -128+160(%rsp),%rsi - movq 16+160(%rsp),%r11 - movq 24+160(%rsp),%r12 - leaq 32(%rsp),%rdi - call __ecp_nistz256_mul_montx - - movq 96(%rsp),%rdx - leaq 96(%rsp),%rbx - movq 0+64(%rsp),%r9 - movq 8+64(%rsp),%r10 - leaq -128+64(%rsp),%rsi - 
movq 16+64(%rsp),%r11 - movq 24+64(%rsp),%r12 - leaq 64(%rsp),%rdi - call __ecp_nistz256_mul_montx - - leaq 32(%rsp),%rbx - leaq 256(%rsp),%rdi - call __ecp_nistz256_sub_fromx - - movq %xmm0,%rdi - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 288(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 288+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand .LONE_mont(%rip),%xmm2 - pand .LONE_mont+16(%rip),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 384(%rsp),%xmm2 - pand 384+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,64(%rdi) - movdqu %xmm3,80(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 224(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 224+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 416(%rsp),%xmm2 - pand 416+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 320(%rsp),%xmm2 - pand 320+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,0(%rdi) - movdqu %xmm3,16(%rdi) - - movdqa %xmm5,%xmm0 - movdqa %xmm5,%xmm1 - pandn 256(%rsp),%xmm0 - movdqa %xmm5,%xmm2 - pandn 256+16(%rsp),%xmm1 - movdqa %xmm5,%xmm3 - pand 448(%rsp),%xmm2 - pand 448+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - - movdqa %xmm4,%xmm0 - movdqa %xmm4,%xmm1 - pandn %xmm2,%xmm0 - movdqa %xmm4,%xmm2 - pandn %xmm3,%xmm1 - movdqa %xmm4,%xmm3 - pand 352(%rsp),%xmm2 - pand 352+16(%rsp),%xmm3 - por %xmm0,%xmm2 - por %xmm1,%xmm3 - movdqu %xmm2,32(%rdi) - movdqu %xmm3,48(%rdi) - - leaq 480+56(%rsp),%rsi -.cfi_def_cfa %rsi,8 - movq -48(%rsi),%r15 -.cfi_restore %r15 - movq -40(%rsi),%r14 -.cfi_restore %r14 - movq -32(%rsi),%r13 -.cfi_restore %r13 - movq -24(%rsi),%r12 -.cfi_restore %r12 - movq -16(%rsi),%rbx -.cfi_restore %rbx - movq -8(%rsi),%rbp -.cfi_restore %rbp - leaq (%rsi),%rsp -.cfi_def_cfa_register %rsp 
-.Ladd_affinex_epilogue: - ret -.cfi_endproc -.size ecp_nistz256_point_add_affine_adx,.-ecp_nistz256_point_add_affine_adx #endif diff --git a/third_party/boringssl/gen/bcm/p256-x86_64-asm-win.asm b/third_party/boringssl/gen/bcm/p256-x86_64-asm-win.asm index 729e8ece..b8d0680e 100644 --- a/third_party/boringssl/gen/bcm/p256-x86_64-asm-win.asm +++ b/third_party/boringssl/gen/bcm/p256-x86_64-asm-win.asm @@ -15,21 +15,7 @@ section .text code align=64 -section .rdata rdata align=8 -ALIGN 64 -$L$poly: - DQ 0xffffffffffffffff,0x00000000ffffffff,0x0000000000000000,0xffffffff00000001 - -$L$One: - DD 1,1,1,1,1,1,1,1 -$L$Two: - DD 2,2,2,2,2,2,2,2 -$L$Three: - DD 3,3,3,3,3,3,3,3 -$L$ONE_mont: - DQ 0x0000000000000001,0xffffffff00000000,0xffffffffffffffff,0x00000000fffffffe - - +p256_constants: $L$ord: DQ 0xf3b9cac2fc632551,0xbce6faada7179e84,0xffffffffffffffff,0xffffffff00000000 $L$ordK: @@ -39,73 +25,6 @@ section .text -global ecp_nistz256_neg - -ALIGN 32 -ecp_nistz256_neg: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_neg: - mov rdi,rcx - mov rsi,rdx - - - -_CET_ENDBR - push r12 - - push r13 - -$L$neg_body: - - xor r8,r8 - xor r9,r9 - xor r10,r10 - xor r11,r11 - xor r13,r13 - - sub r8,QWORD[rsi] - sbb r9,QWORD[8+rsi] - sbb r10,QWORD[16+rsi] - mov rax,r8 - sbb r11,QWORD[24+rsi] - lea rsi,[$L$poly] - mov rdx,r9 - sbb r13,0 - - add r8,QWORD[rsi] - mov rcx,r10 - adc r9,QWORD[8+rsi] - adc r10,QWORD[16+rsi] - mov r12,r11 - adc r11,QWORD[24+rsi] - test r13,r13 - - cmovz r8,rax - cmovz r9,rdx - mov QWORD[rdi],r8 - cmovz r10,rcx - mov QWORD[8+rdi],r9 - cmovz r11,r12 - mov QWORD[16+rdi],r10 - mov QWORD[24+rdi],r11 - - mov r13,QWORD[rsp] - - mov r12,QWORD[8+rsp] - - lea rsp,[16+rsp] - -$L$neg_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_neg: - - - 
@@ -1210,3763 +1129,157 @@ $L$ord_sqrx_epilogue: ret $L$SEH_end_ecp_nistz256_ord_sqr_mont_adx: +EXTERN __imp_RtlVirtualUnwind - - - - -global ecp_nistz256_mul_mont_nohw - -ALIGN 32 -ecp_nistz256_mul_mont_nohw: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_mul_mont_nohw: - mov rdi,rcx - mov rsi,rdx - mov rdx,r8 - - - -_CET_ENDBR - push rbp - +ALIGN 16 +short_handler: + push rsi + push rdi push rbx - + push rbp push r12 - push r13 - push r14 - push r15 + pushfq + sub rsp,64 -$L$mul_body: - mov rbx,rdx - mov rax,QWORD[rdx] - mov r9,QWORD[rsi] - mov r10,QWORD[8+rsi] - mov r11,QWORD[16+rsi] - mov r12,QWORD[24+rsi] - - call __ecp_nistz256_mul_montq - - mov r15,QWORD[rsp] - - mov r14,QWORD[8+rsp] - - mov r13,QWORD[16+rsp] - - mov r12,QWORD[24+rsp] - - mov rbx,QWORD[32+rsp] - - mov rbp,QWORD[40+rsp] - - lea rsp,[48+rsp] + mov rax,QWORD[120+r8] + mov rbx,QWORD[248+r8] -$L$mul_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret + mov rsi,QWORD[8+r9] + mov r11,QWORD[56+r9] -$L$SEH_end_ecp_nistz256_mul_mont_nohw: + mov r10d,DWORD[r11] + lea r10,[r10*1+rsi] + cmp rbx,r10 + jb NEAR $L$common_seh_tail + mov rax,QWORD[152+r8] -ALIGN 32 -__ecp_nistz256_mul_montq: + mov r10d,DWORD[4+r11] + lea r10,[r10*1+rsi] + cmp rbx,r10 + jae NEAR $L$common_seh_tail + lea rax,[16+rax] + mov r12,QWORD[((-8))+rax] + mov r13,QWORD[((-16))+rax] + mov QWORD[216+r8],r12 + mov QWORD[224+r8],r13 - mov rbp,rax - mul r9 - mov r14,QWORD[(($L$poly+8))] - mov r8,rax - mov rax,rbp - mov r9,rdx + jmp NEAR $L$common_seh_tail - mul r10 - mov r15,QWORD[(($L$poly+24))] - add r9,rax - mov rax,rbp - adc rdx,0 - mov r10,rdx - mul r11 - add r10,rax - mov rax,rbp - adc rdx,0 - mov r11,rdx - mul r12 - add r11,rax - mov rax,r8 - adc rdx,0 - xor r13,r13 - mov r12,rdx +ALIGN 16 +full_handler: + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + mov rax,QWORD[120+r8] + mov 
rbx,QWORD[248+r8] + mov rsi,QWORD[8+r9] + mov r11,QWORD[56+r9] + mov r10d,DWORD[r11] + lea r10,[r10*1+rsi] + cmp rbx,r10 + jb NEAR $L$common_seh_tail + mov rax,QWORD[152+r8] + mov r10d,DWORD[4+r11] + lea r10,[r10*1+rsi] + cmp rbx,r10 + jae NEAR $L$common_seh_tail + mov r10d,DWORD[8+r11] + lea rax,[r10*1+rax] + mov rbp,QWORD[((-8))+rax] + mov rbx,QWORD[((-16))+rax] + mov r12,QWORD[((-24))+rax] + mov r13,QWORD[((-32))+rax] + mov r14,QWORD[((-40))+rax] + mov r15,QWORD[((-48))+rax] + mov QWORD[144+r8],rbx + mov QWORD[160+r8],rbp + mov QWORD[216+r8],r12 + mov QWORD[224+r8],r13 + mov QWORD[232+r8],r14 + mov QWORD[240+r8],r15 +$L$common_seh_tail: + mov rdi,QWORD[8+rax] + mov rsi,QWORD[16+rax] + mov QWORD[152+r8],rax + mov QWORD[168+r8],rsi + mov QWORD[176+r8],rdi + mov rdi,QWORD[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0xa548f3fc - mov rbp,r8 - shl r8,32 - mul r15 - shr rbp,32 - add r9,r8 - adc r10,rbp - adc r11,rax - mov rax,QWORD[8+rbx] - adc r12,rdx - adc r13,0 - xor r8,r8 + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD[8+rsi] + mov r8,QWORD[rsi] + mov r9,QWORD[16+rsi] + mov r10,QWORD[40+rsi] + lea r11,[56+rsi] + lea r12,[24+rsi] + mov QWORD[32+rsp],r10 + mov QWORD[40+rsp],r11 + mov QWORD[48+rsp],r12 + mov QWORD[56+rsp],rcx + call QWORD[__imp_RtlVirtualUnwind] + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + ret - mov rbp,rax - mul QWORD[rsi] - add r9,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx +section .pdata rdata align=4 +ALIGN 4 + DD $L$SEH_begin_ecp_nistz256_ord_mul_mont_nohw wrt ..imagebase + DD $L$SEH_end_ecp_nistz256_ord_mul_mont_nohw wrt ..imagebase + DD $L$SEH_info_ecp_nistz256_ord_mul_mont_nohw wrt ..imagebase - mul QWORD[8+rsi] - add r10,rcx - adc rdx,0 - add r10,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx + DD $L$SEH_begin_ecp_nistz256_ord_sqr_mont_nohw wrt ..imagebase + DD $L$SEH_end_ecp_nistz256_ord_sqr_mont_nohw wrt ..imagebase + DD $L$SEH_info_ecp_nistz256_ord_sqr_mont_nohw wrt ..imagebase + DD 
$L$SEH_begin_ecp_nistz256_ord_mul_mont_adx wrt ..imagebase + DD $L$SEH_end_ecp_nistz256_ord_mul_mont_adx wrt ..imagebase + DD $L$SEH_info_ecp_nistz256_ord_mul_mont_adx wrt ..imagebase - mul QWORD[16+rsi] - add r11,rcx - adc rdx,0 - add r11,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[24+rsi] - add r12,rcx - adc rdx,0 - add r12,rax - mov rax,r9 - adc r13,rdx - adc r8,0 - - - - mov rbp,r9 - shl r9,32 - mul r15 - shr rbp,32 - add r10,r9 - adc r11,rbp - adc r12,rax - mov rax,QWORD[16+rbx] - adc r13,rdx - adc r8,0 - xor r9,r9 - - - - mov rbp,rax - mul QWORD[rsi] - add r10,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[8+rsi] - add r11,rcx - adc rdx,0 - add r11,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[16+rsi] - add r12,rcx - adc rdx,0 - add r12,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[24+rsi] - add r13,rcx - adc rdx,0 - add r13,rax - mov rax,r10 - adc r8,rdx - adc r9,0 - - - - mov rbp,r10 - shl r10,32 - mul r15 - shr rbp,32 - add r11,r10 - adc r12,rbp - adc r13,rax - mov rax,QWORD[24+rbx] - adc r8,rdx - adc r9,0 - xor r10,r10 - - - - mov rbp,rax - mul QWORD[rsi] - add r11,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[8+rsi] - add r12,rcx - adc rdx,0 - add r12,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[16+rsi] - add r13,rcx - adc rdx,0 - add r13,rax - mov rax,rbp - adc rdx,0 - mov rcx,rdx - - mul QWORD[24+rsi] - add r8,rcx - adc rdx,0 - add r8,rax - mov rax,r11 - adc r9,rdx - adc r10,0 - - - - mov rbp,r11 - shl r11,32 - mul r15 - shr rbp,32 - add r12,r11 - adc r13,rbp - mov rcx,r12 - adc r8,rax - adc r9,rdx - mov rbp,r13 - adc r10,0 - - - - sub r12,-1 - mov rbx,r8 - sbb r13,r14 - sbb r8,0 - mov rdx,r9 - sbb r9,r15 - sbb r10,0 - - cmovc r12,rcx - cmovc r13,rbp - mov QWORD[rdi],r12 - cmovc r8,rbx - mov QWORD[8+rdi],r13 - cmovc r9,rdx - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - - - - - - - - - -global ecp_nistz256_sqr_mont_nohw - -ALIGN 32 -ecp_nistz256_sqr_mont_nohw: - mov 
QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_sqr_mont_nohw: - mov rdi,rcx - mov rsi,rdx - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - -$L$sqr_body: - mov rax,QWORD[rsi] - mov r14,QWORD[8+rsi] - mov r15,QWORD[16+rsi] - mov r8,QWORD[24+rsi] - - call __ecp_nistz256_sqr_montq - - mov r15,QWORD[rsp] - - mov r14,QWORD[8+rsp] - - mov r13,QWORD[16+rsp] - - mov r12,QWORD[24+rsp] - - mov rbx,QWORD[32+rsp] - - mov rbp,QWORD[40+rsp] - - lea rsp,[48+rsp] - -$L$sqr_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_sqr_mont_nohw: - - -ALIGN 32 -__ecp_nistz256_sqr_montq: - - mov r13,rax - mul r14 - mov r9,rax - mov rax,r15 - mov r10,rdx - - mul r13 - add r10,rax - mov rax,r8 - adc rdx,0 - mov r11,rdx - - mul r13 - add r11,rax - mov rax,r15 - adc rdx,0 - mov r12,rdx - - - mul r14 - add r11,rax - mov rax,r8 - adc rdx,0 - mov rbp,rdx - - mul r14 - add r12,rax - mov rax,r8 - adc rdx,0 - add r12,rbp - mov r13,rdx - adc r13,0 - - - mul r15 - xor r15,r15 - add r13,rax - mov rax,QWORD[rsi] - mov r14,rdx - adc r14,0 - - add r9,r9 - adc r10,r10 - adc r11,r11 - adc r12,r12 - adc r13,r13 - adc r14,r14 - adc r15,0 - - mul rax - mov r8,rax - mov rax,QWORD[8+rsi] - mov rcx,rdx - - mul rax - add r9,rcx - adc r10,rax - mov rax,QWORD[16+rsi] - adc rdx,0 - mov rcx,rdx - - mul rax - add r11,rcx - adc r12,rax - mov rax,QWORD[24+rsi] - adc rdx,0 - mov rcx,rdx - - mul rax - add r13,rcx - adc r14,rax - mov rax,r8 - adc r15,rdx - - mov rsi,QWORD[(($L$poly+8))] - mov rbp,QWORD[(($L$poly+24))] - - - - - mov rcx,r8 - shl r8,32 - mul rbp - shr rcx,32 - add r9,r8 - adc r10,rcx - adc r11,rax - mov rax,r9 - adc rdx,0 - - - - mov rcx,r9 - shl r9,32 - mov r8,rdx - mul rbp - shr rcx,32 - add r10,r9 - adc r11,rcx - adc r8,rax - mov rax,r10 - adc rdx,0 - - - - mov rcx,r10 - shl r10,32 - mov r9,rdx - mul rbp - shr rcx,32 - add r11,r10 - adc r8,rcx - adc r9,rax - 
mov rax,r11 - adc rdx,0 - - - - mov rcx,r11 - shl r11,32 - mov r10,rdx - mul rbp - shr rcx,32 - add r8,r11 - adc r9,rcx - adc r10,rax - adc rdx,0 - xor r11,r11 - - - - add r12,r8 - adc r13,r9 - mov r8,r12 - adc r14,r10 - adc r15,rdx - mov r9,r13 - adc r11,0 - - sub r12,-1 - mov r10,r14 - sbb r13,rsi - sbb r14,0 - mov rcx,r15 - sbb r15,rbp - sbb r11,0 - - cmovc r12,r8 - cmovc r13,r9 - mov QWORD[rdi],r12 - cmovc r14,r10 - mov QWORD[8+rdi],r13 - cmovc r15,rcx - mov QWORD[16+rdi],r14 - mov QWORD[24+rdi],r15 - - ret - - -global ecp_nistz256_mul_mont_adx - -ALIGN 32 -ecp_nistz256_mul_mont_adx: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_mul_mont_adx: - mov rdi,rcx - mov rsi,rdx - mov rdx,r8 - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - -$L$mulx_body: - mov rbx,rdx - mov rdx,QWORD[rdx] - mov r9,QWORD[rsi] - mov r10,QWORD[8+rsi] - mov r11,QWORD[16+rsi] - mov r12,QWORD[24+rsi] - lea rsi,[((-128))+rsi] - - call __ecp_nistz256_mul_montx - - mov r15,QWORD[rsp] - - mov r14,QWORD[8+rsp] - - mov r13,QWORD[16+rsp] - - mov r12,QWORD[24+rsp] - - mov rbx,QWORD[32+rsp] - - mov rbp,QWORD[40+rsp] - - lea rsp,[48+rsp] - -$L$mulx_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_mul_mont_adx: - - -ALIGN 32 -__ecp_nistz256_mul_montx: - - - - mulx r9,r8,r9 - mulx r10,rcx,r10 - mov r14,32 - xor r13,r13 - mulx r11,rbp,r11 - mov r15,QWORD[(($L$poly+24))] - adc r9,rcx - mulx r12,rcx,r12 - mov rdx,r8 - adc r10,rbp - shlx rbp,r8,r14 - adc r11,rcx - shrx rcx,r8,r14 - adc r12,0 - - - - add r9,rbp - adc r10,rcx - - mulx rbp,rcx,r15 - mov rdx,QWORD[8+rbx] - adc r11,rcx - adc r12,rbp - adc r13,0 - xor r8,r8 - - - - mulx rbp,rcx,QWORD[((0+128))+rsi] - adcx r9,rcx - adox r10,rbp - - mulx rbp,rcx,QWORD[((8+128))+rsi] - adcx r10,rcx - adox r11,rbp - - mulx rbp,rcx,QWORD[((16+128))+rsi] - adcx r11,rcx - adox r12,rbp - - mulx 
rbp,rcx,QWORD[((24+128))+rsi] - mov rdx,r9 - adcx r12,rcx - shlx rcx,r9,r14 - adox r13,rbp - shrx rbp,r9,r14 - - adcx r13,r8 - adox r8,r8 - adc r8,0 - - - - add r10,rcx - adc r11,rbp - - mulx rbp,rcx,r15 - mov rdx,QWORD[16+rbx] - adc r12,rcx - adc r13,rbp - adc r8,0 - xor r9,r9 - - - - mulx rbp,rcx,QWORD[((0+128))+rsi] - adcx r10,rcx - adox r11,rbp - - mulx rbp,rcx,QWORD[((8+128))+rsi] - adcx r11,rcx - adox r12,rbp - - mulx rbp,rcx,QWORD[((16+128))+rsi] - adcx r12,rcx - adox r13,rbp - - mulx rbp,rcx,QWORD[((24+128))+rsi] - mov rdx,r10 - adcx r13,rcx - shlx rcx,r10,r14 - adox r8,rbp - shrx rbp,r10,r14 - - adcx r8,r9 - adox r9,r9 - adc r9,0 - - - - add r11,rcx - adc r12,rbp - - mulx rbp,rcx,r15 - mov rdx,QWORD[24+rbx] - adc r13,rcx - adc r8,rbp - adc r9,0 - xor r10,r10 - - - - mulx rbp,rcx,QWORD[((0+128))+rsi] - adcx r11,rcx - adox r12,rbp - - mulx rbp,rcx,QWORD[((8+128))+rsi] - adcx r12,rcx - adox r13,rbp - - mulx rbp,rcx,QWORD[((16+128))+rsi] - adcx r13,rcx - adox r8,rbp - - mulx rbp,rcx,QWORD[((24+128))+rsi] - mov rdx,r11 - adcx r8,rcx - shlx rcx,r11,r14 - adox r9,rbp - shrx rbp,r11,r14 - - adcx r9,r10 - adox r10,r10 - adc r10,0 - - - - add r12,rcx - adc r13,rbp - - mulx rbp,rcx,r15 - mov rbx,r12 - mov r14,QWORD[(($L$poly+8))] - adc r8,rcx - mov rdx,r13 - adc r9,rbp - adc r10,0 - - - - xor eax,eax - mov rcx,r8 - sbb r12,-1 - sbb r13,r14 - sbb r8,0 - mov rbp,r9 - sbb r9,r15 - sbb r10,0 - - cmovc r12,rbx - cmovc r13,rdx - mov QWORD[rdi],r12 - cmovc r8,rcx - mov QWORD[8+rdi],r13 - cmovc r9,rbp - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - - -global ecp_nistz256_sqr_mont_adx - -ALIGN 32 -ecp_nistz256_sqr_mont_adx: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_sqr_mont_adx: - mov rdi,rcx - mov rsi,rdx - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - -$L$sqrx_body: - mov rdx,QWORD[rsi] - mov r14,QWORD[8+rsi] - mov r15,QWORD[16+rsi] - mov r8,QWORD[24+rsi] 
- lea rsi,[((-128))+rsi] - - call __ecp_nistz256_sqr_montx - - mov r15,QWORD[rsp] - - mov r14,QWORD[8+rsp] - - mov r13,QWORD[16+rsp] - - mov r12,QWORD[24+rsp] - - mov rbx,QWORD[32+rsp] - - mov rbp,QWORD[40+rsp] - - lea rsp,[48+rsp] - -$L$sqrx_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_sqr_mont_adx: - - -ALIGN 32 -__ecp_nistz256_sqr_montx: - - mulx r10,r9,r14 - mulx r11,rcx,r15 - xor eax,eax - adc r10,rcx - mulx r12,rbp,r8 - mov rdx,r14 - adc r11,rbp - adc r12,0 - xor r13,r13 - - - mulx rbp,rcx,r15 - adcx r11,rcx - adox r12,rbp - - mulx rbp,rcx,r8 - mov rdx,r15 - adcx r12,rcx - adox r13,rbp - adc r13,0 - - - mulx r14,rcx,r8 - mov rdx,QWORD[((0+128))+rsi] - xor r15,r15 - adcx r9,r9 - adox r13,rcx - adcx r10,r10 - adox r14,r15 - - mulx rbp,r8,rdx - mov rdx,QWORD[((8+128))+rsi] - adcx r11,r11 - adox r9,rbp - adcx r12,r12 - mulx rax,rcx,rdx - mov rdx,QWORD[((16+128))+rsi] - adcx r13,r13 - adox r10,rcx - adcx r14,r14 - DB 0x67 - mulx rbp,rcx,rdx - mov rdx,QWORD[((24+128))+rsi] - adox r11,rax - adcx r15,r15 - adox r12,rcx - mov rsi,32 - adox r13,rbp - DB 0x67,0x67 - mulx rax,rcx,rdx - mov rdx,QWORD[(($L$poly+24))] - adox r14,rcx - shlx rcx,r8,rsi - adox r15,rax - shrx rax,r8,rsi - mov rbp,rdx - - - add r9,rcx - adc r10,rax - - mulx r8,rcx,r8 - adc r11,rcx - shlx rcx,r9,rsi - adc r8,0 - shrx rax,r9,rsi - - - add r10,rcx - adc r11,rax - - mulx r9,rcx,r9 - adc r8,rcx - shlx rcx,r10,rsi - adc r9,0 - shrx rax,r10,rsi - - - add r11,rcx - adc r8,rax - - mulx r10,rcx,r10 - adc r9,rcx - shlx rcx,r11,rsi - adc r10,0 - shrx rax,r11,rsi - - - add r8,rcx - adc r9,rax - - mulx r11,rcx,r11 - adc r10,rcx - adc r11,0 - - xor rdx,rdx - add r12,r8 - mov rsi,QWORD[(($L$poly+8))] - adc r13,r9 - mov r8,r12 - adc r14,r10 - adc r15,r11 - mov r9,r13 - adc rdx,0 - - sub r12,-1 - mov r10,r14 - sbb r13,rsi - sbb r14,0 - mov r11,r15 - sbb r15,rbp - sbb rdx,0 - - cmovc r12,r8 - cmovc r13,r9 - mov QWORD[rdi],r12 - cmovc r14,r10 - mov 
QWORD[8+rdi],r13 - cmovc r15,r11 - mov QWORD[16+rdi],r14 - mov QWORD[24+rdi],r15 - - ret - - - - -global ecp_nistz256_select_w5_nohw - -ALIGN 32 -ecp_nistz256_select_w5_nohw: - -_CET_ENDBR - lea rax,[((-136))+rsp] -$L$SEH_begin_ecp_nistz256_select_w5_nohw: - DB 0x48,0x8d,0x60,0xe0 - DB 0x0f,0x29,0x70,0xe0 - DB 0x0f,0x29,0x78,0xf0 - DB 0x44,0x0f,0x29,0x00 - DB 0x44,0x0f,0x29,0x48,0x10 - DB 0x44,0x0f,0x29,0x50,0x20 - DB 0x44,0x0f,0x29,0x58,0x30 - DB 0x44,0x0f,0x29,0x60,0x40 - DB 0x44,0x0f,0x29,0x68,0x50 - DB 0x44,0x0f,0x29,0x70,0x60 - DB 0x44,0x0f,0x29,0x78,0x70 - movdqa xmm0,XMMWORD[$L$One] - movd xmm1,r8d - - pxor xmm2,xmm2 - pxor xmm3,xmm3 - pxor xmm4,xmm4 - pxor xmm5,xmm5 - pxor xmm6,xmm6 - pxor xmm7,xmm7 - - movdqa xmm8,xmm0 - pshufd xmm1,xmm1,0 - - mov rax,16 -$L$select_loop_sse_w5: - - movdqa xmm15,xmm8 - paddd xmm8,xmm0 - pcmpeqd xmm15,xmm1 - - movdqa xmm9,XMMWORD[rdx] - movdqa xmm10,XMMWORD[16+rdx] - movdqa xmm11,XMMWORD[32+rdx] - movdqa xmm12,XMMWORD[48+rdx] - movdqa xmm13,XMMWORD[64+rdx] - movdqa xmm14,XMMWORD[80+rdx] - lea rdx,[96+rdx] - - pand xmm9,xmm15 - pand xmm10,xmm15 - por xmm2,xmm9 - pand xmm11,xmm15 - por xmm3,xmm10 - pand xmm12,xmm15 - por xmm4,xmm11 - pand xmm13,xmm15 - por xmm5,xmm12 - pand xmm14,xmm15 - por xmm6,xmm13 - por xmm7,xmm14 - - dec rax - jnz NEAR $L$select_loop_sse_w5 - - movdqu XMMWORD[rcx],xmm2 - movdqu XMMWORD[16+rcx],xmm3 - movdqu XMMWORD[32+rcx],xmm4 - movdqu XMMWORD[48+rcx],xmm5 - movdqu XMMWORD[64+rcx],xmm6 - movdqu XMMWORD[80+rcx],xmm7 - movaps xmm6,XMMWORD[rsp] - movaps xmm7,XMMWORD[16+rsp] - movaps xmm8,XMMWORD[32+rsp] - movaps xmm9,XMMWORD[48+rsp] - movaps xmm10,XMMWORD[64+rsp] - movaps xmm11,XMMWORD[80+rsp] - movaps xmm12,XMMWORD[96+rsp] - movaps xmm13,XMMWORD[112+rsp] - movaps xmm14,XMMWORD[128+rsp] - movaps xmm15,XMMWORD[144+rsp] - lea rsp,[168+rsp] - ret - -$L$SEH_end_ecp_nistz256_select_w5_nohw: - - - - -global ecp_nistz256_select_w7_nohw - -ALIGN 32 -ecp_nistz256_select_w7_nohw: - -_CET_ENDBR - lea 
rax,[((-136))+rsp] -$L$SEH_begin_ecp_nistz256_select_w7_nohw: - DB 0x48,0x8d,0x60,0xe0 - DB 0x0f,0x29,0x70,0xe0 - DB 0x0f,0x29,0x78,0xf0 - DB 0x44,0x0f,0x29,0x00 - DB 0x44,0x0f,0x29,0x48,0x10 - DB 0x44,0x0f,0x29,0x50,0x20 - DB 0x44,0x0f,0x29,0x58,0x30 - DB 0x44,0x0f,0x29,0x60,0x40 - DB 0x44,0x0f,0x29,0x68,0x50 - DB 0x44,0x0f,0x29,0x70,0x60 - DB 0x44,0x0f,0x29,0x78,0x70 - movdqa xmm8,XMMWORD[$L$One] - movd xmm1,r8d - - pxor xmm2,xmm2 - pxor xmm3,xmm3 - pxor xmm4,xmm4 - pxor xmm5,xmm5 - - movdqa xmm0,xmm8 - pshufd xmm1,xmm1,0 - mov rax,64 - -$L$select_loop_sse_w7: - movdqa xmm15,xmm8 - paddd xmm8,xmm0 - movdqa xmm9,XMMWORD[rdx] - movdqa xmm10,XMMWORD[16+rdx] - pcmpeqd xmm15,xmm1 - movdqa xmm11,XMMWORD[32+rdx] - movdqa xmm12,XMMWORD[48+rdx] - lea rdx,[64+rdx] - - pand xmm9,xmm15 - pand xmm10,xmm15 - por xmm2,xmm9 - pand xmm11,xmm15 - por xmm3,xmm10 - pand xmm12,xmm15 - por xmm4,xmm11 - prefetcht0 [255+rdx] - por xmm5,xmm12 - - dec rax - jnz NEAR $L$select_loop_sse_w7 - - movdqu XMMWORD[rcx],xmm2 - movdqu XMMWORD[16+rcx],xmm3 - movdqu XMMWORD[32+rcx],xmm4 - movdqu XMMWORD[48+rcx],xmm5 - movaps xmm6,XMMWORD[rsp] - movaps xmm7,XMMWORD[16+rsp] - movaps xmm8,XMMWORD[32+rsp] - movaps xmm9,XMMWORD[48+rsp] - movaps xmm10,XMMWORD[64+rsp] - movaps xmm11,XMMWORD[80+rsp] - movaps xmm12,XMMWORD[96+rsp] - movaps xmm13,XMMWORD[112+rsp] - movaps xmm14,XMMWORD[128+rsp] - movaps xmm15,XMMWORD[144+rsp] - lea rsp,[168+rsp] - ret - -$L$SEH_end_ecp_nistz256_select_w7_nohw: - - - -global ecp_nistz256_select_w5_avx2 - -ALIGN 32 -ecp_nistz256_select_w5_avx2: - -_CET_ENDBR - vzeroupper - lea rax,[((-136))+rsp] - mov r11,rsp -$L$SEH_begin_ecp_nistz256_select_w5_avx2: - DB 0x48,0x8d,0x60,0xe0 - DB 0xc5,0xf8,0x29,0x70,0xe0 - DB 0xc5,0xf8,0x29,0x78,0xf0 - DB 0xc5,0x78,0x29,0x40,0x00 - DB 0xc5,0x78,0x29,0x48,0x10 - DB 0xc5,0x78,0x29,0x50,0x20 - DB 0xc5,0x78,0x29,0x58,0x30 - DB 0xc5,0x78,0x29,0x60,0x40 - DB 0xc5,0x78,0x29,0x68,0x50 - DB 0xc5,0x78,0x29,0x70,0x60 - DB 0xc5,0x78,0x29,0x78,0x70 - 
vmovdqa ymm0,YMMWORD[$L$Two] - - vpxor ymm2,ymm2,ymm2 - vpxor ymm3,ymm3,ymm3 - vpxor ymm4,ymm4,ymm4 - - vmovdqa ymm5,YMMWORD[$L$One] - vmovdqa ymm10,YMMWORD[$L$Two] - - vmovd xmm1,r8d - vpermd ymm1,ymm2,ymm1 - - mov rax,8 -$L$select_loop_avx2_w5: - - vmovdqa ymm6,YMMWORD[rdx] - vmovdqa ymm7,YMMWORD[32+rdx] - vmovdqa ymm8,YMMWORD[64+rdx] - - vmovdqa ymm11,YMMWORD[96+rdx] - vmovdqa ymm12,YMMWORD[128+rdx] - vmovdqa ymm13,YMMWORD[160+rdx] - - vpcmpeqd ymm9,ymm5,ymm1 - vpcmpeqd ymm14,ymm10,ymm1 - - vpaddd ymm5,ymm5,ymm0 - vpaddd ymm10,ymm10,ymm0 - lea rdx,[192+rdx] - - vpand ymm6,ymm6,ymm9 - vpand ymm7,ymm7,ymm9 - vpand ymm8,ymm8,ymm9 - vpand ymm11,ymm11,ymm14 - vpand ymm12,ymm12,ymm14 - vpand ymm13,ymm13,ymm14 - - vpxor ymm2,ymm2,ymm6 - vpxor ymm3,ymm3,ymm7 - vpxor ymm4,ymm4,ymm8 - vpxor ymm2,ymm2,ymm11 - vpxor ymm3,ymm3,ymm12 - vpxor ymm4,ymm4,ymm13 - - dec rax - jnz NEAR $L$select_loop_avx2_w5 - - vmovdqu YMMWORD[rcx],ymm2 - vmovdqu YMMWORD[32+rcx],ymm3 - vmovdqu YMMWORD[64+rcx],ymm4 - vzeroupper - movaps xmm6,XMMWORD[rsp] - movaps xmm7,XMMWORD[16+rsp] - movaps xmm8,XMMWORD[32+rsp] - movaps xmm9,XMMWORD[48+rsp] - movaps xmm10,XMMWORD[64+rsp] - movaps xmm11,XMMWORD[80+rsp] - movaps xmm12,XMMWORD[96+rsp] - movaps xmm13,XMMWORD[112+rsp] - movaps xmm14,XMMWORD[128+rsp] - movaps xmm15,XMMWORD[144+rsp] - lea rsp,[r11] - ret - -$L$SEH_end_ecp_nistz256_select_w5_avx2: - - - - -global ecp_nistz256_select_w7_avx2 - -ALIGN 32 -ecp_nistz256_select_w7_avx2: - -_CET_ENDBR - vzeroupper - mov r11,rsp - lea rax,[((-136))+rsp] -$L$SEH_begin_ecp_nistz256_select_w7_avx2: - DB 0x48,0x8d,0x60,0xe0 - DB 0xc5,0xf8,0x29,0x70,0xe0 - DB 0xc5,0xf8,0x29,0x78,0xf0 - DB 0xc5,0x78,0x29,0x40,0x00 - DB 0xc5,0x78,0x29,0x48,0x10 - DB 0xc5,0x78,0x29,0x50,0x20 - DB 0xc5,0x78,0x29,0x58,0x30 - DB 0xc5,0x78,0x29,0x60,0x40 - DB 0xc5,0x78,0x29,0x68,0x50 - DB 0xc5,0x78,0x29,0x70,0x60 - DB 0xc5,0x78,0x29,0x78,0x70 - vmovdqa ymm0,YMMWORD[$L$Three] - - vpxor ymm2,ymm2,ymm2 - vpxor ymm3,ymm3,ymm3 - - vmovdqa 
ymm4,YMMWORD[$L$One] - vmovdqa ymm8,YMMWORD[$L$Two] - vmovdqa ymm12,YMMWORD[$L$Three] - - vmovd xmm1,r8d - vpermd ymm1,ymm2,ymm1 - - - mov rax,21 -$L$select_loop_avx2_w7: - - vmovdqa ymm5,YMMWORD[rdx] - vmovdqa ymm6,YMMWORD[32+rdx] - - vmovdqa ymm9,YMMWORD[64+rdx] - vmovdqa ymm10,YMMWORD[96+rdx] - - vmovdqa ymm13,YMMWORD[128+rdx] - vmovdqa ymm14,YMMWORD[160+rdx] - - vpcmpeqd ymm7,ymm4,ymm1 - vpcmpeqd ymm11,ymm8,ymm1 - vpcmpeqd ymm15,ymm12,ymm1 - - vpaddd ymm4,ymm4,ymm0 - vpaddd ymm8,ymm8,ymm0 - vpaddd ymm12,ymm12,ymm0 - lea rdx,[192+rdx] - - vpand ymm5,ymm5,ymm7 - vpand ymm6,ymm6,ymm7 - vpand ymm9,ymm9,ymm11 - vpand ymm10,ymm10,ymm11 - vpand ymm13,ymm13,ymm15 - vpand ymm14,ymm14,ymm15 - - vpxor ymm2,ymm2,ymm5 - vpxor ymm3,ymm3,ymm6 - vpxor ymm2,ymm2,ymm9 - vpxor ymm3,ymm3,ymm10 - vpxor ymm2,ymm2,ymm13 - vpxor ymm3,ymm3,ymm14 - - dec rax - jnz NEAR $L$select_loop_avx2_w7 - - - vmovdqa ymm5,YMMWORD[rdx] - vmovdqa ymm6,YMMWORD[32+rdx] - - vpcmpeqd ymm7,ymm4,ymm1 - - vpand ymm5,ymm5,ymm7 - vpand ymm6,ymm6,ymm7 - - vpxor ymm2,ymm2,ymm5 - vpxor ymm3,ymm3,ymm6 - - vmovdqu YMMWORD[rcx],ymm2 - vmovdqu YMMWORD[32+rcx],ymm3 - vzeroupper - movaps xmm6,XMMWORD[rsp] - movaps xmm7,XMMWORD[16+rsp] - movaps xmm8,XMMWORD[32+rsp] - movaps xmm9,XMMWORD[48+rsp] - movaps xmm10,XMMWORD[64+rsp] - movaps xmm11,XMMWORD[80+rsp] - movaps xmm12,XMMWORD[96+rsp] - movaps xmm13,XMMWORD[112+rsp] - movaps xmm14,XMMWORD[128+rsp] - movaps xmm15,XMMWORD[144+rsp] - lea rsp,[r11] - ret - -$L$SEH_end_ecp_nistz256_select_w7_avx2: - - -ALIGN 32 -__ecp_nistz256_add_toq: - - xor r11,r11 - add r12,QWORD[rbx] - adc r13,QWORD[8+rbx] - mov rax,r12 - adc r8,QWORD[16+rbx] - adc r9,QWORD[24+rbx] - mov rbp,r13 - adc r11,0 - - sub r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - cmovc r13,rbp - mov QWORD[rdi],r12 - cmovc r8,rcx - mov QWORD[8+rdi],r13 - cmovc r9,r10 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - - - -ALIGN 32 -__ecp_nistz256_sub_fromq: - 
- sub r12,QWORD[rbx] - sbb r13,QWORD[8+rbx] - mov rax,r12 - sbb r8,QWORD[16+rbx] - sbb r9,QWORD[24+rbx] - mov rbp,r13 - sbb r11,r11 - - add r12,-1 - mov rcx,r8 - adc r13,r14 - adc r8,0 - mov r10,r9 - adc r9,r15 - test r11,r11 - - cmovz r12,rax - cmovz r13,rbp - mov QWORD[rdi],r12 - cmovz r8,rcx - mov QWORD[8+rdi],r13 - cmovz r9,r10 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - - - -ALIGN 32 -__ecp_nistz256_subq: - - sub rax,r12 - sbb rbp,r13 - mov r12,rax - sbb rcx,r8 - sbb r10,r9 - mov r13,rbp - sbb r11,r11 - - add rax,-1 - mov r8,rcx - adc rbp,r14 - adc rcx,0 - mov r9,r10 - adc r10,r15 - test r11,r11 - - cmovnz r12,rax - cmovnz r13,rbp - cmovnz r8,rcx - cmovnz r9,r10 - - ret - - - - -ALIGN 32 -__ecp_nistz256_mul_by_2q: - - xor r11,r11 - add r12,r12 - adc r13,r13 - mov rax,r12 - adc r8,r8 - adc r9,r9 - mov rbp,r13 - adc r11,0 - - sub r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - cmovc r13,rbp - mov QWORD[rdi],r12 - cmovc r8,rcx - mov QWORD[8+rdi],r13 - cmovc r9,r10 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - -global ecp_nistz256_point_double_nohw - -ALIGN 32 -ecp_nistz256_point_double_nohw: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_point_double_nohw: - mov rdi,rcx - mov rsi,rdx - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - - sub rsp,32*5+8 - -$L$point_doubleq_body: - -$L$point_double_shortcutq: - movdqu xmm0,XMMWORD[rsi] - mov rbx,rsi - movdqu xmm1,XMMWORD[16+rsi] - mov r12,QWORD[((32+0))+rsi] - mov r13,QWORD[((32+8))+rsi] - mov r8,QWORD[((32+16))+rsi] - mov r9,QWORD[((32+24))+rsi] - mov r14,QWORD[(($L$poly+8))] - mov r15,QWORD[(($L$poly+24))] - movdqa XMMWORD[96+rsp],xmm0 - movdqa XMMWORD[(96+16)+rsp],xmm1 - lea r10,[32+rdi] - lea r11,[64+rdi] - movq xmm0,rdi - movq xmm1,r10 - movq xmm2,r11 - - lea rdi,[rsp] - call __ecp_nistz256_mul_by_2q - - mov rax,QWORD[((64+0))+rsi] 
- mov r14,QWORD[((64+8))+rsi] - mov r15,QWORD[((64+16))+rsi] - mov r8,QWORD[((64+24))+rsi] - lea rsi,[((64-0))+rsi] - lea rdi,[64+rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[((0+0))+rsp] - mov r14,QWORD[((8+0))+rsp] - lea rsi,[((0+0))+rsp] - mov r15,QWORD[((16+0))+rsp] - mov r8,QWORD[((24+0))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[32+rbx] - mov r9,QWORD[((64+0))+rbx] - mov r10,QWORD[((64+8))+rbx] - mov r11,QWORD[((64+16))+rbx] - mov r12,QWORD[((64+24))+rbx] - lea rsi,[((64-0))+rbx] - lea rbx,[32+rbx] - movq rdi,xmm2 - call __ecp_nistz256_mul_montq - call __ecp_nistz256_mul_by_2q - - mov r12,QWORD[((96+0))+rsp] - mov r13,QWORD[((96+8))+rsp] - lea rbx,[64+rsp] - mov r8,QWORD[((96+16))+rsp] - mov r9,QWORD[((96+24))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_add_toq - - mov r12,QWORD[((96+0))+rsp] - mov r13,QWORD[((96+8))+rsp] - lea rbx,[64+rsp] - mov r8,QWORD[((96+16))+rsp] - mov r9,QWORD[((96+24))+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_sub_fromq - - mov rax,QWORD[((0+0))+rsp] - mov r14,QWORD[((8+0))+rsp] - lea rsi,[((0+0))+rsp] - mov r15,QWORD[((16+0))+rsp] - mov r8,QWORD[((24+0))+rsp] - movq rdi,xmm1 - call __ecp_nistz256_sqr_montq - xor r9,r9 - mov rax,r12 - add r12,-1 - mov r10,r13 - adc r13,rsi - mov rcx,r14 - adc r14,0 - mov r8,r15 - adc r15,rbp - adc r9,0 - xor rsi,rsi - test rax,1 - - cmovz r12,rax - cmovz r13,r10 - cmovz r14,rcx - cmovz r15,r8 - cmovz r9,rsi - - mov rax,r13 - shr r12,1 - shl rax,63 - mov r10,r14 - shr r13,1 - or r12,rax - shl r10,63 - mov rcx,r15 - shr r14,1 - or r13,r10 - shl rcx,63 - mov QWORD[rdi],r12 - shr r15,1 - mov QWORD[8+rdi],r13 - shl r9,63 - or r14,rcx - or r15,r9 - mov QWORD[16+rdi],r14 - mov QWORD[24+rdi],r15 - mov rax,QWORD[64+rsp] - lea rbx,[64+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montq - - lea rdi,[128+rsp] - call 
__ecp_nistz256_mul_by_2q - - lea rbx,[32+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_add_toq - - mov rax,QWORD[96+rsp] - lea rbx,[96+rsp] - mov r9,QWORD[((0+0))+rsp] - mov r10,QWORD[((8+0))+rsp] - lea rsi,[((0+0))+rsp] - mov r11,QWORD[((16+0))+rsp] - mov r12,QWORD[((24+0))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_mul_montq - - lea rdi,[128+rsp] - call __ecp_nistz256_mul_by_2q - - mov rax,QWORD[((0+32))+rsp] - mov r14,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r15,QWORD[((16+32))+rsp] - mov r8,QWORD[((24+32))+rsp] - movq rdi,xmm0 - call __ecp_nistz256_sqr_montq - - lea rbx,[128+rsp] - mov r8,r14 - mov r9,r15 - mov r14,rsi - mov r15,rbp - call __ecp_nistz256_sub_fromq - - mov rax,QWORD[((0+0))+rsp] - mov rbp,QWORD[((0+8))+rsp] - mov rcx,QWORD[((0+16))+rsp] - mov r10,QWORD[((0+24))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_subq - - mov rax,QWORD[32+rsp] - lea rbx,[32+rsp] - mov r14,r12 - xor ecx,ecx - mov QWORD[((0+0))+rsp],r12 - mov r10,r13 - mov QWORD[((0+8))+rsp],r13 - cmovz r11,r8 - mov QWORD[((0+16))+rsp],r8 - lea rsi,[((0-0))+rsp] - cmovz r12,r9 - mov QWORD[((0+24))+rsp],r9 - mov r9,r14 - lea rdi,[rsp] - call __ecp_nistz256_mul_montq - - movq rbx,xmm1 - movq rdi,xmm1 - call __ecp_nistz256_sub_fromq - - lea rsi,[((160+56))+rsp] - - mov r15,QWORD[((-48))+rsi] - - mov r14,QWORD[((-40))+rsi] - - mov r13,QWORD[((-32))+rsi] - - mov r12,QWORD[((-24))+rsi] - - mov rbx,QWORD[((-16))+rsi] - - mov rbp,QWORD[((-8))+rsi] - - lea rsp,[rsi] - -$L$point_doubleq_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_point_double_nohw: -global ecp_nistz256_point_add_nohw - -ALIGN 32 -ecp_nistz256_point_add_nohw: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_point_add_nohw: - mov rdi,rcx - mov rsi,rdx - mov rdx,r8 - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - - sub rsp,32*18+8 - -$L$point_addq_body: - - movdqu 
xmm0,XMMWORD[rsi] - movdqu xmm1,XMMWORD[16+rsi] - movdqu xmm2,XMMWORD[32+rsi] - movdqu xmm3,XMMWORD[48+rsi] - movdqu xmm4,XMMWORD[64+rsi] - movdqu xmm5,XMMWORD[80+rsi] - mov rbx,rsi - mov rsi,rdx - movdqa XMMWORD[384+rsp],xmm0 - movdqa XMMWORD[(384+16)+rsp],xmm1 - movdqa XMMWORD[416+rsp],xmm2 - movdqa XMMWORD[(416+16)+rsp],xmm3 - movdqa XMMWORD[448+rsp],xmm4 - movdqa XMMWORD[(448+16)+rsp],xmm5 - por xmm5,xmm4 - - movdqu xmm0,XMMWORD[rsi] - pshufd xmm3,xmm5,0xb1 - movdqu xmm1,XMMWORD[16+rsi] - movdqu xmm2,XMMWORD[32+rsi] - por xmm5,xmm3 - movdqu xmm3,XMMWORD[48+rsi] - mov rax,QWORD[((64+0))+rsi] - mov r14,QWORD[((64+8))+rsi] - mov r15,QWORD[((64+16))+rsi] - mov r8,QWORD[((64+24))+rsi] - movdqa XMMWORD[480+rsp],xmm0 - pshufd xmm4,xmm5,0x1e - movdqa XMMWORD[(480+16)+rsp],xmm1 - movdqu xmm0,XMMWORD[64+rsi] - movdqu xmm1,XMMWORD[80+rsi] - movdqa XMMWORD[512+rsp],xmm2 - movdqa XMMWORD[(512+16)+rsp],xmm3 - por xmm5,xmm4 - pxor xmm4,xmm4 - por xmm1,xmm0 - movq xmm0,rdi - - lea rsi,[((64-0))+rsi] - mov QWORD[((544+0))+rsp],rax - mov QWORD[((544+8))+rsp],r14 - mov QWORD[((544+16))+rsp],r15 - mov QWORD[((544+24))+rsp],r8 - lea rdi,[96+rsp] - call __ecp_nistz256_sqr_montq - - pcmpeqd xmm5,xmm4 - pshufd xmm4,xmm1,0xb1 - por xmm4,xmm1 - pshufd xmm5,xmm5,0 - pshufd xmm3,xmm4,0x1e - por xmm4,xmm3 - pxor xmm3,xmm3 - pcmpeqd xmm4,xmm3 - pshufd xmm4,xmm4,0 - mov rax,QWORD[((64+0))+rbx] - mov r14,QWORD[((64+8))+rbx] - mov r15,QWORD[((64+16))+rbx] - mov r8,QWORD[((64+24))+rbx] - movq xmm1,rbx - - lea rsi,[((64-0))+rbx] - lea rdi,[32+rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[544+rsp] - lea rbx,[544+rsp] - mov r9,QWORD[((0+96))+rsp] - mov r10,QWORD[((8+96))+rsp] - lea rsi,[((0+96))+rsp] - mov r11,QWORD[((16+96))+rsp] - mov r12,QWORD[((24+96))+rsp] - lea rdi,[224+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[448+rsp] - lea rbx,[448+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov 
r12,QWORD[((24+32))+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[416+rsp] - lea rbx,[416+rsp] - mov r9,QWORD[((0+224))+rsp] - mov r10,QWORD[((8+224))+rsp] - lea rsi,[((0+224))+rsp] - mov r11,QWORD[((16+224))+rsp] - mov r12,QWORD[((24+224))+rsp] - lea rdi,[224+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[512+rsp] - lea rbx,[512+rsp] - mov r9,QWORD[((0+256))+rsp] - mov r10,QWORD[((8+256))+rsp] - lea rsi,[((0+256))+rsp] - mov r11,QWORD[((16+256))+rsp] - mov r12,QWORD[((24+256))+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_mul_montq - - lea rbx,[224+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_sub_fromq - - or r12,r13 - movdqa xmm2,xmm4 - or r12,r8 - or r12,r9 - por xmm2,xmm5 - movq xmm3,r12 - - mov rax,QWORD[384+rsp] - lea rbx,[384+rsp] - mov r9,QWORD[((0+96))+rsp] - mov r10,QWORD[((8+96))+rsp] - lea rsi,[((0+96))+rsp] - mov r11,QWORD[((16+96))+rsp] - mov r12,QWORD[((24+96))+rsp] - lea rdi,[160+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[480+rsp] - lea rbx,[480+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[192+rsp] - call __ecp_nistz256_mul_montq - - lea rbx,[160+rsp] - lea rdi,[rsp] - call __ecp_nistz256_sub_fromq - - or r12,r13 - or r12,r8 - or r12,r9 - - movq r8,xmm2 - movq r9,xmm3 - or r12,r8 - DB 0x3e - jnz NEAR $L$add_proceedq - - - - test r9,r9 - jz NEAR $L$add_doubleq - - - - - - - movq rdi,xmm0 - pxor xmm0,xmm0 - movdqu XMMWORD[rdi],xmm0 - movdqu XMMWORD[16+rdi],xmm0 - movdqu XMMWORD[32+rdi],xmm0 - movdqu XMMWORD[48+rdi],xmm0 - movdqu XMMWORD[64+rdi],xmm0 - movdqu XMMWORD[80+rdi],xmm0 - jmp NEAR $L$add_doneq - -ALIGN 32 -$L$add_doubleq: - movq rsi,xmm1 - movq rdi,xmm0 - add rsp,416 - - jmp NEAR $L$point_double_shortcutq - - -ALIGN 32 -$L$add_proceedq: - mov rax,QWORD[((0+64))+rsp] - mov r14,QWORD[((8+64))+rsp] - lea rsi,[((0+64))+rsp] - mov r15,QWORD[((16+64))+rsp] - mov 
r8,QWORD[((24+64))+rsp] - lea rdi,[96+rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[448+rsp] - lea rbx,[448+rsp] - mov r9,QWORD[((0+0))+rsp] - mov r10,QWORD[((8+0))+rsp] - lea rsi,[((0+0))+rsp] - mov r11,QWORD[((16+0))+rsp] - mov r12,QWORD[((24+0))+rsp] - lea rdi,[352+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[((0+0))+rsp] - mov r14,QWORD[((8+0))+rsp] - lea rsi,[((0+0))+rsp] - mov r15,QWORD[((16+0))+rsp] - mov r8,QWORD[((24+0))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[544+rsp] - lea rbx,[544+rsp] - mov r9,QWORD[((0+352))+rsp] - mov r10,QWORD[((8+352))+rsp] - lea rsi,[((0+352))+rsp] - mov r11,QWORD[((16+352))+rsp] - mov r12,QWORD[((24+352))+rsp] - lea rdi,[352+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[rsp] - lea rbx,[rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[128+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[160+rsp] - lea rbx,[160+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[192+rsp] - call __ecp_nistz256_mul_montq - - - - - xor r11,r11 - add r12,r12 - lea rsi,[96+rsp] - adc r13,r13 - mov rax,r12 - adc r8,r8 - adc r9,r9 - mov rbp,r13 - adc r11,0 - - sub r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - mov rax,QWORD[rsi] - cmovc r13,rbp - mov rbp,QWORD[8+rsi] - cmovc r8,rcx - mov rcx,QWORD[16+rsi] - cmovc r9,r10 - mov r10,QWORD[24+rsi] - - call __ecp_nistz256_subq - - lea rbx,[128+rsp] - lea rdi,[288+rsp] - call __ecp_nistz256_sub_fromq - - mov rax,QWORD[((192+0))+rsp] - mov rbp,QWORD[((192+8))+rsp] - mov rcx,QWORD[((192+16))+rsp] - mov r10,QWORD[((192+24))+rsp] - lea rdi,[320+rsp] - - call __ecp_nistz256_subq - - mov QWORD[rdi],r12 - mov QWORD[8+rdi],r13 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - mov 
rax,QWORD[128+rsp] - lea rbx,[128+rsp] - mov r9,QWORD[((0+224))+rsp] - mov r10,QWORD[((8+224))+rsp] - lea rsi,[((0+224))+rsp] - mov r11,QWORD[((16+224))+rsp] - mov r12,QWORD[((24+224))+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[320+rsp] - lea rbx,[320+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((0+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[320+rsp] - call __ecp_nistz256_mul_montq - - lea rbx,[256+rsp] - lea rdi,[320+rsp] - call __ecp_nistz256_sub_fromq - - movq rdi,xmm0 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[352+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((352+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[544+rsp] - pand xmm3,XMMWORD[((544+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[448+rsp] - pand xmm3,XMMWORD[((448+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[64+rdi],xmm2 - movdqu XMMWORD[80+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[288+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((288+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[480+rsp] - pand xmm3,XMMWORD[((480+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[384+rsp] - pand xmm3,XMMWORD[((384+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[rdi],xmm2 - movdqu XMMWORD[16+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[320+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((320+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[512+rsp] - pand xmm3,XMMWORD[((512+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[416+rsp] - pand 
xmm3,XMMWORD[((416+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[32+rdi],xmm2 - movdqu XMMWORD[48+rdi],xmm3 - -$L$add_doneq: - lea rsi,[((576+56))+rsp] - - mov r15,QWORD[((-48))+rsi] - - mov r14,QWORD[((-40))+rsi] - - mov r13,QWORD[((-32))+rsi] - - mov r12,QWORD[((-24))+rsi] - - mov rbx,QWORD[((-16))+rsi] - - mov rbp,QWORD[((-8))+rsi] - - lea rsp,[rsi] - -$L$point_addq_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_point_add_nohw: -global ecp_nistz256_point_add_affine_nohw - -ALIGN 32 -ecp_nistz256_point_add_affine_nohw: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_point_add_affine_nohw: - mov rdi,rcx - mov rsi,rdx - mov rdx,r8 - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - - sub rsp,32*15+8 - -$L$add_affineq_body: - - movdqu xmm0,XMMWORD[rsi] - mov rbx,rdx - movdqu xmm1,XMMWORD[16+rsi] - movdqu xmm2,XMMWORD[32+rsi] - movdqu xmm3,XMMWORD[48+rsi] - movdqu xmm4,XMMWORD[64+rsi] - movdqu xmm5,XMMWORD[80+rsi] - mov rax,QWORD[((64+0))+rsi] - mov r14,QWORD[((64+8))+rsi] - mov r15,QWORD[((64+16))+rsi] - mov r8,QWORD[((64+24))+rsi] - movdqa XMMWORD[320+rsp],xmm0 - movdqa XMMWORD[(320+16)+rsp],xmm1 - movdqa XMMWORD[352+rsp],xmm2 - movdqa XMMWORD[(352+16)+rsp],xmm3 - movdqa XMMWORD[384+rsp],xmm4 - movdqa XMMWORD[(384+16)+rsp],xmm5 - por xmm5,xmm4 - - movdqu xmm0,XMMWORD[rbx] - pshufd xmm3,xmm5,0xb1 - movdqu xmm1,XMMWORD[16+rbx] - movdqu xmm2,XMMWORD[32+rbx] - por xmm5,xmm3 - movdqu xmm3,XMMWORD[48+rbx] - movdqa XMMWORD[416+rsp],xmm0 - pshufd xmm4,xmm5,0x1e - movdqa XMMWORD[(416+16)+rsp],xmm1 - por xmm1,xmm0 - movq xmm0,rdi - movdqa XMMWORD[448+rsp],xmm2 - movdqa XMMWORD[(448+16)+rsp],xmm3 - por xmm3,xmm2 - por xmm5,xmm4 - pxor xmm4,xmm4 - por xmm3,xmm1 - - lea rsi,[((64-0))+rsi] - lea rdi,[32+rsp] - call __ecp_nistz256_sqr_montq - - pcmpeqd xmm5,xmm4 - pshufd xmm4,xmm3,0xb1 - mov rax,QWORD[rbx] - - 
mov r9,r12 - por xmm4,xmm3 - pshufd xmm5,xmm5,0 - pshufd xmm3,xmm4,0x1e - mov r10,r13 - por xmm4,xmm3 - pxor xmm3,xmm3 - mov r11,r14 - pcmpeqd xmm4,xmm3 - pshufd xmm4,xmm4,0 - - lea rsi,[((32-0))+rsp] - mov r12,r15 - lea rdi,[rsp] - call __ecp_nistz256_mul_montq - - lea rbx,[320+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_sub_fromq - - mov rax,QWORD[384+rsp] - lea rbx,[384+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[384+rsp] - lea rbx,[384+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((0+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[288+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[448+rsp] - lea rbx,[448+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((0+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montq - - lea rbx,[352+rsp] - lea rdi,[96+rsp] - call __ecp_nistz256_sub_fromq - - mov rax,QWORD[((0+64))+rsp] - mov r14,QWORD[((8+64))+rsp] - lea rsi,[((0+64))+rsp] - mov r15,QWORD[((16+64))+rsp] - mov r8,QWORD[((24+64))+rsp] - lea rdi,[128+rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[((0+96))+rsp] - mov r14,QWORD[((8+96))+rsp] - lea rsi,[((0+96))+rsp] - mov r15,QWORD[((16+96))+rsp] - mov r8,QWORD[((24+96))+rsp] - lea rdi,[192+rsp] - call __ecp_nistz256_sqr_montq - - mov rax,QWORD[128+rsp] - lea rbx,[128+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((0+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[160+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[320+rsp] - lea rbx,[320+rsp] - mov r9,QWORD[((0+128))+rsp] - mov r10,QWORD[((8+128))+rsp] - lea rsi,[((0+128))+rsp] - mov r11,QWORD[((16+128))+rsp] - mov r12,QWORD[((24+128))+rsp] - lea 
rdi,[rsp] - call __ecp_nistz256_mul_montq - - - - - xor r11,r11 - add r12,r12 - lea rsi,[192+rsp] - adc r13,r13 - mov rax,r12 - adc r8,r8 - adc r9,r9 - mov rbp,r13 - adc r11,0 - - sub r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - mov rax,QWORD[rsi] - cmovc r13,rbp - mov rbp,QWORD[8+rsi] - cmovc r8,rcx - mov rcx,QWORD[16+rsi] - cmovc r9,r10 - mov r10,QWORD[24+rsi] - - call __ecp_nistz256_subq - - lea rbx,[160+rsp] - lea rdi,[224+rsp] - call __ecp_nistz256_sub_fromq - - mov rax,QWORD[((0+0))+rsp] - mov rbp,QWORD[((0+8))+rsp] - mov rcx,QWORD[((0+16))+rsp] - mov r10,QWORD[((0+24))+rsp] - lea rdi,[64+rsp] - - call __ecp_nistz256_subq - - mov QWORD[rdi],r12 - mov QWORD[8+rdi],r13 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - mov rax,QWORD[352+rsp] - lea rbx,[352+rsp] - mov r9,QWORD[((0+160))+rsp] - mov r10,QWORD[((8+160))+rsp] - lea rsi,[((0+160))+rsp] - mov r11,QWORD[((16+160))+rsp] - mov r12,QWORD[((24+160))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montq - - mov rax,QWORD[96+rsp] - lea rbx,[96+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((0+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_mul_montq - - lea rbx,[32+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_sub_fromq - - movq rdi,xmm0 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[288+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((288+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[$L$ONE_mont] - pand xmm3,XMMWORD[(($L$ONE_mont+16))] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[384+rsp] - pand xmm3,XMMWORD[((384+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[64+rdi],xmm2 - movdqu XMMWORD[80+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[224+rsp] - movdqa xmm2,xmm5 - pandn 
xmm1,XMMWORD[((224+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[416+rsp] - pand xmm3,XMMWORD[((416+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[320+rsp] - pand xmm3,XMMWORD[((320+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[rdi],xmm2 - movdqu XMMWORD[16+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[256+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((256+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[448+rsp] - pand xmm3,XMMWORD[((448+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[352+rsp] - pand xmm3,XMMWORD[((352+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[32+rdi],xmm2 - movdqu XMMWORD[48+rdi],xmm3 - - lea rsi,[((480+56))+rsp] - - mov r15,QWORD[((-48))+rsi] - - mov r14,QWORD[((-40))+rsi] - - mov r13,QWORD[((-32))+rsi] - - mov r12,QWORD[((-24))+rsi] - - mov rbx,QWORD[((-16))+rsi] - - mov rbp,QWORD[((-8))+rsi] - - lea rsp,[rsi] - -$L$add_affineq_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_point_add_affine_nohw: - -ALIGN 32 -__ecp_nistz256_add_tox: - - xor r11,r11 - adc r12,QWORD[rbx] - adc r13,QWORD[8+rbx] - mov rax,r12 - adc r8,QWORD[16+rbx] - adc r9,QWORD[24+rbx] - mov rbp,r13 - adc r11,0 - - xor r10,r10 - sbb r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - cmovc r13,rbp - mov QWORD[rdi],r12 - cmovc r8,rcx - mov QWORD[8+rdi],r13 - cmovc r9,r10 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - - - -ALIGN 32 -__ecp_nistz256_sub_fromx: - - xor r11,r11 - sbb r12,QWORD[rbx] - sbb r13,QWORD[8+rbx] - mov rax,r12 - sbb r8,QWORD[16+rbx] - sbb r9,QWORD[24+rbx] - mov rbp,r13 - sbb r11,0 - - xor r10,r10 - adc r12,-1 - mov rcx,r8 - adc 
r13,r14 - adc r8,0 - mov r10,r9 - adc r9,r15 - - bt r11,0 - cmovnc r12,rax - cmovnc r13,rbp - mov QWORD[rdi],r12 - cmovnc r8,rcx - mov QWORD[8+rdi],r13 - cmovnc r9,r10 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - - - -ALIGN 32 -__ecp_nistz256_subx: - - xor r11,r11 - sbb rax,r12 - sbb rbp,r13 - mov r12,rax - sbb rcx,r8 - sbb r10,r9 - mov r13,rbp - sbb r11,0 - - xor r9,r9 - adc rax,-1 - mov r8,rcx - adc rbp,r14 - adc rcx,0 - mov r9,r10 - adc r10,r15 - - bt r11,0 - cmovc r12,rax - cmovc r13,rbp - cmovc r8,rcx - cmovc r9,r10 - - ret - - - - -ALIGN 32 -__ecp_nistz256_mul_by_2x: - - xor r11,r11 - adc r12,r12 - adc r13,r13 - mov rax,r12 - adc r8,r8 - adc r9,r9 - mov rbp,r13 - adc r11,0 - - xor r10,r10 - sbb r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - cmovc r13,rbp - mov QWORD[rdi],r12 - cmovc r8,rcx - mov QWORD[8+rdi],r13 - cmovc r9,r10 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - - ret - - -global ecp_nistz256_point_double_adx - -ALIGN 32 -ecp_nistz256_point_double_adx: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_point_double_adx: - mov rdi,rcx - mov rsi,rdx - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - - sub rsp,32*5+8 - -$L$point_doublex_body: - -$L$point_double_shortcutx: - movdqu xmm0,XMMWORD[rsi] - mov rbx,rsi - movdqu xmm1,XMMWORD[16+rsi] - mov r12,QWORD[((32+0))+rsi] - mov r13,QWORD[((32+8))+rsi] - mov r8,QWORD[((32+16))+rsi] - mov r9,QWORD[((32+24))+rsi] - mov r14,QWORD[(($L$poly+8))] - mov r15,QWORD[(($L$poly+24))] - movdqa XMMWORD[96+rsp],xmm0 - movdqa XMMWORD[(96+16)+rsp],xmm1 - lea r10,[32+rdi] - lea r11,[64+rdi] - movq xmm0,rdi - movq xmm1,r10 - movq xmm2,r11 - - lea rdi,[rsp] - call __ecp_nistz256_mul_by_2x - - mov rdx,QWORD[((64+0))+rsi] - mov r14,QWORD[((64+8))+rsi] - mov r15,QWORD[((64+16))+rsi] - mov r8,QWORD[((64+24))+rsi] - lea rsi,[((64-128))+rsi] - lea rdi,[64+rsp] - 
call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[((0+0))+rsp] - mov r14,QWORD[((8+0))+rsp] - lea rsi,[((-128+0))+rsp] - mov r15,QWORD[((16+0))+rsp] - mov r8,QWORD[((24+0))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[32+rbx] - mov r9,QWORD[((64+0))+rbx] - mov r10,QWORD[((64+8))+rbx] - mov r11,QWORD[((64+16))+rbx] - mov r12,QWORD[((64+24))+rbx] - lea rsi,[((64-128))+rbx] - lea rbx,[32+rbx] - movq rdi,xmm2 - call __ecp_nistz256_mul_montx - call __ecp_nistz256_mul_by_2x - - mov r12,QWORD[((96+0))+rsp] - mov r13,QWORD[((96+8))+rsp] - lea rbx,[64+rsp] - mov r8,QWORD[((96+16))+rsp] - mov r9,QWORD[((96+24))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_add_tox - - mov r12,QWORD[((96+0))+rsp] - mov r13,QWORD[((96+8))+rsp] - lea rbx,[64+rsp] - mov r8,QWORD[((96+16))+rsp] - mov r9,QWORD[((96+24))+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_sub_fromx - - mov rdx,QWORD[((0+0))+rsp] - mov r14,QWORD[((8+0))+rsp] - lea rsi,[((-128+0))+rsp] - mov r15,QWORD[((16+0))+rsp] - mov r8,QWORD[((24+0))+rsp] - movq rdi,xmm1 - call __ecp_nistz256_sqr_montx - xor r9,r9 - mov rax,r12 - add r12,-1 - mov r10,r13 - adc r13,rsi - mov rcx,r14 - adc r14,0 - mov r8,r15 - adc r15,rbp - adc r9,0 - xor rsi,rsi - test rax,1 - - cmovz r12,rax - cmovz r13,r10 - cmovz r14,rcx - cmovz r15,r8 - cmovz r9,rsi - - mov rax,r13 - shr r12,1 - shl rax,63 - mov r10,r14 - shr r13,1 - or r12,rax - shl r10,63 - mov rcx,r15 - shr r14,1 - or r13,r10 - shl rcx,63 - mov QWORD[rdi],r12 - shr r15,1 - mov QWORD[8+rdi],r13 - shl r9,63 - or r14,rcx - or r15,r9 - mov QWORD[16+rdi],r14 - mov QWORD[24+rdi],r15 - mov rdx,QWORD[64+rsp] - lea rbx,[64+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montx - - lea rdi,[128+rsp] - call __ecp_nistz256_mul_by_2x - - lea rbx,[32+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_add_tox - - mov rdx,QWORD[96+rsp] - lea 
rbx,[96+rsp] - mov r9,QWORD[((0+0))+rsp] - mov r10,QWORD[((8+0))+rsp] - lea rsi,[((-128+0))+rsp] - mov r11,QWORD[((16+0))+rsp] - mov r12,QWORD[((24+0))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_mul_montx - - lea rdi,[128+rsp] - call __ecp_nistz256_mul_by_2x - - mov rdx,QWORD[((0+32))+rsp] - mov r14,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r15,QWORD[((16+32))+rsp] - mov r8,QWORD[((24+32))+rsp] - movq rdi,xmm0 - call __ecp_nistz256_sqr_montx - - lea rbx,[128+rsp] - mov r8,r14 - mov r9,r15 - mov r14,rsi - mov r15,rbp - call __ecp_nistz256_sub_fromx - - mov rax,QWORD[((0+0))+rsp] - mov rbp,QWORD[((0+8))+rsp] - mov rcx,QWORD[((0+16))+rsp] - mov r10,QWORD[((0+24))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_subx - - mov rdx,QWORD[32+rsp] - lea rbx,[32+rsp] - mov r14,r12 - xor ecx,ecx - mov QWORD[((0+0))+rsp],r12 - mov r10,r13 - mov QWORD[((0+8))+rsp],r13 - cmovz r11,r8 - mov QWORD[((0+16))+rsp],r8 - lea rsi,[((0-128))+rsp] - cmovz r12,r9 - mov QWORD[((0+24))+rsp],r9 - mov r9,r14 - lea rdi,[rsp] - call __ecp_nistz256_mul_montx - - movq rbx,xmm1 - movq rdi,xmm1 - call __ecp_nistz256_sub_fromx - - lea rsi,[((160+56))+rsp] - - mov r15,QWORD[((-48))+rsi] - - mov r14,QWORD[((-40))+rsi] - - mov r13,QWORD[((-32))+rsi] - - mov r12,QWORD[((-24))+rsi] - - mov rbx,QWORD[((-16))+rsi] - - mov rbp,QWORD[((-8))+rsi] - - lea rsp,[rsi] - -$L$point_doublex_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_point_double_adx: -global ecp_nistz256_point_add_adx - -ALIGN 32 -ecp_nistz256_point_add_adx: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_point_add_adx: - mov rdi,rcx - mov rsi,rdx - mov rdx,r8 - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - - sub rsp,32*18+8 - -$L$point_addx_body: - - movdqu xmm0,XMMWORD[rsi] - movdqu xmm1,XMMWORD[16+rsi] - movdqu xmm2,XMMWORD[32+rsi] - movdqu xmm3,XMMWORD[48+rsi] - movdqu 
xmm4,XMMWORD[64+rsi] - movdqu xmm5,XMMWORD[80+rsi] - mov rbx,rsi - mov rsi,rdx - movdqa XMMWORD[384+rsp],xmm0 - movdqa XMMWORD[(384+16)+rsp],xmm1 - movdqa XMMWORD[416+rsp],xmm2 - movdqa XMMWORD[(416+16)+rsp],xmm3 - movdqa XMMWORD[448+rsp],xmm4 - movdqa XMMWORD[(448+16)+rsp],xmm5 - por xmm5,xmm4 - - movdqu xmm0,XMMWORD[rsi] - pshufd xmm3,xmm5,0xb1 - movdqu xmm1,XMMWORD[16+rsi] - movdqu xmm2,XMMWORD[32+rsi] - por xmm5,xmm3 - movdqu xmm3,XMMWORD[48+rsi] - mov rdx,QWORD[((64+0))+rsi] - mov r14,QWORD[((64+8))+rsi] - mov r15,QWORD[((64+16))+rsi] - mov r8,QWORD[((64+24))+rsi] - movdqa XMMWORD[480+rsp],xmm0 - pshufd xmm4,xmm5,0x1e - movdqa XMMWORD[(480+16)+rsp],xmm1 - movdqu xmm0,XMMWORD[64+rsi] - movdqu xmm1,XMMWORD[80+rsi] - movdqa XMMWORD[512+rsp],xmm2 - movdqa XMMWORD[(512+16)+rsp],xmm3 - por xmm5,xmm4 - pxor xmm4,xmm4 - por xmm1,xmm0 - movq xmm0,rdi - - lea rsi,[((64-128))+rsi] - mov QWORD[((544+0))+rsp],rdx - mov QWORD[((544+8))+rsp],r14 - mov QWORD[((544+16))+rsp],r15 - mov QWORD[((544+24))+rsp],r8 - lea rdi,[96+rsp] - call __ecp_nistz256_sqr_montx - - pcmpeqd xmm5,xmm4 - pshufd xmm4,xmm1,0xb1 - por xmm4,xmm1 - pshufd xmm5,xmm5,0 - pshufd xmm3,xmm4,0x1e - por xmm4,xmm3 - pxor xmm3,xmm3 - pcmpeqd xmm4,xmm3 - pshufd xmm4,xmm4,0 - mov rdx,QWORD[((64+0))+rbx] - mov r14,QWORD[((64+8))+rbx] - mov r15,QWORD[((64+16))+rbx] - mov r8,QWORD[((64+24))+rbx] - movq xmm1,rbx - - lea rsi,[((64-128))+rbx] - lea rdi,[32+rsp] - call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[544+rsp] - lea rbx,[544+rsp] - mov r9,QWORD[((0+96))+rsp] - mov r10,QWORD[((8+96))+rsp] - lea rsi,[((-128+96))+rsp] - mov r11,QWORD[((16+96))+rsp] - mov r12,QWORD[((24+96))+rsp] - lea rdi,[224+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[448+rsp] - lea rbx,[448+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[416+rsp] - lea 
rbx,[416+rsp] - mov r9,QWORD[((0+224))+rsp] - mov r10,QWORD[((8+224))+rsp] - lea rsi,[((-128+224))+rsp] - mov r11,QWORD[((16+224))+rsp] - mov r12,QWORD[((24+224))+rsp] - lea rdi,[224+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[512+rsp] - lea rbx,[512+rsp] - mov r9,QWORD[((0+256))+rsp] - mov r10,QWORD[((8+256))+rsp] - lea rsi,[((-128+256))+rsp] - mov r11,QWORD[((16+256))+rsp] - mov r12,QWORD[((24+256))+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_mul_montx - - lea rbx,[224+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_sub_fromx - - or r12,r13 - movdqa xmm2,xmm4 - or r12,r8 - or r12,r9 - por xmm2,xmm5 - movq xmm3,r12 - - mov rdx,QWORD[384+rsp] - lea rbx,[384+rsp] - mov r9,QWORD[((0+96))+rsp] - mov r10,QWORD[((8+96))+rsp] - lea rsi,[((-128+96))+rsp] - mov r11,QWORD[((16+96))+rsp] - mov r12,QWORD[((24+96))+rsp] - lea rdi,[160+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[480+rsp] - lea rbx,[480+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[192+rsp] - call __ecp_nistz256_mul_montx - - lea rbx,[160+rsp] - lea rdi,[rsp] - call __ecp_nistz256_sub_fromx - - or r12,r13 - or r12,r8 - or r12,r9 - - movq r8,xmm2 - movq r9,xmm3 - or r12,r8 - DB 0x3e - jnz NEAR $L$add_proceedx - - - - test r9,r9 - jz NEAR $L$add_doublex - - - - - - - movq rdi,xmm0 - pxor xmm0,xmm0 - movdqu XMMWORD[rdi],xmm0 - movdqu XMMWORD[16+rdi],xmm0 - movdqu XMMWORD[32+rdi],xmm0 - movdqu XMMWORD[48+rdi],xmm0 - movdqu XMMWORD[64+rdi],xmm0 - movdqu XMMWORD[80+rdi],xmm0 - jmp NEAR $L$add_donex - -ALIGN 32 -$L$add_doublex: - movq rsi,xmm1 - movq rdi,xmm0 - add rsp,416 - - jmp NEAR $L$point_double_shortcutx - - -ALIGN 32 -$L$add_proceedx: - mov rdx,QWORD[((0+64))+rsp] - mov r14,QWORD[((8+64))+rsp] - lea rsi,[((-128+64))+rsp] - mov r15,QWORD[((16+64))+rsp] - mov r8,QWORD[((24+64))+rsp] - lea rdi,[96+rsp] - call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[448+rsp] - lea 
rbx,[448+rsp] - mov r9,QWORD[((0+0))+rsp] - mov r10,QWORD[((8+0))+rsp] - lea rsi,[((-128+0))+rsp] - mov r11,QWORD[((16+0))+rsp] - mov r12,QWORD[((24+0))+rsp] - lea rdi,[352+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[((0+0))+rsp] - mov r14,QWORD[((8+0))+rsp] - lea rsi,[((-128+0))+rsp] - mov r15,QWORD[((16+0))+rsp] - mov r8,QWORD[((24+0))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[544+rsp] - lea rbx,[544+rsp] - mov r9,QWORD[((0+352))+rsp] - mov r10,QWORD[((8+352))+rsp] - lea rsi,[((-128+352))+rsp] - mov r11,QWORD[((16+352))+rsp] - mov r12,QWORD[((24+352))+rsp] - lea rdi,[352+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[rsp] - lea rbx,[rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[128+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[160+rsp] - lea rbx,[160+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[192+rsp] - call __ecp_nistz256_mul_montx - - - - - xor r11,r11 - add r12,r12 - lea rsi,[96+rsp] - adc r13,r13 - mov rax,r12 - adc r8,r8 - adc r9,r9 - mov rbp,r13 - adc r11,0 - - sub r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - mov rax,QWORD[rsi] - cmovc r13,rbp - mov rbp,QWORD[8+rsi] - cmovc r8,rcx - mov rcx,QWORD[16+rsi] - cmovc r9,r10 - mov r10,QWORD[24+rsi] - - call __ecp_nistz256_subx - - lea rbx,[128+rsp] - lea rdi,[288+rsp] - call __ecp_nistz256_sub_fromx - - mov rax,QWORD[((192+0))+rsp] - mov rbp,QWORD[((192+8))+rsp] - mov rcx,QWORD[((192+16))+rsp] - mov r10,QWORD[((192+24))+rsp] - lea rdi,[320+rsp] - - call __ecp_nistz256_subx - - mov QWORD[rdi],r12 - mov QWORD[8+rdi],r13 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - mov rdx,QWORD[128+rsp] - lea rbx,[128+rsp] - mov r9,QWORD[((0+224))+rsp] - mov 
r10,QWORD[((8+224))+rsp] - lea rsi,[((-128+224))+rsp] - mov r11,QWORD[((16+224))+rsp] - mov r12,QWORD[((24+224))+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[320+rsp] - lea rbx,[320+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((-128+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[320+rsp] - call __ecp_nistz256_mul_montx - - lea rbx,[256+rsp] - lea rdi,[320+rsp] - call __ecp_nistz256_sub_fromx - - movq rdi,xmm0 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[352+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((352+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[544+rsp] - pand xmm3,XMMWORD[((544+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[448+rsp] - pand xmm3,XMMWORD[((448+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[64+rdi],xmm2 - movdqu XMMWORD[80+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[288+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((288+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[480+rsp] - pand xmm3,XMMWORD[((480+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[384+rsp] - pand xmm3,XMMWORD[((384+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[rdi],xmm2 - movdqu XMMWORD[16+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[320+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((320+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[512+rsp] - pand xmm3,XMMWORD[((512+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[416+rsp] - pand xmm3,XMMWORD[((416+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu 
XMMWORD[32+rdi],xmm2 - movdqu XMMWORD[48+rdi],xmm3 - -$L$add_donex: - lea rsi,[((576+56))+rsp] - - mov r15,QWORD[((-48))+rsi] - - mov r14,QWORD[((-40))+rsi] - - mov r13,QWORD[((-32))+rsi] - - mov r12,QWORD[((-24))+rsi] - - mov rbx,QWORD[((-16))+rsi] - - mov rbp,QWORD[((-8))+rsi] - - lea rsp,[rsi] - -$L$point_addx_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_point_add_adx: -global ecp_nistz256_point_add_affine_adx - -ALIGN 32 -ecp_nistz256_point_add_affine_adx: - mov QWORD[8+rsp],rdi ;WIN64 prologue - mov QWORD[16+rsp],rsi - mov rax,rsp -$L$SEH_begin_ecp_nistz256_point_add_affine_adx: - mov rdi,rcx - mov rsi,rdx - mov rdx,r8 - - - -_CET_ENDBR - push rbp - - push rbx - - push r12 - - push r13 - - push r14 - - push r15 - - sub rsp,32*15+8 - -$L$add_affinex_body: - - movdqu xmm0,XMMWORD[rsi] - mov rbx,rdx - movdqu xmm1,XMMWORD[16+rsi] - movdqu xmm2,XMMWORD[32+rsi] - movdqu xmm3,XMMWORD[48+rsi] - movdqu xmm4,XMMWORD[64+rsi] - movdqu xmm5,XMMWORD[80+rsi] - mov rdx,QWORD[((64+0))+rsi] - mov r14,QWORD[((64+8))+rsi] - mov r15,QWORD[((64+16))+rsi] - mov r8,QWORD[((64+24))+rsi] - movdqa XMMWORD[320+rsp],xmm0 - movdqa XMMWORD[(320+16)+rsp],xmm1 - movdqa XMMWORD[352+rsp],xmm2 - movdqa XMMWORD[(352+16)+rsp],xmm3 - movdqa XMMWORD[384+rsp],xmm4 - movdqa XMMWORD[(384+16)+rsp],xmm5 - por xmm5,xmm4 - - movdqu xmm0,XMMWORD[rbx] - pshufd xmm3,xmm5,0xb1 - movdqu xmm1,XMMWORD[16+rbx] - movdqu xmm2,XMMWORD[32+rbx] - por xmm5,xmm3 - movdqu xmm3,XMMWORD[48+rbx] - movdqa XMMWORD[416+rsp],xmm0 - pshufd xmm4,xmm5,0x1e - movdqa XMMWORD[(416+16)+rsp],xmm1 - por xmm1,xmm0 - movq xmm0,rdi - movdqa XMMWORD[448+rsp],xmm2 - movdqa XMMWORD[(448+16)+rsp],xmm3 - por xmm3,xmm2 - por xmm5,xmm4 - pxor xmm4,xmm4 - por xmm3,xmm1 - - lea rsi,[((64-128))+rsi] - lea rdi,[32+rsp] - call __ecp_nistz256_sqr_montx - - pcmpeqd xmm5,xmm4 - pshufd xmm4,xmm3,0xb1 - mov rdx,QWORD[rbx] - - mov r9,r12 - por xmm4,xmm3 - pshufd xmm5,xmm5,0 - pshufd xmm3,xmm4,0x1e 
- mov r10,r13 - por xmm4,xmm3 - pxor xmm3,xmm3 - mov r11,r14 - pcmpeqd xmm4,xmm3 - pshufd xmm4,xmm4,0 - - lea rsi,[((32-128))+rsp] - mov r12,r15 - lea rdi,[rsp] - call __ecp_nistz256_mul_montx - - lea rbx,[320+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_sub_fromx - - mov rdx,QWORD[384+rsp] - lea rbx,[384+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[384+rsp] - lea rbx,[384+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((-128+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[288+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[448+rsp] - lea rbx,[448+rsp] - mov r9,QWORD[((0+32))+rsp] - mov r10,QWORD[((8+32))+rsp] - lea rsi,[((-128+32))+rsp] - mov r11,QWORD[((16+32))+rsp] - mov r12,QWORD[((24+32))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montx - - lea rbx,[352+rsp] - lea rdi,[96+rsp] - call __ecp_nistz256_sub_fromx - - mov rdx,QWORD[((0+64))+rsp] - mov r14,QWORD[((8+64))+rsp] - lea rsi,[((-128+64))+rsp] - mov r15,QWORD[((16+64))+rsp] - mov r8,QWORD[((24+64))+rsp] - lea rdi,[128+rsp] - call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[((0+96))+rsp] - mov r14,QWORD[((8+96))+rsp] - lea rsi,[((-128+96))+rsp] - mov r15,QWORD[((16+96))+rsp] - mov r8,QWORD[((24+96))+rsp] - lea rdi,[192+rsp] - call __ecp_nistz256_sqr_montx - - mov rdx,QWORD[128+rsp] - lea rbx,[128+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((-128+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[160+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[320+rsp] - lea rbx,[320+rsp] - mov r9,QWORD[((0+128))+rsp] - mov r10,QWORD[((8+128))+rsp] - lea rsi,[((-128+128))+rsp] - mov r11,QWORD[((16+128))+rsp] - mov r12,QWORD[((24+128))+rsp] - lea rdi,[rsp] - call __ecp_nistz256_mul_montx - - - - - xor 
r11,r11 - add r12,r12 - lea rsi,[192+rsp] - adc r13,r13 - mov rax,r12 - adc r8,r8 - adc r9,r9 - mov rbp,r13 - adc r11,0 - - sub r12,-1 - mov rcx,r8 - sbb r13,r14 - sbb r8,0 - mov r10,r9 - sbb r9,r15 - sbb r11,0 - - cmovc r12,rax - mov rax,QWORD[rsi] - cmovc r13,rbp - mov rbp,QWORD[8+rsi] - cmovc r8,rcx - mov rcx,QWORD[16+rsi] - cmovc r9,r10 - mov r10,QWORD[24+rsi] - - call __ecp_nistz256_subx - - lea rbx,[160+rsp] - lea rdi,[224+rsp] - call __ecp_nistz256_sub_fromx - - mov rax,QWORD[((0+0))+rsp] - mov rbp,QWORD[((0+8))+rsp] - mov rcx,QWORD[((0+16))+rsp] - mov r10,QWORD[((0+24))+rsp] - lea rdi,[64+rsp] - - call __ecp_nistz256_subx - - mov QWORD[rdi],r12 - mov QWORD[8+rdi],r13 - mov QWORD[16+rdi],r8 - mov QWORD[24+rdi],r9 - mov rdx,QWORD[352+rsp] - lea rbx,[352+rsp] - mov r9,QWORD[((0+160))+rsp] - mov r10,QWORD[((8+160))+rsp] - lea rsi,[((-128+160))+rsp] - mov r11,QWORD[((16+160))+rsp] - mov r12,QWORD[((24+160))+rsp] - lea rdi,[32+rsp] - call __ecp_nistz256_mul_montx - - mov rdx,QWORD[96+rsp] - lea rbx,[96+rsp] - mov r9,QWORD[((0+64))+rsp] - mov r10,QWORD[((8+64))+rsp] - lea rsi,[((-128+64))+rsp] - mov r11,QWORD[((16+64))+rsp] - mov r12,QWORD[((24+64))+rsp] - lea rdi,[64+rsp] - call __ecp_nistz256_mul_montx - - lea rbx,[32+rsp] - lea rdi,[256+rsp] - call __ecp_nistz256_sub_fromx - - movq rdi,xmm0 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[288+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((288+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[$L$ONE_mont] - pand xmm3,XMMWORD[(($L$ONE_mont+16))] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[384+rsp] - pand xmm3,XMMWORD[((384+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[64+rdi],xmm2 - movdqu XMMWORD[80+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[224+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((224+16))+rsp] - movdqa xmm3,xmm5 - pand 
xmm2,XMMWORD[416+rsp] - pand xmm3,XMMWORD[((416+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[320+rsp] - pand xmm3,XMMWORD[((320+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[rdi],xmm2 - movdqu XMMWORD[16+rdi],xmm3 - - movdqa xmm0,xmm5 - movdqa xmm1,xmm5 - pandn xmm0,XMMWORD[256+rsp] - movdqa xmm2,xmm5 - pandn xmm1,XMMWORD[((256+16))+rsp] - movdqa xmm3,xmm5 - pand xmm2,XMMWORD[448+rsp] - pand xmm3,XMMWORD[((448+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - - movdqa xmm0,xmm4 - movdqa xmm1,xmm4 - pandn xmm0,xmm2 - movdqa xmm2,xmm4 - pandn xmm1,xmm3 - movdqa xmm3,xmm4 - pand xmm2,XMMWORD[352+rsp] - pand xmm3,XMMWORD[((352+16))+rsp] - por xmm2,xmm0 - por xmm3,xmm1 - movdqu XMMWORD[32+rdi],xmm2 - movdqu XMMWORD[48+rdi],xmm3 - - lea rsi,[((480+56))+rsp] - - mov r15,QWORD[((-48))+rsi] - - mov r14,QWORD[((-40))+rsi] - - mov r13,QWORD[((-32))+rsi] - - mov r12,QWORD[((-24))+rsi] - - mov rbx,QWORD[((-16))+rsi] - - mov rbp,QWORD[((-8))+rsi] - - lea rsp,[rsi] - -$L$add_affinex_epilogue: - mov rdi,QWORD[8+rsp] ;WIN64 epilogue - mov rsi,QWORD[16+rsp] - ret - -$L$SEH_end_ecp_nistz256_point_add_affine_adx: -EXTERN __imp_RtlVirtualUnwind - - -ALIGN 16 -short_handler: - push rsi - push rdi - push rbx - push rbp - push r12 - push r13 - push r14 - push r15 - pushfq - sub rsp,64 - - mov rax,QWORD[120+r8] - mov rbx,QWORD[248+r8] - - mov rsi,QWORD[8+r9] - mov r11,QWORD[56+r9] - - mov r10d,DWORD[r11] - lea r10,[r10*1+rsi] - cmp rbx,r10 - jb NEAR $L$common_seh_tail - - mov rax,QWORD[152+r8] - - mov r10d,DWORD[4+r11] - lea r10,[r10*1+rsi] - cmp rbx,r10 - jae NEAR $L$common_seh_tail - - lea rax,[16+rax] - - mov r12,QWORD[((-8))+rax] - mov r13,QWORD[((-16))+rax] - mov QWORD[216+r8],r12 - mov QWORD[224+r8],r13 - - jmp NEAR $L$common_seh_tail - - - -ALIGN 16 -full_handler: - push rsi - push rdi - push rbx - push rbp - push r12 - push r13 - push r14 - push 
r15 - pushfq - sub rsp,64 - - mov rax,QWORD[120+r8] - mov rbx,QWORD[248+r8] - - mov rsi,QWORD[8+r9] - mov r11,QWORD[56+r9] - - mov r10d,DWORD[r11] - lea r10,[r10*1+rsi] - cmp rbx,r10 - jb NEAR $L$common_seh_tail - - mov rax,QWORD[152+r8] - - mov r10d,DWORD[4+r11] - lea r10,[r10*1+rsi] - cmp rbx,r10 - jae NEAR $L$common_seh_tail - - mov r10d,DWORD[8+r11] - lea rax,[r10*1+rax] - - mov rbp,QWORD[((-8))+rax] - mov rbx,QWORD[((-16))+rax] - mov r12,QWORD[((-24))+rax] - mov r13,QWORD[((-32))+rax] - mov r14,QWORD[((-40))+rax] - mov r15,QWORD[((-48))+rax] - mov QWORD[144+r8],rbx - mov QWORD[160+r8],rbp - mov QWORD[216+r8],r12 - mov QWORD[224+r8],r13 - mov QWORD[232+r8],r14 - mov QWORD[240+r8],r15 - -$L$common_seh_tail: - mov rdi,QWORD[8+rax] - mov rsi,QWORD[16+rax] - mov QWORD[152+r8],rax - mov QWORD[168+r8],rsi - mov QWORD[176+r8],rdi - - mov rdi,QWORD[40+r9] - mov rsi,r8 - mov ecx,154 - DD 0xa548f3fc - - mov rsi,r9 - xor rcx,rcx - mov rdx,QWORD[8+rsi] - mov r8,QWORD[rsi] - mov r9,QWORD[16+rsi] - mov r10,QWORD[40+rsi] - lea r11,[56+rsi] - lea r12,[24+rsi] - mov QWORD[32+rsp],r10 - mov QWORD[40+rsp],r11 - mov QWORD[48+rsp],r12 - mov QWORD[56+rsp],rcx - call QWORD[__imp_RtlVirtualUnwind] - - mov eax,1 - add rsp,64 - popfq - pop r15 - pop r14 - pop r13 - pop r12 - pop rbp - pop rbx - pop rdi - pop rsi - ret - - -section .pdata rdata align=4 -ALIGN 4 - DD $L$SEH_begin_ecp_nistz256_neg wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_neg wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_neg wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_ord_mul_mont_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_ord_mul_mont_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_ord_mul_mont_nohw wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_ord_sqr_mont_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_ord_sqr_mont_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_ord_sqr_mont_nohw wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_ord_mul_mont_adx wrt ..imagebase - DD 
$L$SEH_end_ecp_nistz256_ord_mul_mont_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_ord_mul_mont_adx wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_ord_sqr_mont_adx wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_ord_sqr_mont_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_ord_sqr_mont_adx wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_mul_mont_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_mul_mont_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_mul_mont_nohw wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_sqr_mont_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_sqr_mont_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_sqr_mont_nohw wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_mul_mont_adx wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_mul_mont_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_mul_mont_adx wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_sqr_mont_adx wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_sqr_mont_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_sqr_mont_adx wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_select_w5_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_select_w5_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_select_wX_nohw wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_select_w7_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_select_w7_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_select_wX_nohw wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_select_w5_avx2 wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_select_w5_avx2 wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_select_wX_avx2 wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_select_w7_avx2 wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_select_w7_avx2 wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_select_wX_avx2 wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_point_double_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_point_double_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_point_double_nohw wrt ..imagebase - - DD 
$L$SEH_begin_ecp_nistz256_point_add_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_point_add_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_point_add_nohw wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_point_add_affine_nohw wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_point_add_affine_nohw wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_point_add_affine_nohw wrt ..imagebase - DD $L$SEH_begin_ecp_nistz256_point_double_adx wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_point_double_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_point_double_adx wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_point_add_adx wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_point_add_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_point_add_adx wrt ..imagebase - - DD $L$SEH_begin_ecp_nistz256_point_add_affine_adx wrt ..imagebase - DD $L$SEH_end_ecp_nistz256_point_add_affine_adx wrt ..imagebase - DD $L$SEH_info_ecp_nistz256_point_add_affine_adx wrt ..imagebase + DD $L$SEH_begin_ecp_nistz256_ord_sqr_mont_adx wrt ..imagebase + DD $L$SEH_end_ecp_nistz256_ord_sqr_mont_adx wrt ..imagebase + DD $L$SEH_info_ecp_nistz256_ord_sqr_mont_adx wrt ..imagebase section .xdata rdata align=8 ALIGN 8 -$L$SEH_info_ecp_nistz256_neg: - DB 9,0,0,0 - DD short_handler wrt ..imagebase - DD $L$neg_body wrt ..imagebase,$L$neg_epilogue wrt ..imagebase $L$SEH_info_ecp_nistz256_ord_mul_mont_nohw: DB 9,0,0,0 DD full_handler wrt ..imagebase 
@@ -4987,86 +1300,6 @@ $L$SEH_info_ecp_nistz256_ord_sqr_mont_adx: DD full_handler wrt ..imagebase DD $L$ord_sqrx_body wrt ..imagebase,$L$ord_sqrx_epilogue wrt ..imagebase DD 48,0 -$L$SEH_info_ecp_nistz256_mul_mont_nohw: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$mul_body wrt ..imagebase,$L$mul_epilogue wrt ..imagebase - DD 48,0 -$L$SEH_info_ecp_nistz256_sqr_mont_nohw: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$sqr_body wrt ..imagebase,$L$sqr_epilogue wrt ..imagebase - DD 48,0 -$L$SEH_info_ecp_nistz256_mul_mont_adx: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$mulx_body wrt ..imagebase,$L$mulx_epilogue wrt ..imagebase - DD 48,0 -$L$SEH_info_ecp_nistz256_sqr_mont_adx: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$sqrx_body wrt ..imagebase,$L$sqrx_epilogue wrt ..imagebase - DD 48,0 -$L$SEH_info_ecp_nistz256_select_wX_nohw: - DB 0x01,0x33,0x16,0x00 - DB 0x33,0xf8,0x09,0x00 - DB 0x2e,0xe8,0x08,0x00 - DB 0x29,0xd8,0x07,0x00 - DB 0x24,0xc8,0x06,0x00 - DB 0x1f,0xb8,0x05,0x00 - DB 0x1a,0xa8,0x04,0x00 - DB 0x15,0x98,0x03,0x00 - DB 0x10,0x88,0x02,0x00 - DB 0x0c,0x78,0x01,0x00 - DB 0x08,0x68,0x00,0x00 - DB 0x04,0x01,0x15,0x00 -ALIGN 8 -$L$SEH_info_ecp_nistz256_select_wX_avx2: - DB 0x01,0x36,0x17,0x0b - DB 0x36,0xf8,0x09,0x00 - DB 0x31,0xe8,0x08,0x00 - DB 0x2c,0xd8,0x07,0x00 - DB 0x27,0xc8,0x06,0x00 - DB 0x22,0xb8,0x05,0x00 - DB 0x1d,0xa8,0x04,0x00 - DB 0x18,0x98,0x03,0x00 - DB 0x13,0x88,0x02,0x00 - DB 0x0e,0x78,0x01,0x00 - DB 0x09,0x68,0x00,0x00 - DB 0x04,0x01,0x15,0x00 - DB 0x00,0xb3,0x00,0x00 -ALIGN 8 -$L$SEH_info_ecp_nistz256_point_double_nohw: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$point_doubleq_body wrt ..imagebase,$L$point_doubleq_epilogue wrt ..imagebase - DD 32*5+56,0 -$L$SEH_info_ecp_nistz256_point_add_nohw: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$point_addq_body wrt ..imagebase,$L$point_addq_epilogue wrt ..imagebase - DD 32*18+56,0 -$L$SEH_info_ecp_nistz256_point_add_affine_nohw: - DB 9,0,0,0 - 
DD full_handler wrt ..imagebase - DD $L$add_affineq_body wrt ..imagebase,$L$add_affineq_epilogue wrt ..imagebase - DD 32*15+56,0 -ALIGN 8 -$L$SEH_info_ecp_nistz256_point_double_adx: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$point_doublex_body wrt ..imagebase,$L$point_doublex_epilogue wrt ..imagebase - DD 32*5+56,0 -$L$SEH_info_ecp_nistz256_point_add_adx: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$point_addx_body wrt ..imagebase,$L$point_addx_epilogue wrt ..imagebase - DD 32*18+56,0 -$L$SEH_info_ecp_nistz256_point_add_affine_adx: - DB 9,0,0,0 - DD full_handler wrt ..imagebase - DD $L$add_affinex_body wrt ..imagebase,$L$add_affinex_epilogue wrt ..imagebase - DD 32*15+56,0 %else ; Work around https://bugzilla.nasm.us/show_bug.cgi?id=3392738 ret diff --git a/third_party/boringssl/gen/bcm/rdrand-x86_64-apple.S b/third_party/boringssl/gen/bcm/rdrand-x86_64-apple.S index 4f990d95..1b76d7ce 100644 --- a/third_party/boringssl/gen/bcm/rdrand-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/rdrand-x86_64-apple.S @@ -33,6 +33,7 @@ _CET_ENDBR .private_extern _CRYPTO_rdrand_multiple8_buf .p2align 4 +.alt_entry _CRYPTO_rdrand_multiple8_buf _CRYPTO_rdrand_multiple8_buf: _CET_ENDBR diff --git a/third_party/boringssl/gen/bcm/rsaz-avx2-apple.S b/third_party/boringssl/gen/bcm/rsaz-avx2-apple.S index 36723091..803be098 100644 --- a/third_party/boringssl/gen/bcm/rsaz-avx2-apple.S +++ b/third_party/boringssl/gen/bcm/rsaz-avx2-apple.S @@ -665,6 +665,7 @@ L$sqr_1024_epilogue: .private_extern _rsaz_1024_mul_avx2 .p2align 6 +.alt_entry _rsaz_1024_mul_avx2 _rsaz_1024_mul_avx2: _CET_ENDBR @@ -1222,6 +1223,7 @@ L$mul_1024_epilogue: .private_extern _rsaz_1024_red2norm_avx2 .p2align 5 +.alt_entry _rsaz_1024_red2norm_avx2 _rsaz_1024_red2norm_avx2: _CET_ENDBR @@ -1423,6 +1425,7 @@ _CET_ENDBR .private_extern _rsaz_1024_norm2red_avx2 .p2align 5 +.alt_entry _rsaz_1024_norm2red_avx2 _rsaz_1024_norm2red_avx2: _CET_ENDBR 
@@ -1584,6 +1587,7 @@ _CET_ENDBR .private_extern _rsaz_1024_scatter5_avx2 .p2align 5 +.alt_entry _rsaz_1024_scatter5_avx2 _rsaz_1024_scatter5_avx2: _CET_ENDBR @@ -1613,6 +1617,7 @@ L$oop_scatter_1024: .private_extern _rsaz_1024_gather5_avx2 .p2align 5 +.alt_entry _rsaz_1024_gather5_avx2 _rsaz_1024_gather5_avx2: _CET_ENDBR @@ -1733,7 +1738,9 @@ L$oop_gather_1024: L$SEH_end_rsaz_1024_gather5: .section __DATA,__const + .p2align 6 +rsaz_avx2_constants: L$and_mask: .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff L$scatter_permd: diff --git a/third_party/boringssl/gen/bcm/rsaz-avx2-linux.S b/third_party/boringssl/gen/bcm/rsaz-avx2-linux.S index 65a6c2e8..8374df4c 100644 --- a/third_party/boringssl/gen/bcm/rsaz-avx2-linux.S +++ b/third_party/boringssl/gen/bcm/rsaz-avx2-linux.S @@ -1733,7 +1733,9 @@ _CET_ENDBR .LSEH_end_rsaz_1024_gather5: .size rsaz_1024_gather5_avx2,.-rsaz_1024_gather5_avx2 .section .rodata + .align 64 +rsaz_avx2_constants: .Land_mask: .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff .Lscatter_permd: diff --git a/third_party/boringssl/gen/bcm/rsaz-avx2-win.asm b/third_party/boringssl/gen/bcm/rsaz-avx2-win.asm index a518277c..0dfaee66 100644 --- a/third_party/boringssl/gen/bcm/rsaz-avx2-win.asm +++ b/third_party/boringssl/gen/bcm/rsaz-avx2-win.asm @@ -1832,7 +1832,9 @@ $L$oop_gather_1024: $L$SEH_end_rsaz_1024_gather5: section .rdata rdata align=8 + ALIGN 64 +rsaz_avx2_constants: $L$and_mask: DQ 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff $L$scatter_permd: diff --git a/third_party/boringssl/gen/bcm/sha1-armv8-apple.S b/third_party/boringssl/gen/bcm/sha1-armv8-apple.S index 5744697f..547ca655 100644 --- a/third_party/boringssl/gen/bcm/sha1-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/sha1-armv8-apple.S @@ -1073,6 +1073,7 @@ Loop: .private_extern _sha1_block_data_order_hw .align 6 +.alt_entry _sha1_block_data_order_hw _sha1_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET 
@@ -1204,7 +1205,9 @@ Loop_hw: ret .section __TEXT,__const + .align 6 +sha1_constants: Lconst: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 //K_00_19 .long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 //K_20_39 diff --git a/third_party/boringssl/gen/bcm/sha1-armv8-linux.S b/third_party/boringssl/gen/bcm/sha1-armv8-linux.S index d6fb410f..9afcfdf2 100644 --- a/third_party/boringssl/gen/bcm/sha1-armv8-linux.S +++ b/third_party/boringssl/gen/bcm/sha1-armv8-linux.S @@ -1204,7 +1204,9 @@ sha1_block_data_order_hw: ret .size sha1_block_data_order_hw,.-sha1_block_data_order_hw .section .rodata + .align 6 +sha1_constants: .Lconst: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 //K_00_19 .long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 //K_20_39 diff --git a/third_party/boringssl/gen/bcm/sha1-armv8-win.S b/third_party/boringssl/gen/bcm/sha1-armv8-win.S index b8161b92..ccff4e88 100644 --- a/third_party/boringssl/gen/bcm/sha1-armv8-win.S +++ b/third_party/boringssl/gen/bcm/sha1-armv8-win.S @@ -1208,7 +1208,9 @@ Loop_hw: ret .section .rodata + .align 6 +sha1_constants: Lconst: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 //K_00_19 .long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 //K_20_39 diff --git a/third_party/boringssl/gen/bcm/sha1-x86_64-apple.S b/third_party/boringssl/gen/bcm/sha1-x86_64-apple.S index 32b3bc76..41e95c9d 100644 --- a/third_party/boringssl/gen/bcm/sha1-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/sha1-x86_64-apple.S @@ -1247,6 +1247,7 @@ L$epilogue: .private_extern _sha1_block_data_order_hw .p2align 5 +.alt_entry _sha1_block_data_order_hw _sha1_block_data_order_hw: _CET_ENDBR @@ -1419,6 +1420,7 @@ L$oop_shaext: .private_extern _sha1_block_data_order_ssse3 .p2align 4 +.alt_entry _sha1_block_data_order_ssse3 _sha1_block_data_order_ssse3: _CET_ENDBR @@ -2609,6 +2611,7 @@ L$epilogue_ssse3: .private_extern _sha1_block_data_order_avx .p2align 4 +.alt_entry _sha1_block_data_order_avx _sha1_block_data_order_avx: _CET_ENDBR 
@@ -3739,6 +3742,7 @@ L$epilogue_avx: .private_extern _sha1_block_data_order_avx2 .p2align 4 +.alt_entry _sha1_block_data_order_avx2 _sha1_block_data_order_avx2: _CET_ENDBR diff --git a/third_party/boringssl/gen/bcm/sha256-armv8-apple.S b/third_party/boringssl/gen/bcm/sha256-armv8-apple.S index 0cb6f72b..eb4af0a8 100644 --- a/third_party/boringssl/gen/bcm/sha256-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/sha256-armv8-apple.S @@ -1020,7 +1020,9 @@ Loop_16_xx: .section __TEXT,__const + .align 6 +sha256_constants: LK256: .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 @@ -1050,6 +1052,7 @@ LK256: .private_extern _sha256_block_data_order_hw .align 6 +.alt_entry _sha256_block_data_order_hw _sha256_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET diff --git a/third_party/boringssl/gen/bcm/sha256-armv8-linux.S b/third_party/boringssl/gen/bcm/sha256-armv8-linux.S index d2901be0..072263a6 100644 --- a/third_party/boringssl/gen/bcm/sha256-armv8-linux.S +++ b/third_party/boringssl/gen/bcm/sha256-armv8-linux.S @@ -1020,7 +1020,9 @@ sha256_block_data_order_nohw: .size sha256_block_data_order_nohw,.-sha256_block_data_order_nohw .section .rodata + .align 6 +sha256_constants: .type .LK256,%object .LK256: .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 diff --git a/third_party/boringssl/gen/bcm/sha256-armv8-win.S b/third_party/boringssl/gen/bcm/sha256-armv8-win.S index c603cf8b..ca668894 100644 --- a/third_party/boringssl/gen/bcm/sha256-armv8-win.S +++ b/third_party/boringssl/gen/bcm/sha256-armv8-win.S @@ -1022,7 +1022,9 @@ Loop_16_xx: .section .rodata + .align 6 +sha256_constants: LK256: .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 diff --git a/third_party/boringssl/gen/bcm/sha256-x86_64-apple.S b/third_party/boringssl/gen/bcm/sha256-x86_64-apple.S index 367f0d33..814dd256 100644 --- a/third_party/boringssl/gen/bcm/sha256-x86_64-apple.S 
+++ b/third_party/boringssl/gen/bcm/sha256-x86_64-apple.S @@ -1768,6 +1768,7 @@ K256: .private_extern _sha256_block_data_order_hw .p2align 6 +.alt_entry _sha256_block_data_order_hw _sha256_block_data_order_hw: _CET_ENDBR @@ -1979,6 +1980,7 @@ L$oop_shaext: .private_extern _sha256_block_data_order_ssse3 .p2align 6 +.alt_entry _sha256_block_data_order_ssse3 _sha256_block_data_order_ssse3: _CET_ENDBR @@ -3094,6 +3096,7 @@ L$epilogue_ssse3: .private_extern _sha256_block_data_order_avx .p2align 6 +.alt_entry _sha256_block_data_order_avx _sha256_block_data_order_avx: _CET_ENDBR diff --git a/third_party/boringssl/gen/bcm/sha512-armv8-apple.S b/third_party/boringssl/gen/bcm/sha512-armv8-apple.S index b6403a9c..173a769e 100644 --- a/third_party/boringssl/gen/bcm/sha512-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/sha512-armv8-apple.S @@ -1020,7 +1020,9 @@ Loop_16_xx: .section __TEXT,__const + .align 6 +sha512_constants: LK512: .quad 0x428a2f98d728ae22,0x7137449123ef65cd @@ -1074,6 +1076,7 @@ LK512: .private_extern _sha512_block_data_order_hw .align 6 +.alt_entry _sha512_block_data_order_hw _sha512_block_data_order_hw: // Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later. AARCH64_VALID_CALL_TARGET diff --git a/third_party/boringssl/gen/bcm/sha512-armv8-linux.S b/third_party/boringssl/gen/bcm/sha512-armv8-linux.S index f046a5c4..451d696d 100644 --- a/third_party/boringssl/gen/bcm/sha512-armv8-linux.S +++ b/third_party/boringssl/gen/bcm/sha512-armv8-linux.S @@ -1020,7 +1020,9 @@ sha512_block_data_order_nohw: .size sha512_block_data_order_nohw,.-sha512_block_data_order_nohw .section .rodata + .align 6 +sha512_constants: .type .LK512,%object .LK512: .quad 0x428a2f98d728ae22,0x7137449123ef65cd diff --git a/third_party/boringssl/gen/bcm/sha512-armv8-win.S b/third_party/boringssl/gen/bcm/sha512-armv8-win.S index 0d5ad5b9..a6a5be04 100644 --- a/third_party/boringssl/gen/bcm/sha512-armv8-win.S +++ b/third_party/boringssl/gen/bcm/sha512-armv8-win.S 
@@ -1022,7 +1022,9 @@ Loop_16_xx: .section .rodata + .align 6 +sha512_constants: LK512: .quad 0x428a2f98d728ae22,0x7137449123ef65cd diff --git a/third_party/boringssl/gen/bcm/sha512-x86_64-apple.S b/third_party/boringssl/gen/bcm/sha512-x86_64-apple.S index 58f27a48..9d9d3d01 100644 --- a/third_party/boringssl/gen/bcm/sha512-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/sha512-x86_64-apple.S @@ -1812,6 +1812,7 @@ K512: .private_extern _sha512_block_data_order_avx .p2align 6 +.alt_entry _sha512_block_data_order_avx _sha512_block_data_order_avx: _CET_ENDBR diff --git a/third_party/boringssl/gen/bcm/vpaes-armv8-apple.S b/third_party/boringssl/gen/bcm/vpaes-armv8-apple.S index d932f510..171c2986 100644 --- a/third_party/boringssl/gen/bcm/vpaes-armv8-apple.S +++ b/third_party/boringssl/gen/bcm/vpaes-armv8-apple.S @@ -133,6 +133,7 @@ _vpaes_encrypt_preheat: ## .align 4 +.alt_entry _vpaes_encrypt_core _vpaes_encrypt_core: mov x9, x2 ldr w8, [x2,#240] // pull rounds @@ -205,6 +206,7 @@ Lenc_entry: .private_extern _vpaes_encrypt .align 4 +.alt_entry _vpaes_encrypt _vpaes_encrypt: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! @@ -222,6 +224,7 @@ _vpaes_encrypt: .align 4 +.alt_entry _vpaes_encrypt_2x _vpaes_encrypt_2x: mov x9, x2 ldr w8, [x2,#240] // pull rounds @@ -328,6 +331,7 @@ Lenc_2x_entry: .align 4 +.alt_entry _vpaes_decrypt_preheat _vpaes_decrypt_preheat: adrp x10, Lk_inv@PAGE add x10, x10, Lk_inv@PAGEOFF @@ -348,6 +352,7 @@ _vpaes_decrypt_preheat: ## .align 4 +.alt_entry _vpaes_decrypt_core _vpaes_decrypt_core: mov x9, x2 ldr w8, [x2,#240] // pull rounds @@ -444,6 +449,7 @@ Ldec_entry: .private_extern _vpaes_decrypt .align 4 +.alt_entry _vpaes_decrypt _vpaes_decrypt: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! @@ -462,6 +468,7 @@ _vpaes_decrypt: // v14-v15 input, v0-v1 output .align 4 +.alt_entry _vpaes_decrypt_2x _vpaes_decrypt_2x: mov x9, x2 ldr w8, [x2,#240] // pull rounds 
@@ -602,6 +609,7 @@ Ldec_2x_entry: ######################################################## .align 4 +.alt_entry _vpaes_key_preheat _vpaes_key_preheat: adrp x10, Lk_inv@PAGE add x10, x10, Lk_inv@PAGEOFF @@ -624,6 +632,7 @@ _vpaes_key_preheat: .align 4 +.alt_entry _vpaes_schedule_core _vpaes_schedule_core: AARCH64_SIGN_LINK_REGISTER stp x29, x30, [sp,#-16]! @@ -815,6 +824,7 @@ Lschedule_mangle_last_dec: ## .align 4 +.alt_entry _vpaes_schedule_192_smear _vpaes_schedule_192_smear: movi v1.16b, #0 dup v0.4s, v7.s[3] @@ -848,6 +858,7 @@ _vpaes_schedule_192_smear: ## .align 4 +.alt_entry _vpaes_schedule_round _vpaes_schedule_round: // extract rcon from xmm8 movi v4.16b, #0 // vpxor %xmm4, %xmm4, %xmm4 @@ -862,6 +873,7 @@ _vpaes_schedule_round: // fall through... // low round: same as high round, but no rotation and no rcon. +.alt_entry _vpaes_schedule_low_round _vpaes_schedule_low_round: // smear xmm7 ext v1.16b, v4.16b, v7.16b, #12 // vpslldq $4, %xmm7, %xmm1 @@ -904,6 +916,7 @@ _vpaes_schedule_low_round: ## .align 4 +.alt_entry _vpaes_schedule_transform _vpaes_schedule_transform: and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 ushr v0.16b, v0.16b, #4 // vpsrlb $4, %xmm0, %xmm0 @@ -940,6 +953,7 @@ _vpaes_schedule_transform: ## .align 4 +.alt_entry _vpaes_schedule_mangle _vpaes_schedule_mangle: mov v4.16b, v0.16b // vmovdqa %xmm0, %xmm4 # save xmm0 for later // vmovdqa .Lk_mc_forward(%rip),%xmm5 @@ -1008,6 +1022,7 @@ Lschedule_mangle_both: .private_extern _vpaes_set_encrypt_key .align 4 +.alt_entry _vpaes_set_encrypt_key _vpaes_set_encrypt_key: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! @@ -1033,6 +1048,7 @@ _vpaes_set_encrypt_key: .private_extern _vpaes_set_decrypt_key .align 4 +.alt_entry _vpaes_set_decrypt_key _vpaes_set_decrypt_key: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! 
@@ -1061,11 +1077,12 @@ _vpaes_set_decrypt_key: .private_extern _vpaes_cbc_encrypt .align 4 +.alt_entry _vpaes_cbc_encrypt _vpaes_cbc_encrypt: AARCH64_SIGN_LINK_REGISTER cbz x2, Lcbc_abort cmp w5, #0 // check direction - b.eq vpaes_cbc_decrypt + b.eq Lcbc_decrypt stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1093,11 +1110,9 @@ Lcbc_abort: AARCH64_VALIDATE_LINK_REGISTER ret - - .align 4 -vpaes_cbc_decrypt: - // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to +Lcbc_decrypt: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lcbc_decrypt is jumped to // only from vpaes_cbc_encrypt which has already signed the return address. stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1147,6 +1162,7 @@ Lcbc_dec_done: .private_extern _vpaes_ctr32_encrypt_blocks .align 4 +.alt_entry _vpaes_ctr32_encrypt_blocks _vpaes_ctr32_encrypt_blocks: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-16]! diff --git a/third_party/boringssl/gen/bcm/vpaes-armv8-linux.S b/third_party/boringssl/gen/bcm/vpaes-armv8-linux.S index 010ccd2a..d043fc8a 100644 --- a/third_party/boringssl/gen/bcm/vpaes-armv8-linux.S +++ b/third_party/boringssl/gen/bcm/vpaes-armv8-linux.S @@ -1065,7 +1065,7 @@ vpaes_cbc_encrypt: AARCH64_SIGN_LINK_REGISTER cbz x2, .Lcbc_abort cmp w5, #0 // check direction - b.eq vpaes_cbc_decrypt + b.eq .Lcbc_decrypt stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1092,12 +1092,10 @@ vpaes_cbc_encrypt: .Lcbc_abort: AARCH64_VALIDATE_LINK_REGISTER ret -.size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt -.type vpaes_cbc_decrypt,%function .align 4 -vpaes_cbc_decrypt: - // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to +.Lcbc_decrypt: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lcbc_decrypt is jumped to // only from vpaes_cbc_encrypt which has already signed the return address. stp x29,x30,[sp,#-16]! add x29,sp,#0 
@@ -1142,7 +1140,7 @@ vpaes_cbc_decrypt: ldp x29,x30,[sp],#16 AARCH64_VALIDATE_LINK_REGISTER ret -.size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt +.size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt .globl vpaes_ctr32_encrypt_blocks .hidden vpaes_ctr32_encrypt_blocks .type vpaes_ctr32_encrypt_blocks,%function diff --git a/third_party/boringssl/gen/bcm/vpaes-armv8-win.S b/third_party/boringssl/gen/bcm/vpaes-armv8-win.S index 6160e9f7..76286348 100644 --- a/third_party/boringssl/gen/bcm/vpaes-armv8-win.S +++ b/third_party/boringssl/gen/bcm/vpaes-armv8-win.S @@ -1099,7 +1099,7 @@ vpaes_cbc_encrypt: AARCH64_SIGN_LINK_REGISTER cbz x2, Lcbc_abort cmp w5, #0 // check direction - b.eq vpaes_cbc_decrypt + b.eq Lcbc_decrypt stp x29,x30,[sp,#-16]! add x29,sp,#0 @@ -1127,13 +1127,9 @@ Lcbc_abort: AARCH64_VALIDATE_LINK_REGISTER ret - -.def vpaes_cbc_decrypt - .type 32 -.endef .align 4 -vpaes_cbc_decrypt: - // Not adding AARCH64_SIGN_LINK_REGISTER here because vpaes_cbc_decrypt is jumped to +Lcbc_decrypt: + // Not adding AARCH64_SIGN_LINK_REGISTER here because .Lcbc_decrypt is jumped to // only from vpaes_cbc_encrypt which has already signed the return address. stp x29,x30,[sp,#-16]! add x29,sp,#0 diff --git a/third_party/boringssl/gen/bcm/vpaes-x86_64-apple.S b/third_party/boringssl/gen/bcm/vpaes-x86_64-apple.S index bfcc030f..ef762301 100644 --- a/third_party/boringssl/gen/bcm/vpaes-x86_64-apple.S +++ b/third_party/boringssl/gen/bcm/vpaes-x86_64-apple.S @@ -139,6 +139,7 @@ L$enc_entry: .p2align 4 +.alt_entry _vpaes_encrypt_core_2x _vpaes_encrypt_core_2x: movq %rdx,%r9 @@ -290,6 +291,7 @@ L$enc2x_entry: .p2align 4 +.alt_entry _vpaes_decrypt_core _vpaes_decrypt_core: movq %rdx,%r9 @@ -398,6 +400,7 @@ L$dec_entry: .p2align 4 +.alt_entry _vpaes_schedule_core _vpaes_schedule_core: @@ -585,6 +588,7 @@ L$schedule_mangle_last_dec: .p2align 4 +.alt_entry _vpaes_schedule_192_smear _vpaes_schedule_192_smear: pshufd $0x80,%xmm6,%xmm1 
@@ -618,6 +622,7 @@ _vpaes_schedule_192_smear: .p2align 4 +.alt_entry _vpaes_schedule_round _vpaes_schedule_round: @@ -633,6 +638,7 @@ _vpaes_schedule_round: +.alt_entry _vpaes_schedule_low_round _vpaes_schedule_low_round: movdqa %xmm7,%xmm1 @@ -687,6 +693,7 @@ _vpaes_schedule_low_round: .p2align 4 +.alt_entry _vpaes_schedule_transform _vpaes_schedule_transform: movdqa %xmm9,%xmm1 @@ -727,6 +734,7 @@ _vpaes_schedule_transform: .p2align 4 +.alt_entry _vpaes_schedule_mangle _vpaes_schedule_mangle: movdqa %xmm0,%xmm4 @@ -803,6 +811,7 @@ L$schedule_mangle_both: .private_extern _vpaes_set_encrypt_key .p2align 4 +.alt_entry _vpaes_set_encrypt_key _vpaes_set_encrypt_key: _CET_ENDBR @@ -828,6 +837,7 @@ _CET_ENDBR .private_extern _vpaes_set_decrypt_key .p2align 4 +.alt_entry _vpaes_set_decrypt_key _vpaes_set_decrypt_key: _CET_ENDBR @@ -853,6 +863,7 @@ _CET_ENDBR .private_extern _vpaes_encrypt .p2align 4 +.alt_entry _vpaes_encrypt _vpaes_encrypt: _CET_ENDBR @@ -872,6 +883,7 @@ _CET_ENDBR .private_extern _vpaes_decrypt .p2align 4 +.alt_entry _vpaes_decrypt _vpaes_decrypt: _CET_ENDBR @@ -886,6 +898,7 @@ _CET_ENDBR .private_extern _vpaes_cbc_encrypt .p2align 4 +.alt_entry _vpaes_cbc_encrypt _vpaes_cbc_encrypt: _CET_ENDBR @@ -930,6 +943,7 @@ L$cbc_abort: .private_extern _vpaes_ctr32_encrypt_blocks .p2align 4 +.alt_entry _vpaes_ctr32_encrypt_blocks _vpaes_ctr32_encrypt_blocks: _CET_ENDBR @@ -998,6 +1012,7 @@ L$ctr32_abort: .p2align 4 +.alt_entry _vpaes_preheat _vpaes_preheat: leaq L$k_s0F(%rip),%r10 diff --git a/third_party/boringssl/gen/bcm/x86_64-mont-apple.S b/third_party/boringssl/gen/bcm/x86_64-mont-apple.S index 27a168d7..716ce608 100644 --- a/third_party/boringssl/gen/bcm/x86_64-mont-apple.S +++ b/third_party/boringssl/gen/bcm/x86_64-mont-apple.S @@ -252,6 +252,7 @@ L$mul_epilogue: .private_extern _bn_mul4x_mont .p2align 4 +.alt_entry _bn_mul4x_mont _bn_mul4x_mont: _CET_ENDBR 
@@ -688,6 +689,7 @@ L$mul4x_epilogue: .private_extern _bn_sqr8x_mont .p2align 5 +.alt_entry _bn_sqr8x_mont _bn_sqr8x_mont: _CET_ENDBR @@ -876,6 +878,7 @@ L$sqr8x_epilogue: .private_extern _bn_mulx4x_mont .p2align 5 +.alt_entry _bn_mulx4x_mont _bn_mulx4x_mont: _CET_ENDBR diff --git a/third_party/boringssl/gen/bcm/x86_64-mont5-apple.S b/third_party/boringssl/gen/bcm/x86_64-mont5-apple.S index cd7d797b..102f0ba1 100644 --- a/third_party/boringssl/gen/bcm/x86_64-mont5-apple.S +++ b/third_party/boringssl/gen/bcm/x86_64-mont5-apple.S @@ -448,6 +448,7 @@ L$mul_epilogue: .private_extern _bn_mul4x_mont_gather5 .p2align 5 +.alt_entry _bn_mul4x_mont_gather5 _bn_mul4x_mont_gather5: _CET_ENDBR @@ -554,6 +555,7 @@ L$mul4x_epilogue: .p2align 5 +.alt_entry mul4x_internal mul4x_internal: shlq $5,%r9 @@ -1085,6 +1087,7 @@ L$inner4x: .private_extern _bn_power5_nohw .p2align 5 +.alt_entry _bn_power5_nohw _bn_power5_nohw: _CET_ENDBR @@ -1222,7 +1225,9 @@ L$power5_epilogue: .private_extern _bn_sqr8x_internal .p2align 5 +.alt_entry _bn_sqr8x_internal _bn_sqr8x_internal: +.alt_entry __bn_sqr8x_internal __bn_sqr8x_internal: _CET_ENDBR @@ -1741,6 +1746,7 @@ L$sqr4x_shift_n_add: movq %rbx,-16(%rdi) movq %r8,-8(%rdi) movq %xmm2,%rbp +.alt_entry __bn_sqr8x_reduction __bn_sqr8x_reduction: xorq %rax,%rax leaq (%r9,%rbp,1),%rcx @@ -2004,6 +2010,7 @@ L$8x_no_tail: .p2align 5 +.alt_entry __bn_post4x_internal __bn_post4x_internal: movq 0(%rbp),%r12 @@ -2062,6 +2069,7 @@ L$sqr4x_sub_entry: .private_extern _bn_mulx4x_mont_gather5 .p2align 5 +.alt_entry _bn_mulx4x_mont_gather5 _bn_mulx4x_mont_gather5: _CET_ENDBR @@ -2176,6 +2184,7 @@ L$mulx4x_epilogue: .p2align 5 +.alt_entry mulx4x_internal mulx4x_internal: movq %r9,8(%rsp) @@ -2604,6 +2613,7 @@ L$mulx4x_inner: .private_extern _bn_powerx5 .p2align 5 +.alt_entry _bn_powerx5 _bn_powerx5: _CET_ENDBR 
@@ -2745,7 +2755,9 @@ L$powerx5_epilogue: .private_extern _bn_sqrx8x_internal .p2align 5 +.alt_entry _bn_sqrx8x_internal _bn_sqrx8x_internal: +.alt_entry __bn_sqrx8x_internal __bn_sqrx8x_internal: _CET_ENDBR @@ -3152,6 +3164,7 @@ L$sqrx4x_shift_n_add_break: movq %rbx,56(%rdi) leaq 64(%rdi),%rdi movq %xmm2,%rbp +.alt_entry __bn_sqrx8x_reduction __bn_sqrx8x_reduction: xorl %eax,%eax movq 32+8(%rsp),%rbx @@ -3364,6 +3377,7 @@ L$sqrx8x_no_tail: .p2align 5 +.alt_entry __bn_postx4x_internal __bn_postx4x_internal: movq 0(%rbp),%r12 @@ -3419,6 +3433,7 @@ L$sqrx4x_sub_entry: .private_extern _bn_scatter5 .p2align 4 +.alt_entry _bn_scatter5 _bn_scatter5: _CET_ENDBR @@ -3450,6 +3465,7 @@ L$scatter_epilogue: .private_extern _bn_gather5 .p2align 5 +.alt_entry _bn_gather5 _bn_gather5: L$SEH_begin_bn_gather5: @@ -3617,7 +3633,9 @@ L$SEH_end_bn_gather5: .section __DATA,__const + .p2align 6 +mont5_increments: L$inc: .long 0,0, 1,1 .long 2,2, 2,2 diff --git a/third_party/boringssl/gen/bcm/x86_64-mont5-linux.S b/third_party/boringssl/gen/bcm/x86_64-mont5-linux.S index a147041d..0a71a861 100644 --- a/third_party/boringssl/gen/bcm/x86_64-mont5-linux.S +++ b/third_party/boringssl/gen/bcm/x86_64-mont5-linux.S @@ -3617,7 +3617,9 @@ _CET_ENDBR .cfi_endproc .size bn_gather5,.-bn_gather5 .section .rodata + .align 64 +mont5_increments: .Linc: .long 0,0, 1,1 .long 2,2, 2,2 diff --git a/third_party/boringssl/gen/bcm/x86_64-mont5-win.asm b/third_party/boringssl/gen/bcm/x86_64-mont5-win.asm index 5d5ec364..1afb44ff 100644 --- a/third_party/boringssl/gen/bcm/x86_64-mont5-win.asm +++ b/third_party/boringssl/gen/bcm/x86_64-mont5-win.asm @@ -3686,7 +3686,9 @@ $L$SEH_end_bn_gather5: section .rdata rdata align=8 + ALIGN 64 +mont5_increments: $L$inc: DD 0,0,1,1 DD 2,2,2,2 diff --git a/third_party/boringssl/gen/crypto/aes128gcmsiv-x86_64-apple.S b/third_party/boringssl/gen/crypto/aes128gcmsiv-x86_64-apple.S index 81e2f071..c3fcf6d6 100644 --- a/third_party/boringssl/gen/crypto/aes128gcmsiv-x86_64-apple.S 
+++ b/third_party/boringssl/gen/crypto/aes128gcmsiv-x86_64-apple.S @@ -9,33 +9,47 @@ .p2align 4 one: .quad 1,0 +.alt_entry two two: .quad 2,0 +.alt_entry three three: .quad 3,0 +.alt_entry four four: .quad 4,0 +.alt_entry five five: .quad 5,0 +.alt_entry six six: .quad 6,0 +.alt_entry seven seven: .quad 7,0 +.alt_entry eight eight: .quad 8,0 +.alt_entry OR_MASK OR_MASK: .long 0x00000000,0x00000000,0x00000000,0x80000000 +.alt_entry poly poly: .quad 0x1, 0xc200000000000000 +.alt_entry mask mask: .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d +.alt_entry con1 con1: .long 1,1,1,1 +.alt_entry con2 con2: .long 0x1b,0x1b,0x1b,0x1b +.alt_entry con3 con3: .byte -1,-1,-1,-1,-1,-1,-1,-1,4,5,6,7,4,5,6,7 +.alt_entry and_mask and_mask: .long 0,0xffffffff, 0xffffffff, 0xffffffff .text @@ -69,6 +83,7 @@ GFMUL: .private_extern _aesgcmsiv_htable_init .p2align 4 +.alt_entry _aesgcmsiv_htable_init _aesgcmsiv_htable_init: _CET_ENDBR @@ -96,6 +111,7 @@ _CET_ENDBR .private_extern _aesgcmsiv_htable6_init .p2align 4 +.alt_entry _aesgcmsiv_htable6_init _aesgcmsiv_htable6_init: _CET_ENDBR @@ -119,6 +135,7 @@ _CET_ENDBR .private_extern _aesgcmsiv_htable_polyval .p2align 4 +.alt_entry _aesgcmsiv_htable_polyval _aesgcmsiv_htable_polyval: _CET_ENDBR @@ -337,6 +354,7 @@ L$htable_polyval_out: .private_extern _aesgcmsiv_polyval_horner .p2align 4 +.alt_entry _aesgcmsiv_polyval_horner _aesgcmsiv_polyval_horner: _CET_ENDBR @@ -371,6 +389,7 @@ L$polyval_horner_loop: .private_extern _aes128gcmsiv_aes_ks .p2align 4 +.alt_entry _aes128gcmsiv_aes_ks _aes128gcmsiv_aes_ks: _CET_ENDBR @@ -428,6 +447,7 @@ L$ks128_loop: .private_extern _aes256gcmsiv_aes_ks .p2align 4 +.alt_entry _aes256gcmsiv_aes_ks _aes256gcmsiv_aes_ks: _CET_ENDBR @@ -476,6 +496,7 @@ L$ks256_loop: .private_extern _aes128gcmsiv_aes_ks_enc_x1 .p2align 4 +.alt_entry _aes128gcmsiv_aes_ks_enc_x1 _aes128gcmsiv_aes_ks_enc_x1: _CET_ENDBR 
@@ -619,6 +640,7 @@ _CET_ENDBR .private_extern _aes128gcmsiv_kdf .p2align 4 +.alt_entry _aes128gcmsiv_kdf _aes128gcmsiv_kdf: _CET_ENDBR @@ -713,6 +735,7 @@ _CET_ENDBR .private_extern _aes128gcmsiv_enc_msg_x4 .p2align 4 +.alt_entry _aes128gcmsiv_enc_msg_x4 _aes128gcmsiv_enc_msg_x4: _CET_ENDBR @@ -889,6 +912,7 @@ L$128_enc_msg_x4_out: .private_extern _aes128gcmsiv_enc_msg_x8 .p2align 4 +.alt_entry _aes128gcmsiv_enc_msg_x8 _aes128gcmsiv_enc_msg_x8: _CET_ENDBR @@ -1145,6 +1169,7 @@ L$128_enc_msg_x8_out: .private_extern _aes128gcmsiv_dec .p2align 4 +.alt_entry _aes128gcmsiv_dec _aes128gcmsiv_dec: _CET_ENDBR @@ -1639,6 +1664,7 @@ L$128_dec_out: .private_extern _aes128gcmsiv_ecb_enc_block .p2align 4 +.alt_entry _aes128gcmsiv_ecb_enc_block _aes128gcmsiv_ecb_enc_block: _CET_ENDBR @@ -1665,6 +1691,7 @@ _CET_ENDBR .private_extern _aes256gcmsiv_aes_ks_enc_x1 .p2align 4 +.alt_entry _aes256gcmsiv_aes_ks_enc_x1 _aes256gcmsiv_aes_ks_enc_x1: _CET_ENDBR @@ -1849,6 +1876,7 @@ _CET_ENDBR .private_extern _aes256gcmsiv_ecb_enc_block .p2align 4 +.alt_entry _aes256gcmsiv_ecb_enc_block _aes256gcmsiv_ecb_enc_block: _CET_ENDBR @@ -1876,6 +1904,7 @@ _CET_ENDBR .private_extern _aes256gcmsiv_enc_msg_x4 .p2align 4 +.alt_entry _aes256gcmsiv_enc_msg_x4 _aes256gcmsiv_enc_msg_x4: _CET_ENDBR @@ -2078,6 +2107,7 @@ L$256_enc_msg_x4_out: .private_extern _aes256gcmsiv_enc_msg_x8 .p2align 4 +.alt_entry _aes256gcmsiv_enc_msg_x8 _aes256gcmsiv_enc_msg_x8: _CET_ENDBR @@ -2368,6 +2398,7 @@ L$256_enc_msg_x8_out: .private_extern _aes256gcmsiv_dec .p2align 4 +.alt_entry _aes256gcmsiv_dec _aes256gcmsiv_dec: _CET_ENDBR @@ -2930,6 +2961,7 @@ L$256_dec_out: .private_extern _aes256gcmsiv_kdf .p2align 4 +.alt_entry _aes256gcmsiv_kdf _aes256gcmsiv_kdf: _CET_ENDBR diff --git a/third_party/boringssl/gen/crypto/chacha-armv4-linux.S b/third_party/boringssl/gen/crypto/chacha-armv4-linux.S index 6532e00d..b144aadc 100644 --- a/third_party/boringssl/gen/crypto/chacha-armv4-linux.S 
+++ b/third_party/boringssl/gen/crypto/chacha-armv4-linux.S @@ -23,6 +23,7 @@ #endif .align 5 +chacha_constants: .Lsigma: .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 @ endian-neutral .Lone: diff --git a/third_party/boringssl/gen/crypto/chacha-armv8-apple.S b/third_party/boringssl/gen/crypto/chacha-armv8-apple.S index 452bf496..63d95711 100644 --- a/third_party/boringssl/gen/crypto/chacha-armv8-apple.S +++ b/third_party/boringssl/gen/crypto/chacha-armv8-apple.S @@ -7,6 +7,7 @@ .section __TEXT,__const .align 5 +chacha_constants: Lsigma: .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral Lone: @@ -298,6 +299,7 @@ Loop_tail: .private_extern _ChaCha20_ctr32_neon .align 5 +.alt_entry _ChaCha20_ctr32_neon _ChaCha20_ctr32_neon: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! @@ -795,6 +797,7 @@ Ldone_neon: .align 5 +.alt_entry ChaCha20_512_neon ChaCha20_512_neon: AARCH64_SIGN_LINK_REGISTER stp x29,x30,[sp,#-96]! diff --git a/third_party/boringssl/gen/crypto/chacha-armv8-linux.S b/third_party/boringssl/gen/crypto/chacha-armv8-linux.S index 6ecff537..c65b06d3 100644 --- a/third_party/boringssl/gen/crypto/chacha-armv8-linux.S +++ b/third_party/boringssl/gen/crypto/chacha-armv8-linux.S @@ -7,6 +7,7 @@ .section .rodata .align 5 +chacha_constants: .Lsigma: .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral .Lone: diff --git a/third_party/boringssl/gen/crypto/chacha-armv8-win.S b/third_party/boringssl/gen/crypto/chacha-armv8-win.S index ea1da282..62b7774e 100644 --- a/third_party/boringssl/gen/crypto/chacha-armv8-win.S +++ b/third_party/boringssl/gen/crypto/chacha-armv8-win.S @@ -7,6 +7,7 @@ .section .rodata .align 5 +chacha_constants: Lsigma: .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral Lone: diff --git a/third_party/boringssl/gen/crypto/chacha-x86_64-apple.S b/third_party/boringssl/gen/crypto/chacha-x86_64-apple.S index 09481e37..a6f6c693 100644 --- a/third_party/boringssl/gen/crypto/chacha-x86_64-apple.S 
+++ b/third_party/boringssl/gen/crypto/chacha-x86_64-apple.S @@ -7,7 +7,9 @@ .text .section __DATA,__const + .p2align 6 +chacha_constants: L$zero: .long 0,0,0,0 L$one: @@ -319,6 +321,7 @@ L$no_data: .private_extern _ChaCha20_ctr32_ssse3 .p2align 5 +.alt_entry _ChaCha20_ctr32_ssse3 _ChaCha20_ctr32_ssse3: _CET_ENDBR @@ -454,6 +457,7 @@ L$ssse3_epilogue: .private_extern _ChaCha20_ctr32_ssse3_4x .p2align 5 +.alt_entry _ChaCha20_ctr32_ssse3_4x _ChaCha20_ctr32_ssse3_4x: _CET_ENDBR @@ -996,6 +1000,7 @@ L$4x_epilogue: .private_extern _ChaCha20_ctr32_avx2 .p2align 5 +.alt_entry _ChaCha20_ctr32_avx2 _ChaCha20_ctr32_avx2: _CET_ENDBR diff --git a/third_party/boringssl/gen/crypto/chacha-x86_64-linux.S b/third_party/boringssl/gen/crypto/chacha-x86_64-linux.S index 8ea190d1..eec46bcc 100644 --- a/third_party/boringssl/gen/crypto/chacha-x86_64-linux.S +++ b/third_party/boringssl/gen/crypto/chacha-x86_64-linux.S @@ -7,7 +7,9 @@ .text .section .rodata + .align 64 +chacha_constants: .Lzero: .long 0,0,0,0 .Lone: diff --git a/third_party/boringssl/gen/crypto/chacha-x86_64-win.asm b/third_party/boringssl/gen/crypto/chacha-x86_64-win.asm index ca5b73c5..1becf715 100644 --- a/third_party/boringssl/gen/crypto/chacha-x86_64-win.asm +++ b/third_party/boringssl/gen/crypto/chacha-x86_64-win.asm @@ -15,7 +15,9 @@ section .text code align=64 section .rdata rdata align=8 + ALIGN 64 +chacha_constants: $L$zero: DD 0,0,0,0 $L$one: diff --git a/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-apple.S b/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-apple.S index d3a8c95b..a01db47b 100644 --- a/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-apple.S +++ b/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-apple.S @@ -7,6 +7,7 @@ .section __TEXT,__const .align 7 +chacha20_poly1305_constants: Lchacha20_consts: .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' Linc: 
@@ -20,6 +21,7 @@ Lclamp: .align 6 +chacha20_poly1305_helpers: Lpoly_hash_ad_internal: .cfi_startproc cbnz x4, Lpoly_hash_intro @@ -118,6 +120,7 @@ Lpoly_hash_ad_ret: .private_extern _chacha20_poly1305_seal .align 6 +.alt_entry _chacha20_poly1305_seal _chacha20_poly1305_seal: AARCH64_SIGN_LINK_REGISTER .cfi_startproc @@ -1474,6 +1477,7 @@ Lseal_128_rounds: .private_extern _chacha20_poly1305_open .align 6 +.alt_entry _chacha20_poly1305_open _chacha20_poly1305_open: AARCH64_SIGN_LINK_REGISTER .cfi_startproc diff --git a/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-linux.S b/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-linux.S index 0ab662fb..bf8df2d2 100644 --- a/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-linux.S +++ b/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-linux.S @@ -7,6 +7,7 @@ .section .rodata .align 7 +chacha20_poly1305_constants: .Lchacha20_consts: .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' .Linc: @@ -20,6 +21,7 @@ .type .Lpoly_hash_ad_internal,%function .align 6 +chacha20_poly1305_helpers: .Lpoly_hash_ad_internal: .cfi_startproc cbnz x4, .Lpoly_hash_intro diff --git a/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-win.S b/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-win.S index fa86675f..00af636a 100644 --- a/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-win.S +++ b/third_party/boringssl/gen/crypto/chacha20_poly1305_armv8-win.S @@ -7,6 +7,7 @@ .section .rodata .align 7 +chacha20_poly1305_constants: Lchacha20_consts: .byte 'e','x','p','a','n','d',' ','3','2','-','b','y','t','e',' ','k' Linc: @@ -22,6 +23,7 @@ Lclamp: .type 32 .endef .align 6 +chacha20_poly1305_helpers: Lpoly_hash_ad_internal: .cfi_startproc cbnz x4, Lpoly_hash_intro diff --git a/third_party/boringssl/gen/crypto/chacha20_poly1305_x86_64-apple.S b/third_party/boringssl/gen/crypto/chacha20_poly1305_x86_64-apple.S index 4044212e..56f17afa 100644 
--- a/third_party/boringssl/gen/crypto/chacha20_poly1305_x86_64-apple.S +++ b/third_party/boringssl/gen/crypto/chacha20_poly1305_x86_64-apple.S @@ -216,6 +216,7 @@ L$hash_ad_done: .private_extern _chacha20_poly1305_open_sse41 .p2align 6 +.alt_entry _chacha20_poly1305_open_sse41 _chacha20_poly1305_open_sse41: _CET_ENDBR @@ -2083,6 +2084,7 @@ L$open_sse_128_xor_hash: .private_extern _chacha20_poly1305_seal_sse41 .p2align 6 +.alt_entry _chacha20_poly1305_seal_sse41 _chacha20_poly1305_seal_sse41: _CET_ENDBR @@ -3747,6 +3749,7 @@ L$process_extra_hash_loop: leaq 16(%rsi),%rsi subq $1,%r8 jmp L$process_extra_hash_loop +.alt_entry process_extra_in_trailer process_extra_in_trailer: andq $15,%rcx movq %rcx,%rbx @@ -4065,6 +4068,7 @@ L$seal_sse_128_rounds: .private_extern _chacha20_poly1305_open_avx2 .p2align 6 +.alt_entry _chacha20_poly1305_open_avx2 _chacha20_poly1305_open_avx2: _CET_ENDBR @@ -6231,6 +6235,7 @@ L$open_avx2_320_rounds: .private_extern _chacha20_poly1305_seal_avx2 .p2align 6 +.alt_entry _chacha20_poly1305_seal_avx2 _chacha20_poly1305_seal_avx2: _CET_ENDBR diff --git a/third_party/boringssl/gen/test_support/trampoline-armv8-apple.S b/third_party/boringssl/gen/test_support/trampoline-armv8-apple.S index b32c707e..e0056481 100644 --- a/third_party/boringssl/gen/test_support/trampoline-armv8-apple.S +++ b/third_party/boringssl/gen/test_support/trampoline-armv8-apple.S @@ -128,6 +128,7 @@ Lx29_ok: .globl _abi_test_clobber_x0 .private_extern _abi_test_clobber_x0 .align 4 +.alt_entry _abi_test_clobber_x0 _abi_test_clobber_x0: AARCH64_VALID_CALL_TARGET mov x0, xzr @@ -137,6 +138,7 @@ _abi_test_clobber_x0: .globl _abi_test_clobber_x1 .private_extern _abi_test_clobber_x1 .align 4 +.alt_entry _abi_test_clobber_x1 _abi_test_clobber_x1: AARCH64_VALID_CALL_TARGET mov x1, xzr 
@@ -146,6 +148,7 @@ _abi_test_clobber_x1: .globl _abi_test_clobber_x2 .private_extern _abi_test_clobber_x2 .align 4 +.alt_entry _abi_test_clobber_x2 _abi_test_clobber_x2: AARCH64_VALID_CALL_TARGET mov x2, xzr @@ -155,6 +158,7 @@ _abi_test_clobber_x2: .globl _abi_test_clobber_x3 .private_extern _abi_test_clobber_x3 .align 4 +.alt_entry _abi_test_clobber_x3 _abi_test_clobber_x3: AARCH64_VALID_CALL_TARGET mov x3, xzr @@ -164,6 +168,7 @@ _abi_test_clobber_x3: .globl _abi_test_clobber_x4 .private_extern _abi_test_clobber_x4 .align 4 +.alt_entry _abi_test_clobber_x4 _abi_test_clobber_x4: AARCH64_VALID_CALL_TARGET mov x4, xzr @@ -173,6 +178,7 @@ _abi_test_clobber_x4: .globl _abi_test_clobber_x5 .private_extern _abi_test_clobber_x5 .align 4 +.alt_entry _abi_test_clobber_x5 _abi_test_clobber_x5: AARCH64_VALID_CALL_TARGET mov x5, xzr @@ -182,6 +188,7 @@ _abi_test_clobber_x5: .globl _abi_test_clobber_x6 .private_extern _abi_test_clobber_x6 .align 4 +.alt_entry _abi_test_clobber_x6 _abi_test_clobber_x6: AARCH64_VALID_CALL_TARGET mov x6, xzr @@ -191,6 +198,7 @@ _abi_test_clobber_x6: .globl _abi_test_clobber_x7 .private_extern _abi_test_clobber_x7 .align 4 +.alt_entry _abi_test_clobber_x7 _abi_test_clobber_x7: AARCH64_VALID_CALL_TARGET mov x7, xzr @@ -200,6 +208,7 @@ _abi_test_clobber_x7: .globl _abi_test_clobber_x8 .private_extern _abi_test_clobber_x8 .align 4 +.alt_entry _abi_test_clobber_x8 _abi_test_clobber_x8: AARCH64_VALID_CALL_TARGET mov x8, xzr @@ -209,6 +218,7 @@ _abi_test_clobber_x8: .globl _abi_test_clobber_x9 .private_extern _abi_test_clobber_x9 .align 4 +.alt_entry _abi_test_clobber_x9 _abi_test_clobber_x9: AARCH64_VALID_CALL_TARGET mov x9, xzr @@ -218,6 +228,7 @@ _abi_test_clobber_x9: .globl _abi_test_clobber_x10 .private_extern _abi_test_clobber_x10 .align 4 +.alt_entry _abi_test_clobber_x10 _abi_test_clobber_x10: AARCH64_VALID_CALL_TARGET mov x10, xzr 
@@ -227,6 +238,7 @@ _abi_test_clobber_x10: .globl _abi_test_clobber_x11 .private_extern _abi_test_clobber_x11 .align 4 +.alt_entry _abi_test_clobber_x11 _abi_test_clobber_x11: AARCH64_VALID_CALL_TARGET mov x11, xzr @@ -236,6 +248,7 @@ _abi_test_clobber_x11: .globl _abi_test_clobber_x12 .private_extern _abi_test_clobber_x12 .align 4 +.alt_entry _abi_test_clobber_x12 _abi_test_clobber_x12: AARCH64_VALID_CALL_TARGET mov x12, xzr @@ -245,6 +258,7 @@ _abi_test_clobber_x12: .globl _abi_test_clobber_x13 .private_extern _abi_test_clobber_x13 .align 4 +.alt_entry _abi_test_clobber_x13 _abi_test_clobber_x13: AARCH64_VALID_CALL_TARGET mov x13, xzr @@ -254,6 +268,7 @@ _abi_test_clobber_x13: .globl _abi_test_clobber_x14 .private_extern _abi_test_clobber_x14 .align 4 +.alt_entry _abi_test_clobber_x14 _abi_test_clobber_x14: AARCH64_VALID_CALL_TARGET mov x14, xzr @@ -263,6 +278,7 @@ _abi_test_clobber_x14: .globl _abi_test_clobber_x15 .private_extern _abi_test_clobber_x15 .align 4 +.alt_entry _abi_test_clobber_x15 _abi_test_clobber_x15: AARCH64_VALID_CALL_TARGET mov x15, xzr @@ -272,6 +288,7 @@ _abi_test_clobber_x15: .globl _abi_test_clobber_x16 .private_extern _abi_test_clobber_x16 .align 4 +.alt_entry _abi_test_clobber_x16 _abi_test_clobber_x16: AARCH64_VALID_CALL_TARGET mov x16, xzr @@ -281,6 +298,7 @@ _abi_test_clobber_x16: .globl _abi_test_clobber_x17 .private_extern _abi_test_clobber_x17 .align 4 +.alt_entry _abi_test_clobber_x17 _abi_test_clobber_x17: AARCH64_VALID_CALL_TARGET mov x17, xzr @@ -290,6 +308,7 @@ _abi_test_clobber_x17: .globl _abi_test_clobber_x19 .private_extern _abi_test_clobber_x19 .align 4 +.alt_entry _abi_test_clobber_x19 _abi_test_clobber_x19: AARCH64_VALID_CALL_TARGET mov x19, xzr @@ -299,6 +318,7 @@ _abi_test_clobber_x19: .globl _abi_test_clobber_x20 .private_extern _abi_test_clobber_x20 .align 4 +.alt_entry _abi_test_clobber_x20 _abi_test_clobber_x20: AARCH64_VALID_CALL_TARGET mov x20, xzr 
@@ -308,6 +328,7 @@ _abi_test_clobber_x20: .globl _abi_test_clobber_x21 .private_extern _abi_test_clobber_x21 .align 4 +.alt_entry _abi_test_clobber_x21 _abi_test_clobber_x21: AARCH64_VALID_CALL_TARGET mov x21, xzr @@ -317,6 +338,7 @@ _abi_test_clobber_x21: .globl _abi_test_clobber_x22 .private_extern _abi_test_clobber_x22 .align 4 +.alt_entry _abi_test_clobber_x22 _abi_test_clobber_x22: AARCH64_VALID_CALL_TARGET mov x22, xzr @@ -326,6 +348,7 @@ _abi_test_clobber_x22: .globl _abi_test_clobber_x23 .private_extern _abi_test_clobber_x23 .align 4 +.alt_entry _abi_test_clobber_x23 _abi_test_clobber_x23: AARCH64_VALID_CALL_TARGET mov x23, xzr @@ -335,6 +358,7 @@ _abi_test_clobber_x23: .globl _abi_test_clobber_x24 .private_extern _abi_test_clobber_x24 .align 4 +.alt_entry _abi_test_clobber_x24 _abi_test_clobber_x24: AARCH64_VALID_CALL_TARGET mov x24, xzr @@ -344,6 +368,7 @@ _abi_test_clobber_x24: .globl _abi_test_clobber_x25 .private_extern _abi_test_clobber_x25 .align 4 +.alt_entry _abi_test_clobber_x25 _abi_test_clobber_x25: AARCH64_VALID_CALL_TARGET mov x25, xzr @@ -353,6 +378,7 @@ _abi_test_clobber_x25: .globl _abi_test_clobber_x26 .private_extern _abi_test_clobber_x26 .align 4 +.alt_entry _abi_test_clobber_x26 _abi_test_clobber_x26: AARCH64_VALID_CALL_TARGET mov x26, xzr @@ -362,6 +388,7 @@ _abi_test_clobber_x26: .globl _abi_test_clobber_x27 .private_extern _abi_test_clobber_x27 .align 4 +.alt_entry _abi_test_clobber_x27 _abi_test_clobber_x27: AARCH64_VALID_CALL_TARGET mov x27, xzr @@ -371,6 +398,7 @@ _abi_test_clobber_x27: .globl _abi_test_clobber_x28 .private_extern _abi_test_clobber_x28 .align 4 +.alt_entry _abi_test_clobber_x28 _abi_test_clobber_x28: AARCH64_VALID_CALL_TARGET mov x28, xzr @@ -380,6 +408,7 @@ _abi_test_clobber_x28: .globl _abi_test_clobber_x29 .private_extern _abi_test_clobber_x29 .align 4 +.alt_entry _abi_test_clobber_x29 _abi_test_clobber_x29: AARCH64_VALID_CALL_TARGET mov x29, xzr 
@@ -389,6 +418,7 @@ _abi_test_clobber_x29: .globl _abi_test_clobber_d0 .private_extern _abi_test_clobber_d0 .align 4 +.alt_entry _abi_test_clobber_d0 _abi_test_clobber_d0: AARCH64_VALID_CALL_TARGET fmov d0, xzr @@ -398,6 +428,7 @@ _abi_test_clobber_d0: .globl _abi_test_clobber_d1 .private_extern _abi_test_clobber_d1 .align 4 +.alt_entry _abi_test_clobber_d1 _abi_test_clobber_d1: AARCH64_VALID_CALL_TARGET fmov d1, xzr @@ -407,6 +438,7 @@ _abi_test_clobber_d1: .globl _abi_test_clobber_d2 .private_extern _abi_test_clobber_d2 .align 4 +.alt_entry _abi_test_clobber_d2 _abi_test_clobber_d2: AARCH64_VALID_CALL_TARGET fmov d2, xzr @@ -416,6 +448,7 @@ _abi_test_clobber_d2: .globl _abi_test_clobber_d3 .private_extern _abi_test_clobber_d3 .align 4 +.alt_entry _abi_test_clobber_d3 _abi_test_clobber_d3: AARCH64_VALID_CALL_TARGET fmov d3, xzr @@ -425,6 +458,7 @@ _abi_test_clobber_d3: .globl _abi_test_clobber_d4 .private_extern _abi_test_clobber_d4 .align 4 +.alt_entry _abi_test_clobber_d4 _abi_test_clobber_d4: AARCH64_VALID_CALL_TARGET fmov d4, xzr @@ -434,6 +468,7 @@ _abi_test_clobber_d4: .globl _abi_test_clobber_d5 .private_extern _abi_test_clobber_d5 .align 4 +.alt_entry _abi_test_clobber_d5 _abi_test_clobber_d5: AARCH64_VALID_CALL_TARGET fmov d5, xzr @@ -443,6 +478,7 @@ _abi_test_clobber_d5: .globl _abi_test_clobber_d6 .private_extern _abi_test_clobber_d6 .align 4 +.alt_entry _abi_test_clobber_d6 _abi_test_clobber_d6: AARCH64_VALID_CALL_TARGET fmov d6, xzr @@ -452,6 +488,7 @@ _abi_test_clobber_d6: .globl _abi_test_clobber_d7 .private_extern _abi_test_clobber_d7 .align 4 +.alt_entry _abi_test_clobber_d7 _abi_test_clobber_d7: AARCH64_VALID_CALL_TARGET fmov d7, xzr @@ -461,6 +498,7 @@ _abi_test_clobber_d7: .globl _abi_test_clobber_d8 .private_extern _abi_test_clobber_d8 .align 4 +.alt_entry _abi_test_clobber_d8 _abi_test_clobber_d8: AARCH64_VALID_CALL_TARGET fmov d8, xzr 
@@ -470,6 +508,7 @@ _abi_test_clobber_d8: .globl _abi_test_clobber_d9 .private_extern _abi_test_clobber_d9 .align 4 +.alt_entry _abi_test_clobber_d9 _abi_test_clobber_d9: AARCH64_VALID_CALL_TARGET fmov d9, xzr @@ -479,6 +518,7 @@ _abi_test_clobber_d9: .globl _abi_test_clobber_d10 .private_extern _abi_test_clobber_d10 .align 4 +.alt_entry _abi_test_clobber_d10 _abi_test_clobber_d10: AARCH64_VALID_CALL_TARGET fmov d10, xzr @@ -488,6 +528,7 @@ _abi_test_clobber_d10: .globl _abi_test_clobber_d11 .private_extern _abi_test_clobber_d11 .align 4 +.alt_entry _abi_test_clobber_d11 _abi_test_clobber_d11: AARCH64_VALID_CALL_TARGET fmov d11, xzr @@ -497,6 +538,7 @@ _abi_test_clobber_d11: .globl _abi_test_clobber_d12 .private_extern _abi_test_clobber_d12 .align 4 +.alt_entry _abi_test_clobber_d12 _abi_test_clobber_d12: AARCH64_VALID_CALL_TARGET fmov d12, xzr @@ -506,6 +548,7 @@ _abi_test_clobber_d12: .globl _abi_test_clobber_d13 .private_extern _abi_test_clobber_d13 .align 4 +.alt_entry _abi_test_clobber_d13 _abi_test_clobber_d13: AARCH64_VALID_CALL_TARGET fmov d13, xzr @@ -515,6 +558,7 @@ _abi_test_clobber_d13: .globl _abi_test_clobber_d14 .private_extern _abi_test_clobber_d14 .align 4 +.alt_entry _abi_test_clobber_d14 _abi_test_clobber_d14: AARCH64_VALID_CALL_TARGET fmov d14, xzr @@ -524,6 +568,7 @@ _abi_test_clobber_d14: .globl _abi_test_clobber_d15 .private_extern _abi_test_clobber_d15 .align 4 +.alt_entry _abi_test_clobber_d15 _abi_test_clobber_d15: AARCH64_VALID_CALL_TARGET fmov d15, xzr @@ -533,6 +578,7 @@ _abi_test_clobber_d15: .globl _abi_test_clobber_d16 .private_extern _abi_test_clobber_d16 .align 4 +.alt_entry _abi_test_clobber_d16 _abi_test_clobber_d16: AARCH64_VALID_CALL_TARGET fmov d16, xzr @@ -542,6 +588,7 @@ _abi_test_clobber_d16: .globl _abi_test_clobber_d17 .private_extern _abi_test_clobber_d17 .align 4 +.alt_entry _abi_test_clobber_d17 _abi_test_clobber_d17: AARCH64_VALID_CALL_TARGET fmov d17, xzr 
@@ -551,6 +598,7 @@ _abi_test_clobber_d17: .globl _abi_test_clobber_d18 .private_extern _abi_test_clobber_d18 .align 4 +.alt_entry _abi_test_clobber_d18 _abi_test_clobber_d18: AARCH64_VALID_CALL_TARGET fmov d18, xzr @@ -560,6 +608,7 @@ _abi_test_clobber_d18: .globl _abi_test_clobber_d19 .private_extern _abi_test_clobber_d19 .align 4 +.alt_entry _abi_test_clobber_d19 _abi_test_clobber_d19: AARCH64_VALID_CALL_TARGET fmov d19, xzr @@ -569,6 +618,7 @@ _abi_test_clobber_d19: .globl _abi_test_clobber_d20 .private_extern _abi_test_clobber_d20 .align 4 +.alt_entry _abi_test_clobber_d20 _abi_test_clobber_d20: AARCH64_VALID_CALL_TARGET fmov d20, xzr @@ -578,6 +628,7 @@ _abi_test_clobber_d20: .globl _abi_test_clobber_d21 .private_extern _abi_test_clobber_d21 .align 4 +.alt_entry _abi_test_clobber_d21 _abi_test_clobber_d21: AARCH64_VALID_CALL_TARGET fmov d21, xzr @@ -587,6 +638,7 @@ _abi_test_clobber_d21: .globl _abi_test_clobber_d22 .private_extern _abi_test_clobber_d22 .align 4 +.alt_entry _abi_test_clobber_d22 _abi_test_clobber_d22: AARCH64_VALID_CALL_TARGET fmov d22, xzr @@ -596,6 +648,7 @@ _abi_test_clobber_d22: .globl _abi_test_clobber_d23 .private_extern _abi_test_clobber_d23 .align 4 +.alt_entry _abi_test_clobber_d23 _abi_test_clobber_d23: AARCH64_VALID_CALL_TARGET fmov d23, xzr @@ -605,6 +658,7 @@ _abi_test_clobber_d23: .globl _abi_test_clobber_d24 .private_extern _abi_test_clobber_d24 .align 4 +.alt_entry _abi_test_clobber_d24 _abi_test_clobber_d24: AARCH64_VALID_CALL_TARGET fmov d24, xzr @@ -614,6 +668,7 @@ _abi_test_clobber_d24: .globl _abi_test_clobber_d25 .private_extern _abi_test_clobber_d25 .align 4 +.alt_entry _abi_test_clobber_d25 _abi_test_clobber_d25: AARCH64_VALID_CALL_TARGET fmov d25, xzr @@ -623,6 +678,7 @@ _abi_test_clobber_d25: .globl _abi_test_clobber_d26 .private_extern _abi_test_clobber_d26 .align 4 +.alt_entry _abi_test_clobber_d26 _abi_test_clobber_d26: AARCH64_VALID_CALL_TARGET fmov d26, xzr 
@@ -632,6 +688,7 @@ _abi_test_clobber_d26: .globl _abi_test_clobber_d27 .private_extern _abi_test_clobber_d27 .align 4 +.alt_entry _abi_test_clobber_d27 _abi_test_clobber_d27: AARCH64_VALID_CALL_TARGET fmov d27, xzr @@ -641,6 +698,7 @@ _abi_test_clobber_d27: .globl _abi_test_clobber_d28 .private_extern _abi_test_clobber_d28 .align 4 +.alt_entry _abi_test_clobber_d28 _abi_test_clobber_d28: AARCH64_VALID_CALL_TARGET fmov d28, xzr @@ -650,6 +708,7 @@ _abi_test_clobber_d28: .globl _abi_test_clobber_d29 .private_extern _abi_test_clobber_d29 .align 4 +.alt_entry _abi_test_clobber_d29 _abi_test_clobber_d29: AARCH64_VALID_CALL_TARGET fmov d29, xzr @@ -659,6 +718,7 @@ _abi_test_clobber_d29: .globl _abi_test_clobber_d30 .private_extern _abi_test_clobber_d30 .align 4 +.alt_entry _abi_test_clobber_d30 _abi_test_clobber_d30: AARCH64_VALID_CALL_TARGET fmov d30, xzr @@ -668,6 +728,7 @@ _abi_test_clobber_d30: .globl _abi_test_clobber_d31 .private_extern _abi_test_clobber_d31 .align 4 +.alt_entry _abi_test_clobber_d31 _abi_test_clobber_d31: AARCH64_VALID_CALL_TARGET fmov d31, xzr @@ -677,6 +738,7 @@ _abi_test_clobber_d31: .globl _abi_test_clobber_v8_upper .private_extern _abi_test_clobber_v8_upper .align 4 +.alt_entry _abi_test_clobber_v8_upper _abi_test_clobber_v8_upper: AARCH64_VALID_CALL_TARGET fmov v8.d[1], xzr @@ -686,6 +748,7 @@ _abi_test_clobber_v8_upper: .globl _abi_test_clobber_v9_upper .private_extern _abi_test_clobber_v9_upper .align 4 +.alt_entry _abi_test_clobber_v9_upper _abi_test_clobber_v9_upper: AARCH64_VALID_CALL_TARGET fmov v9.d[1], xzr @@ -695,6 +758,7 @@ _abi_test_clobber_v9_upper: .globl _abi_test_clobber_v10_upper .private_extern _abi_test_clobber_v10_upper .align 4 +.alt_entry _abi_test_clobber_v10_upper _abi_test_clobber_v10_upper: AARCH64_VALID_CALL_TARGET fmov v10.d[1], xzr 
@@ -704,6 +768,7 @@ _abi_test_clobber_v10_upper: .globl _abi_test_clobber_v11_upper .private_extern _abi_test_clobber_v11_upper .align 4 +.alt_entry _abi_test_clobber_v11_upper _abi_test_clobber_v11_upper: AARCH64_VALID_CALL_TARGET fmov v11.d[1], xzr @@ -713,6 +778,7 @@ _abi_test_clobber_v11_upper: .globl _abi_test_clobber_v12_upper .private_extern _abi_test_clobber_v12_upper .align 4 +.alt_entry _abi_test_clobber_v12_upper _abi_test_clobber_v12_upper: AARCH64_VALID_CALL_TARGET fmov v12.d[1], xzr @@ -722,6 +788,7 @@ _abi_test_clobber_v12_upper: .globl _abi_test_clobber_v13_upper .private_extern _abi_test_clobber_v13_upper .align 4 +.alt_entry _abi_test_clobber_v13_upper _abi_test_clobber_v13_upper: AARCH64_VALID_CALL_TARGET fmov v13.d[1], xzr @@ -731,6 +798,7 @@ _abi_test_clobber_v13_upper: .globl _abi_test_clobber_v14_upper .private_extern _abi_test_clobber_v14_upper .align 4 +.alt_entry _abi_test_clobber_v14_upper _abi_test_clobber_v14_upper: AARCH64_VALID_CALL_TARGET fmov v14.d[1], xzr @@ -740,6 +808,7 @@ _abi_test_clobber_v14_upper: .globl _abi_test_clobber_v15_upper .private_extern _abi_test_clobber_v15_upper .align 4 +.alt_entry _abi_test_clobber_v15_upper _abi_test_clobber_v15_upper: AARCH64_VALID_CALL_TARGET fmov v15.d[1], xzr diff --git a/third_party/boringssl/gen/test_support/trampoline-x86_64-apple.S b/third_party/boringssl/gen/test_support/trampoline-x86_64-apple.S index 5d60e67a..4d414b09 100644 --- a/third_party/boringssl/gen/test_support/trampoline-x86_64-apple.S +++ b/third_party/boringssl/gen/test_support/trampoline-x86_64-apple.S @@ -127,11 +127,13 @@ L$args_done: nop .globl _abi_test_unwind_start .private_extern _abi_test_unwind_start +.alt_entry _abi_test_unwind_start _abi_test_unwind_start: call *%rax .globl _abi_test_unwind_return .private_extern _abi_test_unwind_return +.alt_entry _abi_test_unwind_return _abi_test_unwind_return: 
@@ -142,6 +144,7 @@ _abi_test_unwind_return: popfq .globl _abi_test_unwind_stop .private_extern _abi_test_unwind_stop +.alt_entry _abi_test_unwind_stop _abi_test_unwind_stop: jmp L$call_done @@ -182,6 +185,7 @@ L$call_done: .private_extern _abi_test_clobber_rax .p2align 4 +.alt_entry _abi_test_clobber_rax _abi_test_clobber_rax: _CET_ENDBR xorq %rax,%rax @@ -191,6 +195,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_rbx .p2align 4 +.alt_entry _abi_test_clobber_rbx _abi_test_clobber_rbx: _CET_ENDBR xorq %rbx,%rbx @@ -200,6 +205,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_rcx .p2align 4 +.alt_entry _abi_test_clobber_rcx _abi_test_clobber_rcx: _CET_ENDBR xorq %rcx,%rcx @@ -209,6 +215,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_rdx .p2align 4 +.alt_entry _abi_test_clobber_rdx _abi_test_clobber_rdx: _CET_ENDBR xorq %rdx,%rdx @@ -218,6 +225,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_rdi .p2align 4 +.alt_entry _abi_test_clobber_rdi _abi_test_clobber_rdi: _CET_ENDBR xorq %rdi,%rdi @@ -227,6 +235,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_rsi .p2align 4 +.alt_entry _abi_test_clobber_rsi _abi_test_clobber_rsi: _CET_ENDBR xorq %rsi,%rsi @@ -236,6 +245,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_rbp .p2align 4 +.alt_entry _abi_test_clobber_rbp _abi_test_clobber_rbp: _CET_ENDBR xorq %rbp,%rbp @@ -245,6 +255,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r8 .p2align 4 +.alt_entry _abi_test_clobber_r8 _abi_test_clobber_r8: _CET_ENDBR xorq %r8,%r8 @@ -254,6 +265,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r9 .p2align 4 +.alt_entry _abi_test_clobber_r9 _abi_test_clobber_r9: _CET_ENDBR xorq %r9,%r9 @@ -263,6 +275,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r10 .p2align 4 +.alt_entry _abi_test_clobber_r10 _abi_test_clobber_r10: _CET_ENDBR xorq %r10,%r10 @@ -272,6 +285,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r11 .p2align 4 +.alt_entry _abi_test_clobber_r11 _abi_test_clobber_r11: _CET_ENDBR xorq %r11,%r11 
@@ -281,6 +295,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r12 .p2align 4 +.alt_entry _abi_test_clobber_r12 _abi_test_clobber_r12: _CET_ENDBR xorq %r12,%r12 @@ -290,6 +305,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r13 .p2align 4 +.alt_entry _abi_test_clobber_r13 _abi_test_clobber_r13: _CET_ENDBR xorq %r13,%r13 @@ -299,6 +315,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r14 .p2align 4 +.alt_entry _abi_test_clobber_r14 _abi_test_clobber_r14: _CET_ENDBR xorq %r14,%r14 @@ -308,6 +325,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_r15 .p2align 4 +.alt_entry _abi_test_clobber_r15 _abi_test_clobber_r15: _CET_ENDBR xorq %r15,%r15 @@ -317,6 +335,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm0 .p2align 4 +.alt_entry _abi_test_clobber_xmm0 _abi_test_clobber_xmm0: _CET_ENDBR pxor %xmm0,%xmm0 @@ -326,6 +345,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm1 .p2align 4 +.alt_entry _abi_test_clobber_xmm1 _abi_test_clobber_xmm1: _CET_ENDBR pxor %xmm1,%xmm1 @@ -335,6 +355,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm2 .p2align 4 +.alt_entry _abi_test_clobber_xmm2 _abi_test_clobber_xmm2: _CET_ENDBR pxor %xmm2,%xmm2 @@ -344,6 +365,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm3 .p2align 4 +.alt_entry _abi_test_clobber_xmm3 _abi_test_clobber_xmm3: _CET_ENDBR pxor %xmm3,%xmm3 @@ -353,6 +375,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm4 .p2align 4 +.alt_entry _abi_test_clobber_xmm4 _abi_test_clobber_xmm4: _CET_ENDBR pxor %xmm4,%xmm4 @@ -362,6 +385,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm5 .p2align 4 +.alt_entry _abi_test_clobber_xmm5 _abi_test_clobber_xmm5: _CET_ENDBR pxor %xmm5,%xmm5 @@ -371,6 +395,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm6 .p2align 4 +.alt_entry _abi_test_clobber_xmm6 _abi_test_clobber_xmm6: _CET_ENDBR pxor %xmm6,%xmm6 @@ -380,6 +405,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm7 .p2align 4 +.alt_entry _abi_test_clobber_xmm7 _abi_test_clobber_xmm7: _CET_ENDBR pxor %xmm7,%xmm7 
@@ -389,6 +415,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm8 .p2align 4 +.alt_entry _abi_test_clobber_xmm8 _abi_test_clobber_xmm8: _CET_ENDBR pxor %xmm8,%xmm8 @@ -398,6 +425,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm9 .p2align 4 +.alt_entry _abi_test_clobber_xmm9 _abi_test_clobber_xmm9: _CET_ENDBR pxor %xmm9,%xmm9 @@ -407,6 +435,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm10 .p2align 4 +.alt_entry _abi_test_clobber_xmm10 _abi_test_clobber_xmm10: _CET_ENDBR pxor %xmm10,%xmm10 @@ -416,6 +445,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm11 .p2align 4 +.alt_entry _abi_test_clobber_xmm11 _abi_test_clobber_xmm11: _CET_ENDBR pxor %xmm11,%xmm11 @@ -425,6 +455,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm12 .p2align 4 +.alt_entry _abi_test_clobber_xmm12 _abi_test_clobber_xmm12: _CET_ENDBR pxor %xmm12,%xmm12 @@ -434,6 +465,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm13 .p2align 4 +.alt_entry _abi_test_clobber_xmm13 _abi_test_clobber_xmm13: _CET_ENDBR pxor %xmm13,%xmm13 @@ -443,6 +475,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm14 .p2align 4 +.alt_entry _abi_test_clobber_xmm14 _abi_test_clobber_xmm14: _CET_ENDBR pxor %xmm14,%xmm14 @@ -452,6 +485,7 @@ _CET_ENDBR .private_extern _abi_test_clobber_xmm15 .p2align 4 +.alt_entry _abi_test_clobber_xmm15 _abi_test_clobber_xmm15: _CET_ENDBR pxor %xmm15,%xmm15 @@ -464,6 +498,7 @@ _CET_ENDBR .private_extern _abi_test_bad_unwind_wrong_register .p2align 4 +.alt_entry _abi_test_bad_unwind_wrong_register _abi_test_bad_unwind_wrong_register: @@ -490,6 +525,7 @@ _CET_ENDBR .private_extern _abi_test_bad_unwind_temporary .p2align 4 +.alt_entry _abi_test_bad_unwind_temporary _abi_test_bad_unwind_temporary: @@ -521,6 +557,7 @@ _CET_ENDBR .globl _abi_test_get_and_clear_direction_flag .private_extern _abi_test_get_and_clear_direction_flag +.alt_entry _abi_test_get_and_clear_direction_flag _abi_test_get_and_clear_direction_flag: _CET_ENDBR pushfq 
@@ -536,6 +573,7 @@ _CET_ENDBR .globl _abi_test_set_direction_flag .private_extern _abi_test_set_direction_flag +.alt_entry _abi_test_set_direction_flag _abi_test_set_direction_flag: _CET_ENDBR std diff --git a/third_party/boringssl/sources.cmake b/third_party/boringssl/sources.cmake index 90437ae9..4d61827f 100644 --- a/third_party/boringssl/sources.cmake +++ b/third_party/boringssl/sources.cmake @@ -167,7 +167,6 @@ set(crypto_sources ${BORINGSSL_ROOT}src/crypto/rand/forkunsafe.cc ${BORINGSSL_ROOT}src/crypto/rand/getentropy.cc ${BORINGSSL_ROOT}src/crypto/rand/ios.cc - ${BORINGSSL_ROOT}src/crypto/rand/passive.cc ${BORINGSSL_ROOT}src/crypto/rand/rand.cc ${BORINGSSL_ROOT}src/crypto/rand/trusty.cc ${BORINGSSL_ROOT}src/crypto/rand/urandom.cc diff --git a/third_party/boringssl/src/crypto/asn1/a_bitstr.cc b/third_party/boringssl/src/crypto/asn1/a_bitstr.cc index a071589e..60e76eb0 100644 --- a/third_party/boringssl/src/crypto/asn1/a_bitstr.cc +++ b/third_party/boringssl/src/crypto/asn1/a_bitstr.cc @@ -32,7 +32,7 @@ using namespace bssl; static void set_unused_bits(ASN1_BIT_STRING *str, uint8_t unused_bits) { assert(unused_bits < 8); assert(unused_bits == 0 || str->length > 0); - // |ASN1_STRING_FLAG_BITS_LEFT| and the bottom 3 bits encode |padding|. + // `ASN1_STRING_FLAG_BITS_LEFT` and the bottom 3 bits encode `padding`. str->flags &= ~0x07; str->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits; } diff --git a/third_party/boringssl/src/crypto/asn1/a_gentm.cc b/third_party/boringssl/src/crypto/asn1/a_gentm.cc index 1dd22be0..72615723 100644 --- a/third_party/boringssl/src/crypto/asn1/a_gentm.cc +++ b/third_party/boringssl/src/crypto/asn1/a_gentm.cc 
@@ -107,7 +107,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, int ret = snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02dZ", data.tm_year + 1900, data.tm_mon + 1, data.tm_mday, data.tm_hour, data.tm_min, data.tm_sec); - // |snprintf| must write exactly 15 bytes (plus the NUL) to the buffer. + // `snprintf` must write exactly 15 bytes (plus the NUL) to the buffer. BSSL_CHECK(ret == static_cast(sizeof(buf) - 1)); int free_s = 0; diff --git a/third_party/boringssl/src/crypto/asn1/a_int.cc b/third_party/boringssl/src/crypto/asn1/a_int.cc index 216c9daa..9edbde20 100644 --- a/third_party/boringssl/src/crypto/asn1/a_int.cc +++ b/third_party/boringssl/src/crypto/asn1/a_int.cc @@ -42,8 +42,8 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) { int ret = ASN1_STRING_cmp(x, y); if (neg) { - // This could be |-ret|, but |ASN1_STRING_cmp| is not forbidden from - // returning |INT_MIN|. + // This could be `-ret`, but `ASN1_STRING_cmp` is not forbidden from + // returning `INT_MIN`. if (ret < 0) { return 1; } else if (ret > 0) { @@ -56,7 +56,7 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) { return ret; } -// negate_twos_complement negates |len| bytes from |buf| in-place, interpreted +// negate_twos_complement negates `len` bytes from `buf` in-place, interpreted // as a signed, big-endian two's complement value. static void negate_twos_complement(uint8_t *buf, size_t len) { uint8_t borrow = 0; @@ -96,7 +96,7 @@ int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, unsigned char **outp) { return 0; } - // |ASN1_INTEGER|s should be represented minimally, but it is possible to + // `ASN1_INTEGER`s should be represented minimally, but it is possible to // construct invalid ones. Skip leading zeros so this does not produce an // invalid encoding or break invariants. CBS cbs; 
@@ -159,7 +159,7 @@ static int asn1_parse_integer_contents(Span in, return 0; } - // Convert to |ASN1_INTEGER|'s sign-and-magnitude representation. First, + // Convert to `ASN1_INTEGER`'s sign-and-magnitude representation. First, // determine the size needed for a minimal result. if (is_negative) { // 0xff00...01 through 0xff7f..ff have a two's complement of 0x00ff...ff @@ -353,7 +353,7 @@ static int asn1_string_get_int64(int64_t *out, const ASN1_STRING *a, int type) { } int64_t i64; int fits_in_i64; - // Check |v != 0| to handle manually-constructed negative zeros. + // Check `v != 0` to handle manually-constructed negative zeros. if ((a->type & V_ASN1_NEG) && v != 0) { i64 = (int64_t)(0u - v); fits_in_i64 = i64 < 0; diff --git a/third_party/boringssl/src/crypto/asn1/a_mbstr.cc b/third_party/boringssl/src/crypto/asn1/a_mbstr.cc index c70bb3b5..946ab52a 100644 --- a/third_party/boringssl/src/crypto/asn1/a_mbstr.cc +++ b/third_party/boringssl/src/crypto/asn1/a_mbstr.cc @@ -82,7 +82,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, return -1; } - // Check |minsize| and |maxsize| and work out the minimal type, if any. + // Check `minsize` and `maxsize` and work out the minimal type, if any. CBS cbs; CBS_init(&cbs, in, len); size_t utf8_len = 0, nchar = 0; @@ -209,7 +209,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, } } if (/* OpenSSL historically NUL-terminated this value with a single byte, - * even for |MBSTRING_BMP| and |MBSTRING_UNIV|. */ + * even for `MBSTRING_BMP` and `MBSTRING_UNIV`. */ !CBB_add_u8(&cbb, 0) || // !CBB_finish(&cbb, &data, &data_len) || // data_len < 1 || // diff --git a/third_party/boringssl/src/crypto/asn1/a_object.cc b/third_party/boringssl/src/crypto/asn1/a_object.cc index 125058ab..c88ca4f1 100644 --- a/third_party/boringssl/src/crypto/asn1/a_object.cc +++ b/third_party/boringssl/src/crypto/asn1/a_object.cc 
@@ -117,7 +117,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **out, const unsigned char **inp, ASN1_OBJECT_create(NID_undef, CBS_data(cbs), CBS_len(cbs), /*sn=*/nullptr, /*ln=*/nullptr); if (ret != nullptr) { - // |c2i_ASN1_OBJECT| consumes its whole input on success. + // `c2i_ASN1_OBJECT` consumes its whole input on success. BSSL_CHECK(CBS_skip(cbs, CBS_len(cbs))); } return ret; @@ -158,12 +158,12 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a) { return; } if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS) { - OPENSSL_free((void *)a->sn); - OPENSSL_free((void *)a->ln); + OPENSSL_free(const_cast(a->sn)); + OPENSSL_free(const_cast(a->ln)); a->sn = a->ln = nullptr; } if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA) { - OPENSSL_free((void *)a->data); + OPENSSL_free(const_cast(a->data)); a->data = nullptr; a->length = 0; } diff --git a/third_party/boringssl/src/crypto/asn1/a_strex.cc b/third_party/boringssl/src/crypto/asn1/a_strex.cc index 663865ce..e57fde14 100644 --- a/third_party/boringssl/src/crypto/asn1/a_strex.cc +++ b/third_party/boringssl/src/crypto/asn1/a_strex.cc @@ -38,7 +38,7 @@ using namespace bssl; ASN1_STRFLGS_ESC_MSB) static int maybe_write(BIO *out, const void *buf, int len) { - // If |out| is NULL, ignore the output but report the length. + // If `out` is NULL, ignore the output but report the length. return out == nullptr || BIO_write(out, buf, len) == len; } @@ -46,7 +46,7 @@ static int is_control_character(unsigned char c) { return c < 32 || c == 127; } static int do_esc_char(uint32_t c, unsigned long flags, char *do_quotes, BIO *out, int is_first, int is_last) { - // |c| is a |uint32_t| because, depending on |ASN1_STRFLGS_UTF8_CONVERT|, + // `c` is a `uint32_t` because, depending on `ASN1_STRFLGS_UTF8_CONVERT`, // we may be escaping bytes or Unicode codepoints. char buf[16]; // Large enough for "\\W01234567". unsigned char u8 = (unsigned char)c; 
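Review bot: In the `ASN1_OBJECT_free` hunk of a_object.cc, the three new `const_cast` calls on `a->sn`, `a->ln` and `a->data` strip const before `OPENSSL_free` without a comment saying why that is sound. The visible guards show the frees run only when `ASN1_OBJECT_FLAG_DYNAMIC_STRINGS` or `ASN1_OBJECT_FLAG_DYNAMIC_DATA` is set, and internal.h in this same diff notes that the library keeps a table of static `ASN1_OBJECT`s reachable through non-const pointers, so those flags are what keeps static storage away from the allocator. A line such as `// const in the struct, but heap-owned whenever the matching DYNAMIC flag is set.` above the first cast would record that invariant. The function begins before this hunk, so any earlier check is not visible here. As this is vendored BoringSSL, the comment presumably belongs upstream rather than in a local patch.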
@@ -195,7 +195,7 @@ static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) { } ScopedCBB cbb; - // Roughly estimate the encoded size with |str->length| to reduce unnecessary + // Roughly estimate the encoded size with `str->length` to reduce unnecessary // reallocations. (Tag, length, miscellaneous type-dependent overhead.) if (!CBB_init(cbb.get(), 4 + str->length) || !asn1_marshal_any_string(cbb.get(), str)) { @@ -208,12 +208,12 @@ static int do_dump(unsigned long flags, BIO *out, const ASN1_STRING *str) { return outlen + 1; } -// string_type_to_encoding returns the |MBSTRING_*| constant for the encoding -// used by the |ASN1_STRING| type |type|, or -1 if |tag| is not a string +// string_type_to_encoding returns the `MBSTRING_*` constant for the encoding +// used by the `ASN1_STRING` type `type`, or -1 if `tag` is not a string // type. static int string_type_to_encoding(int type) { // This function is sometimes passed ASN.1 universal types and sometimes - // passed |ASN1_STRING| type values + // passed `ASN1_STRING` type values switch (type) { case V_ASN1_UTF8STRING: return MBSTRING_UTF8; @@ -224,7 +224,7 @@ static int string_type_to_encoding(int type) { case V_ASN1_UTCTIME: case V_ASN1_GENERALIZEDTIME: case V_ASN1_ISO64STRING: - // |MBSTRING_ASC| refers to Latin-1, not ASCII. + // `MBSTRING_ASC` refers to Latin-1, not ASCII. return MBSTRING_ASC; case V_ASN1_UNIVERSALSTRING: return MBSTRING_UNIV; @@ -251,7 +251,7 @@ int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, outlen++; } - // Decide what to do with |str|, either dump the contents or display it. + // Decide what to do with `str`, either dump the contents or display it. int encoding; if (flags & ASN1_STRFLGS_DUMP_ALL) { // Dump everything. 
@@ -302,7 +302,7 @@ int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags) { BIO *bio = nullptr; if (fp != nullptr) { - // If |fp| is NULL, this function returns the number of bytes without + // If `fp` is NULL, this function returns the number of bytes without // writing. bio = BIO_new_fp(fp, BIO_NOCLOSE); if (bio == nullptr) { diff --git a/third_party/boringssl/src/crypto/asn1/a_strnid.cc b/third_party/boringssl/src/crypto/asn1/a_strnid.cc index 7ebf30a7..65a3226e 100644 --- a/third_party/boringssl/src/crypto/asn1/a_strnid.cc +++ b/third_party/boringssl/src/crypto/asn1/a_strnid.cc @@ -149,8 +149,8 @@ static const ASN1_STRING_TABLE *asn1_string_table_get(int nid) { tbl = lh_ASN1_STRING_TABLE_retrieve(string_tables, &key); } string_tables_lock.UnlockRead(); - // Note returning |tbl| without the lock is only safe because - // |ASN1_STRING_TABLE_add| cannot modify or delete existing entries. If we + // Note returning `tbl` without the lock is only safe because + // `ASN1_STRING_TABLE_add` cannot modify or delete existing entries. If we // wish to support that, this function must copy the result under a lock. return tbl; } diff --git a/third_party/boringssl/src/crypto/asn1/a_time.cc b/third_party/boringssl/src/crypto/asn1/a_time.cc index 9d642d4a..ccddadbf 100644 --- a/third_party/boringssl/src/crypto/asn1/a_time.cc +++ b/third_party/boringssl/src/crypto/asn1/a_time.cc @@ -108,7 +108,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *in, } } else { assert(in->type == V_ASN1_UTCTIME); - // |ASN1_TIME_check| implies a bound on the string's lengths. In particular, + // `ASN1_TIME_check` implies a bound on the string's lengths. In particular, // the longest possible UTCTime is "YYMMDDHHMMSS+HHMM", with the (invalid) // timezone offsets. static constexpr size_t kMaxUTCTimeLength = 17; 
diff --git a/third_party/boringssl/src/crypto/asn1/a_type.cc b/third_party/boringssl/src/crypto/asn1/a_type.cc index 03ac9bf4..c0f47464 100644 --- a/third_party/boringssl/src/crypto/asn1/a_type.cc +++ b/third_party/boringssl/src/crypto/asn1/a_type.cc @@ -52,8 +52,8 @@ const void *bssl::asn1_type_value_as_pointer(const ASN1_TYPE *a) { } void bssl::asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) { - // |ASN1_STRING| types are almost the same as |ASN1_TYPE| types, except that - // the negative flag is not reflected into |ASN1_TYPE|. + // `ASN1_STRING` types are almost the same as `ASN1_TYPE` types, except that + // the negative flag is not reflected into `ASN1_TYPE`. int type = str->type; if (type == V_ASN1_NEG_INTEGER) { type = V_ASN1_INTEGER; @@ -61,8 +61,8 @@ void bssl::asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str) { type = V_ASN1_ENUMERATED; } - // These types are not |ASN1_STRING| types and use a different - // representation when stored in |ASN1_TYPE|. + // These types are not `ASN1_STRING` types and use a different + // representation when stored in `ASN1_TYPE`. assert(type != V_ASN1_NULL && type != V_ASN1_OBJECT && type != V_ASN1_BOOLEAN); ASN1_TYPE_set(a, type, str); @@ -231,7 +231,7 @@ int bssl::asn1_parse_any_as_string(CBS *cbs, ASN1_STRING *out) { } // Reject unexpectedly constructed or primitive universal types, rather than - // encoding them as an opaque |V_ASN1_OTHER|. As of X.680 (02/2021), tag + // encoding them as an opaque `V_ASN1_OTHER`. As of X.680 (02/2021), tag // numbers 0-36 have been allocated, except 15. Of these, only 8 (EXTERNAL), // 11 (EMBEDDED PDV), 16 (SEQUENCE), 17 (SET), and 29 (CHARACTER STRING) are // constructed. 
@@ -255,15 +255,15 @@ int bssl::asn1_parse_any_as_string(CBS *cbs, ASN1_STRING *out) { } // Historically, parsing high universal tag numbers made OpenSSL's - // |ASN1_STRING| representation ambiguous. We've since fixed this with - // |V_ASN1_OTHER| but, for now, continue to enforce the limit. + // `ASN1_STRING` representation ambiguous. We've since fixed this with + // `V_ASN1_OTHER` but, for now, continue to enforce the limit. if (tag_class == CBS_ASN1_UNIVERSAL && number > V_ASN1_MAX_UNIVERSAL) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_DECODE_ERROR); return 0; } - // These types are just parsed as |V_ASN1_OTHER| here. Check the contents - // before the generic |V_ASN1_OTHER| path. + // These types are just parsed as `V_ASN1_OTHER` here. Check the contents + // before the generic `V_ASN1_OTHER` path. CBS body = elem; BSSL_CHECK(CBS_skip(&body, header_len)); switch (tag) { @@ -333,7 +333,7 @@ int bssl::asn1_parse_any_as_string(CBS *cbs, ASN1_STRING *out) { return 1; default: // All unrecognized types, or types that cannot be represented as - // |ASN1_STRING|, are represented as the whole element. + // `ASN1_STRING`, are represented as the whole element. if (!ASN1_STRING_set(out, CBS_data(&elem), CBS_len(&elem))) { return 0; } @@ -379,12 +379,12 @@ int bssl::asn1_marshal_any(CBB *out, const ASN1_TYPE *in) { case V_ASN1_SEQUENCE: case V_ASN1_SET: case V_ASN1_OTHER: - // If |in->type| and the underlying |ASN1_STRING| type don't match, use - // |in->type|. See b/446993031. + // If `in->type` and the underlying `ASN1_STRING` type don't match, use + // `in->type`. See b/446993031. return asn1_marshal_string_with_type(out, in->value.asn1_string, in->type); default: - // |ASN1_TYPE|s can have type -1 when default-constructed. + // `ASN1_TYPE`s can have type -1 when default-constructed. OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE); return 0; } 
@@ -424,7 +424,7 @@ static int asn1_marshal_string_with_type(CBB *out, const ASN1_STRING *in, return CBB_add_bytes(out, ASN1_STRING_get0_data(in), ASN1_STRING_length(in)); default: - // |ASN1_TYPE|s can have type -1 when default-constructed. + // `ASN1_TYPE`s can have type -1 when default-constructed. OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE); return 0; } diff --git a/third_party/boringssl/src/crypto/asn1/a_utctm.cc b/third_party/boringssl/src/crypto/asn1/a_utctm.cc index 16a14067..1f4d7d0b 100644 --- a/third_party/boringssl/src/crypto/asn1/a_utctm.cc +++ b/third_party/boringssl/src/crypto/asn1/a_utctm.cc @@ -105,7 +105,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, int64_t posix_time, int ret = snprintf(buf, sizeof(buf), "%02d%02d%02d%02d%02d%02dZ", data.tm_year % 100, data.tm_mon + 1, data.tm_mday, data.tm_hour, data.tm_min, data.tm_sec); - // |snprintf| must write exactly 15 bytes (plus the NUL) to the buffer. + // `snprintf` must write exactly 15 bytes (plus the NUL) to the buffer. BSSL_CHECK(ret == static_cast(sizeof(buf) - 1)); int free_s = 0; diff --git a/third_party/boringssl/src/crypto/asn1/asn1_lib.cc b/third_party/boringssl/src/crypto/asn1/asn1_lib.cc index c129c6b4..0a05db4e 100644 --- a/third_party/boringssl/src/crypto/asn1/asn1_lib.cc +++ b/third_party/boringssl/src/crypto/asn1/asn1_lib.cc 
@@ -63,13 +63,13 @@ OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_FORMAT) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNKNOWN_TAG) OPENSSL_DECLARE_ERROR_REASON(ASN1, UNSUPPORTED_TYPE) -// Limit |ASN1_STRING|s to 64 MiB of data. Most of this module, as well as +// Limit `ASN1_STRING`s to 64 MiB of data. Most of this module, as well as // downstream code, does not correctly handle overflow. We cap string fields -// more tightly than strictly necessary to fit in |int|. This is not expected to +// more tightly than strictly necessary to fit in `int`. This is not expected to // impact real world uses of this field. // // In particular, this limit is small enough that the bit count of a BIT STRING -// comfortably fits in an |int|, with room for arithmetic. +// comfortably fits in an `int`, with room for arithmetic. #define ASN1_STRING_MAX (64 * 1024 * 1024) static void asn1_put_length(unsigned char **pp, int length); @@ -270,7 +270,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *_data, ossl_ssize_t len_s) { if (data != nullptr) { OPENSSL_memcpy(str->data, data, len); // Historically, OpenSSL would NUL-terminate most (but not all) - // |ASN1_STRING|s, in case anyone accidentally passed |str->data| into a + // `ASN1_STRING`s, in case anyone accidentally passed `str->data` into a // function expecting a C string. We retain this behavior for compatibility, // but code must not rely on this. See CVE-2021-3712. str->data[len] = '\0'; diff --git a/third_party/boringssl/src/crypto/asn1/internal.h b/third_party/boringssl/src/crypto/asn1/internal.h index 970de107..6013057f 100644 --- a/third_party/boringssl/src/crypto/asn1/internal.h +++ b/third_party/boringssl/src/crypto/asn1/internal.h 
@@ -25,22 +25,22 @@ BSSL_NAMESPACE_BEGIN // Wrapper functions for time functions. -// OPENSSL_gmtime converts a time_t value in |time| which must be in the range -// of year 0000 to 9999 to a broken out time value in |tm|. On success |tm| is +// OPENSSL_gmtime converts a time_t value in `time` which must be in the range +// of year 0000 to 9999 to a broken out time value in `tm`. On success `tm` is // returned. On failure NULL is returned. OPENSSL_EXPORT struct tm *OPENSSL_gmtime(const time_t *time, struct tm *result); -// OPENSSL_gmtime_adj returns one on success, and updates |tm| by adding -// |offset_day| days and |offset_sec| seconds. It returns zero on failure. |tm| +// OPENSSL_gmtime_adj returns one on success, and updates `tm` by adding +// `offset_day` days and `offset_sec` seconds. It returns zero on failure. `tm` // must be in the range of year 0000 to 9999 both before and after the update or // a failure will be returned. OPENSSL_EXPORT int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, int64_t offset_sec); -// OPENSSL_gmtime_diff calculates the difference between |from| and |to|. It +// OPENSSL_gmtime_diff calculates the difference between `from` and `to`. It // returns one, and outputs the difference as a number of days and seconds in -// |*out_days| and |*out_secs| on success. It returns zero on failure. Both -// |from| and |to| must be in the range of year 0000 to 9999 or a failure will +// `*out_days` and `*out_secs` on success. It returns zero on failure. Both +// `from` and `to` must be in the range of year 0000 to 9999 or a failure will // be returned. OPENSSL_EXPORT int OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from, 
@@ -57,10 +57,10 @@ OPENSSL_EXPORT int OPENSSL_gmtime_diff(int *out_days, int *out_secs, BSSL_NAMESPACE_END -// An asn1_object_st (aka |ASN1_OBJECT|) represents an ASN.1 OBJECT IDENTIFIER. -// Note: Mutating an |ASN1_OBJECT| is only permitted when initializing it. The -// library maintains a table of static |ASN1_OBJECT|s, which may be referenced -// by non-const |ASN1_OBJECT| pointers. Code which receives an |ASN1_OBJECT| +// An asn1_object_st (aka `ASN1_OBJECT`) represents an ASN.1 OBJECT IDENTIFIER. +// Note: Mutating an `ASN1_OBJECT` is only permitted when initializing it. The +// library maintains a table of static `ASN1_OBJECT`s, which may be referenced +// by non-const `ASN1_OBJECT` pointers. Code which receives an `ASN1_OBJECT` // pointer externally must assume it is immutable, even if the pointer is not // const. struct asn1_object_st { 
@@ -75,40 +75,40 @@ BSSL_NAMESPACE_BEGIN ASN1_OBJECT *ASN1_OBJECT_new(); -// asn1_parse_object parses a DER-encoded ASN.1 OBJECT IDENTIFIER from |cbs| and -// write the result to |out|. If |tag| is non-zero, the value is implicitly -// tagged with |tag|. On success, it returns a newly-allocated |ASN1_OBJECT| -// with the result and advances |cbs| past the parsed element. +// asn1_parse_object parses a DER-encoded ASN.1 OBJECT IDENTIFIER from `cbs` and +// write the result to `out`. If `tag` is non-zero, the value is implicitly +// tagged with `tag`. On success, it returns a newly-allocated `ASN1_OBJECT` +// with the result and advances `cbs` past the parsed element. // // TODO(crbug.com/boringssl/414361735): This should return a bssl::UniquePtr, // but cannot until it is made C++ linkage. ASN1_OBJECT *asn1_parse_object(CBS *cbs, CBS_ASN1_TAG tag); -// asn1_marshal_object marshals |in| as a DER-encoded, ASN.1 OBJECT IDENTIFIER -// and writes the result to |out|. It returns one on success and zero on error. -// If |tag| is non-zero, the tag is replaced with |tag|. +// asn1_marshal_object marshals `in` as a DER-encoded, ASN.1 OBJECT IDENTIFIER +// and writes the result to `out`. It returns one on success and zero on error. +// If `tag` is non-zero, the tag is replaced with `tag`. int asn1_marshal_object(CBB *out, const ASN1_OBJECT *in, CBS_ASN1_TAG tag); // Strings. -// asn1_is_printable returns one if |value| is a valid Unicode codepoint for an +// asn1_is_printable returns one if `value` is a valid Unicode codepoint for an // ASN.1 PrintableString, and zero otherwise. int asn1_is_printable(uint32_t value); -// asn1_string_init initializes |str|, which may be uninitialized, with type -// |type|. +// asn1_string_init initializes `str`, which may be uninitialized, with type +// `type`. void asn1_string_init(ASN1_STRING *str, int type); -// asn1_string_cleanup releases memory associated with |str|'s value, without -// freeing |str| itself. 
+// asn1_string_cleanup releases memory associated with `str`'s value, without +// freeing `str` itself. void asn1_string_cleanup(ASN1_STRING *str); // The following functions parse a DER-encoded ASN.1 value of the specified -// type from |cbs| and write the result to |*out|. If |tag| is non-zero, the -// value is implicitly tagged with |tag|. On success, they return one and -// advance |cbs| past the parsed element. On entry, |*out| must contain an -// |ASN1_STRING| in some valid state. +// type from `cbs` and write the result to `*out`. If `tag` is non-zero, the +// value is implicitly tagged with `tag`. On success, they return one and +// advance `cbs` past the parsed element. On entry, `*out` must contain an +// `ASN1_STRING` in some valid state. int asn1_parse_bit_string(CBS *cbs, ASN1_BIT_STRING *out, CBS_ASN1_TAG tag); int asn1_parse_integer(CBS *cbs, ASN1_INTEGER *out, CBS_ASN1_TAG tag); int asn1_parse_enumerated(CBS *cbs, ASN1_ENUMERATED *out, CBS_ASN1_TAG tag); 
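Review bot: The rewritten comment on `asn1_parse_object` in this internal.h hunk still says the function will "write the result to `out`", but the declaration below it, `ASN1_OBJECT *asn1_parse_object(CBS *cbs, CBS_ASN1_TAG tag);`, has no `out` parameter. The same comment goes on to say the newly-allocated object is returned, so the first sentence should simply end after "from `cbs`", leaving the return sentence to describe the result and who owns it. Later internal.h hunks carry similar slips on their new side: "zeron on error" for `asn1_marshal_any` and `asn1_marshal_any_string`, and "which must of type `it`" for `asn1_get_choice_selector`. These comments are the only contract a caller sees for parse and marshal helpers, so they are worth correcting while the lines are being touched. The file is vendored, so the fix presumably goes upstream.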
@@ -123,25 +123,25 @@ int asn1_parse_generalized_time(CBS *cbs, ASN1_GENERALIZEDTIME *out, int asn1_parse_utc_time(CBS *cbs, ASN1_UTCTIME *out, CBS_ASN1_TAG tag, int allow_timezone_offset); -// asn1_parse_bit_string_with_bad_length behaves like |asn1_parse_bit_string| +// asn1_parse_bit_string_with_bad_length behaves like `asn1_parse_bit_string` // but tolerates BER non-minimal, definite lengths. int asn1_parse_bit_string_with_bad_length(CBS *cbs, ASN1_BIT_STRING *out); -// asn1_marshal_bit_string marshals |in| as a DER-encoded, ASN.1 BIT STRING and -// writes the result to |out|. It returns one on success and zero on error. If -// |tag| is non-zero, the tag is replaced with |tag|. +// asn1_marshal_bit_string marshals `in` as a DER-encoded, ASN.1 BIT STRING and +// writes the result to `out`. It returns one on success and zero on error. If +// `tag` is non-zero, the tag is replaced with `tag`. int asn1_marshal_bit_string(CBB *out, const ASN1_BIT_STRING *in, CBS_ASN1_TAG tag); -// asn1_marshal_integer marshals |in| as a DER-encoded, ASN.1 INTEGER and writes -// the result to |out|. It returns one on success and zero on error. If |tag| is -// non-zero, the tag is replaced with |tag|. This can also be used to marshal an +// asn1_marshal_integer marshals `in` as a DER-encoded, ASN.1 INTEGER and writes +// the result to `out`. It returns one on success and zero on error. If `tag` is +// non-zero, the tag is replaced with `tag`. This can also be used to marshal an // ASN.1 ENUMERATED value by overriding the tag. int asn1_marshal_integer(CBB *out, const ASN1_INTEGER *in, CBS_ASN1_TAG tag); -// asn1_marshal_octet_string marshals |in| as a DER-encoded, ASN.1 OCTET STRING -// and writes the result to |out|. It returns one on success and zero on error. -// If |tag| is non-zero, the tag is replaced with |tag|. +// asn1_marshal_octet_string marshals `in` as a DER-encoded, ASN.1 OCTET STRING +// and writes the result to `out`. It returns one on success and zero on error. 
+// If `tag` is non-zero, the tag is replaced with `tag`. // // This function may be used to marshal other string-based universal types whose // encoding is that of an implicitly-tagged OCTET STRING, e.g. UTF8String. 
@@ -159,37 +159,37 @@ int asn1_marshal_time(CBB *cbb, const ASN1_TIME *in); // The ASN.1 ANY type. -// asn1_type_value_as_pointer returns |a|'s value in pointer form. This is +// asn1_type_value_as_pointer returns `a`'s value in pointer form. This is // usually the value object but, for BOOLEAN values, is 0 or 0xff cast to // a pointer. const void *asn1_type_value_as_pointer(const ASN1_TYPE *a); -// asn1_type_set0_string sets |a|'s value to the object represented by |str| and -// takes ownership of |str|. +// asn1_type_set0_string sets `a`'s value to the object represented by `str` and +// takes ownership of `str`. void asn1_type_set0_string(ASN1_TYPE *a, ASN1_STRING *str); -// asn1_type_cleanup releases memory associated with |a|'s value, without -// freeing |a| itself. +// asn1_type_cleanup releases memory associated with `a`'s value, without +// freeing `a` itself. void asn1_type_cleanup(ASN1_TYPE *a); -// asn1_parse_any parses a DER-encoded ASN.1 value of any type from |cbs| and -// writes the result to |*out|. On success, it advances |cbs| past the parsed -// element and returns one. On entry, |*out| must contain an |ASN1_TYPE| in some +// asn1_parse_any parses a DER-encoded ASN.1 value of any type from `cbs` and +// writes the result to `*out`. On success, it advances `cbs` past the parsed +// element and returns one. On entry, `*out` must contain an `ASN1_TYPE` in some // valid state. int asn1_parse_any(CBS *cbs, ASN1_TYPE *out); -// asn1_parse_any_as_string behaves like |asn1_parse_any| but represents the -// value as an |ASN1_STRING|. Types which are not represented with -// |ASN1_STRING|, such as |ASN1_OBJECT|, are represented with type -// |V_ASN1_OTHER|. +// asn1_parse_any_as_string behaves like `asn1_parse_any` but represents the +// value as an `ASN1_STRING`. Types which are not represented with +// `ASN1_STRING`, such as `ASN1_OBJECT`, are represented with type +// `V_ASN1_OTHER`. 
int asn1_parse_any_as_string(CBS *cbs, ASN1_STRING *out); -// asn1_marshal_any marshals |in| as a DER-encoded ASN.1 value and writes the -// result to |out|. It returns one on success and zeron on error. +// asn1_marshal_any marshals `in` as a DER-encoded ASN.1 value and writes the +// result to `out`. It returns one on success and zeron on error. int asn1_marshal_any(CBB *out, const ASN1_TYPE *in); -// asn1_marshal_any_string marshals |in| as a DER-encoded ASN.1 value and writes -// the result to |out|. It returns one on success and zeron on error. +// asn1_marshal_any_string marshals `in` as a DER-encoded ASN.1 value and writes +// the result to `out`. It returns one on success and zeron on error. int asn1_marshal_any_string(CBB *out, const ASN1_STRING *in); @@ -198,9 +198,9 @@ int asn1_marshal_any_string(CBB *out, const ASN1_STRING *in); // ASN1_ENCODING is used to save the received encoding of an ASN.1 type. This // avoids problems with invalid encodings that break signatures. typedef struct ASN1_ENCODING_st { - // enc is the saved DER encoding. Its ownership is determined by |buf|. + // enc is the saved DER encoding. Its ownership is determined by `buf`. uint8_t *enc; - // len is the length of |enc|. If zero, there is no saved encoding. + // len is the length of `enc`. If zero, there is no saved encoding. size_t len; } ASN1_ENCODING; 
@@ -209,40 +209,40 @@ void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it); void ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); -// ASN1_item_ex_d2i parses |len| bytes from |*in| as a structure of type |it| -// and writes the result to |*pval|. If |tag| is non-negative, |it| is -// implicitly tagged with the tag specified by |tag| and |aclass|. If |opt| is +// ASN1_item_ex_d2i parses `len` bytes from `*in` as a structure of type `it` +// and writes the result to `*pval`. If `tag` is non-negative, `it` is +// implicitly tagged with the tag specified by `tag` and `aclass`. If `opt` is // non-zero, the value is optional. // -// This function returns one and advances |*in| if an object was successfully +// This function returns one and advances `*in` if an object was successfully // parsed, -1 if an optional value was successfully skipped, and zero on error. int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt); -// ASN1_item_ex_i2d encodes |*pval| as a value of type |it| to |out| under the +// ASN1_item_ex_i2d encodes `*pval` as a value of type `it` to `out` under the // i2d output convention. It returns a non-zero length on success and -1 on -// error. If |tag| is -1. the tag and class come from |it|. Otherwise, the tag -// number is |tag| and the class is |aclass|. This is used for implicit tagging. +// error. If `tag` is -1. the tag and class come from `it`. Otherwise, the tag +// number is `tag` and the class is `aclass`. This is used for implicit tagging. // This function treats a missing value as an error, not an optional field. int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); void ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it); -// asn1_get_choice_selector returns the CHOICE selector value for |*pval|, which -// must of type |it|. 
+// asn1_get_choice_selector returns the CHOICE selector value for `*pval`, which +// must of type `it`. int asn1_get_choice_selector(ASN1_VALUE **pval, const ASN1_ITEM *it); int asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it); -// asn1_get_field_ptr returns a pointer to the field in |*pval| corresponding to -// |tt|. +// asn1_get_field_ptr returns a pointer to the field in `*pval` corresponding to +// `tt`. ASN1_VALUE **asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); -// asn1_do_adb returns the |ASN1_TEMPLATE| for the ANY DEFINED BY field |tt|, -// based on the selector INTEGER or OID in |*pval|. If |tt| is not an ADB field, -// it returns |tt|. If the selector does not match any value, it returns NULL. -// If |nullerr| is non-zero, it will additionally push an error to the error +// asn1_do_adb returns the `ASN1_TEMPLATE` for the ANY DEFINED BY field `tt`, +// based on the selector INTEGER or OID in `*pval`. If `tt` is not an ADB field, +// it returns `tt`. If the selector does not match any value, it returns NULL. +// If `nullerr` is non-zero, it will additionally push an error to the error // queue when there is no match. const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int nullerr); 
@@ -253,19 +253,19 @@ int asn1_refcount_dec_and_test_zero(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it); void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it); -// asn1_enc_restore, if |*pval| has a saved encoding, writes it to |out| under -// the i2d output convention, sets |*len| to the length, and returns one. If it +// asn1_enc_restore, if `*pval` has a saved encoding, writes it to `out` under +// the i2d output convention, sets `*len` to the length, and returns one. If it // has no saved encoding, it returns zero. int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it); -// asn1_enc_save saves |inlen| bytes from |in| as |*pval|'s saved encoding. It -// returns one on success and zero on error. If |buf| is non-NULL, |in| must -// point into |buf|. +// asn1_enc_save saves `inlen` bytes from `in` as `*pval`'s saved encoding. It +// returns one on success and zero on error. If `buf` is non-NULL, `in` must +// point into `buf`. int asn1_enc_save(ASN1_VALUE **pval, const uint8_t *in, size_t inlen, const ASN1_ITEM *it); -// asn1_encoding_clear clears the cached encoding in |enc|. +// asn1_encoding_clear clears the cached encoding in `enc`. void asn1_encoding_clear(ASN1_ENCODING *enc); typedef struct { @@ -276,8 +276,8 @@ typedef struct { unsigned long flags; } ASN1_STRING_TABLE; -// asn1_get_string_table_for_testing sets |*out_ptr| and |*out_len| to the table -// of built-in |ASN1_STRING_TABLE| values. It is exported for testing. +// asn1_get_string_table_for_testing sets `*out_ptr` and `*out_len` to the table +// of built-in `ASN1_STRING_TABLE` values. It is exported for testing. OPENSSL_EXPORT void asn1_get_string_table_for_testing( const ASN1_STRING_TABLE **out_ptr, size_t *out_len); 
@@ -287,14 +287,14 @@ typedef ASN1_VALUE *ASN1_d2i_func(ASN1_VALUE **a, const unsigned char **in, long length); typedef int ASN1_i2d_func(ASN1_VALUE *a, unsigned char **in); -// An ASN1_ex_parse function should parse a value from |cbs| and set |*pval| to -// the result. It should return one on success and zero on failure. If |opt| is +// An ASN1_ex_parse function should parse a value from `cbs` and set `*pval` to +// the result. It should return one on success and zero on failure. If `opt` is // non-zero, the field may be optional. If an optional element is missing, the -// function should return one and consume zero bytes from |cbs|. +// function should return one and consume zero bytes from `cbs`. // -// If |opt| is non-zero, the function can assume that |*pval| is nullptr on -// entry. Otherwise, |*pval| may either be nullptr, or the result of -// |ASN1_ex_new_func|. The function may either write into the existing object, +// If `opt` is non-zero, the function can assume that `*pval` is nullptr on +// entry. Otherwise, `*pval` may either be nullptr, or the result of +// `ASN1_ex_new_func`. The function may either write into the existing object, // if any, or unconditionally make a new one. (The existing object comes from // tasn_new.cc recursively filling in objects before parsing into them.) typedef int ASN1_ex_parse(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, 
@@ -347,16 +347,16 @@ typedef struct ASN1_EXTERN_FUNCS_st { \ IMPLEMENT_EXTERN_ASN1(name, name##_extern_funcs) -// ASN1_TIME is an |ASN1_ITEM| whose ASN.1 type is X.509 Time (RFC 5280) and C -// type is |ASN1_TIME*|. +// ASN1_TIME is an `ASN1_ITEM` whose ASN.1 type is X.509 Time (RFC 5280) and C +// type is `ASN1_TIME*`. DECLARE_ASN1_ITEM(ASN1_TIME) -// DIRECTORYSTRING is an |ASN1_ITEM| whose ASN.1 type is X.509 DirectoryString -// (RFC 5280) and C type is |ASN1_STRING*|. +// DIRECTORYSTRING is an `ASN1_ITEM` whose ASN.1 type is X.509 DirectoryString +// (RFC 5280) and C type is `ASN1_STRING*`. DECLARE_ASN1_ITEM(DIRECTORYSTRING) -// DISPLAYTEXT is an |ASN1_ITEM| whose ASN.1 type is X.509 DisplayText (RFC -// 5280) and C type is |ASN1_STRING*|. +// DISPLAYTEXT is an `ASN1_ITEM` whose ASN.1 type is X.509 DisplayText (RFC +// 5280) and C type is `ASN1_STRING*`. DECLARE_ASN1_ITEM(DISPLAYTEXT) BSSL_NAMESPACE_END diff --git a/third_party/boringssl/src/crypto/asn1/tasn_dec.cc b/third_party/boringssl/src/crypto/asn1/tasn_dec.cc index 20701dff..9107e2e9 100644 --- a/third_party/boringssl/src/crypto/asn1/tasn_dec.cc +++ b/third_party/boringssl/src/crypto/asn1/tasn_dec.cc @@ -110,7 +110,7 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, } // If the caller supplied an output pointer, free the old one and replace it - // with |ret|. This differs from OpenSSL slightly in that we don't support + // with `ret`. This differs from OpenSSL slightly in that we don't support // object reuse. We run this on both success and failure. On failure, even // with object reuse, OpenSSL destroys the previous object. if (pval != nullptr) { 
@@ -124,10 +124,10 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, // tag mismatch return -1 to handle OPTIONAL // // TODO(davidben): Historically, all functions in this file had to account for -// |*pval| containing an arbitrary existing value. This is no longer the case -// because |ASN1_item_d2i| now always starts from NULL. As part of rewriting +// `*pval` containing an arbitrary existing value. This is no longer the case +// because `ASN1_item_d2i` now always starts from NULL. As part of rewriting // this function, take the simplified assumptions into account. Though we must -// still account for the internal calls to |ASN1_item_ex_new|. +// still account for the internal calls to `ASN1_item_ex_new`. static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, @@ -148,7 +148,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, goto err; } - // Bound |len| to comfortably fit in an int. Lengths in this module often + // Bound `len` to comfortably fit in an int. Lengths in this module often // switch between int and long without overflow checks. if (len > INT_MAX / 2) { len = INT_MAX / 2; @@ -229,7 +229,7 @@ static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, // Check whether the function skipped an optional element. // // TODO(crbug.com/42290418): Switch the rest of this function to - // |asn1_ex_parse|'s calling convention. + // `asn1_ex_parse`'s calling convention. return CBS_len(&cbs) == CBS_len(©) ? -1 : 1; } 
@@ -640,14 +640,14 @@ static ASN1_STRING *ensure_string(ASN1_VALUE **pval) { static int asn1_d2i_ex_primitive_cbs(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, int tag, int aclass, char opt) { - // Historically, |it->funcs| for primitive types contained an - // |ASN1_PRIMITIVE_FUNCS| table of callbacks. + // Historically, `it->funcs` for primitive types contained an + // `ASN1_PRIMITIVE_FUNCS` table of callbacks. assert(it->funcs == nullptr); int utype; assert(it->itype == ASN1_ITYPE_PRIMITIVE || it->itype == ASN1_ITYPE_MSTRING); if (it->itype == ASN1_ITYPE_MSTRING) { - // MSTRING passes utype in |tag|, normally used for implicit tagging. + // MSTRING passes utype in `tag`, normally used for implicit tagging. utype = tag; tag = -1; } else { @@ -682,9 +682,9 @@ static int asn1_d2i_ex_primitive_cbs(ASN1_VALUE **pval, CBS *cbs, aclass = V_ASN1_UNIVERSAL; } - // All edge cases of |utype| should have been handled already. |utype| is now - // either a primitive |ASN1_ITEM|, handled by |DECLARE_ASN1_ITEM|, or a - // multistring option with a corresponding |B_ASN1_*| constant. + // All edge cases of `utype` should have been handled already. `utype` is now + // either a primitive `ASN1_ITEM`, handled by `DECLARE_ASN1_ITEM`, or a + // multistring option with a corresponding `B_ASN1_*` constant. assert(utype >= 0 && utype <= V_ASN1_MAX_UNIVERSAL); CBS_ASN1_TAG cbs_tag = (static_cast(aclass) << CBS_ASN1_TAG_SHIFT) | @@ -697,7 +697,7 @@ static int asn1_d2i_ex_primitive_cbs(ASN1_VALUE **pval, CBS *cbs, return -1; // Omitted OPTIONAL value. } - // Handle non-|ASN1_STRING| types. + // Handle non-`ASN1_STRING` types. switch (utype) { case V_ASN1_OBJECT: { UniquePtr obj(asn1_parse_object(cbs, cbs_tag)); 
@@ -728,7 +728,7 @@ static int asn1_d2i_ex_primitive_cbs(ASN1_VALUE **pval, CBS *cbs, return 0; } // TODO(crbug.com/42290221): Reject invalid BOOLEAN encodings and just - // call |CBS_get_asn1_bool|. + // call `CBS_get_asn1_bool`. if (CBS_len(&child) != 1) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_BOOLEAN_IS_WRONG_LENGTH); return 0; @@ -740,7 +740,7 @@ static int asn1_d2i_ex_primitive_cbs(ASN1_VALUE **pval, CBS *cbs, } } - // All other types as an |ASN1_STRING| representation. + // All other types as an `ASN1_STRING` representation. ASN1_STRING *str = ensure_string(pval); if (str == nullptr) { return 0; @@ -761,7 +761,7 @@ static int asn1_d2i_ex_primitive_cbs(ASN1_VALUE **pval, CBS *cbs, return asn1_parse_utf8_string(cbs, str, cbs_tag); case V_ASN1_UTCTIME: // TODO(crbug.com/42290221): Reject timezone offsets. We need to parse - // invalid timestamps in |X509| objects, but that parser no longer uses + // invalid timestamps in `X509` objects, but that parser no longer uses // this code. return asn1_parse_utc_time(cbs, str, cbs_tag, /*allow_timezone_offset=*/1); diff --git a/third_party/boringssl/src/crypto/asn1/tasn_enc.cc b/third_party/boringssl/src/crypto/asn1/tasn_enc.cc index 1d1ad97f..20b9a3ea 100644 --- a/third_party/boringssl/src/crypto/asn1/tasn_enc.cc +++ b/third_party/boringssl/src/crypto/asn1/tasn_enc.cc 
@@ -78,21 +78,21 @@ int bssl::ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, return ret; } -// asn1_item_ex_i2d_opt behaves like |ASN1_item_ex_i2d| but, if |optional| is -// non-zero and |*pval| is omitted, it returns zero and writes no bytes. +// asn1_item_ex_i2d_opt behaves like `ASN1_item_ex_i2d` but, if `optional` is +// non-zero and `*pval` is omitted, it returns zero and writes no bytes. int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass, int optional) { const ASN1_TEMPLATE *tt = nullptr; int i, seqcontlen, seqlen; - // Historically, |aclass| was repurposed to pass additional flags into the + // Historically, `aclass` was repurposed to pass additional flags into the // encoding process. assert((aclass & ASN1_TFLG_TAG_CLASS) == aclass); - // If not overriding the tag, |aclass| is ignored and should be zero. + // If not overriding the tag, `aclass` is ignored and should be zero. assert(tag != -1 || aclass == 0); - // All fields are pointers, except for boolean |ASN1_ITYPE_PRIMITIVE|s. + // All fields are pointers, except for boolean `ASN1_ITYPE_PRIMITIVE`s. // Optional primitives are handled later. if ((it->itype != ASN1_ITYPE_PRIMITIVE) && !*pval) { if (optional) { @@ -105,7 +105,7 @@ int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out, switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: if (it->templates) { - // This is an |ASN1_ITEM_TEMPLATE|. + // This is an `ASN1_ITEM_TEMPLATE`. if (it->templates->flags & ASN1_TFLG_OPTIONAL) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_BAD_TEMPLATE); return -1; 
@@ -155,8 +155,8 @@ int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out, reinterpret_cast(it->funcs); int ret = ef->asn1_ex_i2d(pval, out, it); if (ret == 0) { - // |asn1_ex_i2d| should never return zero. We have already checked - // for optional values generically, and |ASN1_ITYPE_EXTERN| fields + // `asn1_ex_i2d` should never return zero. We have already checked + // for optional values generically, and `ASN1_ITYPE_EXTERN` fields // must be pointers. OPENSSL_PUT_ERROR(ASN1, ERR_R_INTERNAL_ERROR); return -1; @@ -227,9 +227,9 @@ int asn1_item_ex_i2d_opt(ASN1_VALUE **pval, unsigned char **out, } } -// asn1_template_ex_i2d behaves like |asn1_item_ex_i2d_opt| but uses an -// |ASN1_TEMPLATE| instead of an |ASN1_ITEM|. An |ASN1_TEMPLATE| wraps an -// |ASN1_ITEM| with modifiers such as tagging, SEQUENCE or SET, etc. +// asn1_template_ex_i2d behaves like `asn1_item_ex_i2d_opt` but uses an +// `ASN1_TEMPLATE` instead of an `ASN1_ITEM`. An `ASN1_TEMPLATE` wraps an +// `ASN1_ITEM` with modifiers such as tagging, SEQUENCE or SET, etc. static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_TEMPLATE *tt, int tag, int iclass, int optional) { @@ -237,10 +237,10 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, size_t j; uint32_t flags = tt->flags; - // Historically, |iclass| was repurposed to pass additional flags into the + // Historically, `iclass` was repurposed to pass additional flags into the // encoding process. assert((iclass & ASN1_TFLG_TAG_CLASS) == iclass); - // If not overriding the tag, |iclass| is ignored and should be zero. + // If not overriding the tag, `iclass` is ignored and should be zero. assert(tag != -1 || iclass == 0); // Work out tag and class to use: tagging may come either from the 
@@ -265,9 +265,9 @@ static int asn1_template_ex_i2d(ASN1_VALUE **pval, unsigned char **out, } // The template may itself by marked as optional, or this may be the template - // of an |ASN1_ITEM_TEMPLATE| type which was contained inside an outer + // of an `ASN1_ITEM_TEMPLATE` type which was contained inside an outer // optional template. (They cannot both be true because the - // |ASN1_ITEM_TEMPLATE| codepath rejects optional templates.) + // `ASN1_ITEM_TEMPLATE` codepath rejects optional templates.) assert(!optional || (flags & ASN1_TFLG_OPTIONAL) == 0); optional = optional || (flags & ASN1_TFLG_OPTIONAL) != 0; @@ -397,11 +397,11 @@ static int der_cmp(const void *a, const void *b) { return d1->length - d2->length; } -// asn1_set_seq_out writes |sk| to |out| under the i2d output convention, +// asn1_set_seq_out writes `sk` to `out` under the i2d output convention, // excluding the tag and length. It returns one on success and zero on error. -// |skcontlen| must be the total encoded size. If |do_sort| is non-zero, the -// elements are sorted for a SET OF type. Each element of |sk| has type -// |item|. +// `skcontlen` must be the total encoded size. If `do_sort` is non-zero, the +// elements are sorted for a SET OF type. Each element of `sk` has type +// `item`. static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, int skcontlen, const ASN1_ITEM *item, int do_sort) { // No need to sort if there are fewer than two items. @@ -424,7 +424,7 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, goto err; } - // Encode all the elements into |buf| and populate |encoded|. + // Encode all the elements into `buf` and populate `encoded`. for (size_t i = 0; i < sk_ASN1_VALUE_num(sk); i++) { ASN1_VALUE *skitem = sk_ASN1_VALUE_value(sk, i); encoded[i].data = p; 
@@ -453,8 +453,8 @@ static int asn1_set_seq_out(STACK_OF(ASN1_VALUE) *sk, unsigned char **out, return ret; } -// asn1_i2d_ex_primitive behaves like |ASN1_item_ex_i2d| but |item| must be a -// a PRIMITIVE or MSTRING type that is not an |ASN1_ITEM_TEMPLATE|. +// asn1_i2d_ex_primitive behaves like `ASN1_item_ex_i2d` but `item` must be a +// a PRIMITIVE or MSTRING type that is not an `ASN1_ITEM_TEMPLATE`. static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass, int optional) { 
@@ -504,21 +504,21 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, return len; } -// asn1_ex_i2c writes the |*pval| to |cout| under the i2d output convention, +// asn1_ex_i2c writes the `*pval` to `cout` under the i2d output convention, // excluding the tag and length. It returns the number of bytes written, -// possibly zero, on success or -1 on error. If |*pval| should be omitted, it -// returns zero and sets |*out_omit| to true. +// possibly zero, on success or -1 on error. If `*pval` should be omitted, it +// returns zero and sets `*out_omit` to true. // -// If |it| is an MSTRING or ANY type, it gets the underlying type from |*pval|, -// which must be an |ASN1_STRING| or |ASN1_TYPE|, respectively. It then updates -// |*putype| with the tag number of type used, or |V_ASN1_OTHER| if it was not a -// universal type. If |*putype| is set to |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or -// |V_ASN1_OTHER|, it additionally outputs the tag and length, so the caller +// If `it` is an MSTRING or ANY type, it gets the underlying type from `*pval`, +// which must be an `ASN1_STRING` or `ASN1_TYPE`, respectively. It then updates +// `*putype` with the tag number of type used, or `V_ASN1_OTHER` if it was not a +// universal type. If `*putype` is set to `V_ASN1_SEQUENCE`, `V_ASN1_SET`, or +// `V_ASN1_OTHER`, it additionally outputs the tag and length, so the caller // must not do so. // -// Otherwise, |*putype| must contain |it->utype|. +// Otherwise, `*putype` must contain `it->utype`. // -// WARNING: Unlike most functions in this file, |asn1_ex_i2c| can return zero +// WARNING: Unlike most functions in this file, `asn1_ex_i2c` can return zero // without omitting the element. ASN.1 values may have empty contents. static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, int *putype, const ASN1_ITEM *it) { 
@@ -531,8 +531,8 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, int len; assert(it->itype == ASN1_ITYPE_PRIMITIVE || it->itype == ASN1_ITYPE_MSTRING); - // Historically, |it->funcs| for primitive types contained an - // |ASN1_PRIMITIVE_FUNCS| table of callbacks. + // Historically, `it->funcs` for primitive types contained an + // `ASN1_PRIMITIVE_FUNCS` table of callbacks. assert(it->funcs == nullptr); *out_omit = 0; @@ -555,7 +555,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE); return -1; } - // Negative INTEGER and ENUMERATED values use |ASN1_STRING| type values that + // Negative INTEGER and ENUMERATED values use `ASN1_STRING` type values that // do not match their corresponding utype values. if (utype == V_ASN1_NEG_INTEGER) { utype = V_ASN1_INTEGER; @@ -569,7 +569,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, typ = (ASN1_TYPE *)*pval; utype = typ->type; if (utype < 0 && utype != V_ASN1_OTHER) { - // |ASN1_TYPE|s can have type -1 when default-constructed. + // `ASN1_TYPE`s can have type -1 when default-constructed. OPENSSL_PUT_ERROR(ASN1, ASN1_R_WRONG_TYPE); return -1; } @@ -585,7 +585,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, cont = otmp->data; len = otmp->length; if (len == 0) { - // Some |ASN1_OBJECT|s do not have OIDs and cannot be serialized. + // Some `ASN1_OBJECT`s do not have OIDs and cannot be serialized. OPENSSL_PUT_ERROR(ASN1, ASN1_R_ILLEGAL_OBJECT); return -1; } 
@@ -617,15 +617,15 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, case V_ASN1_BIT_STRING: { int ret = i2c_ASN1_BIT_STRING((ASN1_BIT_STRING *)*pval, cout ? &cout : nullptr); - // |i2c_ASN1_BIT_STRING| returns zero on error instead of -1. + // `i2c_ASN1_BIT_STRING` returns zero on error instead of -1. return ret <= 0 ? -1 : ret; } case V_ASN1_INTEGER: case V_ASN1_ENUMERATED: { - // |i2c_ASN1_INTEGER| also handles ENUMERATED. + // `i2c_ASN1_INTEGER` also handles ENUMERATED. int ret = i2c_ASN1_INTEGER((ASN1_INTEGER *)*pval, cout ? &cout : nullptr); - // |i2c_ASN1_INTEGER| returns zero on error instead of -1. + // `i2c_ASN1_INTEGER` returns zero on error instead of -1. return ret <= 0 ? -1 : ret; } @@ -645,7 +645,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *out_omit, case V_ASN1_UTF8STRING: case V_ASN1_SEQUENCE: case V_ASN1_SET: - // This is not a valid |ASN1_ITEM| type, but it appears in |ASN1_TYPE|. + // This is not a valid `ASN1_ITEM` type, but it appears in `ASN1_TYPE`. case V_ASN1_OTHER: // All based on ASN1_STRING and handled the same strtmp = (ASN1_STRING *)*pval; diff --git a/third_party/boringssl/src/crypto/asn1/tasn_fre.cc b/third_party/boringssl/src/crypto/asn1/tasn_fre.cc index 7b5164bd..b6f5ead7 100644 --- a/third_party/boringssl/src/crypto/asn1/tasn_fre.cc +++ b/third_party/boringssl/src/crypto/asn1/tasn_fre.cc @@ -130,8 +130,8 @@ void bssl::ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) { } void bssl::ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { - // Historically, |it->funcs| for primitive types contained an - // |ASN1_PRIMITIVE_FUNCS| table of callbacks. + // Historically, `it->funcs` for primitive types contained an + // `ASN1_PRIMITIVE_FUNCS` table of callbacks. assert(it->funcs == nullptr); int utype = it->itype == ASN1_ITYPE_MSTRING ? -1 : it->utype; 
diff --git a/third_party/boringssl/src/crypto/asn1/tasn_new.cc b/third_party/boringssl/src/crypto/asn1/tasn_new.cc index f73484bb..d97afb82 100644 --- a/third_party/boringssl/src/crypto/asn1/tasn_new.cc +++ b/third_party/boringssl/src/crypto/asn1/tasn_new.cc @@ -216,8 +216,8 @@ static int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { return 0; } - // Historically, |it->funcs| for primitive types contained an - // |ASN1_PRIMITIVE_FUNCS| table of callbacks. + // Historically, `it->funcs` for primitive types contained an + // `ASN1_PRIMITIVE_FUNCS` table of callbacks. assert(it->funcs == nullptr); int utype; @@ -262,8 +262,8 @@ static int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { static void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) { int utype; - // Historically, |it->funcs| for primitive types contained an - // |ASN1_PRIMITIVE_FUNCS| table of callbacks. + // Historically, `it->funcs` for primitive types contained an + // `ASN1_PRIMITIVE_FUNCS` table of callbacks. assert(it == nullptr || it->funcs == nullptr); if (!it || (it->itype == ASN1_ITYPE_MSTRING)) { utype = -1; diff --git a/third_party/boringssl/src/crypto/asn1/tasn_typ.cc b/third_party/boringssl/src/crypto/asn1/tasn_typ.cc index 0c3f6e2f..4bf3670c 100644 --- a/third_party/boringssl/src/crypto/asn1/tasn_typ.cc +++ b/third_party/boringssl/src/crypto/asn1/tasn_typ.cc @@ -21,7 +21,7 @@ using namespace bssl; -// TODO(crbug.com/42290417): While we need |ASN1_ITEM|s, the exposed new, free, +// TODO(crbug.com/42290417): While we need `ASN1_ITEM`s, the exposed new, free, // i2d, and d2i functions should call the underlying implementations directly. #define IMPLEMENT_ASN1_STRING_FUNCTIONS(sname) \ diff --git a/third_party/boringssl/src/crypto/base64/base64.cc b/third_party/boringssl/src/crypto/base64/base64.cc index 4b202e17..77e8e95b 100644 --- a/third_party/boringssl/src/crypto/base64/base64.cc +++ b/third_party/boringssl/src/crypto/base64/base64.cc 
@@ -24,18 +24,18 @@ using namespace bssl; -// constant_time_lt_args_8 behaves like |constant_time_lt_8| but takes |uint8_t| +// constant_time_lt_args_8 behaves like `constant_time_lt_8` but takes `uint8_t` // arguments for a slightly simpler implementation. static uint8_t constant_time_lt_args_8(uint8_t a, uint8_t b) { crypto_word_t aw = a; crypto_word_t bw = b; - // |crypto_word_t| is larger than |uint8_t|, so |aw| and |bw| have the same - // MSB. |aw| < |bw| iff MSB(|aw| - |bw|) is 1. + // `crypto_word_t` is larger than `uint8_t`, so `aw` and `bw` have the same + // MSB. `aw` < `bw` iff MSB(`aw` - `bw`) is 1. return constant_time_msb_w(aw - bw); } -// constant_time_in_range_8 returns |CONSTTIME_TRUE_8| if |min| <= |a| <= |max| -// and |CONSTTIME_FALSE_8| otherwise. +// constant_time_in_range_8 returns `CONSTTIME_TRUE_8` if `min` <= `a` <= `max` +// and `CONSTTIME_FALSE_8` otherwise. static uint8_t constant_time_in_range_8(uint8_t a, uint8_t min, uint8_t max) { a -= min; return constant_time_lt_args_8(a, max - min + 1); @@ -242,7 +242,7 @@ static uint8_t base64_ascii_to_bin(uint8_t a) { } // base64_decode_quad decodes a single “quad” (i.e. four characters) of base64 -// data and writes up to three bytes to |out|. It sets |*out_num_bytes| to the +// data and writes up to three bytes to `out`. It sets `*out_num_bytes` to the // number of bytes written, which will be less than three if the quad ended // with padding. It returns one on success or zero on error. static int base64_decode_quad(uint8_t *out, size_t *out_num_bytes, diff --git a/third_party/boringssl/src/crypto/bcm_support.h b/third_party/boringssl/src/crypto/bcm_support.h index 20e6ceff..451e56a1 100644 --- a/third_party/boringssl/src/crypto/bcm_support.h +++ b/third_party/boringssl/src/crypto/bcm_support.h 
@@ -28,14 +28,10 @@ BSSL_NAMESPACE_BEGIN // from the operating system, if the operating system requires initialization. void CRYPTO_init_sysrand(); -// CRYPTO_sysrand fills |len| bytes at |buf| with entropy from the operating +// CRYPTO_sysrand fills `len` bytes at `buf` with entropy from the operating // system. void CRYPTO_sysrand(uint8_t *buf, size_t len); -// RAND_need_entropy is called whenever the BCM module has stopped because it -// has run out of entropy. -void RAND_need_entropy(size_t bytes_needed); - // crypto_get_fork_generation returns the fork generation number for the current // process, or zero if not supported on the platform. The fork generation number // is a non-zero, strictly-monotonic counter with the property that, if queried @@ -48,7 +44,7 @@ void RAND_need_entropy(size_t bytes_needed); // the save fork generation. Note this logic transparently handles platforms // which always return zero. // -// This is not reliably supported on all platforms which implement |fork|, so it +// This is not reliably supported on all platforms which implement `fork`, so it // should only be used as a hardening measure. OPENSSL_EXPORT uint64_t CRYPTO_get_fork_generation(); diff --git a/third_party/boringssl/src/crypto/bio/bio.cc b/third_party/boringssl/src/crypto/bio/bio.cc index 9250be0f..055b44fe 100644 --- a/third_party/boringssl/src/crypto/bio/bio.cc +++ b/third_party/boringssl/src/crypto/bio/bio.cc @@ -19,11 +19,13 @@ #include #include +#include #include #include #include #include +#include #include "../internal.h" #include "../mem_internal.h" @@ -80,11 +82,11 @@ int BIO_read(BIO *bio, void *buf, int len) { auto *impl = FromOpaque(bio); if (impl == nullptr || impl->method->bread == nullptr) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD); - return -2; + return -1; } if (!impl->init) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED); - return -2; + return -1; } if (len <= 0) { return 0; 
@@ -92,6 +94,9 @@ int BIO_read(BIO *bio, void *buf, int len) { int ret = impl->method->bread(impl, reinterpret_cast(buf), len); if (ret > 0) { impl->num_read += ret; + } else if (ret < 0) { + // In preparation for |BIO_read_ex|, canonicalize error returns to -1. + ret = -1; } return ret; } @@ -100,11 +105,11 @@ int BIO_gets(BIO *bio, char *buf, int len) { auto *impl = FromOpaque(bio); if (impl == nullptr || impl->method->bgets == nullptr) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD); - return -2; + return -1; } if (!impl->init) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED); - return -2; + return -1; } if (len <= 0) { return 0; 
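Review bot: The comment added in the `else if (ret < 0)` branch of BIO_read still names `BIO_read_ex` between pipes, while every other comment touched by this change moves to backticks; it should use backticks like its neighbours. Because the branch discards whatever negative code the method's `bread` returned, the comment could also state that the return value no longer distinguishes error kinds and that callers have to consult the retry flags and the error queue instead. BIO_read's body starts outside this hunk.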
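Review bot: BIO_gets now returns -1 for the unsupported-method and uninitialised cases, but no hunk touches the lines that call the method's `bgets`, so a negative value from the method presumably still reaches the caller unchanged, unlike BIO_read, which this commit canonicalizes. If the intent is a single error value across the read-side API, the same `else if (ret < 0) { ret = -1; }` belongs after the `bgets` call. That call sits between this hunk and the next one, so the point is inferred from the absence of a change rather than from visible code.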
@@ -116,35 +121,66 @@ int BIO_gets(BIO *bio, char *buf, int len) { return ret; } -int BIO_write(BIO *bio, const void *in, int inl) { +int BIO_write_ex(BIO *bio, const void *data, size_t len, size_t *out_written) { + if (out_written != nullptr) { + *out_written = 0; + } auto *impl = FromOpaque(bio); - if (impl == nullptr || impl->method->bwrite == nullptr) { + if (impl == nullptr || + (impl->method->bwrite == nullptr && impl->method->bwrite_ex == nullptr)) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD); - return -2; + return 0; } if (!impl->init) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNINITIALIZED); - return -2; - } - if (inl <= 0) { return 0; } - int ret = impl->method->bwrite(impl, reinterpret_cast(in), inl); - if (ret > 0) { - impl->num_write += ret; + // Matching OpenSSL, writing zero bytes should "successfully" write no bytes. + if (len == 0) { + return 1; } - return ret; + // Support `BIO_METHOD`s using either the old or new API. + size_t written; + if (impl->method->bwrite_ex != nullptr) { + if (!impl->method->bwrite_ex(bio, static_cast(data), len, + &written)) { + return 0; + } + } else { + int ret = + impl->method->bwrite(impl, static_cast(data), + static_cast(std::min(len, size_t{INT_MAX}))); + if (ret <= 0) { + return 0; + } + written = static_cast(ret); + } + impl->num_write += written; + if (out_written != nullptr) { + *out_written = written; + } + return 1; +} + +int BIO_write(BIO *bio, const void *in, int inl) { + // Matching OpenSSL, `inl <= 0` returns zero, i.e. a "successful" write of + // zero bytes. + inl = std::max(inl, 0); + size_t written; + if (!BIO_write_ex(bio, in, static_cast(inl), &written)) { + return -1; + } + return static_cast(written); } int BIO_write_all(BIO *bio, const void *data, size_t len) { - const uint8_t *data_u8 = reinterpret_cast(data); - while (len > 0) { - int ret = BIO_write(bio, data_u8, len > INT_MAX ? 
INT_MAX : (int)len); - if (ret <= 0) { + auto span = Span(reinterpret_cast(data), len); + while (!span.empty()) { + size_t written; + if (!BIO_write_ex(bio, span.data(), span.size(), &written)) { return 0; } - data_u8 += ret; - len -= ret; + span = span.subspan(written); } return 1; } @@ -152,7 +188,7 @@ int BIO_write_all(BIO *bio, const void *data, size_t len) { int BIO_puts(BIO *bio, const char *in) { size_t len = strlen(in); if (len > INT_MAX) { - // |BIO_write| and the return value both assume the string fits in |int|. + // `BIO_write` and the return value both assume the string fits in `int`. OPENSSL_PUT_ERROR(BIO, ERR_R_OVERFLOW); return -1; } @@ -171,7 +207,7 @@ long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg) { if (impl->method->ctrl == nullptr) { OPENSSL_PUT_ERROR(BIO, BIO_R_UNSUPPORTED_METHOD); - return -2; + return -1; } return impl->method->ctrl(impl, cmd, larg, parg); @@ -381,14 +417,14 @@ static int print_bio(const char *str, size_t len, void *bio) { void ERR_print_errors(BIO *bio) { ERR_print_errors_cb(print_bio, bio); } -// bio_read_all reads everything from |bio| and prepends |prefix| to it. On -// success, |*out| is set to an allocated buffer (which should be freed with -// |OPENSSL_free|), |*out_len| is set to its length and one is returned. The -// buffer will contain |prefix| followed by the contents of |bio|. On failure, +// bio_read_all reads everything from `bio` and prepends `prefix` to it. On +// success, `*out` is set to an allocated buffer (which should be freed with +// `OPENSSL_free`), `*out_len` is set to its length and one is returned. The +// buffer will contain `prefix` followed by the contents of `bio`. On failure, // zero is returned. // // The function will fail if the size of the output would equal or exceed -// |max_len|. +// `max_len`. static int bio_read_all(Bio *bio, uint8_t **out, size_t *out_len, const uint8_t *prefix, size_t prefix_len, size_t max_len) { 
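Review bot: BIO_write_ex trusts the byte count reported by the method: `written` is declared without an initializer, and neither the `bwrite_ex` path nor the legacy `bwrite` path compares it with `len` before `impl->num_write += written` and `*out_written = written`. A BIO_METHOD that reports success without storing a count, or reports more than it was given, then hands an out-of-range length to BIO_write's cast back to `int` and to `span.subspan(written)` in BIO_write_all. Declaring `size_t written = 0;` and adding `if (written > len) { OPENSSL_PUT_ERROR(BIO, ERR_R_INTERNAL_ERROR); return 0; }` before the accounting would stop a faulty method from propagating a bad length. Methods can be installed by callers through `BIO_meth_set_write_ex`, so this count is not under the library's control.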
@@ -443,11 +479,11 @@ static int bio_read_all(Bio *bio, uint8_t **out, size_t *out_len, } } -// bio_read_full reads |len| bytes |bio| and writes them into |out|. It -// tolerates partial reads from |bio| and returns one on success or zero if a -// read fails before |len| bytes are read. On failure, it additionally sets -// |*out_eof_on_first_read| to whether the error was due to |bio| returning zero -// on the first read. |out_eof_on_first_read| may be NULL to discard the value. +// bio_read_full reads `len` bytes `bio` and writes them into `out`. It +// tolerates partial reads from `bio` and returns one on success or zero if a +// read fails before `len` bytes are read. On failure, it additionally sets +// `*out_eof_on_first_read` to whether the error was due to `bio` returning zero +// on the first read. `out_eof_on_first_read` may be NULL to discard the value. static int bio_read_full(Bio *bio, uint8_t *out, int *out_eof_on_first_read, size_t len) { int first_read = 1; @@ -468,8 +504,8 @@ static int bio_read_full(Bio *bio, uint8_t *out, int *out_eof_on_first_read, return 1; } -// For compatibility with existing |d2i_*_bio| callers, |BIO_read_asn1| uses -// |ERR_LIB_ASN1| errors. +// For compatibility with existing `d2i_*_bio` callers, `BIO_read_asn1` uses +// `ERR_LIB_ASN1` errors. OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_DECODE_ERROR) OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_HEADER_TOO_LONG) OPENSSL_DECLARE_ERROR_REASON(ASN1, ASN1_R_NOT_ENOUGH_DATA) 
@@ -483,9 +519,9 @@ int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len) { auto *impl = FromOpaque(bio); if (!bio_read_full(impl, header, &eof_on_first_read, kInitialHeaderLen)) { if (eof_on_first_read) { - // Historically, OpenSSL returned |ASN1_R_HEADER_TOO_LONG| when - // |d2i_*_bio| could not read anything. CPython conditions on this to - // determine if |bio| was empty. + // Historically, OpenSSL returned `ASN1_R_HEADER_TOO_LONG` when + // `d2i_*_bio` could not read anything. CPython conditions on this to + // determine if `bio` was empty. OPENSSL_PUT_ERROR(ASN1, ASN1_R_HEADER_TOO_LONG); } else { OPENSSL_PUT_ERROR(ASN1, ASN1_R_NOT_ENOUGH_DATA); @@ -580,7 +616,7 @@ static int g_index = BIO_TYPE_START; int BIO_get_new_index() { MutexWriteLock lock(&g_index_lock); - // If |g_index| exceeds 255, it will collide with the flags bits. + // If `g_index` exceeds 255, it will collide with the flags bits. int ret = g_index > 255 ? -1 : g_index++; return ret; } @@ -607,6 +643,13 @@ int BIO_meth_set_destroy(BIO_METHOD *method, int (*destroy_func)(BIO *)) { return 1; } +int BIO_meth_set_write_ex(BIO_METHOD *method, + int (*write_ex_func)(BIO *, const char *, size_t, + size_t *)) { + method->bwrite_ex = write_ex_func; + return 1; +} + int BIO_meth_set_write(BIO_METHOD *method, int (*write_func)(BIO *, const char *, int)) { method->bwrite = write_func; @@ -653,7 +696,7 @@ void BIO_set_shutdown(BIO *bio, int shutdown) { int BIO_get_shutdown(BIO *bio) { return FromOpaque(bio)->shutdown; } int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)) { - // Ignore the parameter. We implement |BIO_puts| using |BIO_write|. + // Ignore the parameter. We implement `BIO_puts` using `BIO_write`. return 1; } diff --git a/third_party/boringssl/src/crypto/bio/bio_mem.cc b/third_party/boringssl/src/crypto/bio/bio_mem.cc index 479b9ce2..6ffc57c2 100644 --- a/third_party/boringssl/src/crypto/bio/bio_mem.cc 
+++ b/third_party/boringssl/src/crypto/bio/bio_mem.cc @@ -43,14 +43,14 @@ BIO *BIO_new_mem_buf(const void *buf, ossl_ssize_t len) { } b = (BUF_MEM *)BIO_get_data(ret); - // BIO_FLAGS_MEM_RDONLY ensures |b->data| is not written to. + // BIO_FLAGS_MEM_RDONLY ensures `b->data` is not written to. b->data = reinterpret_cast(const_cast(buf)); b->length = size; b->max = size; BIO_set_flags(ret, BIO_FLAGS_MEM_RDONLY); - // |num| is used to store the value that this BIO will return when it runs + // `num` is used to store the value that this BIO will return when it runs // out of data. If it's negative then the retry flags will also be set. Since // this is static data, retrying won't help FromOpaque(ret)->num = 0; @@ -66,7 +66,7 @@ static int mem_new(BIO *bio) { return 0; } - // |shutdown| is used to store the close flag: whether the BIO has ownership + // `shutdown` is used to store the close flag: whether the BIO has ownership // of the BUF_MEM. BIO_set_shutdown(bio, 1); BIO_set_init(bio, 1); @@ -93,10 +93,6 @@ static int mem_free(BIO *bio) { static int mem_read(BIO *bio, char *out, int outl) { BIO_clear_retry_flags(bio); - if (outl <= 0) { - return 0; - } - BUF_MEM *b = reinterpret_cast(BIO_get_data(bio)); int ret = outl; if ((size_t)ret > b->length) { @@ -120,23 +116,20 @@ static int mem_read(BIO *bio, char *out, int outl) { return ret; } -static int mem_write(BIO *bio, const char *in, int inl) { +static int mem_write_ex(BIO *bio, const char *in, size_t inl, + size_t *out_written) { BIO_clear_retry_flags(bio); - if (inl <= 0) { - return 0; // Successfully write zero bytes. - } - if (BIO_test_flags(bio, BIO_FLAGS_MEM_RDONLY)) { OPENSSL_PUT_ERROR(BIO, BIO_R_WRITE_TO_READ_ONLY_BIO); - return -1; + return 0; } BUF_MEM *b = reinterpret_cast(BIO_get_data(bio)); if (!BUF_MEM_append(b, in, inl)) { - return -1; + return 0; } - - return inl; + *out_written = inl; + return 1; } static int mem_gets(BIO *bio, char *buf, int size) { 
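Review bot: With the `if (outl <= 0)` guard removed, mem_read depends entirely on BIO_read rejecting non-positive lengths before the method is called. A negative `outl` would become a very large value in `(size_t)ret > b->length`, and the length would then presumably be clamped to the buffer size rather than to anything the caller supplied. Nothing in mem_read states that precondition, so an `assert(outl > 0);` after `BIO_clear_retry_flags(bio);`, or a one-line comment naming BIO_read as the place that enforces it, would keep the invariant visible if the method is ever reached another way. The rest of mem_read lies outside this hunk, so the handling after the comparison is inferred.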
@@ -192,8 +185,8 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) { char **out = reinterpret_cast(ptr); *out = b->data; } - // This API can overflow on 64-bit Windows, where |long| is smaller than - // |ptrdiff_t|. |BIO_mem_contents| is the overflow-safe API. + // This API can overflow on 64-bit Windows, where `long` is smaller than + // `ptrdiff_t`. `BIO_mem_contents` is the overflow-safe API. return static_cast(b->length); case BIO_C_SET_BUF_MEM: mem_free(bio); @@ -224,9 +217,9 @@ static long mem_ctrl(BIO *bio, int cmd, long num, void *ptr) { } static const BIO_METHOD mem_method = { - BIO_TYPE_MEM, "memory buffer", mem_write, - mem_read, mem_gets, mem_ctrl, - mem_new, mem_free, /*callback_ctrl=*/nullptr, + BIO_TYPE_MEM, "memory buffer", + /*bwrite=*/nullptr, mem_write_ex, mem_read, mem_gets, + mem_ctrl, mem_new, mem_free, /*callback_ctrl=*/nullptr, }; const BIO_METHOD *BIO_s_mem() { return &mem_method; } diff --git a/third_party/boringssl/src/crypto/bio/connect.cc b/third_party/boringssl/src/crypto/bio/connect.cc index 7f4a17be..76dded0c 100644 --- a/third_party/boringssl/src/crypto/bio/connect.cc +++ b/third_party/boringssl/src/crypto/bio/connect.cc @@ -18,6 +18,7 @@ #include #include +#include #include #if !defined(OPENSSL_WINDOWS) @@ -30,6 +31,7 @@ #include #endif +#include #include #include 
@@ -74,9 +76,9 @@ struct BIO_CONNECT { static int closesocket(int sock) { return close(sock); } #endif -// split_host_and_port sets |*out_host| and |*out_port| to the host and port -// parsed from |name|. It returns one on success or zero on error. Even when -// successful, |*out_port| may be NULL on return if no port was specified. +// split_host_and_port sets `*out_host` and `*out_port` to the host and port +// parsed from `name`. It returns one on success or zero on error. Even when +// successful, `*out_port` may be NULL on return if no port was specified. static int split_host_and_port(UniquePtr *out_host, UniquePtr *out_port, const char *name) { const char *host, *port = nullptr; @@ -209,21 +211,19 @@ static int conn_state(BIO *bio, BIO_CONNECT *c) { break; case BIO_CONN_S_BLOCKED_CONNECT: - i = bio_sock_error(FromOpaque(bio)->num); - if (i) { - if (bio_socket_should_retry(ret)) { + if (!bio_socket_finish_connect(FromOpaque(bio)->num)) { + if (bio_socket_should_retry(-1)) { BIO_set_retry_special(bio); c->state = BIO_CONN_S_BLOCKED_CONNECT; BIO_set_retry_reason(bio, BIO_RR_CONNECT); - ret = -1; } else { BIO_clear_retry_flags(bio); OPENSSL_PUT_SYSTEM_ERROR(); OPENSSL_PUT_ERROR(BIO, BIO_R_NBIO_CONNECT_ERROR); ERR_add_error_data(4, "host=", c->param_hostname.get(), ":", c->param_port.get()); - ret = 0; } + ret = -1; goto exit_loop; } else { c->state = BIO_CONN_S_OK; 
@@ -311,28 +311,32 @@ static int conn_read(BIO *bio, char *out, int out_len) { return ret; } -static int conn_write(BIO *bio, const char *in, int in_len) { - int ret; - BIO_CONNECT *data; - - data = (BIO_CONNECT *)BIO_get_data(bio); +static int conn_write_ex(BIO *bio, const char *in, size_t in_len, + size_t *out_written) { + BIO_CONNECT *data = (BIO_CONNECT *)BIO_get_data(bio); if (data->state != BIO_CONN_S_OK) { - ret = conn_state(bio, data); - if (ret <= 0) { - return ret; + if (conn_state(bio, data) <= 0) { + return 0; } } bio_clear_socket_error(); - ret = (int)send(FromOpaque(bio)->num, in, in_len, 0); +#if defined(OPENSSL_WINDOWS) + in_len = std::min(in_len, size_t{INT_MAX}); + int ret = send(FromOpaque(bio)->num, in, static_cast(in_len), 0); +#else + ssize_t ret = send(FromOpaque(bio)->num, in, in_len, 0); +#endif BIO_clear_retry_flags(bio); if (ret <= 0) { if (bio_socket_should_retry(ret)) { BIO_set_retry_write(bio); } + return 0; } - return ret; + *out_written = ret; + return 1; } static long conn_ctrl(BIO *bio, int cmd, long num, void *ptr) { @@ -427,9 +431,9 @@ BIO *BIO_new_connect(const char *hostname) { } static const BIO_METHOD methods_connectp = { - BIO_TYPE_CONNECT, "socket connect", conn_write, - conn_read, /*gets=*/nullptr, conn_ctrl, - conn_new, conn_free, conn_callback_ctrl, + BIO_TYPE_CONNECT, "socket connect", /*bwrite=*/nullptr, conn_write_ex, + conn_read, /*gets=*/nullptr, conn_ctrl, conn_new, + conn_free, conn_callback_ctrl, }; const BIO_METHOD *BIO_s_connect() { return &methods_connectp; } diff --git a/third_party/boringssl/src/crypto/bio/fd.cc b/third_party/boringssl/src/crypto/bio/fd.cc index b49acb65..b8d38928 100644 --- a/third_party/boringssl/src/crypto/bio/fd.cc +++ b/third_party/boringssl/src/crypto/bio/fd.cc @@ -23,6 +23,8 @@ #include #else #include +#include +#include #endif #include 
@@ -36,12 +38,10 @@ #define BORINGSSL_CLOSE _close #define BORINGSSL_LSEEK _lseek #define BORINGSSL_READ _read - #define BORINGSSL_WRITE _write #else #define BORINGSSL_CLOSE close #define BORINGSSL_LSEEK lseek #define BORINGSSL_READ read - #define BORINGSSL_WRITE write #endif using namespace bssl; @@ -72,9 +72,7 @@ static int fd_free(BIO *bio) { } static int fd_read(BIO *b, char *out, int outl) { - int ret = 0; - - ret = (int)BORINGSSL_READ(FromOpaque(b)->num, out, outl); + int ret = (int)BORINGSSL_READ(FromOpaque(b)->num, out, outl); BIO_clear_retry_flags(b); if (ret <= 0) { if (bio_errno_should_retry(ret)) { @@ -85,16 +83,24 @@ static int fd_read(BIO *b, char *out, int outl) { return ret; } -static int fd_write(BIO *b, const char *in, int inl) { - int ret = (int)BORINGSSL_WRITE(FromOpaque(b)->num, in, inl); +static int fd_write_ex(BIO *b, const char *in, size_t inl, + size_t *out_written) { +#if defined(OPENSSL_WINDOWS) + inl = std::min(inl, size_t{UINT_MAX}); + int ret = _write(FromOpaque(b)->num, in, static_cast(inl)); +#else + ssize_t ret = write(FromOpaque(b)->num, in, inl); +#endif BIO_clear_retry_flags(b); if (ret <= 0) { if (bio_errno_should_retry(ret)) { BIO_set_retry_write(b); } + return 0; } - return ret; + *out_written = ret; + return 1; } static long fd_ctrl(BIO *b, int cmd, long num, void *ptr) { @@ -158,14 +164,21 @@ static int fd_gets(BIO *bp, char *buf, int size) { ptr[0] = '\0'; - // The output length is bounded by |size|. + // The output length is bounded by `size`. return (int)(ptr - buf); } static const BIO_METHOD methods_fdp = { - BIO_TYPE_FD, "file descriptor", fd_write, - fd_read, fd_gets, fd_ctrl, - fd_new, fd_free, /*callback_ctrl=*/nullptr, + BIO_TYPE_FD, + "file descriptor", + /*bwrite=*/nullptr, + fd_write_ex, + fd_read, + fd_gets, + fd_ctrl, + fd_new, + fd_free, + /*callback_ctrl=*/nullptr, }; const BIO_METHOD *BIO_s_fd() { return &methods_fdp; } 
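Review bot: In the Windows branch of `fd_write_ex`, the length is clamped to `UINT_MAX` but the result of `_write` is stored in an `int`, so a request above `INT_MAX` has no representable success value in `ret`. connect.cc and socket.cc in this same change clamp to `INT_MAX` before calling `send`; doing the same here, `inl = std::min(inl, size_t{INT_MAX});`, keeps `ret > 0` meaningful and `*out_written = ret` exact. How the CRT treats counts above `INT_MAX` is not visible in this hunk, so treat this as a defensive bound rather than a confirmed failure.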
diff --git a/third_party/boringssl/src/crypto/bio/file.cc b/third_party/boringssl/src/crypto/bio/file.cc index ca80b69a..e63965a8 100644 --- a/third_party/boringssl/src/crypto/bio/file.cc +++ b/third_party/boringssl/src/crypto/bio/file.cc @@ -111,10 +111,6 @@ static int file_free(BIO *bio) { } static int file_read(BIO *b, char *out, int outl) { - if (!BIO_get_init(b)) { - return 0; - } - size_t ret = fread(out, 1, outl, (FILE *)BIO_get_data(b)); if (ret == 0 && ferror((FILE *)BIO_get_data(b))) { OPENSSL_PUT_SYSTEM_ERROR(); @@ -122,20 +118,23 @@ static int file_read(BIO *b, char *out, int outl) { return -1; } - // fread reads at most |outl| bytes, so |ret| fits in an int. + // fread reads at most `outl` bytes, so `ret` fits in an int. return (int)ret; } -static int file_write(BIO *b, const char *in, int inl) { - if (!BIO_get_init(b)) { +static int file_write_ex(BIO *b, const char *in, size_t inl, + size_t *out_written) { + if (fwrite(in, inl, 1, (FILE *)BIO_get_data(b)) == 0) { return 0; } - - int ret = (int)fwrite(in, inl, 1, (FILE *)BIO_get_data(b)); - if (ret > 0) { - ret = inl; - } - return ret; + // We currently ask |fwrite| to write one "object" of size |inl|, rather than + // |inl| objects of size 1. |fwrite| will only succeed if it wrote the whole + // input. + // + // TODO(crbug.com/518854940): This also means we discard information about + // partial writes. + *out_written = inl; + return 1; } static long file_ctrl(BIO *b, int cmd, long num, void *ptr) { 
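Review bot: `file_write_ex` treats any zero return from `fwrite(in, inl, 1, ...)` as failure, but `fwrite` also returns zero when `inl` is zero, so an empty write would be reported as an error unless the generic write path filters zero-length requests before dispatching (not visible in this hunk). A guard such as `if (inl == 0) { *out_written = 0; return 1; }` ahead of the call would make the method self-contained. The failure path also queues no error, whereas `file_read` above calls `OPENSSL_PUT_SYSTEM_ERROR()` when `ferror` is set; the same call here would give callers something to diagnose. The new comment still writes `|fwrite|` and `|inl|` while the rest of the commit moves to backticks.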
@@ -157,10 +156,10 @@ static long file_ctrl(BIO *b, int cmd, long num, void *ptr) { static_assert((BIO_CLOSE & BIO_FP_TEXT) == 0, "BIO_CLOSE and BIO_FP_TEXT must not collide"); #if defined(OPENSSL_WINDOWS) - // If |BIO_FP_TEXT| is not set, OpenSSL will switch the file to binary + // If `BIO_FP_TEXT` is not set, OpenSSL will switch the file to binary // mode. BoringSSL intentionally diverges here because it means code - // tested under POSIX will inadvertently change the state of |FILE| - // objects when wrapping them in a |BIO|. + // tested under POSIX will inadvertently change the state of `FILE` + // objects when wrapping them in a `BIO`. if (num & BIO_FP_TEXT) { _setmode(_fileno(reinterpret_cast(ptr)), _O_TEXT); } @@ -226,7 +225,7 @@ static int file_gets(BIO *bp, char *buf, int size) { if (!fgets(buf, size, (FILE *)BIO_get_data(bp))) { buf[0] = 0; // TODO(davidben): This doesn't distinguish error and EOF. This should check - // |ferror| as in |file_read|. + // `ferror` as in `file_read`. return 0; } @@ -234,9 +233,16 @@ static int file_gets(BIO *bp, char *buf, int size) { } static const BIO_METHOD methods_filep = { - BIO_TYPE_FILE, "FILE pointer", file_write, - file_read, file_gets, file_ctrl, - /*create=*/nullptr, file_free, /*callback_ctrl=*/nullptr, + BIO_TYPE_FILE, + "FILE pointer", + /*bwrite=*/nullptr, + file_write_ex, + file_read, + file_gets, + file_ctrl, + /*create=*/nullptr, + file_free, + /*callback_ctrl=*/nullptr, }; const BIO_METHOD *BIO_s_file() { return &methods_filep; } diff --git a/third_party/boringssl/src/crypto/bio/hexdump.cc b/third_party/boringssl/src/crypto/bio/hexdump.cc index a3f611a3..244070c5 100644 --- a/third_party/boringssl/src/crypto/bio/hexdump.cc +++ b/third_party/boringssl/src/crypto/bio/hexdump.cc 
@@ -46,8 +46,8 @@ static char to_char(uint8_t b) { return b; } -// hexdump_write adds |len| bytes of |data| to the current hex dump described by -// |ctx|. +// hexdump_write adds `len` bytes of `data` to the current hex dump described by +// `ctx`. static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data, size_t len) { char buf[10]; @@ -106,9 +106,9 @@ static int hexdump_write(struct hexdump_ctx *ctx, const uint8_t *data, return 1; } -// finish flushes any buffered data in |ctx|. +// finish flushes any buffered data in `ctx`. static int finish(struct hexdump_ctx *ctx) { - // See the comments in |hexdump| for the details of this format. + // See the comments in `hexdump` for the details of this format. const unsigned n_bytes = ctx->used; unsigned l; char buf[5]; diff --git a/third_party/boringssl/src/crypto/bio/internal.h b/third_party/boringssl/src/crypto/bio/internal.h index 77cd8a88..18a13a3e 100644 --- a/third_party/boringssl/src/crypto/bio/internal.h +++ b/third_party/boringssl/src/crypto/bio/internal.h @@ -43,6 +43,7 @@ struct bio_method_st { int type; const char *name; int (*bwrite)(BIO *, const char *, int); + int (*bwrite_ex)(BIO *, const char *, size_t, size_t *); int (*bread)(BIO *, char *, int); int (*bgets)(BIO *, char *, int); long (*ctrl)(BIO *, int, long, void *); 
@@ -60,14 +61,14 @@ class Bio : public bio_st, public RefCounted { const BIO_METHOD *method; CRYPTO_EX_DATA ex_data; - // TODO(crbug.com/412269080): |init| and |shutdown| could be bitfields, or - // integrated into |flags|, to save memory. + // TODO(crbug.com/412269080): `init` and `shutdown` could be bitfields, or + // integrated into `flags`, to save memory. - // init is non-zero if this |BIO| has been initialised. + // init is non-zero if this `BIO` has been initialised. int init = 0; - // shutdown is often used by specific |BIO_METHOD|s to determine whether + // shutdown is often used by specific `BIO_METHOD`s to determine whether // they own some underlying resource. This flag can often be controlled by - // |BIO_set_close|. For example, whether an fd BIO closes the underlying fd + // `BIO_set_close`. For example, whether an fd BIO closes the underlying fd // when it, itself, is closed. int shutdown = 1; int flags = 0; @@ -76,8 +77,8 @@ class Bio : public bio_st, public RefCounted { // file descriptor. int num = 0; void *ptr = nullptr; - // next_bio points to the next |BIO| in a chain. This |BIO| owns a reference - // to |next_bio|. + // next_bio points to the next `BIO` in a chain. This `BIO` owns a reference + // to `next_bio`. Bio *next_bio = nullptr; // used by filter BIOs uint64_t num_read = 0, num_write = 0; 
@@ -88,16 +89,16 @@ class Bio : public bio_st, public RefCounted { #if !defined(OPENSSL_NO_SOCK) -// bio_ip_and_port_to_socket_and_addr creates a socket and fills in |*out_addr| -// and |*out_addr_length| with the correct values for connecting to |hostname| -// on |port_str|. It returns one on success or zero on error. +// bio_ip_and_port_to_socket_and_addr creates a socket and fills in `*out_addr` +// and `*out_addr_length` with the correct values for connecting to `hostname` +// on `port_str`. It returns one on success or zero on error. int bio_ip_and_port_to_socket_and_addr(int *out_sock, struct sockaddr_storage *out_addr, socklen_t *out_addr_length, const char *hostname, const char *port_str); -// bio_socket_nbio sets whether |sock| is non-blocking. It returns one on +// bio_socket_nbio sets whether `sock` is non-blocking. It returns one on // success and zero otherwise. int bio_socket_nbio(int sock, int on); 
@@ -106,17 +107,20 @@ int bio_socket_nbio(int sock, int on); // TODO(fork): remove all callers of this. void bio_clear_socket_error(); -// bio_sock_error returns the last socket error on |sock|. -int bio_sock_error(int sock); +// bio_socket_finish_connect attempts to complete an in-progress, non-blocking +// connect operation on `sock`. It returns one if the connect operation +// suceeded. Otherwise, it returns zero and sets the last socket error to the +// reason it failed. +int bio_socket_finish_connect(int sock); -// bio_socket_should_retry returns non-zero if |return_value| indicates an error +// bio_socket_should_retry returns non-zero if `return_value` indicates an error // and the last socket error indicates that it's non-fatal. int bio_socket_should_retry(int return_value); #endif // !OPENSSL_NO_SOCK -// bio_errno_should_retry returns non-zero if |return_value| indicates an error -// and |errno| indicates that it's non-fatal. +// bio_errno_should_retry returns non-zero if `return_value` indicates an error +// and `errno` indicates that it's non-fatal. int bio_errno_should_retry(int return_value); BSSL_NAMESPACE_END diff --git a/third_party/boringssl/src/crypto/bio/pair.cc b/third_party/boringssl/src/crypto/bio/pair.cc index 11b5c2ef..721c9f97 100644 --- a/third_party/boringssl/src/crypto/bio/pair.cc +++ b/third_party/boringssl/src/crypto/bio/pair.cc 
@@ -108,28 +108,18 @@ static int bio_free(BIO *bio) { static int bio_read(BIO *bio, char *buf, int size_) { size_t size = size_; - size_t rest; - struct bio_bio_st *b, *peer_b; BIO_clear_retry_flags(bio); - if (!BIO_get_init(bio)) { - return 0; - } - - b = reinterpret_cast(BIO_get_data(bio)); + bio_bio_st *b = reinterpret_cast(BIO_get_data(bio)); assert(b != nullptr); assert(b->peer != nullptr); - peer_b = reinterpret_cast(BIO_get_data(b->peer)); + bio_bio_st *peer_b = reinterpret_cast(BIO_get_data(b->peer)); assert(peer_b != nullptr); assert(peer_b->buf != nullptr); peer_b->request = 0; // will be set in "retry_read" situation - if (buf == nullptr || size == 0) { - return 0; - } - if (peer_b->len == 0) { if (peer_b->closed) { return 0; // writer has closed, and no data is left @@ -152,7 +142,7 @@ static int bio_read(BIO *bio, char *buf, int size_) { } // now read "size" bytes - rest = size; + size_t rest = size; assert(rest > 0); // one or two iterations @@ -186,22 +176,15 @@ static int bio_read(BIO *bio, char *buf, int size_) { rest -= chunk; } while (rest); - // |size| is bounded by the buffer size, which fits in |int|. + // `size` is bounded by the buffer size, which fits in `int`. return (int)size; } -static int bio_write(BIO *bio, const char *buf, int num_) { - size_t num = num_; - size_t rest; - struct bio_bio_st *b; - +static int bio_write_ex(BIO *bio, const char *buf, size_t num, + size_t *out_written) { BIO_clear_retry_flags(bio); - if (!BIO_get_init(bio) || buf == nullptr || num == 0) { - return 0; - } - - b = reinterpret_cast(BIO_get_data(bio)); + struct bio_bio_st *b = reinterpret_cast(BIO_get_data(bio)); assert(b != nullptr); assert(b->peer != nullptr); assert(b->buf != nullptr); 
@@ -210,14 +193,14 @@ static int bio_write(BIO *bio, const char *buf, int num_) { if (b->closed) { // we already closed OPENSSL_PUT_ERROR(BIO, BIO_R_BROKEN_PIPE); - return -1; + return 0; } assert(b->len <= b->size); if (b->len == b->size) { BIO_set_retry_write(bio); // buffer is full - return -1; + return 0; } // we can write @@ -226,7 +209,7 @@ static int bio_write(BIO *bio, const char *buf, int num_) { } // now write "num" bytes - rest = num; + size_t rest = num; assert(rest > 0); // one or two iterations @@ -259,8 +242,8 @@ static int bio_write(BIO *bio, const char *buf, int num_) { buf += chunk; } while (rest); - // |num| is bounded by the buffer size, which fits in |int|. - return (int)num; + *out_written = num; + return 1; } static int bio_make_pair(BIO *bio1, BIO *bio2, size_t writebuf1_len, @@ -322,7 +305,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) { // Specific control codes first: case BIO_C_GET_WRITE_BUF_SIZE: // TODO(crbug.com/412584975): This can overflow on 64-bit Windows. Do we - // need it? It implements |BIO_get_write_buf_size|, but we don't have the + // need it? It implements `BIO_get_write_buf_size`, but we don't have the // wrapper. return static_cast(b->size); @@ -401,7 +384,8 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr) { static const BIO_METHOD methods_biop = { BIO_TYPE_BIO, "BIO pair", - bio_write, + /*bwrite=*/nullptr, + bio_write_ex, bio_read, /*gets=*/nullptr, bio_ctrl, diff --git a/third_party/boringssl/src/crypto/bio/socket.cc b/third_party/boringssl/src/crypto/bio/socket.cc index c61daeca..29d164aa 100644 --- a/third_party/boringssl/src/crypto/bio/socket.cc +++ b/third_party/boringssl/src/crypto/bio/socket.cc @@ -18,6 +18,9 @@ #include #include +#include + +#include #if !defined(OPENSSL_WINDOWS) #include 
@@ -47,10 +50,6 @@ static int sock_free(BIO *bio) { } static int sock_read(BIO *b, char *out, int outl) { - if (out == nullptr) { - return 0; - } - bio_clear_socket_error(); #if defined(OPENSSL_WINDOWS) int ret = recv(FromOpaque(b)->num, out, outl, 0); @@ -66,20 +65,25 @@ static int sock_read(BIO *b, char *out, int outl) { return ret; } -static int sock_write(BIO *b, const char *in, int inl) { +static int sock_write_ex(BIO *b, const char *in, size_t inl, + size_t *out_written) { bio_clear_socket_error(); #if defined(OPENSSL_WINDOWS) - int ret = send(FromOpaque(b)->num, in, inl, 0); + inl = std::min(inl, size_t{INT_MAX}); + int ret = send(FromOpaque(b)->num, in, static_cast(inl), 0); #else - int ret = (int)write(FromOpaque(b)->num, in, inl); + ssize_t ret = write(FromOpaque(b)->num, in, inl); #endif BIO_clear_retry_flags(b); if (ret <= 0) { if (bio_socket_should_retry(ret)) { BIO_set_retry_write(b); } + return 0; } - return ret; + + *out_written = ret; + return 1; } static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) { @@ -112,15 +116,11 @@ static long sock_ctrl(BIO *b, int cmd, long num, void *ptr) { } static const BIO_METHOD methods_sockp = { - BIO_TYPE_SOCKET, - "socket", - sock_write, - sock_read, - nullptr /* gets, */, - sock_ctrl, - nullptr /* create */, - sock_free, - nullptr /* callback_ctrl */, + BIO_TYPE_SOCKET, "socket", + /*bwrite=*/nullptr, sock_write_ex, + sock_read, nullptr /* gets, */, + sock_ctrl, nullptr /* create */, + sock_free, nullptr /* callback_ctrl */, }; const BIO_METHOD *BIO_s_socket() { return &methods_sockp; } 
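Review bot: `methods_sockp` now leaves `bwrite` null and routes writes through `sock_write_ex`, which breaks an assumption the compatibility comment in the next hunk lists explicitly: that `BIO_s_socket` is implemented with the non-`size_t`-clean I/O functions. If the compatibility getters described there still return the table's own function pointers, software that copies `BIO_s_socket` would receive a null write callback; that code is outside the hunk, so this needs confirming. Either return a frozen `int`-based write wrapper from those getters, as the comment anticipates, or update the comment, including its "(Not yet implemented in BoringSSL.)" remark about `BIO_write_ex`, to say how the case is handled.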
@@ -137,28 +137,28 @@ BIO *BIO_new_socket(int fd, int close_flag) { } // These functions are provided solely for compatibility with software that -// tries to copy and then modify |BIO_s_socket|. See bio.h for details. -// PostgreSQL's use makes several fragile assumptions on |BIO_s_socket|: +// tries to copy and then modify `BIO_s_socket`. See bio.h for details. +// PostgreSQL's use makes several fragile assumptions on `BIO_s_socket`: // -// - We do not store anything in |BIO_set_data|. (Broken in upstream OpenSSL, +// - We do not store anything in `BIO_set_data`. (Broken in upstream OpenSSL, // which broke PostgreSQL.) -// - We do not store anything in |BIO_set_app_data|. -// - |BIO_s_socket| is implemented internally using the non-|size_t|-clean -// I/O functions rather than the |size_t|-clean ones. -// - |BIO_METHOD| never gains another function pointer that is used in concert +// - We do not store anything in `BIO_set_app_data`. +// - `BIO_s_socket` is implemented internally using the non-`size_t`-clean +// I/O functions rather than the `size_t`-clean ones. +// - `BIO_METHOD` never gains another function pointer that is used in concert // with any of the functions here. // -// Some other projects doing similar things use |BIO_meth_get_read| and -// |BIO_meth_get_write| and in turn assume that |BIO_s_socket| has not been -// ported to the |size_t|-clean |BIO_read_ex| and |BIO_write_ex|. (Not yet +// Some other projects doing similar things use `BIO_meth_get_read` and +// `BIO_meth_get_write` and in turn assume that `BIO_s_socket` has not been +// ported to the `size_t`-clean `BIO_read_ex` and `BIO_write_ex`. (Not yet // implemented in BoringSSL.) // // This is hopelessly fragile. PostgreSQL 18 will include a fix to stop using // these APIs, but older versions and other software remain impacted, so we -// implement these functions, but only support |BIO_s_socket|. For now they just +// implement these functions, but only support `BIO_s_socket`. 
For now they just // return the underlying functions, but if we ever need to break the above -// assumptions, we can return an older, frozen version of |BIO_s_socket|. -// Limiting to exactly one allowed |BIO_METHOD| lets us do this. +// assumptions, we can return an older, frozen version of `BIO_s_socket`. +// Limiting to exactly one allowed `BIO_METHOD` lets us do this. // // These functions are also deprecated in upstream OpenSSL. See // https://github.com/openssl/openssl/issues/26047 diff --git a/third_party/boringssl/src/crypto/bio/socket_helper.cc b/third_party/boringssl/src/crypto/bio/socket_helper.cc index e251b341..6c975b38 100644 --- a/third_party/boringssl/src/crypto/bio/socket_helper.cc +++ b/third_party/boringssl/src/crypto/bio/socket_helper.cc @@ -27,7 +27,9 @@ #include #if !defined(OPENSSL_WINDOWS) +#include #include +#include #include #else #include @@ -38,13 +40,13 @@ #include "../internal.h" -using namespace bssl; +BSSL_NAMESPACE_BEGIN -int bssl::bio_ip_and_port_to_socket_and_addr(int *out_sock, - struct sockaddr_storage *out_addr, - socklen_t *out_addr_length, - const char *hostname, - const char *port_str) { +int bio_ip_and_port_to_socket_and_addr(int *out_sock, + struct sockaddr_storage *out_addr, + socklen_t *out_addr_length, + const char *hostname, + const char *port_str) { struct addrinfo hint, *result, *cur; int ret; @@ -90,7 +92,7 @@ int bssl::bio_ip_and_port_to_socket_and_addr(int *out_sock, return ret; } -int bssl::bio_socket_nbio(int sock, int on) { +int bio_socket_nbio(int sock, int on) { #if defined(OPENSSL_WINDOWS) u_long arg = on; 
@@ -109,19 +111,61 @@ int bssl::bio_socket_nbio(int sock, int on) { #endif } -void bssl::bio_clear_socket_error() {} +void bio_clear_socket_error() {} -int bssl::bio_sock_error(int sock) { +int bio_socket_finish_connect(int sock) { + // A blocked connect signals whether it is ready based on whether it is + // writable. (SO_ERROR is not filled in before it is writable.) +#if defined(OPENSSL_WINDOWS) + fd_set write_set, except_set; + FD_ZERO(&write_set); + FD_SET(static_cast(sock), &write_set); + FD_ZERO(&except_set); + FD_SET(static_cast(sock), &except_set); + timeval timeout = {0, 0}; + if (select(0 /* unused on Windows */, /*readfds=*/nullptr, &write_set, + &except_set, &timeout) == SOCKET_ERROR) { + return 0; + } + if (!FD_ISSET(sock, &write_set) && !FD_ISSET(sock, &except_set)) { + // The connect has not completed. Set the error that |connect| would return. + WSASetLastError(WSAEWOULDBLOCK); + return 0; + } +#else + pollfd pfd; + pfd.fd = sock; + // poll implicitly listens for POLLERR and POLLHUP. + pfd.events = POLLOUT; + pfd.revents = 0; + if (poll(&pfd, 1, /*timeout=*/0) < 0) { + return 0; + } + if (pfd.revents == 0) { + // The connect has not completed. Set the error that |connect| would return. + errno = EINPROGRESS; + return 0; + } +#endif + + // Check if the connection succeeded. int error; socklen_t error_size = sizeof(error); - if (getsockopt(sock, SOL_SOCKET, SO_ERROR, (char *)&error, &error_size) < 0) { - return 1; + return 0; + } + if (error != 0) { +#if defined(OPENSSL_WINDOWS) + WSASetLastError(error); +#else + errno = error; +#endif + return 0; } - return error; + return 1; } -int bssl::bio_socket_should_retry(int return_value) { +int bio_socket_should_retry(int return_value) { #if defined(OPENSSL_WINDOWS) return return_value == -1 && WSAGetLastError() == WSAEWOULDBLOCK; #else @@ -130,4 +174,6 @@ int bssl::bio_socket_should_retry(int return_value) { #endif } +BSSL_NAMESPACE_END + #endif // OPENSSL_NO_SOCK 
diff --git a/third_party/boringssl/src/crypto/blake2/blake2.cc b/third_party/boringssl/src/crypto/blake2/blake2.cc index e149164d..a14cb8ee 100644 --- a/third_party/boringssl/src/crypto/blake2/blake2.cc +++ b/third_party/boringssl/src/crypto/blake2/blake2.cc @@ -139,7 +139,7 @@ void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *in_data, size_t len) { return; } - // More input remains therefore we must have filled |b2b->block|. + // More input remains therefore we must have filled `b2b->block`. assert(b2b->block_used == BLAKE2B_CBLOCK); blake2b_transform(b2b, b2b->block, BLAKE2B_CBLOCK, /*is_final_block=*/0); diff --git a/third_party/boringssl/src/crypto/bn/bn_asn1.cc b/third_party/boringssl/src/crypto/bn/bn_asn1.cc index 71b7ae1b..80f5b6ac 100644 --- a/third_party/boringssl/src/crypto/bn/bn_asn1.cc +++ b/third_party/boringssl/src/crypto/bn/bn_asn1.cc @@ -45,7 +45,7 @@ int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn) { CBB child; if (!CBB_add_asn1(cbb, &child, CBS_ASN1_INTEGER) || // The number must be padded with a leading zero if the high bit would - // otherwise be set or if |bn| is zero. + // otherwise be set or if `bn` is zero. (BN_num_bits(bn) % 8 == 0 && !CBB_add_u8(&child, 0x00)) || !BN_bn2cbb_padded(&child, BN_num_bytes(bn), bn) || !CBB_flush(cbb)) { diff --git a/third_party/boringssl/src/crypto/bn/convert.cc b/third_party/boringssl/src/crypto/bn/convert.cc index d41453ad..a31e97fb 100644 --- a/third_party/boringssl/src/crypto/bn/convert.cc +++ b/third_party/boringssl/src/crypto/bn/convert.cc 
@@ -73,20 +73,20 @@ char *BN_bn2hex(const BIGNUM *bn) { return buf; } -// decode_hex decodes |in_len| bytes of hex data from |in| and updates |bn|. +// decode_hex decodes `in_len` bytes of hex data from `in` and updates `bn`. static int decode_hex(BIGNUM *bn, const char *in, int in_len) { if (in_len > INT_MAX / 4) { OPENSSL_PUT_ERROR(BN, BN_R_BIGNUM_TOO_LONG); return 0; } - // |in_len| is the number of hex digits. + // `in_len` is the number of hex digits. if (!bn_expand(bn, in_len * 4)) { return 0; } int i = 0; while (in_len > 0) { - // Decode one |BN_ULONG| at a time. + // Decode one `BN_ULONG` at a time. int todo = BN_BYTES * 2; if (todo > in_len) { todo = in_len; @@ -97,7 +97,7 @@ static int decode_hex(BIGNUM *bn, const char *in, int in_len) { for (j = todo; j > 0; j--) { uint8_t hex = 0; if (!OPENSSL_fromxdigit(&hex, in[in_len - j])) { - // This shouldn't happen. The caller checks |OPENSSL_isxdigit|. + // This shouldn't happen. The caller checks `OPENSSL_isxdigit`. assert(0); } word = (word << 4) | hex; @@ -111,12 +111,12 @@ static int decode_hex(BIGNUM *bn, const char *in, int in_len) { return 1; } -// decode_dec decodes |in_len| bytes of decimal data from |in| and updates |bn|. +// decode_dec decodes `in_len` bytes of decimal data from `in` and updates `bn`. static int decode_dec(BIGNUM *bn, const char *in, int in_len) { int i, j; BN_ULONG l = 0; - // Decode |BN_DEC_NUM| digits at a time. + // Decode `BN_DEC_NUM` digits at a time. j = BN_DEC_NUM - (in_len % BN_DEC_NUM); if (j == BN_DEC_NUM) { j = 0; diff --git a/third_party/boringssl/src/crypto/bn/div.cc b/third_party/boringssl/src/crypto/bn/div.cc index 824ab75d..fae57b82 100644 --- a/third_party/boringssl/src/crypto/bn/div.cc +++ b/third_party/boringssl/src/crypto/bn/div.cc 
@@ -30,27 +30,27 @@ int BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { size_t num_words = 1 + ((e - 1) / BN_BITS2); - // If |a| definitely has less than |e| bits, just BN_copy. + // If `a` definitely has less than `e` bits, just BN_copy. if ((size_t)a->width < num_words) { return BN_copy(r, a) != nullptr; } - // Otherwise, first make sure we have enough space in |r|. + // Otherwise, first make sure we have enough space in `r`. // Note that this will fail if num_words > INT_MAX. if (!bn_wexpand(r, num_words)) { return 0; } - // Copy the content of |a| into |r|. + // Copy the content of `a` into `r`. OPENSSL_memcpy(r->d, a->d, num_words * sizeof(BN_ULONG)); - // If |e| isn't word-aligned, we have to mask off some of our bits. + // If `e` isn't word-aligned, we have to mask off some of our bits. size_t top_word_exponent = e % (sizeof(BN_ULONG) * 8); if (top_word_exponent != 0) { r->d[num_words - 1] &= (((BN_ULONG)1) << top_word_exponent) - 1; } - // Fill in the remaining fields of |r|. + // Fill in the remaining fields of `r`. r->neg = a->neg; r->width = (int)num_words; bn_set_minimal_width(r); 
@@ -69,21 +69,21 @@ int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { size_t num_words = 1 + (e - 1) / BN_BITS2; - // Expand |r| to the size of our modulus. + // Expand `r` to the size of our modulus. if (!bn_wexpand(r, num_words)) { return 0; } - // Clear the upper words of |r|. + // Clear the upper words of `r`. OPENSSL_memset(&r->d[r->width], 0, (num_words - r->width) * BN_BYTES); - // Set parameters of |r|. + // Set parameters of `r`. r->neg = 0; r->width = (int)num_words; - // Now, invert every word. The idea here is that we want to compute 2^e-|x|, - // which is actually equivalent to the twos-complement representation of |x| - // in |e| bits, which is -x = ~x + 1. + // Now, invert every word. The idea here is that we want to compute 2^e-`x`, + // which is actually equivalent to the twos-complement representation of `x` + // in `e` bits, which is -x = ~x + 1. for (int i = 0; i < r->width; i++) { r->d[i] = ~r->d[i]; } @@ -94,7 +94,7 @@ int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e) { r->d[r->width - 1] &= (((BN_ULONG)1) << top_word_exponent) - 1; } - // Keep the minimal-width invariant for |BIGNUM|. + // Keep the minimal-width invariant for `BIGNUM`. bn_set_minimal_width(r); // Finally, add one, for the reason described above. diff --git a/third_party/boringssl/src/crypto/bn/exponentiation.cc b/third_party/boringssl/src/crypto/bn/exponentiation.cc index f4a4b406..e0981ac0 100644 --- a/third_party/boringssl/src/crypto/bn/exponentiation.cc +++ b/third_party/boringssl/src/crypto/bn/exponentiation.cc @@ -80,7 +80,7 @@ static int mod_exp_even(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, return BN_one(r); } - // Make a copy of |a|, in case it aliases |r|. + // Make a copy of `a`, in case it aliases `r`. BN_CTXScope scope(ctx); BIGNUM *tmp = BN_CTX_get(ctx); if (tmp == nullptr || !BN_copy(tmp, a)) { diff --git a/third_party/boringssl/src/crypto/bn/sqrt.cc b/third_party/boringssl/src/crypto/bn/sqrt.cc index 56a0f003..c5e4d052 100644 
--- a/third_party/boringssl/src/crypto/bn/sqrt.cc +++ b/third_party/boringssl/src/crypto/bn/sqrt.cc @@ -49,22 +49,22 @@ int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx) { goto err; } - // This is Newton's method for finding a root of the equation |estimate|^2 - - // |in| = 0. + // This is Newton's method for finding a root of the equation `estimate`^2 - + // `in` = 0. for (;;) { - // |estimate| = 1/2 * (|estimate| + |in|/|estimate|) + // `estimate` = 1/2 * (`estimate` + `in`/`estimate`) if (!BN_div(tmp, nullptr, in, estimate, ctx) || !BN_add(tmp, tmp, estimate) || !BN_rshift1(estimate, tmp) || - // |tmp| = |estimate|^2 + // `tmp` = `estimate`^2 !BN_sqr(tmp, estimate, ctx) || - // |delta| = |in| - |tmp| + // `delta` = `in` - `tmp` !BN_sub(delta, in, tmp)) { OPENSSL_PUT_ERROR(BN, ERR_R_BN_LIB); goto err; } delta->neg = 0; - // The difference between |in| and |estimate| squared is required to always + // The difference between `in` and `estimate` squared is required to always // decrease. This ensures that the loop always terminates, but I don't have // a proof that it always finds the square root for a given square. if (last_delta_valid && BN_cmp(delta, last_delta) >= 0) { diff --git a/third_party/boringssl/src/crypto/bytestring/asn1_compat.cc b/third_party/boringssl/src/crypto/bytestring/asn1_compat.cc index 0ce6055d..21ebde9e 100644 --- a/third_party/boringssl/src/crypto/bytestring/asn1_compat.cc +++ b/third_party/boringssl/src/crypto/bytestring/asn1_compat.cc @@ -34,7 +34,6 @@ int bssl::CBB_finish_i2d(CBB *cbb, uint8_t **outp) { uint8_t *der; size_t der_len; if (!CBB_finish(cbb, &der, &der_len)) { - CBB_cleanup(cbb); return -1; } if (der_len > INT_MAX) { diff --git a/third_party/boringssl/src/crypto/bytestring/ber.cc b/third_party/boringssl/src/crypto/bytestring/ber.cc index f7ec5d71..ac8148b8 100644 --- a/third_party/boringssl/src/crypto/bytestring/ber.cc +++ b/third_party/boringssl/src/crypto/bytestring/ber.cc 
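Review bot: The failure branch of `CBB_finish_i2d` no longer calls `CBB_cleanup(cbb)` when `CBB_finish` returns zero, so the buffer is released only if `CBB_finish` itself cleans up on failure, which this hunk does not show. If that contract changed elsewhere in the update, a short comment at the early return, e.g. `// CBB_finish releases cbb on failure.`, would keep the next reader from flagging a leak; if it did not, the call should stay. The function body continues outside the hunk.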
@@ -25,7 +25,7 @@ using namespace bssl; // kMaxDepth limits the recursion depth to avoid overflowing the stack. static const uint32_t kMaxDepth = 128; -// is_string_type returns one if |tag| is a string type and zero otherwise. It +// is_string_type returns one if `tag` is a string type and zero otherwise. It // ignores the constructed bit. static int is_string_type(CBS_ASN1_TAG tag) { // While BER supports constructed BIT STRINGS, OpenSSL misparses them. To @@ -50,10 +50,10 @@ static int is_string_type(CBS_ASN1_TAG tag) { } } -// cbs_find_ber walks an ASN.1 structure in |orig_in| and sets |*ber_found| +// cbs_find_ber walks an ASN.1 structure in `orig_in` and sets `*ber_found` // depending on whether an indefinite length element or constructed string was -// found. The value of |orig_in| is not changed. It returns one on success (i.e. -// |*ber_found| was set) and zero on error. +// found. The value of `orig_in` is not changed. It returns one on success (i.e. +// `*ber_found` was set) and zero on error. static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) { if (depth > kMaxDepth) { return 0; @@ -94,8 +94,8 @@ static int cbs_find_ber(const CBS *orig_in, int *ber_found, uint32_t depth) { return 1; } -// cbs_get_eoc returns one if |cbs| begins with an "end of contents" (EOC) value -// and zero otherwise. If an EOC was found, it advances |cbs| past it. +// cbs_get_eoc returns one if `cbs` begins with an "end of contents" (EOC) value +// and zero otherwise. If an EOC was found, it advances `cbs` past it. static int cbs_get_eoc(CBS *cbs) { if (CBS_len(cbs) >= 2 && CBS_data(cbs)[0] == 0 && CBS_data(cbs)[1] == 0) { 
@@ -104,11 +104,11 @@ static int cbs_get_eoc(CBS *cbs) { return 0; } -// cbs_convert_ber reads BER data from |in| and writes DER data to |out|. If -// |string_tag| is non-zero, then all elements must match |string_tag| up to the -// constructed bit and primitive element bodies are written to |out| without +// cbs_convert_ber reads BER data from `in` and writes DER data to `out`. If +// `string_tag` is non-zero, then all elements must match `string_tag` up to the +// constructed bit and primitive element bodies are written to `out` without // element headers. This is used when concatenating the fragments of a -// constructed string. If |looking_for_eoc| is set then any EOC elements found +// constructed string. If `looking_for_eoc` is set then any EOC elements found // will cause the function to return after consuming it. It returns one on // success and zero on error. static int cbs_convert_ber(CBS *in, CBB *out, CBS_ASN1_TAG string_tag, @@ -136,7 +136,7 @@ static int cbs_convert_ber(CBS *in, CBB *out, CBS_ASN1_TAG string_tag, if (string_tag != 0) { // This is part of a constructed string. All elements must match - // |string_tag| up to the constructed bit and get appended to |out| + // `string_tag` up to the constructed bit and get appended to `out` // without a child element. if ((tag & ~CBS_ASN1_CONSTRUCTED) != string_tag) { return 0; @@ -235,7 +235,7 @@ int bssl::CBS_get_asn1_implicit_string(CBS *in, CBS *out, uint8_t **out_storage, } // Otherwise, try to parse an implicitly-tagged constructed string. - // |CBS_asn1_ber_to_der| is assumed to have run, so only allow one level deep + // `CBS_asn1_ber_to_der` is assumed to have run, so only allow one level deep // of nesting. CBB result; CBS child; diff --git a/third_party/boringssl/src/crypto/bytestring/cbb.cc b/third_party/boringssl/src/crypto/bytestring/cbb.cc index bbe59fa8..1809e655 100644 --- a/third_party/boringssl/src/crypto/bytestring/cbb.cc +++ b/third_party/boringssl/src/crypto/bytestring/cbb.cc 
@@ -58,8 +58,8 @@ int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len) { } void CBB_cleanup(CBB *cbb) { - // Child |CBB|s are non-owning. They are implicitly discarded and should not - // be used with |CBB_cleanup| or |ScopedCBB|. + // Child `CBB`s are non-owning. They are implicitly discarded and should not + // be used with `CBB_cleanup` or `ScopedCBB`. assert(!cbb->is_child); if (cbb->is_child) { return; @@ -67,6 +67,7 @@ void CBB_cleanup(CBB *cbb) { if (cbb->u.base.can_resize) { OPENSSL_free(cbb->u.base.buf); + cbb->u.base.buf = nullptr; } } @@ -119,7 +120,7 @@ static int cbb_buffer_add(struct cbb_buffer_st *base, uint8_t **out, if (!cbb_buffer_reserve(base, out, len)) { return 0; } - // This will not overflow or |cbb_buffer_reserve| would have failed. + // This will not overflow or `cbb_buffer_reserve` would have failed. base->len += len; return 1; } @@ -135,7 +136,7 @@ int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) { } if (cbb->u.base.can_resize && (out_data == nullptr || out_len == nullptr)) { - // |out_data| and |out_len| can only be NULL if the CBB is fixed. + // `out_data` and `out_len` can only be NULL if the CBB is fixed. return 0; } 
@@ -158,24 +159,24 @@ static struct cbb_buffer_st *cbb_get_base(CBB *cbb) { } static void cbb_on_error(CBB *cbb) { - // Due to C's lack of destructors and |CBB|'s auto-flushing API, a failing - // |CBB|-taking function may leave a dangling pointer to a child |CBB|. As a - // result, the convention is callers may not write to |CBB|s that have failed. - // But, as a safety measure, we lock the |CBB| into an error state. Once the - // error bit is set, |cbb->child| will not be read. + // Due to C's lack of destructors and `CBB`'s auto-flushing API, a failing + // `CBB`-taking function may leave a dangling pointer to a child `CBB`. As a + // result, the convention is callers may not write to `CBB`s that have failed. + // But, as a safety measure, we lock the `CBB` into an error state. Once the + // error bit is set, `cbb->child` will not be read. // - // TODO(davidben): This still isn't quite ideal. A |CBB| function *outside* - // this file may originate an error while the |CBB| points to a local child. + // TODO(davidben): This still isn't quite ideal. A `CBB` function *outside* + // this file may originate an error while the `CBB` points to a local child. // In that case we don't set the error bit and are reliant on the error - // convention. Perhaps we allow |CBB_cleanup| on child |CBB|s and make every - // child's |CBB_cleanup| set the error bit if unflushed. That will be + // convention. Perhaps we allow `CBB_cleanup` on child `CBB`s and make every + // child's `CBB_cleanup` set the error bit if unflushed. That will be // convenient for C++ callers, but very tedious for C callers. So C callers - // perhaps should get a |CBB_on_error| function that can be, less tediously, - // stuck in a |goto err| block. + // perhaps should get a `CBB_on_error` function that can be, less tediously, + // stuck in a `goto err` block. 
cbb_get_base(cbb)->error = 1; // Clearing the pointer is not strictly necessary, but GCC's dangling pointer - // warning does not know |cbb->child| will not be read once |error| is set + // warning does not know `cbb->child` will not be read once `error` is set // above. cbb->child = nullptr; } @@ -184,8 +185,8 @@ static void cbb_on_error(CBB *cbb) { // current length of the underlying base is taken to be the length of the // length-prefixed data. int CBB_flush(CBB *cbb) { - // If |base| has hit an error, the buffer is in an undefined state, so - // fail all following calls. In particular, |cbb->child| may point to invalid + // If `base` has hit an error, the buffer is in an undefined state, so + // fail all following calls. In particular, `cbb->child` may point to invalid // memory. struct cbb_buffer_st *base = cbb_get_base(cbb); if (base == nullptr || base->error) { @@ -338,7 +339,7 @@ int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents) { return cbb_add_length_prefixed(cbb, out_contents, 3); } -// add_base128_integer encodes |v| as a big-endian base-128 integer where the +// add_base128_integer encodes `v` as a big-endian base-128 integer where the // high bit of each byte indicates where there is more data. This is the // encoding used in DER for both high tag number form and OID components. static int add_base128_integer(CBB *cbb, uint64_t v) { @@ -382,7 +383,7 @@ int CBB_add_asn1(CBB *cbb, CBB *out_contents, CBS_ASN1_TAG tag) { return 0; } - // Reserve one byte of length prefix. |CBB_flush| will finish it later. + // Reserve one byte of length prefix. `CBB_flush` will finish it later. return cbb_add_child(cbb, out_contents, /*len_len=*/1, /*is_asn1=*/1); } @@ -440,7 +441,7 @@ static int cbb_add_u(CBB *cbb, uint64_t v, size_t len_len) { v >>= 8; } - // |v| must fit in |len_len| bytes. + // `v` must fit in `len_len` bytes. if (v != 0) { cbb_on_error(cbb); return 0; 
@@ -594,9 +595,9 @@ int CBB_add_asn1_bool(CBB *cbb, int value) { return 1; } -// parse_dotted_decimal parses one decimal component from |cbs|, where |cbs| is +// parse_dotted_decimal parses one decimal component from `cbs`, where `cbs` is // an OID literal, e.g., "1.2.840.113554.4.1.72585". It consumes both the -// component and the dot, so |cbs| may be passed into the function again for the +// component and the dot, so `cbs` may be passed into the function again for the // next value. static int parse_dotted_decimal(CBS *cbs, uint64_t *out) { if (!CBS_get_u64_decimal(cbs, out)) { @@ -624,8 +625,8 @@ int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len) { return 0; } - // The first component is encoded as 40 * |a| + |b|. This assumes that |a| is - // 0, 1, or 2 and that, when it is 0 or 1, |b| is at most 39. + // The first component is encoded as 40 * `a` + `b`. This assumes that `a` is + // 0, 1, or 2 and that, when it is 0 or 1, `b` is at most 39. if (a > 2 || (a < 2 && b > 39) || b > UINT64_MAX - 80 || !add_base128_integer(cbb, 40u * a + b)) { return 0; @@ -713,7 +714,7 @@ int CBB_flush_asn1_set_of(CBB *cbb) { } // Parse out the children and sort. We alias them into a copy of so they - // remain valid as we rewrite |cbb|. + // remain valid as we rewrite `cbb`. int ret = 0; size_t buf_len = CBB_len(cbb); uint8_t *buf = diff --git a/third_party/boringssl/src/crypto/bytestring/cbs.cc b/third_party/boringssl/src/crypto/bytestring/cbs.cc index dbaa3e8a..18a2c2e3 100644 --- a/third_party/boringssl/src/crypto/bytestring/cbs.cc +++ b/third_party/boringssl/src/crypto/bytestring/cbs.cc @@ -146,6 +146,8 @@ int CBS_get_u32le(CBS *cbs, uint32_t *out) { return 1; } +int CBS_get_u48(CBS *cbs, uint64_t *out) { return cbs_get_u(cbs, out, 6); } + int CBS_get_u64(CBS *cbs, uint64_t *out) { return cbs_get_u(cbs, out, 8); } int CBS_get_u64le(CBS *cbs, uint64_t *out) { 
@@ -188,7 +190,7 @@ static int cbs_get_length_prefixed(CBS *cbs, CBS *out, size_t len_len) { if (!cbs_get_u(cbs, &len, len_len)) { return 0; } - // If |len_len| <= 3 then we know that |len| will fit into a |size_t|, even on + // If `len_len` <= 3 then we know that `len` will fit into a `size_t`, even on // 32-bit systems. assert(len_len <= 3); return CBS_get_bytes(cbs, out, len); @@ -275,8 +277,8 @@ int CBS_get_u64_decimal(CBS *cbs, uint64_t *out) { return seen_digit; } -// parse_base128_integer reads a big-endian base-128 integer from |cbs| and sets -// |*out| to the result. This is the encoding used in DER for both high tag +// parse_base128_integer reads a big-endian base-128 integer from `cbs` and sets +// `*out` to the result. This is the encoding used in DER for both high tag // number form and OID components. static int parse_base128_integer(CBS *cbs, uint64_t *out) { uint64_t v = 0; @@ -411,7 +413,7 @@ static int cbs_get_any_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag, // ITU-T X.690 section 10.1 (DER length forms) requires encoding the // length with the minimum number of octets. BER could, technically, have // 125 superfluous zero bytes. We do not attempt to handle that and still - // require that the length fit in a |uint32_t| for BER. + // require that the length fit in a `uint32_t` for BER. if (len64 < 128) { // Length should have used short-form encoding. if (ber_ok) { 
@@ -735,8 +737,8 @@ int CBS_is_valid_asn1_oid(const CBS *cbs) { uint8_t v, prev = 0; while (CBS_get_u8(©, &v)) { // OID encodings are a sequence of minimally-encoded base-128 integers (see - // |parse_base128_integer|). If |prev|'s MSB was clear, it was the last byte - // of an integer (or |v| is the first byte). |v| is then the first byte of + // `parse_base128_integer`). If `prev`'s MSB was clear, it was the last byte + // of an integer (or `v` is the first byte). `v` is then the first byte of // the next integer. If first byte of an integer is 0x80, it is not // minimally-encoded. if ((prev & 0x80) == 0 && v == 0x80) { @@ -918,10 +920,10 @@ static int CBS_parse_rfc5280_time_internal(const CBS *cbs, int is_gentime, case 'Z': break; // We correctly have 'Z' on the end as per spec. case '+': - offset_sign = 1; + offset_sign = -1; break; // Should not be allowed per RFC 5280. case '-': - offset_sign = -1; + offset_sign = 1; break; // Should not be allowed per RFC 5280. default: return 0; // Reject anything else after the time. diff --git a/third_party/boringssl/src/crypto/bytestring/internal.h b/third_party/boringssl/src/crypto/bytestring/internal.h index 35bd4c9c..e1aa76f7 100644 --- a/third_party/boringssl/src/crypto/bytestring/internal.h +++ b/third_party/boringssl/src/crypto/bytestring/internal.h 
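Review bot: In the `@@ -918,10 +920,10 @@` hunk of cbs.cc (`CBS_parse_rfc5280_time_internal`), the values assigned to `offset_sign` for '+' and '-' are swapped, but nothing on these lines records which convention is intended. Both branches still carry only "Should not be allowed per RFC 5280". A short comment on the '+' case would pin the direction, for example `// '+hhmm' means the encoded time is ahead of UTC; the offset is removed to get UTC.` How `offset_sign` is applied lies outside the hunk, so the new signs should be checked against that arithmetic. A regression test that parses one timestamp with a positive offset and one with a negative offset would catch a wrong sign, which would otherwise shift every parsed time by twice the offset.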
@@ -26,18 +26,18 @@ BSSL_NAMESPACE_BEGIN -// CBS_asn1_ber_to_der reads a BER element from |in|. If it finds +// CBS_asn1_ber_to_der reads a BER element from `in`. If it finds // indefinite-length elements or constructed strings then it converts the BER -// data to DER, sets |out| to the converted contents and |*out_storage| to a -// buffer which the caller must release with |OPENSSL_free|. Otherwise, it sets -// |out| to the original BER element in |in| and |*out_storage| to NULL. -// Additionally, |*in| will be advanced over the BER element. +// data to DER, sets `out` to the converted contents and `*out_storage` to a +// buffer which the caller must release with `OPENSSL_free`. Otherwise, it sets +// `out` to the original BER element in `in` and `*out_storage` to NULL. +// Additionally, `*in` will be advanced over the BER element. // // This function should successfully process any valid BER input, however it // will not convert all of BER's deviations from DER. BER is ambiguous between // implicitly-tagged SEQUENCEs of strings and implicitly-tagged constructed // strings. Implicitly-tagged strings must be parsed with -// |CBS_get_ber_implicitly_tagged_string| instead of |CBS_get_asn1|. The caller +// `CBS_get_ber_implicitly_tagged_string` instead of `CBS_get_asn1`. The caller // must also account for BER variations in the contents of a primitive. // // It returns one on success and zero otherwise. 
@@ -45,15 +45,15 @@ OPENSSL_EXPORT int CBS_asn1_ber_to_der(CBS *in, CBS *out, uint8_t **out_storage); // CBS_get_asn1_implicit_string parses a BER string of primitive type -// |inner_tag| implicitly-tagged with |outer_tag|. It sets |out| to the -// contents. If concatenation was needed, it sets |*out_storage| to a buffer -// which the caller must release with |OPENSSL_free|. Otherwise, it sets -// |*out_storage| to NULL. +// `inner_tag` implicitly-tagged with `outer_tag`. It sets `out` to the +// contents. If concatenation was needed, it sets `*out_storage` to a buffer +// which the caller must release with `OPENSSL_free`. Otherwise, it sets +// `*out_storage` to NULL. // // This function does not parse all of BER. It requires the string be // definite-length. Constructed strings are allowed, but all children of the // outermost element must be primitive. The caller should use -// |CBS_asn1_ber_to_der| before running this function. +// `CBS_asn1_ber_to_der` before running this function. // // It returns one on success and zero otherwise. OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out, 
@@ -61,17 +61,16 @@ OPENSSL_EXPORT int CBS_get_asn1_implicit_string(CBS *in, CBS *out, CBS_ASN1_TAG outer_tag, CBS_ASN1_TAG inner_tag); -// CBB_finish_i2d calls |CBB_finish| on |cbb| which must have been initialized -// with |CBB_init|. If |outp| is not NULL then the result is written to |*outp| -// and |*outp| is advanced just past the output. It returns the number of bytes -// in the result, whether written or not, or a negative value on error. On -// error, it calls |CBB_cleanup| on |cbb|. +// CBB_finish_i2d calls `CBB_finish` on `cbb` which must have been initialized +// with `CBB_init`. If `outp` is not NULL then the result is written to `*outp` +// and `*outp` is advanced just past the output. It returns the number of bytes +// in the result, whether written or not, or a negative value on error. // // This function may be used to help implement legacy i2d ASN.1 functions. OPENSSL_EXPORT int CBB_finish_i2d(CBB *cbb, uint8_t **outp); -// CBBAsSpan returns a span containing |cbb|'s contents. It does not flush -// |cbb|. The span is valid until the next operation to |cbb|. +// CBBAsSpan returns a span containing `cbb`'s contents. It does not flush +// `cbb`. The span is valid until the next operation to `cbb`. // // To avoid unfinalized length prefixes, it is a fatal error to call this on a // CBB with any active children. 
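Review bot: The revised comment on `CBB_finish_i2d` drops the sentence about calling `CBB_cleanup` on error and does not say what now happens to `cbb`, so ownership on the failure path is undocumented. The asn1_compat.cc hunk earlier in this diff removes the matching `CBB_cleanup(cbb);` call, so the caller appears to keep ownership when the function returns a negative value. I would add a line such as `// On error, cbb is left for the caller to release with CBB_cleanup or a ScopedCBB.` Callers outside this diff that relied on the old behaviour would leak the buffer on failure and are worth auditing.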
@@ -79,14 +78,14 @@ inline Span CBBAsSpan(const CBB *cbb) { return Span(CBB_data(cbb), CBB_len(cbb)); } -// CBBFinishArray behaves like |CBB_finish| but stores the result in an Array. +// CBBFinishArray behaves like `CBB_finish` but stores the result in an Array. OPENSSL_EXPORT bool CBBFinishArray(CBB *cbb, Array *out); -// D2IFromCBS takes a functor of type |Unique(CBS*)| and implements the d2i +// D2IFromCBS takes a functor of type `Unique(CBS*)` and implements the d2i // calling convention. For compatibility with functions that don't tag their -// return value (e.g. public APIs), |T*(CBS)| is also accepted. The callback can -// assume that the |CBS|'s length fits in |long|. The callback should not access -// |out|, |inp|, or |len| directly. +// return value (e.g. public APIs), `T*(CBS)` is also accepted. The callback can +// assume that the `CBS`'s length fits in `long`. The callback should not access +// `out`, `inp`, or `len` directly. template inline T *D2IFromCBS(T **out, const uint8_t **inp, long len, CBSFunc func) { static_assert(std::is_invocable_v); @@ -111,9 +110,9 @@ inline T *D2IFromCBS(T **out, const uint8_t **inp, long len, CBSFunc func) { return ret.release(); } -// I2DFromCBB takes a functor of type |bool(CBB*)| and implements the i2d -// calling convention. It internally makes a |CBB| with the specified initial -// capacity. The callback should not access |outp| directly. +// I2DFromCBB takes a functor of type `bool(CBB*)` and implements the i2d +// calling convention. It internally makes a `CBB` with the specified initial +// capacity. The callback should not access `outp` directly. template inline int I2DFromCBB(size_t initial_capacity, uint8_t **outp, CBBFunc func) { static_assert(std::is_invocable_v); diff --git a/third_party/boringssl/src/crypto/bytestring/unicode.cc b/third_party/boringssl/src/crypto/bytestring/unicode.cc index 74f558eb..6293feba 100644 --- a/third_party/boringssl/src/crypto/bytestring/unicode.cc 
+++ b/third_party/boringssl/src/crypto/bytestring/unicode.cc @@ -33,10 +33,10 @@ static int is_valid_code_point(uint32_t v) { return 1; } -// BOTTOM_BITS returns a byte with the bottom |n| bits set. +// BOTTOM_BITS returns a byte with the bottom `n` bits set. #define BOTTOM_BITS(n) (uint8_t)((1u << (n)) - 1) -// TOP_BITS returns a byte with the top |n| bits set. +// TOP_BITS returns a byte with the top `n` bits set. #define TOP_BITS(n) ((uint8_t)~BOTTOM_BITS(8 - (n))) int CBS_get_utf8(CBS *cbs, uint32_t *out) { diff --git a/third_party/boringssl/src/crypto/chacha/chacha.cc b/third_party/boringssl/src/crypto/chacha/chacha.cc index 6e444411..808a975d 100644 --- a/third_party/boringssl/src/crypto/chacha/chacha.cc +++ b/third_party/boringssl/src/crypto/chacha/chacha.cc @@ -150,7 +150,7 @@ void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in, size_t in_len, #else // chacha_core performs 20 rounds of ChaCha on the input words in -// |input| and writes the 64 output bytes to |output|. +// `input` and writes the 64 output bytes to `output`. static void chacha_core(uint8_t output[64], const uint32_t input[16]) { uint32_t x[16]; int i; diff --git a/third_party/boringssl/src/crypto/chacha/internal.h b/third_party/boringssl/src/crypto/chacha/internal.h index a758055d..04c20a46 100644 --- a/third_party/boringssl/src/crypto/chacha/internal.h +++ b/third_party/boringssl/src/crypto/chacha/internal.h 
@@ -84,11 +84,11 @@ extern "C" void ChaCha20_ctr32_ssse3(uint8_t *out, const uint8_t *in, #endif #if defined(CHACHA20_ASM_NOHW) -// ChaCha20_ctr32_nohw encrypts |in_len| bytes from |in| and writes the result -// to |out|. If |in| and |out| alias, they must be equal. |in_len| may not be +// ChaCha20_ctr32_nohw encrypts `in_len` bytes from `in` and writes the result +// to `out`. If `in` and `out` alias, they must be equal. `in_len` may not be // zero. // -// |counter[0]| is the initial 32-bit block counter, and the remainder is the +// `counter[0]` is the initial 32-bit block counter, and the remainder is the // 96-bit nonce. If the counter overflows, the output is undefined. The function // will produce output, but the output may vary by machine and may not be // self-consistent. (On some architectures, the assembly implements a mix of diff --git a/third_party/boringssl/src/crypto/cipher/e_aesctrhmac.cc b/third_party/boringssl/src/crypto/cipher/e_aesctrhmac.cc index 019d9e60..2bb1db6e 100644 --- a/third_party/boringssl/src/crypto/cipher/e_aesctrhmac.cc +++ b/third_party/boringssl/src/crypto/cipher/e_aesctrhmac.cc @@ -221,6 +221,13 @@ static int aead_aes_ctr_hmac_sha256_openv_detached( Span aadvecs) { const struct aead_aes_ctr_hmac_sha256_ctx *aes_ctx = (struct aead_aes_ctr_hmac_sha256_ctx *)&ctx->state; + const uint64_t in_len_64 = bssl::iovec::TotalLength(iovecs); + + if (in_len_64 >= (UINT64_C(1) << 32) * AES_BLOCK_SIZE) { + // This input is so large it would overflow the 32-bit block counter. + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); + return 0; + } if (in_tag.size() != ctx->tag_len) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); diff --git a/third_party/boringssl/src/crypto/cipher/e_aeseax.cc b/third_party/boringssl/src/crypto/cipher/e_aeseax.cc index f85da3d6..0a5cfc08 100644 --- a/third_party/boringssl/src/crypto/cipher/e_aeseax.cc +++ b/third_party/boringssl/src/crypto/cipher/e_aeseax.cc 
@@ -201,7 +201,7 @@ static void omac_with_tag_iovec_out(const struct aead_aes_eax_ctx *aes_ctx, }); } -// Encrypts/decrypts |in_len| bytes from |in| to |out| using AES-CTR with |n| as +// Encrypts/decrypts `in_len` bytes from `in` to `out` using AES-CTR with `n` as // the IV. static void aes_ctr(const struct aead_aes_eax_ctx *aes_ctx, Span iovecs, @@ -273,9 +273,7 @@ static int aead_aes_eax_openv_detached(const EVP_AEAD_CTX *ctx, return 0; } - const uint64_t in_len_64 = bssl::iovec::TotalLength(iovecs); - if (in_tag.size() != EVP_AEAD_AES_EAX_TAG_LEN || - in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) { + if (in_tag.size() != EVP_AEAD_AES_EAX_TAG_LEN) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } diff --git a/third_party/boringssl/src/crypto/cipher/e_aesgcmsiv.cc b/third_party/boringssl/src/crypto/cipher/e_aesgcmsiv.cc index cc80306b..35f71cf0 100644 --- a/third_party/boringssl/src/crypto/cipher/e_aesgcmsiv.cc +++ b/third_party/boringssl/src/crypto/cipher/e_aesgcmsiv.cc 
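Review bot: The `@@ -273,9 +273,7 @@` hunk removes the `in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE` rejection from `aead_aes_eax_openv_detached` and leaves no note on why an upper bound on the input length is no longer needed. The e_aesctrhmac.cc hunk in this same diff goes the other way and adds a bound for its 32-bit block counter. If `aes_ctr` in this file advances a counter wider than 32 bits (its body is outside the hunk), a comment beside the tag check would show the difference is deliberate, e.g. `// No length cap: the CTR counter here is not limited to 32 bits.` If that assumption does not hold, the bound should stay. The function continues past the end of the hunk.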
@@ -51,63 +51,63 @@ struct aead_aes_gcm_siv_asm_ctx { // The assembly code assumes 8-byte alignment of the EVP_AEAD_CTX's state, and // aligns to 16 bytes itself. -static_assert(sizeof(((EVP_AEAD_CTX *)nullptr)->state) + 8 >= - sizeof(struct aead_aes_gcm_siv_asm_ctx), +static_assert(sizeof(((EVP_AEAD_CTX *)nullptr)->state) >= + sizeof(struct aead_aes_gcm_siv_asm_ctx) + 8, "AEAD state is too small"); static_assert(alignof(union evp_aead_ctx_st_state) >= 8, "AEAD state has insufficient alignment"); extern "C" { -// aes128gcmsiv_aes_ks writes an AES-128 key schedule for |key| to -// |out_expanded_key|. +// aes128gcmsiv_aes_ks writes an AES-128 key schedule for `key` to +// `out_expanded_key`. extern void aes128gcmsiv_aes_ks(const uint8_t key[16], uint8_t out_expanded_key[16 * 15]); -// aes256gcmsiv_aes_ks writes an AES-256 key schedule for |key| to -// |out_expanded_key|. +// aes256gcmsiv_aes_ks writes an AES-256 key schedule for `key` to +// `out_expanded_key`. extern void aes256gcmsiv_aes_ks(const uint8_t key[32], uint8_t out_expanded_key[16 * 15]); -// aesgcmsiv_polyval_horner updates the POLYVAL value in |in_out_poly| to -// include a number (|in_blocks|) of 16-byte blocks of data from |in|, given -// the POLYVAL key in |key|. +// aesgcmsiv_polyval_horner updates the POLYVAL value in `in_out_poly` to +// include a number (`in_blocks`) of 16-byte blocks of data from `in`, given +// the POLYVAL key in `key`. extern void aesgcmsiv_polyval_horner(const uint8_t in_out_poly[16], const uint8_t key[16], const uint8_t *in, size_t in_blocks); -// aesgcmsiv_htable_init writes powers 1..8 of |auth_key| to |out_htable|. +// aesgcmsiv_htable_init writes powers 1..8 of `auth_key` to `out_htable`. extern void aesgcmsiv_htable_init(uint8_t out_htable[16 * 8], const uint8_t auth_key[16]); -// aesgcmsiv_htable6_init writes powers 1..6 of |auth_key| to |out_htable|. +// aesgcmsiv_htable6_init writes powers 1..6 of `auth_key` to `out_htable`. 
extern void aesgcmsiv_htable6_init(uint8_t out_htable[16 * 6], const uint8_t auth_key[16]); -// aesgcmsiv_htable_polyval updates the POLYVAL value in |in_out_poly| to -// include |in_len| bytes of data from |in|. (Where |in_len| must be a multiple -// of 16.) It uses the precomputed powers of the key given in |htable|. +// aesgcmsiv_htable_polyval updates the POLYVAL value in `in_out_poly` to +// include `in_len` bytes of data from `in`. (Where `in_len` must be a multiple +// of 16.) It uses the precomputed powers of the key given in `htable`. extern void aesgcmsiv_htable_polyval(const uint8_t htable[16 * 8], const uint8_t *in, size_t in_len, uint8_t in_out_poly[16]); -// aes128gcmsiv_dec decrypts |in_len| & ~15 bytes from |out| and writes them to -// |in|. |in| and |out| may be equal, but must not otherwise alias. +// aes128gcmsiv_dec decrypts `in_len` & ~15 bytes from `out` and writes them to +// `in`. `in` and `out` may be equal, but must not otherwise alias. // -// |in_out_calculated_tag_and_scratch|, on entry, must contain: +// `in_out_calculated_tag_and_scratch`, on entry, must contain: // 1. The current value of the calculated tag, which will be updated during // decryption and written back to the beginning of this buffer on exit. // 2. The claimed tag, which is needed to derive counter values. // -// While decrypting, the whole of |in_out_calculated_tag_and_scratch| may be +// While decrypting, the whole of `in_out_calculated_tag_and_scratch` may be // used for other purposes. In order to decrypt and update the POLYVAL value, it -// uses the expanded key from |key| and the table of powers in |htable|. +// uses the expanded key from `key` and the table of powers in `htable`. extern void aes128gcmsiv_dec(const uint8_t *in, uint8_t *out, uint8_t in_out_calculated_tag_and_scratch[16 * 8], const uint8_t htable[16 * 6], const struct aead_aes_gcm_siv_asm_ctx *key, size_t in_len); -// aes256gcmsiv_dec acts like |aes128gcmsiv_dec|, but for AES-256. 
+// aes256gcmsiv_dec acts like `aes128gcmsiv_dec`, but for AES-256. extern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out, uint8_t in_out_calculated_tag_and_scratch[16 * 8], const uint8_t htable[16 * 6], 
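Review bot: The corrected `static_assert` at the top of the `@@ -51,63 +51,63 @@` hunk now requires `sizeof(state) >= sizeof(struct aead_aes_gcm_siv_asm_ctx) + 8`, but the comment above it mentions only alignment and does not explain the extra 8 bytes. The old form put the slack on the wrong side and would have accepted a state up to 8 bytes smaller than the context it must hold. `asm_ctx_from_ctx`, later in the file, notes that up to eight bytes may be added to reach 16-byte alignment. I would add `// The + 8 covers the worst-case padding asm_ctx_from_ctx adds to reach 16-byte alignment.` so the bound is not flipped back.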
@@ -115,68 +115,68 @@ extern void aes256gcmsiv_dec(const uint8_t *in, uint8_t *out, size_t in_len); // aes128gcmsiv_kdf performs the AES-GCM-SIV KDF given the expanded key from -// |key_schedule| and the nonce in |nonce|. Note that, while only 12 bytes of +// `key_schedule` and the nonce in `nonce`. Note that, while only 12 bytes of // the nonce are used, 16 bytes are read and so the value must be // right-padded. extern void aes128gcmsiv_kdf(const uint8_t nonce[16], uint64_t out_key_material[8], const uint8_t *key_schedule); -// aes256gcmsiv_kdf acts like |aes128gcmsiv_kdf|, but for AES-256. +// aes256gcmsiv_kdf acts like `aes128gcmsiv_kdf`, but for AES-256. extern void aes256gcmsiv_kdf(const uint8_t nonce[16], uint64_t out_key_material[12], const uint8_t *key_schedule); // aes128gcmsiv_aes_ks_enc_x1 performs a key expansion of the AES-128 key in -// |key|, writes the expanded key to |out_expanded_key| and encrypts a single -// block from |in| to |out|. +// `key`, writes the expanded key to `out_expanded_key` and encrypts a single +// block from `in` to `out`. extern void aes128gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16], uint8_t out_expanded_key[16 * 15], const uint64_t key[2]); -// aes256gcmsiv_aes_ks_enc_x1 acts like |aes128gcmsiv_aes_ks_enc_x1|, but for +// aes256gcmsiv_aes_ks_enc_x1 acts like `aes128gcmsiv_aes_ks_enc_x1`, but for // AES-256. extern void aes256gcmsiv_aes_ks_enc_x1(const uint8_t in[16], uint8_t out[16], uint8_t out_expanded_key[16 * 15], const uint64_t key[4]); -// aes128gcmsiv_ecb_enc_block encrypts a single block from |in| to |out| using -// the expanded key in |expanded_key|. +// aes128gcmsiv_ecb_enc_block encrypts a single block from `in` to `out` using +// the expanded key in `expanded_key`. 
extern void aes128gcmsiv_ecb_enc_block( const uint8_t in[16], uint8_t out[16], const struct aead_aes_gcm_siv_asm_ctx *expanded_key); -// aes256gcmsiv_ecb_enc_block acts like |aes128gcmsiv_ecb_enc_block|, but for +// aes256gcmsiv_ecb_enc_block acts like `aes128gcmsiv_ecb_enc_block`, but for // AES-256. extern void aes256gcmsiv_ecb_enc_block( const uint8_t in[16], uint8_t out[16], const struct aead_aes_gcm_siv_asm_ctx *expanded_key); -// aes128gcmsiv_enc_msg_x4 encrypts |in_len| bytes from |in| to |out| using the -// expanded key from |key|. (The value of |in_len| must be a multiple of 16.) -// The |in| and |out| buffers may be equal but must not otherwise overlap. The -// initial counter is constructed from the given |tag| as required by +// aes128gcmsiv_enc_msg_x4 encrypts `in_len` bytes from `in` to `out` using the +// expanded key from `key`. (The value of `in_len` must be a multiple of 16.) +// The `in` and `out` buffers may be equal but must not otherwise overlap. The +// initial counter is constructed from the given `tag` as required by // AES-GCM-SIV. extern void aes128gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out, const uint8_t *tag, const struct aead_aes_gcm_siv_asm_ctx *key, size_t in_len); -// aes256gcmsiv_enc_msg_x4 acts like |aes128gcmsiv_enc_msg_x4|, but for +// aes256gcmsiv_enc_msg_x4 acts like `aes128gcmsiv_enc_msg_x4`, but for // AES-256. extern void aes256gcmsiv_enc_msg_x4(const uint8_t *in, uint8_t *out, const uint8_t *tag, const struct aead_aes_gcm_siv_asm_ctx *key, size_t in_len); -// aes128gcmsiv_enc_msg_x8 acts like |aes128gcmsiv_enc_msg_x4|, but is +// aes128gcmsiv_enc_msg_x8 acts like `aes128gcmsiv_enc_msg_x4`, but is // optimised for longer messages. 
extern void aes128gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out, const uint8_t *tag, const struct aead_aes_gcm_siv_asm_ctx *key, size_t in_len); -// aes256gcmsiv_enc_msg_x8 acts like |aes256gcmsiv_enc_msg_x4|, but is +// aes256gcmsiv_enc_msg_x8 acts like `aes256gcmsiv_enc_msg_x4`, but is // optimised for longer messages. extern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out, const uint8_t *tag, @@ -184,7 +184,7 @@ extern void aes256gcmsiv_enc_msg_x8(const uint8_t *in, uint8_t *out, size_t in_len); } -// asm_ctx_from_ctx returns a 16-byte aligned context pointer from |ctx|. +// asm_ctx_from_ctx returns a 16-byte aligned context pointer from `ctx`. struct aead_aes_gcm_siv_asm_ctx *asm_ctx_from_ctx(const EVP_AEAD_CTX *ctx) { // ctx->state must already be 8-byte aligned. Thus, at most, we may need to // add eight to align it to 16 bytes. @@ -228,8 +228,8 @@ int aead_aes_gcm_siv_asm_init(EVP_AEAD_CTX *ctx, const uint8_t *key, void aead_aes_gcm_siv_asm_cleanup(EVP_AEAD_CTX *ctx) {} -// gcm_siv_asm_polyval evaluates POLYVAL at |auth_key| on the given plaintext -// and AD. The result is written to |out_tag|. +// gcm_siv_asm_polyval evaluates POLYVAL at `auth_key` on the given plaintext +// and AD. The result is written to `out_tag`. void gcm_siv_asm_polyval(uint8_t out_tag[16], Span iovecs, Span aadvecs, const uint8_t auth_key[16], const uint8_t nonce[12]) { 
@@ -291,8 +291,8 @@ void gcm_siv_asm_polyval(uint8_t out_tag[16], Span iovecs, // aead_aes_gcm_siv_asm_crypt_last_block handles the encryption/decryption // (same thing in CTR mode) of the final block of a plaintext/ciphertext. It -// writes |total_in_len| & 15 bytes to |out_last_block|, based on an initial -// counter derived from |tag|. +// writes `total_in_len` & 15 bytes to `out_last_block`, based on an initial +// counter derived from `tag`. void aead_aes_gcm_siv_asm_crypt_last_block( int is_128_bit, uint8_t *out_last_block, const uint8_t *in_last_block, size_t total_in_len, const uint8_t tag[16], @@ -315,13 +315,13 @@ void aead_aes_gcm_siv_asm_crypt_last_block( } // aead_aes_gcm_siv_kdf calculates the record encryption and authentication -// keys given the |nonce|. +// keys given the `nonce`. void aead_aes_gcm_siv_kdf(int is_128_bit, const struct aead_aes_gcm_siv_asm_ctx *gcm_siv_ctx, uint64_t out_record_auth_key[2], uint64_t out_record_enc_key[4], const uint8_t nonce[12]) { - alignas(16) uint8_t padded_nonce[16]; + alignas(16) uint8_t padded_nonce[16] = {0}; OPENSSL_memcpy(padded_nonce, nonce, 12); alignas(16) uint64_t key_material[12]; 
@@ -698,12 +698,12 @@ int aead_aes_gcm_siv_init(EVP_AEAD_CTX *ctx, const uint8_t *key, size_t key_len, void aead_aes_gcm_siv_cleanup(EVP_AEAD_CTX *ctx) {} -// gcm_siv_crypt encrypts (or decrypts—it's the same thing) bytes from |in| to -// |out| in the |iovec|, using the block function |enc_block| with |key| in -// counter mode, starting at |initial_counter|. This differs from the +// gcm_siv_crypt encrypts (or decrypts—it's the same thing) bytes from `in` to +// `out` in the `iovec`, using the block function `enc_block` with `key` in +// counter mode, starting at `initial_counter`. This differs from the // traditional counter mode code in that the counter is handled little-endian, // only the first four bytes are used and the GCM-SIV tweak to the final byte -// is applied. The |in| and |out| pointers may be equal but otherwise must not +// is applied. The `in` and `out` pointers may be equal but otherwise must not // alias. void gcm_siv_crypt(Span iovecs, const uint8_t initial_counter[AES_BLOCK_SIZE], @@ -757,7 +757,7 @@ struct polyval_ctx { ghash_func ghash; }; -// byte_reverse reverses the order of the bytes in |b->c|. +// byte_reverse reverses the order of the bytes in `b->c`. void byte_reverse(uint8_t b[16]) { uint64_t hi = CRYPTO_load_u64_le(b); uint64_t lo = CRYPTO_load_u64_le(b + 8); @@ -765,8 +765,8 @@ void byte_reverse(uint8_t b[16]) { CRYPTO_store_u64_le(b + 8, CRYPTO_bswap8(hi)); } -// reverse_and_mulX_ghash interprets |b| as a reversed element of the GHASH -// field, multiplies that by 'x' and serialises the result back into |b|, but +// reverse_and_mulX_ghash interprets `b` as a reversed element of the GHASH +// field, multiplies that by 'x' and serialises the result back into `b`, but // with GHASH's backwards bit ordering. void reverse_and_mulX_ghash(uint8_t b[16]) { uint64_t hi = CRYPTO_load_u64_le(b); 
@@ -818,8 +818,8 @@ void crypto_polyval_finish(const struct polyval_ctx *ctx, uint8_t out[16]) { byte_reverse(out); } -// gcm_siv_polyval evaluates POLYVAL at |auth_key| on the given plaintext and -// AD. The result is written to |out_tag|. +// gcm_siv_polyval evaluates POLYVAL at `auth_key` on the given plaintext and +// AD. The result is written to `out_tag`. void gcm_siv_polyval(uint8_t out_tag[16], Span iovecs, bool encrypt, Span aadvecs, const uint8_t auth_key[16], @@ -883,7 +883,7 @@ struct gcm_siv_record_keys { }; // gcm_siv_keys calculates the keys for a specific GCM-SIV record with the -// given nonce and writes them to |*out_keys|. +// given nonce and writes them to `*out_keys`. void gcm_siv_keys(const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx, struct gcm_siv_record_keys *out_keys, const uint8_t nonce[EVP_AEAD_AES_GCM_SIV_NONCE_LEN]) { @@ -904,13 +904,13 @@ void gcm_siv_keys(const struct aead_aes_gcm_siv_ctx *gcm_siv_ctx, } OPENSSL_memcpy(out_keys->auth_key, key_material, 16); - // Note the |ctr128_f| function uses a big-endian couner, while AES-GCM-SIV + // Note the `ctr128_f` function uses a big-endian couner, while AES-GCM-SIV // uses a little-endian counter. We ignore the return value and only use - // |block128_f|. This has a significant performance cost for the fallback + // `block128_f`. This has a significant performance cost for the fallback // bitsliced AES implementations (bsaes and aes_nohw). // // We currently do not consider AES-GCM-SIV to be performance-sensitive on - // client hardware. If this changes, we can write little-endian |ctr128_f| + // client hardware. If this changes, we can write little-endian `ctr128_f` // functions. aes_ctr_set_key(&out_keys->enc_key.ks, nullptr, &out_keys->enc_block, key_material + 16, gcm_siv_ctx->is_256 ? 32 : 16); 
@@ -972,7 +972,7 @@ int aead_aes_gcm_siv_openv_detached(const EVP_AEAD_CTX *ctx, const uint64_t in_len_64 = bssl::iovec::TotalLength(iovecs); if (in_tag.size() != EVP_AEAD_AES_GCM_SIV_TAG_LEN || - in_len_64 > (UINT64_C(1) << 36) + AES_BLOCK_SIZE) { + in_len_64 > (UINT64_C(1) << 36)) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -1039,14 +1039,16 @@ const EVP_AEAD aead_aes_256_gcm_siv = { #if defined(AES_GCM_SIV_ASM) const EVP_AEAD *EVP_aead_aes_128_gcm_siv() { - if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) { + if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable() && + CRYPTO_is_PCLMUL_capable()) { return &aead_aes_128_gcm_siv_asm; } return &aead_aes_128_gcm_siv; } const EVP_AEAD *EVP_aead_aes_256_gcm_siv() { - if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable()) { + if (CRYPTO_is_AVX_capable() && CRYPTO_is_AESNI_capable() && + CRYPTO_is_PCLMUL_capable()) { return &aead_aes_256_gcm_siv_asm; } return &aead_aes_256_gcm_siv; diff --git a/third_party/boringssl/src/crypto/cipher/e_chacha20poly1305.cc b/third_party/boringssl/src/crypto/cipher/e_chacha20poly1305.cc index 4f99f6ec..69b70714 100644 --- a/third_party/boringssl/src/crypto/cipher/e_chacha20poly1305.cc +++ b/third_party/boringssl/src/crypto/cipher/e_chacha20poly1305.cc @@ -79,7 +79,7 @@ static void poly1305_update_length(poly1305_state *poly1305, size_t data_len) { CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes)); } -// calc_tag_pre prepares filling |tag| with the authentication tag for the given +// calc_tag_pre prepares filling `tag` with the authentication tag for the given // inputs. static size_t calc_tag_pre(poly1305_state *ctx, const uint8_t key[32], const uint8_t nonce[12], 
@@ -129,9 +129,9 @@ static int chacha20_poly1305_sealv(const uint8_t *key, return 0; } - // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow + // `CRYPTO_chacha_20` uses a 32-bit block counter. Therefore we disallow // individual operations that work on more than 256GB at a time. - // |in_len_64| is needed because, on 32-bit platforms, size_t is only + // `in_len_64` is needed because, on 32-bit platforms, size_t is only // 32-bits and this produces a warning because it's always false. // Casting to uint64_t inside the conditional is not sufficient to stop // the warning. @@ -148,7 +148,7 @@ static int chacha20_poly1305_sealv(const uint8_t *key, data.in.counter = 0; CopySpan(nonce, data.in.nonce); if (iovecs.size() >= 2) { - // |chacha20_poly1305_seal| only supports one extra input and expects it + // `chacha20_poly1305_seal` only supports one extra input and expects it // to have been encrypted ahead of time. (Historically it was only used // for very short inputs.) constexpr size_t kChaChaBlockSize = 64; @@ -271,9 +271,9 @@ static int chacha20_poly1305_openv_detached(const uint8_t *key, return 0; } - // |CRYPTO_chacha_20| uses a 32-bit block counter. Therefore we disallow + // `CRYPTO_chacha_20` uses a 32-bit block counter. Therefore we disallow // individual operations that work on more than 256GB at a time. - // |in_len_64| is needed because, on 32-bit platforms, size_t is only + // `in_len_64` is needed because, on 32-bit platforms, size_t is only // 32-bits and this produces a warning because it's always false. // Casting to uint64_t inside the conditional is not sufficient to stop // the warning. diff --git a/third_party/boringssl/src/crypto/cipher/e_rc2.cc b/third_party/boringssl/src/crypto/cipher/e_rc2.cc index 91c5f52d..2fb90ada 100644 --- a/third_party/boringssl/src/crypto/cipher/e_rc2.cc +++ b/third_party/boringssl/src/crypto/cipher/e_rc2.cc 
@@ -100,7 +100,7 @@ typedef struct rc2_key_st { uint16_t data[64]; } RC2_KEY; -static void RC2_encrypt(uint32_t *d, RC2_KEY *key) { +static void rc2_encrypt(uint32_t *d, RC2_KEY *key) { int i, n; uint16_t *p0, *p1; uint16_t x0, x1, x2, x3, t; @@ -144,7 +144,7 @@ static void RC2_encrypt(uint32_t *d, RC2_KEY *key) { d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L); } -static void RC2_decrypt(uint32_t *d, RC2_KEY *key) { +static void rc2_decrypt(uint32_t *d, RC2_KEY *key) { int i, n; uint16_t *p0, *p1; uint16_t x0, x1, x2, x3, t; @@ -189,7 +189,7 @@ static void RC2_decrypt(uint32_t *d, RC2_KEY *key) { d[1] = (uint32_t)(x2 & 0xffff) | ((uint32_t)(x3 & 0xffff) << 16L); } -static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, +static void rc2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, RC2_KEY *ks, uint8_t *iv, int encrypt) { uint32_t tin0, tin1; uint32_t tout0, tout1, xor0, xor1; @@ -207,7 +207,7 @@ static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, tin1 ^= tout1; tin[0] = tin0; tin[1] = tin1; - RC2_encrypt(tin, ks); + rc2_encrypt(tin, ks); tout0 = tin[0]; l2c(tout0, out); tout1 = tin[1]; @@ -219,7 +219,7 @@ static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, tin1 ^= tout1; tin[0] = tin0; tin[1] = tin1; - RC2_encrypt(tin, ks); + rc2_encrypt(tin, ks); tout0 = tin[0]; l2c(tout0, out); tout1 = tin[1]; @@ -236,7 +236,7 @@ static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, tin[0] = tin0; c2l(in, tin1); tin[1] = tin1; - RC2_decrypt(tin, ks); + rc2_decrypt(tin, ks); tout0 = tin[0] ^ xor0; tout1 = tin[1] ^ xor1; l2c(tout0, out); @@ -249,7 +249,7 @@ static void RC2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, tin[0] = tin0; c2l(in, tin1); tin[1] = tin1; - RC2_decrypt(tin, ks); + rc2_decrypt(tin, ks); tout0 = tin[0] ^ xor0; tout1 = tin[1] ^ xor1; l2cn(tout0, tout1, out, l + 8); 
@@ -287,18 +287,23 @@ static const uint8_t key_table[256] = { 0xfe, 0x7f, 0xc1, 0xad, }; -static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) { - int i, j; +static int rc2_set_key(RC2_KEY *key, size_t len, const uint8_t *data, + int bits) { + size_t i, j; uint8_t *k; - uint16_t *ki; unsigned int c, d; k = (uint8_t *)&key->data[0]; *k = 0; // for if there is a zero length key + if (len == 0) { + OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_KEY_LENGTH); + return 0; + } if (len > 128) { len = 128; } + if (bits <= 0) { bits = 1024; } @@ -326,16 +331,20 @@ static void RC2_set_key(RC2_KEY *key, int len, const uint8_t *data, int bits) { d = key_table[k[i] & c]; k[i] = d; - while (i--) { + + while (i > 0) { + --i; d = key_table[k[i + j] ^ d]; k[i] = d; } // copy from bytes into uint16_t's - ki = &(key->data[63]); - for (i = 127; i >= 0; i -= 2) { - *(ki--) = ((k[i] << 8) | k[i - 1]) & 0xffff; + for (i = 0; i < 64; ++i) { + j = 63 - i; + key->data[j] = ((k[2 * j + 1] << 8) | k[2 * j]) & 0xffff; } + + return 1; } typedef struct { @@ -346,8 +355,10 @@ typedef struct { static int rc2_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv, int enc) { EVP_RC2_KEY *rc2_key = (EVP_RC2_KEY *)ctx->cipher_data; - RC2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key, - rc2_key->key_bits); + if (!rc2_set_key(&rc2_key->ks, EVP_CIPHER_CTX_key_length(ctx), key, + rc2_key->key_bits)) { + return 0; + } return 1; } @@ -357,13 +368,13 @@ static int rc2_cbc_cipher_update(EVP_CIPHER_CTX *ctx, uint8_t *out, static const size_t kChunkSize = 0x10000; while (len >= kChunkSize) { - RC2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt); + rc2_cbc_encrypt(in, out, kChunkSize, &key->ks, ctx->iv, ctx->encrypt); len -= kChunkSize; in += kChunkSize; out += kChunkSize; } if (len) { - RC2_cbc_encrypt(in, out, len, &key->ks, ctx->iv, ctx->encrypt); + rc2_cbc_encrypt(in, out, len, &key->ks, ctx->iv, ctx->encrypt); } return 1; } 
@@ -376,7 +387,7 @@ static int rc2_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { key->key_bits = EVP_CIPHER_CTX_key_length(ctx) * 8; return 1; case EVP_CTRL_SET_RC2_KEY_BITS: - // Should be overridden by later call to |EVP_CTRL_INIT|, but + // Should be overridden by later call to `EVP_CTRL_INIT`, but // people call it, so it may as well work. key->key_bits = arg; return 1; diff --git a/third_party/boringssl/src/crypto/cipher/e_tls.cc b/third_party/boringssl/src/crypto/cipher/e_tls.cc index f38a41e1..0edf61a2 100644 --- a/third_party/boringssl/src/crypto/cipher/e_tls.cc +++ b/third_party/boringssl/src/crypto/cipher/e_tls.cc @@ -108,8 +108,8 @@ static size_t aead_tls_tag_len(const EVP_AEAD_CTX *ctx, const size_t in_len) { const size_t hmac_len = HMAC_size(tls_ctx->hmac_ctx); const size_t block_size = EVP_CIPHER_CTX_block_size(&tls_ctx->cipher_ctx); - // An overflow of |in_len + hmac_len| doesn't affect the result mod - // |block_size|, provided that |block_size| is a smaller power of two. + // An overflow of `in_len + hmac_len` doesn't affect the result mod + // `block_size`, provided that `block_size` is a smaller power of two. assert(block_size == 8 /*3DES*/ || block_size == 16 /*AES*/); const size_t pad_len = block_size - ((in_len + hmac_len) & (block_size - 1)); return hmac_len + pad_len; @@ -145,7 +145,7 @@ static int aead_tls_sealv(const EVP_AEAD_CTX *ctx, return 0; } - // To allow for CBC mode which changes cipher length, |ad| doesn't include the + // To allow for CBC mode which changes cipher length, `ad` doesn't include the // length for legacy ciphers. uint8_t ad_extra[2]; CRYPTO_store_u16_be(ad_extra, static_cast(in_len)); 
@@ -217,7 +217,7 @@ static int aead_tls_sealv(const EVP_AEAD_CTX *ctx, // Feed the MAC into the cipher in two steps. First complete the // final partial block from encrypting the input and split the - // result between |out| and |out_tag|. Then feed the rest. + // result between `out` and `out_tag`. Then feed the rest. const size_t early_mac_len = block_size - remaining; assert(early_mac_len < block_size); assert(len + block_size - early_mac_len == in_len); @@ -329,9 +329,9 @@ static int aead_tls_openv(const EVP_AEAD_CTX *ctx, const size_t mac_len = HMAC_size(tls_ctx->hmac_ctx); - // Split the decrypted record into |iovecs_without_trailer| and |trailer|, + // Split the decrypted record into `iovecs_without_trailer` and `trailer`, // based on the public lower bound of where the plaintext ends. The plaintext - // is followed by |mac_len| and then at most 256 bytes of padding. + // is followed by `mac_len` and then at most 256 bytes of padding. InplaceVector iovecs_without_trailer; iovecs_without_trailer.CopyFrom(iovecs); uint8_t trailer_buf[EVP_MAX_MD_SIZE + 256]; @@ -341,7 +341,7 @@ static int aead_tls_openv(const EVP_AEAD_CTX *ctx, BSSL_CHECK(trailer.has_value()); // Remove CBC padding. Code from here on is timing-sensitive with respect to - // |padding_ok|, |trailer_minus_padding|, and derived values. + // `padding_ok`, `trailer_minus_padding`, and derived values. crypto_word_t padding_ok; size_t trailer_minus_padding; if (!EVP_tls_cbc_remove_padding(&padding_ok, &trailer_minus_padding, 
@@ -352,16 +352,16 @@ static int aead_tls_openv(const EVP_AEAD_CTX *ctx, return 0; } - // If the padding is valid, |trailer->first(trailer_minus_padding)| is the + // If the padding is valid, `trailer->first(trailer_minus_padding)` is the // last bytes of plaintext and the MAC. Otherwise, it is still large enough to - // extract a MAC, but it will be irrelevant. Note that |trailer_minus_padding| + // extract a MAC, but it will be irrelevant. Note that `trailer_minus_padding` // is secret. declassify_assert(trailer_minus_padding >= mac_len); size_t data_in_trailer_len = trailer_minus_padding - mac_len; size_t max_data_in_trailer_len = trailer->size() - mac_len; size_t data_len = total - trailer->size() + data_in_trailer_len; - // To allow for CBC mode which changes cipher length, |ad_len| doesn't + // To allow for CBC mode which changes cipher length, `ad_len` doesn't // include the length for legacy ciphers. uint8_t ad_extra[2]; CRYPTO_store_u16_be(ad_extra, static_cast(data_len)); diff --git a/third_party/boringssl/src/crypto/cipher/get_cipher.cc b/third_party/boringssl/src/crypto/cipher/get_cipher.cc index dabc54aa..576a94f5 100644 --- a/third_party/boringssl/src/crypto/cipher/get_cipher.cc +++ b/third_party/boringssl/src/crypto/cipher/get_cipher.cc @@ -69,7 +69,7 @@ const EVP_CIPHER *EVP_get_cipherbyname(const char *name) { } // This is not a name used by OpenSSL, but tcpdump registers it with - // |EVP_add_cipher_alias|. Our |EVP_add_cipher_alias| is a no-op, so we + // `EVP_add_cipher_alias`. Our `EVP_add_cipher_alias` is a no-op, so we // support the name here. if (OPENSSL_strcasecmp(name, "3des") == 0) { name = "des-ede3-cbc"; diff --git a/third_party/boringssl/src/crypto/cipher/internal.h b/third_party/boringssl/src/crypto/cipher/internal.h index e6ce207e..0293e349 100644 --- a/third_party/boringssl/src/crypto/cipher/internal.h +++ b/third_party/boringssl/src/crypto/cipher/internal.h 
@@ -28,23 +28,23 @@ BSSL_NAMESPACE_BEGIN // EVP_tls_cbc_get_padding determines the padding from the decrypted, TLS, CBC -// record in |in|. This decrypted record should not include any "decrypted" +// record in `in`. This decrypted record should not include any "decrypted" // explicit IV. If the record is publicly invalid, it returns zero. Otherwise, -// it returns one and sets |*out_padding_ok| to all ones (0xfff..f) if the -// padding is valid and zero otherwise. It then sets |*out_len| to the length -// with the padding removed or |in_len| if invalid. +// it returns one and sets `*out_padding_ok` to all ones (0xfff..f) if the +// padding is valid and zero otherwise. It then sets `*out_len` to the length +// with the padding removed or `in_len` if invalid. // // If the function returns one, it runs in time independent of the contents of -// |in|. It is also guaranteed that, independent of |*out_padding_ok|, |mac_len| -// <= |*out_len| <= |in_len|, satisfying |EVP_tls_cbc_copy_mac|'s precondition. +// `in`. It is also guaranteed that, independent of `*out_padding_ok`, `mac_len` +// <= `*out_len` <= `in_len`, satisfying `EVP_tls_cbc_copy_mac`'s precondition. int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len, const uint8_t *in, size_t in_len, size_t block_size, size_t mac_size); -// EVP_tls_cbc_copy_mac copies |md_size| bytes from the end of the first -// |in_len| bytes of |in| to |out| in constant time (independent of the concrete -// value of |in_len|, which may vary within a 256-byte window). |in| must point -// to a buffer of |orig_len| bytes. +// EVP_tls_cbc_copy_mac copies `md_size` bytes from the end of the first +// `in_len` bytes of `in` to `out` in constant time (independent of the concrete +// value of `in_len`, which may vary within a 256-byte window). `in` must point +// to a buffer of `orig_len` bytes. // // On entry: // orig_len >= in_len >= md_size 
@@ -52,14 +52,14 @@ int EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, size_t *out_len, void EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in, size_t in_len, size_t orig_len); -// EVP_tls_cbc_record_digest_supported returns 1 iff |md| is a hash function +// EVP_tls_cbc_record_digest_supported returns 1 iff `md` is a hash function // which EVP_tls_cbc_digest_record supports. int EVP_tls_cbc_record_digest_supported(const EVP_MD *md); -// EVP_sha1_final_with_secret_suffix computes the result of hashing |len| bytes -// from |in| to |ctx| and writes the resulting hash to |out|. |len| is treated -// as secret and must be at most |max_len|, which is treated as public. |in| -// must point to a buffer of at least |max_len| bytes. It returns one on success +// EVP_sha1_final_with_secret_suffix computes the result of hashing `len` bytes +// from `in` to `ctx` and writes the resulting hash to `out`. `len` is treated +// as secret and must be at most `max_len`, which is treated as public. `in` +// must point to a buffer of at least `max_len` bytes. It returns one on success // and zero if inputs are too long. // // This function is exported for unit tests. @@ -68,7 +68,7 @@ OPENSSL_EXPORT int EVP_sha1_final_with_secret_suffix( size_t max_len); // EVP_sha256_final_with_secret_suffix acts like -// |EVP_sha1_final_with_secret_suffix|, but for SHA-256. +// `EVP_sha1_final_with_secret_suffix`, but for SHA-256. // // This function is exported for unit tests. OPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix( 
@@ -90,7 +90,7 @@ OPENSSL_EXPORT int EVP_sha256_final_with_secret_suffix( // trailer: a buffer, of public length, containing the remainder of the // plaintext as a prefix. // data_in_trailer_size: the secret, reported length of the data portion in -// |trailer| once the padding and MAC have been removed. +// `trailer` once the padding and MAC have been removed. // // On entry: by virtue of having been through one of the remove_padding // functions, above, we know that data_plus_mac_size is large enough to contain @@ -149,9 +149,9 @@ inline int chacha20_poly1305_asm_capable() { } // chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It decrypts -// |plaintext_len| bytes from |ciphertext| and writes them to |out_plaintext|. -// Additional input parameters are passed in |aead_data->in|. On exit, it will -// write calculated tag value to |aead_data->out.tag|, which the caller must +// `plaintext_len` bytes from `ciphertext` and writes them to `out_plaintext`. +// Additional input parameters are passed in `aead_data->in`. On exit, it will +// write calculated tag value to `aead_data->out.tag`, which the caller must // check. #if defined(OPENSSL_X86_64) extern "C" void chacha20_poly1305_open_sse41( 
@@ -182,10 +182,10 @@ extern "C" void chacha20_poly1305_open(uint8_t *out_plaintext, #endif // chacha20_poly1305_open is defined in chacha20_poly1305_*.pl. It encrypts -// |plaintext_len| bytes from |plaintext| and writes them to |out_ciphertext|. -// Additional input parameters are passed in |aead_data->in|. The calculated tag -// value is over the computed ciphertext concatenated with |extra_ciphertext| -// and written to |aead_data->out.tag|. +// `plaintext_len` bytes from `plaintext` and writes them to `out_ciphertext`. +// Additional input parameters are passed in `aead_data->in`. The calculated tag +// value is over the computed ciphertext concatenated with `extra_ciphertext` +// and written to `aead_data->out.tag`. #if defined(OPENSSL_X86_64) extern "C" void chacha20_poly1305_seal_sse41( uint8_t *out_ciphertext, const uint8_t *plaintext, size_t plaintext_len, diff --git a/third_party/boringssl/src/crypto/cipher/tls_cbc.cc b/third_party/boringssl/src/crypto/cipher/tls_cbc.cc index f0c57647..dc7058e5 100644 --- a/third_party/boringssl/src/crypto/cipher/tls_cbc.cc +++ b/third_party/boringssl/src/crypto/cipher/tls_cbc.cc @@ -46,7 +46,7 @@ int bssl::EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, // length byte. Thus, with the length byte included, there are i+1 // bytes of padding. // - // We can't check just |padding_length+1| bytes because that leaks + // We can't check just `padding_length+1` bytes because that leaks // decrypted information. Therefore we always have to check the maximum // amount of padding possible. (Again, the length of the record is // public information so we can use it.) 
@@ -57,21 +57,21 @@ int bssl::EVP_tls_cbc_remove_padding(crypto_word_t *out_padding_ok, for (size_t i = 0; i < to_check; i++) { uint8_t mask = constant_time_ge_8(padding_length, i); - // The value barrier on |(in_len - 1 - i)| isn't needed to enforce + // The value barrier on `(in_len - 1 - i)` isn't needed to enforce // constant-time. It is just there to prevent a false positive in // constant-time checks by valgrind. uint8_t b = in[value_barrier_w(in_len - 1 - i)]; - // The final |padding_length+1| bytes should all have the value - // |padding_length|. Therefore the XOR should be zero. + // The final `padding_length+1` bytes should all have the value + // `padding_length`. Therefore the XOR should be zero. good &= ~(mask & (padding_length ^ b)); } - // If any of the final |padding_length+1| bytes had the wrong value, - // one or more of the lower eight bits of |good| will be cleared. + // If any of the final `padding_length+1` bytes had the wrong value, + // one or more of the lower eight bits of `good` will be cleared. good = constant_time_eq_w(0xff, good & 0xff); - // Always treat |padding_length| as zero on error. If, assuming block size of - // 16, a padding of [<15 arbitrary bytes> 15] treated |padding_length| as 16 + // Always treat `padding_length` as zero on error. If, assuming block size of + // 16, a padding of [<15 arbitrary bytes> 15] treated `padding_length` as 16 // and returned -1, distinguishing good MAC and bad padding from bad MAC and // bad padding would give POODLE's padding oracle. padding_length = good & (padding_length + 1); @@ -86,7 +86,7 @@ void bssl::EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in, uint8_t *rotated_mac = rotated_mac1; uint8_t *rotated_mac_tmp = rotated_mac2; - // mac_end is the index of |in| just after the end of the MAC. + // mac_end is the index of `in` just after the end of the MAC. size_t mac_end = in_len; size_t mac_start = mac_end - md_size; 
@@ -114,15 +114,15 @@ void bssl::EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in, mac_started |= is_mac_start; uint8_t mac_ended = constant_time_ge_8(i, mac_end); rotated_mac[j] |= in[i] & mac_started & ~mac_ended; - // Save the offset that |mac_start| is mapped to. + // Save the offset that `mac_start` is mapped to. rotate_offset |= j & is_mac_start; } // Now rotate the MAC. We rotate in log(md_size) steps, one for each bit // position. for (size_t offset = 1; offset < md_size; offset <<= 1, rotate_offset >>= 1) { - // Rotate by |offset| iff the corresponding bit is set in - // |rotate_offset|, placing the result in |rotated_mac_tmp|. + // Rotate by `offset` iff the corresponding bit is set in + // `rotate_offset`, placing the result in `rotated_mac_tmp`. const uint8_t skip_rotate = (rotate_offset & 1) - 1; for (size_t i = 0, j = offset; i < md_size; i++, j++) { if (j >= md_size) { @@ -132,7 +132,7 @@ void bssl::EVP_tls_cbc_copy_mac(uint8_t *out, size_t md_size, const uint8_t *in, constant_time_select_8(skip_rotate, rotated_mac[i], rotated_mac[j]); } - // Swap pointers so |rotated_mac| contains the (possibly) rotated value. + // Swap pointers so `rotated_mac` contains the (possibly) rotated value. // Note the number of iterations and thus the identity of these pointers is // public information. uint8_t *tmp = rotated_mac; @@ -147,8 +147,8 @@ int bssl::EVP_sha1_final_with_secret_suffix(SHA_CTX *ctx, uint8_t out[SHA_DIGEST_LENGTH], const uint8_t *in, size_t len, size_t max_len) { - // Bound the input length so |total_bits| below fits in four bytes. This is - // redundant with TLS record size limits. This also ensures |input_idx| below + // Bound the input length so `total_bits` below fits in four bytes. This is + // redundant with TLS record size limits. This also ensures `input_idx` below // does not overflow. size_t max_len_bits = max_len << 3; if (ctx->Nh != 0 || 
@@ -158,7 +158,7 @@ int bssl::EVP_sha1_final_with_secret_suffix(SHA_CTX *ctx, return 0; } - // We need to hash the following into |ctx|: + // We need to hash the following into `ctx`: // // - ctx->data[:ctx->num] // - in[:len] @@ -169,7 +169,7 @@ int bssl::EVP_sha1_final_with_secret_suffix(SHA_CTX *ctx, size_t last_block = num_blocks - 1; size_t max_blocks = (ctx->num + max_len + 1 + 8 + SHA_CBLOCK - 1) >> 6; - // The bounds above imply |total_bits| fits in four bytes. + // The bounds above imply `total_bits` fits in four bytes. size_t total_bits = ctx->Nl + (len << 3); uint8_t length_bytes[4]; CRYPTO_store_u32_be(length_bytes, total_bits); @@ -177,13 +177,13 @@ int bssl::EVP_sha1_final_with_secret_suffix(SHA_CTX *ctx, // We now construct and process each expected block in constant-time. uint8_t block[SHA_CBLOCK] = {0}; uint32_t result[5] = {0}; - // input_idx is the index into |in| corresponding to the current block. - // However, we allow this index to overflow beyond |max_len|, to simplify the + // input_idx is the index into `in` corresponding to the current block. + // However, we allow this index to overflow beyond `max_len`, to simplify the // 0x80 byte. size_t input_idx = 0; for (size_t i = 0; i < max_blocks; i++) { - // Fill |block| with data from the partial block in |ctx| and |in|. We copy - // as if we were hashing up to |max_len| and then zero the excess later. + // Fill `block` with data from the partial block in `ctx` and `in`. We copy + // as if we were hashing up to `max_len` and then zero the excess later. size_t block_start = 0; if (i == 0) { OPENSSL_memcpy(block, ctx->data, ctx->num); 
@@ -197,12 +197,12 @@ int bssl::EVP_sha1_final_with_secret_suffix(SHA_CTX *ctx, OPENSSL_memcpy(block + block_start, in + input_idx, to_copy); } - // Zero any bytes beyond |len| and add the 0x80 byte. + // Zero any bytes beyond `len` and add the 0x80 byte. for (size_t j = block_start; j < SHA_CBLOCK; j++) { // input[idx] corresponds to block[j]. size_t idx = input_idx + j - block_start; - // The barriers on |len| are not strictly necessary. However, without - // them, GCC compiles this code by incorporating |len| into the loop + // The barriers on `len` are not strictly necessary. However, without + // them, GCC compiles this code by incorporating `len` into the loop // counter and subtracting it out later. This is still constant-time, but // it frustrates attempts to validate this. uint8_t is_in_bounds = constant_time_lt_8(idx, value_barrier_w(len)); @@ -239,8 +239,8 @@ int bssl::EVP_sha256_final_with_secret_suffix(SHA256_CTX *ctx, uint8_t out[SHA256_DIGEST_LENGTH], const uint8_t *in, size_t len, size_t max_len) { - // Bound the input length so |total_bits| below fits in four bytes. This is - // redundant with TLS record size limits. This also ensures |input_idx| below + // Bound the input length so `total_bits` below fits in four bytes. This is + // redundant with TLS record size limits. This also ensures `input_idx` below // does not overflow. size_t max_len_bits = max_len << 3; if (ctx->Nh != 0 || @@ -250,7 +250,7 @@ int bssl::EVP_sha256_final_with_secret_suffix(SHA256_CTX *ctx, return 0; } - // We need to hash the following into |ctx|: + // We need to hash the following into `ctx`: // // - ctx->data[:ctx->num] // - in[:len] 
@@ -261,7 +261,7 @@ int bssl::EVP_sha256_final_with_secret_suffix(SHA256_CTX *ctx, size_t last_block = num_blocks - 1; size_t max_blocks = (ctx->num + max_len + 1 + 8 + SHA256_CBLOCK - 1) >> 6; - // The bounds above imply |total_bits| fits in four bytes. + // The bounds above imply `total_bits` fits in four bytes. size_t total_bits = ctx->Nl + (len << 3); uint8_t length_bytes[4]; CRYPTO_store_u32_be(length_bytes, total_bits); @@ -269,13 +269,13 @@ int bssl::EVP_sha256_final_with_secret_suffix(SHA256_CTX *ctx, // We now construct and process each expected block in constant-time. uint8_t block[SHA256_CBLOCK] = {0}; uint32_t result[8] = {0}; - // input_idx is the index into |in| corresponding to the current block. - // However, we allow this index to overflow beyond |max_len|, to simplify the + // input_idx is the index into `in` corresponding to the current block. + // However, we allow this index to overflow beyond `max_len`, to simplify the // 0x80 byte. size_t input_idx = 0; for (size_t i = 0; i < max_blocks; i++) { - // Fill |block| with data from the partial block in |ctx| and |in|. We copy - // as if we were hashing up to |max_len| and then zero the excess later. + // Fill `block` with data from the partial block in `ctx` and `in`. We copy + // as if we were hashing up to `max_len` and then zero the excess later. size_t block_start = 0; if (i == 0) { OPENSSL_memcpy(block, ctx->data, ctx->num); 
@@ -289,12 +289,12 @@ int bssl::EVP_sha256_final_with_secret_suffix(SHA256_CTX *ctx, OPENSSL_memcpy(block + block_start, in + input_idx, to_copy); } - // Zero any bytes beyond |len| and add the 0x80 byte. + // Zero any bytes beyond `len` and add the 0x80 byte. for (size_t j = block_start; j < SHA256_CBLOCK; j++) { // input[idx] corresponds to block[j]. size_t idx = input_idx + j - block_start; - // The barriers on |len| are not strictly necessary. However, without - // them, GCC compiles this code by incorporating |len| into the loop + // The barriers on `len` are not strictly necessary. However, without + // them, GCC compiles this code by incorporating `len` into the loop // counter and subtracting it out later. This is still constant-time, but // it frustrates attempts to validate this. uint8_t is_in_bounds = constant_time_lt_8(idx, value_barrier_w(len)); @@ -372,7 +372,7 @@ static int tls_cbc_digest_record_sha1( SHA1_Update(&ctx, iovec.out, iovec.len); } - // Hash the remaining data without leaking |data_in_trailer_size|. + // Hash the remaining data without leaking `data_in_trailer_size`. uint8_t mac_out[SHA_DIGEST_LENGTH]; if (!EVP_sha1_final_with_secret_suffix(&ctx, mac_out, trailer.data(), data_in_trailer_size, @@ -428,7 +428,7 @@ static int tls_cbc_digest_record_sha256( SHA256_Update(&ctx, iovec.out, iovec.len); } - // Hash the remaining data without leaking |data_in_trailer_size|. + // Hash the remaining data without leaking `data_in_trailer_size`. uint8_t mac_out[SHA256_DIGEST_LENGTH]; if (!EVP_sha256_final_with_secret_suffix(&ctx, mac_out, trailer.data(), data_in_trailer_size, diff --git a/third_party/boringssl/src/crypto/cms/cms.cc b/third_party/boringssl/src/crypto/cms/cms.cc index e7b18036..e8ba9629 100644 --- a/third_party/boringssl/src/crypto/cms/cms.cc +++ b/third_party/boringssl/src/crypto/cms/cms.cc 
@@ -75,8 +75,8 @@ CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, return nullptr; } - // We don't actually use streaming mode, but Linux passes |CMS_STREAM| to - // |CMS_sign| and OpenSSL interprets it as an alias for |CMS_PARTIAL| in this + // We don't actually use streaming mode, but Linux passes `CMS_STREAM` to + // `CMS_sign` and OpenSSL interprets it as an alias for `CMS_PARTIAL` in this // context. if ((flags & (CMS_PARTIAL | CMS_STREAM)) == 0 && !CMS_final(cms.get(), data, nullptr, flags)) { @@ -137,7 +137,7 @@ int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, uint32_t flags) { // We only support the straightforward passthrough mode, without S/MIME // translations. (flags & CMS_BINARY) == 0 || - // We do not support |dcont|. It is unclear what it does. + // We do not support `dcont`. It is unclear what it does. dcont != nullptr) { OPENSSL_PUT_ERROR(CMS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; diff --git a/third_party/boringssl/src/crypto/conf/conf.cc b/third_party/boringssl/src/crypto/conf/conf.cc index 0c7ea9db..e4d01c1a 100644 --- a/third_party/boringssl/src/crypto/conf/conf.cc +++ b/third_party/boringssl/src/crypto/conf/conf.cc @@ -154,7 +154,7 @@ static int is_quote(char c) { return c == '"' || c == '\'' || c == '`'; } static int is_esc(char c) { return c == '\\'; } static int is_conf_ws(char c) { - // This differs from |OPENSSL_isspace| in that CONF does not accept '\v' and + // This differs from `OPENSSL_isspace` in that CONF does not accept '\v' and // '\f' as whitespace. return c == ' ' || c == '\t' || c == '\r' || c == '\n'; } @@ -285,7 +285,7 @@ static int add_string(const CONF *conf, CONF_SECTION *section, CONF_VALUE *old_value; if (!lh_CONF_VALUE_insert(conf->values, &old_value, value)) { - // Remove |value| from |section->values|, so we do not leave a dangling + // Remove `value` from `section->values`, so we do not leave a dangling // pointer. sk_CONF_VALUE_pop(section->values); return 0; 
diff --git a/third_party/boringssl/src/crypto/conf/internal.h b/third_party/boringssl/src/crypto/conf/internal.h index 7fe35aa2..f924390f 100644 --- a/third_party/boringssl/src/crypto/conf/internal.h +++ b/third_party/boringssl/src/crypto/conf/internal.h @@ -36,14 +36,14 @@ struct conf_st { BSSL_NAMESPACE_BEGIN -// CONF_VALUE_new returns a freshly allocated and zeroed |CONF_VALUE|. +// CONF_VALUE_new returns a freshly allocated and zeroed `CONF_VALUE`. CONF_VALUE *CONF_VALUE_new(); -// CONF_parse_list takes a list separated by 'sep' and calls |list_cb| giving +// CONF_parse_list takes a list separated by 'sep' and calls `list_cb` giving // the start and length of each member, optionally stripping leading and // trailing whitespace. This can be used to parse comma separated lists for -// example. If |list_cb| returns <= 0, then the iteration is halted and that -// value is returned immediately. Otherwise it returns one. Note that |list_cb| +// example. If `list_cb` returns <= 0, then the iteration is halted and that +// value is returned immediately. Otherwise it returns one. Note that `list_cb` // may be called on an empty member. OPENSSL_EXPORT int CONF_parse_list( const char *list, char sep, int remove_whitespace, diff --git a/third_party/boringssl/src/crypto/cpu_arm_freebsd.cc b/third_party/boringssl/src/crypto/cpu_arm_freebsd.cc index 7a8d05b6..f67b9499 100644 --- a/third_party/boringssl/src/crypto/cpu_arm_freebsd.cc +++ b/third_party/boringssl/src/crypto/cpu_arm_freebsd.cc @@ -27,7 +27,7 @@ using namespace bssl; void bssl::OPENSSL_cpuid_setup() { unsigned long hwcap = 0, hwcap2 = 0; - // |elf_aux_info| may fail, in which case |hwcap| and |hwcap2| will be + // `elf_aux_info` may fail, in which case `hwcap` and `hwcap2` will be // left at zero. The rest of this function will then gracefully report // the features are absent. elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); 
diff --git a/third_party/boringssl/src/crypto/cpu_arm_linux.cc b/third_party/boringssl/src/crypto/cpu_arm_linux.cc index d8ea98a6..29325f76 100644 --- a/third_party/boringssl/src/crypto/cpu_arm_linux.cc +++ b/third_party/boringssl/src/crypto/cpu_arm_linux.cc @@ -46,8 +46,8 @@ static ssize_t read_eintr(int fd, void *out, size_t len) { return ret; } -// read_file opens |path| and reads until end-of-file. On success, it returns -// one and sets |*out_ptr| and |*out_len| to a newly-allocated buffer with the +// read_file opens `path` and reads until end-of-file. On success, it returns +// one and sets `*out_ptr` and `*out_len` to a newly-allocated buffer with the // contents. Otherwise, it returns zero. static int read_file(char **out_ptr, size_t *out_len, const char *path) { int fd = open_eintr(path, O_RDONLY); diff --git a/third_party/boringssl/src/crypto/cpu_arm_linux.h b/third_party/boringssl/src/crypto/cpu_arm_linux.h index b01ee541..bea577ab 100644 --- a/third_party/boringssl/src/crypto/cpu_arm_linux.h +++ b/third_party/boringssl/src/crypto/cpu_arm_linux.h @@ -41,8 +41,8 @@ namespace armcap { #define CRYPTO_HWCAP2_SHA1 (1 << 2) #define CRYPTO_HWCAP2_SHA2 (1 << 3) -// SplitStringView finds the first occurrence of |sep| in |in| and, if found, -// sets |*out_left| and |*out_right| to |in| split before and after |sep|, and +// SplitStringView finds the first occurrence of `sep` in `in` and, if found, +// sets `*out_left` and `*out_right` to `in` split before and after `sep`, and // returns true. If not found, it returns false. inline bool SplitStringView(std::string_view *out_left, std::string_view *out_right, std::string_view in, 
@@ -56,23 +56,23 @@ inline bool SplitStringView(std::string_view *out_left, return true; } -// GetDelimited reads a |sep|-delimited entry from |s|, writing it to |out| and -// updating |s| to point beyond it. It returns true on success and false if |s| -// is empty. If |s| has no copies of |sep| and is non-empty, it reads the entire -// string to |out|. +// GetDelimited reads a `sep`-delimited entry from `s`, writing it to `out` and +// updating `s` to point beyond it. It returns true on success and false if `s` +// is empty. If `s` has no copies of `sep` and is non-empty, it reads the entire +// string to `out`. inline bool GetDelimited(std::string_view *s, std::string_view *out, char sep) { if (s->empty()) { return false; } if (!SplitStringView(out, s, *s, sep)) { - // |s| had no instances of |sep|. Return the entire string. + // `s` had no instances of `sep`. Return the entire string. *out = *s; *s = std::string_view(); } return true; } -// TrimStringView removes leading and trailing whitespace from |s|. +// TrimStringView removes leading and trailing whitespace from `s`. inline std::string_view TrimStringView(std::string_view s) { size_t pos = s.find_first_not_of(" \t"); if (pos == std::string_view::npos) { @@ -84,11 +84,11 @@ inline std::string_view TrimStringView(std::string_view s) { return s.substr(0, pos + 1); } -// ExtractCpuinfoField extracts a /proc/cpuinfo field named |field| from |in|. +// ExtractCpuinfoField extracts a /proc/cpuinfo field named `field` from `in`. // If found, it returns the value. Otherwise, it returns the empty string. inline std::string_view ExtractCpuinfoField(std::string_view in, std::string_view field) { - // Process |in| one line at a time. + // Process `in` one line at a time. std::string_view line; while (GetDelimited(&in, &line, '\n')) { std::string_view key, value; 
@@ -103,8 +103,8 @@ inline std::string_view ExtractCpuinfoField(std::string_view in, return {}; } -// HasListItem treats |list| as a space-separated list of items and returns -// whether |item| is contained in |list|. +// HasListItem treats `list` as a space-separated list of items and returns +// whether `item` is contained in `list`. inline bool HasListItem(std::string_view list, std::string_view item) { std::string_view feature; while (GetDelimited(&list, &feature, ' ')) { @@ -115,8 +115,8 @@ inline bool HasListItem(std::string_view list, std::string_view item) { return false; } -// GetHWCAP2FromCpuinfo returns an equivalent ARM |AT_HWCAP2| value from -// |cpuinfo|. +// GetHWCAP2FromCpuinfo returns an equivalent ARM `AT_HWCAP2` value from +// `cpuinfo`. inline unsigned long GetHWCAP2FromCpuinfo(std::string_view cpuinfo) { std::string_view features = ExtractCpuinfoField(cpuinfo, "Features"); unsigned long ret = 0; diff --git a/third_party/boringssl/src/crypto/cpu_intel.cc b/third_party/boringssl/src/crypto/cpu_intel.cc index 6a406a79..3d1180ab 100644 --- a/third_party/boringssl/src/crypto/cpu_intel.cc +++ b/third_party/boringssl/src/crypto/cpu_intel.cc @@ -33,9 +33,9 @@ using namespace bssl; -// OPENSSL_cpuid runs the cpuid instruction. |leaf| is passed in as EAX and ECX -// is set to zero. It writes EAX, EBX, ECX, and EDX to |*out_eax| through -// |*out_edx|. +// OPENSSL_cpuid runs the cpuid instruction. `leaf` is passed in as EAX and ECX +// is set to zero. It writes EAX, EBX, ECX, and EDX to `*out_eax` through +// `*out_edx`. static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx, uint32_t *out_ecx, uint32_t *out_edx, uint32_t leaf) { #if defined(_MSC_VER) 
@@ -65,7 +65,7 @@ static void OPENSSL_cpuid(uint32_t *out_eax, uint32_t *out_ebx, } // OPENSSL_xgetbv returns the value of an Intel Extended Control Register (XCR). -// Currently only XCR0 is defined by Intel so |xcr| should always be zero. +// Currently only XCR0 is defined by Intel so `xcr` should always be zero. static uint64_t OPENSSL_xgetbv(uint32_t xcr) { #if defined(_MSC_VER) return (uint64_t)_xgetbv(xcr); @@ -92,9 +92,9 @@ static bool os_supports_avx512(uint64_t xcr0) { #endif } -// handle_cpu_env applies the value from |in| to the CPUID values in |out[0]| -// and |out[1]|. See the comment in |OPENSSL_cpuid_setup| about this. The -// |is_last| argument specifies whether the value is at the end of the string. +// handle_cpu_env applies the value from `in` to the CPUID values in `out[0]` +// and `out[1]`. See the comment in `OPENSSL_cpuid_setup` about this. The +// `is_last` argument specifies whether the value is at the end of the string. // Otherwise it may be followed by a colon. static void handle_cpu_env(uint32_t out[2], const char *in, bool is_last) { const int invert_op = in[0] == '~'; diff --git a/third_party/boringssl/src/crypto/curve25519/curve25519.cc b/third_party/boringssl/src/crypto/curve25519/curve25519.cc index 66d5d84b..3133633d 100644 --- a/third_party/boringssl/src/crypto/curve25519/curve25519.cc +++ b/third_party/boringssl/src/crypto/curve25519/curve25519.cc @@ -70,7 +70,7 @@ static uint64_t load_4(const uint8_t *in) { typedef uint64_t fe_limb_t; #define FE_NUM_LIMBS 5 -// assert_fe asserts that |f| satisfies bounds: +// assert_fe asserts that `f` satisfies bounds: // // [[0x0 ~> 0x8cccccccccccc], // [0x0 ~> 0x8cccccccccccc], @@ -87,7 +87,7 @@ typedef uint64_t fe_limb_t; } \ } while (0) -// assert_fe_loose asserts that |f| satisfies bounds: +// assert_fe_loose asserts that `f` satisfies bounds: // // [[0x0 ~> 0x1a666666666664], // [0x0 ~> 0x1a666666666664], 
@@ -109,7 +109,7 @@ typedef uint64_t fe_limb_t; typedef uint32_t fe_limb_t; #define FE_NUM_LIMBS 10 -// assert_fe asserts that |f| satisfies bounds: +// assert_fe asserts that `f` satisfies bounds: // // [[0x0 ~> 0x4666666], [0x0 ~> 0x2333333], // [0x0 ~> 0x4666666], [0x0 ~> 0x2333333], @@ -127,7 +127,7 @@ typedef uint32_t fe_limb_t; } \ } while (0) -// assert_fe_loose asserts that |f| satisfies bounds: +// assert_fe_loose asserts that `f` satisfies bounds: // // [[0x0 ~> 0xd333332], [0x0 ~> 0x6999999], // [0x0 ~> 0xd333332], [0x0 ~> 0x6999999], @@ -151,7 +151,7 @@ static_assert(sizeof(fe) == sizeof(fe_limb_t) * FE_NUM_LIMBS, "fe_limb_t[FE_NUM_LIMBS] is inconsistent with fe"); static void fe_frombytes_strict(fe *h, const uint8_t s[32]) { - // |fiat_25519_from_bytes| requires the top-most bit be clear. + // `fiat_25519_from_bytes` requires the top-most bit be clear. declassify_assert((s[31] & 0x80) == 0); fiat_25519_from_bytes(h->v, s); assert_fe(h->v); @@ -286,7 +286,7 @@ static void fe_neg(fe_loose *h, const fe *f) { // // Preconditions: b in {0,1}. static void fe_cmov(fe_loose *f, const fe_loose *g, fe_limb_t b) { - // Silence an unused function warning. |fiat_25519_selectznz| isn't quite the + // Silence an unused function warning. `fiat_25519_selectznz` isn't quite the // calling convention the rest of this code wants, so implement it by hand. // // TODO(davidben): Switch to fiat's calling convention, or ask fiat to emit a 
@@ -693,14 +693,14 @@ static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) { void bssl::x25519_ge_scalarmult_small_precomp( ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) { - // precomp_table is first expanded into matching |ge_precomp| + // precomp_table is first expanded into matching `ge_precomp` // elements. ge_precomp multiples[15]; unsigned i; for (i = 0; i < 15; i++) { // The precomputed table is assumed to already clear the top bit, so - // |fe_frombytes_strict| may be used directly. + // `fe_frombytes_strict` may be used directly. const uint8_t *bytes = &precomp_table[i * (2 * 32)]; fe x, y; fe_frombytes_strict(&x, bytes); @@ -713,7 +713,7 @@ void bssl::x25519_ge_scalarmult_small_precomp( fe_mul_llt(&out->xy2d, &out->xy2d, &d2); } - // See the comment above |k25519SmallPrecomp| about the structure of the + // See the comment above `k25519SmallPrecomp` about the structure of the // precomputed elements. This loop does 64 additions and 64 doublings to // calculate the result. ge_p3_0(h); @@ -1024,7 +1024,7 @@ static void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a, } } -// int64_lshift21 returns |a << 21| but is defined when shifting bits into the +// int64_lshift21 returns `a << 21` but is defined when shifting bits into the // sign bit. This works around a language flaw in C. static int64_t int64_lshift21(int64_t a) { return (int64_t)((uint64_t)a << 21); diff --git a/third_party/boringssl/src/crypto/curve25519/curve25519_tables.h b/third_party/boringssl/src/crypto/curve25519/curve25519_tables.h index 942336d0..0869238b 100644 --- a/third_party/boringssl/src/crypto/curve25519/curve25519_tables.h +++ b/third_party/boringssl/src/crypto/curve25519/curve25519_tables.h 
@@ -52,7 +52,7 @@ static const bssl::fe d2 = {{ // one. The standard table is 30,720 bytes while this one is just 960. // // This table contains 15 pairs of group elements, (x, y), where each field -// element is serialised with |fe_tobytes|. If |i| is the index of the group +// element is serialised with `fe_tobytes`. If `i` is the index of the group // element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀ // is the most significant bit). The value of the group element is then: // (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. diff --git a/third_party/boringssl/src/crypto/curve25519/internal.h b/third_party/boringssl/src/crypto/curve25519/internal.h index c3bc6fe0..ecaecb93 100644 --- a/third_party/boringssl/src/crypto/curve25519/internal.h +++ b/third_party/boringssl/src/crypto/curve25519/internal.h @@ -30,7 +30,7 @@ extern "C" void x25519_NEON(uint8_t out[32], const uint8_t scalar[32], #endif #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \ - defined(__GNUC__) && defined(__x86_64__) && !defined(OPENSSL_WINDOWS) + (defined(__APPLE__) || defined(__ELF__)) && defined(OPENSSL_X86_64) #define BORINGSSL_FE25519_ADX // fiat_curve25519_adx_mul is defined in diff --git a/third_party/boringssl/src/crypto/curve25519/spake25519.cc b/third_party/boringssl/src/crypto/curve25519/spake25519.cc index 0f6cf04e..ee5cd7cf 100644 --- a/third_party/boringssl/src/crypto/curve25519/spake25519.cc +++ b/third_party/boringssl/src/crypto/curve25519/spake25519.cc @@ -310,7 +310,7 @@ void SPAKE2_CTX_free(SPAKE2_CTX *ctx) { Delete(ctx); } -// left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian +// left_shift_3 sets `n` to `n`*8, where `n` is represented in little-endian // order. static void left_shift_3(uint8_t n[32]) { uint8_t carry = 0; 
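Review bot: The rewritten guard for `BORINGSSL_FE25519_ADX` in crypto/curve25519/internal.h drops the `__GNUC__` requirement and has no comment explaining why it now tests the object format (`__APPLE__` or `__ELF__`) instead of the compiler. If the declarations under this macro, or the code that uses them, rely on GNU-style syntax, a non-GNU compiler targeting ELF would now take this path. That code is outside the hunk, so this needs confirming. If the intent is that the assembly only exists for those object formats, I would add a line above the `#if` such as `// The ADX assembly is only built for Mach-O and ELF x86-64 targets.` so a later edit does not reintroduce a compiler check.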
@@ -334,18 +334,18 @@ static const scalar kOrder = { {TOBN(0x5812631a, 0x5cf5d3ed), TOBN(0x14def9de, 0xa2f79cd6), TOBN(0x00000000, 0x00000000), TOBN(0x10000000, 0x00000000)}}; -// scalar_cmov copies |src| to |dest| if |mask| is all ones. +// scalar_cmov copies `src` to `dest` if `mask` is all ones. static void scalar_cmov(scalar *dest, const scalar *src, crypto_word_t mask) { bn_select_words(dest->words, mask, src->words, dest->words, std::size(dest->words)); } -// scalar_double sets |s| to |2×s|. +// scalar_double sets `s` to `2×s`. static void scalar_double(scalar *s) { bn_add_words(s->words, s->words, s->words, std::size(s->words)); } -// scalar_add sets |dest| to |dest| plus |src|. +// scalar_add sets `dest` to `dest` plus `src`. static void scalar_add(scalar *dest, const scalar *src) { bn_add_words(dest->words, dest->words, src->words, std::size(dest->words)); } @@ -378,8 +378,8 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len, OPENSSL_memcpy(ctx->password_hash, password_tmp, sizeof(ctx->password_hash)); x25519_sc_reduce(password_tmp); - // Due to a copy-paste error, the call to |left_shift_3| was omitted after - // the |x25519_sc_reduce|, just above. This meant that |ctx->password_scalar| + // Due to a copy-paste error, the call to `left_shift_3` was omitted after + // the `x25519_sc_reduce`, just above. This meant that `ctx->password_scalar` // was not a multiple of eight to clear the cofactor and thus three bits of // the password hash would leak. In order to fix this in a unilateral way, // points of small order are added to the mask point such that it is in the 
@@ -395,8 +395,8 @@ int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, size_t *out_len, scalar password_scalar; OPENSSL_memcpy(&password_scalar, password_tmp, sizeof(password_scalar)); - // |password_scalar| is the result of |x25519_sc_reduce| and thus is, at - // most, $l-1$ (where $l$ is |kOrder|, the order of the prime-order subgroup + // `password_scalar` is the result of `x25519_sc_reduce` and thus is, at + // most, $l-1$ (where $l$ is `kOrder`, the order of the prime-order subgroup // of Ed25519). In the following, we may add $l + 2×l + 4×l$ for a max value // of $8×l-1$. That is < 2**256, as required. diff --git a/third_party/boringssl/src/crypto/des/internal.h b/third_party/boringssl/src/crypto/des/internal.h index 6bb46ff5..221f3091 100644 --- a/third_party/boringssl/src/crypto/des/internal.h +++ b/third_party/boringssl/src/crypto/des/internal.h @@ -24,7 +24,7 @@ BSSL_NAMESPACE_BEGIN // TODO(davidben): Ideally these macros would be replaced with -// |CRYPTO_load_u32_le| and |CRYPTO_store_u32_le|. +// `CRYPTO_load_u32_le` and `CRYPTO_store_u32_le`. #define c2l(c, l) \ do { \ @@ -129,7 +129,7 @@ void DES_ede3_cbc_encrypt_ex(const uint8_t *in, uint8_t *out, size_t len, // Private functions. // -// These functions are only exported for use in |decrepit|. +// These functions are only exported for use in `decrepit`. OPENSSL_EXPORT void DES_decrypt3(uint32_t data[2], const DES_key_schedule *ks1, const DES_key_schedule *ks2, diff --git a/third_party/boringssl/src/crypto/dh/params.cc b/third_party/boringssl/src/crypto/dh/params.cc index 406a069d..29a08742 100644 --- a/third_party/boringssl/src/crypto/dh/params.cc +++ b/third_party/boringssl/src/crypto/dh/params.cc @@ -307,7 +307,7 @@ int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, return 0; } - // Make sure |dh| has the necessary elements + // Make sure `dh` has the necessary elements auto *impl = FromOpaque(dh); if (impl->p == nullptr) { impl->p.reset(BN_new()); 
diff --git a/third_party/boringssl/src/crypto/digest/digest_extra.cc b/third_party/boringssl/src/crypto/digest/digest_extra.cc index d38e0c11..070ab36e 100644 --- a/third_party/boringssl/src/crypto/digest/digest_extra.cc +++ b/third_party/boringssl/src/crypto/digest/digest_extra.cc @@ -48,10 +48,10 @@ static const struct nid_to_digest nid_to_digest_mapping[] = { {NID_sha512, EVP_sha512, SN_sha512, LN_sha512}, {NID_sha512_256, EVP_sha512_256, SN_sha512_256, LN_sha512_256}, {NID_md5_sha1, EVP_md5_sha1, SN_md5_sha1, LN_md5_sha1}, - // As a remnant of signing |EVP_MD|s, OpenSSL returned the corresponding + // As a remnant of signing `EVP_MD`s, OpenSSL returned the corresponding // hash function when given a signature OID. To avoid unintended lax parsing // of hash OIDs, this is no longer supported for lookup by OID or NID. - // Node.js, however, exposes |EVP_get_digestbyname|'s full behavior to + // Node.js, however, exposes `EVP_get_digestbyname`'s full behavior to // consumers so we retain it there. {NID_undef, EVP_sha1, SN_dsaWithSHA, LN_dsaWithSHA}, {NID_undef, EVP_sha1, SN_dsaWithSHA1, LN_dsaWithSHA1}, @@ -70,7 +70,7 @@ static const struct nid_to_digest nid_to_digest_mapping[] = { const EVP_MD *EVP_get_digestbynid(int nid) { if (nid == NID_undef) { - // Skip the |NID_undef| entries in |nid_to_digest_mapping|. + // Skip the `NID_undef` entries in `nid_to_digest_mapping`. return nullptr; } @@ -117,7 +117,7 @@ static int cbs_to_digest_nid(const CBS *cbs) { const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj) { int nid = obj->nid; if (nid == NID_undef) { - // Handle objects with no saved NID. Note we don't use |OBJ_obj2nid| here to + // Handle objects with no saved NID. Note we don't use `OBJ_obj2nid` here to // avoid pulling in the OID table. CBS cbs; CBS_init(&cbs, OBJ_get0_data(obj), OBJ_length(obj)); diff --git a/third_party/boringssl/src/crypto/dsa/dsa.cc b/third_party/boringssl/src/crypto/dsa/dsa.cc index e346758b..5592fa65 100644 
--- a/third_party/boringssl/src/crypto/dsa/dsa.cc +++ b/third_party/boringssl/src/crypto/dsa/dsa.cc @@ -476,15 +476,15 @@ int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) { return 1; } -// mod_mul_consttime sets |r| to |a| * |b| modulo |mont->N|, treating |a| and -// |b| as secret. This function internally uses Montgomery reduction, but +// mod_mul_consttime sets `r` to `a` * `b` modulo `mont->N`, treating `a` and +// `b` as secret. This function internally uses Montgomery reduction, but // neither inputs nor outputs are in Montgomery form. static int mod_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BN_MONT_CTX *mont, BN_CTX *ctx) { BN_CTXScope scope(ctx); BIGNUM *tmp = BN_CTX_get(ctx); - // |BN_mod_mul_montgomery| removes a factor of R, so we cancel it with a - // single |BN_to_montgomery| which adds one factor of R. + // `BN_mod_mul_montgomery` removes a factor of R, so we cancel it with a + // single `BN_to_montgomery` which adds one factor of R. return tmp != nullptr && // BN_to_montgomery(tmp, a, mont, ctx) && BN_mod_mul_montgomery(r, tmp, b, mont, ctx); @@ -524,7 +524,7 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) { // not impact valid parameters because the probability of requiring even one // retry is negligible, let alone 32. Unfortunately, DSA was mis-specified, // so invalid parameters are reachable from most callers handling untrusted - // private keys. (The |dsa_check_key| call above is not sufficient. Checking + // private keys. (The `dsa_check_key` call above is not sufficient. Checking // whether arbitrary parameters form a valid DSA group is expensive.) static const int kMaxIterations = 32; int iters = 0; 
@@ -534,9 +534,9 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) { } if (digest_len > BN_num_bytes(impl->q.get())) { - // If the digest length is greater than the size of |impl->q| use the + // If the digest length is greater than the size of `impl->q` use the // BN_num_bits(impl->q) leftmost bits of the digest, see FIPS 186-3, 4.2. - // Note the above check that |impl->q| is a multiple of 8 bits. + // Note the above check that `impl->q` is a multiple of 8 bits. digest_len = BN_num_bytes(impl->q.get()); } @@ -544,8 +544,8 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) { goto err; } - // |m| is bounded by 2^(num_bits(q)), which is slightly looser than q. This - // violates |bn_mod_add_consttime| and |mod_mul_consttime|'s preconditions. + // `m` is bounded by 2^(num_bits(q)), which is slightly looser than q. This + // violates `bn_mod_add_consttime` and `mod_mul_consttime`'s preconditions. // (The underlying algorithms could accept looser bounds, but we reduce for // simplicity.) size_t q_width = bn_minimal_width(impl->q.get()); @@ -555,8 +555,8 @@ DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa) { bn_reduce_once_in_place(m.d, 0 /* no carry word */, impl->q->d, xr.d /* scratch space */, q_width); - // Compute s = inv(k) (m + xr) mod q. Note |impl->method_mont_q| is - // initialized by |dsa_sign_setup|. + // Compute s = inv(k) (m + xr) mod q. Note `impl->method_mont_q` is + // initialized by `dsa_sign_setup`. if (!mod_mul_consttime(&xr, impl->priv_key.get(), r, impl->method_mont_q.get(), ctx) || !bn_mod_add_consttime(s, &xr, &m, impl->q.get(), ctx) || @@ -741,6 +741,7 @@ int DSA_verify(int type, const uint8_t *digest, size_t digest_len, int DSA_check_signature(int *out_valid, const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, const DSA *dsa) { + *out_valid = 0; DSA_SIG *s = nullptr; int ret = 0; uint8_t *der = nullptr; 
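Review bot: The new `*out_valid = 0;` at the top of `DSA_check_signature` has no comment, yet it is the store that makes the function fail closed when it returns early on an error. A one-line comment such as `// Default to invalid so no error path leaves the caller's result unset.` would stop a later cleanup from removing it as a redundant store. The function's header documentation should also state that `*out_valid` is zero whenever the function returns zero; that declaration is not in this hunk. The body continues past the hunk, so it cannot be confirmed from here that `*out_valid` is set to one only after a successful comparison.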
@@ -772,7 +773,7 @@ int DSA_check_signature(int *out_valid, const uint8_t *digest, return ret; } -// der_len_len returns the number of bytes needed to represent a length of |len| +// der_len_len returns the number of bytes needed to represent a length of `len` // in DER. static size_t der_len_len(size_t len) { if (len < 0x80) { @@ -794,7 +795,7 @@ int DSA_size(const DSA *dsa) { } size_t order_len = BN_num_bytes(impl->q.get()); - // Compute the maximum length of an |order_len| byte integer. Defensively + // Compute the maximum length of an `order_len` byte integer. Defensively // assume that the leading 0x00 is included. size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len; if (integer_len < order_len) { @@ -833,13 +834,13 @@ static int dsa_sign_setup(const DSAImpl *dsa, BN_CTX *ctx, BIGNUM **out_kinv, OPENSSL_PUT_ERROR(DSA, ERR_R_BN_LIB); goto err; } - // Note |BN_mod| below is not constant-time and may leak information about - // |r|. |dsa->p| may be significantly larger than |dsa->q|, so this is not + // Note `BN_mod` below is not constant-time and may leak information about + // `r`. `dsa->p` may be significantly larger than `dsa->q`, so this is not // easily performed in constant-time with Montgomery reduction. // - // However, |r| at this point is g^k (mod p). It is almost the value of |r| + // However, `r` at this point is g^k (mod p). It is almost the value of `r` // revealed in the signature anyway (g^k (mod p) (mod q)), going from it to - // |k| would require computing a discrete log. + // `k` would require computing a discrete log. bn_declassify(r); if (!BN_mod(r, r, dsa->q.get(), ctx) || // Compute part of 's = inv(k) (m + xr) mod q' using Fermat's Little diff --git a/third_party/boringssl/src/crypto/dsa/dsa_asn1.cc b/third_party/boringssl/src/crypto/dsa/dsa_asn1.cc index a1338681..d2ac83cf 100644 --- a/third_party/boringssl/src/crypto/dsa/dsa_asn1.cc +++ b/third_party/boringssl/src/crypto/dsa/dsa_asn1.cc 
@@ -29,7 +29,7 @@ using namespace bssl; // This function is in dsa_asn1.c rather than dsa.c because it is reachable from -// |EVP_PKEY| parsers. This makes it easier for the static linker to drop most +// `EVP_PKEY` parsers. This makes it easier for the static linker to drop most // of the DSA implementation. int bssl::dsa_check_key(const DSAImpl *dsa) { if (!dsa->p || !dsa->q || !dsa->g) { @@ -38,17 +38,17 @@ int bssl::dsa_check_key(const DSAImpl *dsa) { } // Fully checking for invalid DSA groups is expensive, so security and - // correctness of the signature scheme depend on how |dsa| was computed. I.e. + // correctness of the signature scheme depend on how `dsa` was computed. I.e. // we leave "assurance of domain parameter validity" from FIPS 186-4 to the // caller. However, we check bounds on all values to avoid DoS vectors even // when domain parameters are invalid. In particular, signing will infinite - // loop if |g| is zero. + // loop if `g` is zero. if (BN_is_negative(dsa->p.get()) || BN_is_negative(dsa->q.get()) || BN_is_zero(dsa->p.get()) || BN_is_zero(dsa->q.get()) || !BN_is_odd(dsa->p.get()) || !BN_is_odd(dsa->q.get()) || - // |q| must be a prime divisor of |p - 1|, which implies |q < p|. + // `q` must be a prime divisor of `p - 1`, which implies `q < p`. BN_cmp(dsa->q.get(), dsa->p.get()) >= 0 || - // |g| is in the multiplicative group of |p|. + // `g` is in the multiplicative group of `p`. BN_is_negative(dsa->g.get()) || BN_is_zero(dsa->g.get()) || BN_cmp(dsa->g.get(), dsa->p.get()) >= 0) { OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS); @@ -62,7 +62,7 @@ int bssl::dsa_check_key(const DSAImpl *dsa) { return 0; } - // Bound |dsa->p| to avoid a DoS vector. Note this limit is much larger than + // Bound `dsa->p` to avoid a DoS vector. Note this limit is much larger than // the one in FIPS 186-4, which only allows L = 1024, 2048, and 3072. if (BN_num_bits(dsa->p.get()) > OPENSSL_DSA_MAX_MODULUS_BITS) { OPENSSL_PUT_ERROR(DSA, DSA_R_MODULUS_TOO_LARGE); 
@@ -70,7 +70,7 @@ int bssl::dsa_check_key(const DSAImpl *dsa) { } if (dsa->pub_key != nullptr) { - // The public key is also in the multiplicative group of |p|. + // The public key is also in the multiplicative group of `p`. if (BN_is_negative(dsa->pub_key.get()) || BN_is_zero(dsa->pub_key.get()) || BN_cmp(dsa->pub_key.get(), dsa->p.get()) >= 0) { OPENSSL_PUT_ERROR(DSA, DSA_R_INVALID_PARAMETERS); @@ -80,7 +80,7 @@ int bssl::dsa_check_key(const DSAImpl *dsa) { if (dsa->priv_key != nullptr) { // The private key is a non-zero element of the scalar field, determined by - // |q|. + // `q`. if (BN_is_negative(dsa->priv_key.get()) || constant_time_declassify_int(BN_is_zero(dsa->priv_key.get())) || constant_time_declassify_int( diff --git a/third_party/boringssl/src/crypto/dsa/internal.h b/third_party/boringssl/src/crypto/dsa/internal.h index 70f77e76..99387321 100644 --- a/third_party/boringssl/src/crypto/dsa/internal.h +++ b/third_party/boringssl/src/crypto/dsa/internal.h @@ -47,7 +47,7 @@ class DSAImpl : public dsa_st, public RefCounted { ~DSAImpl(); }; -// dsa_check_key performs cheap self-checks on |dsa|, and ensures it is within +// dsa_check_key performs cheap self-checks on `dsa`, and ensures it is within // DoS bounds. It returns one on success and zero on error. int dsa_check_key(const DSAImpl *dsa); diff --git a/third_party/boringssl/src/crypto/ec/ec_asn1.cc b/third_party/boringssl/src/crypto/ec/ec_asn1.cc index a34b4107..8cf7166a 100644 --- a/third_party/boringssl/src/crypto/ec/ec_asn1.cc +++ b/third_party/boringssl/src/crypto/ec/ec_asn1.cc 
@@ -83,7 +83,7 @@ EC_KEY *bssl::ec_key_parse_private_key( ec_key_parse_parameters(&child, allowed_groups); if (inner_group == nullptr) { // If the caller already supplied a group, any explicit group is required
- // to match. On mismatch, |ec_key_parse_parameters| will fail to recognize
+ // to match. On mismatch, `ec_key_parse_parameters` will fail to recognize
 // any other groups, so remap the error. if (group != nullptr && ERR_equals(ERR_peek_last_error(), ERR_LIB_EC, EC_R_UNKNOWN_GROUP)) {
@@ -92,7 +92,7 @@ EC_KEY *bssl::ec_key_parse_private_key( } return nullptr; }
- // Overriding |allowed_groups| above ensures the only returned group will be
+ // Overriding `allowed_groups` above ensures the only returned group will be
 // the matching one. assert(group == nullptr || inner_group == group); group = inner_group;
@@ -134,7 +134,7 @@ EC_KEY *bssl::ec_key_parse_private_key( // encoded as a BIT STRING with bits ordered as in the DER encoding. !CBS_get_u8(&public_key, &padding) || // padding != 0 ||
- // Explicitly check |public_key| is non-empty to save the conversion
+ // Explicitly check `public_key` is non-empty to save the conversion
 // form later. CBS_len(&public_key) == 0 || !EC_POINT_oct2point(group, ret->pub_key, CBS_data(&public_key),
@@ -260,7 +260,7 @@ static int parse_explicit_prime_curve(CBS *in, !CBS_get_asn1(¶ms, &curve, CBS_ASN1_SEQUENCE) || !CBS_get_asn1(&curve, &out->a, CBS_ASN1_OCTETSTRING) || !CBS_get_asn1(&curve, &out->b, CBS_ASN1_OCTETSTRING) ||
- // |curve| has an optional BIT STRING seed which we ignore.
+ // `curve` has an optional BIT STRING seed which we ignore.
 !CBS_get_optional_asn1(&curve, nullptr, nullptr, CBS_ASN1_BITSTRING) || CBS_len(&curve) != 0 || !CBS_get_asn1(¶ms, &base, CBS_ASN1_OCTETSTRING) ||
@@ -300,12 +300,12 @@ static int parse_explicit_prime_curve(CBS *in, return 1; }
-// integers_equal returns one if |bytes| is a big-endian encoding of |bn|, and
+// integers_equal returns one if `bytes` is a big-endian encoding of `bn`, and
 // zero otherwise. static int integers_equal(const CBS *bytes, const BIGNUM *bn) { // Although, in SEC 1, Field-Element-to-Octet-String has a fixed width,
- // OpenSSL mis-encodes the |a| and |b|, so we tolerate any number of leading
- // zeros. (This matters for P-521 whose |b| has a leading 0.)
+ // OpenSSL mis-encodes the `a` and `b`, so we tolerate any number of leading
+ // zeros. (This matters for P-521 whose `b` has a leading 0.)
 CBS copy = *bytes; while (CBS_len(©) > 0 && CBS_data(©)[0] == 0) { CBS_skip(©, 1);
@@ -343,7 +343,7 @@ const EC_GROUP *bssl::ec_key_parse_curve_name( } EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs) {
- // This function only ever returns a static |EC_GROUP|, but currently returns
+ // This function only ever returns a static `EC_GROUP`, but currently returns
 // a non-const pointer for historical reasons. return const_cast(ec_key_parse_curve_name(cbs, get_all_groups())); }
@@ -413,7 +413,7 @@ const EC_GROUP *bssl::ec_key_parse_parameters( } EC_GROUP *EC_KEY_parse_parameters(CBS *cbs) {
- // This function only ever returns a static |EC_GROUP|, but currently returns
+ // This function only ever returns a static `EC_GROUP`, but currently returns
 // a non-const pointer for historical reasons. return const_cast(ec_key_parse_parameters(cbs, get_all_groups())); }
@@ -430,8 +430,8 @@ int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point, } EC_KEY *d2i_ECPrivateKey(EC_KEY **out, const uint8_t **inp, long len) {
- // This function treats its |out| parameter differently from other |d2i|
- // functions. If supplied, take the group from |*out|.
+ // This function treats its `out` parameter differently from other `d2i`
+ // functions. If supplied, take the group from `*out`.
 const EC_GROUP *group = nullptr; if (out != nullptr && *out != nullptr) { group = EC_KEY_get0_group(*out);
@@ -518,7 +518,7 @@ int i2o_ECPublicKey(const EC_KEY *key, uint8_t **outp) { return 0; } const ECKey *key_impl = FromOpaque(key);
- // No initial capacity because |EC_POINT_point2cbb| will internally reserve
+ // No initial capacity because `EC_POINT_point2cbb` will internally reserve
 // the right size in one shot, so it's best to leave this at zero. int ret = I2DFromCBB( /*initial_capacity=*/0, outp, [&](CBB *cbb) -> bool {
diff --git a/third_party/boringssl/src/crypto/ec/ec_derive.cc b/third_party/boringssl/src/crypto/ec/ec_derive.cc
index 6f6f7865..b500336f 100644
--- a/third_party/boringssl/src/crypto/ec/ec_derive.cc
+++ b/third_party/boringssl/src/crypto/ec/ec_derive.cc
@@ -35,8 +35,8 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret, return nullptr; }
- // Assemble a label string to provide some key separation in case |secret| is
- // misused, but ultimately it's on the caller to ensure |secret| is suitably
+ // Assemble a label string to provide some key separation in case `secret` is
+ // misused, but ultimately it's on the caller to ensure `secret` is suitably
 // separated. static const char kLabel[] = "derive EC key "; char info[sizeof(kLabel) + EC_KEY_DERIVE_MAX_NAME_LEN];
@@ -70,9 +70,9 @@ EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret, bssl::UniquePtr priv(BN_bin2bn(derived, derived_len, nullptr)); bssl::UniquePtr pub(EC_POINT_new(group)); if (key == nullptr || ctx == nullptr || priv == nullptr || pub == nullptr ||
- // Reduce |priv| with Montgomery reduction. First, convert "from"
- // Montgomery form to compute |priv| * R^-1 mod |order|. This requires
- // |priv| be under order * R, which is true if the group order is large
+ // Reduce `priv` with Montgomery reduction. First, convert "from"
+ // Montgomery form to compute `priv` * R^-1 mod `order`. This requires
+ // `priv` be under order * R, which is true if the group order is large
 // enough. 2^(num_bytes(order)) < 2^8 * order, so: // // priv < 2^8 * order * 2^128 < order * order < order * R
diff --git a/third_party/boringssl/src/crypto/ec/hash_to_curve.cc b/third_party/boringssl/src/crypto/ec/hash_to_curve.cc
index 6ce88ee1..dd32dd2f 100644
--- a/third_party/boringssl/src/crypto/ec/hash_to_curve.cc
+++ b/third_party/boringssl/src/crypto/ec/hash_to_curve.cc
@@ -37,11 +37,11 @@ namespace { // becomes a performance bottleneck, some possible optimizations by // specializing it to the curve: //
-// - Rather than using a generic |ec_felem_exp|, specialize the exponentiation
+// - Rather than using a generic `ec_felem_exp`, specialize the exponentiation
 // to c2 with a faster addition chain. //
-// - |ec_felem_mul| and |ec_felem_sqr| are generic Montgomery code. Given the
-// few curves, we could specialize |map_to_curve_simple_swu|. But doing this
+// - `ec_felem_mul` and `ec_felem_sqr` are generic Montgomery code. Given the
+// few curves, we could specialize `map_to_curve_simple_swu`. But doing this
 // reasonably without duplicating code in C is difficult. (C++ templates // would be useful here.) //
@@ -83,7 +83,7 @@ int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, // Compute b_0. static const uint8_t kZeros[EVP_MAX_MD_BLOCK_SIZE] = {0};
- // If |out_len| exceeds 16 bits then |i| will wrap below causing an error to
+ // If `out_len` exceeds 16 bits then `i` will wrap below causing an error to
 // be returned. This depends on the static assert above. uint8_t l_i_b_str_zero[3] = {static_cast(out_len >> 8), static_cast(out_len), 0};
@@ -134,15 +134,15 @@ int expand_message_xmd(const EVP_MD *md, uint8_t *out, size_t out_len, } // num_bytes_to_derive determines the number of bytes to derive when hashing to
-// a number modulo |modulus|. See the hash_to_field operation defined in
+// a number modulo `modulus`. See the hash_to_field operation defined in
 // section 5.2 of RFC 9380. int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) { size_t bits = BN_num_bits(modulus); size_t L = (bits + k + 7) / 8; // We require 2^(8*L) < 2^(2*bits - 2) <= n^2 so to fit in bounds for
- // |felem_reduce| and |ec_scalar_reduce|. All defined hash-to-curve suites
- // define |k| to be well under this bound. (|k| is usually around half of
- // |p_bits|.)
+ // `felem_reduce` and `ec_scalar_reduce`. All defined hash-to-curve suites
+ // define `k` to be well under this bound. (`k` is usually around half of
+ // `p_bits`.)
 if (L * 8 >= 2 * bits - 2 || L > 2 * EC_MAX_BYTES) { assert(0); OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR);
@@ -153,8 +153,8 @@ int num_bytes_to_derive(size_t *out, const BIGNUM *modulus, unsigned k) { return 1; }
-// big_endian_to_words decodes |in| as a big-endian integer and writes the
-// result to |out|. |num_words| must be large enough to contain the output.
+// big_endian_to_words decodes `in` as a big-endian integer and writes the
+// result to `out`. `num_words` must be large enough to contain the output.
 void big_endian_to_words(BN_ULONG *out, size_t num_words, const uint8_t *in, size_t len) { assert(len <= num_words * sizeof(BN_ULONG));
@@ -167,7 +167,7 @@ void big_endian_to_words(BN_ULONG *out, size_t num_words, const uint8_t *in, } // hash_to_field implements the operation described in section 5.2
-// of RFC 9380, with count = 2. |k| is the security factor.
+// of RFC 9380, with count = 2. `k` is the security factor.
 int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out1, EC_FELEM *out2, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, size_t msg_len) {
@@ -187,7 +187,7 @@ int hash_to_field2(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out1, } // hash_to_field1 implements the operation described in section 5.2
-// of RFC 9380, with count = 1. |k| is the security factor.
+// of RFC 9380, with count = 1. `k` is the security factor.
 int hash_to_field1(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, size_t msg_len) {
@@ -204,8 +204,8 @@ int hash_to_field1(const EC_GROUP *group, const EVP_MD *md, EC_FELEM *out, return 1; }
-// hash_to_scalar behaves like |hash_to_field2| but returns a value modulo the
-// group order rather than a field element. |k| is the security factor.
+// hash_to_scalar behaves like `hash_to_field2` but returns a value modulo the
+// group order rather than a field element. `k` is the security factor.
 int hash_to_scalar(const EC_GROUP *group, const EVP_MD *md, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, unsigned k, const uint8_t *msg, size_t msg_len) {
@@ -266,7 +266,7 @@ BN_ULONG sqrt_ratio_3mod4(const EC_GROUP *group, const EC_FELEM *Z, // 10. y = CMOV(y2, y1, isQR) // 11. return (isQR, y) //
- // Note the specification's CMOV function and our |ec_felem_select| have the
+ // Note the specification's CMOV function and our `ec_felem_select` have the
 // opposite argument order. ec_felem_sub(group, &tv1, &tv3, u); const BN_ULONG isQR = ~ec_felem_non_zero_mask(group, &tv1);
@@ -332,7 +332,7 @@ void map_to_curve_simple_swu(const EC_GROUP *group, const EC_FELEM *Z, // 25. x = x / tv4 //
- // Our output is in projective coordinates, so rather than inverting |tv4|
+ // Our output is in projective coordinates, so rather than inverting `tv4`
 // now, represent (x / tv4, y) as (x * tv4, y * tv4^3, tv4). This is much more // efficient if the caller will do further computation on the output. (If the // caller will immediately convert to affine coordinates, it is slightly less
@@ -351,7 +351,7 @@ int hash_to_curve(const EC_GROUP *group, const EVP_MD *md, const EC_FELEM *Z, return 0; }
- // Compute |c1| = (p - 3) / 4.
+ // Compute `c1` = (p - 3) / 4.
 BN_ULONG c1[EC_MAX_WORDS]; size_t num_c1 = group->field.N.width; if (!bn_copy_words(c1, num_c1, &group->field.N)) {
@@ -364,7 +364,7 @@ int hash_to_curve(const EC_GROUP *group, const EVP_MD *md, const EC_FELEM *Z, map_to_curve_simple_swu(group, Z, c1, num_c1, c2, &Q1, &u1); group->meth->add(group, out, &Q0, &Q1); // R = Q0 + Q1
- // All our curves have cofactor one, so |clear_cofactor| is a no-op.
+ // All our curves have cofactor one, so `clear_cofactor` is a no-op.
 return 1; }
@@ -377,7 +377,7 @@ int encode_to_curve(const EC_GROUP *group, const EVP_MD *md, const EC_FELEM *Z, return 0; }
- // Compute |c1| = (p - 3) / 4.
+ // Compute `c1` = (p - 3) / 4.
 BN_ULONG c1[EC_MAX_WORDS]; size_t num_c1 = group->field.N.width; if (!bn_copy_words(c1, num_c1, &group->field.N)) {
@@ -386,7 +386,7 @@ int encode_to_curve(const EC_GROUP *group, const EVP_MD *md, const EC_FELEM *Z, bn_rshift_words(c1, c1, /*shift=*/2, /*num=*/num_c1); map_to_curve_simple_swu(group, Z, c1, num_c1, c2, out, &u);
- // All our curves have cofactor one, so |clear_cofactor| is a no-op.
+ // All our curves have cofactor one, so `clear_cofactor` is a no-op.
 return 1; }
diff --git a/third_party/boringssl/src/crypto/ec/internal.h b/third_party/boringssl/src/crypto/ec/internal.h
index 6e464854..902eb81d 100644
--- a/third_party/boringssl/src/crypto/ec/internal.h
+++ b/third_party/boringssl/src/crypto/ec/internal.h
@@ -26,21 +26,21 @@ BSSL_NAMESPACE_BEGIN // Parsing functions.
-// ec_key_parse_curve_name behaves like |EC_KEY_parse_curve_name| but only
-// supports the groups in |allowed_groups|. If no syntax errors were found but
-// the group is unknown, it will fail with an error of |EC_R_UNKNOWN_GROUP|.
+// ec_key_parse_curve_name behaves like `EC_KEY_parse_curve_name` but only
+// supports the groups in `allowed_groups`. If no syntax errors were found but
+// the group is unknown, it will fail with an error of `EC_R_UNKNOWN_GROUP`.
 const EC_GROUP *ec_key_parse_curve_name( CBS *cbs, bssl::Span allowed_groups);
-// ec_key_parse_parameters behaves like |EC_KEY_parse_parameters| but only
-// supports the groups in |allowed_groups|. If no syntax errors were found but
-// the group is unknown, it will fail with an error of |EC_R_UNKNOWN_GROUP|.
+// ec_key_parse_parameters behaves like `EC_KEY_parse_parameters` but only
+// supports the groups in `allowed_groups`. If no syntax errors were found but
+// the group is unknown, it will fail with an error of `EC_R_UNKNOWN_GROUP`.
 const EC_GROUP *ec_key_parse_parameters( CBS *cbs, bssl::Span allowed_groups);
-// ec_key_parse_private_key behaves like |EC_KEY_parse_private_key| but only
-// supports the groups in |allowed_groups|. If |group| is non-NULL,
-// |allowed_groups| is ignored and instead only |group| is supported.
+// ec_key_parse_private_key behaves like `EC_KEY_parse_private_key` but only
+// supports the groups in `allowed_groups`. If `group` is non-NULL,
+// `allowed_groups` is ignored and instead only `group` is supported.
 // // TODO(crbug.com/boringssl/414361735): This should return a bssl::UniquePtr, // but cannot until it is made C++ linkage.
@@ -51,46 +51,46 @@ EC_KEY *ec_key_parse_private_key( // Hash-to-curve. //
-// Internal |EC_JACOBIAN| versions of the corresponding public APIs.
+// Internal `EC_JACOBIAN` versions of the corresponding public APIs.
-// ec_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and
-// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
+// ec_hash_to_curve_p256_xmd_sha256_sswu hashes `msg` to a point on `group` and
+// writes the result to `out`, implementing the P256_XMD:SHA-256_SSWU_RO_ suite
 // from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
-// ec_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and
-// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
+// ec_hash_to_curve_p384_xmd_sha384_sswu hashes `msg` to a point on `group` and
+// writes the result to `out`, implementing the P384_XMD:SHA-384_SSWU_RO_ suite
 // from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
-// ec_encode_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group|
-// and writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_NU_
+// ec_encode_to_curve_p256_xmd_sha256_sswu hashes `msg` to a point on `group`
+// and writes the result to `out`, implementing the P256_XMD:SHA-256_SSWU_NU_
 // suite from RFC 9380. It returns one on success and zero on error.
OPENSSL_EXPORT int ec_encode_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
-// ec_encode_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group|
-// and writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_NU_
+// ec_encode_to_curve_p384_xmd_sha384_sswu hashes `msg` to a point on `group`
+// and writes the result to `out`, implementing the P384_XMD:SHA-384_SSWU_NU_
 // suite from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int ec_encode_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
-// ec_hash_to_scalar_p384_xmd_sha384 hashes |msg| to a scalar on |group|
-// and writes the result to |out|, using the hash_to_field operation from the
+// ec_hash_to_scalar_p384_xmd_sha384 hashes `msg` to a scalar on `group`
+// and writes the result to `out`, using the hash_to_field operation from the
 // P384_XMD:SHA-384_SSWU_RO_ suite from RFC 9380, but generating a value modulo // the group order rather than a field element. OPENSSL_EXPORT int ec_hash_to_scalar_p384_xmd_sha384( const EC_GROUP *group, EC_SCALAR *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
-// ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 hashes |msg| to a point on
-// |group| and writes the result to |out|, implementing the
+// ec_hash_to_curve_p384_xmd_sha512_sswu_draft07 hashes `msg` to a point on
+// `group` and writes the result to `out`, implementing the
 // P384_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-07. It // returns one on success and zero on error. //
@@ -99,8 +99,8 @@ OPENSSL_EXPORT int ec_hash_to_curve_p384_xmd_sha512_sswu_draft07( const EC_GROUP *group, EC_JACOBIAN *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len);
-// ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes |msg| to a scalar on |group|
-// and writes the result to |out|, using the hash_to_field operation from the
+// ec_hash_to_scalar_p384_xmd_sha512_draft07 hashes `msg` to a scalar on `group`
+// and writes the result to `out`, using the hash_to_field operation from the
 // P384_XMD:SHA-512_SSWU_RO_ suite from draft-irtf-cfrg-hash-to-curve-07, but // generating a value modulo the group order rather than a field element. //
diff --git a/third_party/boringssl/src/crypto/ecdsa/ecdsa_asn1.cc b/third_party/boringssl/src/crypto/ecdsa/ecdsa_asn1.cc
index d4d0b4b6..ad29cbbd 100644
--- a/third_party/boringssl/src/crypto/ecdsa/ecdsa_asn1.cc
+++ b/third_party/boringssl/src/crypto/ecdsa/ecdsa_asn1.cc
@@ -292,7 +292,7 @@ int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len, return 1; }
-// der_len_len returns the number of bytes needed to represent a length of |len|
+// der_len_len returns the number of bytes needed to represent a length of `len`
 // in DER. static size_t der_len_len(size_t len) { if (len < 0x80) {
@@ -307,7 +307,7 @@ static size_t der_len_len(size_t len) { } size_t ECDSA_SIG_max_len(size_t order_len) {
- // Compute the maximum length of an |order_len| byte integer. Defensively
+ // Compute the maximum length of an `order_len` byte integer. Defensively
 // assume that the leading 0x00 is included. size_t integer_len = 1 /* tag */ + der_len_len(order_len + 1) + 1 + order_len; if (integer_len < order_len) {
diff --git a/third_party/boringssl/src/crypto/engine/engine.cc b/third_party/boringssl/src/crypto/engine/engine.cc
index 4d39cd83..c39d3403 100644
--- a/third_party/boringssl/src/crypto/engine/engine.cc
+++ b/third_party/boringssl/src/crypto/engine/engine.cc
@@ -42,7 +42,7 @@ int ENGINE_free(ENGINE *engine) { } // set_method takes a pointer to a method and its given size and sets
-// |*out_member| to point to it. This function might want to be extended in the
+// `*out_member` to point to it. This function might want to be extended in the
 // future to support making a copy of the method so that a stable ABI for // ENGINEs can be supported. But, for the moment, all *_METHODS must be // static.
diff --git a/third_party/boringssl/src/crypto/err/err.cc b/third_party/boringssl/src/crypto/err/err.cc
index b3fe3164..997399e0 100644
--- a/third_party/boringssl/src/crypto/err/err.cc
+++ b/third_party/boringssl/src/crypto/err/err.cc
@@ -40,13 +40,13 @@ struct err_error_st { // file contains the filename where the error occurred. const char *file; // data contains a NUL-terminated string with optional data. It is allocated
- // with system |malloc| and must be freed with |free| (not |OPENSSL_free|)
+ // with system `malloc` and must be freed with `free` (not `OPENSSL_free`)
 char *data; // packed contains the error library and reason, as packed by ERR_PACK. uint32_t packed; // line contains the line number where the error occurred. uint16_t line;
- // mark indicates a reversion point in the queue. See |ERR_pop_to_mark|.
+ // mark indicates a reversion point in the queue. See `ERR_pop_to_mark`.
 unsigned mark : 1; };
@@ -55,14 +55,14 @@ typedef struct err_state_st { // errors contains up to ERR_NUM_ERRORS - 1 most recent errors, organised as a // ring buffer. struct err_error_st errors[ERR_NUM_ERRORS];
- // top contains the index of the most recent error. If |top| equals |bottom|
+ // top contains the index of the most recent error. If `top` equals `bottom`
 // then the queue is empty. unsigned top; // bottom contains the index before the least recent error in the queue. unsigned bottom; // to_free, if not NULL, contains a pointer owned by this structure that was
- // previously a |data| pointer of one of the elements of |errors|.
+ // previously a `data` pointer of one of the elements of `errors`.
 void *to_free; } ERR_STATE; } // namespace
@@ -76,7 +76,7 @@ extern const char kOpenSSLReasonStringData[]; BSSL_NAMESPACE_END static char *strdup_libc_malloc(const char *str) {
- // |strdup| is not in C until C23, so MSVC triggers deprecation warnings, and
+ // `strdup` is not in C until C23, so MSVC triggers deprecation warnings, and
 // glibc and musl gate it on a feature macro. Reimplementing it is easier. size_t len = strlen(str); char *ret = reinterpret_cast(malloc(len + 1));
@@ -108,7 +108,7 @@ static void err_copy(struct err_error_st *dst, const struct err_error_st *src) { // global_next_library contains the next custom library value to return. static int global_next_library = ERR_NUM_LIBS;
-// global_next_library_mutex protects |global_next_library| from concurrent
+// global_next_library_mutex protects `global_next_library` from concurrent
 // updates. static StaticMutex global_next_library_mutex;
@@ -187,7 +187,7 @@ static uint32_t get_error_values(int inc, int top, const char **file, int *line, } else { *data = error->data; if (flags != nullptr) {
- // Without |ERR_FLAG_MALLOCED|, rust-openssl assumes the string has a
+ // Without `ERR_FLAG_MALLOCED`, rust-openssl assumes the string has a
 // static lifetime. In both cases, we retain ownership of the string, // and the caller is not expected to free it. *flags = ERR_FLAG_STRING | ERR_FLAG_MALLOCED;
@@ -298,7 +298,7 @@ void ERR_remove_state(unsigned long pid) { ERR_clear_error(); } void ERR_clear_system_error() { errno = 0; } // err_string_cmp is a compare function for searching error values with
-// |bsearch| in |err_string_lookup|.
+// `bsearch` in `err_string_lookup`.
 static int err_string_cmp(const void *a, const void *b) { const uint32_t a_key = *((const uint32_t *)a) >> 15; const uint32_t b_key = *((const uint32_t *)b) >> 15;
@@ -312,23 +312,23 @@ static int err_string_cmp(const void *a, const void *b) { } }
-// err_string_lookup looks up the string associated with |lib| and |key| in
-// |values| and |string_data|. It returns the string or NULL if not found.
+// err_string_lookup looks up the string associated with `lib` and `key` in
+// `values` and `string_data`. It returns the string or NULL if not found.
 static const char *err_string_lookup(uint32_t lib, uint32_t key, const uint32_t *values, size_t num_values, const char *string_data) {
- // |values| points to data in err_data.h, which is generated by
+ // `values` points to data in err_data.h, which is generated by
 // err_data_generate.go. It's an array of uint32_t values. Each value has the // following structure: // | lib | key | offset | // |6 bits| 11 bits | 15 bits | //
- // The |lib| value is a library identifier: one of the |ERR_LIB_*| values.
- // The |key| is a reason code, depending on the context.
- // The |offset| is the number of bytes from the start of |string_data| where
+ // The `lib` value is a library identifier: one of the `ERR_LIB_*` values.
+ // The `key` is a reason code, depending on the context.
+ // The `offset` is the number of bytes from the start of `string_data` where
 // the (NUL terminated) string for this value can be found. //
- // Values are sorted based on treating the |lib| and |key| part as an
+ // Values are sorted based on treating the `lib` and `key` part as an
 // unsigned integer. if (lib >= (1 << 6) || key >= (1 << 11)) { return nullptr;
@@ -385,6 +385,7 @@ static const LIBRARY_NAME kLibraryNames[ERR_NUM_LIBS] = { {"Cipher functions", "CIPHER", "CIPHER_LIB"}, {"HKDF functions", "HKDF", "HKDF_LIB"}, {"Trust Token functions", "TRUST_TOKEN", "TRUST_TOKEN_LIB"},
+ {"CMS routines", "CMS", "CMS_LIB"},
 {"User defined functions", "USER", "USER_LIB"}, };
@@ -445,7 +446,7 @@ static const char *err_reason_error_string(uint32_t packed_error, int symbol) { } // Unlike OpenSSL, BoringSSL's reason strings already match symbol name, so we
- // do not need to check |symbol|.
+ // do not need to check `symbol`.
 return err_string_lookup(lib, reason, kOpenSSLReasonValues, kOpenSSLReasonValuesLen, kOpenSSLReasonStringData); }
@@ -469,7 +470,7 @@ char *ERR_error_string(uint32_t packed_error, char *ret) { #if !defined(NDEBUG) // This is aimed to help catch callers who don't provide
- // |ERR_ERROR_STRING_BUF_LEN| bytes of space.
+ // `ERR_ERROR_STRING_BUF_LEN` bytes of space.
 OPENSSL_memset(ret, 0, ERR_ERROR_STRING_BUF_LEN); #endif
@@ -518,7 +519,7 @@ char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len) { char *last_pos = &buf[len - 1] - num_colons + i; if (colon == nullptr || colon > last_pos) {
- // set colon |i| at last possible position (buf[len-1] is the
+ // set colon `i` at last possible position (`buf[len-1]` is the
 // terminating 0). If we're setting this colon, then all whole of the // rest of the string must be colons in order to have the correct // number.
@@ -540,7 +541,7 @@ void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx) { int line, flags; uint32_t packed_error;
- // thread_hash is the least-significant bits of the |ERR_STATE| pointer value
+ // thread_hash is the least-significant bits of the `ERR_STATE` pointer value
 // for this thread. const unsigned long thread_hash = (uintptr_t)err_get_state();
@@ -690,8 +691,8 @@ void ERR_set_error_data(char *data, int flags) { err_set_error_data(copy); } if (flags & ERR_FLAG_MALLOCED) {
- // We can not take ownership of |data| directly because it is allocated with
- // |OPENSSL_malloc| and we will free it with system |free| later.
+ // We can not take ownership of `data` directly because it is allocated with
+ // `OPENSSL_malloc` and we will free it with system `free` later.
 OPENSSL_free(data); } }
diff --git a/third_party/boringssl/src/crypto/err/internal.h b/third_party/boringssl/src/crypto/err/internal.h
index e81768c7..d0f722d9 100644
--- a/third_party/boringssl/src/crypto/err/internal.h
+++ b/third_party/boringssl/src/crypto/err/internal.h
@@ -23,19 +23,19 @@ BSSL_NAMESPACE_BEGIN // Private error queue functions. // ERR_SAVE_STATE contains a saved representation of the error queue. It is
-// slightly more compact than |ERR_STATE| as the error queue will typically not
-// contain |ERR_NUM_ERRORS| entries.
+// slightly more compact than `ERR_STATE` as the error queue will typically not
+// contain `ERR_NUM_ERRORS` entries.
 typedef struct err_save_state_st ERR_SAVE_STATE;
-// ERR_SAVE_STATE_free releases all memory associated with |state|.
+// ERR_SAVE_STATE_free releases all memory associated with `state`.
 OPENSSL_EXPORT void ERR_SAVE_STATE_free(ERR_SAVE_STATE *state);
-// ERR_save_state returns a newly-allocated |ERR_SAVE_STATE| structure
+// ERR_save_state returns a newly-allocated `ERR_SAVE_STATE` structure
 // containing the current state of the error queue or NULL on allocation
-// error. It should be released with |ERR_SAVE_STATE_free|.
+// error. It should be released with `ERR_SAVE_STATE_free`.
 OPENSSL_EXPORT ERR_SAVE_STATE *ERR_save_state();
-// ERR_restore_state clears the error queue and replaces it with |state|.
+// ERR_restore_state clears the error queue and replaces it with `state`.
 OPENSSL_EXPORT void ERR_restore_state(const ERR_SAVE_STATE *state); BORINGSSL_MAKE_DELETER(ERR_SAVE_STATE, ERR_SAVE_STATE_free)
diff --git a/third_party/boringssl/src/crypto/evp/evp.cc b/third_party/boringssl/src/crypto/evp/evp.cc
index 1b182592..5a716b07 100644
--- a/third_party/boringssl/src/crypto/evp/evp.cc
+++ b/third_party/boringssl/src/crypto/evp/evp.cc
@@ -29,7 +29,7 @@ using namespace bssl;
-// Node depends on |EVP_R_NOT_XOF_OR_INVALID_LENGTH|.
+// Node depends on `EVP_R_NOT_XOF_OR_INVALID_LENGTH`.
 // // TODO(davidben): Fix Node to not touch the error queue itself and remove this. OPENSSL_DECLARE_ERROR_REASON(EVP, NOT_XOF_OR_INVALID_LENGTH)
@@ -75,7 +75,7 @@ int EVP_PKEY_is_opaque(const EVP_PKEY *pkey) { } int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b) {
- // This also checks that |EVP_PKEY_id| matches.
+ // This also checks that `EVP_PKEY_id` matches.
 if (!EVP_PKEY_parameters_eq(a, b)) { return 0; }
@@ -96,7 +96,7 @@ int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from) { auto *from_impl = FromOpaque(from); if (EVP_PKEY_id(to_impl) == EVP_PKEY_NONE) {
- // TODO(crbug.com/42290409): This shouldn't leave |to| in a half-empty state
+ // TODO(crbug.com/42290409): This shouldn't leave `to` in a half-empty state
 // on error. The complexity here largely comes from parameterless DSA keys, // which we no longer support, so this function can probably be trimmed // down.
@@ -205,15 +205,15 @@ int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) { int EVP_PKEY_set_type(EVP_PKEY *pkey, int type) { auto *impl = FromOpaque(pkey); if (impl && impl->pkey) { - // Some callers rely on |pkey| getting cleared even if |type| is - // unsupported, usually setting |type| to |EVP_PKEY_NONE|. + // Some callers rely on `pkey` getting cleared even if `type` is + // unsupported, usually setting `type` to `EVP_PKEY_NONE`. evp_pkey_set0(impl, nullptr, nullptr); } - // This function broadly isn't useful. It initializes |EVP_PKEY| for a type, - // but forgets to put anything in the |pkey|. The one pattern where it does - // anything is |EVP_PKEY_X25519|, where it's needed to make - // |EVP_PKEY_set1_tls_encodedpoint| work, so we support only that. + // This function broadly isn't useful. It initializes `EVP_PKEY` for a type, + // but forgets to put anything in the `pkey`. The one pattern where it does + // anything is `EVP_PKEY_X25519`, where it's needed to make + // `EVP_PKEY_set1_tls_encodedpoint` work, so we support only that. const EVP_PKEY_ALG *alg; if (type == EVP_PKEY_X25519) { alg = EVP_pkey_x25519(); @@ -367,8 +367,8 @@ int EVP_PKEY_CTX_set1_signature_context_string(EVP_PKEY_CTX *ctx, void *EVP_PKEY_get0(const EVP_PKEY *pkey) { // Node references, but never calls this function, so for now we return NULL. - // If other projects require complete support, call |EVP_PKEY_get0_RSA|, etc., - // rather than reading |pkey->pkey| directly. This avoids problems if our + // If other projects require complete support, call `EVP_PKEY_get0_RSA`, etc., + // rather than reading `pkey->pkey` directly. This avoids problems if our // internal representation does not match the type the caller expects from // OpenSSL. return nullptr; diff --git a/third_party/boringssl/src/crypto/evp/evp_asn1.cc b/third_party/boringssl/src/crypto/evp/evp_asn1.cc index e32a6f71..a0b8c32a 100644 --- a/third_party/boringssl/src/crypto/evp/evp_asn1.cc 
+++ b/third_party/boringssl/src/crypto/evp/evp_asn1.cc @@ -238,7 +238,7 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp, }); } -// num_elements parses one SEQUENCE from |in| and returns the number of elements +// num_elements parses one SEQUENCE from `in` and returns the number of elements // in it. On parse error, it returns zero. static size_t num_elements(const uint8_t *in, size_t in_len) { CBS cbs, sequence; @@ -326,9 +326,9 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out, const uint8_t **inp, // Unlike OpenSSL, we do not support EC keys with this API. The raw EC // public key serialization requires knowing the group. In OpenSSL, - // calling this function with |EVP_PKEY_EC| and setting |out| to - // nullptr does not work. It requires |*out| to include a - // partially-initialized |EVP_PKEY| to extract the group. + // calling this function with `EVP_PKEY_EC` and setting `out` to + // nullptr does not work. It requires `*out` to include a + // partially-initialized `EVP_PKEY` to extract the group. default: OPENSSL_PUT_ERROR(EVP, EVP_R_UNSUPPORTED_PUBLIC_KEY_TYPE); return nullptr; diff --git a/third_party/boringssl/src/crypto/evp/evp_ctx.cc b/third_party/boringssl/src/crypto/evp/evp_ctx.cc index ffb9b6f2..a0d78105 100644 --- a/third_party/boringssl/src/crypto/evp/evp_ctx.cc +++ b/third_party/boringssl/src/crypto/evp/evp_ctx.cc @@ -42,7 +42,7 @@ static UniquePtr evp_pkey_ctx_new( ret->pkey = UpRef(pkey); if (pmeth->init && pmeth->init(ret.get(), alg) <= 0) { - ret->pmeth = nullptr; // Don't call |pmeth->cleanup|. + ret->pmeth = nullptr; // Don't call `pmeth->cleanup`. return nullptr; } 
@@ -71,9 +71,9 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e) { } EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e) { - // |EVP_PKEY_RSA_PSS| is intentionally omitted from this list. These are types - // that can be created without an |EVP_PKEY|, and we do not support - // |EVP_PKEY_RSA_PSS| keygen. + // `EVP_PKEY_RSA_PSS` is intentionally omitted from this list. These are types + // that can be created without an `EVP_PKEY`, and we do not support + // `EVP_PKEY_RSA_PSS` keygen. const EVP_PKEY_ALG *alg = nullptr; switch (id) { case EVP_PKEY_RSA: diff --git a/third_party/boringssl/src/crypto/evp/internal.h b/third_party/boringssl/src/crypto/evp/internal.h index 10485b64..6692c583 100644 --- a/third_party/boringssl/src/crypto/evp/internal.h +++ b/third_party/boringssl/src/crypto/evp/internal.h @@ -36,7 +36,7 @@ typedef struct evp_pkey_ctx_method_st EVP_PKEY_CTX_METHOD; BSSL_NAMESPACE_END struct evp_pkey_alg_st { - // method and pkey_method implement operations for this |EVP_PKEY_ALG|. + // method and pkey_method implement operations for this `EVP_PKEY_ALG`. const bssl::EVP_PKEY_ASN1_METHOD *method; const bssl::EVP_PKEY_CTX_METHOD *pkey_method; }; @@ -50,7 +50,7 @@ enum evp_decode_result_t { }; struct evp_pkey_asn1_method_st { - // pkey_id contains one of the |EVP_PKEY_*| values and corresponds to the OID + // pkey_id contains one of the `EVP_PKEY_*` values and corresponds to the OID // in the key type's AlgorithmIdentifier. int pkey_id; uint8_t oid[9]; 
@@ -58,53 +58,53 @@ struct evp_pkey_asn1_method_st { const EVP_PKEY_CTX_METHOD *pkey_method; - // pub_decode decodes |params| and |key| as a SubjectPublicKeyInfo - // and writes the result into |out|. It returns |evp_decode_ok| on success, - // and |evp_decode_error| on error, and |evp_decode_unsupported| if the input - // was not supported by this |EVP_PKEY_ALG|. In case of - // |evp_decode_unsupported|, it does not add an error to the error queue. May - // modify |params| and |key|. Callers must make a copy if calling in a loop. + // pub_decode decodes `params` and `key` as a SubjectPublicKeyInfo + // and writes the result into `out`. It returns `evp_decode_ok` on success, + // and `evp_decode_error` on error, and `evp_decode_unsupported` if the input + // was not supported by this `EVP_PKEY_ALG`. In case of + // `evp_decode_unsupported`, it does not add an error to the error queue. May + // modify `params` and `key`. Callers must make a copy if calling in a loop. // - // |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, - // and |key| is the contents of the subjectPublicKey with the leading padding + // `params` is the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, + // and `key` is the contents of the subjectPublicKey with the leading padding // byte checked and removed. Although X.509 uses BIT STRINGs to represent // SubjectPublicKeyInfo, every key type defined encodes the key as a byte // string with the same conversion to BIT STRING. evp_decode_result_t (*pub_decode)(const EVP_PKEY_ALG *alg, EvpPkey *out, CBS *params, CBS *key); - // pub_encode encodes |key| as a SubjectPublicKeyInfo and appends the result - // to |out|. It returns one on success and zero on error. + // pub_encode encodes `key` as a SubjectPublicKeyInfo and appends the result + // to `out`. It returns one on success and zero on error. 
int (*pub_encode)(CBB *out, const EvpPkey *key); bool (*pub_equal)(const EvpPkey *a, const EvpPkey *b); - // pub_present returns true iff the |pk| has a public key. (If so, validity + // pub_present returns true iff the `pk` has a public key. (If so, validity // is not guaranteed and should be checked separately.) bool (*pub_present)(const EvpPkey *pk); - // pub_copy sets the key data of |out| to a newly allocated key data structure - // which contains a copy of only the public key of |pk|, freeing any key - // previously in |out|. Returns true on success or false on failure. + // pub_copy sets the key data of `out` to a newly allocated key data structure + // which contains a copy of only the public key of `pk`, freeing any key + // previously in `out`. Returns true on success or false on failure. bool (*pub_copy)(EvpPkey *out, const EvpPkey *pk); - // priv_decode decodes |params| and |key| as a PrivateKeyInfo and writes the - // result into |out|. It returns |evp_decode_ok| on success, and - // |evp_decode_error| on error, and |evp_decode_unsupported| if the key type - // was not supported by this |EVP_PKEY_ALG|. In case of - // |evp_decode_unsupported|, it does not add an error to the error queue. May - // modify |params| and |key|. Callers must make a copy if calling in a loop. + // priv_decode decodes `params` and `key` as a PrivateKeyInfo and writes the + // result into `out`. It returns `evp_decode_ok` on success, and + // `evp_decode_error` on error, and `evp_decode_unsupported` if the key type + // was not supported by this `EVP_PKEY_ALG`. In case of + // `evp_decode_unsupported`, it does not add an error to the error queue. May + // modify `params` and `key`. Callers must make a copy if calling in a loop. // - // |params| is the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, - // and |key| is the contents of the OCTET STRING privateKey field. 
+ // `params` is the AlgorithmIdentifier after the OBJECT IDENTIFIER type field, + // and `key` is the contents of the OCTET STRING privateKey field. evp_decode_result_t (*priv_decode)(const EVP_PKEY_ALG *alg, EvpPkey *out, CBS *params, CBS *key); - // priv_encode encodes |key| as a PrivateKeyInfo and appends the result to - // |out|. It returns one on success and zero on error. + // priv_encode encodes `key` as a PrivateKeyInfo and appends the result to + // `out`. It returns one on success and zero on error. int (*priv_encode)(CBB *out, const EvpPkey *key); - // priv_present returns true iff the |pk| has a private key. (If so, validity + // priv_present returns true iff the `pk` has a private key. (If so, validity // is not guaranteed and should be checked separately.) bool (*priv_present)(const EvpPkey *pk); @@ -116,9 +116,9 @@ struct evp_pkey_asn1_method_st { int (*get_pub_raw)(const EvpPkey *pkey, uint8_t *out, size_t *out_len); // TODO(davidben): Can these be merged with the functions above? OpenSSL does - // not implement |EVP_PKEY_get_raw_public_key|, etc., for |EVP_PKEY_EC|, but + // not implement `EVP_PKEY_get_raw_public_key`, etc., for `EVP_PKEY_EC`, but // the distinction seems unimportant. OpenSSL 3.0 has since renamed - // |EVP_PKEY_get1_tls_encodedpoint| to |EVP_PKEY_get1_encoded_public_key|, and + // `EVP_PKEY_get1_tls_encodedpoint` to `EVP_PKEY_get1_encoded_public_key`, and // what is the difference between "raw" and an "encoded" public key. // // One nuisance is the notion of "raw" is slightly ambiguous for EC keys. Is 
@@ -126,7 +126,7 @@ struct evp_pkey_asn1_method_st { int (*set1_tls_encodedpoint)(EvpPkey *pkey, const uint8_t *in, size_t len); size_t (*get1_tls_encodedpoint)(const EvpPkey *pkey, uint8_t **out_ptr); - // pkey_opaque returns 1 if the |pk| is opaque. Opaque keys are backed by + // pkey_opaque returns 1 if the `pk` is opaque. Opaque keys are backed by // custom implementations which do not expose key material and parameters. int (*pkey_opaque)(const EvpPkey *pk); @@ -144,7 +144,7 @@ class EvpPkey : public evp_pkey_st, public RefCounted { public: EvpPkey(); - // pkey contains a pointer to a structure dependent on |ameth|. + // pkey contains a pointer to a structure dependent on `ameth`. void *pkey = nullptr; // ameth contains a pointer to a method table that determines the key type, or @@ -175,12 +175,12 @@ class EvpPkey : public evp_pkey_st, public RefCounted { #define EVP_PKEY_OP_TYPE_GEN (EVP_PKEY_OP_KEYGEN | EVP_PKEY_OP_PARAMGEN) -// EVP_PKEY_CTX_ctrl performs |cmd| on |ctx|. The |keytype| and |optype| +// EVP_PKEY_CTX_ctrl performs `cmd` on `ctx`. The `keytype` and `optype` // arguments can be -1 to specify that any type and operation are acceptable, -// otherwise |keytype| must match the type of |ctx| and the bits of |optype| -// must intersect the operation flags set on |ctx|. +// otherwise `keytype` must match the type of `ctx` and the bits of `optype` +// must intersect the operation flags set on `ctx`. // -// The |p1| and |p2| arguments depend on the value of |cmd|. +// The `p1` and `p2` arguments depend on the value of `cmd`. // // It returns one on success and zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, 
@@ -189,14 +189,14 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_ctrl(EVP_PKEY_CTX *ctx, int keytype, int optype, #define EVP_PKEY_CTRL_MD 1 #define EVP_PKEY_CTRL_GET_MD 2 -// EVP_PKEY_CTRL_PEER_KEY is called with different values of |p1|: -// 0: Is called from |EVP_PKEY_derive_set_peer| and |p2| contains a peer key. +// EVP_PKEY_CTRL_PEER_KEY is called with different values of `p1`: +// 0: Is called from `EVP_PKEY_derive_set_peer` and `p2` contains a peer key. // If the return value is <= 0, the key is rejected. -// 1: Is called at the end of |EVP_PKEY_derive_set_peer| and |p2| contains a +// 1: Is called at the end of `EVP_PKEY_derive_set_peer` and `p2` contains a // peer key. If the return value is <= 0, the key is rejected. -// 2: Is called with |p2| == NULL to test whether the peer's key was used. +// 2: Is called with `p2` == NULL to test whether the peer's key was used. // (EC)DH always return one in this case. -// 3: Is called with |p2| == NULL to set whether the peer's key was used. +// 3: Is called with `p2` == NULL to set whether the peer's key was used. // (EC)DH always return one in this case. This was only used for GOST. #define EVP_PKEY_CTRL_PEER_KEY 3 
@@ -229,10 +229,20 @@ class EvpPkeyCtx : public evp_pkey_ctx_st { public: static constexpr bool kAllowUniquePtr = true; - // TODO(crbug.com/487376811): Ideally this destructor should be virtual so - // that we can emit vtables in libcrypto. In that case we would be able to - // replace |pmeth| with virtual methods and subclassing. + // Use an optional virtual destructor. This class does not (yet) have a need + // for a vtable, but we intend to write code with vtables in the future. + // Virtual destructors add a reference to symbols in the C++ runtime, so trial + // the dependency here. This is, temporarily, gated on a build define. If this + // breaks your build, build with `BORINGSSL_TEMPORARY_NO_CXX_RUNTIME` and then + // contact the BoringSSL team, so we can help fix your build. + // + // TODO(crbug.com/486922845): Remove the `BORINGSSL_TEMPORARY_NO_CXX_RUNTIME` + // case. +#if defined(BORINGSSL_TEMPORARY_NO_CXX_RUNTIME) ~EvpPkeyCtx(); +#else + virtual ~EvpPkeyCtx(); +#endif // Method associated with this operation const bssl::EVP_PKEY_CTX_METHOD *pmeth = nullptr; @@ -240,10 +250,10 @@ class EvpPkeyCtx : public evp_pkey_ctx_st { bssl::UniquePtr pkey; // Peer key for key agreement, may be nullptr bssl::UniquePtr peerkey; - // operation contains one of the |EVP_PKEY_OP_*| values. + // operation contains one of the `EVP_PKEY_OP_*` values. int operation = EVP_PKEY_OP_UNDEFINED; // Algorithm specific data. - // TODO(crbug.com/487376811): Since a |EVP_PKEY_CTX| never has its type change + // TODO(crbug.com/487376811): Since a `EVP_PKEY_CTX` never has its type change // after creation, this should instead be a base class, with the // algorithm-specific data on the subclass, coming from the same allocation. void *data = nullptr; 
@@ -252,7 +262,7 @@ class EvpPkeyCtx : public evp_pkey_ctx_st { struct evp_pkey_ctx_method_st { int pkey_id; - // |alg| may be nullptr. If non-null, |ctx| will have a key set. + // `alg` may be nullptr. If non-null, `ctx` will have a key set. int (*init)(EvpPkeyCtx *ctx, const EVP_PKEY_ALG *alg); int (*copy)(EvpPkeyCtx *dst, EvpPkeyCtx *src); void (*cleanup)(EvpPkeyCtx *ctx); 
@@ -368,27 +378,27 @@ struct KemAdapter { } }; -// evp_pkey_ec_no_curve returns an internal curveless EC |EVP_PKEY_ALG|. This +// evp_pkey_ec_no_curve returns an internal curveless EC `EVP_PKEY_ALG`. This // cannot be used to parse anything and is only useful for key generation. const EVP_PKEY_ALG *evp_pkey_ec_no_curve(); -// evp_pkey_hkdf returns an internal |EVP_PKEY_ALG| used to implement -// |EVP_PKEY_HKDF|. It has no associated key type. +// evp_pkey_hkdf returns an internal `EVP_PKEY_ALG` used to implement +// `EVP_PKEY_HKDF`. It has no associated key type. const EVP_PKEY_ALG *evp_pkey_hkdf(); -// evp_pkey_ctx_new_alg behaves like |EVP_PKEY_CTX_new_id| but takes an -// |EVP_PKEY_ALG|. +// evp_pkey_ctx_new_alg behaves like `EVP_PKEY_CTX_new_id` but takes an +// `EVP_PKEY_ALG`. UniquePtr evp_pkey_ctx_new_alg(const EVP_PKEY_ALG *alg); -// evp_pkey_set0 sets |pkey|'s method to |method| and data to |pkey_data|, +// evp_pkey_set0 sets `pkey`'s method to `method` and data to `pkey_data`, // freeing any key that may previously have been configured. This function takes -// ownership of |pkey_data|, which must be of the type expected by |method|. +// ownership of `pkey_data`, which must be of the type expected by `method`. void evp_pkey_set0(EvpPkey *pkey, const EVP_PKEY_ASN1_METHOD *method, void *pkey_data); inline auto GetDefaultEVPAlgorithms() { - // A set of algorithms to use by default in |EVP_parse_public_key| and - // |EVP_parse_private_key|. + // A set of algorithms to use by default in `EVP_parse_public_key` and + // `EVP_parse_private_key`. return std::array{ EVP_pkey_ec_p224(), EVP_pkey_ec_p256(), @@ -403,7 +413,7 @@ inline auto GetDefaultEVPAlgorithms() { EVP_pkey_ml_kem_768(), EVP_pkey_ml_kem_1024(), // TODO(crbug.com/438761503): Remove DSA from this set, after callers that - // need DSA pass in |EVP_pkey_dsa| explicitly. + // need DSA pass in `EVP_pkey_dsa` explicitly. EVP_pkey_dsa(), }; } 
diff --git a/third_party/boringssl/src/crypto/evp/p_dh.cc b/third_party/boringssl/src/crypto/evp/p_dh.cc index eaf7fadc..c3d8f7f6 100644 --- a/third_party/boringssl/src/crypto/evp/p_dh.cc +++ b/third_party/boringssl/src/crypto/evp/p_dh.cc @@ -77,7 +77,7 @@ static int dh_param_copy(EvpPkey *to, const EvpPkey *from) { return 0; } - // |DH_set0_pqg| took ownership of |p|, |q|, and |g|. + // `DH_set0_pqg` took ownership of `p`, `q`, and `g`. return 1; } @@ -252,7 +252,7 @@ static int pkey_dh_ctrl(EvpPkeyCtx *ctx, int type, int p1, void *p2) { DH_PKEY_CTX *dctx = reinterpret_cast(ctx->data); switch (type) { case EVP_PKEY_CTRL_PEER_KEY: - // |EVP_PKEY_derive_set_peer| requires the key implement this command, + // `EVP_PKEY_derive_set_peer` requires the key implement this command, // even if it is a no-op. return 1; diff --git a/third_party/boringssl/src/crypto/evp/p_dsa.cc b/third_party/boringssl/src/crypto/evp/p_dsa.cc index 6b6201c4..df02f1f8 100644 --- a/third_party/boringssl/src/crypto/evp/p_dsa.cc +++ b/third_party/boringssl/src/crypto/evp/p_dsa.cc @@ -102,8 +102,8 @@ static bssl::evp_decode_result_t dsa_priv_decode(const EVP_PKEY_ALG *alg, return evp_decode_error; } - // To avoid DoS attacks when importing private keys, check bounds on |dsa|. - // This bounds |dsa->priv_key| against |dsa->q| and bounds |dsa->q|'s bit + // To avoid DoS attacks when importing private keys, check bounds on `dsa`. + // This bounds `dsa->priv_key` against `dsa->q` and bounds `dsa->q`'s bit // width. if (!dsa_check_key(dsa.get())) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); 
@@ -289,13 +289,13 @@ const EVP_PKEY_ALG *EVP_pkey_dsa() { } int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits) { - // BoringSSL does not support DSA in |EVP_PKEY_CTX|. + // BoringSSL does not support DSA in `EVP_PKEY_CTX`. OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits) { - // BoringSSL does not support DSA in |EVP_PKEY_CTX|. + // BoringSSL does not support DSA in `EVP_PKEY_CTX`. OPENSSL_PUT_ERROR(EVP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } diff --git a/third_party/boringssl/src/crypto/evp/p_ec.cc b/third_party/boringssl/src/crypto/evp/p_ec.cc index ac9a489d..06ef9322 100644 --- a/third_party/boringssl/src/crypto/evp/p_ec.cc +++ b/third_party/boringssl/src/crypto/evp/p_ec.cc @@ -40,7 +40,7 @@ using namespace bssl; namespace { struct EVP_PKEY_ALG_EC : public EVP_PKEY_ALG { - // ec_group returns the |EC_GROUP| for this algorithm. + // ec_group returns the `EC_GROUP` for this algorithm. const EC_GROUP *(*ec_group)(); }; @@ -81,7 +81,7 @@ static bssl::evp_decode_result_t eckey_pub_decode(const EVP_PKEY_ALG *alg, // See RFC 5480, section 2. - // Check that |params| matches |alg|. Only the namedCurve form is allowed. + // Check that `params` matches `alg`. Only the namedCurve form is allowed. const EC_GROUP *group = ec_alg->ec_group(); if (ec_key_parse_curve_name(params, Span(&group, 1)) == nullptr) { if (ERR_equals(ERR_peek_last_error(), ERR_LIB_EC, EC_R_UNKNOWN_GROUP)) { diff --git a/third_party/boringssl/src/crypto/evp/p_ed25519.cc b/third_party/boringssl/src/crypto/evp/p_ed25519.cc index 3ca66b7c..868c9f0c 100644 --- a/third_party/boringssl/src/crypto/evp/p_ed25519.cc +++ b/third_party/boringssl/src/crypto/evp/p_ed25519.cc 
@@ -29,8 +29,8 @@ namespace { struct ED25519_KEY { // key is the concatenation of the private seed and public key. It is stored - // as a single 64-bit array to allow passing to |ED25519_sign|. If - // |has_private| is false, the first 32 bytes are uninitialized and the public + // as a single 64-bit array to allow passing to `ED25519_sign`. If + // `has_private` is false, the first 32 bytes are uninitialized and the public // key is in the last 32 bytes. uint8_t key[64]; bool has_private; diff --git a/third_party/boringssl/src/crypto/evp/p_hkdf.cc b/third_party/boringssl/src/crypto/evp/p_hkdf.cc index 14cb76cb..a45bd6c3 100644 --- a/third_party/boringssl/src/crypto/evp/p_hkdf.cc +++ b/third_party/boringssl/src/crypto/evp/p_hkdf.cc @@ -81,7 +81,7 @@ static int pkey_hkdf_derive(EvpPkeyCtx *ctx, uint8_t *out, size_t *out_len) { if (hctx->mode == EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY) { *out_len = EVP_MD_size(hctx->md); } - // HKDF-Expand is variable-length and returns |*out_len| bytes. "Output" the + // HKDF-Expand is variable-length and returns `*out_len` bytes. "Output" the // input length by leaving it alone. return 1; } @@ -135,7 +135,7 @@ static int pkey_hkdf_ctrl(EvpPkeyCtx *ctx, int type, int p1, void *p2) { } case EVP_PKEY_CTRL_HKDF_INFO: { const auto *info = reinterpret_cast *>(p2); - // |EVP_PKEY_CTX_add1_hkdf_info| appends to the info string, rather than + // `EVP_PKEY_CTX_add1_hkdf_info` appends to the info string, rather than // replacing it. return hctx->info.Append(*info); } diff --git a/third_party/boringssl/src/crypto/evp/p_mldsa.cc b/third_party/boringssl/src/crypto/evp/p_mldsa.cc index 3e4c6627..6fe35644 100644 --- a/third_party/boringssl/src/crypto/evp/p_mldsa.cc +++ b/third_party/boringssl/src/crypto/evp/p_mldsa.cc 
@@ -69,13 +69,13 @@ MAKE_MLDSA_TRAITS(44) MAKE_MLDSA_TRAITS(65) MAKE_MLDSA_TRAITS(87) -// For each ML-DSA variant, the |EvpPkey| must hold a public or private key. +// For each ML-DSA variant, the `EvpPkey` must hold a public or private key. // EVP uses the same type for public and private keys, so the representation // must support both. The private key type contains the public key struct in it, // so we use a pointer to either a PrivateKeyData or // PublicKeyData, with a common base class to dispatch between them. // -// TODO(crbug.com/404286922): In C++20, we need fewer |typename|s in front of +// TODO(crbug.com/404286922): In C++20, we need fewer `typename`s in front of // dependent type names. template @@ -252,8 +252,7 @@ struct MLDSAImplementation { static evp_decode_result_t DecodePublic(const EVP_PKEY_ALG *alg, EvpPkey *out, CBS *params, CBS *key) { - // The parameters must be omitted. See - // draft-ietf-lamps-dilithium-certificates-13, Section 2. + // The parameters must be omitted. See RFC 9881, Section 2. if (CBS_len(params) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return evp_decode_error; @@ -264,7 +263,7 @@ struct MLDSAImplementation { static int EncodePublic(CBB *out, const EvpPkey *pkey) { const auto *pub = GetKeyData(pkey)->GetPublicKey(); - // See draft-ietf-lamps-dilithium-certificates-13, Sections 2 and 4. + // See RFC 9881, Sections 2 and 4. CBB spki, algorithm, key_bitstring; if (!CBB_add_asn1(out, &spki, CBS_ASN1_SEQUENCE) || !CBB_add_asn1(&spki, &algorithm, CBS_ASN1_SEQUENCE) || 
@@ -302,17 +301,16 @@ struct MLDSAImplementation { static evp_decode_result_t DecodePrivate(const EVP_PKEY_ALG *alg, EvpPkey *out, CBS *params, CBS *key) { - // The parameters must be omitted. See - // draft-ietf-lamps-dilithium-certificates-13, Section 2. + // The parameters must be omitted. See RFC 9881, Section 2. if (CBS_len(params) != 0) { OPENSSL_PUT_ERROR(EVP, EVP_R_DECODE_ERROR); return evp_decode_error; } - // See draft-ietf-lamps-dilithium-certificates-13, Section 6. Three - // different encodings were specified, adding complexity to the question of - // whether a private key is valid. We only implement the "seed" - // representation. Give this case a different error for easier diagnostics. + // See RFC 9881, Section 6. Three different encodings were specified, adding + // complexity to the question of whether a private key is valid. We only + // implement the "seed" representation. Give this case a different error for + // easier diagnostics. // // The "expandedKey" representation was a last-minute accommodation for // legacy hardware, which should be updated to use seeds. Supporting it @@ -345,8 +343,7 @@ struct MLDSAImplementation { OPENSSL_PUT_ERROR(EVP, EVP_R_NOT_A_PRIVATE_KEY); return 0; } - // See draft-ietf-lamps-dilithium-certificates-13, Sections 2 and 6. We - // encode only the seed representation. + // See RFC 9881, Sections 2 and 6. We encode only the seed representation. CBB pkcs8, algorithm, private_key; if (!CBB_add_asn1(out, &pkcs8, CBS_ASN1_SEQUENCE) || !CBB_add_asn1_uint64(&pkcs8, 0 /* version */) || diff --git a/third_party/boringssl/src/crypto/evp/p_rsa.cc b/third_party/boringssl/src/crypto/evp/p_rsa.cc index 90038538..91177e65 100644 --- a/third_party/boringssl/src/crypto/evp/p_rsa.cc +++ b/third_party/boringssl/src/crypto/evp/p_rsa.cc 
@@ -90,7 +90,7 @@ static bssl::evp_decode_result_t rsa_pub_decode(const EVP_PKEY_ALG *alg, } static bool rsa_pub_equal(const EvpPkey *a, const EvpPkey *b) { - // We currently assume that all |EVP_PKEY_RSA_PSS| keys have the same + // We currently assume that all `EVP_PKEY_RSA_PSS` keys have the same // parameters, so this vacuously compares parameters. If we ever support // multiple PSS parameter sets, we probably should compare them too. Note, // however, that OpenSSL does not compare parameters here. @@ -418,8 +418,8 @@ struct RSA_PKEY_CTX { // PSS salt length int saltlen = RSA_PSS_SALTLEN_DIGEST; // restrict_pss_params, if true, indicates that the PSS signing/verifying - // parameters are restricted by the key's parameters. |md| and |mgf1md| may - // not change, and |saltlen| must be at least |md|'s hash length. + // parameters are restricted by the key's parameters. `md` and `mgf1md` may + // not change, and `saltlen` must be at least `md`'s hash length. bool restrict_pss_params = false; Array oaep_label; }; @@ -755,7 +755,7 @@ static int pkey_rsa_ctrl(EvpPkeyCtx *ctx, int type, int p1, void *p2) { return 0; } // All our PSS restrictions accept saltlen == hashlen, so allow - // |RSA_PSS_SALTLEN_DIGEST|. Reject |RSA_PSS_SALTLEN_AUTO| for + // `RSA_PSS_SALTLEN_DIGEST`. Reject `RSA_PSS_SALTLEN_AUTO` for // simplicity. if (rctx->restrict_pss_params && p1 != RSA_PSS_SALTLEN_DIGEST) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PSS_SALTLEN); @@ -845,8 +845,8 @@ static int pkey_rsa_ctrl(EvpPkeyCtx *ctx, int type, int p1, void *p2) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PADDING_MODE); return 0; } - // |EVP_PKEY_CTRL_RSA_OAEP_LABEL| takes ownership of |label|'s underlying - // buffer (via |Reset|), but only on success. + // `EVP_PKEY_CTRL_RSA_OAEP_LABEL` takes ownership of `label`'s underlying + // buffer (via `Reset`), but only on success. auto *label = reinterpret_cast *>(p2); rctx->oaep_label.Reset(label->data(), label->size()); return 1; 
@@ -913,11 +913,11 @@ const EVP_PKEY_CTX_METHOD rsa_pss_pkey_meth = { pkey_rsa_init, pkey_rsa_copy, pkey_rsa_cleanup, - // In OpenSSL, |EVP_PKEY_RSA_PSS| supports key generation and fills in PSS + // In OpenSSL, `EVP_PKEY_RSA_PSS` supports key generation and fills in PSS // parameters based on a separate set of keygen-targetted setters: - // |EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen|, - // |EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md|, and - // |EVP_PKEY_CTX_rsa_pss_key_digest|. We do not currently implement this + // `EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen`, + // `EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md`, and + // `EVP_PKEY_CTX_rsa_pss_key_digest`. We do not currently implement this // because we only support one parameter set. /*keygen=*/nullptr, pkey_rsa_sign, @@ -1032,18 +1032,18 @@ int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding) { } int EVP_PKEY_CTX_set_rsa_pss_keygen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - // We currently do not support keygen with |EVP_PKEY_RSA_PSS|. + // We currently do not support keygen with `EVP_PKEY_RSA_PSS`. return 0; } int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int salt_len) { - // We currently do not support keygen with |EVP_PKEY_RSA_PSS|. + // We currently do not support keygen with `EVP_PKEY_RSA_PSS`. return 0; } int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md) { - // We currently do not support keygen with |EVP_PKEY_RSA_PSS|. + // We currently do not support keygen with `EVP_PKEY_RSA_PSS`. return 0; } diff --git a/third_party/boringssl/src/crypto/evp/p_x25519.cc b/third_party/boringssl/src/crypto/evp/p_x25519.cc index db38d26f..91df6f4d 100644 --- a/third_party/boringssl/src/crypto/evp/p_x25519.cc +++ b/third_party/boringssl/src/crypto/evp/p_x25519.cc 
@@ -333,7 +333,7 @@ static int pkey_x25519_derive(EvpPkeyCtx *ctx, uint8_t *out, size_t *out_len) { static int pkey_x25519_ctrl(EvpPkeyCtx *ctx, int type, int p1, void *p2) { switch (type) { case EVP_PKEY_CTRL_PEER_KEY: - // |EVP_PKEY_derive_set_peer| requires the key implement this command, + // `EVP_PKEY_derive_set_peer` requires the key implement this command, // even if it is a no-op. return 1; diff --git a/third_party/boringssl/src/crypto/evp/pbkdf.cc b/third_party/boringssl/src/crypto/evp/pbkdf.cc index 6388876e..8dddbd08 100644 --- a/third_party/boringssl/src/crypto/evp/pbkdf.cc +++ b/third_party/boringssl/src/crypto/evp/pbkdf.cc @@ -16,6 +16,7 @@ #include +#include #include #include "../internal.h" @@ -34,6 +35,10 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, uint32_t i = 1; size_t md_len = EVP_MD_size(digest); + if (key_len > ((uint64_t{1} << 32) - 1) * md_len) { + OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_SECRET_LENGTH); + return 0; + } while (key_len > 0) { size_t todo = md_len; if (todo > key_len) { @@ -77,7 +82,7 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, // value of 0 is an error. // // Unfortunately not all consumers of PKCS5_PBKDF2_HMAC() check their return - // value, expecting it to succeed and unconditionally using |out_key|. As a + // value, expecting it to succeed and unconditionally using `out_key`. As a // precaution for such callsites in external code, the old behavior of // iterations < 1 being treated as iterations == 1 is preserved, but // additionally an error result is returned. diff --git a/third_party/boringssl/src/crypto/evp/print.cc b/third_party/boringssl/src/crypto/evp/print.cc index 2dce12fe..b50f5a37 100644 --- a/third_party/boringssl/src/crypto/evp/print.cc +++ b/third_party/boringssl/src/crypto/evp/print.cc 
@@ -72,7 +72,7 @@ static int bn_print(BIO *bp, const char *name, const BIGNUM *num, int off) { return 0; } - // Print |num| in hex, adding a leading zero, as in ASN.1, if the high bit + // Print `num` in hex, adding a leading zero, as in ASN.1, if the high bit // is set. // // TODO(davidben): Do we need to do this? We already print "(Negative)" above diff --git a/third_party/boringssl/src/crypto/evp/scrypt.cc b/third_party/boringssl/src/crypto/evp/scrypt.cc index 8c229b2e..d1e89a77 100644 --- a/third_party/boringssl/src/crypto/evp/scrypt.cc +++ b/third_party/boringssl/src/crypto/evp/scrypt.cc @@ -26,8 +26,8 @@ // // Note scrypt refers to both "blocks" and a "block size" parameter, r. These // are two different notions of blocks. A Salsa20 block is 64 bytes long, -// represented in this implementation by 16 |uint32_t|s. |r| determines the -// number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * |r| +// represented in this implementation by 16 `uint32_t`s. `r` determines the +// number of 64-byte Salsa20 blocks in a scryptBlockMix block, which is 2 * `r` // Salsa20 blocks. This implementation refers to them as Salsa20 blocks and // scrypt blocks, respectively. @@ -41,7 +41,7 @@ typedef struct { static_assert(sizeof(block_t) == 64, "block_t has padding"); // salsa208_word_specification implements the Salsa20/8 core function, also -// described in RFC 7914, section 3. It modifies the block at |inout| +// described in RFC 7914, section 3. It modifies the block at `inout` // in-place. static void salsa208_word_specification(block_t *inout) { block_t x; @@ -87,7 +87,7 @@ static void salsa208_word_specification(block_t *inout) { } } -// xor_block sets |*out| to be |*a| XOR |*b|. +// xor_block sets `*out` to be `*a` XOR `*b`. static void xor_block(block_t *out, const block_t *a, const block_t *b) { for (size_t i = 0; i < 16; i++) { out->words[i] = a->words[i] ^ b->words[i]; 
@@ -95,8 +95,8 @@ static void xor_block(block_t *out, const block_t *a, const block_t *b) { } // scryptBlockMix implements the function described in RFC 7914, section 4. B' -// is written to |out|. |out| and |B| may not alias and must be each one scrypt -// block (2 * |r| Salsa20 blocks) long. +// is written to `out`. `out` and `B` may not alias and must be each one scrypt +// block (2 * `r` Salsa20 blocks) long. static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) { assert(out != B); @@ -111,11 +111,11 @@ static void scryptBlockMix(block_t *out, const block_t *B, uint64_t r) { } } -// scryptROMix implements the function described in RFC 7914, section 5. |B| is -// an scrypt block (2 * |r| Salsa20 blocks) and is modified in-place. |T| and -// |V| are scratch space allocated by the caller. |T| must have space for one -// scrypt block (2 * |r| Salsa20 blocks). |V| must have space for |N| scrypt -// blocks (2 * |r| * |N| Salsa20 blocks). +// scryptROMix implements the function described in RFC 7914, section 5. `B` is +// an scrypt block (2 * `r` Salsa20 blocks) and is modified in-place. `T` and +// `V` are scratch space allocated by the caller. `T` must have space for one +// scrypt block (2 * `r` Salsa20 blocks). `V` must have space for `N` scrypt +// blocks (2 * `r` * `N` Salsa20 blocks). static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, block_t *V) { // Steps 1 and 2. @@ -128,7 +128,7 @@ static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, // Step 3. for (uint64_t i = 0; i < N; i++) { - // Note this assumes |N| <= 2^32 and is a power of 2. + // Note this assumes `N` <= 2^32 and is a power of 2. uint32_t j = B[2 * r - 1].words[0] & (N - 1); for (size_t k = 0; k < 2 * r; k++) { xor_block(&T[k], &B[k], &V[2 * r * j + k]); 
@@ -146,7 +146,7 @@ static void scryptROMix(block_t *B, uint64_t r, uint64_t N, block_t *T, #define SCRYPT_PR_MAX ((1 << 30) - 1) // SCRYPT_MAX_MEM is the default maximum memory that may be allocated by -// |EVP_PBE_scrypt|. +// `EVP_PBE_scrypt`. #define SCRYPT_MAX_MEM (1024 * 1024 * 65) int EVP_PBE_scrypt(const char *password, size_t password_len, @@ -154,18 +154,18 @@ int EVP_PBE_scrypt(const char *password, size_t password_len, uint64_t p, size_t max_mem, uint8_t *out_key, size_t key_len) { if (r == 0 || p == 0 || p > SCRYPT_PR_MAX / r || - // |N| must be a power of two. + // `N` must be a power of two. N < 2 || (N & (N - 1)) || - // We only support |N| <= 2^32 in |scryptROMix|. + // We only support `N` <= 2^32 in `scryptROMix`. N > UINT64_C(1) << 32 || - // Check that |N| < 2^(128×r / 8). + // Check that `N` < 2^(128×r / 8). (16 * r <= 63 && N >= UINT64_C(1) << (16 * r))) { OPENSSL_PUT_ERROR(EVP, EVP_R_INVALID_PARAMETERS); return 0; } - // Determine the amount of memory needed. B, T, and V are |p|, 1, and |N| - // scrypt blocks, respectively. Each scrypt block is 2*|r| |block_t|s. + // Determine the amount of memory needed. B, T, and V are `p`, 1, and `N` + // scrypt blocks, respectively. Each scrypt block is 2*`r` `block_t`s. if (max_mem == 0) { max_mem = SCRYPT_MAX_MEM; } @@ -176,7 +176,7 @@ int EVP_PBE_scrypt(const char *password, size_t password_len, return 0; } - // Allocate and divide up the scratch space. |max_mem| fits in a size_t, which + // Allocate and divide up the scratch space. `max_mem` fits in a size_t, which // is no bigger than uint64_t, so none of these operations may overflow. static_assert(UINT64_MAX >= SIZE_MAX, "size_t exceeds uint64_t"); size_t B_blocks = p * 2 * r; 
@@ -194,7 +194,7 @@ int EVP_PBE_scrypt(const char *password, size_t password_len, block_t *V = T + T_blocks; // NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure - // or |iterations| of 0 (we pass 1 here). This is consistent with + // or `iterations` of 0 (we pass 1 here). This is consistent with // the documented failure conditions of EVP_PBE_scrypt. if (!PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, 1, EVP_sha256(), B_bytes, (uint8_t *)B)) { diff --git a/third_party/boringssl/src/crypto/evp/sign.cc b/third_party/boringssl/src/crypto/evp/sign.cc index e14acc4e..afccef5b 100644 --- a/third_party/boringssl/src/crypto/evp/sign.cc +++ b/third_party/boringssl/src/crypto/evp/sign.cc @@ -36,7 +36,7 @@ int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { int EVP_SignFinal(const EVP_MD_CTX *ctx, uint8_t *sig, unsigned *out_sig_len, EVP_PKEY *pkey) { - // Ensure the final result will fit in |unsigned|. + // Ensure the final result will fit in `unsigned`. size_t sig_len = EVP_PKEY_size(pkey); if (sig_len > UINT_MAX) { sig_len = UINT_MAX; diff --git a/third_party/boringssl/src/crypto/ex_data.cc b/third_party/boringssl/src/crypto/ex_data.cc index ea66bc6d..c3ea1f5c 100644 --- a/third_party/boringssl/src/crypto/ex_data.cc +++ b/third_party/boringssl/src/crypto/ex_data.cc @@ -33,8 +33,8 @@ struct ExDataFuncs { long argl; // Arbitrary long void *argp; // Arbitrary void pointer CRYPTO_EX_free *free_func; - // next points to the next |ExDataFuncs| or NULL if this is the last - // one. It may only be read if synchronized with a read from |num_funcs|. + // next points to the next `ExDataFuncs` or NULL if this is the last + // one. It may only be read if synchronized with a read from `num_funcs`. ExDataFuncs *next; }; 
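Review bot: The comment kept in the `@@ -194,7 +194,7 @@` hunk of scrypt.cc still says PKCS5_PBKDF2_HMAC can only fail on allocation failure or an `iterations` of 0, but the pbkdf.cc change in this same commit adds a third failure, EVP_R_INVALID_SECRET_LENGTH for an over-long output length. For this call the earlier `p > SCRYPT_PR_MAX / r` check appears to keep B_bytes under that limit, so the conclusion probably still holds, but the comment should say so, e.g. `// NOTE: PKCS5_PBKDF2_HMAC can only fail due to allocation failure, an over-long output (excluded by the SCRYPT_PR_MAX check), or iterations of 0 (we pass 1 here).` EVP_PBE_scrypt continues outside the hunk, so any later PBKDF2 call that uses the caller's key_len is not visible here and should be checked against the documented failure conditions as well.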
@@ -53,13 +53,13 @@ int CRYPTO_get_ex_new_index_ex(ExDataClass *ex_data_class, long argl, MutexWriteLock lock(&ex_data_class->lock); uint32_t num_funcs = ex_data_class->num_funcs.load(); - // The index must fit in |int|. + // The index must fit in `int`. if (num_funcs > (size_t)(INT_MAX - ex_data_class->num_reserved)) { OPENSSL_PUT_ERROR(CRYPTO, ERR_R_OVERFLOW); return -1; } - // Append |funcs| to the linked list. + // Append `funcs` to the linked list. if (ex_data_class->last == nullptr) { assert(num_funcs == 0); ex_data_class->funcs = funcs; @@ -76,8 +76,8 @@ int CRYPTO_get_ex_new_index_ex(ExDataClass *ex_data_class, long argl, int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val) { if (index < 0) { // A caller that can accidentally pass in an invalid index into this - // function will hit an memory error if |index| happened to be valid, and - // expected |val| to be of a different type. + // function will hit an memory error if `index` happened to be valid, and + // expected `val` to be of a different type. abort(); } @@ -115,11 +115,11 @@ void CRYPTO_free_ex_data(ExDataClass *ex_data_class, CRYPTO_EX_DATA *ad) { } uint32_t num_funcs = ex_data_class->num_funcs.load(); - // |CRYPTO_get_ex_new_index_ex| will not allocate indices beyond |INT_MAX|. + // `CRYPTO_get_ex_new_index_ex` will not allocate indices beyond `INT_MAX`. assert(num_funcs <= (size_t)(INT_MAX - ex_data_class->num_reserved)); - // Defer dereferencing |ex_data_class->funcs| and |funcs->next|. It must come - // after the |num_funcs| comparison to be correctly synchronized. + // Defer dereferencing `ex_data_class->funcs` and `funcs->next`. It must come + // after the `num_funcs` comparison to be correctly synchronized. ExDataFuncs *const *funcs = &ex_data_class->funcs; for (uint32_t i = 0; i < num_funcs; i++) { if ((*funcs)->free_func != nullptr) { 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/aes.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/aes/aes.cc.inc index 56a110f3..f18906b0 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/aes.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/aes.cc.inc @@ -21,9 +21,9 @@ using namespace bssl; // Be aware that different sets of AES functions use incompatible key -// representations, varying in format of the key schedule, the |AES_KEY.rounds| +// representations, varying in format of the key schedule, the `AES_KEY.rounds` // value, or both. Therefore they cannot mix. Also, on AArch64, the plain-C -// code, above, is incompatible with the |aes_hw_*| functions. +// code, above, is incompatible with the `aes_hw_*` functions. bcm_infallible bssl::BCM_aes_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key) { @@ -84,8 +84,8 @@ bcm_status bssl::BCM_aes_set_decrypt_key(const uint8_t *key, unsigned bits, } #if defined(HWAES) && (defined(OPENSSL_X86) || defined(OPENSSL_X86_64)) -// On x86 and x86_64, |aes_hw_set_decrypt_key|, we implement -// |aes_hw_encrypt_key_to_decrypt_key| in assembly and rely on C code to combine +// On x86 and x86_64, `aes_hw_set_decrypt_key`, we implement +// `aes_hw_encrypt_key_to_decrypt_key` in assembly and rely on C code to combine // the operations. int bssl::aes_hw_set_decrypt_key(const uint8_t *user_key, int bits, AES_KEY *key) { @@ -107,7 +107,7 @@ int bssl::aes_hw_set_encrypt_key(const uint8_t *user_key, int bits, #endif #if defined(VPAES) && defined(OPENSSL_X86) -// On x86, there is no |vpaes_ctr32_encrypt_blocks|, so we implement it +// On x86, there is no `vpaes_ctr32_encrypt_blocks`, so we implement it // ourselves. This avoids all callers needing to account for a missing function. void bssl::vpaes_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, size_t blocks, const AES_KEY *key, 
@@ -131,7 +131,7 @@ void bssl::vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, uint8_t *out, size_t blocks, const AES_KEY *key, const uint8_t ivec[16]) { - // |bsaes_ctr32_encrypt_blocks| is faster than |vpaes_ctr32_encrypt_blocks|, + // `bsaes_ctr32_encrypt_blocks` is faster than `vpaes_ctr32_encrypt_blocks`, // but it takes at least one full 8-block batch to amortize the conversion. if (blocks < 8) { vpaes_ctr32_encrypt_blocks(in, out, blocks, key, ivec); @@ -140,9 +140,9 @@ void bssl::vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, size_t bsaes_blocks = blocks; if (bsaes_blocks % 8 < 6) { - // |bsaes_ctr32_encrypt_blocks| internally works in 8-block batches. If the + // `bsaes_ctr32_encrypt_blocks` internally works in 8-block batches. If the // final batch is too small (under six blocks), it is faster to loop over - // |vpaes_encrypt|. Round |bsaes_blocks| down to a multiple of 8. + // `vpaes_encrypt`. Round `bsaes_blocks` down to a multiple of 8. bsaes_blocks -= bsaes_blocks % 8; } @@ -160,7 +160,7 @@ void bssl::vpaes_ctr32_encrypt_blocks_with_bsaes(const uint8_t *in, uint32_t ctr = CRYPTO_load_u32_be(ivec + 12) + bsaes_blocks; CRYPTO_store_u32_be(new_ivec + 12, ctr); - // Finish any remaining blocks with |vpaes_ctr32_encrypt_blocks|. + // Finish any remaining blocks with `vpaes_ctr32_encrypt_blocks`. vpaes_ctr32_encrypt_blocks(in, out, blocks, key, new_ivec); } #endif // BSAES diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/aes_nohw.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/aes/aes_nohw.cc.inc index 20f6a6ba..0c312510 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/aes_nohw.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/aes_nohw.cc.inc 
@@ -45,18 +45,18 @@ using namespace bssl; // shifts match the operations themselves, which makes them reversed in a // little-endian, left-to-right reading. // -// Eight |aes_word_t|s contain |AES_NOHW_BATCH_SIZE| blocks. The bits in an -// |aes_word_t| are divided into 16 consecutive groups of |AES_NOHW_BATCH_SIZE| +// Eight `aes_word_t`s contain `AES_NOHW_BATCH_SIZE` blocks. The bits in an +// `aes_word_t` are divided into 16 consecutive groups of `AES_NOHW_BATCH_SIZE` // bits each, each corresponding to a byte in an AES block in column-major // order (AES's byte order). We refer to these as "logical bytes". Note, in the // 32-bit and 64-bit implementations, they are smaller than a byte. (The // contents of a logical byte will be described later.) // -// MSVC does not support C bit operators on |__m128i|, so the wrapper functions -// |aes_nohw_and|, etc., should be used instead. Note |aes_nohw_shift_left| and -// |aes_nohw_shift_right| measure the shift in logical bytes. That is, the shift -// value ranges from 0 to 15 independent of |aes_word_t| and -// |AES_NOHW_BATCH_SIZE|. +// MSVC does not support C bit operators on `__m128i`, so the wrapper functions +// `aes_nohw_and`, etc., should be used instead. Note `aes_nohw_shift_left` and +// `aes_nohw_shift_right` measure the shift in logical bytes. That is, the shift +// value ranges from 0 to 15 independent of `aes_word_t` and +// `AES_NOHW_BATCH_SIZE`. // // This ordering is different from https://eprint.iacr.org/2009/129.pdf, which // uses row-major order. Matching the AES order was easier to reason about, and 
@@ -100,7 +100,7 @@ static aes_word_t aes_nohw_not(aes_word_t a) { a, _mm_set_epi32(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff)); } -// These are macros because parameters to |_mm_slli_si128| and |_mm_srli_si128| +// These are macros because parameters to `_mm_slli_si128` and `_mm_srli_si128` // must be constants. #define aes_nohw_shift_left(/* aes_word_t */ a, /* const */ i) \ _mm_slli_si128((a), (i)) @@ -158,8 +158,8 @@ static_assert(AES_NOHW_WORD_SIZE == sizeof(aes_word_t), // // This implementation uses three representations for AES blocks. First, the // public API represents blocks as uint8_t[16] in the usual way. Second, most -// AES steps are evaluated in bitsliced form, stored in an |AES_NOHW_BATCH|. -// This stores |AES_NOHW_BATCH_SIZE| blocks in bitsliced order. For 64-bit words +// AES steps are evaluated in bitsliced form, stored in an `AES_NOHW_BATCH`. +// This stores `AES_NOHW_BATCH_SIZE` blocks in bitsliced order. For 64-bit words // containing bitsliced blocks a, b, c, d, this would be as follows (vertical // bars divide logical bytes): // 
@@ -172,10 +172,10 @@ static_assert(AES_NOHW_WORD_SIZE == sizeof(aes_word_t), // Finally, an individual block may be stored as an intermediate form in an // aes_word_t[AES_NOHW_BLOCK_WORDS]. In this form, we permute the bits in each // block, so that block[0]'s ith logical byte contains least-significant -// |AES_NOHW_BATCH_SIZE| bits of byte i, block[1] contains the next group of -// |AES_NOHW_BATCH_SIZE| bits, and so on. We refer to this transformation as +// `AES_NOHW_BATCH_SIZE` bits of byte i, block[1] contains the next group of +// `AES_NOHW_BATCH_SIZE` bits, and so on. We refer to this transformation as // "compacting" the block. Note this is no-op with 128-bit words because then -// |AES_NOHW_BLOCK_WORDS| is one and |AES_NOHW_BATCH_SIZE| is eight. For 64-bit +// `AES_NOHW_BLOCK_WORDS` is one and `AES_NOHW_BATCH_SIZE` is eight. For 64-bit // words, one block would be stored in two words: // // block[0] = a0 a1 a2 a3 | a8 a9 a10 a11 | a16 a17 a18 a19 ... 
@@ -197,40 +197,40 @@ static_assert(AES_NOHW_WORD_SIZE == sizeof(aes_word_t), // batch.w[3] = a3 b3 c3 d3 | a11 b11 c11 d11 | a19 b19 c19 d19 ... // // Note also that bitwise operations and (logical) byte permutations on an -// |aes_word_t| work equally for the bitsliced and compact words. +// `aes_word_t` work equally for the bitsliced and compact words. // -// We use the compact form in the |AES_KEY| representation to save work -// inflating round keys into |AES_NOHW_BATCH|. The compact form also exists -// temporarily while moving blocks in or out of an |AES_NOHW_BATCH|, immediately -// before or after |aes_nohw_transpose|. +// We use the compact form in the `AES_KEY` representation to save work +// inflating round keys into `AES_NOHW_BATCH`. The compact form also exists +// temporarily while moving blocks in or out of an `AES_NOHW_BATCH`, immediately +// before or after `aes_nohw_transpose`. #define AES_NOHW_BLOCK_WORDS (16 / sizeof(aes_word_t)) -// An AES_NOHW_BATCH stores |AES_NOHW_BATCH_SIZE| blocks. Unless otherwise +// An AES_NOHW_BATCH stores `AES_NOHW_BATCH_SIZE` blocks. Unless otherwise // specified, it is in bitsliced form. typedef struct { aes_word_t w[8]; } AES_NOHW_BATCH; // An AES_NOHW_SCHEDULE is an expanded bitsliced AES key schedule. It is -// suitable for encryption or decryption. It is as large as |AES_NOHW_BATCH| -// |AES_KEY|s so it should not be used as a long-term key representation. +// suitable for encryption or decryption. It is as large as `AES_NOHW_BATCH` +// `AES_KEY`s so it should not be used as a long-term key representation. typedef struct { // keys is an array of batches, one for each round key. Each batch stores - // |AES_NOHW_BATCH_SIZE| copies of the round key in bitsliced form. + // `AES_NOHW_BATCH_SIZE` copies of the round key in bitsliced form. AES_NOHW_BATCH keys[AES_MAXNR + 1]; } AES_NOHW_SCHEDULE; -// aes_nohw_batch_set sets the |i|th block of |batch| to |in|. 
|batch| is in +// aes_nohw_batch_set sets the `i`th block of `batch` to `in`. `batch` is in // compact form. static void aes_nohw_batch_set(AES_NOHW_BATCH *batch, const aes_word_t in[AES_NOHW_BLOCK_WORDS], size_t i) { - // Note the words are interleaved. The order comes from |aes_nohw_transpose|. - // If |i| is zero and this is the 64-bit implementation, in[0] contains bits + // Note the words are interleaved. The order comes from `aes_nohw_transpose`. + // If `i` is zero and this is the 64-bit implementation, in[0] contains bits // 0-3 and in[1] contains bits 4-7. We place in[0] at w[0] and in[1] at // w[4] so that bits 0 and 4 are in the correct position. (In general, bits - // along diagonals of |AES_NOHW_BATCH_SIZE| by |AES_NOHW_BATCH_SIZE| squares + // along diagonals of `AES_NOHW_BATCH_SIZE` by `AES_NOHW_BATCH_SIZE` squares // will be correctly placed.) assert(i < AES_NOHW_BATCH_SIZE); #if defined(OPENSSL_SSE2) @@ -246,7 +246,7 @@ static void aes_nohw_batch_set(AES_NOHW_BATCH *batch, #endif } -// aes_nohw_batch_get writes the |i|th block of |batch| to |out|. |batch| is in +// aes_nohw_batch_get writes the `i`th block of `batch` to `out`. `batch` is in // compact form. static void aes_nohw_batch_get(const AES_NOHW_BATCH *batch, aes_word_t out[AES_NOHW_BLOCK_WORDS], size_t i) { @@ -265,8 +265,8 @@ static void aes_nohw_batch_get(const AES_NOHW_BATCH *batch, } #if !defined(OPENSSL_SSE2) -// aes_nohw_delta_swap returns |a| with bits |a & mask| and -// |a & (mask << shift)| swapped. |mask| and |mask << shift| may not overlap. +// aes_nohw_delta_swap returns `a` with bits |a & mask| and +// |a & (mask << shift)| swapped. `mask` and |mask << shift| may not overlap. static aes_word_t aes_nohw_delta_swap(aes_word_t a, aes_word_t mask, aes_word_t shift) { // See 
@@ -276,8 +276,8 @@ static aes_word_t aes_nohw_delta_swap(aes_word_t a, aes_word_t mask, } // In the 32-bit and 64-bit implementations, a block spans multiple words. -// |aes_nohw_compact_block| must permute bits across different words. First we -// implement |aes_nohw_compact_word| which performs a smaller version of the +// `aes_nohw_compact_block` must permute bits across different words. First we +// implement `aes_nohw_compact_word` which performs a smaller version of the // transformation which stays within a single word. // // These transformations are generalizations of the output of @@ -301,7 +301,7 @@ static uint64_t aes_nohw_compact_word(uint64_t a) { } static uint64_t aes_nohw_uncompact_word(uint64_t a) { - // Reverse the steps of |aes_nohw_uncompact_word|. + // Reverse the steps of `aes_nohw_uncompact_word`. a = aes_nohw_delta_swap(a, UINT64_C(0x00000000ffff0000), 16); a = aes_nohw_delta_swap(a, UINT64_C(0x0000ff000000ff00), 8); a = aes_nohw_delta_swap(a, UINT64_C(0x00f000f000f000f0), 4); @@ -324,7 +324,7 @@ static uint32_t aes_nohw_compact_word(uint32_t a) { } static uint32_t aes_nohw_uncompact_word(uint32_t a) { - // Reverse the steps of |aes_nohw_uncompact_word|. + // Reverse the steps of `aes_nohw_uncompact_word`. a = aes_nohw_delta_swap(a, 0x0000f0f0, 12); a = aes_nohw_delta_swap(a, 0x00cc00cc, 6); return a; 
@@ -406,11 +406,11 @@ static void aes_nohw_uncompact_block( } // aes_nohw_swap_bits is a variation on a delta swap. It swaps the bits in -// |*a & (mask << shift)| with the bits in |*b & mask|. |mask| and -// |mask << shift| must not overlap. |mask| is specified as a |uint32_t|, but it -// is repeated to the full width of |aes_word_t|. +// `*a & (mask << shift)` with the bits in `*b & mask`. `mask` and +// `mask << shift` must not overlap. `mask` is specified as a `uint32_t`, but it +// is repeated to the full width of `aes_word_t`. #if defined(OPENSSL_SSE2) -// This must be a macro because |_mm_srli_epi32| and |_mm_slli_epi32| require +// This must be a macro because `_mm_srli_epi32` and `_mm_slli_epi32` require // constant shift values. #define aes_nohw_swap_bits(/*__m128i* */ a, /*__m128i* */ b, \ /* uint32_t */ mask, /* const */ shift) \ @@ -437,7 +437,7 @@ static void aes_nohw_swap_bits(aes_word_t *a, aes_word_t *b, uint32_t mask, } #endif // OPENSSL_SSE2 -// aes_nohw_transpose converts |batch| to and from bitsliced form. It divides +// aes_nohw_transpose converts `batch` to and from bitsliced form. It divides // the 8 × word_size bits into AES_NOHW_BATCH_SIZE × AES_NOHW_BATCH_SIZE squares // and transposes each square. static void aes_nohw_transpose(AES_NOHW_BATCH *batch) { @@ -464,8 +464,8 @@ static void aes_nohw_transpose(AES_NOHW_BATCH *batch) { #endif } -// aes_nohw_to_batch initializes |out| with the |num_blocks| blocks from |in|. -// |num_blocks| must be at most |AES_NOHW_BATCH|. +// aes_nohw_to_batch initializes `out` with the `num_blocks` blocks from `in`. +// `num_blocks` must be at most `AES_NOHW_BATCH`. static void aes_nohw_to_batch(AES_NOHW_BATCH *out, const uint8_t *in, size_t num_blocks) { // Don't leave unused blocks uninitialized. 
@@ -480,8 +480,8 @@ static void aes_nohw_to_batch(AES_NOHW_BATCH *out, const uint8_t *in, aes_nohw_transpose(out); } -// aes_nohw_to_batch writes the first |num_blocks| blocks in |batch| to |out|. -// |num_blocks| must be at most |AES_NOHW_BATCH|. +// aes_nohw_to_batch writes the first `num_blocks` blocks in `batch` to `out`. +// `num_blocks` must be at most `AES_NOHW_BATCH`. static void aes_nohw_from_batch(uint8_t *out, size_t num_blocks, const AES_NOHW_BATCH *batch) { AES_NOHW_BATCH copy = *batch; @@ -696,8 +696,8 @@ static void aes_nohw_inv_sub_bytes(AES_NOHW_BATCH *batch) { aes_nohw_sub_bytes_inv_affine(batch); } -// aes_nohw_rotate_cols_right returns |v| with the columns in each row rotated -// to the right by |n|. This is a macro because |aes_nohw_shift_*| require +// aes_nohw_rotate_cols_right returns `v` with the columns in each row rotated +// to the right by `n`. This is a macro because `aes_nohw_shift_*` require // constant shift counts in the SSE2 implementation. #define aes_nohw_rotate_cols_right(/* aes_word_t */ v, /* const */ n) \ (aes_nohw_or(aes_nohw_shift_right((v), (n)*4), \ @@ -729,7 +729,7 @@ static void aes_nohw_inv_shift_rows(AES_NOHW_BATCH *batch) { } } -// aes_nohw_rotate_rows_down returns |v| with the rows in each column rotated +// aes_nohw_rotate_rows_down returns `v` with the rows in each column rotated // down by one. static aes_word_t aes_nohw_rotate_rows_down(aes_word_t v) { #if defined(OPENSSL_SSE2) @@ -742,7 +742,7 @@ static aes_word_t aes_nohw_rotate_rows_down(aes_word_t v) { #endif } -// aes_nohw_rotate_rows_twice returns |v| with the rows in each column rotated +// aes_nohw_rotate_rows_twice returns `v` with the rows in each column rotated // by two. static aes_word_t aes_nohw_rotate_rows_twice(aes_word_t v) { #if defined(OPENSSL_SSE2) 
@@ -910,8 +910,8 @@ static void aes_nohw_expand_round_keys(AES_NOHW_SCHEDULE *out, static const uint8_t aes_nohw_rcon[10] = {0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36}; -// aes_nohw_rcon_slice returns the |i|th group of |AES_NOHW_BATCH_SIZE| bits in -// |rcon|, stored in a |aes_word_t|. +// aes_nohw_rcon_slice returns the `i`th group of `AES_NOHW_BATCH_SIZE` bits in +// `rcon`, stored in a `aes_word_t`. static aes_word_t aes_nohw_rcon_slice(uint8_t rcon, size_t i) { rcon = (rcon >> (i * AES_NOHW_BATCH_SIZE)) & ((1 << AES_NOHW_BATCH_SIZE) - 1); #if defined(OPENSSL_SSE2) @@ -944,7 +944,7 @@ static void aes_nohw_setup_key_128(AES_KEY *key, const uint8_t in[16]) { aes_nohw_sub_block(sub, block); uint8_t rcon = aes_nohw_rcon[i - 1]; for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) { - // Incorporate |rcon| and the transformed word into the first word. + // Incorporate `rcon` and the transformed word into the first word. block[j] = aes_nohw_xor(block[j], aes_nohw_rcon_slice(rcon, j)); block[j] = aes_nohw_xor( block[j], @@ -971,9 +971,9 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { // We maintain a sliding window of two blocks, filled to 1.5 blocks at a time. // We loop below every three blocks or two key schedule iterations. // - // On entry to the loop, |block1| and the first half of |block2| contain the - // previous key schedule iteration. |block1| has been written to |key|, but - // |block2| has not as it is incomplete. + // On entry to the loop, `block1` and the first half of `block2` contain the + // previous key schedule iteration. `block1` has been written to `key`, but + // `block2` has not as it is incomplete. aes_nohw_compact_block(block1, in); memcpy(key->rd_key, block1, 16); 
@@ -987,17 +987,17 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { uint8_t rcon = aes_nohw_rcon[2 * i]; for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) { // Compute the first two words of the next key schedule iteration, which - // go in the second half of |block2|. The first two words of the previous - // iteration are in the first half of |block1|. Apply |rcon| here too + // go in the second half of `block2`. The first two words of the previous + // iteration are in the first half of `block1`. Apply `rcon` here too // because the shifts match. block2[j] = aes_nohw_or( block2[j], aes_nohw_shift_left( aes_nohw_xor(block1[j], aes_nohw_rcon_slice(rcon, j)), 8)); // Incorporate the transformed word and propagate. Note the last word of - // the previous iteration corresponds to the second word of |copy|. This + // the previous iteration corresponds to the second word of `copy`. This // is incorporated into the first word of the next iteration, or the third - // word of |block2|. + // word of `block2`. block2[j] = aes_nohw_xor( block2[j], aes_nohw_and(aes_nohw_shift_left( aes_nohw_rotate_rows_down(sub[j]), 4), 
@@ -1006,12 +1006,12 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { block2[j], aes_nohw_and(aes_nohw_shift_left(block2[j], 4), AES_NOHW_COL3_MASK)); - // Compute the remaining four words, which fill |block1|. Begin by moving + // Compute the remaining four words, which fill `block1`. Begin by moving // the corresponding words of the previous iteration: the second half of - // |block1| and the first half of |block2|. + // `block1` and the first half of `block2`. block1[j] = aes_nohw_shift_right(block1[j], 8); block1[j] = aes_nohw_or(block1[j], aes_nohw_shift_left(block2[j], 8)); - // Incorporate the second word, computed previously in |block2|, and + // Incorporate the second word, computed previously in `block2`, and // propagate. block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_right(block2[j], 12)); aes_word_t v = block1[j]; @@ -1020,7 +1020,7 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_left(v, 12)); } - // This completes two round keys. Note half of |block2| was computed in the + // This completes two round keys. Note half of `block2` was computed in the // previous loop iteration but was not yet output. memcpy(key->rd_key + 4 * (3 * i + 1), block2, 16); memcpy(key->rd_key + 4 * (3 * i + 2), block1, 16); 
@@ -1029,12 +1029,12 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { rcon = aes_nohw_rcon[2 * i + 1]; for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) { // Compute the first four words of the next key schedule iteration in - // |block2|. Begin by moving the corresponding words of the previous - // iteration: the second half of |block2| and the first half of |block1|. + // `block2`. Begin by moving the corresponding words of the previous + // iteration: the second half of `block2` and the first half of `block1`. block2[j] = aes_nohw_shift_right(block2[j], 8); block2[j] = aes_nohw_or(block2[j], aes_nohw_shift_left(block1[j], 8)); // Incorporate rcon and the transformed word. Note the last word of the - // previous iteration corresponds to the last word of |copy|. + // previous iteration corresponds to the last word of `copy`. block2[j] = aes_nohw_xor(block2[j], aes_nohw_rcon_slice(rcon, j)); block2[j] = aes_nohw_xor( block2[j], @@ -1045,9 +1045,9 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 8)); block2[j] = aes_nohw_xor(block2[j], aes_nohw_shift_left(v, 12)); - // Compute the last two words, which go in the first half of |block1|. The + // Compute the last two words, which go in the first half of `block1`. The // last two words of the previous iteration are in the second half of - // |block1|. + // `block1`. block1[j] = aes_nohw_shift_right(block1[j], 8); // Propagate blocks and mask off the excess. block1[j] = aes_nohw_xor(block1[j], aes_nohw_shift_right(block2[j], 12)); @@ -1055,7 +1055,7 @@ static void aes_nohw_setup_key_192(AES_KEY *key, const uint8_t in[24]) { block1[j] = aes_nohw_and(block1[j], AES_NOHW_COL01_MASK); } - // |block2| has a complete round key. |block1| will be completed in the next + // `block2` has a complete round key. `block1` will be completed in the next // iteration. memcpy(key->rd_key + 4 * (3 * i + 3), block2, 16); 
@@ -1082,7 +1082,7 @@ static void aes_nohw_setup_key_256(AES_KEY *key, const uint8_t in[32]) { aes_nohw_sub_block(sub, block2); uint8_t rcon = aes_nohw_rcon[i / 2 - 1]; for (size_t j = 0; j < AES_NOHW_BLOCK_WORDS; j++) { - // Incorporate |rcon| and the transformed word into the first word. + // Incorporate `rcon` and the transformed word into the first word. block1[j] = aes_nohw_xor(block1[j], aes_nohw_rcon_slice(rcon, j)); block1[j] = aes_nohw_xor( block1[j], @@ -1178,7 +1178,7 @@ void bssl::aes_nohw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, AES_NOHW_SCHEDULE sched; aes_nohw_expand_round_keys(&sched, key); - // Make |AES_NOHW_BATCH_SIZE| copies of |ivec|. + // Make `AES_NOHW_BATCH_SIZE` copies of `ivec`. alignas(AES_NOHW_WORD_SIZE) uint8_t ivs[AES_NOHW_BATCH_SIZE * 16]; alignas(AES_NOHW_WORD_SIZE) uint8_t enc_ivs[AES_NOHW_BATCH_SIZE * 16]; for (size_t i = 0; i < AES_NOHW_BATCH_SIZE; i++) { diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/cbc.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/aes/cbc.cc.inc index aa9b759a..5ed6373e 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/cbc.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/cbc.cc.inc @@ -26,7 +26,7 @@ void bssl::CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, block128_f block) { assert(key != nullptr && ivec != nullptr); if (len == 0) { - // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C. + // Avoid `ivec` == `iv` in the `memcpy` below, which is not legal in C. return; } @@ -67,7 +67,7 @@ void bssl::CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, block128_f block) { assert(key != nullptr && ivec != nullptr); if (len == 0) { - // Avoid |ivec| == |iv| in the |memcpy| below, which is not legal in C. + // Avoid `ivec` == `iv` in the `memcpy` below, which is not legal in C. return; } 
@@ -75,13 +75,13 @@ void bssl::CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, const uintptr_t inptr = (uintptr_t) in; const uintptr_t outptr = (uintptr_t) out; - // If |in| and |out| alias, |in| must be ahead. + // If `in` and `out` alias, `in` must be ahead. assert(inptr >= outptr || inptr + len <= outptr); size_t n; alignas(16) uint8_t tmp[16]; if ((inptr >= 32 && outptr <= inptr - 32) || inptr < outptr) { - // If |out| is at least two blocks behind |in| or completely disjoint, there + // If `out` is at least two blocks behind `in` or completely disjoint, there // is no need to decrypt to a temporary block. const uint8_t *iv = ivec; while (len >= 16) { diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/gcm.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/aes/gcm.cc.inc index 73beb8b3..0e6f7719 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/gcm.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/gcm.cc.inc @@ -26,7 +26,7 @@ using namespace bssl; // kSizeTWithoutLower4Bits is a mask that can be used to zero the lower four -// bits of a |size_t|. +// bits of a `size_t`. static const size_t kSizeTWithoutLower4Bits = (size_t) -16; @@ -79,7 +79,7 @@ void bssl::gcm_init_ssse3(u128 Htable[16], const uint64_t H[2]) { Htable[14].hi = V.hi ^ Htable[6].hi, Htable[14].lo = V.lo ^ Htable[6].lo; Htable[15].hi = V.hi ^ Htable[7].hi, Htable[15].lo = V.lo ^ Htable[7].lo; - // Treat |Htable| as a 16x16 byte table and transpose it. Thus, Htable[i] + // Treat `Htable` as a 16x16 byte table and transpose it. Thus, Htable[i] // contains the i'th byte of j*H for all j. uint8_t *Hbytes = (uint8_t *)Htable; for (int i = 0; i < 16; i++) { 
@@ -180,7 +180,7 @@ static size_t hw_gcm_decrypt(const uint8_t *in, uint8_t *out, size_t len, void bssl::CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, u128 out_table[16], const uint8_t gcm_key[16]) { - // H is passed to |gcm_init_*| as a pair of byte-swapped, 64-bit values. + // H is passed to `gcm_init_*` as a pair of byte-swapped, 64-bit values. uint64_t H[2] = {CRYPTO_load_u64_be(gcm_key), CRYPTO_load_u64_be(gcm_key + 8)}; @@ -435,7 +435,7 @@ int bssl::CRYPTO_gcm128_encrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx, #if defined(HW_GCM) if (key->impl != gcm_separate && len > 0) { - // |hw_gcm_encrypt| may not process all the input given to it. It may + // `hw_gcm_encrypt` may not process all the input given to it. It may // not process *any* of its input if it is deemed too small. size_t bulk = hw_gcm_encrypt(in, out, len, &key->aes, ctx->Yi, ctx->Xi, key->Htable, key->impl); @@ -523,7 +523,7 @@ int bssl::CRYPTO_gcm128_decrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx, #if defined(HW_GCM) if (key->impl != gcm_separate && len > 0) { - // |hw_gcm_decrypt| may not process all the input given to it. It may + // `hw_gcm_decrypt` may not process all the input given to it. It may // not process *any* of its input if it is deemed too small. size_t bulk = hw_gcm_decrypt(in, out, len, &key->aes, ctx->Yi, ctx->Xi, key->Htable, key->impl); diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/gcm_nohw.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/aes/gcm_nohw.cc.inc index a4c6d1c0..4af795e6 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/gcm_nohw.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/gcm_nohw.cc.inc 
@@ -40,7 +40,7 @@ static void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a, // One term every four bits means the largest term is 64/4 = 16, which barely // overflows into the next term. Using one term every five bits would cost 25 // multiplications instead of 16. It is faster to mask off the bottom four - // bits of |a|, giving a largest term of 60/4 = 15, and apply the bottom bits + // bits of `a`, giving a largest term of 60/4 = 15, and apply the bottom bits // separately. uint64_t a0 = a & UINT64_C(0x1111111111111110); uint64_t a1 = a & UINT64_C(0x2222222222222220); @@ -61,7 +61,7 @@ static void gcm_mul64_nohw(uint64_t *out_lo, uint64_t *out_hi, uint64_t a, uint128_t c3 = (a0 * (uint128_t)b3) ^ (a1 * (uint128_t)b2) ^ (a2 * (uint128_t)b1) ^ (a3 * (uint128_t)b0); - // Multiply the bottom four bits of |a| with |b|. + // Multiply the bottom four bits of `a` with `b`. uint64_t a0_mask = UINT64_C(0) - (a & 1); uint64_t a1_mask = UINT64_C(0) - ((a >> 1) & 1); uint64_t a2_mask = UINT64_C(0) - ((a >> 2) & 1); @@ -201,7 +201,7 @@ void bssl::gcm_init_nohw(u128 Htable[16], const uint64_t Xi[2]) { // rev128(X) * rev128(Y) = rev255(X*Y). // // Per Appendix A, we run mulX_POLYVAL. Note this is the same transformation - // applied by |gcm_init_clmul|, etc. Note |Xi| has already been byteswapped. + // applied by `gcm_init_clmul`, etc. Note `Xi` has already been byteswapped. // // See also slide 16 of // https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf 
@@ -220,12 +220,12 @@ void bssl::gcm_init_nohw(u128 Htable[16], const uint64_t Xi[2]) { Htable[0].lo ^= carry & 1; Htable[0].hi ^= carry & UINT64_C(0xc200000000000000); - // This implementation does not use the rest of |Htable|. + // This implementation does not use the rest of `Htable`. } static void gcm_polyval_nohw(uint64_t Xi[2], const u128 *H) { - // Karatsuba multiplication. The product of |Xi| and |H| is stored in |r0| - // through |r3|. Note there is no byte or bit reversal because we are + // Karatsuba multiplication. The product of `Xi` and `H` is stored in `r0` + // through `r3`. Note there is no byte or bit reversal because we are // evaluating POLYVAL. uint64_t r0, r1; gcm_mul64_nohw(&r0, &r1, Xi[0], H->lo); @@ -238,8 +238,8 @@ static void gcm_polyval_nohw(uint64_t Xi[2], const u128 *H) { r2 ^= mid1; r1 ^= mid0; - // Now we multiply our 256-bit result by x^-128 and reduce. |r2| and - // |r3| shifts into position and we must multiply |r0| and |r1| by x^-128. We + // Now we multiply our 256-bit result by x^-128 and reduce. `r2` and + // `r3` shifts into position and we must multiply `r0` and `r1` by x^-128. We // have: // // 1 = x^121 + x^126 + x^127 + x^128 @@ -249,7 +249,7 @@ static void gcm_polyval_nohw(uint64_t Xi[2], const u128 *H) { // The x^-7, x^-2, and x^-1 terms shift bits past x^0, which would require // another reduction steps. Instead, we gather the excess bits, incorporate - // them into |r0| and |r1| and reduce once. See slides 17-19 + // them into `r0` and `r1` and reduce once. See slides 17-19 // of https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf. r1 ^= (r0 << 63) ^ (r0 << 62) ^ (r0 << 57); diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/internal.h b/third_party/boringssl/src/crypto/fipsmodule/aes/internal.h index db627037..3ee356c5 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/internal.h 
@@ -26,9 +26,9 @@ BSSL_NAMESPACE_BEGIN // block128_f is the type of an AES block cipher implementation. // // Unlike upstream OpenSSL, it and the other functions in this file hard-code -// |AES_KEY|. It is undefined in C to call a function pointer with anything -// other than the original type. Thus we either must match |block128_f| to the -// type signature of |BCM_aes_encrypt| and friends or pass in |void*| wrapper +// `AES_KEY`. It is undefined in C to call a function pointer with anything +// other than the original type. Thus we either must match `block128_f` to the +// type signature of `BCM_aes_encrypt` and friends or pass in `void*` wrapper // functions. // // These functions are called exclusively with AES, so we use the former. @@ -39,9 +39,9 @@ typedef void (*block128_f)(const uint8_t in[16], uint8_t out[16], typedef void (*ctr128_f)(const uint8_t *in, uint8_t *out, size_t blocks, const AES_KEY *key, const uint8_t ivec[16]); -// aes_ctr_set_key initialises |*aes_key| using |key_bytes| bytes from |key|, -// where |key_bytes| must either be 16, 24 or 32. If not NULL, |*out_block| is -// set to a function that encrypts single blocks. If not NULL, |*out_is_hwaes| +// aes_ctr_set_key initialises `*aes_key` using `key_bytes` bytes from `key`, +// where `key_bytes` must either be 16, 24 or 32. If not NULL, `*out_block` is +// set to a function that encrypts single blocks. If not NULL, `*out_is_hwaes` // is set to whether the hardware AES implementation was used. It returns a // function for optimised CTR-mode. ctr128_f aes_ctr_set_key(AES_KEY *aes_key, int *out_is_hwaes, 
@@ -104,8 +104,8 @@ extern "C" void aes_hw_ctr32_encrypt_blocks(const uint8_t *in, uint8_t *out, const uint8_t ivec[16]); #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) -// On x86 and x86_64, |aes_hw_set_decrypt_key| is implemented in terms of -// |aes_hw_set_encrypt_key| and a conversion function. +// On x86 and x86_64, `aes_hw_set_decrypt_key` is implemented in terms of +// `aes_hw_set_encrypt_key` and a conversion function. extern "C" void aes_hw_encrypt_key_to_decrypt_key(AES_KEY *key); // There are two variants of this function, one which uses aeskeygenassist @@ -177,7 +177,7 @@ extern "C" void aes_hw_ecb_encrypt(const uint8_t *in, uint8_t *out, #if defined(BSAES) -// Note |bsaes_cbc_encrypt| requires |enc| to be zero. +// Note `bsaes_cbc_encrypt` requires `enc` to be zero. extern "C" void bsaes_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, const AES_KEY *key, uint8_t ivec[16], int enc); @@ -264,8 +264,8 @@ void aes_nohw_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, inline void CRYPTO_xor16(uint8_t out[16], const uint8_t a[16], const uint8_t b[16]) { // TODO(davidben): Ideally we'd leave this to the compiler, which could use - // vector registers, etc. But the compiler doesn't know that |in| and |out| - // cannot partially alias. |restrict| is slightly two strict (we allow exact + // vector registers, etc. But the compiler doesn't know that `in` and `out` + // cannot partially alias. `restrict` is slightly two strict (we allow exact // aliasing), but perhaps in-place could be a separate function? static_assert(16 % sizeof(crypto_word_t) == 0, "block cannot be evenly divided into words"); 
@@ -279,12 +279,12 @@ inline void CRYPTO_xor16(uint8_t out[16], const uint8_t a[16], // CTR. // CRYPTO_ctr128_encrypt_ctr32 encrypts (or decrypts, it's the same in CTR mode) -// |len| bytes from |in| to |out| using |block| in counter mode. There's no -// requirement that |len| be a multiple of any value and any partial blocks are -// stored in |ecount_buf| and |*num|, which must be zeroed before the initial -// call. The counter is a 128-bit, big-endian value in |ivec| and is +// `len` bytes from `in` to `out` using `block` in counter mode. There's no +// requirement that `len` be a multiple of any value and any partial blocks are +// stored in `ecount_buf` and `*num`, which must be zeroed before the initial +// call. The counter is a 128-bit, big-endian value in `ivec` and is // incremented by this function. If the counter overflows, it wraps around. -// |ctr| must be a function that performs CTR mode but only deals with the lower +// `ctr` must be a function that performs CTR mode but only deals with the lower // 32 bits of the counter. void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], @@ -294,10 +294,10 @@ void CRYPTO_ctr128_encrypt_ctr32(const uint8_t *in, uint8_t *out, size_t len, // GCM. // -// This API differs from the upstream API slightly. The |GCM128_CONTEXT| does -// not have a |key| pointer that points to the key as upstream's version does. -// Instead, every function takes a |key| parameter. This way |GCM128_CONTEXT| -// can be safely copied. Additionally, |gcm_key| is split into a separate +// This API differs from the upstream API slightly. The `GCM128_CONTEXT` does +// not have a `key` pointer that points to the key as upstream's version does. +// Instead, every function takes a `key` parameter. This way `GCM128_CONTEXT` +// can be safely copied. Additionally, `gcm_key` is split into a separate // struct. // gcm_impl_t specifies an assembly implementation of AES-GCM. 
@@ -312,12 +312,12 @@ enum gcm_impl_t { typedef struct { uint64_t hi,lo; } u128; -// gmult_func multiplies |Xi| by the GCM key and writes the result back to -// |Xi|. +// gmult_func multiplies `Xi` by the GCM key and writes the result back to +// `Xi`. typedef void (*gmult_func)(uint8_t Xi[16], const u128 Htable[16]); -// ghash_func repeatedly multiplies |Xi| by the GCM key and adds in blocks from -// |inp|. The result is written back to |Xi| and the |len| argument must be a +// ghash_func repeatedly multiplies `Xi` by the GCM key and adds in blocks from +// `inp`. The result is written back to `Xi` and the `len` argument must be a // multiple of 16. typedef void (*ghash_func)(uint8_t Xi[16], const u128 Htable[16], const uint8_t *inp, size_t len); 
@@ -354,48 +354,48 @@ typedef struct { int crypto_gcm_clmul_enabled(); #endif -// CRYPTO_ghash_init writes a precomputed table of powers of |gcm_key| to -// |out_table| and sets |*out_mult| and |*out_hash| to (potentially hardware +// CRYPTO_ghash_init writes a precomputed table of powers of `gcm_key` to +// `out_table` and sets `*out_mult` and `*out_hash` to (potentially hardware // accelerated) functions for performing operations in the GHASH field. void CRYPTO_ghash_init(gmult_func *out_mult, ghash_func *out_hash, u128 out_table[16], const uint8_t gcm_key[16]); -// CRYPTO_gcm128_init_aes_key initialises |gcm_key| to with AES key |key|. +// CRYPTO_gcm128_init_aes_key initialises `gcm_key` to with AES key `key`. void CRYPTO_gcm128_init_aes_key(GCM128_KEY *gcm_key, const uint8_t *key, size_t key_bytes); -// CRYPTO_gcm128_init_ctx initializes |ctx| to encrypt with |key| and |iv|. +// CRYPTO_gcm128_init_ctx initializes `ctx` to encrypt with `key` and `iv`. void CRYPTO_gcm128_init_ctx(const GCM128_KEY *key, GCM128_CONTEXT *ctx, const uint8_t *iv, size_t iv_len); // CRYPTO_gcm128_aad adds to the authenticated data for an instance of GCM. -// This must be called before and data is encrypted. |key| must be the same -// value that was passed to |CRYPTO_gcm128_init_ctx|. It returns one on success +// This must be called before and data is encrypted. `key` must be the same +// value that was passed to `CRYPTO_gcm128_init_ctx`. It returns one on success // and zero otherwise. int CRYPTO_gcm128_aad(const GCM128_KEY *key, GCM128_CONTEXT *ctx, const uint8_t *aad, size_t aad_len); -// CRYPTO_gcm128_encrypt encrypts |len| bytes from |in| to |out|. |key| must be -// the same value that was passed to |CRYPTO_gcm128_init_ctx|. It returns one on +// CRYPTO_gcm128_encrypt encrypts `len` bytes from `in` to `out`. `key` must be +// the same value that was passed to `CRYPTO_gcm128_init_ctx`. It returns one on // success and zero otherwise. 
int CRYPTO_gcm128_encrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx, const uint8_t *in, uint8_t *out, size_t len); -// CRYPTO_gcm128_decrypt decrypts |len| bytes from |in| to |out|. |key| must be -// the same value that was passed to |CRYPTO_gcm128_init_ctx|. It returns one on +// CRYPTO_gcm128_decrypt decrypts `len` bytes from `in` to `out`. `key` must be +// the same value that was passed to `CRYPTO_gcm128_init_ctx`. It returns one on // success and zero otherwise. int CRYPTO_gcm128_decrypt(const GCM128_KEY *key, GCM128_CONTEXT *ctx, const uint8_t *in, uint8_t *out, size_t len); // CRYPTO_gcm128_finish calculates the authenticator and compares it against -// |len| bytes of |tag|. |key| must be the same value that was passed to -// |CRYPTO_gcm128_init_ctx|. It returns one on success and zero otherwise. +// `len` bytes of `tag`. `key` must be the same value that was passed to +// `CRYPTO_gcm128_init_ctx`. It returns one on success and zero otherwise. int CRYPTO_gcm128_finish(const GCM128_KEY *key, GCM128_CONTEXT *ctx, const uint8_t *tag, size_t len); -// CRYPTO_gcm128_tag calculates the authenticator and copies it into |tag|. -// The minimum of |len| and 16 bytes are copied into |tag|. |key| must be the -// same value that was passed to |CRYPTO_gcm128_init_ctx|. +// CRYPTO_gcm128_tag calculates the authenticator and copies it into `tag`. +// The minimum of `len` and 16 bytes are copied into `tag`. `key` must be the +// same value that was passed to `CRYPTO_gcm128_init_ctx`. void CRYPTO_gcm128_tag(const GCM128_KEY *key, GCM128_CONTEXT *ctx, uint8_t *tag, size_t len); 
@@ -528,7 +528,7 @@ extern "C" void aes_gcm_dec_kernel_eor3(const uint8_t *in, uint64_t in_bits, typedef void (*cbc128_f)(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], int enc); -// CRYPTO_cbc128_encrypt encrypts |len| bytes from |in| to |out| using the +// CRYPTO_cbc128_encrypt encrypts `len` bytes from `in` to `out` using the // given IV and block cipher in CBC mode. The input need not be a multiple of // 128 bits long, but the output will round up to the nearest 128 bit multiple, // zero padding the input if needed. The IV will be updated on return. @@ -536,10 +536,10 @@ void CRYPTO_cbc128_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], block128_f block); -// CRYPTO_cbc128_decrypt decrypts |len| bytes from |in| to |out| using the -// given IV and block cipher in CBC mode. If |len| is not a multiple of 128 +// CRYPTO_cbc128_decrypt decrypts `len` bytes from `in` to `out` using the +// given IV and block cipher in CBC mode. If `len` is not a multiple of 128 // bits then only that many bytes will be written, but a multiple of 128 bits -// is always read from |in|. The IV will be updated on return. +// is always read from `in`. The IV will be updated on return. void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], block128_f block); 
@@ -548,9 +548,9 @@ void CRYPTO_cbc128_decrypt(const uint8_t *in, uint8_t *out, size_t len, // OFB. // CRYPTO_ofb128_encrypt encrypts (or decrypts, it's the same with OFB mode) -// |len| bytes from |in| to |out| using |block| in OFB mode. There's no -// requirement that |len| be a multiple of any value and any partial blocks are -// stored in |ivec| and |*num|, the latter must be zero before the initial +// `len` bytes from `in` to `out` using `block` in OFB mode. There's no +// requirement that `len` be a multiple of any value and any partial blocks are +// stored in `ivec` and `*num`, the latter must be zero before the initial // call. void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], unsigned *num, 
@@ -559,24 +559,24 @@ void CRYPTO_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, // CFB. -// CRYPTO_cfb128_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes -// from |in| to |out| using |block| in CFB mode. There's no requirement that -// |len| be a multiple of any value and any partial blocks are stored in |ivec| -// and |*num|, the latter must be zero before the initial call. +// CRYPTO_cfb128_encrypt encrypts (or decrypts, if `enc` is zero) `len` bytes +// from `in` to `out` using `block` in CFB mode. There's no requirement that +// `len` be a multiple of any value and any partial blocks are stored in `ivec` +// and `*num`, the latter must be zero before the initial call. void CRYPTO_cfb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], unsigned *num, int enc, block128_f block); -// CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes -// from |in| to |out| using |block| in CFB-8 mode. Prior to the first call -// |num| should be set to zero. +// CRYPTO_cfb128_8_encrypt encrypts (or decrypts, if `enc` is zero) `len` bytes +// from `in` to `out` using `block` in CFB-8 mode. Prior to the first call +// `num` should be set to zero. void CRYPTO_cfb128_8_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t ivec[16], unsigned *num, int enc, block128_f block); -// CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if |enc| is zero) |len| bytes -// from |in| to |out| using |block| in CFB-1 mode. Prior to the first call -// |num| should be set to zero. +// CRYPTO_cfb128_1_encrypt encrypts (or decrypts, if `enc` is zero) `len` bytes +// from `in` to `out` using `block` in CFB-1 mode. Prior to the first call +// `num` should be set to zero. void CRYPTO_cfb128_1_encrypt(const uint8_t *in, uint8_t *out, size_t bits, const AES_KEY *key, uint8_t ivec[16], unsigned *num, int enc, block128_f block); 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/aes/mode_wrappers.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/aes/mode_wrappers.cc.inc index 34f14b00..5507961e 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/aes/mode_wrappers.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/aes/mode_wrappers.cc.inc @@ -39,8 +39,8 @@ void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, size_t len, CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, ivec, ecount_buf, num, aes_hw_ctr32_encrypt_blocks); } else if (vpaes_capable()) { - // TODO(davidben): On ARM, where |BSAES| is additionally defined, this could - // use |vpaes_ctr32_encrypt_blocks_with_bsaes|. + // TODO(davidben): On ARM, where `BSAES` is additionally defined, this could + // use `vpaes_ctr32_encrypt_blocks_with_bsaes`. CRYPTO_ctr128_encrypt_ctr32(in, out, len, key, ivec, ecount_buf, num, vpaes_ctr32_encrypt_blocks); } else { diff --git a/third_party/boringssl/src/crypto/fipsmodule/bcm.cc b/third_party/boringssl/src/crypto/fipsmodule/bcm.cc index 1a5a6fd6..7cb8410b 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bcm.cc +++ b/third_party/boringssl/src/crypto/fipsmodule/bcm.cc @@ -87,7 +87,6 @@ OPENSSL_CLANG_PRAGMA("clang diagnostic ignored \"-Wheader-hygiene\"") #include "ec/ec_montgomery.cc.inc" #include "ec/felem.cc.inc" #include "ec/oct.cc.inc" -#include "ec/p256-nistz.cc.inc" #include "ec/p256.cc.inc" #include "ec/scalar.cc.inc" #include "ec/simple.cc.inc" @@ -102,6 +101,7 @@ OPENSSL_CLANG_PRAGMA("clang diagnostic ignored \"-Wheader-hygiene\"") #include "keccak/keccak.cc.inc" #include "mldsa/mldsa.cc.inc" #include "mlkem/mlkem.cc.inc" +#include "rand/android_entropy_client.cc.inc" #include "rand/ctrdrbg.cc.inc" #include "rand/rand.cc.inc" #include "rsa/padding.cc.inc" 
@@ -162,7 +162,7 @@ static void assert_within(const void *start, const void *symbol, static void BORINGSSL_maybe_set_module_text_permissions(int permission) { // Android may be compiled in execute-only-memory mode, in which case the // .text segment cannot be read. That conflicts with the need for a FIPS - // module to hash its own contents, therefore |mprotect| is used to make + // module to hash its own contents, therefore `mprotect` is used to make // the module's .text readable for the duration of the hashing process. In // other build configurations this is a no-op. const uintptr_t page_size = getpagesize(); @@ -181,8 +181,8 @@ static void BORINGSSL_maybe_set_module_text_permissions(int permission) {} #endif // !ASAN -static void - __attribute__((constructor)) BORINGSSL_bcm_power_on_self_test(void) { +static void __attribute__((constructor)) BORINGSSL_bcm_power_on_self_test( + void) { #if !defined(OPENSSL_ASAN) // Integrity tests cannot run under ASAN because it involves reading the full // .text section, which triggers the global-buffer overflow detection. diff --git a/third_party/boringssl/src/crypto/fipsmodule/bcm_interface.h b/third_party/boringssl/src/crypto/fipsmodule/bcm_interface.h index d4ea95d5..66f32aa9 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bcm_interface.h +++ b/third_party/boringssl/src/crypto/fipsmodule/bcm_interface.h 
@@ -73,54 +73,48 @@ inline bcm_status_t bcm_as_not_approved_status(int result) { #endif // BORINGSSL_FIPS -// BCM_rand_load_entropy supplies |entropy_len| bytes of entropy to the BCM -// module. The |want_additional_input| parameter is true iff the entropy was -// obtained from a source other than the system, e.g. directly from the CPU. -bcm_infallible BCM_rand_load_entropy(const uint8_t *entropy, size_t entropy_len, - int want_additional_input); - -// BCM_rand_bytes is the same as the public |RAND_bytes| function, other +// BCM_rand_bytes is the same as the public `RAND_bytes` function, other // than returning a bcm_infallible status indicator. bcm_infallible BCM_rand_bytes(uint8_t *out, size_t out_len); -// BCM_rand_bytes_hwrng attempts to fill |out| with |len| bytes of entropy from +// BCM_rand_bytes_hwrng attempts to fill `out` with `len` bytes of entropy from // the CPU hardware random number generator if one is present. // bcm_status_approved is returned on success, and a failure status is // returned otherwise. bcm_status BCM_rand_bytes_hwrng(uint8_t *out, size_t len); // BCM_rand_bytes_with_additional_data samples from the RNG after mixing 32 -// bytes from |user_additional_data| in. +// bytes from `user_additional_data` in. bcm_infallible BCM_rand_bytes_with_additional_data( uint8_t *out, size_t out_len, const uint8_t user_additional_data[32]); // SHA-1 -// BCM_sha1_init initialises |sha|. +// BCM_sha1_init initialises `sha`. bcm_infallible BCM_sha1_init(SHA_CTX *sha); // SHA1_transform is a low-level function that performs a single, SHA-1 -// block transformation using the state from |sha| and |SHA_CBLOCK| bytes from -// |block|. +// block transformation using the state from `sha` and `SHA_CBLOCK` bytes from +// `block`. bcm_infallible BCM_sha1_transform(SHA_CTX *c, const uint8_t data[SHA_CBLOCK]); -// BCM_sha1_update adds |len| bytes from |data| to |sha|. +// BCM_sha1_update adds `len` bytes from `data` to `sha`. 
bcm_infallible BCM_sha1_update(SHA_CTX *c, const void *data, size_t len); -// BCM_sha1_final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. +// BCM_sha1_final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA_DIGEST_LENGTH` bytes of space. bcm_infallible BCM_sha1_final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *c); -// BCM_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF +// BCM_fips_186_2_prf derives `out_len` bytes from `xkey` using the PRF // defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b // parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user // input is all zeros. // // The PRF generates a sequence of 320-bit numbers. Each number is encoded as a -// 40-byte string in big-endian and then concatenated to form |out|. If -// |out_len| is not a multiple of 40, the result is truncated. This matches the +// 40-byte string in big-endian and then concatenated to form `out`. If +// `out_len` is not a multiple of 40, the result is truncated. This matches the // construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187. // // This PRF is based on SHA-1, a weak hash function, and should not be used 
@@ -132,14 +126,14 @@ bcm_infallible BCM_fips_186_2_prf(uint8_t *out, size_t out_len, // SHA-224 -// BCM_sha224_unit initialises |sha|. +// BCM_sha224_unit initialises `sha`. bcm_infallible BCM_sha224_init(SHA256_CTX *sha); -// BCM_sha224_update adds |len| bytes from |data| to |sha|. +// BCM_sha224_update adds `len` bytes from `data` to `sha`. bcm_infallible BCM_sha224_update(SHA256_CTX *sha, const void *data, size_t len); -// BCM_sha224_final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of +// BCM_sha224_final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA224_DIGEST_LENGTH` bytes of // space. It aborts on programmer error. bcm_infallible BCM_sha224_final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *sha); 
@@ -147,27 +141,27 @@ bcm_infallible BCM_sha224_final(uint8_t out[SHA224_DIGEST_LENGTH], // SHA-256 -// BCM_sha256_init initialises |sha|. +// BCM_sha256_init initialises `sha`. bcm_infallible BCM_sha256_init(SHA256_CTX *sha); -// BCM_sha256_update adds |len| bytes from |data| to |sha|. +// BCM_sha256_update adds `len` bytes from `data` to `sha`. bcm_infallible BCM_sha256_update(SHA256_CTX *sha, const void *data, size_t len); -// BCM_sha256_final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA256_DIGEST_LENGTH| bytes of +// BCM_sha256_final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA256_DIGEST_LENGTH` bytes of // space. It aborts on programmer error. bcm_infallible BCM_sha256_final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *sha); // BCM_sha256_transform is a low-level function that performs a single, SHA-256 -// block transformation using the state from |sha| and |SHA256_CBLOCK| bytes -// from |block|. +// block transformation using the state from `sha` and `SHA256_CBLOCK` bytes +// from `block`. bcm_infallible BCM_sha256_transform(SHA256_CTX *sha, const uint8_t block[SHA256_CBLOCK]); -// BCM_sha256_transform_blocks is a low-level function that takes |num_blocks| * -// |SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to update -// |state|. +// BCM_sha256_transform_blocks is a low-level function that takes `num_blocks` * +// `SHA256_CBLOCK` bytes of data and performs SHA-256 transforms on it to update +// `state`. bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8], const uint8_t *data, size_t num_blocks); 
@@ -175,14 +169,14 @@ bcm_infallible BCM_sha256_transform_blocks(uint32_t state[8], // SHA-384. -// BCM_sha384_init initialises |sha|. +// BCM_sha384_init initialises `sha`. bcm_infallible BCM_sha384_init(SHA512_CTX *sha); -// BCM_sha384_update adds |len| bytes from |data| to |sha|. +// BCM_sha384_update adds `len` bytes from `data` to `sha`. bcm_infallible BCM_sha384_update(SHA512_CTX *sha, const void *data, size_t len); -// BCM_sha384_final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA384_DIGEST_LENGTH| bytes of +// BCM_sha384_final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA384_DIGEST_LENGTH` bytes of // space. It may abort on programmer error. bcm_infallible BCM_sha384_final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha); 
@@ -190,21 +184,21 @@ bcm_infallible BCM_sha384_final(uint8_t out[SHA384_DIGEST_LENGTH], // SHA-512. -// BCM_sha512_init initialises |sha|. +// BCM_sha512_init initialises `sha`. bcm_infallible BCM_sha512_init(SHA512_CTX *sha); -// BCM_sha512_update adds |len| bytes from |data| to |sha|. +// BCM_sha512_update adds `len` bytes from `data` to `sha`. bcm_infallible BCM_sha512_update(SHA512_CTX *sha, const void *data, size_t len); -// BCM_sha512_final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA512_DIGEST_LENGTH| bytes of +// BCM_sha512_final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA512_DIGEST_LENGTH` bytes of // space. bcm_infallible BCM_sha512_final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha); // BCM_sha512_transform is a low-level function that performs a single, SHA-512 -// block transformation using the state from |sha| and |SHA512_CBLOCK| bytes -// from |block|. +// block transformation using the state from `sha` and `SHA512_CBLOCK` bytes +// from `block`. bcm_infallible BCM_sha512_transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK]); 
@@ -213,15 +207,15 @@ bcm_infallible BCM_sha512_transform(SHA512_CTX *sha, // // See https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf section 5.3.6 -// BCM_sha512_256_init initialises |sha|. +// BCM_sha512_256_init initialises `sha`. bcm_infallible BCM_sha512_256_init(SHA512_CTX *sha); -// BCM_sha512_256_update adds |len| bytes from |data| to |sha|. +// BCM_sha512_256_update adds `len` bytes from `data` to `sha`. bcm_infallible BCM_sha512_256_update(SHA512_CTX *sha, const void *data, size_t len); -// BCM_sha512_256_final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA512_256_DIGEST_LENGTH| bytes of +// BCM_sha512_256_final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA512_256_DIGEST_LENGTH` bytes of // space. It may abort on programmer error. bcm_infallible BCM_sha512_256_final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha); @@ -250,7 +244,7 @@ OPENSSL_EXPORT bcm_status BCM_mldsa65_private_key_from_seed( OPENSSL_EXPORT bcm_status BCM_mldsa65_public_from_private( MLDSA65_public_key *out_public_key, const MLDSA65_private_key *private_key); -// BCM_mldsa65_public_of_private returns the public half of |private_key|. +// BCM_mldsa65_public_of_private returns the public half of `private_key`. const MLDSA65_public_key *BCM_mldsa65_public_of_private( const MLDSA65_private_key *private_key); @@ -305,7 +299,7 @@ BCM_mldsa65_parse_private_key(MLDSA65_private_key *private_key, CBS *in); // BCM_mldsa65_generate_key_external_entropy generates a public/private key pair // using the given seed, writes the encoded public key to -// |out_encoded_public_key| and sets |out_private_key| to the private key. +// `out_encoded_public_key` and sets `out_private_key` to the private key. OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_external_entropy( uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES], MLDSA65_private_key *out_private_key, 
@@ -316,11 +310,11 @@ OPENSSL_EXPORT bcm_status BCM_mldsa65_generate_key_external_entropy_fips( MLDSA65_private_key *out_private_key, const uint8_t entropy[MLDSA_SEED_BYTES]); -// BCM_mldsa5_sign_internal signs |msg| using |private_key| and writes the -// signature to |out_encoded_signature|. The |context_prefix| and |context| are -// prefixed to the message, in that order, before signing. The |randomizer| +// BCM_mldsa5_sign_internal signs `msg` using `private_key` and writes the +// signature to `out_encoded_signature`. The `context_prefix` and `context` are +// prefixed to the message, in that order, before signing. The `randomizer` // value can be set to zero bytes in order to make a deterministic signature, or -// else filled with entropy for the usual |MLDSA_sign| behavior. +// else filled with entropy for the usual `MLDSA_sign` behavior. OPENSSL_EXPORT bcm_status BCM_mldsa65_sign_internal( uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES], const MLDSA65_private_key *private_key, const uint8_t *msg, size_t msg_len, @@ -334,8 +328,8 @@ OPENSSL_EXPORT bcm_status BCM_mldsa65_sign_mu_internal( const uint8_t msg_rep[MLDSA_MU_BYTES], const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]); -// BCM_mldsa5_verify_internal verifies that |encoded_signature| is a valid -// signature of |msg| by |public_key|. The |context_prefix| and |context| are +// BCM_mldsa5_verify_internal verifies that `encoded_signature` is a valid +// signature of `msg` by `public_key`. The `context_prefix` and `context` are // prefixed to the message before verification, in that order. OPENSSL_EXPORT bcm_status BCM_mldsa65_verify_internal( const MLDSA65_public_key *public_key, 
@@ -343,12 +337,12 @@ OPENSSL_EXPORT bcm_status BCM_mldsa65_verify_internal( const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len, const uint8_t *context, size_t context_len); -// BCM_mldsa65_marshal_private_key serializes |private_key| to |out| in the +// BCM_mldsa65_marshal_private_key serializes `private_key` to `out` in the // NIST format for ML-DSA-65 private keys. OPENSSL_EXPORT bcm_status BCM_mldsa65_marshal_private_key( CBB *out, const MLDSA65_private_key *private_key); -// BCM_mldsa65_public_keys_equal returns one if |a| and |b| are equal and zero +// BCM_mldsa65_public_keys_equal returns one if `a` and `b` are equal and zero // otherwise. int BCM_mldsa65_public_keys_equal(const MLDSA65_public_key *a, const MLDSA65_public_key *b); @@ -368,7 +362,7 @@ OPENSSL_EXPORT bcm_status BCM_mldsa87_private_key_from_seed( OPENSSL_EXPORT bcm_status BCM_mldsa87_public_from_private( MLDSA87_public_key *out_public_key, const MLDSA87_private_key *private_key); -// BCM_mldsa87_public_of_private returns the public half of |private_key|. +// BCM_mldsa87_public_of_private returns the public half of `private_key`. const MLDSA87_public_key *BCM_mldsa87_public_of_private( const MLDSA87_private_key *private_key); @@ -423,7 +417,7 @@ BCM_mldsa87_parse_private_key(MLDSA87_private_key *private_key, CBS *in); // BCM_mldsa87_generate_key_external_entropy generates a public/private key pair // using the given seed, writes the encoded public key to -// |out_encoded_public_key| and sets |out_private_key| to the private key. +// `out_encoded_public_key` and sets `out_private_key` to the private key. OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_external_entropy( uint8_t out_encoded_public_key[MLDSA87_PUBLIC_KEY_BYTES], MLDSA87_private_key *out_private_key, 
@@ -434,11 +428,11 @@ OPENSSL_EXPORT bcm_status BCM_mldsa87_generate_key_external_entropy_fips( MLDSA87_private_key *out_private_key, const uint8_t entropy[MLDSA_SEED_BYTES]); -// BCM_mldsa87_sign_internal signs |msg| using |private_key| and writes the -// signature to |out_encoded_signature|. The |context_prefix| and |context| are -// prefixed to the message, in that order, before signing. The |randomizer| +// BCM_mldsa87_sign_internal signs `msg` using `private_key` and writes the +// signature to `out_encoded_signature`. The `context_prefix` and `context` are +// prefixed to the message, in that order, before signing. The `randomizer` // value can be set to zero bytes in order to make a deterministic signature, or -// else filled with entropy for the usual |MLDSA_sign| behavior. +// else filled with entropy for the usual `MLDSA_sign` behavior. OPENSSL_EXPORT bcm_status BCM_mldsa87_sign_internal( uint8_t out_encoded_signature[MLDSA87_SIGNATURE_BYTES], const MLDSA87_private_key *private_key, const uint8_t *msg, size_t msg_len, @@ -452,8 +446,8 @@ OPENSSL_EXPORT bcm_status BCM_mldsa87_sign_mu_internal( const uint8_t msg_rep[MLDSA_MU_BYTES], const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]); -// BCM_mldsa87_verify_internal verifies that |encoded_signature| is a valid -// signature of |msg| by |public_key|. The |context_prefix| and |context| are +// BCM_mldsa87_verify_internal verifies that `encoded_signature` is a valid +// signature of `msg` by `public_key`. The `context_prefix` and `context` are // prefixed to the message before verification, in that order. OPENSSL_EXPORT bcm_status BCM_mldsa87_verify_internal( const MLDSA87_public_key *public_key, 
@@ -461,12 +455,12 @@ OPENSSL_EXPORT bcm_status BCM_mldsa87_verify_internal( const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len, const uint8_t *context, size_t context_len); -// BCM_mldsa87_marshal_private_key serializes |private_key| to |out| in the +// BCM_mldsa87_marshal_private_key serializes `private_key` to `out` in the // NIST format for ML-DSA-87 private keys. OPENSSL_EXPORT bcm_status BCM_mldsa87_marshal_private_key( CBB *out, const MLDSA87_private_key *private_key); -// BCM_mldsa87_public_keys_equal returns one if |a| and |b| are equal and zero +// BCM_mldsa87_public_keys_equal returns one if `a` and `b` are equal and zero // otherwise. int BCM_mldsa87_public_keys_equal(const MLDSA87_public_key *a, const MLDSA87_public_key *b); @@ -485,7 +479,7 @@ OPENSSL_EXPORT bcm_status BCM_mldsa44_private_key_from_seed( OPENSSL_EXPORT bcm_status BCM_mldsa44_public_from_private( MLDSA44_public_key *out_public_key, const MLDSA44_private_key *private_key); -// BCM_mldsa44_public_of_private returns the public half of |private_key|. +// BCM_mldsa44_public_of_private returns the public half of `private_key`. const MLDSA44_public_key *BCM_mldsa44_public_of_private( const MLDSA44_private_key *private_key); @@ -540,7 +534,7 @@ BCM_mldsa44_parse_private_key(MLDSA44_private_key *private_key, CBS *in); // BCM_mldsa44_generate_key_external_entropy generates a public/private key pair // using the given seed, writes the encoded public key to -// |out_encoded_public_key| and sets |out_private_key| to the private key. +// `out_encoded_public_key` and sets `out_private_key` to the private key. OPENSSL_EXPORT bcm_status BCM_mldsa44_generate_key_external_entropy( uint8_t out_encoded_public_key[MLDSA44_PUBLIC_KEY_BYTES], MLDSA44_private_key *out_private_key, 
@@ -551,11 +545,11 @@ OPENSSL_EXPORT bcm_status BCM_mldsa44_generate_key_external_entropy_fips( MLDSA44_private_key *out_private_key, const uint8_t entropy[MLDSA_SEED_BYTES]); -// BCM_mldsa44_sign_internal signs |msg| using |private_key| and writes the -// signature to |out_encoded_signature|. The |context_prefix| and |context| are -// prefixed to the message, in that order, before signing. The |randomizer| +// BCM_mldsa44_sign_internal signs `msg` using `private_key` and writes the +// signature to `out_encoded_signature`. The `context_prefix` and `context` are +// prefixed to the message, in that order, before signing. The `randomizer` // value can be set to zero bytes in order to make a deterministic signature, or -// else filled with entropy for the usual |MLDSA_sign| behavior. +// else filled with entropy for the usual `MLDSA_sign` behavior. OPENSSL_EXPORT bcm_status BCM_mldsa44_sign_internal( uint8_t out_encoded_signature[MLDSA44_SIGNATURE_BYTES], const MLDSA44_private_key *private_key, const uint8_t *msg, size_t msg_len, @@ -569,8 +563,8 @@ OPENSSL_EXPORT bcm_status BCM_mldsa44_sign_mu_internal( const uint8_t msg_rep[MLDSA_MU_BYTES], const uint8_t randomizer[BCM_MLDSA_SIGNATURE_RANDOMIZER_BYTES]); -// BCM_mldsa44_verify_internal verifies that |encoded_signature| is a valid -// signature of |msg| by |public_key|. The |context_prefix| and |context| are +// BCM_mldsa44_verify_internal verifies that `encoded_signature` is a valid +// signature of `msg` by `public_key`. The `context_prefix` and `context` are // prefixed to the message before verification, in that order. OPENSSL_EXPORT bcm_status BCM_mldsa44_verify_internal( const MLDSA44_public_key *public_key, 
@@ -578,12 +572,12 @@ OPENSSL_EXPORT bcm_status BCM_mldsa44_verify_internal( const uint8_t *msg, size_t msg_len, const uint8_t *context_prefix, size_t context_prefix_len, const uint8_t *context, size_t context_len); -// BCM_mldsa44_marshal_private_key serializes |private_key| to |out| in the +// BCM_mldsa44_marshal_private_key serializes `private_key` to `out` in the // NIST format for ML-DSA-44 private keys. OPENSSL_EXPORT bcm_status BCM_mldsa44_marshal_private_key( CBB *out, const MLDSA44_private_key *private_key); -// BCM_mldsa44_public_keys_equal returns one if |a| and |b| are equal and zero +// BCM_mldsa44_public_keys_equal returns one if `a` and `b` are equal and zero // otherwise. int BCM_mldsa44_public_keys_equal(const MLDSA44_public_key *a, const MLDSA44_public_key *b); @@ -600,11 +594,11 @@ int BCM_mldsa44_public_keys_equal(const MLDSA44_public_key *a, #define BCM_MLKEM_ENCAP_ENTROPY 32 // BCM_MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by -// |BCM_mlkem768_marshal_private_key|. +// `BCM_mlkem768_marshal_private_key`. #define BCM_MLKEM768_PRIVATE_KEY_BYTES 2400 // BCM_MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by -// |BCM_mlkem1024_marshal_private_key|. +// `BCM_mlkem1024_marshal_private_key`. #define BCM_MLKEM1024_PRIVATE_KEY_BYTES 3168 OPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key( @@ -644,7 +638,7 @@ BCM_mlkem768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], OPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_public_key( CBB *out, const MLKEM768_public_key *public_key); -// BCM_mlkem768_public_keys_equal returns one if |a| and |b| are equal and zero +// BCM_mlkem768_public_keys_equal returns one if `a` and `b` are equal and zero // otherwise. int BCM_mlkem768_public_keys_equal(const MLKEM768_public_key *a, const MLKEM768_public_key *b); 
@@ -653,37 +647,37 @@ OPENSSL_EXPORT bcm_status BCM_mlkem768_parse_public_key(MLKEM768_public_key *out_public_key, CBS *in); // BCM_mlkem768_parse_private_key parses a private key, in NIST's format for -// private keys, from |in| and writes the result to |out_private_key|. It +// private keys, from `in` and writes the result to `out_private_key`. It // returns one on success or zero on parse error or if there are trailing bytes -// in |in|. This format is verbose and should be avoided. Private keys should be -// stored as seeds and parsed using |BCM_mlkem768_private_key_from_seed|. +// in `in`. This format is verbose and should be avoided. Private keys should be +// stored as seeds and parsed using `BCM_mlkem768_private_key_from_seed`. OPENSSL_EXPORT bcm_status BCM_mlkem768_parse_private_key(MLKEM768_private_key *out_private_key, CBS *in); // BCM_mlkem768_generate_key_external_seed is a deterministic function to create // a pair of ML-KEM-768 keys, using the supplied seed. The seed needs to be // uniformly random. This function should only be used for tests; regular -// callers should use the non-deterministic |BCM_mlkem768_generate_key| +// callers should use the non-deterministic `BCM_mlkem768_generate_key` // directly. OPENSSL_EXPORT bcm_infallible BCM_mlkem768_generate_key_external_seed( uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], MLKEM768_private_key *out_private_key, const uint8_t seed[MLKEM_SEED_BYTES]); -// BCM_mlkem768_encap_external_entropy behaves like |MLKEM768_encap|, but uses -// |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating -// side will be able to recover |entropy| in full. This function should only be +// BCM_mlkem768_encap_external_entropy behaves like `MLKEM768_encap`, but uses +// `MLKEM_ENCAP_ENTROPY` bytes of `entropy` for randomization. The decapsulating +// side will be able to recover `entropy` in full. 
This function should only be // used for tests, regular callers should use the non-deterministic -// |BCM_mlkem768_encap| directly. +// `BCM_mlkem768_encap` directly. OPENSSL_EXPORT bcm_infallible BCM_mlkem768_encap_external_entropy( uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const MLKEM768_public_key *public_key, const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]); -// BCM_mlkem768_marshal_private_key serializes |private_key| to |out| in the +// BCM_mlkem768_marshal_private_key serializes `private_key` to `out` in the // NIST format for ML-KEM-768 private keys. (Note that one can also save just -// the seed value produced by |BCM_mlkem768_generate_key|, which is +// the seed value produced by `BCM_mlkem768_generate_key`, which is // significantly smaller.) OPENSSL_EXPORT bcm_status BCM_mlkem768_marshal_private_key( CBB *out, const MLKEM768_private_key *private_key); @@ -725,7 +719,7 @@ BCM_mlkem1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_public_key( CBB *out, const MLKEM1024_public_key *public_key); -// BCM_mlkem1024_public_keys_equal returns one if |a| and |b| are equal and zero +// BCM_mlkem1024_public_keys_equal returns one if `a` and `b` are equal and zero // otherwise. int BCM_mlkem1024_public_keys_equal(const MLKEM1024_public_key *a, const MLKEM1024_public_key *b); 
@@ -734,37 +728,37 @@ OPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_public_key(MLKEM1024_public_key *out_public_key, CBS *in); // BCM_mlkem1024_parse_private_key parses a private key, in NIST's format for -// private keys, from |in| and writes the result to |out_private_key|. It +// private keys, from `in` and writes the result to `out_private_key`. It // returns one on success or zero on parse error or if there are trailing bytes -// in |in|. This format is verbose and should be avoided. Private keys should be -// stored as seeds and parsed using |BCM_mlkem1024_private_key_from_seed|. +// in `in`. This format is verbose and should be avoided. Private keys should be +// stored as seeds and parsed using `BCM_mlkem1024_private_key_from_seed`. OPENSSL_EXPORT bcm_status BCM_mlkem1024_parse_private_key( MLKEM1024_private_key *out_private_key, CBS *in); // BCM_mlkem1024_generate_key_external_seed is a deterministic function to // create a pair of ML-KEM-1024 keys, using the supplied seed. The seed needs to // be uniformly random. This function should only be used for tests, regular -// callers should use the non-deterministic |BCM_mlkem1024_generate_key| +// callers should use the non-deterministic `BCM_mlkem1024_generate_key` // directly. OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_generate_key_external_seed( uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], MLKEM1024_private_key *out_private_key, const uint8_t seed[MLKEM_SEED_BYTES]); -// BCM_mlkem1024_encap_external_entropy behaves like |MLKEM1024_encap|, but uses -// |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The -// decapsulating side will be able to recover |entropy| in full. This function +// BCM_mlkem1024_encap_external_entropy behaves like `MLKEM1024_encap`, but uses +// `MLKEM_ENCAP_ENTROPY` bytes of `entropy` for randomization. The +// decapsulating side will be able to recover `entropy` in full. 
This function // should only be used for tests, regular callers should use the -// non-deterministic |BCM_mlkem1024_encap| directly. +// non-deterministic `BCM_mlkem1024_encap` directly. OPENSSL_EXPORT bcm_infallible BCM_mlkem1024_encap_external_entropy( uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const MLKEM1024_public_key *public_key, const uint8_t entropy[BCM_MLKEM_ENCAP_ENTROPY]); -// BCM_mlkem1024_marshal_private_key serializes |private_key| to |out| in the +// BCM_mlkem1024_marshal_private_key serializes `private_key` to `out` in the // NIST format for ML-KEM-1024 private keys. (Note that one can also save just -// the seed value produced by |BCM_mlkem1024_generate_key|, which is +// the seed value produced by `BCM_mlkem1024_generate_key`, which is // significantly smaller.) OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_private_key( CBB *out, const MLKEM1024_private_key *private_key); @@ -796,8 +790,8 @@ OPENSSL_EXPORT bcm_status BCM_mlkem1024_marshal_private_key( #define BCM_SLHDSA_SHAKE_256F_SIGNATURE_BYTES 49856 // BCM_slhdsa_sha2_128s_generate_key_from_seed generates an SLH-DSA-SHA2-128s -// key pair from a 48-byte seed and writes the result to |out_public_key| and -// |out_secret_key|. +// key pair from a 48-byte seed and writes the result to `out_public_key` and +// `out_secret_key`. OPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_generate_key_from_seed( uint8_t out_public_key[BCM_SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], uint8_t out_secret_key[BCM_SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES], 
@@ -821,11 +815,11 @@ OPENSSL_EXPORT bcm_status BCM_slhdsa_shake_256f_generate_key_from_seed_fips( uint8_t out_secret_key[BCM_SLHDSA_SHAKE_256F_PRIVATE_KEY_BYTES], const uint8_t seed[3 * BCM_SLHDSA_SHAKE_256F_N]); -// BCM_slhdsa_sha2_128s_sign_internal acts like |SLHDSA_SHA2_128S_sign| but +// BCM_slhdsa_sha2_128s_sign_internal acts like `SLHDSA_SHA2_128S_sign` but // accepts an explicit entropy input, which can be PK.seed (bytes 32..48 of // the private key) to generate deterministic signatures. It also takes the // input message in three parts so that the "internal" version of the signing -// function, from section 9.2, can be implemented. The |header| argument may be +// function, from section 9.2, can be implemented. The `header` argument may be // NULL to omit it. OPENSSL_EXPORT bcm_infallible BCM_slhdsa_sha2_128s_sign_internal( uint8_t out_signature[BCM_SLHDSA_SHA2_128S_SIGNATURE_BYTES], @@ -841,9 +835,9 @@ OPENSSL_EXPORT bcm_infallible BCM_slhdsa_shake_256f_sign_internal( size_t context_len, const uint8_t *msg, size_t msg_len, const uint8_t entropy[BCM_SLHDSA_SHAKE_256F_N]); -// BCM_slhdsa_sha2_128s_verify_internal acts like |SLHDSA_SHA2_128S_verify| but +// BCM_slhdsa_sha2_128s_verify_internal acts like `SLHDSA_SHA2_128S_verify` but // takes the input message in three parts so that the "internal" version of the -// verification function, from section 9.3, can be implemented. The |header| +// verification function, from section 9.3, can be implemented. The `header` // argument may be NULL to omit it. OPENSSL_EXPORT bcm_status BCM_slhdsa_sha2_128s_verify_internal( const uint8_t *signature, size_t signature_len, 
@@ -932,24 +926,24 @@ OPENSSL_EXPORT bcm_status BCM_slhdsa_shake_256f_prehash_verify( // AES -// BCM_aes_encrypt encrypts a single block from |in| to |out| with |key|. The -// |in| and |out| pointers may overlap. +// BCM_aes_encrypt encrypts a single block from `in` to `out` with `key`. The +// `in` and `out` pointers may overlap. bcm_infallible BCM_aes_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); -// BCM_aes_decrypt decrypts a single block from |in| to |out| with |key|. The -// |in| and |out| pointers may overlap. +// BCM_aes_decrypt decrypts a single block from `in` to `out` with `key`. The +// `in` and `out` pointers may overlap. bcm_infallible BCM_aes_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); -// BCM_aes_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit -// key, |key|. |key| must point to |bits|/8 bytes. It will return failure if -// |bits| is an invalid AES key size. +// BCM_aes_set_encrypt_key configures `aeskey` to encrypt with the `bits`-bit +// key, `key`. `key` must point to `bits`/8 bytes. It will return failure if +// `bits` is an invalid AES key size. bcm_status BCM_aes_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey); -// BCM_aes_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit -// key, |key|. |key| must point to |bits|/8 bytes. It will return failure if -// |bits| is an invalid AES key size. +// BCM_aes_set_decrypt_key configures `aeskey` to decrypt with the `bits`-bit +// key, `key`. `key` must point to `bits`/8 bytes. It will return failure if +// `bits` is an invalid AES key size. bcm_status BCM_aes_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey); diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/add.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/add.cc.inc index 38c7d5b3..5c48e444 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/add.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/add.cc.inc 
@@ -62,7 +62,7 @@ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { } int bssl::bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { - // Widths are public, so we normalize to make |a| the larger one. + // Widths are public, so we normalize to make `a` the larger one. if (a->width < b->width) { const BIGNUM *tmp = a; a = b; @@ -182,8 +182,8 @@ int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { } int bssl::bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { - // |b| may have more words than |a| given non-minimal inputs, but all words - // beyond |a->width| must then be zero. + // `b` may have more words than `a` given non-minimal inputs, but all words + // beyond `a->width` must then be zero. int b_width = b->width; if (b_width > a->width) { if (!bn_fits_in_words(b, a->width)) { diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/bn.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/bn.cc.inc index 38dea250..c18efa95 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/bn.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/bn.cc.inc @@ -28,8 +28,8 @@ using namespace bssl; -// BN_MAX_WORDS is the maximum number of words allowed in a |BIGNUM|. It is -// sized so byte and bit counts of a |BIGNUM| always fit in |int|, with room to +// BN_MAX_WORDS is the maximum number of words allowed in a `BIGNUM`. It is +// sized so byte and bit counts of a `BIGNUM` always fit in `int`, with room to // spare. #define BN_MAX_WORDS (INT_MAX / (4 * BN_BITS2)) 
@@ -123,25 +123,25 @@ DEFINE_METHOD_FUNCTION(BIGNUM, BN_value_one) { } // BN_num_bits_word returns the minimum number of bits needed to represent the -// value in |l|. +// value in `l`. unsigned BN_num_bits_word(BN_ULONG l) { - // |BN_num_bits| is often called on RSA prime factors. These have public bit + // `BN_num_bits` is often called on RSA prime factors. These have public bit // lengths, but all bits beyond the high bit are secret, so count bits in // constant time. BN_ULONG x, mask; int bits = (l != 0); #if BN_BITS2 > 32 - // Look at the upper half of |x|. |x| is at most 64 bits long. + // Look at the upper half of `x`. `x` is at most 64 bits long. x = l >> 32; - // Set |mask| to all ones if |x| (the top 32 bits of |l|) is non-zero and all + // Set `mask` to all ones if `x` (the top 32 bits of `l`) is non-zero and all // all zeros otherwise. mask = 0u - x; mask = (0u - (mask >> (BN_BITS2 - 1))); - // If |x| is non-zero, the lower half is included in the bit count in full, + // If `x` is non-zero, the lower half is included in the bit count in full, // and we count the upper half. Otherwise, we count the lower half. bits += 32 & mask; - l ^= (x ^ l) & mask; // |l| is |x| if |mask| and remains |l| otherwise. + l ^= (x ^ l) & mask; // `l` is `x` if `mask` and remains `l` otherwise. #endif // The remaining blocks are analogous iterations at lower powers of two. @@ -235,7 +235,7 @@ int bssl::bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num) { return 0; } OPENSSL_memmove(bn->d, words, num * sizeof(BN_ULONG)); - // |bn_wexpand| verified that |num| isn't too large. + // `bn_wexpand` verified that `num` isn't too large. bn->width = (int)num; bn->neg = 0; return 1; 
@@ -255,7 +255,7 @@ void bssl::bn_set_static_words(BIGNUM *bn, const BN_ULONG *words, size_t num) { } int bssl::bn_fits_in_words(const BIGNUM *bn, size_t num) { - // All words beyond |num| must be zero. + // All words beyond `num` must be zero. BN_ULONG mask = 0; for (size_t i = num; i < (size_t)bn->width; i++) { mask |= bn->d[i]; diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/bytes.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/bytes.cc.inc index 4d3fadaf..ef2c87b3 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/bytes.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/bytes.cc.inc @@ -24,8 +24,8 @@ using namespace bssl; void bssl::bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len) { - // The caller should have sized |out| to fit |in| without truncating. This - // condition ensures we do not overflow |out|, so use a runtime check. + // The caller should have sized `out` to fit `in` without truncating. This + // condition ensures we do not overflow `out`, so use a runtime check. BSSL_CHECK(in_len <= out_len * sizeof(BN_ULONG)); // Load whole words. @@ -73,8 +73,8 @@ BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return nullptr; } - // |bn_wexpand| must check bounds on |num_words| to write it into - // |ret->dmax|. + // `bn_wexpand` must check bounds on `num_words` to write it into + // `ret->dmax`. assert(num_words <= INT_MAX); ret->width = (int)num_words; ret->neg = 0; @@ -99,7 +99,7 @@ BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return ret; } - // Reserve enough space in |ret|. + // Reserve enough space in `ret`. size_t num_words = ((len - 1) / BN_BYTES) + 1; if (!bn_wexpand(ret, num_words)) { BN_free(bn); 
@@ -121,8 +121,8 @@ BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret) { return BN_lebin2bn(in, len, ret); } -// fits_in_bytes returns one if the |num_words| words in |words| can be -// represented in |num_bytes| bytes. +// fits_in_bytes returns one if the `num_words` words in `words` can be +// represented in `num_bytes` bytes. static int fits_in_bytes(const BN_ULONG *words, size_t num_words, size_t num_bytes) { const uint8_t *bytes = (const uint8_t *)words; diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/cmp.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/cmp.cc.inc index aed2de17..c0a29ab8 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/cmp.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/cmp.cc.inc @@ -38,7 +38,7 @@ static int bn_cmp_words_consttime(const BN_ULONG *a, size_t a_len, constant_time_select_int(eq, ret, constant_time_select_int(lt, -1, 1)); } - // If |a| or |b| has non-zero words beyond |min|, they take precedence. + // If `a` or `b` has non-zero words beyond `min`, they take precedence. if (a_len < b_len) { crypto_word_t mask = 0; for (size_t i = a_len; i < b_len; i++) { @@ -72,7 +72,7 @@ int BN_cmp(const BIGNUM *a, const BIGNUM *b) { } // We do not attempt to process the sign bit in constant time. Negative - // |BIGNUM|s should never occur in crypto, only calculators. + // `BIGNUM`s should never occur in crypto, only calculators. if (a->neg != b->neg) { if (a->neg) { return -1; @@ -143,7 +143,7 @@ int BN_is_pow2(const BIGNUM *bn) { int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b) { BN_ULONG mask = 0; - // If |a| or |b| has more words than the other, all those words must be zero. + // If `a` or `b` has more words than the other, all those words must be zero. for (int i = a->width; i < b->width; i++) { mask |= b->d[i]; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/ctx.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/ctx.cc.inc index 1d67281c..a7381b05 100644 
--- a/third_party/boringssl/src/crypto/fipsmodule/bn/ctx.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/ctx.cc.inc @@ -35,25 +35,25 @@ BSSL_NAMESPACE_BEGIN class BignumCtx : public bignum_ctx { public: ~BignumCtx() { - // All |BN_CTX_start| calls must be matched with |BN_CTX_end|, otherwise the + // All `BN_CTX_start` calls must be matched with `BN_CTX_end`, otherwise the // function may use more memory than expected, potentially without bound if - // done in a loop. Assert that all |BIGNUM|s have been released. + // done in a loop. Assert that all `BIGNUM`s have been released. assert(used_ == 0 || error_); } - // bignums_ is the stack of |BIGNUM|s managed by this |BN_CTX|. + // bignums_ is the stack of `BIGNUM`s managed by this `BN_CTX`. Vector> bignums_; - // stack_ is the stack of |BN_CTX_start| frames. It is the value of |used_| at - // the time |BN_CTX_start| was called. + // stack_ is the stack of `BN_CTX_start` frames. It is the value of `used_` at + // the time `BN_CTX_start` was called. Vector stack_; - // used_ is the number of |BIGNUM|s from |bignums_| that have been used. + // used_ is the number of `BIGNUM`s from `bignums_` that have been used. size_t used_ = 0; - // error_ is whether any operation on this |BN_CTX| failed. All subsequent + // error_ is whether any operation on this `BN_CTX` failed. All subsequent // operations will fail. bool error_ = false; - // defer_error_ is whether an operation on this |BN_CTX| has failed, but no + // defer_error_ is whether an operation on this `BN_CTX` has failed, but no // error has been pushed to the queue yet. This is used to defer errors from - // |BN_CTX_start| to |BN_CTX_get|. + // `BN_CTX_start` to `BN_CTX_get`. bool defer_error_ = false; }; 
@@ -71,14 +71,14 @@ void BN_CTX_start(BN_CTX *ctx) { auto *impl = FromOpaque(ctx); if (impl->error_) { - // Once an operation has failed, |impl->stack| no longer matches the number - // of |BN_CTX_end| calls to come. Do nothing. + // Once an operation has failed, `impl->stack` no longer matches the number + // of `BN_CTX_end` calls to come. Do nothing. return; } if (!impl->stack_.Push(impl->used_)) { impl->error_ = true; - // |BN_CTX_start| cannot fail, so defer the error to |BN_CTX_get|. + // `BN_CTX_start` cannot fail, so defer the error to `BN_CTX_get`. impl->defer_error_ = true; ERR_clear_error(); } @@ -107,7 +107,7 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx) { BIGNUM *ret = impl->bignums_[impl->used_].get(); BN_zero(ret); - // This is bounded by |impl->bignums_.size()|, so it cannot overflow. + // This is bounded by `impl->bignums_.size()`, so it cannot overflow. impl->used_++; return ret; } @@ -116,8 +116,8 @@ void BN_CTX_end(BN_CTX *ctx) { auto *impl = FromOpaque(ctx); if (impl->error_) { - // Once an operation has failed, |impl->stack_| no longer matches the number - // of |BN_CTX_end| calls to come. Do nothing. + // Once an operation has failed, `impl->stack_` no longer matches the number + // of `BN_CTX_end` calls to come. Do nothing. return; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/div.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/div.cc.inc index af522dfc..8147dcce 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/div.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/div.cc.inc @@ -35,8 +35,8 @@ using namespace bssl; -// bn_div_words divides a double-width |h|,|l| by |d| and returns the result, -// which must fit in a |BN_ULONG|, i.e. |h < d|. +// bn_div_words divides a double-width `h`,`l` by `d` and returns the result, +// which must fit in a `BN_ULONG`, i.e. `h < d`. [[maybe_unused]] static BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { assert(h < d); 
@@ -108,18 +108,18 @@ static BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) { return ret; } -// bn_div_rem_words divides a double-width numerator (high half |nh| and low -// half |nl|) with a single-width divisor. It sets |*quotient_out| and -// |*rem_out| to be the quotient and numerator, respectively. The quotient must -// fit in a |BN_ULONG|, i.e. |nh < d|. +// bn_div_rem_words divides a double-width numerator (high half `nh` and low +// half `nl`) with a single-width divisor. It sets `*quotient_out` and +// `*rem_out` to be the quotient and numerator, respectively. The quotient must +// fit in a `BN_ULONG`, i.e. `nh < d`. static void bn_div_rem_words(BN_ULONG *quotient_out, BN_ULONG *rem_out, BN_ULONG nh, BN_ULONG nl, BN_ULONG d) { assert(nh < d); // This operation is the x86 and x86_64 DIV instruction, but it is difficult - // for the compiler to emit it. Dividing a |BN_ULLONG| by a |BN_ULONG| does - // not work because, a priori, the quotient may not fit in |BN_ULONG| and DIV + // for the compiler to emit it. Dividing a `BN_ULLONG` by a `BN_ULONG` does + // not work because, a priori, the quotient may not fit in `BN_ULONG` and DIV // will trap on overflow, not truncate. The compiler will instead emit a call - // to a more expensive support function (e.g. |__udivdi3|). Thus we use inline + // to a more expensive support function (e.g. `__udivdi3`). Thus we use inline // assembly or intrinsics to get the instruction. // // These is specific to x86 and x86_64; Arm and RISC-V do not have double-wide 
@@ -189,8 +189,8 @@ int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, return 0; } - // This algorithm relies on |sdiv| being minimal width. We do not use this - // function on secret inputs, so leaking this is fine. Also minimize |snum| to + // This algorithm relies on `sdiv` being minimal width. We do not use this + // function on secret inputs, so leaking this is fine. Also minimize `snum` to // avoid looping on leading zeros, as we're not trying to be leak-free. bn_set_minimal_width(sdiv); bn_set_minimal_width(snum); @@ -199,10 +199,10 @@ int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, d1 = (div_n == 1) ? 0 : sdiv->d[div_n - 2]; assert(d0 & (((BN_ULONG)1) << (BN_BITS2 - 1))); - // Extend |snum| with zeros to satisfy the long division invariants: - // - |snum| must have at least |div_n| + 1 words. - // - |snum|'s most significant word must be zero to guarantee the first loop - // iteration works with a prefix greater than |sdiv|. (This is the extra u0 + // Extend `snum` with zeros to satisfy the long division invariants: + // - `snum` must have at least `div_n` + 1 words. + // - `snum`'s most significant word must be zero to guarantee the first loop + // iteration works with a prefix greater than `sdiv`. (This is the extra u0 // digit in Knuth step D1.) num_n = snum->width <= div_n ? div_n + 1 : snum->width + 1; if (!bn_resize_words(snum, num_n)) { 
@@ -356,18 +356,18 @@ int BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) { BN_ULONG bssl::bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry, const BN_ULONG *m, size_t num) { assert(r != a); - // |r| = |a| - |m|. |bn_sub_words| performs the bulk of the subtraction, and - // then we apply the borrow to |carry|. + // `r` = `a` - `m`. `bn_sub_words` performs the bulk of the subtraction, and + // then we apply the borrow to `carry`. carry -= bn_sub_words(r, a, m, num); - // We know 0 <= |a| < 2*|m|, so -|m| <= |r| < |m|. + // We know 0 <= `a` < 2*`m`, so -`m` <= `r` < `m`. // - // If 0 <= |r| < |m|, |r| fits in |num| words and |carry| is zero. We then - // wish to select |r| as the answer. Otherwise -m <= r < 0 and we wish to - // return |r| + |m|, or |a|. |carry| must then be -1 or all ones. In both - // cases, |carry| is a suitable input to |bn_select_words|. + // If 0 <= `r` < `m`, `r` fits in `num` words and `carry` is zero. We then + // wish to select `r` as the answer. Otherwise -m <= r < 0 and we wish to + // return `r` + `m`, or `a`. `carry` must then be -1 or all ones. In both + // cases, `carry` is a suitable input to `bn_select_words`. // - // Although |carry| may be one if it was one on input and |bn_sub_words| - // returns zero, this would give |r| > |m|, violating our input assumptions. + // Although `carry` may be one if it was one on input and `bn_sub_words` + // returns zero, this would give `r` > `m`, violating our input assumptions. declassify_assert(carry + 1 <= 1); bn_select_words(r, carry, a /* r < 0 */, r /* r >= 0 */, num); return carry; 
@@ -376,7 +376,7 @@ BN_ULONG bssl::bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry, BN_ULONG bssl::bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m, BN_ULONG *tmp, size_t num) { - // See |bn_reduce_once| for why this logic works. + // See `bn_reduce_once` for why this logic works. carry -= bn_sub_words(tmp, r, m, num); declassify_assert(carry + 1 <= 1); bn_select_words(r, carry, r /* tmp < 0 */, tmp /* tmp >= 0 */, num); @@ -438,14 +438,14 @@ int bssl::bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, r->width = divisor->width; r->neg = 0; - // Incorporate |numerator| into |r|, one bit at a time, reducing after each - // step. We maintain the invariant that |0 <= r < divisor| and - // |q * divisor + r = n| where |n| is the portion of |numerator| incorporated + // Incorporate `numerator` into `r`, one bit at a time, reducing after each + // step. We maintain the invariant that `0 <= r < divisor` and + // `q * divisor + r = n` where `n` is the portion of `numerator` incorporated // so far. // - // First, we short-circuit the loop: if we know |divisor| has at least - // |divisor_min_bits| bits, the top |divisor_min_bits - 1| can be incorporated - // without reductions. This significantly speeds up |RSA_check_key|. For + // First, we short-circuit the loop: if we know `divisor` has at least + // `divisor_min_bits` bits, the top `divisor_min_bits - 1` can be incorporated + // without reductions. This significantly speeds up `RSA_check_key`. For // simplicity, we round down to a whole number of words. declassify_assert(divisor_min_bits <= BN_num_bits(divisor)); initial_words = 0; 
@@ -462,13 +462,13 @@ int bssl::bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, for (int bit = BN_BITS2 - 1; bit >= 0; bit--) { // Incorporate the next bit of the numerator, by computing // r = 2*r or 2*r + 1. Note the result fits in one more word. We store the - // extra word in |carry|. + // extra word in `carry`. BN_ULONG carry = bn_add_words(r->d, r->d, r->d, divisor->width); r->d[0] |= (numerator->d[i] >> bit) & 1; - // |r| was previously fully-reduced, so we know: + // `r` was previously fully-reduced, so we know: // 2*0 <= r <= 2*(divisor-1) + 1 // 0 <= r <= 2*divisor - 1 < 2*divisor. - // Thus |r| satisfies the preconditions for |bn_reduce_once_in_place|. + // Thus `r` satisfies the preconditions for `bn_reduce_once_in_place`. BN_ULONG subtracted = bn_reduce_once_in_place(r->d, carry, divisor->d, tmp->d, divisor->width); // The corresponding bit of the quotient is set iff we needed to subtract. @@ -494,11 +494,11 @@ static BIGNUM *bn_scratch_space_from_ctx(size_t width, BN_CTX *ctx) { return ret; } -// bn_resized_from_ctx returns |bn| with width at least |width| or NULL on +// bn_resized_from_ctx returns `bn` with width at least `width` or NULL on // error. This is so it may be used with low-level "words" functions. If -// necessary, it allocates a new |BIGNUM| with a lifetime of the current scope -// in |ctx|, so the caller does not need to explicitly free it. |bn| must fit in -// |width| words. +// necessary, it allocates a new `BIGNUM` with a lifetime of the current scope +// in `ctx`, so the caller does not need to explicitly free it. `bn` must fit in +// `width` words. static const BIGNUM *bn_resized_from_ctx(const BIGNUM *bn, size_t width, BN_CTX *ctx) { if ((size_t)bn->width >= width) { @@ -679,7 +679,7 @@ BN_ULONG BN_div_word(BIGNUM *a, BN_ULONG w) { return 0; } - // normalize input for |bn_div_rem_words|. + // normalize input for `bn_div_rem_words`. j = BN_BITS2 - BN_num_bits_word(w); w <<= j; if (!BN_lshift(a, a, j)) { 
@@ -713,8 +713,8 @@ BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) { } #ifndef BN_CAN_DIVIDE_ULLONG - // If |w| is too long and we don't have |BN_ULLONG| division then we need to - // fall back to using |BN_div_word|. + // If `w` is too long and we don't have `BN_ULLONG` division then we need to + // fall back to using `BN_div_word`. if (w > ((BN_ULONG)1 << BN_BITS4)) { BIGNUM *tmp = BN_dup(a); if (tmp == nullptr) { diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/div_extra.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/div_extra.cc.inc index 52e1be63..b518b4e1 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/div_extra.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/div_extra.cc.inc @@ -26,13 +26,13 @@ using namespace bssl; // http://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html // // We use 32-bit numerator and 16-bit divisor for simplicity. This allows -// computing |m| and |q| without architecture-specific code. +// computing `m` and `q` without architecture-specific code. -// mod_u16 returns |n| mod |d|. |p| and |m| are the "magic numbers" for |d| (see +// mod_u16 returns `n` mod `d`. `p` and `m` are the "magic numbers" for `d` (see // reference). For proof of correctness in Coq, see // https://github.com/davidben/fiat-crypto/blob/barrett/src/Arithmetic/BarrettReduction/RidiculousFish.v -// Note the Coq version of |mod_u16| additionally includes the computation of -// |p| and |m| from |bn_mod_u16_consttime| below. +// Note the Coq version of `mod_u16` additionally includes the computation of +// `p` and `m` from `bn_mod_u16_consttime` below. static uint16_t mod_u16(uint32_t n, uint16_t d, uint32_t p, uint32_t m) { // Compute floor(n/d) per steps 3 through 5. uint32_t q = ((uint64_t)m * n) >> 32; 
@@ -46,11 +46,11 @@ static uint16_t mod_u16(uint32_t n, uint16_t d, uint32_t p, uint32_t m) { return n; } -// shift_and_add_mod_u16 returns |r| * 2^32 + |a| mod |d|. |p| and |m| are the -// "magic numbers" for |d| (see reference). +// shift_and_add_mod_u16 returns `r` * 2^32 + `a` mod `d`. `p` and `m` are the +// "magic numbers" for `d` (see reference). static uint16_t shift_and_add_mod_u16(uint16_t r, uint32_t a, uint16_t d, uint32_t p, uint32_t m) { - // Incorporate |a| in two 16-bit chunks. + // Incorporate `a` in two 16-bit chunks. uint32_t t = r; t <<= 16; t |= a >> 16; @@ -67,11 +67,11 @@ uint16_t bssl::bn_mod_u16_consttime(const BIGNUM *bn, uint16_t d) { return 0; } - // Compute the "magic numbers" for |d|. See steps 1 and 2. + // Compute the "magic numbers" for `d`. See steps 1 and 2. // This computes p = ceil(log_2(d)). uint32_t p = BN_num_bits_word(d - 1); - // This operation is not constant-time, but |p| and |d| are public values. - // Note that |p| is at most 16, so the computation fits in |uint64_t|. + // This operation is not constant-time, but `p` and `d` are public values. + // Note that `p` is at most 16, so the computation fits in `uint64_t`. assert(p <= 16); uint32_t m = (uint32_t)(((UINT64_C(1) << (32 + p)) + d - 1) / d); diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/exponentiation.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/exponentiation.cc.inc index 869c78eb..911ac435 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/exponentiation.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/exponentiation.cc.inc 
@@ -30,11 +30,11 @@ using namespace bssl; #if defined(OPENSSL_BN_ASM_MONT5) -// bn_mul_mont_gather5 multiples loads index |power| of |table|, multiplies it -// by |ap| modulo |np|, and stores the result in |rp|. The values are |num| -// words long and represented in Montgomery form. |n0| is a pointer to the -// corresponding field in |BN_MONT_CTX|. |table| must be aligned to at least -// 16 bytes. |power| must be less than 32 and is treated as secret. +// bn_mul_mont_gather5 multiples loads index `power` of `table`, multiplies it +// by `ap` modulo `np`, and stores the result in `rp`. The values are `num` +// words long and represented in Montgomery form. `n0` is a pointer to the +// corresponding field in `BN_MONT_CTX`. `table` must be aligned to at least +// 16 bytes. `power` must be less than 32 and is treated as secret. // // WARNING: This function implements Almost Montgomery Multiplication from // https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced. 
@@ -51,11 +51,11 @@ static void bn_mul_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, } } -// bn_power5 squares |ap| five times and multiplies it by the value stored at -// index |power| of |table|, modulo |np|. It stores the result in |rp|. The -// values are |num| words long and represented in Montgomery form. |n0| is a -// pointer to the corresponding field in |BN_MONT_CTX|. |num| must be divisible -// by 8. |power| must be less than 32 and is treated as secret. +// bn_power5 squares `ap` five times and multiplies it by the value stored at +// index `power` of `table`, modulo `np`. It stores the result in `rp`. The +// values are `num` words long and represented in Montgomery form. `n0` is a +// pointer to the corresponding field in `BN_MONT_CTX`. `num` must be divisible +// by 8. `power` must be less than 32 and is treated as secret. // // WARNING: This function implements Almost Montgomery Multiplication from // https://eprint.iacr.org/2011/239. The inputs do not need to be fully reduced. @@ -74,7 +74,7 @@ static void bn_power5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, #endif // defined(OPENSSL_BN_ASM_MONT5) // BN_window_bits_for_exponent_size returns sliding window size for mod_exp with -// a |b| bit exponent. +// a `b` bit exponent. // // For window size 'w' (w >= 2) and a random 'b' bits exponent, the number of // multiplications is a constant plus on average 
@@ -114,16 +114,16 @@ static int BN_window_bits_for_exponent_size(size_t b) { // TABLE_SIZE is the maximum precomputation table size for *variable* sliding // windows. This must be 2^(max_window - 1), where max_window is the largest -// value returned from |BN_window_bits_for_exponent_size|. +// value returned from `BN_window_bits_for_exponent_size`. #define TABLE_SIZE 32 // TABLE_BITS_SMALL is the smallest value returned from -// |BN_window_bits_for_exponent_size| when |b| is at most |BN_BITS2| * -// |BN_SMALL_MAX_WORDS| words. +// `BN_window_bits_for_exponent_size` when `b` is at most `BN_BITS2` * +// `BN_SMALL_MAX_WORDS` words. #define TABLE_BITS_SMALL 5 -// TABLE_SIZE_SMALL is the same as |TABLE_SIZE|, but when |b| is at most -// |BN_BITS2| * |BN_SMALL_MAX_WORDS|. +// TABLE_SIZE_SMALL is the same as `TABLE_SIZE`, but when `b` is at most +// `BN_BITS2` * `BN_SMALL_MAX_WORDS`. #define TABLE_SIZE_SMALL (1 << (TABLE_BITS_SMALL - 1)) int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, @@ -136,7 +136,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); return 0; } - // |a| is secret, but |a < m| is not. + // `a` is secret, but `a < m` is not. if (a->neg || constant_time_declassify_int(BN_ucmp(a, m)) >= 0) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; @@ -172,7 +172,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } // We exponentiate by looking at sliding windows of the exponent and - // precomputing powers of |a|. Windows may be shifted so they always end on a + // precomputing powers of `a`. Windows may be shifted so they always end on a // set bit, so only precompute odd powers. We compute val[i] = a^(2*i + 1) // for i = 0 to 2^(window-1), all in Montgomery form. int window = BN_window_bits_for_exponent_size(bits); 
@@ -193,8 +193,8 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } } - // |p| is non-zero, so at least one window is non-zero. To save some - // multiplications, defer initializing |r| until then. + // `p` is non-zero, so at least one window is non-zero. To save some + // multiplications, defer initializing `r` until then. int r_is_one = 1; int wstart = bits - 1; // The top bit of the window. for (;;) { @@ -220,7 +220,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } } - // Shift |r| to the end of the window. + // Shift `r` to the end of the window. if (!r_is_one) { for (int i = 0; i < wsize + 1; i++) { if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) { @@ -246,7 +246,7 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, wstart -= wsize + 1; } - // |p| is non-zero, so |r_is_one| must be cleared at some point. + // `p` is non-zero, so `r_is_one` must be cleared at some point. assert(!r_is_one); return BN_from_montgomery(rr, r, mont, ctx); @@ -261,8 +261,8 @@ void bssl::bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, } assert(BN_is_odd(&mont->N)); - // Count the number of bits in |p|, skipping leading zeros. Note this function - // treats |p| as public. + // Count the number of bits in `p`, skipping leading zeros. Note this function + // treats `p` as public. while (num_p != 0 && p[num_p - 1] == 0) { num_p--; } 
@@ -274,12 +274,12 @@ void bssl::bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, assert(bits != 0); // We exponentiate by looking at sliding windows of the exponent and - // precomputing powers of |a|. Windows may be shifted so they always end on a + // precomputing powers of `a`. Windows may be shifted so they always end on a // set bit, so only precompute odd powers. We compute val[i] = a^(2*i + 1) for // i = 0 to 2^(window-1), all in Montgomery form. unsigned window = BN_window_bits_for_exponent_size(bits); if (window > TABLE_BITS_SMALL) { - window = TABLE_BITS_SMALL; // Tolerate excessively large |p|. + window = TABLE_BITS_SMALL; // Tolerate excessively large `p`. } BN_ULONG val[TABLE_SIZE_SMALL][BN_SMALL_MAX_WORDS]; OPENSSL_memcpy(val[0], a, num * sizeof(BN_ULONG)); @@ -291,8 +291,8 @@ void bssl::bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, } } - // |p| is non-zero, so at least one window is non-zero. To save some - // multiplications, defer initializing |r| until then. + // `p` is non-zero, so at least one window is non-zero. To save some + // multiplications, defer initializing `r` until then. int r_is_one = 1; size_t wstart = bits - 1; // The top bit of the window. for (;;) { @@ -318,7 +318,7 @@ void bssl::bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, } } - // Shift |r| to the end of the window. + // Shift `r` to the end of the window. if (!r_is_one) { for (unsigned i = 0; i < wsize + 1; i++) { bn_mod_mul_montgomery_small(r, r, r, num, mont); @@ -339,7 +339,7 @@ void bssl::bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, wstart -= wsize + 1; } - // |p| is non-zero, so |r_is_one| must be cleared at some point. + // `p` is non-zero, so `r_is_one` must be cleared at some point. assert(!r_is_one); OPENSSL_cleanse(val, sizeof(val)); } 
@@ -372,7 +372,7 @@ void bssl::bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, static void copy_to_prebuf(const BIGNUM *b, int top, BN_ULONG *table, int idx, int window) { int ret = bn_copy_words(table + idx * top, top, b); - assert(ret); // |b| is guaranteed to fit. + assert(ret); // `b` is guaranteed to fit. (void)ret; } @@ -385,9 +385,9 @@ static int copy_from_prebuf(BIGNUM *b, int top, const BN_ULONG *table, int idx, OPENSSL_memset(b->d, 0, sizeof(BN_ULONG) * top); const int width = 1 << window; for (int i = 0; i < width; i++, table += top) { - // Use a value barrier to prevent Clang from adding a branch when |i != idx| + // Use a value barrier to prevent Clang from adding a branch when `i != idx` // and making this copy not constant time. Clang is still allowed to learn - // that |mask| is constant across the inner loop, so this won't inhibit any + // that `mask` is constant across the inner loop, so this won't inhibit any // vectorization it might do. BN_ULONG mask = value_barrier_w(constant_time_eq_int(i, idx)); for (int j = 0; j < top; j++) { @@ -409,7 +409,7 @@ static int copy_from_prebuf(BIGNUM *b, int top, const BN_ULONG *table, int idx, ((b) > 937 ? 6 : (b) > 306 ? 5 : (b) > 89 ? 4 : (b) > 22 ? 3 : 1) #define BN_MAX_MOD_EXP_CTIME_WINDOW (6) -// This variant of |BN_mod_exp_mont| uses fixed windows and fixed memory access +// This variant of `BN_mod_exp_mont` uses fixed windows and fixed memory access // patterns to protect secret exponents (cf. the hyper-threading timing attacks // pointed out by Colin Percival, // http://www.daemonology.net/hyperthreading-considered-harmful/) 
@@ -430,14 +430,14 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, OPENSSL_PUT_ERROR(BN, BN_R_NEGATIVE_NUMBER); return 0; } - // |a| is secret, but it is required to be in range, so these comparisons may + // `a` is secret, but it is required to be in range, so these comparisons may // be leaked. if (a->neg || constant_time_declassify_int(BN_ucmp(a, m) >= 0)) { OPENSSL_PUT_ERROR(BN, BN_R_INPUT_NOT_REDUCED); return 0; } - // Use all bits stored in |p|, rather than |BN_num_bits|, so we do not leak + // Use all bits stored in `p`, rather than `BN_num_bits`, so we do not leak // whether the top bits are zero. int max_bits = p->width * BN_BITS2; int bits = max_bits; @@ -461,8 +461,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, mont = new_mont.get(); } - // Use the width in |mont->N|, rather than the copy in |m|. The assembly - // implementation assumes it can use |top| to size R. + // Use the width in `mont->N`, rather than the copy in `m`. The assembly + // implementation assumes it can use `top` to size R. top = mont->N.width; #if defined(OPENSSL_BN_ASM_MONT5) || defined(RSAZ_ENABLED) @@ -494,7 +494,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, window = BN_window_bits_for_ctime_exponent_size(bits); assert(window <= BN_MAX_MOD_EXP_CTIME_WINDOW); - // Calculating |powerbuf_len| below cannot overflow because of the bound on + // Calculating `powerbuf_len` below cannot overflow because of the bound on // Montgomery reduction. assert((size_t)top <= BN_MONTGOMERY_MAX_WORDS); static_assert( 
@@ -505,13 +505,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, #if defined(OPENSSL_BN_ASM_MONT5) if (window >= 5) { window = 5; // ~5% improvement for RSA2048 sign, and even for RSA4096 - // Reserve space for the |mont->N| copy. + // Reserve space for the `mont->N` copy. powerbuf_len += top * sizeof(mont->N.d[0]); } #endif // Allocate a buffer large enough to hold all of the pre-computed - // powers of |am|, |am| itself, and |tmp|. + // powers of `am`, `am` itself, and `tmp`. num_powers = 1 << window; powerbuf_len += sizeof(m->d[0]) * top * (num_powers + 2); @@ -519,7 +519,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, if (powerbuf_len <= sizeof(storage)) { powerbuf = storage; } - // |storage| is more than large enough to handle 1024-bit inputs. + // `storage` is more than large enough to handle 1024-bit inputs. assert(powerbuf != nullptr || top * BN_BITS2 > 1024); #endif if (powerbuf == nullptr) { @@ -532,7 +532,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } OPENSSL_memset(powerbuf, 0, powerbuf_len); - // Place |tmp| and |am| right after powers table. + // Place `tmp` and `am` right after powers table. BIGNUM tmp, am; tmp.d = powerbuf + top * num_powers; am.d = tmp.d + top; 
@@ -561,24 +561,24 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, // exponentiation, used in RSA-1024 with CRT, but RSA-1024 is no longer // important. // - // |bn_mul_mont_gather5| and |bn_power5| implement the "almost" reduction + // `bn_mul_mont_gather5` and `bn_power5` implement the "almost" reduction // variant, so the values here may not be fully reduced. They are bounded by R - // (i.e. they fit in |top| words), not |m|. Additionally, we pass these - // "almost" reduced inputs into |bn_mul_mont_words|, which implements the - // normal reduction variant. Given those inputs, |bn_mul_mont_words| may not + // (i.e. they fit in `top` words), not `m`. Additionally, we pass these + // "almost" reduced inputs into `bn_mul_mont_words`, which implements the + // normal reduction variant. Given those inputs, `bn_mul_mont_words` may not // give reduced output, but it will still produce "almost" reduced output. // // TODO(davidben): Using "almost" reduction complicates analysis of this code, // and its interaction with other parts of the project. Determine whether this // is actually necessary for performance. if (window == 5 && top > 1) { - // Copy |mont->N| to improve cache locality. + // Copy `mont->N` to improve cache locality. BN_ULONG *np = am.d + top; for (i = 0; i < top; i++) { np[i] = mont->N.d[i]; } - // Fill |powerbuf| with the first 32 powers of |am|. + // Fill `powerbuf` with the first 32 powers of `am`. const BN_ULONG *n0 = mont->n0; bn_scatter5(tmp.d, top, powerbuf, 0); bn_scatter5(am.d, am.width, powerbuf, 1); 
@@ -590,7 +590,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bn_mul_mont_words(tmp.d, tmp.d, tmp.d, np, n0, top); bn_scatter5(tmp.d, top, powerbuf, i); } - // Compute odd powers |i| based on |i - 1|, then all powers |i * 2^j|. + // Compute odd powers `i` based on `i - 1`, then all powers `i * 2^j`. for (i = 3; i < 32; i += 2) { bn_mul_mont_gather5(tmp.d, am.d, powerbuf, np, n0, top, i - 1); bn_scatter5(tmp.d, top, powerbuf, i); @@ -606,7 +606,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } bn_gather5(tmp.d, top, powerbuf, wvalue); - // At this point |bits| is 4 mod 5 and at least -1. (|bits| is the first bit + // At this point `bits` is 4 mod 5 and at least -1. (`bits` is the first bit // that has not been read yet.) assert(bits >= -1 && (bits == -1 || bits % 5 == 4)); @@ -628,16 +628,16 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } else { const uint8_t *p_bytes = (const uint8_t *)p->d; assert(bits < max_bits); - // |p = 0| has been handled as a special case, so |max_bits| is at least + // `p = 0` has been handled as a special case, so `max_bits` is at least // one word. assert(max_bits >= 64); // If the first bit to be read lands in the last byte, unroll the first - // iteration to avoid reading past the bounds of |p->d|. (After the first - // iteration, we are guaranteed to be past the last byte.) Note |bits| + // iteration to avoid reading past the bounds of `p->d`. (After the first + // iteration, we are guaranteed to be past the last byte.) Note `bits` // here is the top bit, inclusive. if (bits - 4 >= max_bits - 8) { - // Read five bits from |bits-4| through |bits|, inclusive. + // Read five bits from `bits-4` through `bits`, inclusive. wvalue = p_bytes[p->width * BN_BYTES - 1]; wvalue >>= (bits - 4) & 7; wvalue &= 0x1f; 
@@ -645,7 +645,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, wvalue); } while (bits >= 0) { - // Read five bits from |bits-4| through |bits|, inclusive. + // Read five bits from `bits-4` through `bits`, inclusive. int first_bit = bits - 4; uint16_t val; OPENSSL_memcpy(&val, p_bytes + (first_bit >> 3), sizeof(val)); @@ -655,8 +655,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bn_power5(tmp.d, tmp.d, powerbuf, np, n0, top, val); } } - // The result is now in |tmp| in Montgomery form, but it may not be fully - // reduced. This is within bounds for |BN_from_montgomery| (tmp < R <= m*R) + // The result is now in `tmp` in Montgomery form, but it may not be fully + // reduced. This is within bounds for `BN_from_montgomery` (tmp < R <= m*R) // so it will, when converting from Montgomery form, produce a fully reduced // result. // @@ -725,9 +725,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } // Convert the final result from Montgomery to standard format. If we used the - // |OPENSSL_BN_ASM_MONT5| codepath, |tmp| may not be fully reduced. It is only - // bounded by R rather than |m|. However, that is still within bounds for - // |BN_from_montgomery|, which implements full Montgomery reduction, not + // `OPENSSL_BN_ASM_MONT5` codepath, `tmp` may not be fully reduced. It is only + // bounded by R rather than `m`. However, that is still within bounds for + // `BN_from_montgomery`, which implements full Montgomery reduction, not // "almost" Montgomery reduction. if (!BN_from_montgomery(rr, &tmp, mont, ctx)) { goto err; diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/gcd.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/gcd.cc.inc index 4fdb2e96..d78185ce 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/gcd.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/gcd.cc.inc 
@@ -211,7 +211,7 @@ BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n, return nullptr; } - new_out.release(); // Passed to the caller via |out|. + new_out.release(); // Passed to the caller via `out`. return out; } @@ -219,7 +219,7 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx) { *out_no_inverse = 0; - // |a| is secret, but it is required to be in range, so these comparisons may + // `a` is secret, but it is required to be in range, so these comparisons may // be leaked. if (BN_is_negative(a) || constant_time_declassify_int(BN_cmp(a, &mont->N) >= 0)) { @@ -232,15 +232,15 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, return 0; } - // |BN_mod_inverse_odd| is leaky, so generate a secret blinding factor and - // blind |a|. This works because (ar)^-1 * r = a^-1, supposing r is + // `BN_mod_inverse_odd` is leaky, so generate a secret blinding factor and + // blind `a`. This works because (ar)^-1 * r = a^-1, supposing r is // invertible. If r is not invertible, this function will fail. However, we // only use this in RSA, where stumbling on an uninvertible element means // stumbling on the key's factorization. That is, if this function fails, the // RSA key was not actually a product of two large primes. // // TODO(crbug.com/boringssl/677): When the PRNG output is marked secret by - // default, the explicit |bn_secret| call can be removed. + // default, the explicit `bn_secret` call can be removed. if (!BN_rand_range_ex(blinding_factor.get(), 1, &mont->N)) { return 0; } 
@@ -249,8 +249,8 @@ int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, return 0; } - // Once blinded, |out| is no longer secret, so it may be passed to a leaky - // mod inverse function. Note |blinding_factor| is secret, so |out| will be + // Once blinded, `out` is no longer secret, so it may be passed to a leaky + // mod inverse function. Note `blinding_factor` is secret, so `out` will be // secret again after multiplying. bn_declassify(out); if (!BN_mod_inverse_odd(out, out_no_inverse, out, &mont->N, ctx) || diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/gcd_extra.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/gcd_extra.cc.inc index a48762fe..867147da 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/gcd_extra.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/gcd_extra.cc.inc @@ -72,7 +72,7 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, return 0; } - // Each loop iteration halves at least one of |u| and |v|. Thus we need at + // Each loop iteration halves at least one of `u` and `v`. Thus we need at // most the combined bit width of inputs for at least one value to be zero. x_bits = x->width * BN_BITS2; y_bits = y->width * BN_BITS2; 
@@ -86,14 +86,14 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, for (unsigned i = 0; i < num_iters; i++) { BN_ULONG both_odd = word_is_odd_mask(u->d[0]) & word_is_odd_mask(v->d[0]); - // If both |u| and |v| are odd, subtract the smaller from the larger. + // If both `u` and `v` are odd, subtract the smaller from the larger. BN_ULONG u_less_than_v = (BN_ULONG)0 - bn_sub_words(tmp->d, u->d, v->d, width); bn_select_words(u->d, both_odd & ~u_less_than_v, tmp->d, u->d, width); bn_sub_words(tmp->d, v->d, u->d, width); bn_select_words(v->d, both_odd & u_less_than_v, tmp->d, v->d, width); - // At least one of |u| and |v| is now even. + // At least one of `u` and `v` is now even. BN_ULONG u_is_odd = word_is_odd_mask(u->d[0]); BN_ULONG v_is_odd = word_is_odd_mask(v->d[0]); declassify_assert(!(u_is_odd & v_is_odd)); @@ -106,8 +106,8 @@ static int bn_gcd_consttime(BIGNUM *r, unsigned *out_shift, const BIGNUM *x, maybe_rshift1_words(v->d, ~v_is_odd, tmp->d, width); } - // One of |u| or |v| is zero at this point. The algorithm usually makes |u| - // zero, unless |y| was already zero on input. Fix this by combining the + // One of `u` or `v` is zero at this point. The algorithm usually makes `u` + // zero, unless `y` was already zero on input. Fix this by combining the // values. declassify_assert(BN_is_zero(u) | BN_is_zero(v)); for (size_t i = 0; i < width; i++) { @@ -132,7 +132,7 @@ int bssl::bn_is_relatively_prime(int *out_relatively_prime, const BIGNUM *x, return 0; } - // Check that 2^|shift| * |gcd| is one. + // Check that 2^`shift` * `gcd` is one. if (gcd->width == 0) { *out_relatively_prime = 0; } else { 
@@ -154,7 +154,7 @@ int bssl::bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, return gcd != nullptr && // bn_mul_consttime(r, a, b, ctx) && bn_gcd_consttime(gcd, &shift, a, b, ctx) && - // |gcd| has a secret bit width. + // `gcd` has a secret bit width. bn_div_consttime(r, nullptr, r, gcd, /*divisor_min_bits=*/0, ctx) && bn_rshift_secret_shift(r, r, shift, ctx); } @@ -183,9 +183,9 @@ int bssl::bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, // negative numbers. // // For more details and proof of correctness, see - // https://github.com/mit-plv/fiat-crypto/pull/333. In particular, see |step| - // and |mod_inverse_consttime| for the algorithm in Gallina and see - // |mod_inverse_consttime_spec| for the correctness result. + // https://github.com/mit-plv/fiat-crypto/pull/333. In particular, see `step` + // and `mod_inverse_consttime` for the algorithm in Gallina and see + // `mod_inverse_consttime_spec` for the correctness result. if (!BN_is_odd(a) && !BN_is_odd(n)) { *out_no_inverse = 1; @@ -193,8 +193,8 @@ int bssl::bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, return 0; } - // This function exists to compute the RSA private exponent, where |a| is one - // word. We'll thus use |a_width| when available. + // This function exists to compute the RSA private exponent, where `a` is one + // word. We'll thus use `a_width` when available. size_t n_width = n->width, a_width = a->width; if (a_width > n_width) { a_width = n_width; 
@@ -222,25 +222,25 @@ int bssl::bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, !BN_copy(v, n) || // !BN_one(A) || // !BN_one(D) || - // For convenience, size |u| and |v| equivalently. + // For convenience, size `u` and `v` equivalently. !bn_resize_words(u, n_width) || // !bn_resize_words(v, n_width) || - // |A| and |C| are bounded by |m|. + // `A` and `C` are bounded by `m`. !bn_resize_words(A, n_width) || // !bn_resize_words(C, n_width) || - // |B| and |D| are bounded by |a|. + // `B` and `D` are bounded by `a`. !bn_resize_words(B, a_width) || // !bn_resize_words(D, a_width) || - // |tmp| and |tmp2| may be used at either size. + // `tmp` and `tmp2` may be used at either size. !bn_resize_words(tmp, n_width) || // !bn_resize_words(tmp2, n_width)) { return 0; } - // Each loop iteration halves at least one of |u| and |v|. Thus we need at + // Each loop iteration halves at least one of `u` and `v`. Thus we need at // most the combined bit width of inputs for at least one value to be zero. - // |a_bits| and |n_bits| cannot overflow because |bn_wexpand| ensures bit - // counts fit in even |int|. + // `a_bits` and `n_bits` cannot overflow because `bn_wexpand` ensures bit + // counts fit in even `int`. a_bits = a_width * BN_BITS2; n_bits = n_width * BN_BITS2; num_iters = a_bits + n_bits; @@ -265,7 +265,7 @@ int bssl::bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, for (size_t i = 0; i < num_iters; i++) { BN_ULONG both_odd = word_is_odd_mask(u->d[0]) & word_is_odd_mask(v->d[0]); - // If both |u| and |v| are odd, subtract the smaller from the larger. + // If both `u` and `v` are odd, subtract the smaller from the larger. BN_ULONG v_less_than_u = (BN_ULONG)0 - bn_sub_words(tmp->d, v->d, u->d, n_width); bn_select_words(v->d, both_odd & ~v_less_than_u, tmp->d, v->d, n_width); 
@@ -285,8 +285,8 @@ int bssl::bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, bn_select_words(B->d, both_odd & v_less_than_u, tmp->d, B->d, a_width); bn_select_words(D->d, both_odd & ~v_less_than_u, tmp->d, D->d, a_width); - // Our loop invariants hold at this point. Additionally, exactly one of |u| - // and |v| is now even. + // Our loop invariants hold at this point. Additionally, exactly one of `u` + // and `v` is now even. BN_ULONG u_is_even = ~word_is_odd_mask(u->d[0]); BN_ULONG v_is_even = ~word_is_odd_mask(v->d[0]); declassify_assert(u_is_even != v_is_even); diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/internal.h b/third_party/boringssl/src/crypto/fipsmodule/bn/internal.h index 486fae10..2fa8ebba 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/internal.h @@ -64,7 +64,7 @@ BSSL_NAMESPACE_BEGIN #define BN_MASK2h1 (0xffff8000UL) #define BN_MASK2h (0xffff0000UL) // On some 32-bit platforms, Montgomery multiplication is done using 64-bit -// arithmetic with SIMD instructions. On such platforms, |BN_MONT_CTX::n0| +// arithmetic with SIMD instructions. On such platforms, `BN_MONT_CTX::n0` // needs to be two words long. Only certain 32-bit platforms actually make use // of n0[1] and shorter R value would suffice for the others. However, // currently only the assembly files know which is which. @@ -81,7 +81,7 @@ BSSL_NAMESPACE_BEGIN #define BN_CAN_USE_INLINE_ASM #endif -// MOD_EXP_CTIME_ALIGN is the alignment needed for |BN_mod_exp_mont_consttime|'s +// MOD_EXP_CTIME_ALIGN is the alignment needed for `BN_mod_exp_mont_consttime`'s // tables. // // TODO(davidben): Historically, this alignment came from cache line 
@@ -91,8 +91,8 @@ BSSL_NAMESPACE_BEGIN // requirements. #define MOD_EXP_CTIME_ALIGN 64 -// MOD_EXP_CTIME_STORAGE_LEN is the number of |BN_ULONG|s needed for the -// |BN_mod_exp_mont_consttime| stack-allocated storage buffer. The buffer is +// MOD_EXP_CTIME_STORAGE_LEN is the number of `BN_ULONG`s needed for the +// `BN_mod_exp_mont_consttime` stack-allocated storage buffer. The buffer is // just the right size for the RSAZ and is about ~1KB larger than what's // necessary (4480 bytes) for 1024-bit inputs. #define MOD_EXP_CTIME_STORAGE_LEN \ 
@@ -105,64 +105,64 @@ BSSL_NAMESPACE_BEGIN } // bn_minimal_width returns the minimal number of words needed to represent -// |bn|. +// `bn`. int bn_minimal_width(const BIGNUM *bn); -// bn_set_minimal_width sets |bn->width| to |bn_minimal_width(bn)|. If |bn| is -// zero, |bn->neg| is set to zero. +// bn_set_minimal_width sets `bn->width` to `bn_minimal_width(bn)`. If `bn` is +// zero, `bn->neg` is set to zero. void bn_set_minimal_width(BIGNUM *bn); -// bn_wexpand ensures that |bn| has at least |words| works of space without +// bn_wexpand ensures that `bn` has at least `words` works of space without // altering its value. It returns one on success or zero on allocation // failure. int bn_wexpand(BIGNUM *bn, size_t words); -// bn_expand acts the same as |bn_wexpand|, but takes a number of bits rather +// bn_expand acts the same as `bn_wexpand`, but takes a number of bits rather // than a number of words. int bn_expand(BIGNUM *bn, size_t bits); -// bn_resize_words adjusts |bn->width| to be |words|. It returns one on success -// and zero on allocation error or if |bn|'s value is too large. +// bn_resize_words adjusts `bn->width` to be `words`. It returns one on success +// and zero on allocation error or if `bn`'s value is too large. OPENSSL_EXPORT int bn_resize_words(BIGNUM *bn, size_t words); -// bn_select_words sets |r| to |a| if |mask| is all ones or |b| if |mask| is +// bn_select_words sets `r` to `a` if `mask` is all ones or `b` if `mask` is // all zeros. void bn_select_words(BN_ULONG *r, BN_ULONG mask, const BN_ULONG *a, const BN_ULONG *b, size_t num); -// bn_set_words sets |bn| to the value encoded in the |num| words in |words|, +// bn_set_words sets `bn` to the value encoded in the `num` words in `words`, // least significant word first. int bn_set_words(BIGNUM *bn, const BN_ULONG *words, size_t num); -// bn_set_static_words acts like |bn_set_words|, but doesn't copy the data. A -// flag is set on |bn| so that |BN_free| won't attempt to free the data. 
+// bn_set_static_words acts like `bn_set_words`, but doesn't copy the data. A +// flag is set on `bn` so that `BN_free` won't attempt to free the data. // -// The |STATIC_BIGNUM| macro is probably a better solution for this outside of +// The `STATIC_BIGNUM` macro is probably a better solution for this outside of // the FIPS module. Inside of the FIPS module that macro generates rel.ro data, // which doesn't work with FIPS requirements. void bn_set_static_words(BIGNUM *bn, const BN_ULONG *words, size_t num); -// bn_fits_in_words returns one if |bn| may be represented in |num| words, plus +// bn_fits_in_words returns one if `bn` may be represented in `num` words, plus // a sign bit, and zero otherwise. int bn_fits_in_words(const BIGNUM *bn, size_t num); -// bn_copy_words copies the value of |bn| to |out| and returns one if the value -// is representable in |num| words. Otherwise, it returns zero. +// bn_copy_words copies the value of `bn` to `out` and returns one if the value +// is representable in `num` words. Otherwise, it returns zero. int bn_copy_words(BN_ULONG *out, size_t num, const BIGNUM *bn); -// bn_assert_fits_in_bytes asserts that |bn| fits in |num| bytes. This is a +// bn_assert_fits_in_bytes asserts that `bn` fits in `num` bytes. This is a // no-op in release builds, but triggers an assert in debug builds, and // declassifies all bytes which are therefore known to be zero in constant-time // validation. void bn_assert_fits_in_bytes(const BIGNUM *bn, size_t num); -// bn_secret marks |bn|'s contents, but not its width or sign, as secret. See -// |CONSTTIME_SECRET| for details. +// bn_secret marks `bn`'s contents, but not its width or sign, as secret. See +// `CONSTTIME_SECRET` for details. inline void bn_secret(BIGNUM *bn) { CONSTTIME_SECRET(bn->d, bn->width * sizeof(BN_ULONG)); } -// bn_declassify marks |bn|'s value as public. See |CONSTTIME_DECLASSIFY| for +// bn_declassify marks `bn`'s value as public. See `CONSTTIME_DECLASSIFY` for // details. 
inline void bn_declassify(BIGNUM *bn) { CONSTTIME_DECLASSIFY(bn->d, bn->width * sizeof(BN_ULONG)); @@ -186,9 +186,9 @@ inline void bn_declassify(BIGNUM *bn) { #define BN_ADD_ASM #endif -// bn_mul_add_words multiples |ap| by |w|, adds the result to |rp|, and places -// the result in |rp|. |ap| and |rp| must both be |num| words long. It returns -// the carry word of the operation. |ap| and |rp| may be equal but otherwise may +// bn_mul_add_words multiples `ap` by `w`, adds the result to `rp`, and places +// the result in `rp`. `ap` and `rp` must both be `num` words long. It returns +// the carry word of the operation. `ap` and `rp` may be equal but otherwise may // not alias. #if defined(BN_MUL_ASM) extern "C" 
@@ -196,30 +196,30 @@ extern "C" BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num, BN_ULONG w); -// bn_mul_words multiples |ap| by |w| and places the result in |rp|. |ap| and -// |rp| must both be |num| words long. It returns the carry word of the -// operation. |ap| and |rp| may be equal but otherwise may not alias. +// bn_mul_words multiples `ap` by `w` and places the result in `rp`. `ap` and +// `rp` must both be `num` words long. It returns the carry word of the +// operation. `ap` and `rp` may be equal but otherwise may not alias. #if defined(BN_MUL_ASM) extern "C" #endif BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num, BN_ULONG w); -// bn_sqr_add_words computes |tmp| where |tmp[2*i]| and |tmp[2*i+1]| are -// |ap[i]|'s square, for all |i| up to |num|, and adds the result to |rp|. If -// the result does not fit in |2*num| words, the final carry bit is truncated. -// |ap| is an array of |num| words and |rp| an array of |2*num| words. |ap| and -// |rp| may not alias. +// bn_sqr_add_words computes `tmp` where `tmp[2*i]` and `tmp[2*i+1]` are +// `ap[i]`'s square, for all `i` up to `num`, and adds the result to `rp`. If +// the result does not fit in `2*num` words, the final carry bit is truncated. +// `ap` is an array of `num` words and `rp` an array of `2*num` words. `ap` and +// `rp` may not alias. // -// This gives the contribution of the |ap[i]*ap[i]| terms when squaring |ap|. +// This gives the contribution of the `ap[i]*ap[i]` terms when squaring `ap`. #if defined(BN_MUL_ASM) extern "C" #endif void bn_sqr_add_words(BN_ULONG *rp, const BN_ULONG *ap, size_t num); -// bn_add_words adds |ap| to |bp| and places the result in |rp|, each of which -// are |num| words long. It returns the carry bit, which is one if the operation -// overflowed and zero otherwise. Any pair of |ap|, |bp|, and |rp| may be equal +// bn_add_words adds `ap` to `bp` and places the result in `rp`, each of which +// are `num` words long. 
It returns the carry bit, which is one if the operation +// overflowed and zero otherwise. Any pair of `ap`, `bp`, and `rp` may be equal // to each other but otherwise may not alias. #if defined(BN_ADD_ASM) @@ -228,9 +228,9 @@ extern "C" BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, size_t num); -// bn_sub_words subtracts |bp| from |ap| and places the result in |rp|. It +// bn_sub_words subtracts `bp` from `ap` and places the result in `rp`. It // returns the borrow bit, which is one if the computation underflowed and zero -// otherwise. Any pair of |ap|, |bp|, and |rp| may be equal to each other but +// otherwise. Any pair of `ap`, `bp`, and `rp` may be equal to each other but // otherwise may not alias. #if defined(BN_ADD_ASM) extern "C" 
@@ -238,76 +238,76 @@ extern "C" BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, size_t num); -// bn_mul_comba4 sets |r| to the product of |a| and |b|. +// bn_mul_comba4 sets `r` to the product of `a` and `b`. #if defined(BN_MUL_ASM) extern "C" #endif void bn_mul_comba4(BN_ULONG r[8], const BN_ULONG a[4], const BN_ULONG b[4]); -// bn_mul_comba8 sets |r| to the product of |a| and |b|. +// bn_mul_comba8 sets `r` to the product of `a` and `b`. #if defined(BN_MUL_ASM) extern "C" #endif void bn_mul_comba8(BN_ULONG r[16], const BN_ULONG a[8], const BN_ULONG b[8]); -// bn_sqr_comba8 sets |r| to |a|^2. +// bn_sqr_comba8 sets `r` to `a`^2. #if defined(BN_MUL_ASM) extern "C" #endif void bn_sqr_comba8(BN_ULONG r[16], const BN_ULONG a[8]); -// bn_sqr_comba4 sets |r| to |a|^2. +// bn_sqr_comba4 sets `r` to `a`^2. #if defined(BN_MUL_ASM) extern "C" #endif void bn_sqr_comba4(BN_ULONG r[8], const BN_ULONG a[4]); -// bn_less_than_words returns one if |a| < |b| and zero otherwise, where |a| -// and |b| both are |len| words long. It runs in constant time. +// bn_less_than_words returns one if `a` < `b` and zero otherwise, where `a` +// and `b` both are `len` words long. It runs in constant time. int bn_less_than_words(const BN_ULONG *a, const BN_ULONG *b, size_t len); -// bn_in_range_words returns one if |min_inclusive| <= |a| < |max_exclusive|, -// where |a| and |max_exclusive| both are |len| words long. |a| and -// |max_exclusive| are treated as secret. +// bn_in_range_words returns one if `min_inclusive` <= `a` < `max_exclusive`, +// where `a` and `max_exclusive` both are `len` words long. `a` and +// `max_exclusive` are treated as secret. int bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive, const BN_ULONG *max_exclusive, size_t len); -// bn_rand_range_words sets |out| to a uniformly distributed random number from -// |min_inclusive| to |max_exclusive|. 
Both |out| and |max_exclusive| are |len| +// bn_rand_range_words sets `out` to a uniformly distributed random number from +// `min_inclusive` to `max_exclusive`. Both `out` and `max_exclusive` are `len` // words long. // -// This function runs in time independent of the result, but |min_inclusive| and -// |max_exclusive| are public data. (Information about the range is unavoidably +// This function runs in time independent of the result, but `min_inclusive` and +// `max_exclusive` are public data. (Information about the range is unavoidably // leaked by how many iterations it took to select a number.) int bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive, const BN_ULONG *max_exclusive, size_t len, const uint8_t additional_data[32]); -// bn_range_secret_range behaves like |BN_rand_range_ex|, but treats -// |max_exclusive| as secret. Because of this constraint, the distribution of +// bn_range_secret_range behaves like `BN_rand_range_ex`, but treats +// `max_exclusive` as secret. Because of this constraint, the distribution of // values returned is more complex. // // Rather than repeatedly generating values until one is in range, which would // leak information, it generates one value. If the value is in range, it sets -// |*out_is_uniform| to one. Otherwise, it sets |*out_is_uniform| to zero, +// `*out_is_uniform` to one. Otherwise, it sets `*out_is_uniform` to zero, // fixing up the value to force it in range. // -// The subset of calls to |bn_rand_secret_range| which set |*out_is_uniform| to +// The subset of calls to `bn_rand_secret_range` which set `*out_is_uniform` to // one are uniformly distributed in the target range. Calls overall are not. // This function is intended for use in situations where the extra values are // still usable and where the number of iterations needed to reach the target // number of uniform outputs may be blinded for negligible probabilities of // timing leaks. 
// -// Although this function treats |max_exclusive| as secret, it treats the number -// of bits in |max_exclusive| as public. +// Although this function treats `max_exclusive` as secret, it treats the number +// of bits in `max_exclusive` as public. int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive, const BIGNUM *max_exclusive); -// BN_MONTGOMERY_MAX_WORDS is the maximum number of words allowed in a |BIGNUM| +// BN_MONTGOMERY_MAX_WORDS is the maximum number of words allowed in a `BIGNUM` // used with Montgomery reduction. Ideally this limit would be applied to all -// |BIGNUM|s, in |bn_wexpand|, but the exactfloat library needs to create 8 MiB +// `BIGNUM`s, in `bn_wexpand`, but the exactfloat library needs to create 8 MiB // values for other operations. // // This limit is set so that one number fits within 2 KiB, giving room to @@ -318,10 +318,10 @@ int bn_rand_secret_range(BIGNUM *r, int *out_is_uniform, BN_ULONG min_inclusive, BSSL_NAMESPACE_END struct bn_mont_ctx_st { - // RR is R^2, reduced modulo |N|. It is used to convert to Montgomery form. It - // is guaranteed to have the same width as |N|. + // RR is R^2, reduced modulo `N`. It is used to convert to Montgomery form. It + // is guaranteed to have the same width as `N`. BIGNUM RR; - // N is the modulus. It is always stored in minimal form, so |N.width| + // N is the modulus. It is always stored in minimal form, so `N.width` // determines R. BIGNUM N; BN_ULONG n0[BN_MONT_CTX_N0_LIMBS]; // least significant words of (R*Ri-1)/N 
@@ -333,23 +333,23 @@ BSSL_NAMESPACE_BEGIN (defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || \ defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) #define OPENSSL_BN_ASM_MONT -// bn_mul_mont_words writes |ap| * |bp| mod |np| to |rp|, each |num| words -// long. Inputs and outputs are in Montgomery form. |n0| is a pointer to the -// corresponding field in |BN_MONT_CTX|. +// bn_mul_mont_words writes `ap` * `bp` mod `np` to `rp`, each `num` words +// long. Inputs and outputs are in Montgomery form. `n0` is a pointer to the +// corresponding field in `BN_MONT_CTX`. // -// If at least one of |ap| or |bp| is fully reduced, |rp| will be fully reduced. +// If at least one of `ap` or `bp` is fully reduced, `rp` will be fully reduced. // If neither is fully-reduced, the output may not be either. // -// This function allocates up to 2 * |num| words (plus a constant allocation) on -// the stack, so |num| should be at most |BN_MONTGOMERY_MAX_WORDS|. -// Additionally, |num| must be at least 128 / |BN_BITS2|. +// This function allocates up to 2 * `num` words (plus a constant allocation) on +// the stack, so `num` should be at most `BN_MONTGOMERY_MAX_WORDS`. +// Additionally, `num` must be at least 128 / `BN_BITS2`. // // TODO(davidben): The x86_64 implementation expects a 32-bit input and masks // off upper bits. The aarch64 implementation expects a 64-bit input and does -// not. |size_t| is the safer option but not strictly correct for x86_64. But -// the |BN_MONTGOMERY_MAX_WORDS| bound makes this moot. +// not. `size_t` is the safer option but not strictly correct for x86_64. But +// the `BN_MONTGOMERY_MAX_WORDS` bound makes this moot. // -// See also discussion in |ToWord| in abi_test.h for notes on smaller-than-word +// See also discussion in `ToWord` in abi_test.h for notes on smaller-than-word // inputs. extern "C" void bn_mul_mont_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, 
@@ -405,8 +405,8 @@ extern "C" void bn_mul_mont_nohw(BN_ULONG *rp, const BN_ULONG *ap, #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) #define OPENSSL_BN_ASM_MONT5 -// The following functions implement |bn_mul_mont_gather5|. See -// |bn_mul_mont_gather5| for details. +// The following functions implement `bn_mul_mont_gather5`. See +// `bn_mul_mont_gather5` for details. inline int bn_mul4x_mont_gather5_capable(int num) { return (num & 7) == 0; } extern "C" void bn_mul4x_mont_gather5(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, const BN_ULONG *np, 
@@ -427,20 +427,20 @@ extern "C" void bn_mul_mont_gather5_nohw( BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, const BN_ULONG *np, const BN_ULONG n0[BN_MONT_CTX_N0_LIMBS], int num, int power); -// bn_scatter5 stores |inp| to index |power| of |table|. |inp| and each entry of -// |table| are |num| words long. |power| must be less than 32 and is treated as -// public. |table| must be 32*|num| words long. |table| must be aligned to at +// bn_scatter5 stores `inp` to index `power` of `table`. `inp` and each entry of +// `table` are `num` words long. `power` must be less than 32 and is treated as +// public. `table` must be 32*`num` words long. `table` must be aligned to at // least 16 bytes. extern "C" void bn_scatter5(const BN_ULONG *inp, size_t num, BN_ULONG *table, size_t power); -// bn_gather5 loads index |power| of |table| and stores it in |out|. |out| and -// each entry of |table| are |num| words long. |power| must be less than 32 and -// is treated as secret. |table| must be aligned to at least 16 bytes. +// bn_gather5 loads index `power` of `table` and stores it in `out`. `out` and +// each entry of `table` are `num` words long. `power` must be less than 32 and +// is treated as secret. `table` must be aligned to at least 16 bytes. extern "C" void bn_gather5(BN_ULONG *out, size_t num, const BN_ULONG *table, size_t power); -// The following functions implement |bn_power5|. See |bn_power5| for details. +// The following functions implement `bn_power5`. See `bn_power5` for details. extern "C" void bn_power5_nohw(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *table, const BN_ULONG *np, const BN_ULONG n0[BN_MONT_CTX_N0_LIMBS], int num, 
@@ -461,10 +461,10 @@ extern "C" void bn_powerx5(BN_ULONG *rp, const BN_ULONG *ap, uint64_t bn_mont_n0(const BIGNUM *n); -// bn_mont_ctx_set_RR_consttime initializes |mont->RR|. It returns one on -// success and zero on error. |mont->N| and |mont->n0| must have been -// initialized already. The bit width of |mont->N| is assumed public, but -// |mont->N| is otherwise treated as secret. +// bn_mont_ctx_set_RR_consttime initializes `mont->RR`. It returns one on +// success and zero on error. `mont->N` and `mont->n0` must have been +// initialized already. The bit width of `mont->N` is assumed public, but +// `mont->N` is otherwise treated as secret. int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx); #if defined(_MSC_VER) 
@@ -485,34 +485,34 @@ int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx); #error "Either BN_ULLONG or BN_UMULT_LOHI must be defined on every platform." #endif -// bn_jacobi returns the Jacobi symbol of |a| and |b| (which is -1, 0 or 1), or +// bn_jacobi returns the Jacobi symbol of `a` and `b` (which is -1, 0 or 1), or // -2 on error. int bn_jacobi(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// bn_is_bit_set_words returns one if bit |bit| is set in |a| and zero +// bn_is_bit_set_words returns one if bit `bit` is set in `a` and zero // otherwise. int bn_is_bit_set_words(const BN_ULONG *a, size_t num, size_t bit); -// bn_one_to_montgomery sets |r| to one in Montgomery form. It returns one on +// bn_one_to_montgomery sets `r` to one in Montgomery form. It returns one on // success and zero on error. This function treats the bit width of the modulus // as public. int bn_one_to_montgomery(BIGNUM *r, const BN_MONT_CTX *mont, BN_CTX *ctx); -// bn_less_than_montgomery_R returns one if |bn| is less than the Montgomery R -// value for |mont| and zero otherwise. +// bn_less_than_montgomery_R returns one if `bn` is less than the Montgomery R +// value for `mont` and zero otherwise. int bn_less_than_montgomery_R(const BIGNUM *bn, const BN_MONT_CTX *mont); -// bn_mod_u16_consttime returns |bn| mod |d|, ignoring |bn|'s sign bit. It runs -// in time independent of the value of |bn|, but it treats |d| as public. +// bn_mod_u16_consttime returns `bn` mod `d`, ignoring `bn`'s sign bit. It runs +// in time independent of the value of `bn`, but it treats `d` as public. OPENSSL_EXPORT uint16_t bn_mod_u16_consttime(const BIGNUM *bn, uint16_t d); -// bn_odd_number_is_obviously_composite returns one if |bn| is divisible by one +// bn_odd_number_is_obviously_composite returns one if `bn` is divisible by one // of the first several odd primes and zero otherwise. 
int bn_odd_number_is_obviously_composite(const BIGNUM *bn); // A BN_MILLER_RABIN stores state common to each Miller-Rabin iteration. It is -// initialized within an existing |BN_CTX| scope and may not be used after -// that scope is released with |BN_CTX_end|. Field names match those in FIPS +// initialized within an existing `BN_CTX` scope and may not be used after +// that scope is released with `BN_CTX_end`. Field names match those in FIPS // 186-5, section B.3.1. typedef struct { // w1 is w-1. 
@@ -529,46 +529,46 @@ typedef struct { int a; } BN_MILLER_RABIN; -// bn_miller_rabin_init initializes |miller_rabin| for testing if |mont->N| is +// bn_miller_rabin_init initializes `miller_rabin` for testing if `mont->N` is // prime. It returns one on success and zero on error. OPENSSL_EXPORT int bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin, const BN_MONT_CTX *mont, BN_CTX *ctx); // bn_miller_rabin_iteration performs one Miller-Rabin iteration, checking if -// |b| is a composite witness for |mont->N|. |miller_rabin| must have been -// initialized with |bn_miller_rabin_setup|. On success, it returns one and sets -// |*out_is_possibly_prime| to one if |mont->N| may still be prime or zero if -// |b| shows it is composite. On allocation or internal failure, it returns +// `b` is a composite witness for `mont->N`. `miller_rabin` must have been +// initialized with `bn_miller_rabin_setup`. On success, it returns one and sets +// `*out_is_possibly_prime` to one if `mont->N` may still be prime or zero if +// `b` shows it is composite. On allocation or internal failure, it returns // zero. OPENSSL_EXPORT int bn_miller_rabin_iteration( const BN_MILLER_RABIN *miller_rabin, int *out_is_possibly_prime, const BIGNUM *b, const BN_MONT_CTX *mont, BN_CTX *ctx); -// bn_rshift1_words sets |r| to |a| >> 1, where both arrays are |num| bits wide. +// bn_rshift1_words sets `r` to `a` >> 1, where both arrays are `num` bits wide. void bn_rshift1_words(BN_ULONG *r, const BN_ULONG *a, size_t num); -// bn_rshift_words sets |r| to |a| >> |shift|, where both arrays are |num| bits +// bn_rshift_words sets `r` to `a` >> `shift`, where both arrays are `num` bits // wide. void bn_rshift_words(BN_ULONG *r, const BN_ULONG *a, unsigned shift, size_t num); -// bn_rshift_secret_shift behaves like |BN_rshift| but runs in time independent -// of both |a| and |n|. +// bn_rshift_secret_shift behaves like `BN_rshift` but runs in time independent +// of both `a` and `n`. 
OPENSSL_EXPORT int bn_rshift_secret_shift(BIGNUM *r, const BIGNUM *a, unsigned n, BN_CTX *ctx); -// bn_reduce_once sets |r| to |a| mod |m| where 0 <= |a| < 2*|m|. It returns -// zero if |a| < |m| and a mask of all ones if |a| >= |m|. Each array is |num| -// words long, but |a| has an additional word specified by |carry|. |carry| must -// be zero or one, as implied by the bounds on |a|. +// bn_reduce_once sets `r` to `a` mod `m` where 0 <= `a` < 2*`m`. It returns +// zero if `a` < `m` and a mask of all ones if `a` >= `m`. Each array is `num` +// words long, but `a` has an additional word specified by `carry`. `carry` must +// be zero or one, as implied by the bounds on `a`. // -// |r|, |a|, and |m| may not alias. Use |bn_reduce_once_in_place| if |r| and |a| +// `r`, `a`, and `m` may not alias. Use `bn_reduce_once_in_place` if `r` and `a` // must alias. BN_ULONG bn_reduce_once(BN_ULONG *r, const BN_ULONG *a, BN_ULONG carry, const BN_ULONG *m, size_t num); -// bn_reduce_once_in_place behaves like |bn_reduce_once| but acts in-place on -// |r|, using |tmp| as scratch space. |r|, |tmp|, and |m| may not alias. +// bn_reduce_once_in_place behaves like `bn_reduce_once` but acts in-place on +// `r`, using `tmp` as scratch space. `r`, `tmp`, and `m` may not alias. BN_ULONG bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m, BN_ULONG *tmp, size_t num); 
@@ -576,64 +576,64 @@ BN_ULONG bn_reduce_once_in_place(BN_ULONG *r, BN_ULONG carry, const BN_ULONG *m, // Constant-time non-modular arithmetic. // // The following functions implement non-modular arithmetic in constant-time -// and pessimally set |r->width| to the largest possible word size. +// and pessimally set `r->width` to the largest possible word size. // // Note this means that, e.g., repeatedly multiplying by one will cause widths // to increase without bound. The corresponding public API functions minimize // their outputs to avoid regressing calculator consumers. -// bn_uadd_consttime behaves like |BN_uadd|, but it pessimally sets -// |r->width| = |a->width| + |b->width| + 1. +// bn_uadd_consttime behaves like `BN_uadd`, but it pessimally sets +// `r->width` = `a->width` + `b->width` + 1. int bn_uadd_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// bn_usub_consttime behaves like |BN_usub|, but it pessimally sets -// |r->width| = |a->width|. +// bn_usub_consttime behaves like `BN_usub`, but it pessimally sets +// `r->width` = `a->width`. int bn_usub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// bn_abs_sub_consttime sets |r| to the absolute value of |a| - |b|, treating +// bn_abs_sub_consttime sets `r` to the absolute value of `a` - `b`, treating // both inputs as secret. It returns one on success and zero on error. OPENSSL_EXPORT int bn_abs_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// bn_mul_consttime behaves like |BN_mul|, but it rejects negative inputs and -// pessimally sets |r->width| to |a->width| + |b->width|, to avoid leaking -// information about |a| and |b|. +// bn_mul_consttime behaves like `BN_mul`, but it rejects negative inputs and +// pessimally sets `r->width` to `a->width` + `b->width`, to avoid leaking +// information about `a` and `b`. 
int bn_mul_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// bn_sqrt_consttime behaves like |BN_sqrt|, but it pessimally sets |r->width| -// to 2*|a->width|, to avoid leaking information about |a| and |b|. +// bn_sqrt_consttime behaves like `BN_sqrt`, but it pessimally sets `r->width` +// to 2*`a->width`, to avoid leaking information about `a` and `b`. int bn_sqr_consttime(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); -// bn_div_consttime behaves like |BN_div|, but it rejects negative inputs and +// bn_div_consttime behaves like `BN_div`, but it rejects negative inputs and // treats both inputs, including their magnitudes, as secret. It is, as a -// result, much slower than |BN_div| and should only be used for rare operations -// where Montgomery reduction is not available. |divisor_min_bits| is a -// public lower bound for |BN_num_bits(divisor)|. When |divisor|'s bit width is +// result, much slower than `BN_div` and should only be used for rare operations +// where Montgomery reduction is not available. `divisor_min_bits` is a +// public lower bound for `BN_num_bits(divisor)`. When `divisor`'s bit width is // public, this can speed up the operation. // -// Note that |quotient->width| will be set pessimally to |numerator->width|. +// Note that `quotient->width` will be set pessimally to `numerator->width`. OPENSSL_EXPORT int bn_div_consttime(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, const BIGNUM *divisor, unsigned divisor_min_bits, BN_CTX *ctx); -// bn_is_relatively_prime checks whether GCD(|x|, |y|) is one. On success, it -// returns one and sets |*out_relatively_prime| to one if the GCD was one and +// bn_is_relatively_prime checks whether GCD(`x`, `y`) is one. On success, it +// returns one and sets `*out_relatively_prime` to one if the GCD was one and // zero otherwise. On error, it returns zero. 
OPENSSL_EXPORT int bn_is_relatively_prime(int *out_relatively_prime, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); -// bn_lcm_consttime sets |r| to LCM(|a|, |b|). It returns one and success and -// zero on error. |a| and |b| are both treated as secret. +// bn_lcm_consttime sets `r` to LCM(`a`, `b`). It returns one and success and +// zero on error. `a` and `b` are both treated as secret. OPENSSL_EXPORT int bn_lcm_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// bn_mont_ctx_init zero-initialies |mont|. +// bn_mont_ctx_init zero-initialies `mont`. void bn_mont_ctx_init(BN_MONT_CTX *mont); -// bn_mont_ctx_cleanup releases memory associated with |mont|, without freeing -// |mont| itself. +// bn_mont_ctx_cleanup releases memory associated with `mont`, without freeing +// `mont` itself. void bn_mont_ctx_cleanup(BN_MONT_CTX *mont); 
@@ -641,65 +641,65 @@ void bn_mont_ctx_cleanup(BN_MONT_CTX *mont); // // The following functions implement basic constant-time modular arithmetic. -// bn_mod_add_words sets |r| to |a| + |b| (mod |m|), using |tmp| as scratch -// space. Each array is |num| words long. |a| and |b| must be < |m|. Any pair of -// |r|, |a|, and |b| may alias. +// bn_mod_add_words sets `r` to `a` + `b` (mod `m`), using `tmp` as scratch +// space. Each array is `num` words long. `a` and `b` must be < `m`. Any pair of +// `r`, `a`, and `b` may alias. void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, const BN_ULONG *m, BN_ULONG *tmp, size_t num); -// bn_mod_add_consttime acts like |BN_mod_add_quick| but takes a |BN_CTX|. +// bn_mod_add_consttime acts like `BN_mod_add_quick` but takes a `BN_CTX`. int bn_mod_add_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -// bn_mod_sub_words sets |r| to |a| - |b| (mod |m|), using |tmp| as scratch -// space. Each array is |num| words long. |a| and |b| must be < |m|. Any pair of -// |r|, |a|, and |b| may alias. +// bn_mod_sub_words sets `r` to `a` - `b` (mod `m`), using `tmp` as scratch +// space. Each array is `num` words long. `a` and `b` must be < `m`. Any pair of +// `r`, `a`, and `b` may alias. void bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, const BN_ULONG *m, BN_ULONG *tmp, size_t num); -// bn_mod_sub_consttime acts like |BN_mod_sub_quick| but takes a |BN_CTX|. +// bn_mod_sub_consttime acts like `BN_mod_sub_quick` but takes a `BN_CTX`. int bn_mod_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -// bn_mod_lshift1_consttime acts like |BN_mod_lshift1_quick| but takes a -// |BN_CTX|. +// bn_mod_lshift1_consttime acts like `BN_mod_lshift1_quick` but takes a +// `BN_CTX`. 
int bn_mod_lshift1_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -// bn_mod_lshift_consttime acts like |BN_mod_lshift_quick| but takes a |BN_CTX|. +// bn_mod_lshift_consttime acts like `BN_mod_lshift_quick` but takes a `BN_CTX`. int bn_mod_lshift_consttime(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx); -// bn_mod_inverse_consttime sets |r| to |a|^-1, mod |n|. |a| must be non- -// negative and less than |n|. It returns one on success and zero on error. On -// failure, if the failure was caused by |a| having no inverse mod |n| then -// |*out_no_inverse| will be set to one; otherwise it will be set to zero. +// bn_mod_inverse_consttime sets `r` to `a`^-1, mod `n`. `a` must be non- +// negative and less than `n`. It returns one on success and zero on error. On +// failure, if the failure was caused by `a` having no inverse mod `n` then +// `*out_no_inverse` will be set to one; otherwise it will be set to zero. // -// This function treats both |a| and |n| as secret, provided they are both non- +// This function treats both `a` and `n` as secret, provided they are both non- // zero and the inverse exists. It should only be used for even moduli where // none of the less general implementations are applicable. OPENSSL_EXPORT int bn_mod_inverse_consttime(BIGNUM *r, int *out_no_inverse, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); -// bn_mod_inverse_prime sets |out| to the modular inverse of |a| modulo |p|, +// bn_mod_inverse_prime sets `out` to the modular inverse of `a` modulo `p`, // computed with Fermat's Little Theorem. It returns one on success and zero on -// error. If |mont_p| is NULL, one will be computed temporarily. +// error. If `mont_p` is NULL, one will be computed temporarily. 
int bn_mod_inverse_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx, const BN_MONT_CTX *mont_p); -// bn_mod_inverse_secret_prime behaves like |bn_mod_inverse_prime| but uses -// |BN_mod_exp_mont_consttime| instead of |BN_mod_exp_mont| in hopes of +// bn_mod_inverse_secret_prime behaves like `bn_mod_inverse_prime` but uses +// `BN_mod_exp_mont_consttime` instead of `BN_mod_exp_mont` in hopes of // protecting the exponent. int bn_mod_inverse_secret_prime(BIGNUM *out, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx, const BN_MONT_CTX *mont_p); -// BN_MONT_CTX_set_locked takes |lock| and checks whether |*pmont| is NULL. If -// so, it creates a new |BN_MONT_CTX| and sets the modulus for it to |mod|. It -// then stores it as |*pmont|. It returns one on success and zero on error. Note -// this function assumes |mod| is public. +// BN_MONT_CTX_set_locked takes `lock` and checks whether `*pmont` is NULL. If +// so, it creates a new `BN_MONT_CTX` and sets the modulus for it to `mod`. It +// then stores it as `*pmont`. It returns one on success and zero on error. Note +// this function assumes `mod` is public. // -// If |*pmont| is already non-NULL then it does nothing and returns one. +// If `*pmont` is already non-NULL then it does nothing and returns one. int BN_MONT_CTX_set_locked(UniquePtr *pmont, Mutex *lock, const BIGNUM *mod, BN_CTX *bn_ctx); 
@@ -720,80 +720,80 @@ int BN_MONT_CTX_set_locked(UniquePtr *pmont, Mutex *lock, #define BN_SMALL_MAX_WORDS 9 #endif -// bn_mul_small sets |r| to |a|*|b|. |num_r| must be |num_a| + |num_b|. |r| may -// not alias with |a| or |b|. +// bn_mul_small sets `r` to `a`*`b`. `num_r` must be `num_a` + `num_b`. `r` may +// not alias with `a` or `b`. void bn_mul_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a, const BN_ULONG *b, size_t num_b); -// bn_sqr_small sets |r| to |a|^2. |num_r| must be |num_a|*2. |r| and |a| may +// bn_sqr_small sets `r` to `a`^2. `num_r` must be `num_a`*2. `r` and `a` may // not alias. void bn_sqr_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a); -// In the following functions, the modulus must be at most |BN_SMALL_MAX_WORDS| +// In the following functions, the modulus must be at most `BN_SMALL_MAX_WORDS` // words long. -// bn_to_montgomery_small sets |r| to |a| translated to the Montgomery domain. -// |r| and |a| are |num| words long, which must be |mont->N.width|. |a| must be -// fully reduced and may alias |r|. +// bn_to_montgomery_small sets `r` to `a` translated to the Montgomery domain. +// `r` and `a` are `num` words long, which must be `mont->N.width`. `a` must be +// fully reduced and may alias `r`. void bn_to_montgomery_small(BN_ULONG *r, const BN_ULONG *a, size_t num, const BN_MONT_CTX *mont); -// bn_from_montgomery_small sets |r| to |a| translated out of the Montgomery -// domain. |r| and |a| are |num_r| and |num_a| words long, respectively. |num_r| -// must be |mont->N.width|. |a| must be at most |mont->N|^2 and may alias |r|. +// bn_from_montgomery_small sets `r` to `a` translated out of the Montgomery +// domain. `r` and `a` are `num_r` and `num_a` words long, respectively. `num_r` +// must be `mont->N.width`. `a` must be at most `mont->N`^2 and may alias `r`. // -// Unlike most of these functions, only |num_r| is bounded by -// |BN_SMALL_MAX_WORDS|. 
|num_a| may exceed it, but must be at most 2 * |num_r|. +// Unlike most of these functions, only `num_r` is bounded by +// `BN_SMALL_MAX_WORDS`. `num_a` may exceed it, but must be at most 2 * `num_r`. void bn_from_montgomery_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, size_t num_a, const BN_MONT_CTX *mont); -// bn_mod_mul_montgomery_small sets |r| to |a| * |b| mod |mont->N|. Both inputs -// and outputs are in the Montgomery domain. Each array is |num| words long, -// which must be |mont->N.width|. Any two of |r|, |a|, and |b| may alias. |a| -// and |b| must be reduced on input. +// bn_mod_mul_montgomery_small sets `r` to `a` * `b` mod `mont->N`. Both inputs +// and outputs are in the Montgomery domain. Each array is `num` words long, +// which must be `mont->N.width`. Any two of `r`, `a`, and `b` may alias. `a` +// and `b` must be reduced on input. void bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, size_t num, const BN_MONT_CTX *mont); -// bn_mod_exp_mont_small sets |r| to |a|^|p| mod |mont->N|. It returns one on +// bn_mod_exp_mont_small sets `r` to `a`^`p` mod `mont->N`. It returns one on // success and zero on programmer or internal error. Both inputs and outputs are -// in the Montgomery domain. |r| and |a| are |num| words long, which must be -// |mont->N.width| and at most |BN_SMALL_MAX_WORDS|. |num_p|, measured in bits, -// must fit in |size_t|. |a| must be fully-reduced. This function runs in time -// independent of |a|, but |p| and |mont->N| are public values. |a| must be -// fully-reduced and may alias with |r|. +// in the Montgomery domain. `r` and `a` are `num` words long, which must be +// `mont->N.width` and at most `BN_SMALL_MAX_WORDS`. `num_p`, measured in bits, +// must fit in `size_t`. `a` must be fully-reduced. This function runs in time +// independent of `a`, but `p` and `mont->N` are public values. `a` must be +// fully-reduced and may alias with `r`. 
// -// Note this function differs from |BN_mod_exp_mont| which uses Montgomery +// Note this function differs from `BN_mod_exp_mont` which uses Montgomery // reduction but takes input and output outside the Montgomery domain. Combine -// this function with |bn_from_montgomery_small| and |bn_to_montgomery_small| +// this function with `bn_from_montgomery_small` and `bn_to_montgomery_small` // if necessary. void bn_mod_exp_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, const BN_ULONG *p, size_t num_p, const BN_MONT_CTX *mont); -// bn_mod_inverse0_prime_mont_small sets |r| to |a|^-1 mod |mont->N|. If |a| is -// zero, |r| is set to zero. |mont->N| must be a prime. |r| and |a| are |num| -// words long, which must be |mont->N.width| and at most |BN_SMALL_MAX_WORDS|. -// |a| must be fully-reduced and may alias |r|. This function runs in time -// independent of |a|, but |mont->N| is a public value. +// bn_mod_inverse0_prime_mont_small sets `r` to `a`^-1 mod `mont->N`. If `a` is +// zero, `r` is set to zero. `mont->N` must be a prime. `r` and `a` are `num` +// words long, which must be `mont->N.width` and at most `BN_SMALL_MAX_WORDS`. +// `a` must be fully-reduced and may alias `r`. This function runs in time +// independent of `a`, but `mont->N` is a public value. void bn_mod_inverse0_prime_mont_small(BN_ULONG *r, const BN_ULONG *a, size_t num, const BN_MONT_CTX *mont); // Word-based byte conversion functions. -// bn_big_endian_to_words interprets |in_len| bytes from |in| as a big-endian, -// unsigned integer and writes the result to |out_len| words in |out|. |out_len| -// must be large enough to represent any |in_len|-byte value. That is, |in_len| -// must be at most |BN_BYTES * out_len|. +// bn_big_endian_to_words interprets `in_len` bytes from `in` as a big-endian, +// unsigned integer and writes the result to `out_len` words in `out`. `out_len` +// must be large enough to represent any `in_len`-byte value. 
That is, `in_len` +// must be at most `BN_BYTES * out_len`. void bn_big_endian_to_words(BN_ULONG *out, size_t out_len, const uint8_t *in, size_t in_len); -// bn_words_to_big_endian represents |in_len| words from |in| as a big-endian, -// unsigned integer in |out_len| bytes. It writes the result to |out|. |out_len| -// must be large enough to represent |in| without truncation. +// bn_words_to_big_endian represents `in_len` words from `in` as a big-endian, +// unsigned integer in `out_len` bytes. It writes the result to `out`. `out_len` +// must be large enough to represent `in` without truncation. // -// Note |out_len| may be less than |BN_BYTES * in_len| if |in| is known to have +// Note `out_len` may be less than `BN_BYTES * in_len` if `in` is known to have // leading zeros. void bn_words_to_big_endian(uint8_t *out, size_t out_len, const BN_ULONG *in, size_t in_len); diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery.cc.inc index 4bc6247c..4be4ecf7 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery.cc.inc @@ -95,7 +95,7 @@ static int bn_mont_ctx_set_N_and_n0(BN_MONT_CTX *mont, const BIGNUM *mod) { OPENSSL_PUT_ERROR(BN, ERR_R_INTERNAL_ERROR); return 0; } - // |mont->N| is always stored minimally. Computing RR efficiently leaks the + // `mont->N` is always stored minimally. Computing RR efficiently leaks the // size of the modulus. While the modulus may be private in RSA (one of the // primes), their sizes are public, so this is fine. bn_set_minimal_width(&mont->N); 
@@ -103,8 +103,8 @@ static int bn_mont_ctx_set_N_and_n0(BN_MONT_CTX *mont, const BIGNUM *mod) { // Find n0 such that n0 * N == -1 (mod r). // // Only certain BN_BITS2<=32 platforms actually make use of n0[1]. For the - // others, we could use a shorter R value and use faster |BN_ULONG|-based - // math instead of |uint64_t|-based math, which would be double-precision. + // others, we could use a shorter R value and use faster `BN_ULONG`-based + // math instead of `uint64_t`-based math, which would be double-precision. // However, currently only the assembler files know which is which. static_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2, "BN_MONT_CTX_N0_LIMBS value is invalid"); @@ -134,9 +134,9 @@ int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { // Save RR = R**2 (mod N). R is the smallest power of 2**BN_BITS2 such that R // > mod. Even though the assembly on some 32-bit platforms works with 64-bit - // values, using |BN_BITS2| here, rather than |BN_MONT_CTX_N0_LIMBS * - // BN_BITS2|, is correct because R**2 will still be a multiple of the latter - // as |BN_MONT_CTX_N0_LIMBS| is either one or two. + // values, using `BN_BITS2` here, rather than + // `BN_MONT_CTX_N0_LIMBS * BN_BITS2`, is correct because R**2 will still be a + // multiple of the latter as `BN_MONT_CTX_N0_LIMBS` is either one or two. unsigned lgBigR = mont->N.width * BN_BITS2; BN_zero(&mont->RR); int ok = BN_set_bit(&mont->RR, lgBigR * 2) && 
@@ -196,9 +196,9 @@ static int bn_from_montgomery_in_place(BN_ULONG *r, size_t num_r, BN_ULONG *a, return 0; } - // Add multiples of |n| to |r| until R = 2^(nl * BN_BITS2) divides it. On - // input, we had |r| < |n| * R, so now |r| < 2 * |n| * R. Note that |r| - // includes |carry| which is stored separately. + // Add multiples of `n` to `r` until R = 2^(nl * BN_BITS2) divides it. On + // input, we had `r` < `n` * R, so now `r` < 2 * `n` * R. Note that `r` + // includes `carry` which is stored separately. BN_ULONG n0 = mont->n0[0]; BN_ULONG carry = 0; for (size_t i = 0; i < num_n; i++) { @@ -206,11 +206,11 @@ static int bn_from_montgomery_in_place(BN_ULONG *r, size_t num_r, BN_ULONG *a, a[i + num_n] = CRYPTO_addc_w(a[i + num_n], v, carry, &carry); } - // Shift |num_n| words to divide by R. We have |a| < 2 * |n|. Note that |a| - // includes |carry| which is stored separately. + // Shift `num_n` words to divide by R. We have `a` < 2 * `n`. Note that `a` + // includes `carry` which is stored separately. a += num_n; - // |a| thus requires at most one additional subtraction |n| to be reduced. + // `a` thus requires at most one additional subtraction `n` to be reduced. bn_reduce_once(r, a, carry, n, num_n); return 1; } @@ -251,8 +251,8 @@ int BN_from_montgomery(BIGNUM *r, const BIGNUM *a, const BN_MONT_CTX *mont, int bssl::bn_one_to_montgomery(BIGNUM *r, const BN_MONT_CTX *mont, BN_CTX *ctx) { - // If the high bit of |n| is set, R = 2^(width*BN_BITS2) < 2 * |n|, so we - // compute R - |n| rather than perform Montgomery reduction. + // If the high bit of `n` is set, R = 2^(width*BN_BITS2) < 2 * `n`, so we + // compute R - `n` rather than perform Montgomery reduction. const BIGNUM *n = &mont->N; if (n->width > 0 && (n->d[n->width - 1] >> (BN_BITS2 - 1)) != 0) { if (!bn_wexpand(r, n->width)) { 
@@ -306,14 +306,14 @@ int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, } #if defined(OPENSSL_BN_ASM_MONT) - // |bn_mul_mont_words| requires at least 128 bits of limbs. + // `bn_mul_mont_words` requires at least 128 bits of limbs. int num = mont->N.width; if (num >= (128 / BN_BITS2) && a->width == num && b->width == num) { if (!bn_wexpand(r, num)) { return 0; } - // This bound is implied by |bn_mont_ctx_set_N_and_n0|. |bn_mul_mont_words| - // allocates |num| words on the stack, so |num| cannot be too large. + // This bound is implied by `bn_mont_ctx_set_N_and_n0`. `bn_mul_mont_words` + // allocates `num` words on the stack, so `num` cannot be too large. assert((size_t)num <= BN_MONTGOMERY_MAX_WORDS); bn_mul_mont_words(r->d, a->d, b->d, mont->N.d, mont->n0, num); r->neg = 0; @@ -357,7 +357,7 @@ void bssl::bn_mod_mul_montgomery_small(BN_ULONG *r, const BN_ULONG *a, } #if defined(OPENSSL_BN_ASM_MONT) - // |bn_mul_mont_words| requires at least 128 bits of limbs. + // `bn_mul_mont_words` requires at least 128 bits of limbs. if (num >= (128 / BN_BITS2)) { bn_mul_mont_words(r, a, b, mont->N.d, mont->n0, num); return; diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery_inv.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery_inv.cc.inc index e4ee0896..3089f034 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery_inv.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/montgomery_inv.cc.inc 
@@ -30,30 +30,30 @@ static_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t), "uint64_t is insufficient precision for n0"); uint64_t bssl::bn_mont_n0(const BIGNUM *n) { - // These conditions are checked by the caller, |BN_MONT_CTX_set| or - // |BN_MONT_CTX_new_consttime|. + // These conditions are checked by the caller, `BN_MONT_CTX_set` or + // `BN_MONT_CTX_new_consttime`. assert(!BN_is_zero(n)); assert(!BN_is_negative(n)); assert(BN_is_odd(n)); // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) ensures that we can do integer - // division by |r| by simply ignoring |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, - // we can calculate values modulo |r| by just looking at the lowest - // |BN_MONT_CTX_N0_LIMBS| limbs. This is what makes Montgomery multiplication + // division by `r` by simply ignoring `BN_MONT_CTX_N0_LIMBS` limbs. Similarly, + // we can calculate values modulo `r` by just looking at the lowest + // `BN_MONT_CTX_N0_LIMBS` limbs. This is what makes Montgomery multiplication // efficient. // // As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography // with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a - // multi-limb Montgomery multiplication of |a * b (mod n)|, given the - // unreduced product |t == a * b|, we repeatedly calculate: + // multi-limb Montgomery multiplication of `a * b (mod n)`, given the + // unreduced product `t == a * b`, we repeatedly calculate: // - // t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph). + // t1 := t % r `t1` is `t`'s lowest limb (see previous paragraph). // t2 := t1*n0*n // t3 := t + t2 - // t := t3 / r copy all limbs of |t3| except the lowest to |t|. + // t := t3 / r copy all limbs of `t3` except the lowest to `t`. // // In the last step, it would only make sense to ignore the lowest limb of - // |t3| if it were zero. The middle steps ensure that this is the case: + // `t3` if it were zero. 
The middle steps ensure that this is the case: // // t3 == 0 (mod r) // t + t2 == 0 (mod r) @@ -64,10 +64,10 @@ uint64_t bssl::bn_mont_n0(const BIGNUM *n) { // n0 == -1/n (mod r) // // Thus, in each iteration of the loop, we multiply by the constant factor - // |n0|, the negative inverse of n (mod r). + // `n0`, the negative inverse of n (mod r). // n_mod_r = n % r. As explained above, this is done by taking the lowest - // |BN_MONT_CTX_N0_LIMBS| limbs of |n|. + // `BN_MONT_CTX_N0_LIMBS` limbs of `n`. uint64_t n_mod_r = n->d[0]; #if BN_MONT_CTX_N0_LIMBS == 2 if (n->width > 1) { @@ -80,7 +80,7 @@ uint64_t bssl::bn_mont_n0(const BIGNUM *n) { return bn_neg_inv_mod_u64(n_mod_r); } -// bn_neg_inv_mod_u64 calculates -1/n mod 2^64. |n| must be odd. +// bn_neg_inv_mod_u64 calculates -1/n mod 2^64. `n` must be odd. static uint64_t bn_neg_inv_mod_u64(uint64_t n) { // This is a modified version of the technique described in // https://crypto.stackexchange.com/a/47496 and diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/mul.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/mul.cc.inc index 82746ad1..3b3951f5 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/mul.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/mul.cc.inc 
@@ -68,12 +68,12 @@ static void bn_mul_normal(BN_ULONG *r, const BN_ULONG *a, size_t na, } // bn_sub_part_words sets |r| to |a| - |b|. It returns the borrow bit, which is -// one if the operation underflowed and zero otherwise. |cl| is the common -// length, that is, the shorter of len(a) or len(b). |dl| is the delta length, +// one if the operation underflowed and zero otherwise. `cl` is the common +// length, that is, the shorter of len(a) or len(b). `dl` is the delta length, // that is, len(a) - len(b). |r|'s length matches the larger of |a| and |b|, or // cl + abs(dl). // -// TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention +// TODO(davidben): Make this take `size_t`. The `cl` + `dl` calling convention // is confusing. static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int cl, int dl) { @@ -88,15 +88,15 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, b += cl; if (dl < 0) { - // |a| is shorter than |b|. Complete the subtraction as if the excess words - // in |a| were zeros. + // `a` is shorter than `b`. Complete the subtraction as if the excess words + // in `a` were zeros. dl = -dl; for (int i = 0; i < dl; i++) { r[i] = CRYPTO_subc_w(0, b[i], borrow, &borrow); } } else { - // |b| is shorter than |a|. Complete the subtraction as if the excess words - // in |b| were zeros. + // `b` is shorter than `a`. Complete the subtraction as if the excess words + // in `b` were zeros. for (int i = 0; i < dl; i++) { r[i] = CRYPTO_subc_w(a[i], 0, borrow, &borrow); } 
@@ -107,10 +107,10 @@ static BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, // bn_abs_sub_part_words computes |r| = |a| - |b|, storing the absolute value // and returning a mask of all ones if the result was negative and all zeros if -// the result was positive. |cl| and |dl| follow the |bn_sub_part_words| calling +// the result was positive. `cl` and `dl` follow the `bn_sub_part_words` calling // convention. // -// TODO(davidben): Make this take |size_t|. The |cl| + |dl| calling convention +// TODO(davidben): Make this take `size_t`. The `cl` + `dl` calling convention // is confusing. // // TODO(davidben): This function used to be used as part of a general Karatsuba @@ -144,8 +144,8 @@ int bssl::bn_abs_sub_consttime(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, return 1; } -// bn_mul_impl implements |BN_mul| and |bn_mul_consttime|. Note this function -// breaks |BIGNUM| invariants and may return a negative zero. This is handled by +// bn_mul_impl implements `BN_mul` and `bn_mul_consttime`. Note this function +// breaks `BIGNUM` invariants and may return a negative zero. This is handled by // the callers. static int bn_mul_impl(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { @@ -200,7 +200,7 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { return 0; } - // This additionally fixes any negative zeros created by |bn_mul_impl|. + // This additionally fixes any negative zeros created by `bn_mul_impl`. bn_set_minimal_width(r); return 1; } @@ -221,7 +221,7 @@ void bssl::bn_mul_small(BN_ULONG *r, size_t num_r, const BN_ULONG *a, if (num_r != num_a + num_b) { abort(); } - // TODO(davidben): Should this call |bn_mul_comba4| too? |BN_mul| does not + // TODO(davidben): Should this call `bn_mul_comba4` too? `BN_mul` does not // hit that code. if (num_a == 8 && num_b == 8) { bn_mul_comba8(r, a, b); 
@@ -255,10 +255,10 @@ static void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, size_t n) { } } - // The final result fits in |max| words, so none of the following operations + // The final result fits in `max` words, so none of the following operations // will overflow. - // Double |r|, giving the contribution of a[i] * a[j] for all i != j. + // Double `r`, giving the contribution of a[i] * a[j] for all i != j. bn_add_words(r, r, r, max); // Add in the contribution of a[i] * a[i] for all i. diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/prime.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/prime.cc.inc index 14eac475..3e94d30a 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/prime.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/prime.cc.inc @@ -204,9 +204,9 @@ static size_t num_trial_division_primes(const BIGNUM *n) { } // BN_PRIME_CHECKS_BLINDED is the iteration count for blinding the constant-time -// primality test. See |BN_primality_test| for details. This number is selected -// so that, for a candidate N-bit RSA prime, picking |BN_PRIME_CHECKS_BLINDED| -// random N-bit numbers will have at least |BN_prime_checks_for_size(N)| values +// primality test. See `BN_primality_test` for details. This number is selected +// so that, for a candidate N-bit RSA prime, picking `BN_PRIME_CHECKS_BLINDED` +// random N-bit numbers will have at least `BN_prime_checks_for_size(N)` values // in range with high probability. // // The following Python script computes the blinding factor needed for the @@ -231,8 +231,8 @@ def choose(a, b): return r def failure_rate(min_uniform, iterations): - """ Returns the probability that, for |iterations| candidate witnesses, fewer - than |min_uniform| of them will be uniform. """ + """ Returns the probability that, for `iterations` candidate witnesses, fewer + than `min_uniform` of them will be uniform. """ prob = 0.0 for i in xrange(min_uniform): prob += (choose(iterations, i) * 
@@ -353,8 +353,8 @@ loop: return 0; } - // Interleave |ret| and |t|'s primality tests to avoid paying the full - // iteration count on |ret| only to quickly discover |t| is composite. + // Interleave `ret` and `t`'s primality tests to avoid paying the full + // iteration count on `ret` only to quickly discover `t` is composite. // // TODO(davidben): This doesn't quite work because an iteration count of 1 // still runs the blinding mechanism. @@ -387,7 +387,7 @@ loop: static int bn_trial_division(uint16_t *out, const BIGNUM *bn) { const size_t num_primes = num_trial_division_primes(bn); for (size_t i = 1; i < num_primes; i++) { - // During RSA key generation, |bn| may be secret, but only if |bn| was + // During RSA key generation, `bn` may be secret, but only if `bn` was // prime, so it is safe to leak failed trial divisions. if (constant_time_declassify_int(bn_mod_u16_consttime(bn, kPrimes[i]) == 0)) { @@ -407,7 +407,7 @@ int bssl::bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin, const BN_MONT_CTX *mont, BN_CTX *ctx) { // This function corresponds to steps 1 through 3 of FIPS 186-5, B.3.1. const BIGNUM *w = &mont->N; - // Note we do not call |BN_CTX_start| in this function. We intentionally + // Note we do not call `BN_CTX_start` in this function. We intentionally // allocate values in the containing scope so they outlive this function. miller_rabin->w1 = BN_CTX_get(ctx); miller_rabin->m = BN_CTX_get(ctx); @@ -434,7 +434,7 @@ int bssl::bn_miller_rabin_init(BN_MILLER_RABIN *miller_rabin, // Precompute some values in Montgomery form. if (!bn_one_to_montgomery(miller_rabin->one_mont, mont, ctx) || // w - 1 is -1 mod w, so we can compute it in the Montgomery domain, -R, - // with a subtraction. (|one_mont| cannot be zero.) + // with a subtraction. (`one_mont` cannot be zero.) !bn_usub_consttime(miller_rabin->w1_mont, w, miller_rabin->one_mont)) { return 0; } 
@@ -459,8 +459,8 @@ int bssl::bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin, return 0; } - // is_possibly_prime is all ones if we have determined |b| is not a composite - // witness for |w|. This is equivalent to going to step 4.7 in the original + // is_possibly_prime is all ones if we have determined `b` is not a composite + // witness for `w`. This is equivalent to going to step 4.7 in the original // algorithm. To avoid timing leaks, we run the algorithm to the end for prime // inputs. is_possibly_prime = 0; @@ -473,8 +473,8 @@ int bssl::bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin, // Step 4.5. // - // To avoid leaking |a|, we run the loop to |w_bits| and mask off all - // iterations once |j| = |a|. + // To avoid leaking `a`, we run the loop to `w_bits` and mask off all + // iterations once `j` = `a`. for (int j = 1; j < miller_rabin->w_bits; j++) { if (constant_time_declassify_w(constant_time_eq_int(j, miller_rabin->a) & ~is_possibly_prime)) { @@ -492,7 +492,7 @@ int bssl::bn_miller_rabin_iteration(const BN_MILLER_RABIN *miller_rabin, // witness. crypto_word_t z_is_w1_mont = BN_equal_consttime(z, miller_rabin->w1_mont); z_is_w1_mont = 0 - z_is_w1_mont; // Make it all zeros or all ones. - is_possibly_prime |= z_is_w1_mont; // Go to step 4.7 if |z_is_w1_mont|. + is_possibly_prime |= z_is_w1_mont; // Go to step 4.7 if `z_is_w1_mont`. // Step 4.5.3. If z = 1 and the loop is not done, the previous value of z // was not -1. There are no non-trivial square roots of 1 modulo a prime, so 
@@ -514,20 +514,20 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks, // generation. We generate RSA keys by selecting two large, secret primes with // rejection sampling. // - // We thus treat |w| as secret if turns out to be a large prime. However, if - // |w| is composite, we treat this and |w| itself as public. (Conversely, if - // |w| is prime, that it is prime is public. Only the value is secret.) This + // We thus treat `w` as secret if turns out to be a large prime. However, if + // `w` is composite, we treat this and `w` itself as public. (Conversely, if + // `w` is prime, that it is prime is public. Only the value is secret.) This // is fine for RSA key generation, but note it is important that we use // rejection sampling, with each candidate prime chosen independently. This // would not work for, e.g., an algorithm which looked for primes in // consecutive integers. These assumptions allow us to discard composites - // quickly. We additionally treat |w| as public when it is a small prime to + // quickly. We additionally treat `w` as public when it is a small prime to // simplify trial decryption and some edge cases. // // One RSA key generation will call this function on exactly two primes and // many more composites. The overall cost is a combination of several factors: // - // 1. Checking if |w| is divisible by a small prime is much faster than + // 1. Checking if `w` is divisible by a small prime is much faster than // learning it is composite by Miller-Rabin (see below for details on that // cost). Trial division by p saves 1/p of Miller-Rabin calls, so this is // worthwhile until p exceeds the ratio of the two costs. 
@@ -538,11 +538,11 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks, // trial decryption, in practice, cost one Miller-Rabin iteration. Only the // two actual primes cost the full iteration count. // - // 3. A Miller-Rabin iteration is a modular exponentiation plus |a| additional - // modular squares, where |a| is the number of factors of two in |w-1|. |a| + // 3. A Miller-Rabin iteration is a modular exponentiation plus `a` additional + // modular squares, where `a` is the number of factors of two in `w-1`. `a` // is likely small (the distribution falls exponentially), but it is also - // potentially secret, so we loop up to its log(w) upper bound when |w| is - // prime. When |w| is composite, we break early, so only two calls pay this + // potentially secret, so we loop up to its log(w) upper bound when `w` is + // prime. When `w` is composite, we break early, so only two calls pay this // cost. (Note that all calls pay the modular exponentiation which is, // itself, log(w) modular multiplications and squares.) // 
@@ -610,14 +610,14 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks, // The following loop performs in inner iteration of the Miller-Rabin // Primality test (Step 4). // - // The algorithm as specified in FIPS 186-5 leaks information on |w|, the RSA + // The algorithm as specified in FIPS 186-5 leaks information on `w`, the RSA // private key. Instead, we run through each iteration unconditionally, // performing modular multiplications, masking off any effects to behave // equivalently to the specified algorithm. // - // We also blind the number of values of |b| we try. Steps 4.1–4.2 say to - // discard out-of-range values. To avoid leaking information on |w|, we use - // |bn_rand_secret_range| which, rather than discarding bad values, adjusts + // We also blind the number of values of `b` we try. Steps 4.1–4.2 say to + // discard out-of-range values. To avoid leaking information on `w`, we use + // `bn_rand_secret_range` which, rather than discarding bad values, adjusts // them to be in range. Though not uniformly selected, these adjusted values // are still usable as Miller-Rabin checks. // 
@@ -628,14 +628,14 @@ int BN_primality_test(int *out_is_probably_prime, const BIGNUM *w, int checks, // function is more complex and has more timing risk than necessary. // // We count both total iterations and uniform ones and iterate until we've - // reached at least |BN_PRIME_CHECKS_BLINDED| and |iterations|, respectively. + // reached at least `BN_PRIME_CHECKS_BLINDED` and `iterations`, respectively. // If the latter is large enough, it will be the limiting factor with high // probability and we won't leak information. // // Note this blinding does not impact most calls when picking primes because // composites are rejected early. Only the two secret primes see extra work. - // Using |constant_time_lt_w| seems to prevent the compiler from optimizing + // Using `constant_time_lt_w` seems to prevent the compiler from optimizing // this into two jumps. for (int i = 1; constant_time_declassify_w( (i <= BN_PRIME_CHECKS_BLINDED) | diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/random.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/random.cc.inc index 591cb8fa..1dbe27bd 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/random.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/random.cc.inc @@ -94,7 +94,7 @@ int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom) { } // bn_less_than_word_mask returns a mask of all ones if the number represented -// by |len| words at |a| is less than |b| and zero otherwise. It performs this +// by `len` words at |a| is less than |b| and zero otherwise. It performs this // computation in time independent of the value of |a|. |b| is assumed public. static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len, BN_ULONG b) { 
@@ -112,7 +112,7 @@ static crypto_word_t bn_less_than_word_mask(const BN_ULONG *a, size_t len, for (size_t i = 1; i < len; i++) { mask |= a[i]; } - // |mask| is now zero iff a[1..len-1] are all zero. + // `mask` is now zero iff a[1..len-1] are all zero. mask = constant_time_is_zero_w(mask); mask &= constant_time_lt_w(a[0], b); return mask; @@ -127,7 +127,7 @@ int bssl::bn_in_range_words(const BN_ULONG *a, BN_ULONG min_inclusive, static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask, size_t min_inclusive, const BN_ULONG *max_exclusive, size_t len) { - // The magnitude of |max_exclusive| is assumed public. + // The magnitude of `max_exclusive` is assumed public. size_t words = len; while (words > 0 && max_exclusive[words - 1] == 0) { words--; @@ -137,7 +137,7 @@ static int bn_range_to_mask(size_t *out_words, BN_ULONG *out_mask, return 0; } BN_ULONG mask = max_exclusive[words - 1]; - // This sets all bits in |mask| below the most significant bit. + // This sets all bits in `mask` below the most significant bit. mask |= mask >> 1; mask |= mask >> 2; mask |= mask >> 4; @@ -157,10 +157,10 @@ int bssl::bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive, const uint8_t additional_data[32]) { // This function implements the equivalent of steps 1 through 4 of FIPS 186-5 // appendices A.2.2 and A.3.2, repeating the process on failure. When called - // in those contexts, |max_exclusive| is n and |min_inclusive| is one. + // in those contexts, `max_exclusive` is n and `min_inclusive` is one. - // Compute the bit length of |max_exclusive| (step 1), in terms of a number of - // |words| worth of entropy to fill and a mask of bits to clear in the top + // Compute the bit length of `max_exclusive` (step 1), in terms of a number of + // `words` worth of entropy to fill and a mask of bits to clear in the top // word. size_t words; BN_ULONG mask; 
@@ -178,8 +178,8 @@ int bssl::bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive, return 0; } - // Use |words| and |mask| together to obtain a string of N bits, where N is - // the bit length of |max_exclusive|. + // Use `words` and `mask` together to obtain a string of N bits, where N is + // the bit length of `max_exclusive`. FIPS_service_indicator_lock_state(); BCM_rand_bytes_with_additional_data( (uint8_t *)out, words * sizeof(BN_ULONG), additional_data); @@ -190,7 +190,7 @@ int bssl::bn_rand_range_words(BN_ULONG *out, BN_ULONG min_inclusive, // comparison may be treated as public. It only reveals how many attempts // were needed before we found a value in range. This is independent of the // final secret output, and has a distribution that depends only on - // |min_inclusive| and |max_exclusive|, both of which are public. + // `min_inclusive` and `max_exclusive`, both of which are public. } while (!constant_time_declassify_int( bn_in_range_words(out, min_inclusive, max_exclusive, words))); return 1; diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.cc.inc index 105daae3..f81dccb7 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.cc.inc @@ -52,7 +52,7 @@ void bssl::RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], assert((uintptr_t)storage % 64 == 0); BN_ULONG *a_inv, *m, *result, *table_s = storage + 40 * 3, *R2 = table_s; - // Note |R2| aliases |table_s|. + // Note `R2` aliases `table_s`. if (((((uintptr_t)storage & 4095) + 320) >> 12) != 0) { result = storage; a_inv = storage + 40; 
@@ -67,7 +67,7 @@ void bssl::RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], rsaz_1024_norm2red_avx2(a_inv, base_norm); rsaz_1024_norm2red_avx2(R2, RR); - // Convert |R2| from the usual radix, giving R = 2^1024, to RSAZ's radix, + // Convert `R2` from the usual radix, giving R = 2^1024, to RSAZ's radix, // giving R = 2^(36*29) = 2^1044. rsaz_1024_mul_avx2(R2, R2, R2, m, k0); // R2 = 2^2048 * 2^2048 / 2^1044 = 2^3052 @@ -119,7 +119,7 @@ void bssl::RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], wvalue = (wvalue >> (index % 8)) & 31; index -= 5; - rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); // Borrow |a_inv|. + rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); // Borrow `a_inv`. rsaz_1024_mul_avx2(result, result, a_inv, m, k0); } @@ -128,7 +128,7 @@ void bssl::RSAZ_1024_mod_exp_avx2(BN_ULONG result_norm[16], wvalue = p_str[0] & 15; - rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); // Borrow |a_inv|. + rsaz_1024_gather5_avx2(a_inv, table_s, wvalue); // Borrow `a_inv`. rsaz_1024_mul_avx2(result, result, a_inv, m, k0); // Convert from Montgomery. diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.h b/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.h index 9bd3cb9a..26df52a3 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.h +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/rsaz_exp.h 
@@ -31,11 +31,11 @@ BSSL_NAMESPACE_BEGIN #if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) #define RSAZ_ENABLED -// RSAZ_1024_mod_exp_avx2 sets |result| to |base_norm| raised to |exponent| -// modulo |m_norm|. |base_norm| must be fully-reduced and |exponent| must have -// the high bit set (it is 1024 bits wide). |RR| and |k0| must be |RR| and |n0|, -// respectively, extracted from |m_norm|'s |BN_MONT_CTX|. |storage_words| is a -// temporary buffer that must be aligned to |MOD_EXP_CTIME_ALIGN| bytes. +// RSAZ_1024_mod_exp_avx2 sets `result` to `base_norm` raised to `exponent` +// modulo `m_norm`. `base_norm` must be fully-reduced and `exponent` must have +// the high bit set (it is 1024 bits wide). `RR` and `k0` must be `RR` and `n0`, +// respectively, extracted from `m_norm`'s `BN_MONT_CTX`. `storage_words` is a +// temporary buffer that must be aligned to `MOD_EXP_CTIME_ALIGN` bytes. void RSAZ_1024_mod_exp_avx2(BN_ULONG result[16], const BN_ULONG base_norm[16], const BN_ULONG exponent[16], const BN_ULONG m_norm[16], const BN_ULONG RR[16], 
@@ -62,43 +62,43 @@ inline int rsaz_avx2_preferred() { // // See crypto/bn/asm/rsaz-avx2.pl for further details. -// rsaz_1024_norm2red_avx2 converts |norm| from |BIGNUM| to RSAZ representation -// and writes the result to |red|. +// rsaz_1024_norm2red_avx2 converts `norm` from `BIGNUM` to RSAZ representation +// and writes the result to `red`. extern "C" void rsaz_1024_norm2red_avx2(BN_ULONG red[40], const BN_ULONG norm[16]); -// rsaz_1024_mul_avx2 computes |a| * |b| mod |n| and writes the result to |ret|. -// Inputs and outputs are in Montgomery form, using RSAZ's representation. |k| -// is -|n|^-1 mod 2^64 or |n0| from |BN_MONT_CTX|. +// rsaz_1024_mul_avx2 computes `a` * `b` mod `n` and writes the result to `ret`. +// Inputs and outputs are in Montgomery form, using RSAZ's representation. `k` +// is -`n`^-1 mod 2^64 or `n0` from `BN_MONT_CTX`. extern "C" void rsaz_1024_mul_avx2(BN_ULONG ret[40], const BN_ULONG a[40], const BN_ULONG b[40], const BN_ULONG n[40], BN_ULONG k); -// rsaz_1024_mul_avx2 computes |a|^(2*|count|) mod |n| and writes the result to -// |ret|. Inputs and outputs are in Montgomery form, using RSAZ's -// representation. |k| is -|n|^-1 mod 2^64 or |n0| from |BN_MONT_CTX|. +// rsaz_1024_mul_avx2 computes `a`^(2*`count`) mod `n` and writes the result to +// `ret`. Inputs and outputs are in Montgomery form, using RSAZ's +// representation. `k` is -`n`^-1 mod 2^64 or `n0` from `BN_MONT_CTX`. extern "C" void rsaz_1024_sqr_avx2(BN_ULONG ret[40], const BN_ULONG a[40], const BN_ULONG n[40], BN_ULONG k, int count); -// rsaz_1024_scatter5_avx2 stores |val| at index |i| of |tbl|. |i| must be +// rsaz_1024_scatter5_avx2 stores `val` at index `i` of `tbl`. `i` must be // positive and at most 31. It is treated as public. Note the table only uses 18 -// |BN_ULONG|s per entry instead of 40. It packs two 29-bit limbs into each -// |BN_ULONG| and only stores 36 limbs rather than the padded 40. +// `BN_ULONG`s per entry instead of 40. 
It packs two 29-bit limbs into each +// `BN_ULONG` and only stores 36 limbs rather than the padded 40. extern "C" void rsaz_1024_scatter5_avx2(BN_ULONG tbl[32 * 18], const BN_ULONG val[40], int i); -// rsaz_1024_gather5_avx2 loads index |i| of |tbl| and writes it to |val|. |i| -// must be positive and at most 31. It is treated as secret. |tbl| must be +// rsaz_1024_gather5_avx2 loads index `i` of `tbl` and writes it to `val`. `i` +// must be positive and at most 31. It is treated as secret. `tbl` must be // aligned to 32 bytes. extern "C" void rsaz_1024_gather5_avx2(BN_ULONG val[40], const BN_ULONG tbl[32 * 18], int i); -// rsaz_1024_red2norm_avx2 converts |red| from RSAZ to |BIGNUM| representation -// and writes the result to |norm|. The result will be <= the modulus. +// rsaz_1024_red2norm_avx2 converts `red` from RSAZ to `BIGNUM` representation +// and writes the result to `norm`. The result will be <= the modulus. // -// WARNING: The result of this operation may not be fully reduced. |norm| may be +// WARNING: The result of this operation may not be fully reduced. `norm` may be // the modulus instead of zero. This function should be followed by a call to -// |bn_reduce_once|. +// `bn_reduce_once`. extern "C" void rsaz_1024_red2norm_avx2(BN_ULONG norm[16], const BN_ULONG red[40]); diff --git a/third_party/boringssl/src/crypto/fipsmodule/bn/shift.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/bn/shift.cc.inc index 4799bac9..bf96726d 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/bn/shift.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/bn/shift.cc.inc @@ -263,7 +263,7 @@ static int bn_count_low_zero_bits_word(BN_ULONG l) { int bits = 0; #if BN_BITS2 > 32 - // Check if the lower half of |x| are all zero. + // Check if the lower half of `x` are all zero. mask = constant_time_is_zero_w(l << (BN_BITS2 - 32)); // If the lower half is all zeros, it is included in the bit count and we // count the upper half. Otherwise, we count the lower half. 
@@ -311,7 +311,7 @@ int BN_count_low_zero_bits(const BIGNUM *bn) { ret |= first_nonzero & (i * BN_BITS2 + bits); } - // If got to the end of |bn| and saw no non-zero words, |bn| is zero. |ret| + // If got to the end of `bn` and saw no non-zero words, `bn` is zero. `ret` // will then remain zero. return ret; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/cipher/aead.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/cipher/aead.cc.inc index 0e721ac6..c27e4a7f 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/cipher/aead.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/cipher/aead.cc.inc @@ -113,8 +113,8 @@ void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx) { ctx->aead = nullptr; } -// check_alias returns 1 if |out| is compatible with |in| and 0 otherwise. If -// |in| and |out| alias, we require that |in| == |out|. +// check_alias returns 1 if `out` is compatible with `in` and 0 otherwise. If +// `in` and `out` alias, we require that `in` == `out`. static int check_alias(const uint8_t *in, size_t in_len, const uint8_t *out, size_t out_len) { if (!buffers_alias(in, in_len, out, out_len)) { @@ -178,7 +178,7 @@ int EVP_AEAD_CTX_seal_scatter(const EVP_AEAD_CTX *ctx, uint8_t *out, } }); - // |out_tag| contains both the encryption of |extra_in| and the tag. + // `out_tag` contains both the encryption of `extra_in` and the tag. Span out_tag_span(out_tag, max_out_tag_len); if (out_tag_span.size() < extra_in_len) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BUFFER_TOO_SMALL); @@ -338,7 +338,7 @@ int EVP_AEAD_CTX_sealv(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, } // Enforce aliasing rules: no output may alias any input, with the one - // exception that an iovec member's |in| and |out| pointers may be identical + // exception that an iovec member's `in` and `out` pointers may be identical // for in-place operation. if (!check_iovec_alias(iovecs, aadvecs, out_tag, max_out_tag_len, nonce, nonce_len, nullptr, 0)) { 
@@ -481,7 +481,7 @@ int EVP_AEAD_CTX_openv(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, } // Enforce aliasing rules: no output may alias any input, with the one - // exception that an iovec member's |in| and |out| pointers may be identical + // exception that an iovec member's `in` and `out` pointers may be identical // for in-place operation. if (!check_iovec_alias(iovecs, aadvecs, nullptr, 0, nonce, nonce_len, nullptr, 0)) { @@ -499,7 +499,7 @@ int EVP_AEAD_CTX_openv(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, std::optional> tag = bssl::iovec::GetAndRemoveSuffix( Span(tagbuf).first(ctx->tag_len), Span(detached_iovecs)); - if (!tag.has_value()) { // I.e. no |ctx->tag_len| bytes available. + if (!tag.has_value()) { // I.e. no `ctx->tag_len` bytes available. OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_BAD_DECRYPT); return 0; } @@ -554,7 +554,7 @@ int EVP_AEAD_CTX_openv_detached(const EVP_AEAD_CTX *ctx, } // Enforce aliasing rules: no output may alias any input, with the one - // exception that an iovec member's |in| and |out| pointers may be identical + // exception that an iovec member's `in` and `out` pointers may be identical // for in-place operation. if (!check_iovec_alias(iovecs, aadvecs, nullptr, 0, nonce, nonce_len, in_tag, in_tag_len)) { diff --git a/third_party/boringssl/src/crypto/fipsmodule/cipher/cipher.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/cipher/cipher.cc.inc index eed5d0ad..49fb979a 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/cipher/cipher.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/cipher/cipher.cc.inc 
@@ -206,10 +206,10 @@ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, return EVP_CipherInit_ex(ctx, cipher, impl, key, iv, 0); } -// block_remainder returns the number of bytes to remove from |len| to get a -// multiple of |ctx|'s block size. +// block_remainder returns the number of bytes to remove from `len` to get a +// multiple of `ctx`'s block size. static size_t block_remainder(const EVP_CIPHER_CTX *ctx, size_t len) { - // |block_size| must be a power of two. + // `block_size` must be a power of two. assert(ctx->cipher->block_size != 0); assert((ctx->cipher->block_size & (ctx->cipher->block_size - 1)) == 0); return len & (ctx->cipher->block_size - 1); @@ -245,13 +245,13 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, template static int WrapWithPoison(EVP_CIPHER_CTX *ctx, F f) { if (ctx->poisoned) { - // |ctx| has been left in an indeterminate state by a previous failed + // `ctx` has been left in an indeterminate state by a previous failed // operation. Do not allow proceeding. OPENSSL_PUT_ERROR(CIPHER, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } if (!f()) { - // Functions using |WrapWithPoison| may leave |ctx| in an indeterminate + // Functions using `WrapWithPoison` may leave `ctx` in an indeterminate // state. Mark the object as poisoned. ctx->poisoned = 1; return 0; @@ -264,8 +264,8 @@ static int EVP_EncryptUpdate_ex_internal(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t in_len) { *out_len = 0; - // Ciphers that use blocks may write up to |block_size| extra bytes. Ensure - // the output does not overflow |*out_len|. + // Ciphers that use blocks may write up to `block_size` extra bytes. Ensure + // the output does not overflow `*out_len`. Span in_span(in, in_len); size_t block_size = ctx->cipher->block_size; 
@@ -422,8 +422,8 @@ static int EVP_DecryptUpdate_ex_internal(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, size_t in_len) { *out_len = 0; - // Ciphers that use blocks may write up to |block_size| extra bytes. Ensure - // the output does not overflow |*out_len|. + // Ciphers that use blocks may write up to `block_size` extra bytes. Ensure + // the output does not overflow `*out_len`. Span in_span(in, in_len); size_t block_size = ctx->cipher->block_size; @@ -614,15 +614,15 @@ int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, const uint8_t *in, out_len = in_len; } - // |EVP_CIPH_FLAG_CUSTOM_CIPHER| never sets the FIPS indicator via - // |EVP_Cipher| because it's complicated whether the operation has completed - // or not. E.g. AES-GCM with a non-NULL |in| argument hasn't completed an - // operation. Callers should use the |EVP_AEAD| API or, at least, - // |EVP_CipherUpdate| etc. + // `EVP_CIPH_FLAG_CUSTOM_CIPHER` never sets the FIPS indicator via + // `EVP_Cipher` because it's complicated whether the operation has completed + // or not. E.g. AES-GCM with a non-NULL `in` argument hasn't completed an + // operation. Callers should use the `EVP_AEAD` API or, at least, + // `EVP_CipherUpdate` etc. // - // This call can't be pushed into |EVP_Cipher_verify_service_indicator| - // because whether |ret| indicates success or not depends on whether - // |EVP_CIPH_FLAG_CUSTOM_CIPHER| is set. (This unreasonable, but matches + // This call can't be pushed into `EVP_Cipher_verify_service_indicator` + // because whether `ret` indicates success or not depends on whether + // `EVP_CIPH_FLAG_CUSTOM_CIPHER` is set. (This unreasonable, but matches // OpenSSL.) if (!(ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER)) { EVP_Cipher_verify_service_indicator(ctx); 
@@ -680,6 +680,49 @@ int EVP_CipherFinal_ex2(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, } } +size_t EVP_CIPHER_CTX_max_next_update(const EVP_CIPHER_CTX *ctx, + size_t in_len) { + if (in_len == 0) { + return 0; + } + + size_t block_size = ctx->cipher->block_size; + // |block_size| must be a power of 2. + assert(block_size != 0 && (block_size & (block_size - 1)) == 0); + size_t buf_len = ctx->buf_len; + + // Any buffered input is combined with |in_len|, then we round down to a + // multiple of the block size. + size_t ret = (in_len + buf_len) & ~(block_size - 1); + if (!ctx->encrypt && block_size > 1 && !(ctx->flags & EVP_CIPH_NO_PADDING)) { + if (ctx->final_used) { + // There was a buffered decrypted block. Now that it is known to not have + // padding, DecryptUpdate will output it. + ret += block_size; + } + if (block_remainder(ctx, in_len + buf_len) == 0) { + // This call ends on a block boundary. The last block will be buffered in + // |ctx->final| until it is known to have padding. + assert(ret >= block_size); + ret -= block_size; + } + } + return ret; +} + +size_t EVP_CIPHER_CTX_max_final(const EVP_CIPHER_CTX *ctx) { + size_t block_size = ctx->cipher->block_size; + if (block_size == 1 || (ctx->flags & EVP_CIPH_NO_PADDING)) { + return 0; + } + if (ctx->encrypt) { + return block_size; + } else { + // At least one byte will be removed when processing padding. + return block_size - 1; + } +} + const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) { return ctx->cipher; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aes.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aes.cc.inc index 4ddf4b95..83fa9fff 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aes.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aes.cc.inc 
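Review bot: In EVP_CIPHER_CTX_max_next_update the sum `in_len + buf_len` is computed in size_t with no overflow check, so an in_len close to SIZE_MAX wraps and the function reports a bound that is too small. If the sum wraps to zero on the decrypt-with-padding path, `assert(ret >= block_size)` is compiled out in release builds and `ret -= block_size` can underflow. A caller that sizes its output buffer from this value would then under-allocate, although the update call itself presumably still rejects such a length. A saturating guard before the sum would keep the result an upper bound, for example `if (in_len > SIZE_MAX - buf_len) { return SIZE_MAX; }`. The new comments also still write `|block_size|`, `|in_len|` and `|ctx->final|` with pipes, while the rest of this commit moves to backticks.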
@@ -93,7 +93,7 @@ static int aes_init_key(EVP_CIPHER_CTX *ctx, const uint8_t *key, if (ret == 0) { vpaes_decrypt_key_to_bsaes(&dat->ks.ks, &dat->ks.ks); } - // If |dat->stream.cbc| is provided, |dat->block| is never used. + // If `dat->stream.cbc` is provided, `dat->block` is never used. dat->block = nullptr; dat->stream.cbc = bsaes_cbc_encrypt; #endif @@ -323,14 +323,14 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { gctx->iv_gen = 1; return 1; } - // Fixed field must be at least 4 bytes and invocation field - // at least 8. + // The fixed field must be at least 4 bytes and the invocation field at + // least 8. if (arg < 4 || (gctx->ivlen - arg) < 8) { return 0; } OPENSSL_memcpy(gctx->iv, ptr, arg); if (c->encrypt) { - // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with + // `BCM_rand_bytes` calls within the fipsmodule should be wrapped with // state lock functions to avoid updating the service indicator with the // DRBG functions. FIPS_service_indicator_lock_state(); @@ -341,7 +341,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { return 1; case EVP_CTRL_GCM_IV_GEN: { - if (gctx->iv_gen == 0 || gctx->key_set == 0) { + if (gctx->iv_gen == 0 || gctx->key_set == 0 || gctx->ivlen < 8) { return 0; } CRYPTO_gcm128_init_ctx(&gctx->key, &gctx->gcm, gctx->iv, gctx->ivlen); @@ -349,8 +349,6 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { arg = gctx->ivlen; } OPENSSL_memcpy(ptr, gctx->iv + gctx->ivlen - arg, arg); - // Invocation field will be at least 8 bytes in size, so no need to check - // wrap around or increment more than last 8 bytes. uint8_t *ctr = gctx->iv + gctx->ivlen - 8; CRYPTO_store_u64_be(ctr, CRYPTO_load_u64_be(ctr) + 1); gctx->iv_set = 1; 
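Review bot: The new `gctx->ivlen < 8` guard in the EVP_CTRL_GCM_IV_GEN case has no comment, and the following hunk deletes the only comment that explained the 8-byte invocation field. A reader now has to work out from `uint8_t *ctr = gctx->iv + gctx->ivlen - 8;` that a shorter IV would place `ctr` before the start of `gctx->iv`. I would add `// The counter is the last 8 bytes of the IV; reject shorter IVs so ctr stays inside gctx->iv.` above the check. The `arg < 0 || arg > gctx->ivlen` bound added in the EVP_CTRL_GCM_SET_IV_INV case is likewise uncommented, where `arg` is both the offset from the end of the IV and the memcpy length. aes_gcm_ctrl starts and ends outside these hunks.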
@@ -358,7 +356,8 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) { } case EVP_CTRL_GCM_SET_IV_INV: - if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt) { + if (gctx->iv_gen == 0 || gctx->key_set == 0 || c->encrypt || arg < 0 || + arg > gctx->ivlen) { return 0; } OPENSSL_memcpy(gctx->iv + gctx->ivlen - arg, ptr, arg); @@ -960,7 +959,7 @@ static int aead_aes_gcm_sealv_randnonce(const EVP_AEAD_CTX *ctx, return 0; } - // |BCM_rand_bytes| calls within the fipsmodule should be wrapped with state + // `BCM_rand_bytes` calls within the fipsmodule should be wrapped with state // lock functions to avoid updating the service indicator with the DRBG // functions. FIPS_service_indicator_lock_state(); diff --git a/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aesccm.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aesccm.cc.inc index f100cf93..de6bfd4f 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aesccm.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/cipher/e_aesccm.cc.inc @@ -67,7 +67,7 @@ static int ccm128_init_state(const struct ccm128_context *ctx, const unsigned M = ctx->M; const unsigned L = ctx->L; - // |L| determines the expected |nonce_len| and the limit for |plaintext_len|. + // `L` determines the expected `nonce_len` and the limit for `plaintext_len`. if (plaintext_len > CRYPTO_ccm128_max_input(ctx)) { OPENSSL_PUT_ERROR(CIPHER, CIPHER_R_TOO_LARGE); return 0; @@ -155,8 +155,8 @@ static int ccm128_init_state(const struct ccm128_context *ctx, return 0; } - // Assemble the first block for encrypting and decrypting. The bottom |L| - // bytes are replaced with a counter and all bit the encoding of |L| is + // Assemble the first block for encrypting and decrypting. The bottom `L` + // bytes are replaced with a counter and all bit the encoding of `L` is // cleared in the first byte. state->nonce[0] &= 7; return 1; 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/cipher/internal.h b/third_party/boringssl/src/crypto/fipsmodule/cipher/internal.h index 0983b157..105ae43d 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/cipher/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/cipher/internal.h @@ -33,7 +33,7 @@ extern "C" { -// EVP_CIPH_MODE_MASK contains the bits of |flags| that represent the mode. +// EVP_CIPH_MODE_MASK contains the bits of `flags` that represent the mode. #define EVP_CIPH_MODE_MASK 0x3f // EVP_AEAD represents a specific AEAD algorithm. @@ -43,8 +43,8 @@ struct evp_aead_st { uint8_t overhead; uint8_t max_tag_len; - // init initialises an |EVP_AEAD_CTX|. If this call returns zero then - // |cleanup| will not be called for that context. + // init initialises an `EVP_AEAD_CTX`. If this call returns zero then + // `cleanup` will not be called for that context. int (*init)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len, size_t tag_len); int (*init_with_direction)(EVP_AEAD_CTX *, const uint8_t *key, size_t key_len, @@ -96,16 +96,16 @@ struct evp_cipher_st { // cipher. unsigned ctx_size; - // flags contains the OR of a number of flags. See |EVP_CIPH_*|. + // flags contains the OR of a number of flags. See `EVP_CIPH_*`. uint32_t flags; int (*init)(EVP_CIPHER_CTX *ctx, const uint8_t *key, const uint8_t *iv, int enc); - // cipher encrypts/decrypts |in|, write output to |out|. Writes exactly |len| - // bytes, which must be a multiple of the |block_size|. + // cipher encrypts/decrypts `in`, write output to `out`. Writes exactly `len` + // bytes, which must be a multiple of the `block_size`. // - // For ciphers where encryption and decryption operations differ, |init| + // For ciphers where encryption and decryption operations differ, `init` // shall set an internal state for this. // // Returns 1 on success, or 0 on error. 
@@ -115,22 +115,22 @@ struct evp_cipher_st { // cipher_final finalizes the cipher, performing possible final // authentication checks. // - // Only used for |EVP_CIPH_FLAG_CUSTOM_CIPHER| ciphers. + // Only used for `EVP_CIPH_FLAG_CUSTOM_CIPHER` ciphers. // // Returns 1 on success, or 0 on error. When decrypting, if an error is // returned, the decrypted data must not be used. int (*cipher_final)(EVP_CIPHER_CTX *ctx); - // update_aad adds |in| (of length |inl|) to the authenticated data for the + // update_aad adds `in` (of length `inl`) to the authenticated data for the // encryption operation. // - // Only used for |EVP_CIPH_FLAG_CUSTOM_CIPHER| ciphers. + // Only used for `EVP_CIPH_FLAG_CUSTOM_CIPHER` ciphers. // // Returns 1 on success, or 0 on error. int (*update_aad)(EVP_CIPHER_CTX *ctx, const uint8_t *in, size_t inl); // cleanup, if non-NULL, releases memory associated with the context. It is - // called if |EVP_CTRL_INIT| succeeds. Note that |init| may not have been + // called if `EVP_CTRL_INIT` succeeds. Note that `init` may not have been // called at this point. void (*cleanup)(EVP_CIPHER_CTX *); @@ -141,7 +141,7 @@ struct evp_cipher_st { BSSL_NAMESPACE_BEGIN -// CopySpan copies an entire span of bytes from |from| to |to|. +// CopySpan copies an entire span of bytes from `from` to `to`. // // The spans need to have the same length. inline void CopySpan(Span from, Span to) { @@ -149,7 +149,7 @@ inline void CopySpan(Span from, Span to) { std::copy(from.begin(), from.end(), to.begin()); } -// CopyToPrefix copies a span of bytes from |from| into |to|. It aborts +// CopyToPrefix copies a span of bytes from `from` into `to`. It aborts // if there is not enough space. // // TODO(crbug.com/404286922): Can we simplify this in a C++20 world (e.g. 
@@ -161,9 +161,9 @@ inline void CopyToPrefix(Span from, Span to) { // Generic CRYPTO_IOVEC/CRYPTO_IVEC helpers. namespace iovec { -// IsValid returns whether the given |CRYPTO_IVEC| or |CRYPTO_IOVEC| is -// valid for use with public APIs, i.e. does not contain more than |SIZE_MAX| -// bytes and not more than |CRYPTO_IOVEC_MAX| chunks. Note that the `EVP_AEAD` +// IsValid returns whether the given `CRYPTO_IVEC` or `CRYPTO_IOVEC` is +// valid for use with public APIs, i.e. does not contain more than `SIZE_MAX` +// bytes and not more than `CRYPTO_IOVEC_MAX` chunks. Note that the `EVP_AEAD` // methods need to accept an arbitrary number of chunks. template inline bool IsValid(Span ivecs) { @@ -181,8 +181,8 @@ inline bool IsValid(Span ivecs) { return true; } -// Length returns the total length in bytes of a given |CRYPTO_IVEC| or -// |CRYPTO_IOVEC|. +// Length returns the total length in bytes of a given `CRYPTO_IVEC` or +// `CRYPTO_IOVEC`. template inline size_t TotalLength(Span ivecs) { size_t total = 0; @@ -192,15 +192,15 @@ inline size_t TotalLength(Span ivecs) { return total; } -// GetAndRemoveSuffix takes |suffix_buf.size()| final bytes from the given -// |CRYPTO_IVEC| or |CRYPTO_IOVEC| (mutating said iovec to no longer contain +// GetAndRemoveSuffix takes `suffix_buf.size()` final bytes from the given +// `CRYPTO_IVEC` or `CRYPTO_IOVEC` (mutating said iovec to no longer contain // those bytes) and returns them. // -// If the byte range is contained in a single chunk of |ivecs|, it will just -// return that span pointing into |ivecs|; otherwise, it will copy the bytes -// into |out| and return that. +// If the byte range is contained in a single chunk of `ivecs`, it will just +// return that span pointing into `ivecs`; otherwise, it will copy the bytes +// into `out` and return that. // -// If |ivecs| is too short, returns |nullopt|. +// If `ivecs` is too short, returns `nullopt`. template inline std::optional> GetAndRemoveSuffix( 
@@ -221,7 +221,7 @@ inline std::optional> GetAndRemoveSuffix( ivecs.back().len -= suffix_buf.size(); return Span(ivecs.back().*ReadFrom + ivecs.back().len, suffix_buf.size()); } - // Otherwise, collect it into the buffer while trimming |ivecs|. + // Otherwise, collect it into the buffer while trimming `ivecs`. Span remaining = suffix_buf; while (!ivecs.empty()) { Span src(ivecs.back().*ReadFrom, ivecs.back().len); 
@@ -238,8 +238,8 @@ inline std::optional> GetAndRemoveSuffix( return std::nullopt; } -// GetAndRemoveOutSuffix is like |GetAndRemoveSuffix| but takes from a -// |CRYPTO_IOVEC|'s |out| member instead. +// GetAndRemoveOutSuffix is like `GetAndRemoveSuffix` but takes from a +// `CRYPTO_IOVEC`'s `out` member instead. inline std::optional> GetAndRemoveOutSuffix( Span out, Span iovecs) { return GetAndRemoveSuffix out, CRYPTO_IOVEC head, } } // namespace internal -// ForEachBlockRange iterates over the |ivecs| as follows: +// ForEachBlockRange iterates over the `ivecs` as follows: // -// - |f_whole| gets called on whole blocks crossing |ivecs| chunk boundaries, or +// - `f_whole` gets called on whole blocks crossing `ivecs` chunk boundaries, or // ranges of whole blocks that are entirely in chunks. -// - |f| gets called exactly once, on the last block range which may +// - `f` gets called exactly once, on the last block range which may // end up with a partial block. -// - Both functions receive an |in| pointer that either points into |ivecs| or -// into a chunk assembly buffer and a |len| which indicates the number of -// bytes from |in| that can be accessed. If the function returns 0, +// - Both functions receive an `in` pointer that either points into `ivecs` or +// into a chunk assembly buffer and a `len` which indicates the number of +// bytes from `in` that can be accessed. If the function returns 0, // iteration stops. -// - If |WriteOut| is set, |f_whole| and |f| receive an extra |out| +// - If `WriteOut` is set, `f_whole` and `f` receive an extra `out` // argument to which they can write output. This output will be placed into -// the |ivecs|'s |out| members either during or after the call. If iteration -// was stopped, the contents of |out| are indeterminate. +// the `ivecs`'s `out` members either during or after the call. If iteration +// was stopped, the contents of `out` are indeterminate. 
// - The return value is true if iteration was not stopped by the callbacks. template < size_t BlockSize, bool WriteOut = false, typename IVec, @@ -310,8 +310,8 @@ inline bool ForEachBlockRange(Span ivecs, const FWhole &f_whole, } }; - // Ensure the last item in |ivecs| is nonempty. This is necessary for - // detecting being at the end and calling |f_final| at the appropriate time. + // Ensure the last item in `ivecs` is nonempty. This is necessary for + // detecting being at the end and calling `f_final` at the appropriate time. Span ivecs_trimmed = ivecs; while (!ivecs_trimmed.empty() && ivecs_trimmed.back().len == 0) { ivecs_trimmed = ivecs_trimmed.first(ivecs_trimmed.size() - 1); @@ -320,7 +320,7 @@ inline bool ForEachBlockRange(Span ivecs, const FWhole &f_whole, return call_func(f_final, IVec{}); } - // Now there are at least two non-empty |ivecs|, and neither the first nor the + // Now there are at least two non-empty `ivecs`, and neither the first nor the // last can be empty. MutableIVec current_range_head = ivecs_trimmed.front(); @@ -356,7 +356,7 @@ inline bool ForEachBlockRange(Span ivecs, const FWhole &f_whole, remove_prefix(collect_from_head, remaining); break; } - // Consume all of |ivec| and advance. + // Consume all of `ivec` and advance. in.Append(Span(collect_from_head.*ReadFrom, collect_from_head.len)); if (collect_from_rest.empty()) { // Nothing left - so this is the final block. 
@@ -378,12 +378,12 @@ inline bool ForEachBlockRange(Span ivecs, const FWhole &f_whole, } assert(in.size() == BlockSize); - // The above loop ensures this condition by the |break| only happening if - // |collect_from_head| has at least one byte remaining, and the loop + // The above loop ensures this condition by the `break` only happening if + // `collect_from_head` has at least one byte remaining, and the loop // otherwise ensuring as an invariant that the final chunk - which is - // nonempty - is among |collect_from_head| and |collect_from_rest|. + // nonempty - is among `collect_from_head` and `collect_from_rest`. // - // As such, at least one byte is remaining, and thus calling |f_whole| is + // As such, at least one byte is remaining, and thus calling `f_whole` is // appropriate. assert(collect_from_head.len != 0 || !collect_from_rest.empty()); @@ -406,15 +406,15 @@ inline bool ForEachBlockRange(Span ivecs, const FWhole &f_whole, } // If current_range_head.len is zero, then the last item of ivecs is empty. - // That however was excluded at the start of the function to ensure |f_final| + // That however was excluded at the start of the function to ensure `f_final` // is always used for the last call. assert(current_range_head.len != 0); return call_func(f_final, current_range_head); } -// ForEachOutBlockRange is like |ForEachBlockRange| but reads from a -// |CRYPTO_IOVEC|'s |out| member instead. +// ForEachOutBlockRange is like `ForEachBlockRange` but reads from a +// `CRYPTO_IOVEC`'s `out` member instead. template < size_t BlockSize, typename /* int(const uint8_t *in, [uint8_t *out,] size_t len) */ FWhole, @@ -428,7 +428,7 @@ inline int ForEachOutBlockRange(Span iovecs, f_final); } -// ForEachBlockRange_Dynamic is simply |ForEachBlockRange| with a +// ForEachBlockRange_Dynamic is simply `ForEachBlockRange` with a // runtime dispatch on the block size. template < bool WriteOut = false, typename IVec, typename ReadFromT = const uint8_t *, 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/cmac/cmac.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/cmac/cmac.cc.inc index 18d09afd..93e48f87 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/cmac/cmac.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/cmac/cmac.cc.inc @@ -37,7 +37,7 @@ struct cmac_ctx_st { uint8_t k2[AES_BLOCK_SIZE]; // Last (possibly partial) scratch uint8_t block[AES_BLOCK_SIZE]; - // block_used contains the number of valid bytes in |block|. + // block_used contains the number of valid bytes in `block`. unsigned block_used; }; @@ -115,14 +115,14 @@ int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in) { return 1; } -// binary_field_mul_x_128 treats the 128 bits at |in| as an element of GF(2¹²⁸) -// with a hard-coded reduction polynomial and sets |out| as x times the input. +// binary_field_mul_x_128 treats the 128 bits at `in` as an element of GF(2¹²⁸) +// with a hard-coded reduction polynomial and sets `out` as x times the input. // // See https://tools.ietf.org/html/rfc4493#section-2.3 static void binary_field_mul_x_128(uint8_t out[16], const uint8_t in[16]) { unsigned i; - // Shift |in| to left, including carry. + // Shift `in` to left, including carry. for (i = 0; i < 15; i++) { out[i] = (in[i] << 1) | (in[i + 1] >> 7); } @@ -132,14 +132,14 @@ static void binary_field_mul_x_128(uint8_t out[16], const uint8_t in[16]) { out[i] = (in[i] << 1) ^ ((0 - carry) & 0x87); } -// binary_field_mul_x_64 behaves like |binary_field_mul_x_128| but acts on an +// binary_field_mul_x_64 behaves like `binary_field_mul_x_128` but acts on an // element of GF(2⁶⁴). // // See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38b.pdf static void binary_field_mul_x_64(uint8_t out[8], const uint8_t in[8]) { unsigned i; - // Shift |in| to left, including carry. + // Shift `in` to left, including carry. for (i = 0; i < 7; i++) { out[i] = (in[i] << 1) | (in[i + 1] >> 7); } 
@@ -156,7 +156,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len, int ret = 0; uint8_t scratch[AES_BLOCK_SIZE]; - // We have to avoid the underlying AES-CBC |EVP_CIPHER| services updating the + // We have to avoid the underlying AES-CBC `EVP_CIPHER` services updating the // indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); @@ -196,7 +196,7 @@ int CMAC_Reset(CMAC_CTX *ctx) { int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) { int ret = 0; - // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the + // We have to avoid the underlying AES-CBC `EVP_Cipher` services updating the // indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); @@ -215,9 +215,9 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) { in_len -= todo; ctx->block_used += todo; - // If |in_len| is zero then either |ctx->block_used| is less than - // |block_size|, in which case we can stop here, or |ctx->block_used| is - // exactly |block_size| but there's no more data to process. In the latter + // If `in_len` is zero then either `ctx->block_used` is less than + // `block_size`, in which case we can stop here, or `ctx->block_used` is + // exactly `block_size` but there's no more data to process. In the latter // case we don't want to process this block now because it might be the last // block and that block is treated specially. if (in_len == 0) { @@ -242,7 +242,7 @@ int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len) { } OPENSSL_memcpy(ctx->block, in, in_len); - // |in_len| is bounded by |block_size|, which fits in |unsigned|. + // `in_len` is bounded by `block_size`, which fits in `unsigned`. static_assert(EVP_MAX_BLOCK_LENGTH < UINT_MAX, "EVP_MAX_BLOCK_LENGTH is too large"); ctx->block_used = (unsigned)in_len; 
@@ -258,7 +258,7 @@ int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len) { size_t block_size = EVP_CIPHER_CTX_block_size(&ctx->cipher_ctx); assert(block_size <= AES_BLOCK_SIZE); - // We have to avoid the underlying AES-CBC |EVP_Cipher| services updating the + // We have to avoid the underlying AES-CBC `EVP_Cipher` services updating the // indicator state, so we lock the state here. FIPS_service_indicator_lock_state(); diff --git a/third_party/boringssl/src/crypto/fipsmodule/delocate.h b/third_party/boringssl/src/crypto/fipsmodule/delocate.h index 75015480..b9710851 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/delocate.h +++ b/third_party/boringssl/src/crypto/fipsmodule/delocate.h @@ -29,7 +29,7 @@ #if !defined(BORINGSSL_SHARED_LIBRARY) && defined(BORINGSSL_FIPS) && \ !defined(OPENSSL_ASAN) && !defined(OPENSSL_MSAN) #define DEFINE_BSS_GET(type, name, init_expr) \ - /* delocate needs C linkage and for |name| to be unique across BCM. */ \ + /* delocate needs C linkage and for `name` to be unique across BCM. */ \ extern "C" { \ extern type BCM_ADD_PREFIX(name); \ type BCM_ADD_PREFIX(name) init_expr; \ @@ -67,12 +67,12 @@ } \ static void name##_do_init(type *out) -// DEFINE_METHOD_FUNCTION defines a function named |name| which returns a -// method table of type const |type|*. In FIPS mode, to avoid rel.ro data, it +// DEFINE_METHOD_FUNCTION defines a function named `name` which returns a +// method table of type const `type`*. In FIPS mode, to avoid rel.ro data, it // is split into a CRYPTO_once_t-guarded initializer in the module and // unhashed, non-module accessor functions to space reserved in the BSS. The // method table is initialized by a caller-supplied function which takes a -// parameter named |out| of type |type|*. The caller should follow the macro +// parameter named `out` of type `type`*. The caller should follow the macro // invocation with the body of this function: // // DEFINE_METHOD_FUNCTION(EVP_MD, EVP_md4) { 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/dh/check.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/dh/check.cc.inc index ec8e3584..08488190 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/dh/check.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/dh/check.cc.inc @@ -67,12 +67,12 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { } BN_CTXScope scope(ctx.get()); - // Check |pub_key| is greater than 1. + // Check `pub_key` is greater than 1. if (BN_cmp(pub_key, BN_value_one()) <= 0) { *out_flags |= DH_CHECK_PUBKEY_TOO_SMALL; } - // Check |pub_key| is less than |impl->p| - 1. + // Check `pub_key` is less than `impl->p` - 1. BIGNUM *tmp = BN_CTX_get(ctx.get()); if (tmp == nullptr || !BN_copy(tmp, impl->p.get()) || !BN_sub_word(tmp, 1)) { return 0; @@ -82,9 +82,9 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags) { } if (impl->q != nullptr) { - // Check |pub_key|^|impl->q| is 1 mod |impl->p|. This is necessary for RFC + // Check `pub_key`^`impl->q` is 1 mod `impl->p`. This is necessary for RFC // 5114 groups which are not safe primes but pick a generator on a - // prime-order subgroup of size |impl->q|. + // prime-order subgroup of size `impl->q`. if (!BN_mod_exp_mont(tmp, pub_key, impl->q.get(), impl->p.get(), ctx.get(), nullptr)) { return 0; diff --git a/third_party/boringssl/src/crypto/fipsmodule/dh/dh.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/dh/dh.cc.inc index 9837c6c6..ca8351a9 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/dh/dh.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/dh/dh.cc.inc @@ -145,7 +145,7 @@ int DH_generate_key(DH *dh) { } // Only generate a private key if there's already one. Otherwise, - // |DH_generate_key| recomputes the public key. + // `DH_generate_key` recomputes the public key. const BIGNUM *priv_key = impl->priv_key.get(); UniquePtr new_priv_key; if (priv_key == nullptr) { 
@@ -159,7 +159,7 @@ int DH_generate_key(DH *dh) { // from [1, min(2^N-1, q-1)]. // // Although SP 800-56A Rev3 now permits a private key length N, - // |impl->priv_length| historically was ignored when q is available. We + // `impl->priv_length` historically was ignored when q is available. We // continue to ignore it and interpret such a configuration as N = len(q). if (!BN_rand_range_ex(new_priv_key.get(), 1, impl->q.get())) { OPENSSL_PUT_ERROR(DH, ERR_R_BN_LIB); @@ -170,10 +170,10 @@ int DH_generate_key(DH *dh) { // the (p-1)/2 subgroup. So, we use q = (p-1)/2. (If g generates a smaller // prime-order subgroup, q will still divide (p-1)/2.) // - // We set N from |impl->priv_length|. Section 5.6.1.1.4 of SP 800-56A Rev3 + // We set N from `impl->priv_length`. Section 5.6.1.1.4 of SP 800-56A Rev3 // says to reject N > len(q), or N > num_bits(p) - 1. However, this logic // originally aligned with PKCS#3, which allows num_bits(p). Instead, we - // clamp |impl->priv_length| before invoking the algorithm. + // clamp `impl->priv_length` before invoking the algorithm. // Compute M = min(2^N, q). UniquePtr priv_key_limit(BN_new()); @@ -302,7 +302,7 @@ int DH_compute_key(unsigned char *out, const BIGNUM *peers_key, DH *dh) { !dh_compute_key(dh, shared_key, peers_key, ctx.get())) { return -1; } - // A |BIGNUM|'s byte count fits in |int|. + // A `BIGNUM`'s byte count fits in `int`. return static_cast(BN_bn2bin(shared_key, out)); } @@ -392,7 +392,7 @@ DH *DH_get_rfc7919_2048() { ffdhe2048_g.get())) { return nullptr; } - // |DH_set0_pqg| takes ownership on success. + // `DH_set0_pqg` takes ownership on success. ffdhe2048_p.release(); ffdhe2048_q.release(); ffdhe2048_g.release(); diff --git a/third_party/boringssl/src/crypto/fipsmodule/dh/internal.h b/third_party/boringssl/src/crypto/fipsmodule/dh/internal.h index 337afa61..598154c0 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/dh/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/dh/internal.h 
@@ -36,7 +36,7 @@ class DHImpl : public dh_st, public RefCounted { UniquePtr priv_key; // x // priv_length contains the length, in bits, of the private value. If zero, - // the private value will be the same length as |p|. + // the private value will be the same length as `p`. unsigned priv_length = 0; mutable Mutex method_mont_p_lock; @@ -47,12 +47,12 @@ class DHImpl : public dh_st, public RefCounted { ~DHImpl() = default; }; -// dh_check_params_fast checks basic invariants on |dh|'s domain parameters. It -// does not check that |dh| forms a valid group, only that the sizes are within +// dh_check_params_fast checks basic invariants on `dh`'s domain parameters. It +// does not check that `dh` forms a valid group, only that the sizes are within // DoS bounds. int dh_check_params_fast(const DH *dh); -// dh_compute_key_padded_no_self_test does the same as |DH_compute_key_padded|, +// dh_compute_key_padded_no_self_test does the same as `DH_compute_key_padded`, // but doesn't try to run the self-test first. This is for use in the self tests // themselves, to prevent an infinite loop. int dh_compute_key_padded_no_self_test(unsigned char *out, diff --git a/third_party/boringssl/src/crypto/fipsmodule/digest/digest.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/digest/digest.cc.inc index 49b067b7..a7c6317e 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/digest/digest.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/digest/digest.cc.inc 
@@ -93,8 +93,8 @@ uint32_t EVP_MD_meth_get_flags(const EVP_MD *md) { return EVP_MD_flags(md); } void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags) {} int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { - // |in->digest| may be NULL if this is a signing |EVP_MD_CTX| for, e.g., - // Ed25519 which does not hash with |EVP_MD_CTX|. + // `in->digest` may be NULL if this is a signing `EVP_MD_CTX` for, e.g., + // Ed25519 which does not hash with `EVP_MD_CTX`. if (in == nullptr || (in->pctx == nullptr && in->digest == nullptr)) { OPENSSL_PUT_ERROR(DIGEST, DIGEST_R_INPUT_NOT_INITIALIZED); return 0; @@ -128,9 +128,9 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) { void EVP_MD_CTX_move(EVP_MD_CTX *out, EVP_MD_CTX *in) { EVP_MD_CTX_cleanup(out); - // While not guaranteed, |EVP_MD_CTX| is currently safe to move with |memcpy|. + // While not guaranteed, `EVP_MD_CTX` is currently safe to move with `memcpy`. // bssl-crypto currently relies on this, however, so if we change this, we - // need to box the |HMAC_CTX|. (Relying on this is only fine because we assume + // need to box the `HMAC_CTX`. (Relying on this is only fine because we assume // BoringSSL and bssl-crypto will always be updated atomically. We do not // allow any version skew between the two.) OPENSSL_memcpy(out, in, sizeof(EVP_MD_CTX)); @@ -149,14 +149,12 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) { } int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *engine) { - if (ctx->digest != type) { - assert(type->ctx_size != 0); - assert(type->ctx_size <= sizeof(ctx->md_data)); - ctx->digest = type; - } - - assert(ctx->pctx == nullptr || ctx->pctx_ops != nullptr); + EVP_MD_CTX_cleanup(ctx); + assert(ctx->pctx == nullptr); + assert(type->ctx_size != 0); + assert(type->ctx_size <= sizeof(ctx->md_data)); + ctx->digest = type; ctx->digest->init(ctx); return 1; } 
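Review bot: The rewritten `EVP_DigestInit_ex` has no comment stating its new contract: it now calls `EVP_MD_CTX_cleanup(ctx)` unconditionally, where the old code kept the existing state when `ctx->digest == type` and tolerated an attached `pctx`. Judging by the `assert(ctx->pctx == nullptr)` that follows, any `pctx` left by an earlier sign/verify init is presumably released here, so a caller that re-initialises for plain hashing loses its key context. I would add above the cleanup call `// Re-initialising always discards prior digest state and any attached pctx.` The remaining guards on `type` (`ctx_size != 0`, `ctx_size <= sizeof(ctx->md_data)`) are `assert`s only, so they do nothing in builds that compile assertions out.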
diff --git a/third_party/boringssl/src/crypto/fipsmodule/digest/internal.h b/third_party/boringssl/src/crypto/fipsmodule/digest/internal.h index 1174fcc5..52090ceb 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/digest/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/digest/internal.h @@ -32,16 +32,16 @@ struct env_md_st { // md_size contains the size, in bytes, of the resulting digest. unsigned md_size; - // flags contains the OR of |EVP_MD_FLAG_*| values. + // flags contains the OR of `EVP_MD_FLAG_*` values. uint32_t flags; - // init initialises the state in |ctx->md_data|. + // init initialises the state in `ctx->md_data`. void (*init)(EVP_MD_CTX *ctx); - // update hashes |len| bytes of |data| into the state in |ctx->md_data|. + // update hashes `len` bytes of `data` into the state in `ctx->md_data`. void (*update)(EVP_MD_CTX *ctx, const void *data, size_t count); - // final completes the hash and writes |md_size| bytes of digest to |out|. + // final completes the hash and writes `md_size` bytes of digest to `out`. void (*final)(EVP_MD_CTX *ctx, uint8_t *out); // block_size contains the hash's native block size. @@ -51,15 +51,15 @@ struct env_md_st { unsigned ctx_size; }; -// evp_md_pctx_ops contains function pointers to allow the |pctx| member of -// |EVP_MD_CTX| to be manipulated without breaking layering by calling EVP +// evp_md_pctx_ops contains function pointers to allow the `pctx` member of +// `EVP_MD_CTX` to be manipulated without breaking layering by calling EVP // functions. struct evp_md_pctx_ops { - // free is called when an |EVP_MD_CTX| is being freed and the |pctx| also + // free is called when an `EVP_MD_CTX` is being freed and the `pctx` also // needs to be freed. void (*free)(EVP_PKEY_CTX *pctx); - // dup is called when an |EVP_MD_CTX| is copied and so the |pctx| also needs + // dup is called when an `EVP_MD_CTX` is copied and so the `pctx` also needs // to be copied. EVP_PKEY_CTX *(*dup)(EVP_PKEY_CTX *pctx); }; 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/digest/md32_common.h b/third_party/boringssl/src/crypto/fipsmodule/digest/md32_common.h index 9e237b2b..86f21dcd 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/digest/md32_common.h +++ b/third_party/boringssl/src/crypto/fipsmodule/digest/md32_common.h @@ -44,9 +44,9 @@ BSSL_NAMESPACE_BEGIN // any truncation (e.g. 64 for SHA-224 and SHA-256, 128 for SHA-384 and // SHA-512). // -// |h| is the hash state and is updated by a function of type -// |crypto_md32_block_func|. |data| is the partial unprocessed block and has -// |num| bytes. |Nl| and |Nh| maintain the number of bits processed so far. +// `h` is the hash state and is updated by a function of type +// `crypto_md32_block_func`. `data` is the partial unprocessed block and has +// `num` bytes. `Nl` and `Nh` maintain the number of bits processed so far. // // The template parameter is then a traits struct defined as follows: // @@ -61,8 +61,8 @@ BSSL_NAMESPACE_BEGIN // // big or little endian. // static constexpr bool kLengthIsBigEndian = ...; // -// // HashBlocks incorporates |num_blocks| blocks of input from |data| -// // into |state|. It is assumed the caller has sized |state| and |data| +// // HashBlocks incorporates `num_blocks` blocks of input from `data` +// // into `state`. It is assumed the caller has sized `state` and `data` // // for the hash function. // static void HashBlocks(uint32_t *state, const uint8_t *data, // size_t num_blocks) { @@ -73,7 +73,7 @@ BSSL_NAMESPACE_BEGIN // The reason for this formulation is to encourage the compiler to specialize // all the code for the block size and block function. -// crypto_md32_update hashes |in| to |ctx|. +// crypto_md32_update hashes `in` to `ctx`. template inline void crypto_md32_update(typename Traits::HashContext *ctx, Span in) { 
@@ -98,7 +98,7 @@ inline void crypto_md32_update(typename Traits::HashContext *ctx, Traits::HashBlocks(ctx->h, ctx->data, 1); in = in.subspan(Traits::kBlockSize - n); ctx->num = 0; - // Keep |data| zeroed when unused. + // Keep `data` zeroed when unused. OPENSSL_memset(ctx->data, 0, Traits::kBlockSize); } else { OPENSSL_memcpy(ctx->data + n, in.data(), in.size()); @@ -120,19 +120,19 @@ inline void crypto_md32_update(typename Traits::HashContext *ctx, } // crypto_md32_final incorporates the partial block and trailing length into the -// digest state in |ctx|. The trailing length is encoded in little-endian if -// |is_big_endian| is zero and big-endian otherwise. |data| must be a buffer of -// length |block_size| with the first |*num| bytes containing a partial block. -// |Nh| and |Nl| contain the total number of bits processed. On return, this -// function clears the partial block in |data| and -// |*num|. +// digest state in `ctx`. The trailing length is encoded in little-endian if +// `is_big_endian` is zero and big-endian otherwise. `data` must be a buffer of +// length `block_size` with the first `*num` bytes containing a partial block. +// `Nh` and `Nl` contain the total number of bits processed. On return, this +// function clears the partial block in `data` and +// `*num`. // -// This function does not serialize |h| into a final digest. This is the +// This function does not serialize `h` into a final digest. This is the // responsibility of the caller. template inline void crypto_md32_final(typename Traits::HashContext *ctx) { static_assert(Traits::kBlockSize == sizeof(ctx->data), "block size is wrong"); - // |data| always has room for at least one byte. A full block would have + // `data` always has room for at least one byte. A full block would have // been consumed. size_t n = ctx->num; assert(n < Traits::kBlockSize); 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/digestsign/digestsign.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/digestsign/digestsign.cc.inc index 5324107b..89205466 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/digestsign/digestsign.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/digestsign/digestsign.cc.inc @@ -12,9 +12,10 @@ // See the License for the specific language governing permissions and // limitations under the License. -#include +#include #include +#include #include "../../evp/internal.h" #include "../delocate.h" 
@@ -34,37 +35,34 @@ DEFINE_LOCAL_DATA(struct evp_md_pctx_ops, md_pctx_ops) { out->dup = EVP_PKEY_CTX_dup; } -static int uses_prehash(EVP_MD_CTX *ctx, enum evp_sign_verify_t op) { - return (op == evp_sign) ? (FromOpaque(ctx->pctx)->pmeth->sign != nullptr) - : (FromOpaque(ctx->pctx)->pmeth->verify != nullptr); +static int uses_prehash(EVP_PKEY_CTX *pctx, enum evp_sign_verify_t op) { + return (op == evp_sign) ? (FromOpaque(pctx)->pmeth->sign != nullptr) + : (FromOpaque(pctx)->pmeth->verify != nullptr); } -static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **out_pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey, enum evp_sign_verify_t op) { - if (ctx->pctx == nullptr) { - ctx->pctx = EVP_PKEY_CTX_new(pkey, e); - } - if (ctx->pctx == nullptr) { + UniquePtr pctx(EVP_PKEY_CTX_new(pkey, e)); + if (pctx == nullptr) { return 0; } - ctx->pctx_ops = md_pctx_ops(); if (op == evp_verify) { - if (!EVP_PKEY_verify_init(ctx->pctx)) { + if (!EVP_PKEY_verify_init(pctx.get())) { return 0; } } else { - if (!EVP_PKEY_sign_init(ctx->pctx)) { + if (!EVP_PKEY_sign_init(pctx.get())) { return 0; } } - if (type != nullptr && !EVP_PKEY_CTX_set_signature_md(ctx->pctx, type)) { + if (type != nullptr && !EVP_PKEY_CTX_set_signature_md(pctx.get(), type)) { return 0; } - if (uses_prehash(ctx, op)) { + if (uses_prehash(pctx.get(), op)) { if (type == nullptr) { OPENSSL_PUT_ERROR(EVP, EVP_R_NO_DEFAULT_DIGEST); return 0; @@ -72,10 +70,15 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, if (!EVP_DigestInit_ex(ctx, type, e)) { return 0; } + } else { + EVP_MD_CTX_reset(ctx); } - if (pctx) { - *pctx = ctx->pctx; + assert(ctx->pctx == nullptr); + ctx->pctx_ops = md_pctx_ops(); + ctx->pctx = pctx.release(); + if (out_pctx) { + *out_pctx = ctx->pctx; } return 1; } 
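Review bot: Every early `return 0` in the new `do_sigver_init` leaves `ctx` untouched, because the `EVP_PKEY_CTX` is now built in a local `UniquePtr` and attached only at the end. After a failed re-initialisation the context therefore still holds the `pctx` and digest state from the previous key, if there was one. A caller that misses the error and continues with Update/Final would sign or verify under that old key. Failing closed is safer: call `EVP_MD_CTX_reset(ctx);` before the first fallible step, which also makes `assert(ctx->pctx == nullptr)` hold by construction rather than through the two branches. The result of `EVP_MD_CTX_reset(ctx)` in the added `else` branch is ignored as well.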
@@ -91,7 +94,7 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { - if (!uses_prehash(ctx, evp_sign)) { + if (!uses_prehash(ctx->pctx, evp_sign)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } @@ -100,7 +103,7 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { } int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { - if (!uses_prehash(ctx, evp_verify)) { + if (!uses_prehash(ctx->pctx, evp_verify)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } @@ -110,7 +113,7 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len) { int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len) { - if (!uses_prehash(ctx, evp_sign)) { + if (!uses_prehash(ctx->pctx, evp_sign)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } @@ -142,7 +145,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig, int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len) { - if (!uses_prehash(ctx, evp_verify)) { + if (!uses_prehash(ctx->pctx, evp_verify)) { OPENSSL_PUT_ERROR(EVP, EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return 0; } @@ -172,9 +175,9 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len, FIPS_service_indicator_lock_state(); int ret = 0; - if (uses_prehash(ctx, evp_sign)) { - // If |out_sig| is NULL, the caller is only querying the maximum output - // length. |data| should only be incorporated in the final call. + if (uses_prehash(ctx->pctx, evp_sign)) { + // If `out_sig` is NULL, the caller is only querying the maximum output + // length. `data` should only be incorporated in the final call. if (out_sig != nullptr && !EVP_DigestSignUpdate(ctx, data, data_len)) { goto end; } 
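Review bot: `uses_prehash(ctx->pctx, evp_sign)` in `EVP_DigestSignUpdate` is called without checking that `ctx->pctx` is set, and the helper goes straight to `FromOpaque(pctx)->pmeth`. The same applies to the `EVP_DigestVerifyUpdate`, `EVP_DigestSignFinal`, `EVP_DigestVerifyFinal`, `EVP_DigestSign` and `EVP_DigestVerify` hunks. Since this commit makes `EVP_DigestInit_ex` leave `ctx->pctx` null, a context initialised only for plain hashing and then passed to these entry points would dereference null, unless `FromOpaque` handles that, which is not visible here. For the four Update/Final functions the existing error path can take it: `if (ctx->pctx == nullptr || !uses_prehash(ctx->pctx, evp_sign)) {` (and `evp_verify` respectively). The one-shot functions need an explicit `ctx->pctx == nullptr` check before the branch, because their non-prehash path lies outside these hunks.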
@@ -204,7 +207,7 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len, FIPS_service_indicator_lock_state(); int ret = 0; - if (uses_prehash(ctx, evp_verify)) { + if (uses_prehash(ctx->pctx, evp_verify)) { ret = EVP_DigestVerifyUpdate(ctx, data, len) && EVP_DigestVerifyFinal(ctx, sig, sig_len); goto end; diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/ec.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/ec.cc.inc index 6d7507fb..e23d4363 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/ec.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/ec.cc.inc @@ -99,13 +99,7 @@ DEFINE_METHOD_FUNCTION(EC_GROUP, EC_group_p256) { ec_group_init_static_mont(&out->order, std::size(kP256Order), kP256Order, kP256OrderRR, kP256OrderN0); -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_SMALL) - out->meth = EC_GFp_nistz256_method(); -#else out->meth = EC_GFp_nistp256_method(); -#endif out->generator.group = out; OPENSSL_memcpy(out->generator.raw.X.words, kP256MontGX, sizeof(kP256MontGX)); OPENSSL_memcpy(out->generator.raw.Y.words, kP256MontGY, sizeof(kP256MontGY)); @@ -183,7 +177,7 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, ctx = new_ctx.get(); } - // Historically, |a| and |b| were not required to be fully reduced. + // Historically, `a` and `b` were not required to be fully reduced. // TODO(davidben): Can this be removed? BN_CTXScope scope(ctx); BIGNUM *a_reduced = BN_CTX_get(ctx); 
@@ -209,10 +203,10 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor) { if (group->curve_name != NID_undef || group->has_order || generator->group != group) { - // |EC_GROUP_set_generator| may only be used with |EC_GROUP|s returned by - // |EC_GROUP_new_curve_GFp| and may only used once on each group. - // |generator| must have been created from |EC_GROUP_new_curve_GFp|, not a - // copy, so that |generator->group->generator| is set correctly. + // `EC_GROUP_set_generator` may only be used with `EC_GROUP`s returned by + // `EC_GROUP_new_curve_GFp` and may only used once on each group. + // `generator` must have been created from `EC_GROUP_new_curve_GFp`, not a + // copy, so that `generator->group->generator` is set correctly. OPENSSL_PUT_ERROR(EC, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -231,7 +225,7 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, // Require that p < 2×order. This simplifies some ECDSA operations. // // Note any curve which did not satisfy this must have been invalid or use a - // tiny prime (less than 17). See the proof in |field_element_to_scalar| in + // tiny prime (less than 17). See the proof in `field_element_to_scalar` in // the ECDSA implementation. UniquePtr tmp(BN_new()); if (tmp == nullptr || !BN_lshift1(tmp.get(), order)) { @@ -251,7 +245,7 @@ int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, group->field_greater_than_order = BN_cmp(&group->field.N, order) > 0; group->generator.raw.X = affine.X; group->generator.raw.Y = affine.Y; - // |raw.Z| was set to 1 by |EC_GROUP_new_curve_GFp|. + // `raw.Z` was set to 1 by `EC_GROUP_new_curve_GFp`. group->has_order = 1; return 1; } 
@@ -303,7 +297,7 @@ EC_GROUP *EC_GROUP_dup(const EC_GROUP *a) { } auto *custom = static_cast(a); - // Groups are logically immutable (but for |EC_GROUP_set_generator| which must + // Groups are logically immutable (but for `EC_GROUP_set_generator` which must // be called early on), so we simply take a reference. ECCustomGroup *group = const_cast(custom); group->UpRefInternal(); @@ -323,8 +317,8 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored) { return 0; } - // |a| and |b| are both custom curves. We compare the entire curve - // structure. If |a| or |b| is incomplete (due to legacy OpenSSL mistakes, + // `a` and `b` are both custom curves. We compare the entire curve + // structure. If `a` or `b` is incomplete (due to legacy OpenSSL mistakes, // custom curve construction is sadly done in two parts) but otherwise not the // same object, we consider them always unequal. return a->meth != b->meth || // @@ -358,7 +352,7 @@ int EC_GROUP_order_bits(const EC_GROUP *group) { int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) { - // All |EC_GROUP|s have cofactor 1. + // All `EC_GROUP`s have cofactor 1. return BN_set_word(cofactor, 1); } @@ -495,7 +489,7 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, return -1; } - // Note |EC_POINT_cmp| returns zero for equality and non-zero for inequality. + // Note `EC_POINT_cmp` returns zero for equality and non-zero for inequality. return ec_GFp_simple_points_equal(group, &a->raw, &b->raw) ? 0 : 1; } 
@@ -661,7 +655,7 @@ static int arbitrary_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, int bssl::ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx) { - // Previously, this function set |r| to the point at infinity if there was + // Previously, this function set `r` to the point at infinity if there was // nothing to multiply. But, nobody should be calling this function with // nothing to multiply in the first place. if ((g_scalar == nullptr && p_scalar == nullptr) || @@ -685,8 +679,8 @@ int bssl::ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, ctx = new_ctx.get(); } - // If both |g_scalar| and |p_scalar| are non-NULL, - // |ec_point_mul_scalar_public| would share the doublings between the two + // If both `g_scalar` and `p_scalar` are non-NULL, + // `ec_point_mul_scalar_public` would share the doublings between the two // products, which would be more efficient. However, we conservatively assume // the caller needs a constant-time operation. (ECDSA verification does not // use this function.) @@ -768,7 +762,7 @@ int bssl::ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, // Check the result is on the curve to defend against fault attacks or bugs. // This has negligible cost compared to the multiplication. - if (!ec_GFp_simple_is_on_curve(group, r)) { + if (!constant_time_declassify_int(ec_GFp_simple_is_on_curve(group, r))) { OPENSSL_PUT_ERROR(EC, ERR_R_INTERNAL_ERROR); return 0; } 
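Review bot: The new `constant_time_declassify_int(...)` around `ec_GFp_simple_is_on_curve(group, r)` in `ec_point_mul_scalar` has no comment justifying the declassification. The one in `EC_KEY_check_key` does: its comment states exactly what the comparison leaks. Extending the existing comment keeps each declassification auditable, for example `// The outcome is safe to declassify: it only differs on a fault or bug.` That wording should be confirmed by someone who knows the constant-time annotations. The function body starts outside the hunk, so whether `r` is otherwise treated as secret at this point cannot be checked from here.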
@@ -891,7 +885,7 @@ int bssl::ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, // order. These may not have the same size. However, we must have p < 2×order, // assuming p is not tiny (p >= 17). // - // Thus |bytes| will fit in |order.width + 1| words, and we can reduce by + // Thus `bytes` will fit in `order.width + 1` words, and we can reduce by // performing at most one subtraction. // // Proof: We only work with prime order curves, so the number of points on @@ -905,7 +899,7 @@ int bssl::ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, // p < 2×order // // Additionally, one can manually check this property for built-in curves. It - // is enforced for legacy custom curves in |EC_GROUP_set_generator|. + // is enforced for legacy custom curves in `EC_GROUP_set_generator`. const BIGNUM *order = EC_GROUP_get0_order(group); BN_ULONG words[EC_MAX_WORDS + 1] = {0}; bn_big_endian_to_words(words, order->width + 1, bytes, len); @@ -953,7 +947,7 @@ int EC_GROUP_get_asn1_flag(const EC_GROUP *group) { const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group) { // This function exists purely to give callers a way to call - // |EC_METHOD_get_field_type|. cryptography.io crashes if |EC_GROUP_method_of| + // `EC_METHOD_get_field_type`. cryptography.io crashes if `EC_GROUP_method_of` // returns NULL, so return some other garbage pointer. return (const EC_METHOD *)0x12340000; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/ec_key.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/ec_key.cc.inc index e666baf1..18979b9d 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/ec_key.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/ec_key.cc.inc 
@@ -160,7 +160,7 @@ const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key) { int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) { auto *impl = FromOpaque(key); - // If |impl| already has a group, it is an error to switch to another one. + // If `impl` already has a group, it is an error to switch to another one. if (impl->group != nullptr) { if (EC_GROUP_cmp(impl->group, group, nullptr) != 0) { OPENSSL_PUT_ERROR(EC, EC_R_GROUP_MISMATCH); @@ -285,7 +285,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) { OPENSSL_PUT_ERROR(EC, ERR_R_EC_LIB); return 0; } - // Leaking this comparison only leaks whether |eckey|'s public key was + // Leaking this comparison only leaks whether `eckey`'s public key was // correct. if (!constant_time_declassify_int(ec_GFp_simple_points_equal( impl->group, &point, &impl->pub_key->raw))) { @@ -480,7 +480,7 @@ int EC_KEY_generate_key(EC_KEY *key) { // The public key is derived from the private key, but it is public. // - // TODO(crbug.com/boringssl/677): This isn't quite right. While |pub_key| + // TODO(crbug.com/boringssl/677): This isn't quite right. While `pub_key` // represents a public point, it is still in Jacobian form and the exact // Jacobian representation is secret. We need to make it affine first. See // discussion in the bug. diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/ec_montgomery.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/ec_montgomery.cc.inc index 4f1f1d38..ca2a8d4d 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/ec_montgomery.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/ec_montgomery.cc.inc 
@@ -42,7 +42,7 @@ static int ec_GFp_mont_point_get_affine_coordinates(const EC_GROUP *group, } // Transform (X, Y, Z) into (x, y) := (X/Z^2, Y/Z^3). Note the check above - // ensures |point->Z| is non-zero, so the inverse always exists. + // ensures `point->Z` is non-zero, so the inverse always exists. EC_FELEM z1, z2; ec_GFp_mont_felem_inv0(group, &z2, &point->Z); ec_felem_sqr(group, &z1, &z2); @@ -67,7 +67,7 @@ static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group, return 1; } - // Compute prefix products of all Zs. Use |out[i].X| as scratch space + // Compute prefix products of all Zs. Use `out[i].X` as scratch space // to store these values. out[0].X = in[0].Z; for (size_t i = 1; i < num; i++) { @@ -84,7 +84,7 @@ static int ec_GFp_mont_jacobian_to_affine_batch(const EC_GROUP *group, EC_FELEM zinvprod; ec_GFp_mont_felem_inv0(group, &zinvprod, &out[num - 1].X); for (size_t i = num - 1; i < num; i--) { - // Our loop invariant is that |zinvprod| is Z0^-1 * Z1^-1 * ... * Zi^-1. + // Our loop invariant is that `zinvprod` is Z0^-1 * Z1^-1 * ... * Zi^-1. // Recover Zi^-1 by multiplying by the previous product. EC_FELEM zinv, zinv2; if (i == 0) { @@ -174,7 +174,7 @@ void bssl::ec_GFp_mont_add(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG yneq = ec_felem_non_zero_mask(group, &r); - // This case will never occur in the constant-time |ec_GFp_mont_mul|. + // This case will never occur in the constant-time `ec_GFp_mont_mul`. BN_ULONG is_nontrivial_double = ~xneq & ~yneq & z1nz & z2nz; if (constant_time_declassify_w(is_nontrivial_double)) { ec_GFp_mont_dbl(group, out, a); 
@@ -341,7 +341,7 @@ static int ec_GFp_mont_cmp_x_coordinate(const EC_GROUP *group, // During signing the x coefficient is reduced modulo the group order. // Therefore there is a small possibility, less than 1/2^128, that group_order - // < p.x < P. in that case we need not only to compare against |r| but also to + // < p.x < P. in that case we need not only to compare against `r` but also to // compare against r+group_order. BN_ULONG carry = bn_add_words(r_Z2.words, r->words, group->order.N.d, group->field.N.width); diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/internal.h b/third_party/boringssl/src/crypto/fipsmodule/ec/internal.h index abcb77e7..14fe0066 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/internal.h 
@@ -50,179 +50,179 @@ static_assert(EC_MAX_WORDS <= BN_SMALL_MAX_WORDS, // Scalars. // An EC_SCALAR is an integer fully reduced modulo the order. Only the first -// |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP| +// `order->width` words are used. An `EC_SCALAR` is specific to an `EC_GROUP` // and must not be mixed between groups. typedef struct { BN_ULONG words[EC_MAX_WORDS]; } EC_SCALAR; -// ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to -// |*out|. It returns one on success and zero if |in| is out of range. +// ec_bignum_to_scalar converts `in` to an `EC_SCALAR` and writes it to +// `*out`. It returns one on success and zero if `in` is out of range. int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const BIGNUM *in); -// ec_scalar_to_bytes serializes |in| as a big-endian bytestring to |out| and -// sets |*out_len| to the number of bytes written. The number of bytes written -// is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. +// ec_scalar_to_bytes serializes `in` as a big-endian bytestring to `out` and +// sets `*out_len` to the number of bytes written. The number of bytes written +// is `BN_num_bytes(&group->order)`, which is at most `EC_MAX_BYTES`. void ec_scalar_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, const EC_SCALAR *in); -// ec_scalar_from_bytes deserializes |in| and stores the resulting scalar over -// group |group| to |out|. It returns one on success and zero if |in| is +// ec_scalar_from_bytes deserializes `in` and stores the resulting scalar over +// group `group` to `out`. It returns one on success and zero if `in` is // invalid. int ec_scalar_from_bytes(const EC_GROUP *group, EC_SCALAR *out, const uint8_t *in, size_t len); -// ec_scalar_reduce sets |out| to |words|, reduced modulo the group order. -// |words| must be less than order^2. |num| must be at most twice the width of -// group order. This function treats |words| as secret. 
+// ec_scalar_reduce sets `out` to `words`, reduced modulo the group order. +// `words` must be less than order^2. `num` must be at most twice the width of +// group order. This function treats `words` as secret. void ec_scalar_reduce(const EC_GROUP *group, EC_SCALAR *out, const BN_ULONG *words, size_t num); -// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from -// zero to |group->order| - 1. It returns one on success and zero on error. +// ec_random_nonzero_scalar sets `out` to a uniformly selected random value from +// zero to `group->order` - 1. It returns one on success and zero on error. int ec_random_scalar(const EC_GROUP *group, EC_SCALAR *out, const uint8_t additional_data[32]); -// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from -// 1 to |group->order| - 1. It returns one on success and zero on error. +// ec_random_nonzero_scalar sets `out` to a uniformly selected random value from +// 1 to `group->order` - 1. It returns one on success and zero on error. int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out, const uint8_t additional_data[32]); -// ec_scalar_equal_vartime returns one if |a| and |b| are equal and zero +// ec_scalar_equal_vartime returns one if `a` and `b` are equal and zero // otherwise. Both values are treated as public. int ec_scalar_equal_vartime(const EC_GROUP *group, const EC_SCALAR *a, const EC_SCALAR *b); -// ec_scalar_is_zero returns one if |a| is zero and zero otherwise. +// ec_scalar_is_zero returns one if `a` is zero and zero otherwise. int ec_scalar_is_zero(const EC_GROUP *group, const EC_SCALAR *a); -// ec_scalar_add sets |r| to |a| + |b|. +// ec_scalar_add sets `r` to `a` + `b`. void ec_scalar_add(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, const EC_SCALAR *b); -// ec_scalar_sub sets |r| to |a| - |b|. +// ec_scalar_sub sets `r` to `a` - `b`. 
void ec_scalar_sub(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, const EC_SCALAR *b); -// ec_scalar_neg sets |r| to -|a|. +// ec_scalar_neg sets `r` to -`a`. void ec_scalar_neg(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); -// ec_scalar_to_montgomery sets |r| to |a| in Montgomery form. +// ec_scalar_to_montgomery sets `r` to `a` in Montgomery form. void ec_scalar_to_montgomery(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); -// ec_scalar_to_montgomery sets |r| to |a| converted from Montgomery form. +// ec_scalar_to_montgomery sets `r` to `a` converted from Montgomery form. void ec_scalar_from_montgomery(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); -// ec_scalar_mul_montgomery sets |r| to |a| * |b| where inputs and outputs are +// ec_scalar_mul_montgomery sets `r` to `a` * `b` where inputs and outputs are // in Montgomery form. void ec_scalar_mul_montgomery(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a, const EC_SCALAR *b); -// ec_scalar_inv0_montgomery sets |r| to |a|^-1 where inputs and outputs are in -// Montgomery form. If |a| is zero, |r| is set to zero. +// ec_scalar_inv0_montgomery sets `r` to `a`^-1 where inputs and outputs are in +// Montgomery form. If `a` is zero, `r` is set to zero. void ec_scalar_inv0_montgomery(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); -// ec_scalar_to_montgomery_inv_vartime sets |r| to |a|^-1 R. That is, it takes -// in |a| not in Montgomery form and computes the inverse in Montgomery form. It -// returns one on success and zero if |a| has no inverse. This function assumes -// |a| is public and may leak information about it via timing. +// ec_scalar_to_montgomery_inv_vartime sets `r` to `a`^-1 R. That is, it takes +// in `a` not in Montgomery form and computes the inverse in Montgomery form. It +// returns one on success and zero if `a` has no inverse. This function assumes +// `a` is public and may leak information about it via timing. 
// -// Note this is not the same operation as |ec_scalar_inv0_montgomery|. +// Note this is not the same operation as `ec_scalar_inv0_montgomery`. int ec_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, EC_SCALAR *r, const EC_SCALAR *a); -// ec_scalar_select, in constant time, sets |out| to |a| if |mask| is all ones -// and |b| if |mask| is all zeros. +// ec_scalar_select, in constant time, sets `out` to `a` if `mask` is all ones +// and `b` if `mask` is all zeros. void ec_scalar_select(const EC_GROUP *group, EC_SCALAR *out, BN_ULONG mask, const EC_SCALAR *a, const EC_SCALAR *b); // Field elements. -// An EC_FELEM represents a field element. Only the first |field->width| words -// are used. An |EC_FELEM| is specific to an |EC_GROUP| and must not be mixed +// An EC_FELEM represents a field element. Only the first `field->width` words +// are used. An `EC_FELEM` is specific to an `EC_GROUP` and must not be mixed // between groups. Unless otherwise stated, all inputs and outputs are in // Montgomery form. typedef struct { BN_ULONG words[EC_MAX_WORDS]; } EC_FELEM; -// ec_felem_one returns one in |group|'s field. +// ec_felem_one returns one in `group`'s field. const EC_FELEM *ec_felem_one(const EC_GROUP *group); -// ec_bignum_to_felem converts |in| to an |EC_FELEM|. It returns one on success -// and zero if |in| is out of range. +// ec_bignum_to_felem converts `in` to an `EC_FELEM`. It returns one on success +// and zero if `in` is out of range. int ec_bignum_to_felem(const EC_GROUP *group, EC_FELEM *out, const BIGNUM *in); -// ec_felem_to_bignum converts |in| to a |BIGNUM|. It returns one on success and +// ec_felem_to_bignum converts `in` to a `BIGNUM`. It returns one on success and // zero on allocation failure. int ec_felem_to_bignum(const EC_GROUP *group, BIGNUM *out, const EC_FELEM *in); -// ec_felem_to_bytes serializes |in| as a big-endian bytestring to |out| and -// sets |*out_len| to the number of bytes written. 
The number of bytes written -// is |BN_num_bytes(&group->order)|, which is at most |EC_MAX_BYTES|. +// ec_felem_to_bytes serializes `in` as a big-endian bytestring to `out` and +// sets `*out_len` to the number of bytes written. The number of bytes written +// is `BN_num_bytes(&group->order)`, which is at most `EC_MAX_BYTES`. void ec_felem_to_bytes(const EC_GROUP *group, uint8_t *out, size_t *out_len, const EC_FELEM *in); -// ec_felem_from_bytes deserializes |in| and stores the resulting field element -// to |out|. It returns one on success and zero if |in| is invalid. +// ec_felem_from_bytes deserializes `in` and stores the resulting field element +// to `out`. It returns one on success and zero if `in` is invalid. int ec_felem_from_bytes(const EC_GROUP *group, EC_FELEM *out, const uint8_t *in, size_t len); -// ec_felem_neg sets |out| to -|a|. +// ec_felem_neg sets `out` to -`a`. void ec_felem_neg(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); -// ec_felem_add sets |out| to |a| + |b|. +// ec_felem_add sets `out` to `a` + `b`. void ec_felem_add(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, const EC_FELEM *b); -// ec_felem_add sets |out| to |a| - |b|. +// ec_felem_add sets `out` to `a` - `b`. void ec_felem_sub(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, const EC_FELEM *b); -// ec_felem_non_zero_mask returns all ones if |a| is non-zero and all zeros +// ec_felem_non_zero_mask returns all ones if `a` is non-zero and all zeros // otherwise. BN_ULONG ec_felem_non_zero_mask(const EC_GROUP *group, const EC_FELEM *a); -// ec_felem_select, in constant time, sets |out| to |a| if |mask| is all ones -// and |b| if |mask| is all zeros. +// ec_felem_select, in constant time, sets `out` to `a` if `mask` is all ones +// and `b` if `mask` is all zeros. void ec_felem_select(const EC_GROUP *group, EC_FELEM *out, BN_ULONG mask, const EC_FELEM *a, const EC_FELEM *b); -// ec_felem_equal returns one if |a| and |b| are equal and zero otherwise. 
+// ec_felem_equal returns one if `a` and `b` are equal and zero otherwise. int ec_felem_equal(const EC_GROUP *group, const EC_FELEM *a, const EC_FELEM *b); -// ec_felem_mul sets |out| to |a| * |b|. +// ec_felem_mul sets `out` to `a` * `b`. void ec_felem_mul(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, const EC_FELEM *b); -// ec_felem_sqr sets |out| to |a|^2. +// ec_felem_sqr sets `out` to `a`^2. void ec_felem_sqr(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); -// ec_felem_to_montgomery sets |out| to |a| converted to Montgomery form. +// ec_felem_to_montgomery sets `out` to `a` converted to Montgomery form. void ec_felem_to_montgomery(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); -// ec_felem_from_montgomery sets |out| to |a| converted from Montgomery form. +// ec_felem_from_montgomery sets `out` to `a` converted from Montgomery form. void ec_felem_from_montgomery(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a); -// ec_felem_reduce sets |out| to |words|, reduced modulo the field size, p. -// |words| must be less than p^2. |num| must be at most twice the width of p. -// This function treats |words| as secret. +// ec_felem_reduce sets `out` to `words`, reduced modulo the field size, p. +// `words` must be less than p^2. `num` must be at most twice the width of p. +// This function treats `words` as secret. void ec_felem_reduce(const EC_GROUP *group, EC_FELEM *out, const BN_ULONG *words, size_t num); -// ec_felem_exp sets |out| to |a|^|exp|. It treats |a| is secret but |exp| as +// ec_felem_exp sets `out` to `a`^`exp`. It treats `a` is secret but `exp` as // public. // // TODO(crbug.com/42290435): hash-to-curve uses this as part of computing a // square root, which is what compressed coordinates ultimately needs to avoid -// |BIGNUM|. Can we unify this a bit? By generalizing to arbitrary +// `BIGNUM`. Can we unify this a bit? 
By generalizing to arbitrary // exponentiation, we also miss an opportunity to use a specialized addition // chain. We also miss our specialized field arithmetic for P-256. void ec_felem_exp(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, @@ -231,8 +231,8 @@ void ec_felem_exp(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, // Points. // -// Points may represented in affine coordinates as |EC_AFFINE| or Jacobian -// coordinates as |EC_JACOBIAN|. Affine coordinates directly represent a +// Points may represented in affine coordinates as `EC_AFFINE` or Jacobian +// coordinates as `EC_JACOBIAN`. Affine coordinates directly represent a // point on the curve, but point addition over affine coordinates requires // costly field inversions, so arithmetic is done in Jacobian coordinates. // Converting from affine to Jacobian is cheap, while converting from Jacobian @@ -240,8 +240,8 @@ void ec_felem_exp(const EC_GROUP *group, EC_FELEM *out, const EC_FELEM *a, // inversions needed in a sequence of point operations.) // An EC_JACOBIAN represents an elliptic curve point in Jacobian coordinates. -// Unlike |EC_POINT|, it is a plain struct which can be stack-allocated and -// needs no cleanup. It is specific to an |EC_GROUP| and must not be mixed +// Unlike `EC_POINT`, it is a plain struct which can be stack-allocated and +// needs no cleanup. It is specific to an `EC_GROUP` and must not be mixed // between groups. typedef struct { // X, Y, and Z are Jacobian projective coordinates. They represent 
@@ -256,23 +256,23 @@ typedef struct { EC_FELEM X, Y; } EC_AFFINE; -// ec_affine_to_jacobian converts |p| to Jacobian form and writes the result to -// |*out|. This operation is very cheap and only costs a few copies. +// ec_affine_to_jacobian converts `p` to Jacobian form and writes the result to +// `*out`. This operation is very cheap and only costs a few copies. void ec_affine_to_jacobian(const EC_GROUP *group, EC_JACOBIAN *out, const EC_AFFINE *p); -// ec_jacobian_to_affine converts |p| to affine form and writes the result to -// |*out|. It returns one on success and zero if |p| was the point at infinity. +// ec_jacobian_to_affine converts `p` to affine form and writes the result to +// `*out`. It returns one on success and zero if `p` was the point at infinity. // This operation performs a field inversion and should only be done once per // point. // -// If only extracting the x-coordinate, use |ec_get_x_coordinate_*| which is +// If only extracting the x-coordinate, use `ec_get_x_coordinate_*` which is // slightly faster. int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, const EC_JACOBIAN *p); -// ec_jacobian_to_affine_batch converts |num| points in |in| from Jacobian -// coordinates to affine coordinates and writes the results to |out|. It returns +// ec_jacobian_to_affine_batch converts `num` points in `in` from Jacobian +// coordinates to affine coordinates and writes the results to `out`. It returns // one on success and zero if any of the input points were infinity. // // This function is not implemented for all curves. Add implementations as 
@@ -280,36 +280,36 @@ int ec_jacobian_to_affine(const EC_GROUP *group, EC_AFFINE *out, int ec_jacobian_to_affine_batch(const EC_GROUP *group, EC_AFFINE *out, const EC_JACOBIAN *in, size_t num); -// ec_point_set_affine_coordinates sets |out|'s to a point with affine -// coordinates |x| and |y|. It returns one if the point is on the curve and -// zero otherwise. If the point is not on the curve, the value of |out| is +// ec_point_set_affine_coordinates sets `out`'s to a point with affine +// coordinates `x` and `y`. It returns one if the point is on the curve and +// zero otherwise. If the point is not on the curve, the value of `out` is // undefined. int ec_point_set_affine_coordinates(const EC_GROUP *group, EC_AFFINE *out, const EC_FELEM *x, const EC_FELEM *y); -// ec_point_mul_no_self_test does the same as |EC_POINT_mul|, but doesn't try to +// ec_point_mul_no_self_test does the same as `EC_POINT_mul`, but doesn't try to // run the self-test first. This is for use in the self tests themselves, to // prevent an infinite loop. int ec_point_mul_no_self_test(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *p, const BIGNUM *p_scalar, BN_CTX *ctx); -// ec_point_mul_scalar sets |r| to |p| * |scalar|. Both inputs are considered +// ec_point_mul_scalar sets `r` to `p` * `scalar`. Both inputs are considered // secret. int ec_point_mul_scalar(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, const EC_SCALAR *scalar); -// ec_point_mul_scalar_base sets |r| to generator * |scalar|. |scalar| is +// ec_point_mul_scalar_base sets `r` to generator * `scalar`. `scalar` is // treated as secret. int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *scalar); -// ec_point_mul_scalar_batch sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + -// |p2| * |scalar2|. |p2| may be NULL to skip that term. +// ec_point_mul_scalar_batch sets `r` to `p0` * `scalar0` + `p1` * `scalar1` + +// `p2` * `scalar2`. 
`p2` may be NULL to skip that term. // // The inputs are treated as secret, however, this function leaks information // about whether intermediate computations add a point to itself. Callers must -// ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly +// ensure that discrete logs between `p0`, `p1`, and `p2` are uniformly // distributed and independent of the scalars, which should be uniformly // selected and not under the attackers control. This ensures the doubling case // will occur with negligible probability. @@ -318,7 +318,7 @@ int ec_point_mul_scalar_base(const EC_GROUP *group, EC_JACOBIAN *r, // needed. // // TODO(davidben): This function does not use base point tables. For now, it is -// only used with the generic |EC_GFp_mont_method| implementation which has +// only used with the generic `EC_GFp_mont_method` implementation which has // none. If generalizing to tuned curves, this may be useful. However, we still // must double up to the least efficient input, so precomputed tables can only // save table setup and allow a wider window size. 
@@ -329,16 +329,16 @@ int ec_point_mul_scalar_batch(const EC_GROUP *group, EC_JACOBIAN *r, #define EC_MONT_PRECOMP_COMB_SIZE 5 -// An |EC_PRECOMP| stores precomputed information about a point, to optimize +// An `EC_PRECOMP` stores precomputed information about a point, to optimize // repeated multiplications involving it. It is a union so different -// |EC_METHOD|s can store different information in it. +// `EC_METHOD`s can store different information in it. typedef union { EC_AFFINE comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; } EC_PRECOMP; -// ec_init_precomp precomputes multiples of |p| and writes the result to |out|. +// ec_init_precomp precomputes multiples of `p` and writes the result to `out`. // It returns one on success and zero on error. The resulting table may be used -// with |ec_point_mul_scalar_precomp|. This function will fail if |p| is the +// with `ec_point_mul_scalar_precomp`. This function will fail if `p` is the // point at infinity. // // This function is not implemented for all curves. Add implementations as 
@@ -346,16 +346,16 @@ typedef union { int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, const EC_JACOBIAN *p); -// ec_point_mul_scalar_precomp sets |r| to |p0| * |scalar0| + |p1| * |scalar1| + -// |p2| * |scalar2|. |p1| or |p2| may be NULL to skip the corresponding term. -// The points are represented as |EC_PRECOMP| and must be initialized with -// |ec_init_precomp|. This function runs faster than |ec_point_mul_scalar_batch| +// ec_point_mul_scalar_precomp sets `r` to `p0` * `scalar0` + `p1` * `scalar1` + +// `p2` * `scalar2`. `p1` or `p2` may be NULL to skip the corresponding term. +// The points are represented as `EC_PRECOMP` and must be initialized with +// `ec_init_precomp`. This function runs faster than `ec_point_mul_scalar_batch` // but requires setup work per input point, so it is only appropriate for points // which are used frequently. // // The inputs are treated as secret, however, this function leaks information // about whether intermediate computations add a point to itself. Callers must -// ensure that discrete logs between |p0|, |p1|, and |p2| are uniformly +// ensure that discrete logs between `p0`, `p1`, and `p2` are uniformly // distributed and independent of the scalars, which should be uniformly // selected and not under the attackers control. This ensures the doubling case // will occur with negligible probability. @@ -364,7 +364,7 @@ int ec_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, // needed. // // TODO(davidben): This function does not use base point tables. For now, it is -// only used with the generic |EC_GFp_mont_method| implementation which has +// only used with the generic `EC_GFp_mont_method` implementation which has // none. If generalizing to tuned curves, we should add a parameter for the base // point and arrange for the generic implementation to have base point tables // available. 
@@ -373,17 +373,17 @@ int ec_point_mul_scalar_precomp(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p1, const EC_SCALAR *scalar1, const EC_PRECOMP *p2, const EC_SCALAR *scalar2); -// ec_point_mul_scalar_public sets |r| to -// generator * |g_scalar| + |p| * |p_scalar|. It assumes that the inputs are +// ec_point_mul_scalar_public sets `r` to +// generator * `g_scalar` + `p` * `p_scalar`. It assumes that the inputs are // public so there is no concern about leaking their values through timing. int ec_point_mul_scalar_public(const EC_GROUP *group, EC_JACOBIAN *r, const EC_SCALAR *g_scalar, const EC_JACOBIAN *p, const EC_SCALAR *p_scalar); -// ec_point_mul_scalar_public_batch sets |r| to the sum of generator * -// |g_scalar| and |points[i]| * |scalars[i]| where |points| and |scalars| have -// |num| elements. It assumes that the inputs are public so there is no concern -// about leaking their values through timing. |g_scalar| may be NULL to skip +// ec_point_mul_scalar_public_batch sets `r` to the sum of generator * +// `g_scalar` and `points[i]` * `scalars[i]` where `points` and `scalars` have +// `num` elements. It assumes that the inputs are public so there is no concern +// about leaking their values through timing. `g_scalar` may be NULL to skip // that term. // // This function is not implemented for all curves. Add implementations as 
@@ -393,33 +393,33 @@ int ec_point_mul_scalar_public_batch(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *points, const EC_SCALAR *scalars, size_t num); -// ec_point_select, in constant time, sets |out| to |a| if |mask| is all ones -// and |b| if |mask| is all zeros. +// ec_point_select, in constant time, sets `out` to `a` if `mask` is all ones +// and `b` if `mask` is all zeros. void ec_point_select(const EC_GROUP *group, EC_JACOBIAN *out, BN_ULONG mask, const EC_JACOBIAN *a, const EC_JACOBIAN *b); -// ec_affine_select behaves like |ec_point_select| but acts on affine points. +// ec_affine_select behaves like `ec_point_select` but acts on affine points. void ec_affine_select(const EC_GROUP *group, EC_AFFINE *out, BN_ULONG mask, const EC_AFFINE *a, const EC_AFFINE *b); -// ec_precomp_select behaves like |ec_point_select| but acts on |EC_PRECOMP|. +// ec_precomp_select behaves like `ec_point_select` but acts on `EC_PRECOMP`. void ec_precomp_select(const EC_GROUP *group, EC_PRECOMP *out, BN_ULONG mask, const EC_PRECOMP *a, const EC_PRECOMP *b); -// ec_cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group -// order, with |r|. It returns one if the values match and zero if |p| is the -// point at infinity of the values do not match. |p| is treated as public. +// ec_cmp_x_coordinate compares the x (affine) coordinate of `p`, mod the group +// order, with `r`. It returns one if the values match and zero if `p` is the +// point at infinity of the values do not match. `p` is treated as public. int ec_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r); -// ec_get_x_coordinate_as_scalar sets |*out| to |p|'s x-coordinate, modulo -// |group->order|. It returns one on success and zero if |p| is the point at +// ec_get_x_coordinate_as_scalar sets `*out` to `p`'s x-coordinate, modulo +// `group->order`. It returns one on success and zero if `p` is the point at // infinity. 
int ec_get_x_coordinate_as_scalar(const EC_GROUP *group, EC_SCALAR *out, const EC_JACOBIAN *p); -// ec_get_x_coordinate_as_bytes writes |p|'s affine x-coordinate to |out|, which -// must have at must |max_out| bytes. It sets |*out_len| to the number of bytes +// ec_get_x_coordinate_as_bytes writes `p`'s affine x-coordinate to `out`, which +// must have at must `max_out` bytes. It sets `*out_len` to the number of bytes // written. The value is written big-endian and zero-padded to the size of the // field. This function returns one on success and zero on failure. int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, 
@@ -427,30 +427,30 @@ int ec_get_x_coordinate_as_bytes(const EC_GROUP *group, uint8_t *out, const EC_JACOBIAN *p); // ec_point_byte_len returns the number of bytes in the byte representation of -// a non-infinity point in |group|, encoded according to |form|, or zero if -// |form| is invalid. +// a non-infinity point in `group`, encoded according to `form`, or zero if +// `form` is invalid. size_t ec_point_byte_len(const EC_GROUP *group, point_conversion_form_t form); -// ec_point_to_bytes encodes |point| according to |form| and writes the result -// |buf|. It returns the size of the output on success or zero on error. At most -// |max_out| bytes will be written. The buffer should be at least -// |ec_point_byte_len| long to guarantee success. +// ec_point_to_bytes encodes `point` according to `form` and writes the result +// `buf`. It returns the size of the output on success or zero on error. At most +// `max_out` bytes will be written. The buffer should be at least +// `ec_point_byte_len` long to guarantee success. size_t ec_point_to_bytes(const EC_GROUP *group, const EC_AFFINE *point, point_conversion_form_t form, uint8_t *buf, size_t max_out); -// ec_point_from_uncompressed parses |in| as a point in uncompressed form and -// sets the result to |out|. It returns one on success and zero if the input was +// ec_point_from_uncompressed parses `in` as a point in uncompressed form and +// sets the result to `out`. It returns one on success and zero if the input was // invalid. int ec_point_from_uncompressed(const EC_GROUP *group, EC_AFFINE *out, const uint8_t *in, size_t len); -// ec_set_to_safe_point sets |out| to an arbitrary point on |group|, either the +// ec_set_to_safe_point sets `out` to an arbitrary point on `group`, either the // generator or the point at infinity. This is used to guard against callers of // external APIs not checking the return value. 
void ec_set_to_safe_point(const EC_GROUP *group, EC_JACOBIAN *out); -// ec_affine_jacobian_equal returns one if |a| and |b| represent the same point +// ec_affine_jacobian_equal returns one if `a` and `b` represent the same point // and zero otherwise. It treats both inputs as secret. int ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, const EC_JACOBIAN *b); 
@@ -460,56 +460,56 @@ BSSL_NAMESPACE_END // Implementation details. struct ec_method_st { - // point_get_affine_coordinates sets |*x| and |*y| to the affine coordinates - // of |p|. Either |x| or |y| may be NULL to omit it. It returns one on success - // and zero if |p| is the point at infinity. It leaks whether |p| was the - // point at infinity, but otherwise treats |p| as secret. + // point_get_affine_coordinates sets `*x` and `*y` to the affine coordinates + // of `p`. Either `x` or `y` may be NULL to omit it. It returns one on success + // and zero if `p` is the point at infinity. It leaks whether `p` was the + // point at infinity, but otherwise treats `p` as secret. int (*point_get_affine_coordinates)(const EC_GROUP *, const bssl::EC_JACOBIAN *p, bssl::EC_FELEM *x, bssl::EC_FELEM *y); - // jacobian_to_affine_batch implements |ec_jacobian_to_affine_batch|. + // jacobian_to_affine_batch implements `ec_jacobian_to_affine_batch`. int (*jacobian_to_affine_batch)(const EC_GROUP *group, bssl::EC_AFFINE *out, const bssl::EC_JACOBIAN *in, size_t num); - // add sets |r| to |a| + |b|. + // add sets `r` to `a` + `b`. void (*add)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_JACOBIAN *a, const bssl::EC_JACOBIAN *b); - // dbl sets |r| to |a| + |a|. + // dbl sets `r` to `a` + `a`. void (*dbl)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_JACOBIAN *a); - // mul sets |r| to |scalar|*|p|. + // mul sets `r` to `scalar`*`p`. void (*mul)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_JACOBIAN *p, const bssl::EC_SCALAR *scalar); - // mul_base sets |r| to |scalar|*generator. + // mul_base sets `r` to `scalar`*generator. void (*mul_base)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_SCALAR *scalar); - // mul_batch implements |ec_mul_scalar_batch|. + // mul_batch implements `ec_mul_scalar_batch`. 
void (*mul_batch)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_JACOBIAN *p0, const bssl::EC_SCALAR *scalar0, const bssl::EC_JACOBIAN *p1, const bssl::EC_SCALAR *scalar1, const bssl::EC_JACOBIAN *p2, const bssl::EC_SCALAR *scalar2); - // mul_public sets |r| to |g_scalar|*generator + |p_scalar|*|p|. It assumes + // mul_public sets `r` to `g_scalar`*generator + `p_scalar`*`p`. It assumes // that the inputs are public so there is no concern about leaking their // values through timing. // - // This function may be omitted if |mul_public_batch| is provided. + // This function may be omitted if `mul_public_batch` is provided. void (*mul_public)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_SCALAR *g_scalar, const bssl::EC_JACOBIAN *p, const bssl::EC_SCALAR *p_scalar); - // mul_public_batch implements |ec_point_mul_scalar_public_batch|. + // mul_public_batch implements `ec_point_mul_scalar_public_batch`. int (*mul_public_batch)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_SCALAR *g_scalar, const bssl::EC_JACOBIAN *points, const bssl::EC_SCALAR *scalars, size_t num); - // init_precomp implements |ec_init_precomp|. + // init_precomp implements `ec_init_precomp`. int (*init_precomp)(const EC_GROUP *group, bssl::EC_PRECOMP *out, const bssl::EC_JACOBIAN *p); - // mul_precomp implements |ec_point_mul_scalar_precomp|. + // mul_precomp implements `ec_point_mul_scalar_precomp`. void (*mul_precomp)(const EC_GROUP *group, bssl::EC_JACOBIAN *r, const bssl::EC_PRECOMP *p0, const bssl::EC_SCALAR *scalar0, 
@@ -518,18 +518,18 @@ struct ec_method_st { const bssl::EC_PRECOMP *p2, const bssl::EC_SCALAR *scalar2); - // scalar_inv0_montgomery implements |ec_scalar_inv0_montgomery|. + // scalar_inv0_montgomery implements `ec_scalar_inv0_montgomery`. void (*scalar_inv0_montgomery)(const EC_GROUP *group, bssl::EC_SCALAR *out, const bssl::EC_SCALAR *in); // scalar_to_montgomery_inv_vartime implements - // |ec_scalar_to_montgomery_inv_vartime|. + // `ec_scalar_to_montgomery_inv_vartime`. int (*scalar_to_montgomery_inv_vartime)(const EC_GROUP *group, bssl::EC_SCALAR *out, const bssl::EC_SCALAR *in); - // cmp_x_coordinate compares the x (affine) coordinate of |p|, mod the group - // order, with |r|. It returns one if the values match and zero if |p| is the + // cmp_x_coordinate compares the x (affine) coordinate of `p`, mod the group + // order, with `r`. It returns one if the values match and zero if `p` is the // point at infinity of the values do not match. int (*cmp_x_coordinate)(const EC_GROUP *group, const bssl::EC_JACOBIAN *p, const bssl::EC_SCALAR *r); @@ -542,12 +542,12 @@ const EC_METHOD *EC_GFp_mont_method(); BSSL_NAMESPACE_END struct ec_point_st { - // group is an owning reference to |group|, unless this is - // |group->generator|. + // group is an owning reference to `group`, unless this is + // `group->generator`. EC_GROUP *group; - // raw is the group-specific point data. Functions that take |EC_POINT| - // typically check consistency with |EC_GROUP| while functions that take - // |EC_JACOBIAN| do not. Thus accesses to this field should be externally + // raw is the group-specific point data. Functions that take `EC_POINT` + // typically check consistency with `EC_GROUP` while functions that take + // `EC_JACOBIAN` do not. Thus accesses to this field should be externally // checked for consistency. bssl::EC_JACOBIAN raw; } /* EC_POINT */; 
@@ -555,9 +555,9 @@ struct ec_point_st { struct ec_group_st { const EC_METHOD *meth; - // Unlike all other |EC_POINT|s, |generator| does not own |generator->group| + // Unlike all other `EC_POINT`s, `generator` does not own `generator->group` // to avoid a reference cycle. Additionally, Z is guaranteed to be one, so X - // and Y are suitable for use as an |EC_AFFINE|. Before |has_order| is set, Z + // and Y are suitable for use as an `EC_AFFINE`. Before `has_order` is set, Z // is one, but X and Y are uninitialized. EC_POINT generator; @@ -578,14 +578,14 @@ struct ec_group_st { uint8_t oid[9]; uint8_t oid_len; - // a_is_minus3 is one if |a| is -3 mod |field| and zero otherwise. Point + // a_is_minus3 is one if `a` is -3 mod `field` and zero otherwise. Point // arithmetic is optimized for -3. int a_is_minus3; - // has_order is one if |generator| and |order| have been initialized. + // has_order is one if `generator` and `order` have been initialized. int has_order; - // field_greater_than_order is one if |field| is greater than |order| and zero + // field_greater_than_order is one if `field` is greater than `order` and zero // otherwise. int field_greater_than_order; } /* EC_GROUP */; @@ -620,7 +620,7 @@ void ec_GFp_mont_mul_precomp(const EC_GROUP *group, EC_JACOBIAN *r, const EC_PRECOMP *p2, const EC_SCALAR *scalar2); // ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of -// |scalar| to |out|. |out| must have room for |bits| + 1 elements, each of +// `scalar` to `out`. `out` must have room for `bits` + 1 elements, each of // which will be either zero or odd with an absolute value less than 2^w // satisfying // scalar = \sum_j out[j]*2^j 
@@ -666,12 +666,8 @@ void ec_GFp_nistp_recode_scalar_bits(crypto_word_t *sign, crypto_word_t *digit, const EC_METHOD *EC_GFp_nistp256_method(); -// EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with -// x86-64 optimized P256. See http://eprint.iacr.org/2013/816. -const EC_METHOD *EC_GFp_nistz256_method(); - -// An EC_WRAPPED_SCALAR is an |EC_SCALAR| with a parallel |BIGNUM| -// representation. It exists to support the |EC_KEY_get0_private_key| API. +// An EC_WRAPPED_SCALAR is an `EC_SCALAR` with a parallel `BIGNUM` +// representation. It exists to support the `EC_KEY_get0_private_key` API. typedef struct { BIGNUM bignum; EC_SCALAR scalar; @@ -683,9 +679,9 @@ class ECKey : public ec_key_st, public RefCounted { EC_GROUP *group = nullptr; - // Ideally |pub_key| would be an |EC_AFFINE| so serializing it does not pay an - // inversion each time, but the |EC_KEY_get0_public_key| API implies public - // keys are stored in an |EC_POINT|-compatible form. + // Ideally `pub_key` would be an `EC_AFFINE` so serializing it does not pay an + // inversion each time, but the `EC_KEY_get0_public_key` API implies public + // keys are stored in an `EC_POINT`-compatible form. EC_POINT *pub_key = nullptr; bssl::EC_WRAPPED_SCALAR *priv_key = nullptr; diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/oct.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/oct.cc.inc index 1ed7cbd2..eb33277d 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/oct.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/oct.cc.inc 
@@ -162,7 +162,7 @@ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, return 0; } if (buf == nullptr) { - // When |buf| is NULL, just return the number of bytes that would be + // When `buf` is NULL, just return the number of bytes that would be // written, without doing an expensive Jacobian-to-affine conversion. if (ec_GFp_simple_is_at_infinity(group, &point->raw)) { OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/p256-nistz.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/p256-nistz.cc.inc deleted file mode 100644 index 6200d073..00000000 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/p256-nistz.cc.inc +++ /dev/null 
@@ -1,740 +0,0 @@ -// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. -// Copyright (c) 2014, Intel Corporation. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1) -// (1) Intel Corporation, Israel Development Center, Haifa, Israel -// (2) University of Haifa, Israel -// -// Reference: -// S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with -// 256 Bit Primes" - -#include - -#include -#include -#include - -#include -#include -#include - -#include "../../internal.h" -#include "../bn/internal.h" -#include "../delocate.h" -#include "internal.h" -#include "p256-nistz.h" - - -using namespace bssl; - -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_SMALL) - -typedef P256_POINT_AFFINE PRECOMP256_ROW[64]; - -// One converted into the Montgomery domain -static const BN_ULONG ONE_MONT[P256_LIMBS] = { - TOBN(0x00000000, 0x00000001), - TOBN(0xffffffff, 0x00000000), - TOBN(0xffffffff, 0xffffffff), - TOBN(0x00000000, 0xfffffffe), -}; - -// Precomputed tables for the default generator -#include "p256-nistz-table.h" - -// Recode window to a signed digit, see |ec_GFp_nistp_recode_scalar_bits| in -// util.c for details -static crypto_word_t booth_recode_w5(crypto_word_t in) { - crypto_word_t s, d; - - s = ~((in >> 5) - 1); - d = (1 << 6) - in - 1; - d = (d & s) | (in & ~s); - d 
= (d >> 1) + (d & 1); - - return (d << 1) + (s & 1); -} - -static crypto_word_t booth_recode_w7(crypto_word_t in) { - crypto_word_t s, d; - - s = ~((in >> 7) - 1); - d = (1 << 8) - in - 1; - d = (d & s) | (in & ~s); - d = (d >> 1) + (d & 1); - - return (d << 1) + (s & 1); -} - -// copy_conditional copies |src| to |dst| if |move| is one and leaves it as-is -// if |move| is zero. -// -// WARNING: this breaks the usual convention of constant-time functions -// returning masks. -static void copy_conditional(BN_ULONG dst[P256_LIMBS], - const BN_ULONG src[P256_LIMBS], BN_ULONG move) { - BN_ULONG mask1 = ((BN_ULONG)0) - move; - BN_ULONG mask2 = ~mask1; - - dst[0] = (src[0] & mask1) ^ (dst[0] & mask2); - dst[1] = (src[1] & mask1) ^ (dst[1] & mask2); - dst[2] = (src[2] & mask1) ^ (dst[2] & mask2); - dst[3] = (src[3] & mask1) ^ (dst[3] & mask2); - if (P256_LIMBS == 8) { - dst[4] = (src[4] & mask1) ^ (dst[4] & mask2); - dst[5] = (src[5] & mask1) ^ (dst[5] & mask2); - dst[6] = (src[6] & mask1) ^ (dst[6] & mask2); - dst[7] = (src[7] & mask1) ^ (dst[7] & mask2); - } -} - -// is_not_zero returns one iff in != 0 and zero otherwise. -// -// WARNING: this breaks the usual convention of constant-time functions -// returning masks. -// -// (define-fun is_not_zero ((in (_ BitVec 64))) (_ BitVec 64) -// (bvlshr (bvor in (bvsub #x0000000000000000 in)) #x000000000000003f) -// ) -// -// (declare-fun x () (_ BitVec 64)) -// -// (assert (and (= x #x0000000000000000) (= (is_not_zero x) -// #x0000000000000001))) (check-sat) -// -// (assert (and (not (= x #x0000000000000000)) (= (is_not_zero x) -// #x0000000000000000))) (check-sat) -// -static BN_ULONG is_not_zero(BN_ULONG in) { - in |= (0 - in); - in >>= BN_BITS2 - 1; - return in; -} - -#if defined(OPENSSL_X86_64) -// Dispatch between CPU variations. The "_adx" suffixed functions use MULX in -// addition to ADCX/ADOX. MULX is part of BMI2, not ADX, so we must check both -// capabilities. 
-static void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]) { - if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_mul_mont_adx(res, a, b); - } else { - ecp_nistz256_mul_mont_nohw(res, a, b); - } -} - -static void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS]) { - if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_sqr_mont_adx(res, a); - } else { - ecp_nistz256_sqr_mont_nohw(res, a); - } -} - -static void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]) { - if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_ord_mul_mont_adx(res, a, b); - } else { - ecp_nistz256_ord_mul_mont_nohw(res, a, b); - } -} - -static void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - BN_ULONG rep) { - if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_ord_sqr_mont_adx(res, a, rep); - } else { - ecp_nistz256_ord_sqr_mont_nohw(res, a, rep); - } -} - -static void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16], - int index) { - if (CRYPTO_is_AVX2_capable()) { - ecp_nistz256_select_w5_avx2(val, in_t, index); - } else { - ecp_nistz256_select_w5_nohw(val, in_t, index); - } -} - -static void ecp_nistz256_select_w7(P256_POINT_AFFINE *val, - const P256_POINT_AFFINE in_t[64], - int index) { - if (CRYPTO_is_AVX2_capable()) { - ecp_nistz256_select_w7_avx2(val, in_t, index); - } else { - ecp_nistz256_select_w7_nohw(val, in_t, index); - } -} - -static void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a) { - if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_point_double_adx(r, a); - } else { - ecp_nistz256_point_double_nohw(r, a); - } -} - -static void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a, - const P256_POINT *b) { - if 
(CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_point_add_adx(r, a, b); - } else { - ecp_nistz256_point_add_nohw(r, a, b); - } -} - -static void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a, - const P256_POINT_AFFINE *b) { - if (CRYPTO_is_BMI2_capable() && CRYPTO_is_ADX_capable()) { - ecp_nistz256_point_add_affine_adx(r, a, b); - } else { - ecp_nistz256_point_add_affine_nohw(r, a, b); - } -} -#endif // OPENSSL_X86_64 - -// ecp_nistz256_from_mont sets |res| to |in|, converted from Montgomery domain -// by multiplying with 1. -static void ecp_nistz256_from_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG in[P256_LIMBS]) { - static const BN_ULONG ONE[P256_LIMBS] = {1}; - ecp_nistz256_mul_mont(res, in, ONE); -} - -// ecp_nistz256_mod_inverse_sqr_mont sets |r| to (|in| * 2^-256)^-2 * 2^256 mod -// p. That is, |r| is the modular inverse square of |in| for input and output in -// the Montgomery domain. -static void ecp_nistz256_mod_inverse_sqr_mont(BN_ULONG r[P256_LIMBS], - const BN_ULONG in[P256_LIMBS]) { - // This implements the addition chain described in - // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion - BN_ULONG x2[P256_LIMBS], x3[P256_LIMBS], x6[P256_LIMBS], x12[P256_LIMBS], - x15[P256_LIMBS], x30[P256_LIMBS], x32[P256_LIMBS]; - ecp_nistz256_sqr_mont(x2, in); // 2^2 - 2^1 - ecp_nistz256_mul_mont(x2, x2, in); // 2^2 - 2^0 - - ecp_nistz256_sqr_mont(x3, x2); // 2^3 - 2^1 - ecp_nistz256_mul_mont(x3, x3, in); // 2^3 - 2^0 - - ecp_nistz256_sqr_mont(x6, x3); - for (int i = 1; i < 3; i++) { - ecp_nistz256_sqr_mont(x6, x6); - } // 2^6 - 2^3 - ecp_nistz256_mul_mont(x6, x6, x3); // 2^6 - 2^0 - - ecp_nistz256_sqr_mont(x12, x6); - for (int i = 1; i < 6; i++) { - ecp_nistz256_sqr_mont(x12, x12); - } // 2^12 - 2^6 - ecp_nistz256_mul_mont(x12, x12, x6); // 2^12 - 2^0 - - ecp_nistz256_sqr_mont(x15, x12); - for (int i = 1; i < 3; i++) { - ecp_nistz256_sqr_mont(x15, x15); - } // 2^15 - 2^3 - 
ecp_nistz256_mul_mont(x15, x15, x3); // 2^15 - 2^0 - - ecp_nistz256_sqr_mont(x30, x15); - for (int i = 1; i < 15; i++) { - ecp_nistz256_sqr_mont(x30, x30); - } // 2^30 - 2^15 - ecp_nistz256_mul_mont(x30, x30, x15); // 2^30 - 2^0 - - ecp_nistz256_sqr_mont(x32, x30); - ecp_nistz256_sqr_mont(x32, x32); // 2^32 - 2^2 - ecp_nistz256_mul_mont(x32, x32, x2); // 2^32 - 2^0 - - BN_ULONG ret[P256_LIMBS]; - ecp_nistz256_sqr_mont(ret, x32); - for (int i = 1; i < 31 + 1; i++) { - ecp_nistz256_sqr_mont(ret, ret); - } // 2^64 - 2^32 - ecp_nistz256_mul_mont(ret, ret, in); // 2^64 - 2^32 + 2^0 - - for (int i = 0; i < 96 + 32; i++) { - ecp_nistz256_sqr_mont(ret, ret); - } // 2^192 - 2^160 + 2^128 - ecp_nistz256_mul_mont(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0 - - for (int i = 0; i < 32; i++) { - ecp_nistz256_sqr_mont(ret, ret); - } // 2^224 - 2^192 + 2^160 + 2^64 - 2^32 - ecp_nistz256_mul_mont(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0 - - for (int i = 0; i < 30; i++) { - ecp_nistz256_sqr_mont(ret, ret); - } // 2^254 - 2^222 + 2^190 + 2^94 - 2^30 - ecp_nistz256_mul_mont(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0 - - ecp_nistz256_sqr_mont(ret, ret); - ecp_nistz256_sqr_mont(r, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2 -} - -// r = p * p_scalar -static void ecp_nistz256_windowed_mul(const EC_GROUP *group, P256_POINT *r, - const EC_JACOBIAN *p, - const EC_SCALAR *p_scalar) { - assert(p != nullptr); - assert(p_scalar != nullptr); - assert(group->field.N.width == P256_LIMBS); - - static const size_t kWindowSize = 5; - static const crypto_word_t kMask = (1 << (5 /* kWindowSize */ + 1)) - 1; - - // A |P256_POINT| is (3 * 32) = 96 bytes, and the 64-byte alignment should - // add no more than 63 bytes of overhead. Thus, |table| should require - // ~1599 ((96 * 16) + 63) bytes of stack space. 
- alignas(64) P256_POINT table[16]; - uint8_t p_str[33]; - OPENSSL_memcpy(p_str, p_scalar->words, 32); - p_str[32] = 0; - - // table[0] is implicitly (0,0,0) (the point at infinity), therefore it is - // not stored. All other values are actually stored with an offset of -1 in - // table. - P256_POINT *row = table; - assert(group->field.N.width == P256_LIMBS); - OPENSSL_memcpy(row[1 - 1].X, p->X.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(row[1 - 1].Y, p->Y.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(row[1 - 1].Z, p->Z.words, P256_LIMBS * sizeof(BN_ULONG)); - - ecp_nistz256_point_double(&row[2 - 1], &row[1 - 1]); - ecp_nistz256_point_add(&row[3 - 1], &row[2 - 1], &row[1 - 1]); - ecp_nistz256_point_double(&row[4 - 1], &row[2 - 1]); - ecp_nistz256_point_double(&row[6 - 1], &row[3 - 1]); - ecp_nistz256_point_double(&row[8 - 1], &row[4 - 1]); - ecp_nistz256_point_double(&row[12 - 1], &row[6 - 1]); - ecp_nistz256_point_add(&row[5 - 1], &row[4 - 1], &row[1 - 1]); - ecp_nistz256_point_add(&row[7 - 1], &row[6 - 1], &row[1 - 1]); - ecp_nistz256_point_add(&row[9 - 1], &row[8 - 1], &row[1 - 1]); - ecp_nistz256_point_add(&row[13 - 1], &row[12 - 1], &row[1 - 1]); - ecp_nistz256_point_double(&row[14 - 1], &row[7 - 1]); - ecp_nistz256_point_double(&row[10 - 1], &row[5 - 1]); - ecp_nistz256_point_add(&row[15 - 1], &row[14 - 1], &row[1 - 1]); - ecp_nistz256_point_add(&row[11 - 1], &row[10 - 1], &row[1 - 1]); - ecp_nistz256_point_double(&row[16 - 1], &row[8 - 1]); - - BN_ULONG tmp[P256_LIMBS]; - alignas(32) P256_POINT h; - size_t index = 255; - crypto_word_t wvalue = p_str[(index - 1) / 8]; - wvalue = (wvalue >> ((index - 1) % 8)) & kMask; - - ecp_nistz256_select_w5(r, table, booth_recode_w5(wvalue) >> 1); - - while (index >= 5) { - if (index != 255) { - size_t off = (index - 1) / 8; - - wvalue = (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8; - wvalue = (wvalue >> ((index - 1) % 8)) & kMask; - - wvalue = booth_recode_w5(wvalue); - - 
ecp_nistz256_select_w5(&h, table, wvalue >> 1); - - ecp_nistz256_neg(tmp, h.Y); - copy_conditional(h.Y, tmp, (wvalue & 1)); - - ecp_nistz256_point_add(r, r, &h); - } - - index -= kWindowSize; - - ecp_nistz256_point_double(r, r); - ecp_nistz256_point_double(r, r); - ecp_nistz256_point_double(r, r); - ecp_nistz256_point_double(r, r); - ecp_nistz256_point_double(r, r); - } - - // Final window - wvalue = p_str[0]; - wvalue = (wvalue << 1) & kMask; - - wvalue = booth_recode_w5(wvalue); - - ecp_nistz256_select_w5(&h, table, wvalue >> 1); - - ecp_nistz256_neg(tmp, h.Y); - copy_conditional(h.Y, tmp, wvalue & 1); - - ecp_nistz256_point_add(r, r, &h); -} - -static crypto_word_t calc_first_wvalue(size_t *index, const uint8_t p_str[33]) { - static const size_t kWindowSize = 7; - static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1; - *index = kWindowSize; - - crypto_word_t wvalue = (p_str[0] << 1) & kMask; - return booth_recode_w7(wvalue); -} - -static crypto_word_t calc_wvalue(size_t *index, const uint8_t p_str[33]) { - static const size_t kWindowSize = 7; - static const crypto_word_t kMask = (1 << (7 /* kWindowSize */ + 1)) - 1; - - const size_t off = (*index - 1) / 8; - crypto_word_t wvalue = - (crypto_word_t)p_str[off] | (crypto_word_t)p_str[off + 1] << 8; - wvalue = (wvalue >> ((*index - 1) % 8)) & kMask; - *index += kWindowSize; - - return booth_recode_w7(wvalue); -} - -static void ecp_nistz256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, - const EC_JACOBIAN *p, - const EC_SCALAR *scalar) { - alignas(32) P256_POINT out; - ecp_nistz256_windowed_mul(group, &out, p, scalar); - - assert(group->field.N.width == P256_LIMBS); - OPENSSL_memcpy(r->X.words, out.X, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Y.words, out.Y, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Z.words, out.Z, P256_LIMBS * sizeof(BN_ULONG)); -} - -static void ecp_nistz256_point_mul_base(const EC_GROUP *group, EC_JACOBIAN *r, - const EC_SCALAR *scalar) { - uint8_t 
p_str[33]; - OPENSSL_memcpy(p_str, scalar->words, 32); - p_str[32] = 0; - - // First window - size_t index = 0; - crypto_word_t wvalue = calc_first_wvalue(&index, p_str); - - alignas(32) P256_POINT_AFFINE t; - alignas(32) P256_POINT p; - ecp_nistz256_select_w7(&t, ecp_nistz256_precomputed[0], wvalue >> 1); - ecp_nistz256_neg(p.Z, t.Y); - copy_conditional(t.Y, p.Z, wvalue & 1); - - // Convert |t| from affine to Jacobian coordinates. We set Z to zero if |t| - // is infinity and |ONE_MONT| otherwise. |t| was computed from the table, so - // it is infinity iff |wvalue >> 1| is zero. - OPENSSL_memcpy(p.X, t.X, sizeof(p.X)); - OPENSSL_memcpy(p.Y, t.Y, sizeof(p.Y)); - OPENSSL_memset(p.Z, 0, sizeof(p.Z)); - copy_conditional(p.Z, ONE_MONT, is_not_zero(wvalue >> 1)); - - for (int i = 1; i < 37; i++) { - wvalue = calc_wvalue(&index, p_str); - - ecp_nistz256_select_w7(&t, ecp_nistz256_precomputed[i], wvalue >> 1); - - alignas(32) BN_ULONG neg_Y[P256_LIMBS]; - ecp_nistz256_neg(neg_Y, t.Y); - copy_conditional(t.Y, neg_Y, wvalue & 1); - - // Note |ecp_nistz256_point_add_affine| does not work if |p| and |t| are the - // same non-infinity point. - ecp_nistz256_point_add_affine(&p, &p, &t); - } - - assert(group->field.N.width == P256_LIMBS); - OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG)); -} - -static void ecp_nistz256_points_mul_public(const EC_GROUP *group, - EC_JACOBIAN *r, - const EC_SCALAR *g_scalar, - const EC_JACOBIAN *p_, - const EC_SCALAR *p_scalar) { - assert(p_ != nullptr && p_scalar != nullptr && g_scalar != nullptr); - - alignas(32) P256_POINT p; - uint8_t p_str[33]; - OPENSSL_memcpy(p_str, g_scalar->words, 32); - p_str[32] = 0; - - // First window - size_t index = 0; - size_t wvalue = calc_first_wvalue(&index, p_str); - - // Convert |p| from affine to Jacobian coordinates. 
We set Z to zero if |p| - // is infinity and |ONE_MONT| otherwise. |p| was computed from the table, so - // it is infinity iff |wvalue >> 1| is zero. - if ((wvalue >> 1) != 0) { - OPENSSL_memcpy(p.X, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].X, - sizeof(p.X)); - OPENSSL_memcpy(p.Y, &ecp_nistz256_precomputed[0][(wvalue >> 1) - 1].Y, - sizeof(p.Y)); - OPENSSL_memcpy(p.Z, ONE_MONT, sizeof(p.Z)); - } else { - OPENSSL_memset(p.X, 0, sizeof(p.X)); - OPENSSL_memset(p.Y, 0, sizeof(p.Y)); - OPENSSL_memset(p.Z, 0, sizeof(p.Z)); - } - - if ((wvalue & 1) == 1) { - ecp_nistz256_neg(p.Y, p.Y); - } - - for (int i = 1; i < 37; i++) { - wvalue = calc_wvalue(&index, p_str); - if ((wvalue >> 1) == 0) { - continue; - } - - alignas(32) P256_POINT_AFFINE t; - OPENSSL_memcpy(&t, &ecp_nistz256_precomputed[i][(wvalue >> 1) - 1], - sizeof(t)); - if ((wvalue & 1) == 1) { - ecp_nistz256_neg(t.Y, t.Y); - } - - // Note |ecp_nistz256_point_add_affine| does not work if |p| and |t| are - // the same non-infinity point, so it is important that we compute the - // |g_scalar| term before the |p_scalar| term. 
- ecp_nistz256_point_add_affine(&p, &p, &t); - } - - alignas(32) P256_POINT tmp; - ecp_nistz256_windowed_mul(group, &tmp, p_, p_scalar); - ecp_nistz256_point_add(&p, &p, &tmp); - - assert(group->field.N.width == P256_LIMBS); - OPENSSL_memcpy(r->X.words, p.X, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Y.words, p.Y, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Z.words, p.Z, P256_LIMBS * sizeof(BN_ULONG)); -} - -static int ecp_nistz256_get_affine(const EC_GROUP *group, - const EC_JACOBIAN *point, EC_FELEM *x, - EC_FELEM *y) { - if (constant_time_declassify_int( - ec_GFp_simple_is_at_infinity(group, point))) { - OPENSSL_PUT_ERROR(EC, EC_R_POINT_AT_INFINITY); - return 0; - } - - BN_ULONG z_inv2[P256_LIMBS]; - assert(group->field.N.width == P256_LIMBS); - ecp_nistz256_mod_inverse_sqr_mont(z_inv2, point->Z.words); - - if (x != nullptr) { - ecp_nistz256_mul_mont(x->words, z_inv2, point->X.words); - } - - if (y != nullptr) { - ecp_nistz256_sqr_mont(z_inv2, z_inv2); // z^-4 - ecp_nistz256_mul_mont(y->words, point->Y.words, point->Z.words); // y * z - ecp_nistz256_mul_mont(y->words, y->words, z_inv2); // y * z^-3 - } - - return 1; -} - -static void ecp_nistz256_add(const EC_GROUP *group, EC_JACOBIAN *r, - const EC_JACOBIAN *a_, const EC_JACOBIAN *b_) { - P256_POINT a, b; - OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(a.Z, a_->Z.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(b.X, b_->X.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(b.Y, b_->Y.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(b.Z, b_->Z.words, P256_LIMBS * sizeof(BN_ULONG)); - ecp_nistz256_point_add(&a, &a, &b); - OPENSSL_memcpy(r->X.words, a.X, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Y.words, a.Y, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG)); -} - -static void ecp_nistz256_dbl(const EC_GROUP *group, 
EC_JACOBIAN *r, - const EC_JACOBIAN *a_) { - P256_POINT a; - OPENSSL_memcpy(a.X, a_->X.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(a.Y, a_->Y.words, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(a.Z, a_->Z.words, P256_LIMBS * sizeof(BN_ULONG)); - ecp_nistz256_point_double(&a, &a); - OPENSSL_memcpy(r->X.words, a.X, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Y.words, a.Y, P256_LIMBS * sizeof(BN_ULONG)); - OPENSSL_memcpy(r->Z.words, a.Z, P256_LIMBS * sizeof(BN_ULONG)); -} - -static void ecp_nistz256_inv0_mod_ord(const EC_GROUP *group, EC_SCALAR *out, - const EC_SCALAR *in) { - // table[i] stores a power of |in| corresponding to the matching enum value. - enum { - // The following indices specify the power in binary. - i_1 = 0, - i_10, - i_11, - i_101, - i_111, - i_1010, - i_1111, - i_10101, - i_101010, - i_101111, - // The following indices specify 2^N-1, or N ones in a row. - i_x6, - i_x8, - i_x16, - i_x32 - }; - BN_ULONG table[15][P256_LIMBS]; - - // https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion - // - // Even though this code path spares 12 squarings, 4.5%, and 13 - // multiplications, 25%, the overall sign operation is not that much faster, - // not more that 2%. Most of the performance of this function comes from the - // scalar operations. - - // Pre-calculate powers. 
- OPENSSL_memcpy(table[i_1], in->words, P256_LIMBS * sizeof(BN_ULONG)); - - ecp_nistz256_ord_sqr_mont(table[i_10], table[i_1], 1); - - ecp_nistz256_ord_mul_mont(table[i_11], table[i_1], table[i_10]); - - ecp_nistz256_ord_mul_mont(table[i_101], table[i_11], table[i_10]); - - ecp_nistz256_ord_mul_mont(table[i_111], table[i_101], table[i_10]); - - ecp_nistz256_ord_sqr_mont(table[i_1010], table[i_101], 1); - - ecp_nistz256_ord_mul_mont(table[i_1111], table[i_1010], table[i_101]); - - ecp_nistz256_ord_sqr_mont(table[i_10101], table[i_1010], 1); - ecp_nistz256_ord_mul_mont(table[i_10101], table[i_10101], table[i_1]); - - ecp_nistz256_ord_sqr_mont(table[i_101010], table[i_10101], 1); - - ecp_nistz256_ord_mul_mont(table[i_101111], table[i_101010], table[i_101]); - - ecp_nistz256_ord_mul_mont(table[i_x6], table[i_101010], table[i_10101]); - - ecp_nistz256_ord_sqr_mont(table[i_x8], table[i_x6], 2); - ecp_nistz256_ord_mul_mont(table[i_x8], table[i_x8], table[i_11]); - - ecp_nistz256_ord_sqr_mont(table[i_x16], table[i_x8], 8); - ecp_nistz256_ord_mul_mont(table[i_x16], table[i_x16], table[i_x8]); - - ecp_nistz256_ord_sqr_mont(table[i_x32], table[i_x16], 16); - ecp_nistz256_ord_mul_mont(table[i_x32], table[i_x32], table[i_x16]); - - // Compute |in| raised to the order-2. 
- ecp_nistz256_ord_sqr_mont(out->words, table[i_x32], 64); - ecp_nistz256_ord_mul_mont(out->words, out->words, table[i_x32]); - static const struct { - uint8_t p, i; - } kChain[27] = {{32, i_x32}, {6, i_101111}, {5, i_111}, {4, i_11}, - {5, i_1111}, {5, i_10101}, {4, i_101}, {3, i_101}, - {3, i_101}, {5, i_111}, {9, i_101111}, {6, i_1111}, - {2, i_1}, {5, i_1}, {6, i_1111}, {5, i_111}, - {4, i_111}, {5, i_111}, {5, i_101}, {3, i_11}, - {10, i_101111}, {2, i_11}, {5, i_11}, {5, i_11}, - {3, i_1}, {7, i_10101}, {6, i_1111}}; - for (const auto &step : kChain) { - ecp_nistz256_ord_sqr_mont(out->words, out->words, step.p); - ecp_nistz256_ord_mul_mont(out->words, out->words, table[step.i]); - } -} - -static int ecp_nistz256_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, - EC_SCALAR *out, - const EC_SCALAR *in) { -#if defined(OPENSSL_X86_64) - if (!CRYPTO_is_AVX_capable()) { - // No AVX support; fallback to generic code. - return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in); - } -#endif - - assert(group->order.N.width == P256_LIMBS); - if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.N.d)) { - return 0; - } - - // The result should be returned in the Montgomery domain. - ec_scalar_to_montgomery(group, out, out); - return 1; -} - -static int ecp_nistz256_cmp_x_coordinate(const EC_GROUP *group, - const EC_JACOBIAN *p, - const EC_SCALAR *r) { - if (ec_GFp_simple_is_at_infinity(group, p)) { - return 0; - } - - assert(group->order.N.width == P256_LIMBS); - assert(group->field.N.width == P256_LIMBS); - - // We wish to compare X/Z^2 with r. This is equivalent to comparing X with - // r*Z^2. Note that X and Z are represented in Montgomery form, while r is - // not. 
- BN_ULONG r_Z2[P256_LIMBS], Z2_mont[P256_LIMBS], X[P256_LIMBS]; - ecp_nistz256_mul_mont(Z2_mont, p->Z.words, p->Z.words); - ecp_nistz256_mul_mont(r_Z2, r->words, Z2_mont); - ecp_nistz256_from_mont(X, p->X.words); - - if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) { - return 1; - } - - // During signing the x coefficient is reduced modulo the group order. - // Therefore there is a small possibility, less than 1/2^128, that group_order - // < p.x < P. in that case we need not only to compare against |r| but also to - // compare against r+group_order. - BN_ULONG carry = bn_add_words(r_Z2, r->words, group->order.N.d, P256_LIMBS); - if (carry == 0 && bn_less_than_words(r_Z2, group->field.N.d, P256_LIMBS)) { - // r + group_order < p, so compare (r + group_order) * Z^2 against X. - ecp_nistz256_mul_mont(r_Z2, r_Z2, Z2_mont); - if (OPENSSL_memcmp(r_Z2, X, sizeof(r_Z2)) == 0) { - return 1; - } - } - - return 0; -} - -BSSL_NAMESPACE_BEGIN - -DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistz256_method) { - out->point_get_affine_coordinates = ecp_nistz256_get_affine; - out->add = ecp_nistz256_add; - out->dbl = ecp_nistz256_dbl; - out->mul = ecp_nistz256_point_mul; - out->mul_base = ecp_nistz256_point_mul_base; - out->mul_public = ecp_nistz256_points_mul_public; - out->scalar_inv0_montgomery = ecp_nistz256_inv0_mod_ord; - out->scalar_to_montgomery_inv_vartime = - ecp_nistz256_scalar_to_montgomery_inv_vartime; - out->cmp_x_coordinate = ecp_nistz256_cmp_x_coordinate; -} - -BSSL_NAMESPACE_END - -#endif /* !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_SMALL) */ diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/p256-nistz.h b/third_party/boringssl/src/crypto/fipsmodule/ec/p256-nistz.h deleted file mode 100644 index c6963887..00000000 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/p256-nistz.h +++ /dev/null 
@@ -1,207 +0,0 @@ -// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. -// Copyright (c) 2014, Intel Corporation. All Rights Reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -// Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1) -// (1) Intel Corporation, Israel Development Center, Haifa, Israel -// (2) University of Haifa, Israel -// -// Reference: -// S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with -// 256 Bit Primes" - -#ifndef OPENSSL_HEADER_CRYPTO_FIPSMODULE_EC_P256_NISTZ_H -#define OPENSSL_HEADER_CRYPTO_FIPSMODULE_EC_P256_NISTZ_H - -#include - -#include - -#include "../bn/internal.h" - -#if defined(__cplusplus) -extern "C" { -#endif - - -#if !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_SMALL) - -// P-256 field operations. -// -// An element mod P in P-256 is represented as a little-endian array of -// |P256_LIMBS| |BN_ULONG|s, spanning the full range of values. -// -// The following functions take fully-reduced inputs mod P and give -// fully-reduced outputs. They may be used in-place. - -#define P256_LIMBS (256 / BN_BITS2) - -// ecp_nistz256_neg sets |res| to -|a| mod P. -void ecp_nistz256_neg(BN_ULONG res[P256_LIMBS], const BN_ULONG a[P256_LIMBS]); - -// ecp_nistz256_mul_mont sets |res| to |a| * |b| * 2^-256 mod P. 
-#if defined(OPENSSL_X86_64) -void ecp_nistz256_mul_mont_nohw(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]); -void ecp_nistz256_mul_mont_adx(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]); -#else -void ecp_nistz256_mul_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]); -#endif - -// ecp_nistz256_sqr_mont sets |res| to |a| * |a| * 2^-256 mod P. -#if defined(OPENSSL_X86_64) -void ecp_nistz256_sqr_mont_nohw(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS]); -void ecp_nistz256_sqr_mont_adx(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS]); -#else -void ecp_nistz256_sqr_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS]); -#endif - - -// P-256 scalar operations. -// -// The following functions compute modulo N, where N is the order of P-256. They -// take fully-reduced inputs and give fully-reduced outputs. - -// ecp_nistz256_ord_mul_mont sets |res| to |a| * |b| where inputs and outputs -// are in Montgomery form. That is, |res| is |a| * |b| * 2^-256 mod N. -#if defined(OPENSSL_X86_64) -void ecp_nistz256_ord_mul_mont_nohw(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]); -void ecp_nistz256_ord_mul_mont_adx(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]); -#else -void ecp_nistz256_ord_mul_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG b[P256_LIMBS]); -#endif - -// ecp_nistz256_ord_sqr_mont sets |res| to |a|^(2*|rep|) where inputs and -// outputs are in Montgomery form. That is, |res| is -// (|a| * 2^-256)^(2*|rep|) * 2^256 mod N. 
-#if defined(OPENSSL_X86_64) -void ecp_nistz256_ord_sqr_mont_nohw(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], BN_ULONG rep); -void ecp_nistz256_ord_sqr_mont_adx(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], BN_ULONG rep); -#else -void ecp_nistz256_ord_sqr_mont(BN_ULONG res[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], BN_ULONG rep); -#endif - -// beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm. -// Assumption: 0 < a < p < 2^(256) and p is odd. -int beeu_mod_inverse_vartime(BN_ULONG out[P256_LIMBS], - const BN_ULONG a[P256_LIMBS], - const BN_ULONG p[P256_LIMBS]); - - -// P-256 point operations. -// -// The following functions may be used in-place. All coordinates are in the -// Montgomery domain. - -// A P256_POINT represents a P-256 point in Jacobian coordinates. -typedef struct { - BN_ULONG X[P256_LIMBS]; - BN_ULONG Y[P256_LIMBS]; - BN_ULONG Z[P256_LIMBS]; -} P256_POINT; - -// A P256_POINT_AFFINE represents a P-256 point in affine coordinates. Infinity -// is encoded as (0, 0). -typedef struct { - BN_ULONG X[P256_LIMBS]; - BN_ULONG Y[P256_LIMBS]; -} P256_POINT_AFFINE; - -// ecp_nistz256_select_w5 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 16 -// and all zeros (the point at infinity) if |index| is 0. This is done in -// constant time. -#if defined(OPENSSL_X86_64) -void ecp_nistz256_select_w5_nohw(P256_POINT *val, const P256_POINT in_t[16], - int index); -void ecp_nistz256_select_w5_avx2(P256_POINT *val, const P256_POINT in_t[16], - int index); -#else -void ecp_nistz256_select_w5(P256_POINT *val, const P256_POINT in_t[16], - int index); -#endif - -// ecp_nistz256_select_w7 sets |*val| to |in_t[index-1]| if 1 <= |index| <= 64 -// and all zeros (the point at infinity) if |index| is 0. This is done in -// constant time. 
-#if defined(OPENSSL_X86_64) -void ecp_nistz256_select_w7_nohw(P256_POINT_AFFINE *val, - const P256_POINT_AFFINE in_t[64], int index); -void ecp_nistz256_select_w7_avx2(P256_POINT_AFFINE *val, - const P256_POINT_AFFINE in_t[64], int index); -#else -void ecp_nistz256_select_w7(P256_POINT_AFFINE *val, - const P256_POINT_AFFINE in_t[64], int index); -#endif - -// ecp_nistz256_point_double sets |r| to |a| doubled. -#if defined(OPENSSL_X86_64) -void ecp_nistz256_point_double_nohw(P256_POINT *r, const P256_POINT *a); -void ecp_nistz256_point_double_adx(P256_POINT *r, const P256_POINT *a); -#else -void ecp_nistz256_point_double(P256_POINT *r, const P256_POINT *a); -#endif - -// ecp_nistz256_point_add adds |a| to |b| and places the result in |r|. -#if defined(OPENSSL_X86_64) -void ecp_nistz256_point_add_nohw(P256_POINT *r, const P256_POINT *a, - const P256_POINT *b); -void ecp_nistz256_point_add_adx(P256_POINT *r, const P256_POINT *a, - const P256_POINT *b); -#else -void ecp_nistz256_point_add(P256_POINT *r, const P256_POINT *a, - const P256_POINT *b); -#endif - -// ecp_nistz256_point_add_affine adds |a| to |b| and places the result in -// |r|. |a| and |b| must not represent the same point unless they are both -// infinity. -#if defined(OPENSSL_X86_64) -void ecp_nistz256_point_add_affine_adx(P256_POINT *r, const P256_POINT *a, - const P256_POINT_AFFINE *b); -void ecp_nistz256_point_add_affine_nohw(P256_POINT *r, const P256_POINT *a, - const P256_POINT_AFFINE *b); -#else -void ecp_nistz256_point_add_affine(P256_POINT *r, const P256_POINT *a, - const P256_POINT_AFFINE *b); -#endif - -#endif /* !defined(OPENSSL_NO_ASM) && \ - (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) && \ - !defined(OPENSSL_SMALL) */ - - -#if defined(__cplusplus) -} // extern C -#endif - -#endif // OPENSSL_HEADER_CRYPTO_FIPSMODULE_EC_P256_NISTZ_H 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/p256.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/p256.cc.inc index 49235c6b..6ce9471a 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/p256.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/p256.cc.inc @@ -1,4 +1,6 @@ // Copyright 2020 The BoringSSL Authors +// Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved. +// Copyright (c) 2014, Intel Corporation. All Rights Reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. 
@@ -12,82 +14,347 @@ // See the License for the specific language governing permissions and // limitations under the License. -// An implementation of the NIST P-256 elliptic curve point multiplication. -// 256-bit Montgomery form for 64 and 32-bit. Field operations are generated by -// Fiat, which lives in //third_party/fiat. - #include #include #include -#include #include #include -#include #include #include "../../internal.h" #include "../delocate.h" -#include "./internal.h" - -#include "../../../third_party/fiat/p256_field.c.inc" -#include "../../../third_party/fiat/p256_point.br.c.inc" +#include "internal.h" +#include "p256_internal.h" using namespace bssl; -// utility functions, handwritten - -#if defined(OPENSSL_64_BIT) -#define FIAT_P256_NLIMBS 4 -typedef uint64_t fiat_p256_limb_t; -typedef uint64_t fiat_p256_felem[FIAT_P256_NLIMBS]; -static const fiat_p256_felem fiat_p256_one = {0x1, 0xffffffff00000000, - 0xffffffffffffffff, 0xfffffffe}; -#else // 64BIT; else 32BIT -#define FIAT_P256_NLIMBS 8 -typedef uint32_t fiat_p256_limb_t; -typedef uint32_t fiat_p256_felem[FIAT_P256_NLIMBS]; -static const fiat_p256_felem fiat_p256_one = { - 0x1, 0x0, 0x0, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0x0}; -#endif // 64BIT - - -static void fiat_p256_copy(fiat_p256_limb_t out[FIAT_P256_NLIMBS], - const fiat_p256_limb_t in1[FIAT_P256_NLIMBS]) { - for (size_t i = 0; i < FIAT_P256_NLIMBS; i++) { - out[i] = in1[i]; +static void fiat_p256_opp_conditional(fiat_p256_felem x, crypto_word_t c) { + alignas(32) fiat_p256_felem n; + fiat_p256_opp(n, x); + for (size_t i = 0; i < P256_LIMBS; ++i) { + x[i] = br_cmov(c, n[i], x[i]); } } -static void fiat_p256_cmovznz(fiat_p256_limb_t out[FIAT_P256_NLIMBS], - fiat_p256_limb_t t, - const fiat_p256_limb_t z[FIAT_P256_NLIMBS], - const fiat_p256_limb_t nz[FIAT_P256_NLIMBS]) { - fiat_p256_selectznz(out, !!t, z, nz); +// bit returns the `i`th bit in `in`. 
+static crypto_word_t bit(const uint8_t in[32], int i) { + if (i < 0 || i >= 256) { + return 0; + } + return (in[i >> 3] >> (i & 7)) & 1; } -static void fiat_p256_from_words(fiat_p256_felem out, - const BN_ULONG in[32 / sizeof(BN_ULONG)]) { - // Typically, |BN_ULONG| and |fiat_p256_limb_t| will be the same type, but on - // 64-bit platforms without |uint128_t|, they are different. However, on - // little-endian systems, |uint64_t[4]| and |uint32_t[8]| have the same - // layout. - OPENSSL_memcpy(out, in, 32); +// point multiplication +static void fiat_p256_select_point_16(fiat_p256_felem dst[3], + const fiat_p256_felem src[16][3], + size_t i) { + OPENSSL_memset(dst, 0, 3 * sizeof(fiat_p256_felem)); + OPENSSL_CLANG_PRAGMA("clang loop unroll_count(4)") + for (size_t j = 0; j < 16; j++) { + constant_time_conditional_memxor(dst, &src[j], 3 * sizeof(fiat_p256_felem), + constant_time_eq_w(i, j)); + } } -static void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) { - fiat_p256_from_words(out, in->words); +// Precompute multiples of `p`. p_pre_comp[i] is (i+1) * `p`. 
+static void p256_point_mul(fiat_p256_felem out[3], const fiat_p256_felem p[3], + const uint8_t s[32]) { + alignas(32) fiat_p256_felem p_pre_comp[16][3]; + OPENSSL_memcpy(p_pre_comp[0], p, sizeof(p_pre_comp[0])); + for (size_t j = 2; j <= 16; ++j) { + if (j & 1) { + p256_point_add_vartime_if_doubling((uintptr_t)p_pre_comp[j - 1], + (uintptr_t)p_pre_comp[j - 2], + (uintptr_t)p_pre_comp[0]); + } else { + p256_point_double((uintptr_t)p_pre_comp[j - 1], + (uintptr_t)p_pre_comp[(j - 1) / 2]); + } + } + alignas(32) fiat_p256_felem ret[3]; + bool ret_is_zero = true; + + for (size_t i = 51; i < 52; i--) { + if (!ret_is_zero) { + for (size_t k = 4; k < 5; k--) { + p256_point_double((uintptr_t)ret, (uintptr_t)ret); + } + } + + crypto_word_t bits = 0; + OPENSSL_CLANG_PRAGMA("clang loop unroll(full)") + for (size_t k = 5; k < 6; k--) { + bits |= bit(s, i * 5 - 1 + k) << k; + } + crypto_word_t sign, digit; + ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); + + alignas(32) fiat_p256_felem t[3]; + fiat_p256_select_point_16(t, p_pre_comp, digit - 1); + fiat_p256_opp_conditional(t[1], sign); + + if (!ret_is_zero) { + p256_point_add_vartime_if_doubling((uintptr_t)ret, (uintptr_t)ret, + (uintptr_t)t); + } else { + OPENSSL_memcpy(ret, t, sizeof(ret)); + ret_is_zero = false; + } + } + // The first loop iteration will initialize `ret`. + assert(!ret_is_zero); + + OPENSSL_memcpy(out, ret, sizeof(ret)); } -static void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) { - // See |fiat_p256_from_words|. 
- OPENSSL_memcpy(out->words, in, 32); +// point_mul_public +#include "./p256_table.h" + +static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group, + EC_JACOBIAN *r, + const EC_SCALAR *gs, + const EC_JACOBIAN *p, + const EC_SCALAR *ps) { + const uint8_t *g_scalar = (uint8_t *)gs->words; + int8_t p_wNAF[257] = {0}; + + alignas(32) fiat_p256_felem p_pre_comp[1 << (4 - 1)][3]; + OPENSSL_memcpy(p_pre_comp[0][2], &p->Z, 32); + if (!p256_point_iszero((uintptr_t)p_pre_comp[0])) { + ec_compute_wNAF(group, p_wNAF, ps, /*bits=*/256, /*w=*/4); + // Precompute multiples of `p`. p_pre_comp[i] is (2*i+1) * `p`. + OPENSSL_memcpy(p_pre_comp[0][0], &p->X, 32); + OPENSSL_memcpy(p_pre_comp[0][1], &p->Y, 32); + alignas(32) fiat_p256_felem p2[3]; + p256_point_double((uintptr_t)p2, (uintptr_t)p_pre_comp[0]); + for (size_t i = 1; i < std::size(p_pre_comp); i++) { + p256_point_add_nz_nz_neq((uintptr_t)p_pre_comp[i], + (uintptr_t)p_pre_comp[i - 1], (uintptr_t)p2); + } + } + + alignas(32) fiat_p256_felem ret[3] = {}; + bool ret_is_zero = true; // Save some point operations, avoid 0+Q + for (int i = 256; i >= 0; i--) { + if (!ret_is_zero) { + p256_point_double((uintptr_t)ret, (uintptr_t)ret); + } + + if (i <= 31) { + OPENSSL_CLANG_PRAGMA("clang loop unroll(full)") + for (size_t j = 1; j < 2; j--) { + crypto_word_t bits = 0; + OPENSSL_CLANG_PRAGMA("clang loop unroll(full)") + for (size_t k = 3; k < 4; k--) { + bits |= bit(g_scalar, i + j * 32 + k * 64) << k; + } + if (bits != 0) { + if (!ret_is_zero) { + alignas(32) fiat_p256_felem t[3]; + fiat_p256_set_one(t[2]); + OPENSSL_memcpy(t, fiat_p256_g_pre_comp[j][bits - 1], 64); + p256_point_add_affinenz_conditional_vartime_if_doubling( + (uintptr_t)ret, (uintptr_t)ret, (uintptr_t)t, 1); + ret_is_zero = p256_point_iszero((uintptr_t)ret); + } else { + OPENSSL_memcpy(ret, fiat_p256_g_pre_comp[j][bits - 1], + sizeof(fiat_p256_g_pre_comp[j][bits - 1])); + fiat_p256_set_one(ret[2]); + ret_is_zero = false; + } + } + } + } + + int digit = 
p_wNAF[i]; + if (digit != 0) { + assert(digit & 1); + size_t idx = (size_t)(digit < 0 ? (-digit) >> 1 : digit >> 1); + fiat_p256_felem t[3]; + OPENSSL_memcpy(t, p_pre_comp[idx], sizeof(t)); + if (digit < 0) { + fiat_p256_opp(t[1], t[1]); + } + if (!ret_is_zero) { + p256_point_add_vartime_if_doubling((uintptr_t)ret, (uintptr_t)ret, + (uintptr_t)t); + ret_is_zero = p256_point_iszero((uintptr_t)ret); + } else { + OPENSSL_memcpy(ret, t, sizeof(ret)); + ret_is_zero = false; + } + } + } + + OPENSSL_memcpy(&r->X, ret[0], 32); + OPENSSL_memcpy(&r->Y, ret[1], 32); + OPENSSL_memcpy(&r->Z, ret[2], 32); +} + +// p256_point_mul_base (small and full) + +// fiat_p256_select_point_affine selects the `i`th point from a precomputation +// table and copies it to `dst`. If `n<=i`, the output is (0, 0). +static void fiat_p256_select_point_affine(fiat_p256_felem dst[2], + const fiat_p256_felem src[/*n*/][2], + size_t i, size_t n) { + OPENSSL_memset(dst, 0, 2 * sizeof(fiat_p256_felem)); + OPENSSL_CLANG_PRAGMA("clang loop unroll_count(8)") + for (size_t j = 0; j < n; j++) { + constant_time_conditional_memxor(dst, &src[j], 2 * sizeof(fiat_p256_felem), + constant_time_eq_w(i, j)); + } +} + +static void fiat_p256_conditional_zero_or_one(fiat_p256_felem out, + crypto_word_t c) { + fiat_p256_set_one(out); + crypto_word_t mask = value_barrier_w(~constant_time_is_zero_w(c)); + for (size_t i = 0; i < P256_LIMBS; ++i) { + out[i] &= mask; + } } -// fiat_p256_inv_square calculates |out| = |in|^{-2} +#if defined(OPENSSL_SMALL) + +#ifdef __clang__ +__attribute__((noinline)) // Do not inline into unrolled loop below. +#endif +static void fiat_p256_select_point_affine_15( + fiat_p256_felem dst[2], const fiat_p256_felem src[/*n*/][2], size_t i) { + fiat_p256_select_point_affine(dst, src, i, 15); // Intended to be inlined. +} + +static void p256_point_mul_base(fiat_p256_felem ret[3], const uint8_t s[32]) { + bool ret_is_zero = true; // Save two point operations in the first round. 
+ alignas(32) fiat_p256_felem t[3]; + fiat_p256_set_one(t[2]); + for (size_t i = 31; i < 32; i--) { + if (!ret_is_zero) { + p256_point_double((uintptr_t)ret, (uintptr_t)ret); + } + OPENSSL_CLANG_PRAGMA("clang loop unroll(full)") + for (size_t j = 1; j < 2; j--) { + crypto_word_t bits = 0; + OPENSSL_CLANG_PRAGMA("clang loop unroll(full)") + for (size_t k = 3; k < 4; k--) { + bits |= bit(s, i + 32 * j + 64 * k) << k; + } + fiat_p256_select_point_affine_15(t, fiat_p256_g_pre_comp[j], bits - 1); + + if (!ret_is_zero) { + p256_point_add_affinenz_conditional_vartime_if_doubling( + (uintptr_t)ret, (uintptr_t)ret, (uintptr_t)t, (uintptr_t)bits); + } else { + OPENSSL_memcpy(ret, t, sizeof(t)); + fiat_p256_conditional_zero_or_one(ret[2], bits); + ret_is_zero = false; + } + } + } + + // The first loop iteration will initialize `ret`. + assert(!ret_is_zero); +} +#else // defined(OPENSSL_SMALL) + +/* + * Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1) + * (1) Intel Corporation, Israel Development Center, Haifa, Israel + * (2) University of Haifa, Israel + * + * Reference: + * S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with + * 256 Bit Primes" + */ + +// Precomputed tables for the default generator +typedef fiat_p256_felem PRECOMP256_ROW[64][2]; +#include "p256-nistz-table.h" + +#ifdef __clang__ +__attribute__((noinline)) // Do not inline into unrolled loop below. +#endif +static void fiat_p256_select_point_affine_16(fiat_p256_felem dst[2], + const fiat_p256_felem src[16][2], + size_t i) { + fiat_p256_select_point_affine(dst, src, i, 16); +} + +#ifdef __clang__ +__attribute__((noinline)) // Do not inline into unrolled loop below. 
+#endif +static void fiat_p256_select_point_affine_64(fiat_p256_felem dst[2], + const fiat_p256_felem src[64][2], + size_t i) { + fiat_p256_select_point_affine(dst, src, i, 64); +} + +// See `ec_GFp_nistp_recode_scalar_bits` in util.c for details +static crypto_word_t booth_recode_w7(crypto_word_t in) { + crypto_word_t s, d; + s = ~((in >> 7) - 1); + d = (1 << 8) - in - 1; + d = (d & s) | (in & ~s); + d = (d >> 1) + (d & 1); + return (d << 1) + (s & 1); +} + +static void p256_point_mul_base(fiat_p256_felem ret[3], const uint8_t s[32]) { + bool ret_is_zero = true; + alignas(32) fiat_p256_felem t[3]; + fiat_p256_set_one(t[2]); + for (size_t i = 36; i < 37; i--) { + // Load 7-bit windows, plus one bit below the window for `booth_recode_w7`, + // i.e. 8 bits from 7 * i - 1 to 7 * (i + 1). + constexpr size_t kMask = (1 << (7 + 1)) - 1; + crypto_word_t wvalue; + if (i == 0) { + wvalue = (s[0] << 1) & kMask; + } else { + size_t first_bit = 7 * i - 1; + size_t idx = first_bit / 8; + // The window may span two bytes. + wvalue = + s[idx] | (static_cast(idx < 31 ? s[idx + 1] : 0) << 8); + wvalue = (wvalue >> (first_bit % 8)) & kMask; + } + wvalue = booth_recode_w7(wvalue); + if (i == 36) { + // The last window has only 4 bits instead of the full 7. + declassify_assert((wvalue >> 1) <= 16); + fiat_p256_select_point_affine_16(t, ecp_nistz256_precomputed[i], + (wvalue >> 1) - 1); + } else { + fiat_p256_select_point_affine_64(t, ecp_nistz256_precomputed[i], + (wvalue >> 1) - 1); + } + fiat_p256_opp_conditional(t[1], wvalue & 1); + + if (!ret_is_zero) { + p256_point_add_affinenz_conditional_vartime_if_doubling( + (uintptr_t)ret, (uintptr_t)ret, (uintptr_t)t, wvalue >> 1); + } else { + OPENSSL_memcpy(ret, t, sizeof(t)); + fiat_p256_conditional_zero_or_one(ret[2], wvalue >> 1); + ret_is_zero = false; + } + } + + // The first loop iteration will initialize `ret`. 
+ assert(!ret_is_zero); +} +#endif // !OPENSSL_SMALL + + +// FIELD-ELEMENT INVERSION + + +// fiat_p256_inv_square calculates `out` = `in`^{-2} // // Based on Fermat's Little Theorem: // a^p = a (mod p) 
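Review bot: `p256_point_mul` and both `p256_point_mul_base` variants pick their table entry with `constant_time_conditional_memxor`, yet accumulate through `p256_point_add_vartime_if_doubling` and `p256_point_add_affinenz_conditional_vartime_if_doubling` with no comment on why the doubling case cannot be reached from the scalar `s`. Going by the helper names, timing differs when both operands are the same point. Their definitions and the callers are outside this hunk, so whether `s` is secret here is inferred from the constant-time selection. I would state the argument once above each accumulation, e.g. `// ret and t cannot be equal here because <reason>; the vartime doubling path is unreachable for secret s.`, so a later change to window size or table layout gets re-checked against it.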
@@ -98,156 +365,182 @@ static void fiat_p256_inv_square(fiat_p256_felem out, // This implements the addition chain described in // https://briansmith.org/ecc-inversion-addition-chains-01#p256_field_inversion fiat_p256_felem x2, x3, x6, x12, x15, x30, x32; - fiat_p256_square(x2, in); // 2^2 - 2^1 - fiat_p256_mul(x2, x2, in); // 2^2 - 2^0 + p256_coord_sqr(x2, in); // 2^2 - 2^1 + p256_coord_mul(x2, x2, in); // 2^2 - 2^0 - fiat_p256_square(x3, x2); // 2^3 - 2^1 - fiat_p256_mul(x3, x3, in); // 2^3 - 2^0 + p256_coord_sqr(x3, x2); // 2^3 - 2^1 + p256_coord_mul(x3, x3, in); // 2^3 - 2^0 - fiat_p256_square(x6, x3); + p256_coord_sqr(x6, x3); for (int i = 1; i < 3; i++) { - fiat_p256_square(x6, x6); - } // 2^6 - 2^3 - fiat_p256_mul(x6, x6, x3); // 2^6 - 2^0 + p256_coord_sqr(x6, x6); // 2^6 - 2^3 + } + p256_coord_mul(x6, x6, x3); // 2^6 - 2^0 - fiat_p256_square(x12, x6); + p256_coord_sqr(x12, x6); for (int i = 1; i < 6; i++) { - fiat_p256_square(x12, x12); - } // 2^12 - 2^6 - fiat_p256_mul(x12, x12, x6); // 2^12 - 2^0 + p256_coord_sqr(x12, x12); // 2^12 - 2^6 + } + p256_coord_mul(x12, x12, x6); // 2^12 - 2^0 - fiat_p256_square(x15, x12); + p256_coord_sqr(x15, x12); for (int i = 1; i < 3; i++) { - fiat_p256_square(x15, x15); - } // 2^15 - 2^3 - fiat_p256_mul(x15, x15, x3); // 2^15 - 2^0 + p256_coord_sqr(x15, x15); // 2^15 - 2^3 + } + p256_coord_mul(x15, x15, x3); // 2^15 - 2^0 - fiat_p256_square(x30, x15); + p256_coord_sqr(x30, x15); for (int i = 1; i < 15; i++) { - fiat_p256_square(x30, x30); - } // 2^30 - 2^15 - fiat_p256_mul(x30, x30, x15); // 2^30 - 2^0 + p256_coord_sqr(x30, x30); // 2^30 - 2^15 + } + p256_coord_mul(x30, x30, x15); // 2^30 - 2^0 - fiat_p256_square(x32, x30); - fiat_p256_square(x32, x32); // 2^32 - 2^2 - fiat_p256_mul(x32, x32, x2); // 2^32 - 2^0 + p256_coord_sqr(x32, x30); + p256_coord_sqr(x32, x32); // 2^32 - 2^2 + p256_coord_mul(x32, x32, x2); // 2^32 - 2^0 fiat_p256_felem ret; - fiat_p256_square(ret, x32); + p256_coord_sqr(ret, x32); for (int i = 1; i < 
31 + 1; i++) { - fiat_p256_square(ret, ret); - } // 2^64 - 2^32 - fiat_p256_mul(ret, ret, in); // 2^64 - 2^32 + 2^0 + p256_coord_sqr(ret, ret); // 2^64 - 2^32 + } + p256_coord_mul(ret, ret, in); // 2^64 - 2^32 + 2^0 for (int i = 0; i < 96 + 32; i++) { - fiat_p256_square(ret, ret); - } // 2^192 - 2^160 + 2^128 - fiat_p256_mul(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0 + p256_coord_sqr(ret, ret); // 2^192 - 2^160 + 2^128 + } + p256_coord_mul(ret, ret, x32); // 2^192 - 2^160 + 2^128 + 2^32 - 2^0 for (int i = 0; i < 32; i++) { - fiat_p256_square(ret, ret); - } // 2^224 - 2^192 + 2^160 + 2^64 - 2^32 - fiat_p256_mul(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0 + p256_coord_sqr(ret, ret); // 2^224 - 2^192 + 2^160 + 2^64 - 2^32 + } + p256_coord_mul(ret, ret, x32); // 2^224 - 2^192 + 2^160 + 2^64 - 2^0 for (int i = 0; i < 30; i++) { - fiat_p256_square(ret, ret); - } // 2^254 - 2^222 + 2^190 + 2^94 - 2^30 - fiat_p256_mul(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0 + p256_coord_sqr(ret, ret); // 2^254 - 2^222 + 2^190 + 2^94 - 2^30 + } + p256_coord_mul(ret, ret, x30); // 2^254 - 2^222 + 2^190 + 2^94 - 2^0 - fiat_p256_square(ret, ret); - fiat_p256_square(out, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2 + p256_coord_sqr(ret, ret); + p256_coord_sqr(out, ret); // 2^256 - 2^224 + 2^192 + 2^96 - 2^2 } -// Group operations -// ---------------- -// -// Building on top of the field operations we have the operations on the -// elliptic curve group itself. Points on the curve are represented in Jacobian -// coordinates. 
- -static void fiat_p256_point_double(fiat_p256_felem x_out, fiat_p256_felem y_out, - fiat_p256_felem z_out, - const fiat_p256_felem x_in, - const fiat_p256_felem y_in, - const fiat_p256_felem z_in) { - uint8_t out[3*32], in[3*32]; - static_assert(sizeof(fiat_p256_felem) == 32); - OPENSSL_memcpy(&in[0], x_in, 32); - OPENSSL_memcpy(&in[32], y_in, 32); - OPENSSL_memcpy(&in[64], z_in, 32); - p256_point_double((br_word_t)out, (br_word_t)in); - OPENSSL_memcpy(x_out, &out[0], 32); - OPENSSL_memcpy(y_out, &out[32], 32); - OPENSSL_memcpy(z_out, &out[64], 32); -} -static void fiat_p256_point_add(fiat_p256_felem x3, fiat_p256_felem y3, - fiat_p256_felem z3, const fiat_p256_felem x1, - const fiat_p256_felem y1, - const fiat_p256_felem z1, - const fiat_p256_felem x2, - const fiat_p256_felem y2, - const fiat_p256_felem z2) { - uint8_t out[3 * 32], in1[3 * 32], in2[3 * 32]; - static_assert(sizeof(fiat_p256_felem) == 32); - OPENSSL_memcpy(&in1[0], x1, 32); - OPENSSL_memcpy(&in1[32], y1, 32); - OPENSSL_memcpy(&in1[64], z1, 32); - OPENSSL_memcpy(&in2[0], x2, 32); - OPENSSL_memcpy(&in2[32], y2, 32); - OPENSSL_memcpy(&in2[64], z2, 32); - p256_point_add_vartime_if_doubling((br_word_t)out, (br_word_t)in1, - (br_word_t)in2); - OPENSSL_memcpy(x3, &out[0], 32); - OPENSSL_memcpy(y3, &out[32], 32); - OPENSSL_memcpy(z3, &out[64], 32); -} -#include "./p256_table.h" +// Arithmetic modulo curve order + + +static void p256_order_inv0(const EC_GROUP *group, EC_SCALAR *out, + const EC_SCALAR *in) { + // table[i] stores a power of `in` corresponding to the matching enum value. + enum { + // The following indices specify the power in binary. + i_1 = 0, + i_10, + i_11, + i_101, + i_111, + i_1010, + i_1111, + i_10101, + i_101010, + i_101111, + // The following indices specify 2^N-1, or N ones in a row. 
+ i_x6, + i_x8, + i_x16, + i_x32 + }; + BN_ULONG table[15][P256_LIMBS]; + + // https://briansmith.org/ecc-inversion-addition-chains-01#p256_scalar_inversion + // This code uses specialized field arithmetic and saves 12 sqr and 13 mul. + + // Pre-calculate powers. + OPENSSL_memcpy(table[i_1], in->words, P256_LIMBS * sizeof(BN_ULONG)); + + p256_order_sqr(group, table[i_10], table[i_1], 1); + + p256_order_mul(group, table[i_11], table[i_1], table[i_10]); + + p256_order_mul(group, table[i_101], table[i_11], table[i_10]); + + p256_order_mul(group, table[i_111], table[i_101], table[i_10]); -// fiat_p256_select_point_affine selects the |idx-1|th point from a -// precomputation table and copies it to out. If |idx| is zero, the output is -// the point at infinity. -static void fiat_p256_select_point_affine( - const fiat_p256_limb_t idx, size_t size, - const fiat_p256_felem pre_comp[/*size*/][2], fiat_p256_felem out[3]) { - OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3); - for (size_t i = 0; i < size; i++) { - fiat_p256_limb_t mismatch = i ^ (idx - 1); - fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]); - fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]); + p256_order_sqr(group, table[i_1010], table[i_101], 1); + + p256_order_mul(group, table[i_1111], table[i_1010], table[i_101]); + + p256_order_sqr(group, table[i_10101], table[i_1010], 1); + p256_order_mul(group, table[i_10101], table[i_10101], table[i_1]); + + p256_order_sqr(group, table[i_101010], table[i_10101], 1); + + p256_order_mul(group, table[i_101111], table[i_101010], table[i_101]); + + p256_order_mul(group, table[i_x6], table[i_101010], table[i_10101]); + + p256_order_sqr(group, table[i_x8], table[i_x6], 2); + p256_order_mul(group, table[i_x8], table[i_x8], table[i_11]); + + p256_order_sqr(group, table[i_x16], table[i_x8], 8); + p256_order_mul(group, table[i_x16], table[i_x16], table[i_x8]); + + p256_order_sqr(group, table[i_x32], table[i_x16], 16); + p256_order_mul(group, table[i_x32], 
table[i_x32], table[i_x16]); + + // Compute `in` raised to the order-2. + p256_order_sqr(group, out->words, table[i_x32], 64); + p256_order_mul(group, out->words, out->words, table[i_x32]); + static const struct { + uint8_t p, i; + } kChain[27] = {{32, i_x32}, {6, i_101111}, {5, i_111}, {4, i_11}, + {5, i_1111}, {5, i_10101}, {4, i_101}, {3, i_101}, + {3, i_101}, {5, i_111}, {9, i_101111}, {6, i_1111}, + {2, i_1}, {5, i_1}, {6, i_1111}, {5, i_111}, + {4, i_111}, {5, i_111}, {5, i_101}, {3, i_11}, + {10, i_101111}, {2, i_11}, {5, i_11}, {5, i_11}, + {3, i_1}, {7, i_10101}, {6, i_1111}}; + for (const auto &step : kChain) { + p256_order_sqr(group, out->words, out->words, step.p); + p256_order_mul(group, out->words, out->words, table[step.i]); } - fiat_p256_cmovznz(out[2], idx, out[2], fiat_p256_one); } -// fiat_p256_select_point selects the |idx|th point from a precomputation table -// and copies it to out. -static void fiat_p256_select_point(const fiat_p256_limb_t idx, size_t size, - const fiat_p256_felem pre_comp[/*size*/][3], - fiat_p256_felem out[3]) { - OPENSSL_memset(out, 0, sizeof(fiat_p256_felem) * 3); - for (size_t i = 0; i < size; i++) { - fiat_p256_limb_t mismatch = i ^ idx; - fiat_p256_cmovznz(out[0], mismatch, pre_comp[i][0], out[0]); - fiat_p256_cmovznz(out[1], mismatch, pre_comp[i][1], out[1]); - fiat_p256_cmovznz(out[2], mismatch, pre_comp[i][2], out[2]); +static int p256_order_mont_inv_vartime(const EC_GROUP *group, EC_SCALAR *out, + const EC_SCALAR *in) { +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) +#if defined(OPENSSL_X86_64) + if (!CRYPTO_is_AVX_capable()) { + // No AVX support; fallback to generic code. + return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in); } -} +#endif -// fiat_p256_get_bit returns the |i|th bit in |in|. 
-static crypto_word_t fiat_p256_get_bit(const EC_SCALAR *in, int i) { - if (i < 0 || i >= 256) { + assert(group->order.N.width == P256_LIMBS); + if (!beeu_mod_inverse_vartime(out->words, in->words, group->order.N.d)) { return 0; } -#if defined(OPENSSL_64_BIT) - static_assert(sizeof(BN_ULONG) == 8, "BN_ULONG was not 64-bit"); - return (in->words[i >> 6] >> (i & 63)) & 1; + + // The result should be returned in the Montgomery domain. + ec_scalar_to_montgomery(group, out, out); + return 1; #else - static_assert(sizeof(BN_ULONG) == 4, "BN_ULONG was not 32-bit"); - return (in->words[i >> 5] >> (i & 31)) & 1; + return ec_simple_scalar_to_montgomery_inv_vartime(group, out, in); #endif } -// OPENSSL EC_METHOD FUNCTIONS + +// OPENSSL EC_METHOD WRAPPERS + + +static void fiat_p256_from_generic(fiat_p256_felem out, const EC_FELEM *in) { + OPENSSL_memcpy(out, in->words, 32); +} + +static void fiat_p256_to_generic(EC_FELEM *out, const fiat_p256_felem in) { + OPENSSL_memcpy(out->words, in, 32); +} // Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = // (X/Z^2, Y/Z^3). 
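Review bot: The new `fiat_p256_from_generic` and `fiat_p256_to_generic` copy a literal 32 bytes between `EC_FELEM::words` and `fiat_p256_felem`, while this hunk deletes the wrappers that carried `static_assert(sizeof(fiat_p256_felem) == 32)`, so no size check remains in the visible new code. If the representation behind `fiat_p256_felem` ever changes, these copies would move the wrong number of bytes instead of failing to build. I would keep the assertion next to the copies and size them from the type rather than the decayed parameter: `static_assert(sizeof(fiat_p256_felem) == 32);` and `OPENSSL_memcpy(out, in->words, sizeof(fiat_p256_felem));`. The same literal 32 is used for the `p->X`/`p->Y`/`p->Z` and `r->X`/`r->Y`/`r->Z` copies in `ec_GFp_nistp256_point_mul_public` in the previous hunk.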
@@ -267,252 +560,22 @@ static int ec_GFp_nistp256_point_get_affine_coordinates( if (x_out != nullptr) { fiat_p256_felem x; fiat_p256_from_generic(x, &point->X); - fiat_p256_mul(x, x, z2); + p256_coord_mul(x, x, z2); fiat_p256_to_generic(x_out, x); } if (y_out != nullptr) { fiat_p256_felem y; fiat_p256_from_generic(y, &point->Y); - fiat_p256_square(z2, z2); // z^-4 - fiat_p256_mul(y, y, z1); // y * z - fiat_p256_mul(y, y, z2); // y * z^-3 + p256_coord_sqr(z2, z2); // z^-4 + p256_coord_mul(y, y, z1); // y * z + p256_coord_mul(y, y, z2); // y * z^-3 fiat_p256_to_generic(y_out, y); } return 1; } -static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_JACOBIAN *r, - const EC_JACOBIAN *a, const EC_JACOBIAN *b) { - fiat_p256_felem x1, y1, z1, x2, y2, z2; - fiat_p256_from_generic(x1, &a->X); - fiat_p256_from_generic(y1, &a->Y); - fiat_p256_from_generic(z1, &a->Z); - fiat_p256_from_generic(x2, &b->X); - fiat_p256_from_generic(y2, &b->Y); - fiat_p256_from_generic(z2, &b->Z); - fiat_p256_point_add(x1, y1, z1, x1, y1, z1, x2, y2, z2); - fiat_p256_to_generic(&r->X, x1); - fiat_p256_to_generic(&r->Y, y1); - fiat_p256_to_generic(&r->Z, z1); -} - -static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_JACOBIAN *r, - const EC_JACOBIAN *a) { - fiat_p256_felem x, y, z; - fiat_p256_from_generic(x, &a->X); - fiat_p256_from_generic(y, &a->Y); - fiat_p256_from_generic(z, &a->Z); - fiat_p256_point_double(x, y, z, x, y, z); - fiat_p256_to_generic(&r->X, x); - fiat_p256_to_generic(&r->Y, y); - fiat_p256_to_generic(&r->Z, z); -} - -static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, - const EC_JACOBIAN *p, - const EC_SCALAR *scalar) { - fiat_p256_felem p_pre_comp[17][3]; - OPENSSL_memset(&p_pre_comp, 0, sizeof(p_pre_comp)); - // Precompute multiples. 
- fiat_p256_from_generic(p_pre_comp[1][0], &p->X); - fiat_p256_from_generic(p_pre_comp[1][1], &p->Y); - fiat_p256_from_generic(p_pre_comp[1][2], &p->Z); - for (size_t j = 2; j <= 16; ++j) { - if (j & 1) { - fiat_p256_point_add(p_pre_comp[j][0], p_pre_comp[j][1], p_pre_comp[j][2], - p_pre_comp[1][0], p_pre_comp[1][1], p_pre_comp[1][2], - p_pre_comp[j - 1][0], p_pre_comp[j - 1][1], - p_pre_comp[j - 1][2]); - } else { - fiat_p256_point_double(p_pre_comp[j][0], p_pre_comp[j][1], - p_pre_comp[j][2], p_pre_comp[j / 2][0], - p_pre_comp[j / 2][1], p_pre_comp[j / 2][2]); - } - } - - // Set nq to the point at infinity. - fiat_p256_felem nq[3] = {{0}, {0}, {0}}, ftmp, tmp[3]; - - // Loop over |scalar| msb-to-lsb, incorporating |p_pre_comp| every 5th round. - int skip = 1; // Save two point operations in the first round. - for (size_t i = 255; i < 256; i--) { - // double - if (!skip) { - fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); - } - - // do other additions every 5 doublings - if (i % 5 == 0) { - crypto_word_t bits = fiat_p256_get_bit(scalar, i + 4) << 5; - bits |= fiat_p256_get_bit(scalar, i + 3) << 4; - bits |= fiat_p256_get_bit(scalar, i + 2) << 3; - bits |= fiat_p256_get_bit(scalar, i + 1) << 2; - bits |= fiat_p256_get_bit(scalar, i) << 1; - bits |= fiat_p256_get_bit(scalar, i - 1); - crypto_word_t sign, digit; - ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); - - // select the point to add or subtract, in constant time. - fiat_p256_select_point((fiat_p256_limb_t)digit, 17, - (const fiat_p256_felem(*)[3])p_pre_comp, tmp); - fiat_p256_opp(ftmp, tmp[1]); // (X, -Y, Z) is the negative point. 
- fiat_p256_cmovznz(tmp[1], (fiat_p256_limb_t)sign, tmp[1], ftmp); - - if (!skip) { - fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], tmp[0], - tmp[1], tmp[2]); - } else { - fiat_p256_copy(nq[0], tmp[0]); - fiat_p256_copy(nq[1], tmp[1]); - fiat_p256_copy(nq[2], tmp[2]); - skip = 0; - } - } - } - - fiat_p256_to_generic(&r->X, nq[0]); - fiat_p256_to_generic(&r->Y, nq[1]); - fiat_p256_to_generic(&r->Z, nq[2]); -} - -static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group, - EC_JACOBIAN *r, - const EC_SCALAR *scalar) { - // Set nq to the point at infinity. - fiat_p256_felem nq[3] = {{0}, {0}, {0}}, tmp[3]; - - int skip = 1; // Save two point operations in the first round. - for (size_t i = 31; i < 32; i--) { - if (!skip) { - fiat_p256_point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); - } - - // First, look 32 bits upwards. - crypto_word_t bits = fiat_p256_get_bit(scalar, i + 224) << 3; - bits |= fiat_p256_get_bit(scalar, i + 160) << 2; - bits |= fiat_p256_get_bit(scalar, i + 96) << 1; - bits |= fiat_p256_get_bit(scalar, i + 32); - // Select the point to add, in constant time. - fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15, - fiat_p256_g_pre_comp[1], tmp); - - if (!skip) { - fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], tmp[0], - tmp[1], tmp[2]); - } else { - fiat_p256_copy(nq[0], tmp[0]); - fiat_p256_copy(nq[1], tmp[1]); - fiat_p256_copy(nq[2], tmp[2]); - skip = 0; - } - - // Second, look at the current position. - bits = fiat_p256_get_bit(scalar, i + 192) << 3; - bits |= fiat_p256_get_bit(scalar, i + 128) << 2; - bits |= fiat_p256_get_bit(scalar, i + 64) << 1; - bits |= fiat_p256_get_bit(scalar, i); - // Select the point to add, in constant time. 
- fiat_p256_select_point_affine((fiat_p256_limb_t)bits, 15, - fiat_p256_g_pre_comp[0], tmp); - fiat_p256_point_add(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2], tmp[0], - tmp[1], tmp[2]); - } - - fiat_p256_to_generic(&r->X, nq[0]); - fiat_p256_to_generic(&r->Y, nq[1]); - fiat_p256_to_generic(&r->Z, nq[2]); -} - -static void ec_GFp_nistp256_point_mul_public(const EC_GROUP *group, - EC_JACOBIAN *r, - const EC_SCALAR *g_scalar, - const EC_JACOBIAN *p, - const EC_SCALAR *p_scalar) { -#define P256_WSIZE_PUBLIC 4 - // Precompute multiples of |p|. p_pre_comp[i] is (2*i+1) * |p|. - fiat_p256_felem p_pre_comp[1 << (P256_WSIZE_PUBLIC - 1)][3]; - fiat_p256_from_generic(p_pre_comp[0][0], &p->X); - fiat_p256_from_generic(p_pre_comp[0][1], &p->Y); - fiat_p256_from_generic(p_pre_comp[0][2], &p->Z); - fiat_p256_felem p2[3]; - fiat_p256_point_double(p2[0], p2[1], p2[2], p_pre_comp[0][0], - p_pre_comp[0][1], p_pre_comp[0][2]); - for (size_t i = 1; i < std::size(p_pre_comp); i++) { - fiat_p256_point_add(p_pre_comp[i][0], p_pre_comp[i][1], p_pre_comp[i][2], - p_pre_comp[i - 1][0], p_pre_comp[i - 1][1], - p_pre_comp[i - 1][2], p2[0], p2[1], p2[2]); - } - - // Set up the coefficients for |p_scalar|. - int8_t p_wNAF[257]; - ec_compute_wNAF(group, p_wNAF, p_scalar, 256, P256_WSIZE_PUBLIC); - - // Set |ret| to the point at infinity. - int skip = 1; // Save some point operations. - fiat_p256_felem ret[3] = {{0}, {0}, {0}}; - for (int i = 256; i >= 0; i--) { - if (!skip) { - fiat_p256_point_double(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2]); - } - - // For the |g_scalar|, we use the precomputed table without the - // constant-time lookup. - if (i <= 31) { - // First, look 32 bits upwards. 
- crypto_word_t bits = fiat_p256_get_bit(g_scalar, i + 224) << 3; - bits |= fiat_p256_get_bit(g_scalar, i + 160) << 2; - bits |= fiat_p256_get_bit(g_scalar, i + 96) << 1; - bits |= fiat_p256_get_bit(g_scalar, i + 32); - if (bits != 0) { - size_t index = (size_t)(bits - 1); - fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2], - fiat_p256_g_pre_comp[1][index][0], - fiat_p256_g_pre_comp[1][index][1], fiat_p256_one); - skip = 0; - } - - // Second, look at the current position. - bits = fiat_p256_get_bit(g_scalar, i + 192) << 3; - bits |= fiat_p256_get_bit(g_scalar, i + 128) << 2; - bits |= fiat_p256_get_bit(g_scalar, i + 64) << 1; - bits |= fiat_p256_get_bit(g_scalar, i); - if (bits != 0) { - size_t index = (size_t)(bits - 1); - fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2], - fiat_p256_g_pre_comp[0][index][0], - fiat_p256_g_pre_comp[0][index][1], fiat_p256_one); - skip = 0; - } - } - - int digit = p_wNAF[i]; - if (digit != 0) { - assert(digit & 1); - size_t idx = (size_t)(digit < 0 ? (-digit) >> 1 : digit >> 1); - fiat_p256_felem *y = &p_pre_comp[idx][1], tmp; - if (digit < 0) { - fiat_p256_opp(tmp, p_pre_comp[idx][1]); - y = &tmp; - } - if (!skip) { - fiat_p256_point_add(ret[0], ret[1], ret[2], ret[0], ret[1], ret[2], - p_pre_comp[idx][0], *y, p_pre_comp[idx][2]); - } else { - fiat_p256_copy(ret[0], p_pre_comp[idx][0]); - fiat_p256_copy(ret[1], *y); - fiat_p256_copy(ret[2], p_pre_comp[idx][2]); - skip = 0; - } - } - } - - fiat_p256_to_generic(&r->X, ret[0]); - fiat_p256_to_generic(&r->Y, ret[1]); - fiat_p256_to_generic(&r->Z, ret[2]); -} - static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r) { 
@@ -525,11 +588,11 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, // not. fiat_p256_felem Z2_mont; fiat_p256_from_generic(Z2_mont, &p->Z); - fiat_p256_mul(Z2_mont, Z2_mont, Z2_mont); + p256_coord_mul(Z2_mont, Z2_mont, Z2_mont); fiat_p256_felem r_Z2; - fiat_p256_from_words(r_Z2, r->words); // r < order < p, so this is valid. - fiat_p256_mul(r_Z2, r_Z2, Z2_mont); + OPENSSL_memcpy(r_Z2, r->words, 32); // r < order < p, so this is valid. + p256_coord_mul(r_Z2, r_Z2, Z2_mont); fiat_p256_felem X; fiat_p256_from_generic(X, &p->X); @@ -541,7 +604,7 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, // During signing the x coefficient is reduced modulo the group order. // Therefore there is a small possibility, less than 1/2^128, that group_order - // < p.x < P. in that case we need not only to compare against |r| but also to + // < p.x < P. in that case we need not only to compare against `r` but also to // compare against r+group_order. assert(group->field.N.width == group->order.N.width); EC_FELEM tmp; @@ -550,7 +613,7 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, if (carry == 0 && bn_less_than_words(tmp.words, group->field.N.d, group->field.N.width)) { fiat_p256_from_generic(r_Z2, &tmp); - fiat_p256_mul(r_Z2, r_Z2, Z2_mont); + p256_coord_mul(r_Z2, r_Z2, Z2_mont); if (OPENSSL_memcmp(&r_Z2, &X, sizeof(r_Z2)) == 0) { return 1; } 
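Review bot: In the first hunk on this line (`@@ -525,11 +588,11 @@`), the copy of `r` into `r_Z2` now uses a literal length, `OPENSSL_memcpy(r_Z2, r->words, 32);`, in place of the named `fiat_p256_from_words` conversion. The comparison later in the same function (third hunk on this line) already sizes itself with `sizeof(r_Z2)`, so I would write `OPENSSL_memcpy(r_Z2, r->words, sizeof(r_Z2));` and keep the trailing `// r < order < p, so this is valid.` comment, which ties the length to the destination type. The body of ec_GFp_nistp256_cmp_x_coordinate starts and ends outside this hunk.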
@@ -559,6 +622,56 @@ static int ec_GFp_nistp256_cmp_x_coordinate(const EC_GROUP *group, return 0; } +static void ec_GFp_nistp256_point_mul(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *p, + const EC_SCALAR *scalar) { + fiat_p256_felem t[3]; + fiat_p256_from_generic(t[0], &p->X); + fiat_p256_from_generic(t[1], &p->Y); + fiat_p256_from_generic(t[2], &p->Z); + p256_point_mul(t, t, (uint8_t *)scalar->words); + + fiat_p256_to_generic(&r->X, t[0]); + fiat_p256_to_generic(&r->Y, t[1]); + fiat_p256_to_generic(&r->Z, t[2]); +} + +static void ec_GFp_nistp256_point_mul_base(const EC_GROUP *group, + EC_JACOBIAN *r, const EC_SCALAR *s) { + alignas(32) fiat_p256_felem ret[3]; + p256_point_mul_base(ret, (uint8_t *)s->words); + fiat_p256_to_generic(&r->X, ret[0]); + fiat_p256_to_generic(&r->Y, ret[1]); + fiat_p256_to_generic(&r->Z, ret[2]); +} + +static void ec_GFp_nistp256_add(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a, const EC_JACOBIAN *b) { + fiat_p256_felem p[3], q[3]; + fiat_p256_from_generic(p[0], &a->X); + fiat_p256_from_generic(p[1], &a->Y); + fiat_p256_from_generic(p[2], &a->Z); + fiat_p256_from_generic(q[0], &b->X); + fiat_p256_from_generic(q[1], &b->Y); + fiat_p256_from_generic(q[2], &b->Z); + p256_point_add_vartime_if_doubling((uintptr_t)p, (uintptr_t)p, (uintptr_t)q); + fiat_p256_to_generic(&r->X, p[0]); + fiat_p256_to_generic(&r->Y, p[1]); + fiat_p256_to_generic(&r->Z, p[2]); +} + +static void ec_GFp_nistp256_dbl(const EC_GROUP *group, EC_JACOBIAN *r, + const EC_JACOBIAN *a) { + fiat_p256_felem p[3]; + fiat_p256_from_generic(p[0], &a->X); + fiat_p256_from_generic(p[1], &a->Y); + fiat_p256_from_generic(p[2], &a->Z); + p256_point_double((uintptr_t)p, (uintptr_t)p); + fiat_p256_to_generic(&r->X, p[0]); + fiat_p256_to_generic(&r->Y, p[1]); + fiat_p256_to_generic(&r->Z, p[2]); +} + BSSL_NAMESPACE_BEGIN DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) { 
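Review bot: `ec_GFp_nistp256_add` now forwards to `p256_point_add_vartime_if_doubling`, whose name says the running time differs when both inputs are the same point, yet the wrapper carries no comment telling users of the `add` method about that. I would put `// Variable-time only in the doubling case (a == b); see p256_point_add_vartime_if_doubling.` above the call, and have the author confirm that no caller reaches this with secret-dependent equal inputs. Separately, `ec_GFp_nistp256_point_mul` and `ec_GFp_nistp256_point_mul_base` pass `(uint8_t *)scalar->words` and `(uint8_t *)s->words`, which drops `const` and presents a word array as bytes, so the byte order the callee sees follows the host. The callee declarations are not in this hunk; if they take `const uint8_t *`, `(const uint8_t *)scalar->words` keeps the qualifier, and a one-line comment should state the byte order the callee expects.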
@@ -569,9 +682,8 @@ DEFINE_METHOD_FUNCTION(EC_METHOD, EC_GFp_nistp256_method) { out->mul = ec_GFp_nistp256_point_mul; out->mul_base = ec_GFp_nistp256_point_mul_base; out->mul_public = ec_GFp_nistp256_point_mul_public; - out->scalar_inv0_montgomery = ec_simple_scalar_inv0_montgomery; - out->scalar_to_montgomery_inv_vartime = - ec_simple_scalar_to_montgomery_inv_vartime; + out->scalar_inv0_montgomery = p256_order_inv0; + out->scalar_to_montgomery_inv_vartime = p256_order_mont_inv_vartime; out->cmp_x_coordinate = ec_GFp_nistp256_cmp_x_coordinate; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/p256_internal.h b/third_party/boringssl/src/crypto/fipsmodule/ec/p256_internal.h new file mode 100644 index 00000000..20b0ce70 --- /dev/null +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/p256_internal.h 
@@ -0,0 +1,193 @@ +// Copyright 2026 The BoringSSL Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// https://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef OPENSSL_HEADER_EC_P256_INTERNAL_H +#define OPENSSL_HEADER_EC_P256_INTERNAL_H + +#include +#include + +#include "../../internal.h" +#include "../../../third_party/fiat/bedrock_unverified_platform.c.inc" + +#define P256_LIMBS (32 / sizeof(bssl::crypto_word_t)) +typedef bssl::crypto_word_t fiat_p256_felem[P256_LIMBS]; + + +// Choose implementation of arithmetic in the coordinate field. + +#if defined(BORINGSSL_HAS_UINT128) +#include "../../../third_party/fiat/p256_field_64.br.c.inc" + +#include "../../../third_party/fiat/p256_64.h" +#elif defined(OPENSSL_64_BIT) +#include "../../../third_party/fiat/p256_field_64.br.c.inc" + +#include "../../../third_party/fiat/p256_64_msvc.h" +#else +#include "../../../third_party/fiat/p256_field_32.br.c.inc" + +#include "../../../third_party/fiat/p256_32.h" +// Add Bedrock versions of p256_32.h functions for p256_point.br.c.inc to call. 
+static inline void p256_coord_add(br_word_t out, br_word_t x, br_word_t y) { + fiat_p256_add((uint32_t *)out, (const uint32_t *)x, (const uint32_t *)y); +} +static inline void p256_coord_sub(br_word_t out, br_word_t x, br_word_t y) { + fiat_p256_sub((uint32_t *)out, (const uint32_t *)x, (const uint32_t *)y); +} +#endif + +extern "C" { +#if !defined(OPENSSL_NO_ASM) && (defined(__ELF__) || defined(__APPLE__)) && \ + defined(OPENSSL_X86_64) && !defined(OPENSSL_NANOLIBC) +// These functions are only available with gas and SysV ABI, used by Apple and +// ELF-based platforms. Unlike most of our SysV assembly, they currently rely on +// the SysV redzone. This trips one target which looks like it targets SysV but +// has no redzone. This happens to define `OPENSSL_NANOLIBC`, so gate on that. +// +// TODO(crbug.com/522255483): Come up with a clearer story for the redzone +// situation. +#define FIAT_P256_ADX_ASM +void fiat_p256_adx_mul(uint64_t x0[4], const uint64_t x1[4], + const uint64_t x2[4]); +void fiat_p256_adx_sqr(uint64_t x0[4], const uint64_t x1[4]); +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) +void ecp_nistz256_mul_mont(uint64_t pr[4], const uint64_t py[4], uint64_t y0, + uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3); +void ecp_nistz256_sqr_mont(uint64_t pr[4], const uint64_t py[4], uint64_t y0, + uint64_t x0, uint64_t x1, uint64_t x2, uint64_t x3); +#endif +} + +static inline void p256_coord_mul(fiat_p256_felem out, const fiat_p256_felem x, + const fiat_p256_felem y) { +#if defined(FIAT_P256_ADX_ASM) + if (bssl::CRYPTO_is_BMI1_capable() && bssl::CRYPTO_is_BMI2_capable() && + bssl::CRYPTO_is_ADX_capable()) { + return fiat_p256_adx_mul(out, x, y); + } + fiat_p256_mul(out, x, y); +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) + ecp_nistz256_mul_mont(out, y, y[0], x[0], x[1], x[2], x[3]); +#else + fiat_p256_mul(out, x, y); +#endif +} + +static inline void p256_coord_sqr(fiat_p256_felem out, + const fiat_p256_felem x) { +#if 
defined(FIAT_P256_ADX_ASM) + if (bssl::CRYPTO_is_BMI1_capable() && bssl::CRYPTO_is_BMI2_capable() && + bssl::CRYPTO_is_ADX_capable()) { + return fiat_p256_adx_sqr(out, x); + } + fiat_p256_square(out, x); +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) + ecp_nistz256_sqr_mont(out, x, x[0], x[0], x[1], x[2], x[3]); +#else + fiat_p256_square(out, x); +#endif +} + +// Add Bedrock versions of these functions for p256_point.br.c.inc to call. +static inline void p256_coord_mul(br_word_t out, br_word_t x, br_word_t y) { + p256_coord_mul((br_word_t *)out, (const br_word_t *)x, (const br_word_t *)y); +} + +static inline void p256_coord_sqr(br_word_t out, br_word_t x) { + p256_coord_sqr((br_word_t *)out, (const br_word_t *)x); +} + + +// Choose implementation of arithmetic in the field modulo curve order. + +extern "C" { + +#if !defined(OPENSSL_NO_ASM) && \ + (defined(OPENSSL_X86_64) || defined(OPENSSL_AARCH64)) +// beeu_mod_inverse_vartime sets out = a^-1 mod p using a Euclidean algorithm. +// Assumption: 0 < a < p < 2^(256) and p is odd. +int beeu_mod_inverse_vartime(BN_ULONG out[4], const BN_ULONG a[4], + const BN_ULONG p[4]); +#endif + +// P-256 scalar operations. +// +// The following functions compute modulo N, where N is the order of P-256. They +// take fully-reduced inputs and give fully-reduced outputs. + +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) +// ecp_nistz256_ord_mul_mont sets `res` to `a` * `b` where inputs and outputs +// are in Montgomery form. That is, `res` is `a` * `b` * 2^-256 mod N. +void ecp_nistz256_ord_mul_mont(BN_ULONG res[4], const BN_ULONG a[4], + const BN_ULONG b[4]); + +// ecp_nistz256_ord_sqr_mont sets `res` to `a`^(2*`rep`) where inputs and +// outputs are in Montgomery form. That is, `res` is +// (`a` * 2^-256)^(2*`rep`) * 2^256 mod N. 
+void ecp_nistz256_ord_sqr_mont(BN_ULONG res[4], const BN_ULONG a[4], + BN_ULONG rep); + +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) +void ecp_nistz256_ord_mul_mont_nohw(BN_ULONG res[4], const BN_ULONG a[4], + const BN_ULONG b[4]); +void ecp_nistz256_ord_mul_mont_adx(BN_ULONG res[4], const BN_ULONG a[4], + const BN_ULONG b[4]); + +void ecp_nistz256_ord_sqr_mont_nohw(BN_ULONG res[4], const BN_ULONG a[4], + BN_ULONG rep); +void ecp_nistz256_ord_sqr_mont_adx(BN_ULONG res[4], const BN_ULONG a[4], + BN_ULONG rep); +#endif + +} // extern C + +static inline void p256_order_mul(const EC_GROUP *group, + BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], + const BN_ULONG b[P256_LIMBS]) { +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) + return ecp_nistz256_ord_mul_mont(res, a, b); +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) + if (bssl::CRYPTO_is_BMI2_capable() && bssl::CRYPTO_is_ADX_capable()) { + return ecp_nistz256_ord_mul_mont_adx(res, a, b); + } + return ecp_nistz256_ord_mul_mont_nohw(res, a, b); +#else + const BIGNUM *order = &group->order.N; + bssl::bn_mod_mul_montgomery_small(res, a, b, order->width, &group->order); +#endif +} + +static inline void p256_order_sqr(const EC_GROUP *group, + BN_ULONG res[P256_LIMBS], + const BN_ULONG a[P256_LIMBS], BN_ULONG rep) { +#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_AARCH64) + return ecp_nistz256_ord_sqr_mont(res, a, rep); +#elif !defined(OPENSSL_NO_ASM) && defined(OPENSSL_X86_64) + if (bssl::CRYPTO_is_BMI2_capable() && bssl::CRYPTO_is_ADX_capable()) { + return ecp_nistz256_ord_sqr_mont_adx(res, a, rep); + } + return ecp_nistz256_ord_sqr_mont_nohw(res, a, rep); +#else + bssl::OPENSSL_memmove(res, a, sizeof(BN_ULONG) * P256_LIMBS); + for (BN_ULONG i = 0; i < rep; i++) { + p256_order_mul(group, res, res, res); + } +#endif +} + +#include "../../../third_party/fiat/p256_point.br.c.inc" + +#endif // OPENSSL_HEADER_EC_P256_INTERNAL_H 
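Review bot: The comment on `ecp_nistz256_ord_sqr_mont` gives the result as a^(2*rep), but the portable branch of `p256_order_sqr` in this same header squares `rep` times, which is a^(2^rep). The inversion chain earlier in this diff calls it with a count of 64 on that reading. I would correct the comment to `// ecp_nistz256_ord_sqr_mont sets res to a^(2^rep) in Montgomery form, i.e. rep successive squarings mod N.` and put the same one-line contract on `p256_order_sqr`, which has no comment at all. The portable branch returns a copy of `a` when `rep` is 0; whether the assembly routines accept zero is not visible here, so that case should be confirmed and documented as well.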
diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/scalar.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/scalar.cc.inc index 95813258..f8b06429 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/scalar.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/scalar.cc.inc @@ -164,8 +164,8 @@ int bssl::ec_simple_scalar_to_montgomery_inv_vartime(const EC_GROUP *group, // even though for this interface it is not mandatory. // r = a^-1 in the Montgomery domain. This is - // |ec_scalar_to_montgomery| followed by |ec_scalar_inv0_montgomery|, but - // |ec_scalar_inv0_montgomery| followed by |ec_scalar_from_montgomery| is + // `ec_scalar_to_montgomery` followed by `ec_scalar_inv0_montgomery`, but + // `ec_scalar_inv0_montgomery` followed by `ec_scalar_from_montgomery` is // equivalent and slightly more efficient. ec_scalar_inv0_montgomery(group, r, a); ec_scalar_from_montgomery(group, r, r); diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/simple.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/simple.cc.inc index bd3dd1e4..3095ef7c 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/simple.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/simple.cc.inc @@ -99,7 +99,7 @@ void bssl::ec_GFp_simple_point_copy(EC_JACOBIAN *dest, const EC_JACOBIAN *src) { void bssl::ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_JACOBIAN *point) { // Although it is strictly only necessary to zero Z, we zero the entire point - // in case |point| was stack-allocated and yet to be initialized. + // in case `point` was stack-allocated and yet to be initialized. ec_GFp_simple_point_init(point); } 
@@ -177,7 +177,7 @@ int bssl::ec_GFp_simple_points_equal(const EC_GROUP *group, // restore this optimization by keeping better track of affine vs. Jacobian // forms. See https://crbug.com/boringssl/326. - // If neither |a| or |b| is infinity, we have to decide whether + // If neither `a` or `b` is infinity, we have to decide whether // (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), // or equivalently, whether // (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3). @@ -209,7 +209,7 @@ int bssl::ec_GFp_simple_points_equal(const EC_GROUP *group, int bssl::ec_affine_jacobian_equal(const EC_GROUP *group, const EC_AFFINE *a, const EC_JACOBIAN *b) { - // If |b| is not infinity, we have to decide whether + // If `b` is not infinity, we have to decide whether // (X_a, Y_a) = (X_b/Z_b^2, Y_b/Z_b^3), // or equivalently, whether // (X_a*Z_b^2, Y_a*Z_b^3) = (X_b, Y_b). @@ -236,7 +236,7 @@ int bssl::ec_GFp_simple_cmp_x_coordinate(const EC_GROUP *group, const EC_JACOBIAN *p, const EC_SCALAR *r) { if (ec_GFp_simple_is_at_infinity(group, p)) { - // |ec_get_x_coordinate_as_scalar| will check this internally, but this way + // `ec_get_x_coordinate_as_scalar` will check this internally, but this way // we do not push to the error queue. return 0; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/simple_mul.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/simple_mul.cc.inc index e4a665f9..baff127a 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/simple_mul.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/simple_mul.cc.inc 
@@ -30,9 +30,9 @@ void bssl::ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, const EC_JACOBIAN *p, const EC_SCALAR *scalar) { // This is a generic implementation for uncommon curves that not do not // warrant a tuned one. It uses unsigned digits so that the doubling case in - // |ec_GFp_mont_add| is always unreachable, erring on safety and simplicity. + // `ec_GFp_mont_add` is always unreachable, erring on safety and simplicity. - // Compute a table of the first 32 multiples of |p| (including infinity). + // Compute a table of the first 32 multiples of `p` (including infinity). EC_JACOBIAN precomp[32]; ec_GFp_simple_point_set_to_infinity(group, &precomp[0]); ec_GFp_simple_point_copy(&precomp[1], p); @@ -44,7 +44,7 @@ void bssl::ec_GFp_mont_mul(const EC_GROUP *group, EC_JACOBIAN *r, } } - // Divide bits in |scalar| into windows. + // Divide bits in `scalar` into windows. unsigned bits = EC_GROUP_order_bits(group); int r_is_at_infinity = 1; for (unsigned i = bits - 1; i < bits; i--) { @@ -142,7 +142,7 @@ void bssl::ec_GFp_mont_mul_batch( ec_GFp_mont_batch_precomp(group, precomp[2], 17, p2); } - // Divide bits in |scalar| into windows. + // Divide bits in `scalar` into windows. unsigned bits = EC_GROUP_order_bits(group); int r_is_at_infinity = 1; for (unsigned i = bits; i <= bits; i--) { @@ -183,7 +183,7 @@ int bssl::ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, // comb[i - 1] stores the ith element of the comb. That is, if i is // b4 * 2^4 + b3 * 2^3 + ... + b0 * 2^0, it stores k * |p|, where k is // b4 * 2^(4*stride) + b3 * 2^(3*stride) + ... + b0 * 2^(0*stride). stride - // here is |ec_GFp_mont_comb_stride|. We store at index i - 1 because the 0th + // here is `ec_GFp_mont_comb_stride`. We store at index i - 1 because the 0th // comb entry is always infinity. EC_JACOBIAN comb[(1 << EC_MONT_PRECOMP_COMB_SIZE) - 1]; unsigned stride = ec_GFp_mont_comb_stride(group); 
@@ -192,7 +192,7 @@ int bssl::ec_GFp_mont_init_precomp(const EC_GROUP *group, EC_PRECOMP *out, // entries up to 2^0 are filled. comb[(1 << 0) - 1] = *p; for (unsigned i = 1; i < EC_MONT_PRECOMP_COMB_SIZE; i++) { - // Compute entry 2^i by doubling the entry for 2^(i-1) |stride| times. + // Compute entry 2^i by doubling the entry for 2^(i-1) `stride` times. unsigned bit = 1 << i; ec_GFp_mont_dbl(group, &comb[bit - 1], &comb[bit / 2 - 1]); for (unsigned j = 1; j < stride; j++) { @@ -219,15 +219,15 @@ static void ec_GFp_mont_get_comb_window(const EC_GROUP *group, const EC_SCALAR *scalar, unsigned i) { const size_t width = group->order.N.width; unsigned stride = ec_GFp_mont_comb_stride(group); - // Select the bits corresponding to the comb shifted up by |i|. + // Select the bits corresponding to the comb shifted up by `i`. unsigned window = 0; for (unsigned j = 0; j < EC_MONT_PRECOMP_COMB_SIZE; j++) { window |= bn_is_bit_set_words(scalar->words, width, j * stride + i) << j; } - // Select precomp->comb[window - 1]. If |window| is zero, |match| will always - // be zero, which will leave |out| at infinity. + // Select precomp->comb[window - 1]. If `window` is zero, `match` will always + // be zero, which will leave `out` at infinity. OPENSSL_memset(out, 0, sizeof(EC_JACOBIAN)); for (unsigned j = 0; j < std::size(precomp->comb); j++) { BN_ULONG match = constant_time_eq_w(window, j + 1); diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/util.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/util.cc.inc index 5b98ae09..8ca2406f 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/util.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/util.cc.inc 
@@ -110,7 +110,7 @@ using namespace bssl; // is a prime that is much larger than 2^w. It also only holds when windows // are applied from most significant to least significant, doubling between each // window. It does not apply to more complex table strategies such as -// |EC_GFp_nistz256_method|. +// `EC_GFp_nistz256_method`. // // PROOF: // diff --git a/third_party/boringssl/src/crypto/fipsmodule/ec/wnaf.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ec/wnaf.cc.inc index 74def20d..2592e798 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ec/wnaf.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ec/wnaf.cc.inc @@ -85,8 +85,8 @@ void bssl::ec_compute_wNAF(const EC_GROUP *group, int8_t *out, out[j] = digit; - // Incorporate the next bit. Previously, |window_val| <= |next_bit|, so if - // we shift and add at most one copy of |bit|, this will continue to hold + // Incorporate the next bit. Previously, `window_val` <= `next_bit`, so if + // we shift and add at most one copy of `bit`, this will continue to hold // afterwards. window_val >>= 1; window_val += bit * bn_is_bit_set_words(scalar->words, group->order.N.width, @@ -98,7 +98,7 @@ void bssl::ec_compute_wNAF(const EC_GROUP *group, int8_t *out, assert(window_val == 0); } -// compute_precomp sets |out[i]| to (2*i+1)*p, for i from 0 to |len|. +// compute_precomp sets `out[i]` to (2*i+1)*p, for i from 0 to `len`. static void compute_precomp(const EC_GROUP *group, EC_JACOBIAN *out, const EC_JACOBIAN *p, size_t len) { ec_GFp_simple_point_copy(&out[0], p); 
@@ -120,10 +120,10 @@ static void lookup_precomp(const EC_GROUP *group, EC_JACOBIAN *out, } } -// EC_WNAF_WINDOW_BITS is the window size to use for |ec_GFp_mont_mul_public|. +// EC_WNAF_WINDOW_BITS is the window size to use for `ec_GFp_mont_mul_public`. #define EC_WNAF_WINDOW_BITS 4 -// EC_WNAF_TABLE_SIZE is the table size to use for |ec_GFp_mont_mul_public|. +// EC_WNAF_TABLE_SIZE is the table size to use for `ec_GFp_mont_mul_public`. #define EC_WNAF_TABLE_SIZE (1 << (EC_WNAF_WINDOW_BITS - 1)) // EC_WNAF_STACK is the number of points worth of data to stack-allocate and diff --git a/third_party/boringssl/src/crypto/fipsmodule/ecdsa/ecdsa.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/ecdsa/ecdsa.cc.inc index 463fc669..b44fbd4b 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ecdsa/ecdsa.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/ecdsa/ecdsa.cc.inc @@ -31,7 +31,7 @@ using namespace bssl; -// digest_to_scalar interprets |digest_len| bytes from |digest| as a scalar for +// digest_to_scalar interprets `digest_len` bytes from `digest` as a scalar for // ECDSA. static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out, const uint8_t *digest, size_t digest_len) { @@ -49,8 +49,8 @@ static void digest_to_scalar(const EC_GROUP *group, EC_SCALAR *out, bn_rshift_words(out->words, out->words, 8 - (num_bits & 0x7), order->width); } - // |out| now has the same bit width as |order|, but this only bounds by - // 2*|order|. Subtract the order if out of range. + // `out` now has the same bit width as `order`, but this only bounds by + // 2*`order`. Subtract the order if out of range. // // Montgomery multiplication accepts the looser bounds, so this isn't strictly // necessary, but it is a cleaner abstraction and has no performance impact. 
@@ -89,8 +89,8 @@ int bssl::ecdsa_verify_fixed_no_self_test(const uint8_t *digest, // u1 = m * s^-1 mod order // u2 = r * s^-1 mod order // - // |s_inv_mont| is in Montgomery form while |m| and |r| are not, so |u1| and - // |u2| will be taken out of Montgomery form, as desired. + // `s_inv_mont` is in Montgomery form while `m` and `r` are not, so `u1` and + // `u2` will be taken out of Montgomery form, as desired. digest_to_scalar(group, &m, digest, digest_len); ec_scalar_mul_montgomery(group, &u1, &m, &s_inv_mont); ec_scalar_mul_montgomery(group, &u2, &r, &s_inv_mont); @@ -144,7 +144,7 @@ static int ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, uint8_t *sig, } // s = priv_key * r. Note if only one parameter is in the Montgomery domain, - // |ec_scalar_mod_mul_montgomery| will compute the answer in the normal + // `ec_scalar_mod_mul_montgomery` will compute the answer in the normal // domain. EC_SCALAR s; ec_scalar_to_montgomery(group, &s, &r); @@ -156,9 +156,9 @@ static int ecdsa_sign_impl(const EC_GROUP *group, int *out_retry, uint8_t *sig, ec_scalar_add(group, &s, &s, &tmp); // s = k^-1 * (m + priv_key * r). First, we compute k^-1 in the Montgomery - // domain. This is |ec_scalar_to_montgomery| followed by - // |ec_scalar_inv0_montgomery|, but |ec_scalar_inv0_montgomery| followed by - // |ec_scalar_from_montgomery| is equivalent and slightly more efficient. + // domain. This is `ec_scalar_to_montgomery` followed by + // `ec_scalar_inv0_montgomery`, but `ec_scalar_inv0_montgomery` followed by + // `ec_scalar_from_montgomery` is equivalent and slightly more efficient. // Then, as above, only one parameter is in the Montgomery domain, so the // result is in the normal domain. Finally, note k is non-zero (or computing r // would fail), so the inverse must exist. 
@@ -264,7 +264,7 @@ int bssl::ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, goto out; } - // TODO(davidben): Move this inside |ec_random_nonzero_scalar| or lower, so + // TODO(davidben): Move this inside `ec_random_nonzero_scalar` or lower, so // that all scalars we generate are, by default, secret. CONSTTIME_SECRET(k.words, sizeof(k.words)); diff --git a/third_party/boringssl/src/crypto/fipsmodule/ecdsa/internal.h b/third_party/boringssl/src/crypto/fipsmodule/ecdsa/internal.h index 622b688c..90cf9c50 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/ecdsa/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/ecdsa/internal.h @@ -26,21 +26,21 @@ BSSL_NAMESPACE_BEGIN // fixed-width, big-endian format from IEEE P1363. #define ECDSA_MAX_FIXED_LEN (2 * EC_MAX_BYTES) -// ecdsa_sign_fixed behaves like |ECDSA_sign| but uses the fixed-width, +// ecdsa_sign_fixed behaves like `ECDSA_sign` but uses the fixed-width, // big-endian format from IEEE P1363. int ecdsa_sign_fixed(const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len, size_t max_sig_len, const EC_KEY *key); // ecdsa_sign_fixed_with_nonce_for_known_answer_test behaves like -// |ecdsa_sign_fixed| but takes a caller-supplied nonce. This function is used +// `ecdsa_sign_fixed` but takes a caller-supplied nonce. This function is used // as part of known-answer tests in the FIPS module. int ecdsa_sign_fixed_with_nonce_for_known_answer_test( const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len, size_t max_sig_len, const EC_KEY *key, const uint8_t *nonce, size_t nonce_len); -// ecdsa_verify_fixed behaves like |ECDSA_verify| but uses the fixed-width, +// ecdsa_verify_fixed behaves like `ECDSA_verify` but uses the fixed-width, // big-endian format from IEEE P1363. int ecdsa_verify_fixed(const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, const EC_KEY *key); 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/entropy/sha512.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/entropy/sha512.cc.inc index 53512a86..1d954d0a 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/entropy/sha512.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/entropy/sha512.cc.inc @@ -74,8 +74,8 @@ void SHA384_Init(SHA512_CTX *sha) { } void SHA384_Final(uint8_t out[kSHA384DigestLength], SHA512_CTX *sha) { - // This function must be paired with |SHA384_Init|, which sets - // |sha->md_len| to |kSHA384DigestLength|. + // This function must be paired with `SHA384_Init`, which sets + // `sha->md_len` to `kSHA384DigestLength`. sha512_final_impl(out, kSHA384DigestLength, sha); return; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/hmac/hmac.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/hmac/hmac.cc.inc index 62117602..c753fae3 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/hmac/hmac.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/hmac/hmac.cc.inc @@ -98,10 +98,10 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len, md = ctx->md; } - // If either |key| is non-NULL or |md| has changed, initialize with a new key + // If either `key` is non-NULL or `md` has changed, initialize with a new key // rather than rewinding the previous one. // - // TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is + // TODO(davidben,eroman): Passing the previous `md` with a NULL `key` is // ambiguous between using the empty key and reusing the previous key. There // exist callers which intend the latter, but the former is an awkward edge // case. Fix to API to avoid this. 
@@ -165,7 +165,7 @@ int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len) { FIPS_service_indicator_lock_state(); // TODO(davidben): The only thing that can officially fail here is - // |EVP_MD_CTX_copy_ex|, but even that should be impossible in this case. + // `EVP_MD_CTX_copy_ex`, but even that should be impossible in this case. if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i) || !EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx) || !EVP_DigestUpdate(&ctx->md_ctx, buf, i) || diff --git a/third_party/boringssl/src/crypto/fipsmodule/keccak/internal.h b/third_party/boringssl/src/crypto/fipsmodule/keccak/internal.h index ff10c444..4d11b48b 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/keccak/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/keccak/internal.h 
@@ -45,28 +45,28 @@ struct BORINGSSL_keccak_st { size_t squeeze_offset; }; -// BORINGSSL_keccak hashes |in_len| bytes from |in| and writes |out_len| bytes -// of output to |out|. If the |config| specifies a fixed-output function, like -// SHA3-256, then |out_len| must be the correct length for that function. +// BORINGSSL_keccak hashes `in_len` bytes from `in` and writes `out_len` bytes +// of output to `out`. If the `config` specifies a fixed-output function, like +// SHA3-256, then `out_len` must be the correct length for that function. OPENSSL_EXPORT void BORINGSSL_keccak(uint8_t *out, size_t out_len, const uint8_t *in, size_t in_len, enum boringssl_keccak_config_t config); -// BORINGSSL_keccak_init prepares |ctx| for absorbing. If the |config| specifies +// BORINGSSL_keccak_init prepares `ctx` for absorbing. If the `config` specifies // a fixed-output function, like SHA3-256, then the output must be squeezed in a -// single call to |BORINGSSL_keccak_squeeze|. In that case, it is recommended to -// use |BORINGSSL_keccak| if the input can be absorbed in a single call. +// single call to `BORINGSSL_keccak_squeeze`. In that case, it is recommended to +// use `BORINGSSL_keccak` if the input can be absorbed in a single call. OPENSSL_EXPORT void BORINGSSL_keccak_init( struct BORINGSSL_keccak_st *ctx, enum boringssl_keccak_config_t config); -// BORINGSSL_keccak_absorb absorbs |in_len| bytes from |in|. +// BORINGSSL_keccak_absorb absorbs `in_len` bytes from `in`. OPENSSL_EXPORT void BORINGSSL_keccak_absorb(struct BORINGSSL_keccak_st *ctx, const uint8_t *in, size_t in_len); -// BORINGSSL_keccak_squeeze writes |out_len| bytes to |out| from |ctx|. If the -// configuration previously passed in |BORINGSSL_keccak_init| specifies a -// fixed-output function, then a single call to |BORINGSSL_keccak_squeeze| is -// allowed, where |out_len| must be the correct length for that function. +// BORINGSSL_keccak_squeeze writes `out_len` bytes to `out` from `ctx`. 
If the +// configuration previously passed in `BORINGSSL_keccak_init` specifies a +// fixed-output function, then a single call to `BORINGSSL_keccak_squeeze` is +// allowed, where `out_len` must be the correct length for that function. OPENSSL_EXPORT void BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, uint8_t *out, size_t out_len); @@ -84,8 +84,8 @@ OPENSSL_EXPORT void BORINGSSL_keccak_squeeze_x2( struct BORINGSSL_keccak_st ctx[2], uint8_t *outs[2], size_t out_len); // BORINGSSL_keccak_short_x2 performs BORINGSSL_keccak in parallel on two -// same-length strings with same-length outputs. |in_len| must be less than 72 -// (or actually |rate_bytes|). +// same-length strings with same-length outputs. `in_len` must be less than 72 +// (or actually `rate_bytes`). OPENSSL_EXPORT void BORINGSSL_keccak_short_x2( uint8_t *outs[2], size_t out_len, const uint8_t *ins[2], size_t in_len, enum boringssl_keccak_config_t config); diff --git a/third_party/boringssl/src/crypto/fipsmodule/keccak/keccak.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/keccak/keccak.cc.inc index 5008cd46..264c7415 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/keccak/keccak.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/keccak/keccak.cc.inc @@ -232,8 +232,8 @@ void bssl::BORINGSSL_keccak_absorb(struct BORINGSSL_keccak_st *ctx, } const size_t rate_words = ctx->rate_bytes / 8; - // XOR the input. Accessing |ctx->state| as a |uint8_t*| is allowed by strict - // aliasing because we require |uint8_t| to be a character type. + // XOR the input. Accessing `ctx->state` as a `uint8_t*` is allowed by strict + // aliasing because we require `uint8_t` to be a character type. uint8_t *state_bytes = (uint8_t *)ctx->state; // Absorb partial block. 
@@ -287,8 +287,8 @@ static uint8_t keccak_terminator(struct BORINGSSL_keccak_st *ctx) { } static void keccak_finalize(struct BORINGSSL_keccak_st *ctx) { - // XOR the terminator. Accessing |ctx->state| as a |uint8_t*| is allowed by - // strict aliasing because we require |uint8_t| to be a character type. + // XOR the terminator. Accessing `ctx->state` as a `uint8_t*` is allowed by + // strict aliasing because we require `uint8_t` to be a character type. uint8_t *state_bytes = (uint8_t *)ctx->state; state_bytes[ctx->absorb_offset] ^= keccak_terminator(ctx); state_bytes[ctx->rate_bytes - 1] ^= 0x80; @@ -298,8 +298,8 @@ static void keccak_finalize(struct BORINGSSL_keccak_st *ctx) { #if defined(HAVE_KECCAK_X2) static void keccak_finalize_x2(struct BORINGSSL_keccak_st ctx[2]) { for (size_t i = 0; i < 2; ++i) { - // XOR the terminator. Accessing |ctx->state| as a |uint8_t*| is allowed by - // strict aliasing because we require |uint8_t| to be a character type. + // XOR the terminator. Accessing `ctx->state` as a `uint8_t*` is allowed by + // strict aliasing because we require `uint8_t` to be a character type. uint8_t *state_bytes = (uint8_t *)ctx[i].state; state_bytes[ctx[i].absorb_offset] ^= keccak_terminator(&ctx[i]); state_bytes[ctx[i].rate_bytes - 1] ^= 0x80; @@ -323,8 +323,8 @@ void bssl::BORINGSSL_keccak_squeeze(struct BORINGSSL_keccak_st *ctx, ctx->phase = boringssl_keccak_phase_squeeze; } - // Accessing |ctx->state| as a |uint8_t*| is allowed by strict aliasing - // because we require |uint8_t| to be a character type. + // Accessing `ctx->state` as a `uint8_t*` is allowed by strict aliasing + // because we require `uint8_t` to be a character type. const uint8_t *state_bytes = (const uint8_t *)ctx->state; while (out_len) { if (ctx->squeeze_offset == ctx->rate_bytes) { 
@@ -375,8 +375,8 @@ void bssl::BORINGSSL_keccak_squeeze_x2(struct BORINGSSL_keccak_st ctx[2], ctx->phase = boringssl_keccak_phase_squeeze; } - // Accessing |ctx->state| as a |uint8_t*| is allowed by strict aliasing - // because we require |uint8_t| to be a character type. + // Accessing `ctx->state` as a `uint8_t*` is allowed by strict aliasing + // because we require `uint8_t` to be a character type. uint8_t *optr[2] = {outs[0], outs[1]}; while (out_len) { if (ctx->squeeze_offset == ctx->rate_bytes) { diff --git a/third_party/boringssl/src/crypto/fipsmodule/mldsa/mldsa.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/mldsa/mldsa.cc.inc index 4bd38854..d5d1e963 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/mldsa/mldsa.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/mldsa/mldsa.cc.inc @@ -62,8 +62,9 @@ constexpr uint32_t kPrime = 8380417; constexpr uint32_t kPrimeNegInverse = 4236238847; constexpr int kDroppedBits = 13; constexpr uint32_t kHalfPrime = (kPrime - 1) / 2; -// 256^-1 mod kPrime, in Montgomery form. -constexpr uint32_t kInverseDegreeMontgomery = 41978; +// 256^-1 * R^2 mod kPrime. This is not 256^-1 in Montgomery form, but 256^-1 +// doubly-converted to Montgomery form. +constexpr uint32_t kInverseDegreeDoubleMontgomery = 41978; // Constants that vary depending on ML-DSA size. // @@ -303,7 +304,7 @@ inline uint32_t reduce_once(uint32_t x) { // We usually add value barriers to selects because Clang turns consecutive // selects with the same condition into a branch instead of CMOV/CSEL. This // condition does not occur in ML-DSA, so omitting it seems to be generally - // safe. However, see |coefficient_from_nibble|. + // safe. However, see `coefficient_from_nibble`. return (mask & x) | (~mask & subtracted); } 
@@ -341,7 +342,7 @@ inline uint32_t mod_sub(uint32_t a, uint32_t b) { uint32_t r = a - b; // return r < 0 ? r + kPrime : r; uint32_t mask = 0u - (r >> 31); - // See |reduce_once| for why this does not have a value barrier. + // See `reduce_once` for why this does not have a value barrier. return (mask & (r + kPrime)) | (~mask & r); } @@ -366,8 +367,11 @@ inline uint32_t reduce_montgomery(uint64_t x) { return reduce_once(c); } -// Multiply two scalars in the number theoretically transformed state. -inline void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) { +// Montgomery-multiply two scalars in the number theoretically transformed +// state. Each term gains an extra R^-1 term, which is expected to be canceled +// by `scalar_inverse_ntt_montgomery`. +inline void scalar_mult_montgomery(scalar *out, const scalar *lhs, + const scalar *rhs) { for (int i = 0; i < kDegree; i++) { out->c[i] = reduce_montgomery((uint64_t)lhs->c[i] * (uint64_t)rhs->c[i]); } 
@@ -377,63 +381,85 @@ inline void scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs) { // // FIPS 204, Algorithm 41 (`NTT`). inline void scalar_ntt(scalar *s) { - // Step: 1, 2, 4, 8, ..., 128 - // Offset: 128, 64, 32, 16, ..., 1 - int offset = kDegree; - for (int step = 1; step < kDegree; step <<= 1) { - offset >>= 1; - int k = 0; - for (int i = 0; i < step; i++) { - assert(k == 2 * offset * i); - const uint32_t step_root = kNTTRootsMontgomery[step + i]; - for (int j = k; j < k + offset; j++) { - uint32_t even = s->c[j]; - // |reduce_montgomery| works on values up to kPrime*R and R > 2*kPrime. - // |step_root| < kPrime because it's static data. |s->c[...]| is < - // kPrime by the invariants of that struct. - uint32_t odd = - reduce_montgomery((uint64_t)step_root * (uint64_t)s->c[j + offset]); - s->c[j] = reduce_once(odd + even); - s->c[j + offset] = mod_sub(even, odd); - } - k += 2 * offset; - } - } -} - -// In place inverse number theoretic transform of a given scalar. + // Manually unrolled loop to maximize vectorization. +#define ITER(step, offset) \ + { \ + int k = 0; \ + for (int i = 0; i < step; i++) { \ + const uint32_t step_root = kNTTRootsMontgomery[step + i]; \ + for (int j = k; j < k + offset; j++) { \ + uint32_t even = s->c[j]; \ + /* `reduce_montgomery` works on values up to kPrime*R and R \ + * 2*kPrime. `step_root` < kPrime because it's static data. \ + * `s->c[...]` is < kPrime by the invariants of that struct. */ \ + uint32_t odd = reduce_montgomery((uint64_t)step_root * \ + (uint64_t)s->c[j + offset]); \ + s->c[j] = reduce_once(odd + even); \ + s->c[j + offset] = mod_sub(even, odd); \ + } \ + k += 2 * offset; \ + } \ + } + + ITER(1, 128) + ITER(2, 64) + ITER(4, 32) + ITER(8, 16) + ITER(16, 8) + ITER(32, 4) + ITER(64, 2) + ITER(128, 1) + static_assert(kDegree == 256); +#undef ITER +} + +// In place inverse number theoretic transform of a given scalar, but with each +// term multiplied by an extra factor of R. 
This is function is intended to be +// used with products that have gone through `reduce_montgomery` one extra time, +// so the extra R^-1 term is canceled out. // // FIPS 204, Algorithm 42 (`NTT^-1`). -inline void scalar_inverse_ntt(scalar *s) { - // Step: 128, 64, 32, 16, ..., 1 - // Offset: 1, 2, 4, 8, ..., 128 - int step = kDegree; - for (int offset = 1; offset < kDegree; offset <<= 1) { - step >>= 1; - int k = 0; - for (int i = 0; i < step; i++) { - assert(k == 2 * offset * i); - const uint32_t step_root = - kPrime - kNTTRootsMontgomery[step + (step - 1 - i)]; - for (int j = k; j < k + offset; j++) { - uint32_t even = s->c[j]; - uint32_t odd = s->c[j + offset]; - s->c[j] = reduce_once(odd + even); - - // |reduce_montgomery| works on values up to kPrime*R and R > 2*kPrime. - // kPrime + even < 2*kPrime because |even| < kPrime, by the invariants - // of that structure. Thus kPrime + even - odd < 2*kPrime because odd >= - // 0, because it's unsigned and less than kPrime. Lastly step_root < - // kPrime, because |kNTTRootsMontgomery| is static data. - s->c[j + offset] = reduce_montgomery((uint64_t)step_root * - (uint64_t)(kPrime + even - odd)); - } - k += 2 * offset; - } - } +inline void scalar_inverse_ntt_montgomery(scalar *s) { + // Manually unrolled loop to maximize vectorization. +#define ITER(step, offset) \ + { \ + int k = 0; \ + for (int i = 0; i < step; i++) { \ + const uint32_t step_root = \ + kPrime - kNTTRootsMontgomery[step + (step - 1 - i)]; \ + for (int j = k; j < k + offset; j++) { \ + uint32_t even = s->c[j]; \ + uint32_t odd = s->c[j + offset]; \ + s->c[j] = reduce_once(odd + even); \ + /* `reduce_montgomery` works on values up to kPrime*R and R > \ + * 2*kPrime. kPrime + even < 2*kPrime because `even` < kPrime, by the \ + * invariants of that structure. Thus kPrime + even - odd < 2*kPrime \ + * because odd >= 0, because it's unsigned and less than kPrime. \ + * Lastly step_root < kPrime, because `kNTTRootsMontgomery` is static \ + * data. 
*/ \ + s->c[j + offset] = reduce_montgomery((uint64_t)step_root * \ + (uint64_t)(kPrime + even - odd)); \ + } \ + k += 2 * offset; \ + } \ + } + + ITER(128, 1) + ITER(64, 2) + ITER(32, 4) + ITER(16, 8) + ITER(8, 16) + ITER(4, 32) + ITER(2, 64) + ITER(1, 128) + static_assert(kDegree == 256); +#undef ITER + + // `kInverseDegreeDoubleMontgomery` has been double-converted to Montgomery + // form, so the result is an extra R term in the final result. for (int i = 0; i < kDegree; i++) { - s->c[i] = reduce_montgomery((uint64_t)s->c[i] * - (uint64_t)kInverseDegreeMontgomery); + s->c[i] = reduce_montgomery(uint64_t{s->c[i]} * + uint64_t{kInverseDegreeDoubleMontgomery}); } } @@ -459,10 +485,10 @@ inline void vector_sub(vector *out, const vector *lhs, } template -inline void vector_mult_scalar(vector *out, const vector *lhs, - const scalar *rhs) { +inline void vector_mult_scalar_montgomery(vector *out, const vector *lhs, + const scalar *rhs) { for (int i = 0; i < X; i++) { - scalar_mult(&out->v[i], &lhs->v[i], rhs); + scalar_mult_montgomery(&out->v[i], &lhs->v[i], rhs); } } @@ -474,20 +500,20 @@ inline void vector_ntt(vector *a) { } template -inline void vector_inverse_ntt(vector *a) { +inline void vector_inverse_ntt_montgomery(vector *a) { for (int i = 0; i < X; i++) { - scalar_inverse_ntt(&a->v[i]); + scalar_inverse_ntt_montgomery(&a->v[i]); } } template -inline void matrix_mult(vector *out, const matrix *m, - const vector *a) { +inline void matrix_mult_montgomery(vector *out, const matrix *m, + const vector *a) { vector_zero(out); for (int i = 0; i < K; i++) { for (int j = 0; j < L; j++) { scalar product; - scalar_mult(&product, &m->v[i][j], &a->v[j]); + scalar_mult_montgomery(&product, &m->v[i][j], &a->v[j]); scalar_add(&out->v[i], &out->v[i], &product); } } 
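Review bot: The unrolled `ITER(step, offset)` calls in `scalar_ntt` and `scalar_inverse_ntt_montgomery` hard-code each step/offset pair, and the loop that used to derive one from the other is gone, along with `assert(k == 2 * offset * i)`. The trailing `static_assert(kDegree == 256)` pins the degree but not the individual pairs, so a mistyped pair could make `s->c[j + offset]` index outside the scalar (presumably `kDegree` coefficients) with nothing to catch it. I would add `static_assert(2 * (step) * (offset) == kDegree, "ITER must cover the scalar exactly");` as the first statement of both macro bodies, with the usual line continuation. Separately, the new header comment for the inverse transform reads "This is function is intended" and should read "This function is intended".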
@@ -600,8 +626,8 @@ inline uint32_t use_hint_vartime(uint32_t h, uint32_t r) { if (h) { if constexpr (prime_minus_one_over_gamma2() == 32) { if (r0 > 0) { - // (Q-1)/(2 gamma2) = m = 16, thus |mod m| in the spec turns into |& - // 15|. + // (Q-1)/(2 gamma2) = m = 16, thus `mod m` in the spec turns into + // `& 15`. return (r1 + 1) & 15; } else { return (r1 - 1) & 15; @@ -760,8 +786,12 @@ inline void vector_use_hint_vartime(vector *out, const vector *h, /* Bit packing */ +template +inline void scalar_encode(uint8_t *out, const scalar *s); + // FIPS 204, Algorithm 16 (`SimpleBitPack`). Specialized to bitlen(b) = 4. -inline void scalar_encode_4(uint8_t out[128], const scalar *s) { +template <> +inline void scalar_encode<4>(uint8_t out[128], const scalar *s) { // Every two elements lands on a byte boundary. static_assert(kDegree % 2 == 0, "kDegree must be a multiple of 2"); for (int i = 0; i < kDegree / 2; i++) { @@ -774,7 +804,8 @@ inline void scalar_encode_4(uint8_t out[128], const scalar *s) { } // FIPS 204, Algorithm 16 (`SimpleBitPack`). Specialized to bitlen(b) = 6. -inline void scalar_encode_6(uint8_t out[192], const scalar *s) { +template <> +inline void scalar_encode<6>(uint8_t out[192], const scalar *s) { // Every four elements lands on a byte boundary. static_assert(kDegree % 4 == 0, "kDegree must be a multiple of 4"); for (int i = 0; i < kDegree / 4; i++) { @@ -793,7 +824,8 @@ inline void scalar_encode_6(uint8_t out[192], const scalar *s) { } // FIPS 204, Algorithm 16 (`SimpleBitPack`). Specialized to bitlen(b) = 10. -inline void scalar_encode_10(uint8_t out[320], const scalar *s) { +template <> +inline void scalar_encode<10>(uint8_t out[320], const scalar *s) { // Every four elements lands on a byte boundary. static_assert(kDegree % 4 == 0, "kDegree must be a multiple of 4"); for (int i = 0; i < kDegree / 4; i++) { 
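Review bot: The primary template `scalar_encode` added in the bit-packing hunk is declared but never defined, so a call with a width that has no specialization is not rejected where it is written. Depending on the toolchain it would show up as an undefined-inline warning or only as a link error. The same pattern is used for `scalar_encode_signed`, `scalar_decode` and `scalar_decode_signed` in the later hunks, where the signed variants replace runtime dispatchers that at least hit `assert` or `abort()` on an unknown width. Ending each primary declaration with `= delete;` instead of `;` keeps the explicit specializations valid and makes an unsupported parameter set a compile error at the call site. The template parameter lists are not visible on this page, so the full declarations are not quoted here.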
@@ -813,8 +845,12 @@ inline void scalar_encode_10(uint8_t out[320], const scalar *s) { } } +template +inline void scalar_encode_signed(uint8_t *out, const scalar *s); + // FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 4 and b = 4. -inline void scalar_encode_signed_4_4(uint8_t out[128], const scalar *s) { +template <> +inline void scalar_encode_signed<4, 4>(uint8_t out[128], const scalar *s) { // Every two elements lands on a byte boundary. static_assert(kDegree % 2 == 0, "kDegree must be a multiple of 2"); for (int i = 0; i < kDegree / 2; i++) { @@ -827,7 +863,8 @@ inline void scalar_encode_signed_4_4(uint8_t out[128], const scalar *s) { } // FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 3 and b = 2. -inline void scalar_encode_signed_3_2(uint8_t out[96], const scalar *s) { +template <> +inline void scalar_encode_signed<3, 2>(uint8_t out[96], const scalar *s) { static_assert(kDegree % 8 == 0, "kDegree must be a multiple of 8"); for (int i = 0; i < kDegree / 8; i++) { uint32_t a = mod_sub(2, s->c[8 * i]); @@ -848,7 +885,9 @@ inline void scalar_encode_signed_3_2(uint8_t out[96], const scalar *s) { // FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 13 and b = // 2^12. -inline void scalar_encode_signed_13_12(uint8_t out[416], const scalar *s) { +template <> +inline void scalar_encode_signed<13, (1u << 12)>(uint8_t out[416], + const scalar *s) { static const uint32_t kMax = 1u << 12; // Every two elements lands on a byte boundary. static_assert(kDegree % 8 == 0, "kDegree must be a multiple of 8"); 
@@ -888,7 +927,9 @@ inline void scalar_encode_signed_13_12(uint8_t out[416], const scalar *s) { // FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 20 and b = // 2^19. -inline void scalar_encode_signed_20_19(uint8_t out[640], const scalar *s) { +template <> +inline void scalar_encode_signed<20, (1u << 19)>(uint8_t out[640], + const scalar *s) { static const uint32_t kMax = 1u << 19; // Every two elements lands on a byte boundary. static_assert(kDegree % 4 == 0, "kDegree must be a multiple of 4"); @@ -914,7 +955,9 @@ inline void scalar_encode_signed_20_19(uint8_t out[640], const scalar *s) { // FIPS 204, Algorithm 17 (`BitPack`). Specialized to bitlen(a+b) = 18 and b = // 2^17. -inline void scalar_encode_signed_18_17(uint8_t out[576], const scalar *s) { +template <> +inline void scalar_encode_signed<18, (1u << 17)>(uint8_t out[576], + const scalar *s) { static const uint32_t kMax = 1u << 17; static_assert(kDegree % 4 == 0, "kDegree must be a multiple of 4"); for (int i = 0; i < kDegree / 4; i++) { 
@@ -938,30 +981,12 @@ inline void scalar_encode_signed_18_17(uint8_t out[576], const scalar *s) { } } -// FIPS 204, Algorithm 17 (`BitPack`). -inline void scalar_encode_signed(uint8_t *out, const scalar *s, int bits, - uint32_t max) { - if (bits == 3) { - assert(max == 2); - scalar_encode_signed_3_2(out, s); - } else if (bits == 4) { - assert(max == 4); - scalar_encode_signed_4_4(out, s); - } else if (bits == 20) { - assert(max == 1u << 19); - scalar_encode_signed_20_19(out, s); - } else if (bits == 18) { - assert(max == 1u << 17); - scalar_encode_signed_18_17(out, s); - } else { - assert(bits == 13); - assert(max == 1u << 12); - scalar_encode_signed_13_12(out, s); - } -} +template +inline void scalar_decode(scalar *out, const uint8_t *in); // FIPS 204, Algorithm 18 (`SimpleBitUnpack`). Specialized for bitlen(b) == 10. -inline void scalar_decode_10(scalar *out, const uint8_t in[320]) { +template <> +inline void scalar_decode<10>(scalar *out, const uint8_t in[320]) { static_assert(kDegree % 4 == 0, "kDegree must be a multiple of 4"); for (int i = 0; i < kDegree / 4; i++) { uint32_t v = CRYPTO_load_u32_le(&in[5 * i]); @@ -972,9 +997,13 @@ inline void scalar_decode_10(scalar *out, const uint8_t in[320]) { } } +template +inline int scalar_decode_signed(scalar *out, const uint8_t *in); + // FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 4 and b = // 4. -inline int scalar_decode_signed_4_4(scalar *out, const uint8_t in[128]) { +template <> +inline int scalar_decode_signed<4, 4>(scalar *out, const uint8_t in[128]) { static_assert(kDegree % 8 == 0, "kDegree must be a multiple of 8"); for (int i = 0; i < kDegree / 8; i++) { uint32_t v = CRYPTO_load_u32_le(&in[4 * i]); 
@@ -1003,7 +1032,8 @@ inline int scalar_decode_signed_4_4(scalar *out, const uint8_t in[128]) { // FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 3 and b = // 2. -inline int scalar_decode_signed_3_2(scalar *out, const uint8_t in[96]) { +template <> +inline int scalar_decode_signed<3, 2>(scalar *out, const uint8_t in[96]) { uint32_t v; uint8_t v_bytes[sizeof(v)] = {0}; static_assert(kDegree % 8 == 0, "kDegree must be a multiple of 8"); @@ -1036,7 +1066,9 @@ inline int scalar_decode_signed_3_2(scalar *out, const uint8_t in[96]) { // FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 13 and b = // 2^12. -inline void scalar_decode_signed_13_12(scalar *out, const uint8_t in[416]) { +template <> +inline int scalar_decode_signed<13, (1u << 12)>(scalar *out, + const uint8_t in[416]) { static const uint32_t kMax = 1u << 12; static const uint32_t k13Bits = (1u << 13) - 1; static const uint32_t k7Bits = (1u << 7) - 1; @@ -1059,11 +1091,14 @@ inline void scalar_decode_signed_13_12(scalar *out, const uint8_t in[416]) { out->c[i * 8 + 6] = mod_sub(kMax, (c >> 14) & k13Bits); out->c[i * 8 + 7] = mod_sub(kMax, (c >> 27) | ((uint32_t)d) << 5); } + return 1; } // FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 18 and b = // 2^17. -inline void scalar_decode_signed_18_17(scalar *out, const uint8_t in[576]) { +template <> +inline int scalar_decode_signed<18, (1u << 17)>(scalar *out, + const uint8_t in[576]) { static const uint32_t kMax = 1u << 17; static_assert(kDegree % 4 == 0, "kDegree must be a multiple of 4"); 
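Review bot: The 13-, 18- and 20-bit `scalar_decode_signed` specializations now return `int` to match the shared template signature, but each ends in an unconditional `return 1;` (here and in the two hunks that follow), and their comments do not say so. The `<4, 4>` and `<3, 2>` specializations already returned `int`, so presumably they can reject out-of-range input. Since the signature is now identical, a reader cannot tell which widths can actually fail. I would add a line to each of the three comments such as `// Always returns 1; no input is rejected for this width.`, so that callers keep checking the result for the widths that can fail.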
@@ -1085,11 +1120,14 @@ inline void scalar_decode_signed_18_17(scalar *out, const uint8_t in[576]) { out->c[i * 4 + 2] = mod_sub(kMax, c); out->c[i * 4 + 3] = mod_sub(kMax, d); } + return 1; } // FIPS 204, Algorithm 19 (`BitUnpack`). Specialized to bitlen(a+b) = 20 and b = // 2^19. -inline void scalar_decode_signed_20_19(scalar *out, const uint8_t in[640]) { +template <> +inline int scalar_decode_signed<20, (1u << 19)>(scalar *out, + const uint8_t in[640]) { static const uint32_t kMax = 1u << 19; static const uint32_t k20Bits = (1u << 20) - 1; @@ -1106,33 +1144,10 @@ inline void scalar_decode_signed_20_19(scalar *out, const uint8_t in[640]) { out->c[i * 4 + 2] = mod_sub(kMax, (b >> 8) & k20Bits); out->c[i * 4 + 3] = mod_sub(kMax, (b >> 28) | ((uint32_t)c) << 4); } + return 1; } -// FIPS 204, Algorithm 19 (`BitUnpack`). -inline int scalar_decode_signed(scalar *out, const uint8_t *in, int bits, - uint32_t max) { - if (bits == 3) { - assert(max == 2); - return scalar_decode_signed_3_2(out, in); - } else if (bits == 4) { - assert(max == 4); - return scalar_decode_signed_4_4(out, in); - } else if (bits == 13) { - assert(max == (1u << 12)); - scalar_decode_signed_13_12(out, in); - return 1; - } else if (bits == 18) { - assert(max == (1u << 17)); - scalar_decode_signed_18_17(out, in); - return 1; - } else if (bits == 20) { - assert(max == (1u << 19)); - scalar_decode_signed_20_19(out, in); - return 1; - } else { - abort(); - } -} + /* Expansion functions */ 
@@ -1140,29 +1155,55 @@ inline int scalar_decode_signed(scalar *out, const uint8_t *in, int bits, // // Rejection samples a Keccak stream to get uniformly distributed elements. This // is used for matrix expansion and only operates on public inputs. -inline void scalar_from_keccak_vartime( - scalar *out, const uint8_t derived_seed[kRhoBytes + 2]) { - BORINGSSL_keccak_st keccak_ctx; - BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128); - BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, kRhoBytes + 2); - assert(keccak_ctx.squeeze_offset == 0); - assert(keccak_ctx.rate_bytes == 168); +inline void scalar_from_keccak_block_vartime(scalar *out, int *done, + const uint8_t block[168]) { + for (size_t i = 0; i < 168 && *done < kDegree; i += 3) { + // FIPS 204, Algorithm 14 (`CoeffFromThreeBytes`). + uint32_t value = (uint32_t)block[i] | ((uint32_t)block[i + 1] << 8) | + (((uint32_t)block[i + 2] & 0x7f) << 16); + if (value < kPrime) { + out->c[(*done)++] = value; + } + } +} + +// FIPS 204, Algorithm 30 (`RejNTTPoly`). +// +// Rejection samples a Keccak stream to get uniformly distributed elements. This +// is used for matrix expansion and only operates on public inputs. +inline void scalar_from_keccak_vartime(scalar *out, + BORINGSSL_keccak_st *keccak_ctx) { + assert(keccak_ctx->squeeze_offset == 0); + assert(keccak_ctx->rate_bytes == 168); static_assert(168 % 3 == 0, "block and coefficient boundaries do not align"); int done = 0; while (done < kDegree) { uint8_t block[168]; - BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block)); - for (size_t i = 0; i < sizeof(block) && done < kDegree; i += 3) { - // FIPS 204, Algorithm 14 (`CoeffFromThreeBytes`). 
- uint32_t value = (uint32_t)block[i] | ((uint32_t)block[i + 1] << 8) | - (((uint32_t)block[i + 2] & 0x7f) << 16); - if (value < kPrime) { - out->c[done++] = value; - } - } + BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block)); + scalar_from_keccak_block_vartime(out, &done, block); + } +} + +#if defined(HAVE_KECCAK_X2) +inline void scalar_from_keccak_vartime_x2(scalar *out[2], + BORINGSSL_keccak_st keccak_ctx[2]) { + assert(keccak_ctx[0].squeeze_offset == 0); + assert(keccak_ctx[0].rate_bytes == 168); + assert(keccak_ctx[1].squeeze_offset == 0); + assert(keccak_ctx[1].rate_bytes == 168); + static_assert(168 % 3 == 0, "block and coefficient boundaries do not align"); + + int done[2] = {0, 0}; + while (done[0] < kDegree || done[1] < kDegree) { + uint8_t block[2][168]; + uint8_t *blocks[] = {block[0], block[1]}; + BORINGSSL_keccak_squeeze_x2(keccak_ctx, blocks, sizeof(block[0])); + scalar_from_keccak_block_vartime(out[0], &done[0], block[0]); + scalar_from_keccak_block_vartime(out[1], &done[1], block[1]); } } +#endif template inline bool coefficient_from_nibble(uint32_t nibble, uint32_t *result); @@ -1170,8 +1211,8 @@ inline bool coefficient_from_nibble(uint32_t nibble, uint32_t *result); template <> inline bool coefficient_from_nibble<4>(uint32_t nibble, uint32_t *result) { if (constant_time_declassify_int(nibble < 9)) { - // Knowing bounds on |nibble| seems to tempt some versions of Clang to emit - // a branch, if we don't have a barrier in |mod_sub|. + // Knowing bounds on `nibble` seems to tempt some versions of Clang to emit + // a branch, if we don't have a barrier in `mod_sub`. *result = mod_sub(4, value_barrier_u32(nibble)); return true; } 
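Review bot: `scalar_from_keccak_vartime` and `scalar_from_keccak_vartime_x2` now take a context prepared by the caller, but the required state is expressed only through `assert`s on `squeeze_offset` and `rate_bytes`, which are normally compiled out of release builds. Before this change the function initialised and absorbed into its own context, so those checks could not fail. I would state the precondition in the function comment, e.g. `// keccak_ctx must be a SHAKE-128 context with the derived seed absorbed and nothing squeezed yet.`, and do the same for `scalar_uniform` with its 136-byte rate in the next hunk. The `FIPS 204, Algorithm 30` header that survives as context now sits above the helper `scalar_from_keccak_block_vartime`. That helper deserves its own one-line description: it consumes one 168-byte block, appends accepted coefficients and advances `*done`.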
@@ -1181,8 +1222,8 @@ inline bool coefficient_from_nibble<4>(uint32_t nibble, uint32_t *result) { template <> inline bool coefficient_from_nibble<2>(uint32_t nibble, uint32_t *result) { if (constant_time_declassify_int(nibble < 15)) { - // Knowing bounds on |nibble| seems to tempt some versions of Clang to emit - // a branch, if we don't have a barrier in |mod_sub|. + // Knowing bounds on `nibble` seems to tempt some versions of Clang to emit + // a branch, if we don't have a barrier in `mod_sub`. // Constant time "nibble % 5". nibble = nibble - 5 * ((205 * nibble) >> 10); *result = mod_sub(2, value_barrier_u32(nibble)); 
@@ -1191,48 +1232,76 @@ inline bool coefficient_from_nibble<2>(uint32_t nibble, uint32_t *result) { return false; } +template +inline void scalar_uniform_block(scalar *out, int *done, + const uint8_t block[136]) { + for (size_t i = 0; i < 136 && *done < kDegree; ++i) { + uint32_t t0 = block[i] & 0x0F; + uint32_t t1 = block[i] >> 4; + // FIPS 204, Algorithm 15 (`CoefFromHalfByte`). Although both the input + // and output here are secret, it is OK to leak when we rejected a byte. + // Individual bytes of the SHAKE-256 stream are (indistinguishable from) + // independent of each other and the original seed, so leaking information + // about the rejected bytes does not reveal the input or output. + uint32_t v; + if (coefficient_from_nibble(t0, &v)) { + out->c[(*done)++] = v; + } + if (*done < kDegree && coefficient_from_nibble(t1, &v)) { + out->c[(*done)++] = v; + } + } +} + // FIPS 204, Algorithm 31 (`RejBoundedPoly`). template -inline void scalar_uniform(scalar *out, - const uint8_t derived_seed[kSigmaBytes + 2]) { - BORINGSSL_keccak_st keccak_ctx; - BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256); - BORINGSSL_keccak_absorb(&keccak_ctx, derived_seed, kSigmaBytes + 2); - assert(keccak_ctx.squeeze_offset == 0); - assert(keccak_ctx.rate_bytes == 136); +inline void scalar_uniform(scalar *out, BORINGSSL_keccak_st *keccak_ctx) { + assert(keccak_ctx->squeeze_offset == 0); + assert(keccak_ctx->rate_bytes == 136); int done = 0; while (done < kDegree) { uint8_t block[136]; - BORINGSSL_keccak_squeeze(&keccak_ctx, block, sizeof(block)); - for (size_t i = 0; i < sizeof(block) && done < kDegree; ++i) { - uint32_t t0 = block[i] & 0x0F; - uint32_t t1 = block[i] >> 4; - // FIPS 204, Algorithm 15 (`CoefFromHalfByte`). Although both the input - // and output here are secret, it is OK to leak when we rejected a byte. 
- // Individual bytes of the SHAKE-256 stream are (indistinguishable from) - // independent of each other and the original seed, so leaking information - // about the rejected bytes does not reveal the input or output. - uint32_t v; - if (coefficient_from_nibble(t0, &v)) { - out->c[done++] = v; - } - if (done < kDegree && coefficient_from_nibble(t1, &v)) { - out->c[done++] = v; - } - } + BORINGSSL_keccak_squeeze(keccak_ctx, block, sizeof(block)); + scalar_uniform_block(out, &done, block); } } +#if defined(HAVE_KECCAK_X2) +template +inline void scalar_uniform_x2(scalar *out[2], + BORINGSSL_keccak_st keccak_ctx[2]) { + assert(keccak_ctx[0].squeeze_offset == 0); + assert(keccak_ctx[0].rate_bytes == 136); + assert(keccak_ctx[1].squeeze_offset == 0); + assert(keccak_ctx[1].rate_bytes == 136); + + int done[2] = {0, 0}; + while (done[0] < kDegree || done[1] < kDegree) { + uint8_t block[2][136]; + uint8_t *blocks[] = {block[0], block[1]}; + BORINGSSL_keccak_squeeze_x2(keccak_ctx, blocks, sizeof(block[0])); + scalar_uniform_block(out[0], &done[0], block[0]); + scalar_uniform_block(out[1], &done[1], block[1]); + } +} +#endif + // FIPS 204, Algorithm 34 (`ExpandMask`), but just a single step. 
template inline void scalar_sample_mask(scalar *out, - const uint8_t derived_seed[kRhoPrimeBytes + 2]) { + const uint8_t rho_prime[kRhoPrimeBytes], + size_t index) { uint8_t buf[scalar_le_gamma1_bytes()]; - BORINGSSL_keccak(buf, sizeof(buf), derived_seed, kRhoPrimeBytes + 2, - boringssl_shake256); - - scalar_decode_signed(out, buf, gamma1_bits() + 1, gamma1()); + struct BORINGSSL_keccak_st ctx; + BORINGSSL_keccak_init(&ctx, boringssl_shake256); + BORINGSSL_keccak_absorb(&ctx, rho_prime, kRhoPrimeBytes); + uint8_t index_buf[2]; + index_buf[0] = static_cast(index); + index_buf[1] = static_cast(index >> 8); + BORINGSSL_keccak_absorb(&ctx, index_buf, 2); + BORINGSSL_keccak_squeeze(&ctx, buf, sizeof(buf)); + scalar_decode_signed() + 1, gamma1()>(out, buf); } // FIPS 204, Algorithm 29 (`SampleInBall`). 
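Review bot: `scalar_uniform` and `scalar_uniform_x2` now rely on the caller having initialised a SHAKE-256 context and absorbed the seed and index before the call, and the only thing that states this is the pair of `assert`s on `squeeze_offset` and `rate_bytes`, which give the condition without explaining it. The comment ``// FIPS 204, Algorithm 31 (`RejBoundedPoly`).`` should say that the absorb half of the algorithm has moved to the caller, for example `// The caller must have absorbed the seed and the two-byte index into a fresh SHAKE-256 context.`, and `scalar_uniform_block` and `scalar_uniform_x2` need a one-line header each. In `scalar_sample_mask` the declaration `struct BORINGSSL_keccak_st ctx;` differs from the `BORINGSSL_keccak_st keccak_ctx;` spelling used by the other samplers in this diff; matching it would make the samplers read alike.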
@@ -1278,23 +1347,96 @@ inline void scalar_sample_in_ball_vartime(scalar *out, const uint8_t *seed, } } -// FIPS 204, Algorithm 32 (`ExpandA`). +template +inline void matrix_expand_step(scalar *out, const uint8_t rho[kRhoBytes], + int index) { + BORINGSSL_keccak_st keccak_ctx; + BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake128); + BORINGSSL_keccak_absorb(&keccak_ctx, rho, kRhoBytes); + uint8_t index_buf[2]; + index_buf[0] = static_cast(index % L); + index_buf[1] = static_cast(index / L); + BORINGSSL_keccak_absorb(&keccak_ctx, index_buf, 2); + scalar_from_keccak_vartime(out, &keccak_ctx); +} + +#if defined(HAVE_KECCAK_X2) +template +inline void matrix_expand_step_x2(matrix *out, + const uint8_t rho[kRhoBytes], int index) { + BORINGSSL_keccak_st keccak_ctx[2]; + BORINGSSL_keccak_init(&keccak_ctx[0], boringssl_shake128); + BORINGSSL_keccak_init(&keccak_ctx[1], boringssl_shake128); + BORINGSSL_keccak_absorb(&keccak_ctx[0], rho, kRhoBytes); + BORINGSSL_keccak_absorb(&keccak_ctx[1], rho, kRhoBytes); + uint8_t index_buf[2]; + index_buf[0] = static_cast(index % L); + index_buf[1] = static_cast(index / L); + BORINGSSL_keccak_absorb(&keccak_ctx[0], index_buf, 2); + index_buf[0] = static_cast((index + 1) % L); + index_buf[1] = static_cast((index + 1) / L); + BORINGSSL_keccak_absorb(&keccak_ctx[1], index_buf, 2); + + scalar *outs[] = {&out->v[index / L][index % L], + &out->v[(index + 1) / L][(index + 1) % L]}; + scalar_from_keccak_vartime_x2(outs, keccak_ctx); +} +#endif + template inline void matrix_expand(matrix *out, const uint8_t rho[kRhoBytes]) { static_assert(K <= 0x100, "K must fit in 8 bits"); static_assert(L <= 0x100, "L must fit in 8 bits"); - uint8_t derived_seed[kRhoBytes + 2]; - OPENSSL_memcpy(derived_seed, rho, kRhoBytes); - for (int i = 0; i < K; i++) { - for (int j = 0; j < L; j++) { - derived_seed[kRhoBytes + 1] = (uint8_t)i; - derived_seed[kRhoBytes] = (uint8_t)j; - scalar_from_keccak_vartime(&out->v[i][j], derived_seed); - } + int index = 0; +#if 
defined(HAVE_KECCAK_X2) + for (; index + 2 <= K * L; index += 2) { + matrix_expand_step_x2(out, rho, index); } +#endif + + for (; index < K * L; index++) { + matrix_expand_step(&out->v[index / L][index % L], rho, index); + } +} + +template +inline void vector_expand_short_step(scalar *out, + const uint8_t sigma[kSigmaBytes], + int index) { + BORINGSSL_keccak_st keccak_ctx; + BORINGSSL_keccak_init(&keccak_ctx, boringssl_shake256); + BORINGSSL_keccak_absorb(&keccak_ctx, sigma, kSigmaBytes); + uint8_t index_buf[2]; + index_buf[0] = static_cast(index); + index_buf[1] = 0; + BORINGSSL_keccak_absorb(&keccak_ctx, index_buf, 2); + scalar_uniform()>(out, &keccak_ctx); } +#if defined(HAVE_KECCAK_X2) +template +inline void vector_expand_short_step_x2(scalar *out0, scalar *out1, + const uint8_t sigma[kSigmaBytes], + int index) { + BORINGSSL_keccak_st keccak_ctx[2]; + BORINGSSL_keccak_init(&keccak_ctx[0], boringssl_shake256); + BORINGSSL_keccak_init(&keccak_ctx[1], boringssl_shake256); + BORINGSSL_keccak_absorb(&keccak_ctx[0], sigma, kSigmaBytes); + BORINGSSL_keccak_absorb(&keccak_ctx[1], sigma, kSigmaBytes); + uint8_t index_buf[2]; + index_buf[0] = static_cast(index); + index_buf[1] = 0; + BORINGSSL_keccak_absorb(&keccak_ctx[0], index_buf, 2); + index_buf[0] = static_cast(index + 1); + index_buf[1] = 0; + BORINGSSL_keccak_absorb(&keccak_ctx[1], index_buf, 2); + + scalar *outs[] = {out0, out1}; + scalar_uniform_x2()>(outs, keccak_ctx); +} +#endif + // FIPS 204, Algorithm 33 (`ExpandS`). template inline void vector_expand_short(vector *s1, vector *s2, 
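Review bot: The spec cross-reference ``// FIPS 204, Algorithm 32 (`ExpandA`).`` is deleted at the top of this hunk and not restored, so `matrix_expand` is now the only sampler here without its algorithm number, and the new `matrix_expand_step`, `matrix_expand_step_x2`, `vector_expand_short_step` and `vector_expand_short_step_x2` have no header comment at all. I would put the reference back above `matrix_expand` and give each helper one line saying what it absorbs, e.g. `// Absorbs rho, then the column (index % L) and the row (index / L), and samples one entry of A.` The helpers also narrow `index` into single bytes of `index_buf`, which keeps the SHAKE inputs distinct only because of the `static_assert`s in `matrix_expand` and in `vector_expand_short`; a comment naming that precondition, or `assert(index < 0x100);` in `vector_expand_short_step`, would keep it from being lost if the helpers gain another caller. `vector_expand_short` begins on the last lines of the hunk and continues outside it.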
@@ -1303,34 +1445,37 @@ inline void vector_expand_short(vector *s1, vector *s2, static_assert(L <= 0x100, "L must fit in 8 bits"); static_assert(K + L <= 0x100, "K+L must fit in 8 bits"); - uint8_t derived_seed[kSigmaBytes + 2]; - OPENSSL_memcpy(derived_seed, sigma, kSigmaBytes); - derived_seed[kSigmaBytes] = 0; - derived_seed[kSigmaBytes + 1] = 0; + scalar *all_scalars[K + L]; for (int i = 0; i < L; i++) { - scalar_uniform()>(&s1->v[i], derived_seed); - ++derived_seed[kSigmaBytes]; + all_scalars[i] = &s1->v[i]; } for (int i = 0; i < K; i++) { - scalar_uniform()>(&s2->v[i], derived_seed); - ++derived_seed[kSigmaBytes]; + all_scalars[L + i] = &s2->v[i]; + } + + int index = 0; +#if defined(HAVE_KECCAK_X2) + for (; index + 2 <= K + L; index += 2) { + vector_expand_short_step_x2(all_scalars[index], all_scalars[index + 1], + sigma, index); + } +#endif + + for (; index < K + L; index++) { + vector_expand_short_step(all_scalars[index], sigma, index); } } // FIPS 204, Algorithm 34 (`ExpandMask`). template inline void vector_expand_mask(vector *out, - const uint8_t seed[kRhoPrimeBytes], + const uint8_t rho_prime[kRhoPrimeBytes], size_t kappa) { assert(kappa + L <= 0x10000); - uint8_t derived_seed[kRhoPrimeBytes + 2]; - OPENSSL_memcpy(derived_seed, seed, kRhoPrimeBytes); for (int i = 0; i < L; i++) { size_t index = kappa + i; - derived_seed[kRhoPrimeBytes] = index & 0xFF; - derived_seed[kRhoPrimeBytes + 1] = (index >> 8) & 0xFF; - scalar_sample_mask(&out->v[i], derived_seed); + scalar_sample_mask(&out->v[i], rho_prime, index); } } 
@@ -1338,54 +1483,60 @@ inline void vector_expand_mask(vector *out, // FIPS 204, Algorithm 16 (`SimpleBitPack`). // -// Encodes an entire vector into 32*K*|bits| bytes. Note that since 256 +// Encodes an entire vector into 32*K*`bits` bytes. Note that since 256 // (kDegree) is divisible by 8, the individual vector entries will always fill a // whole number of bytes, so we do not need to worry about bit packing here. -template -inline void vector_encode(uint8_t *out, const vector *a, int bits) { - if (bits == 4) { - for (int i = 0; i < K; i++) { - scalar_encode_4(out + i * bits * kDegree / 8, &a->v[i]); - } - } else if (bits == 6) { - for (int i = 0; i < K; i++) { - scalar_encode_6(out + i * bits * kDegree / 8, &a->v[i]); - } - } else { - assert(bits == 10); - for (int i = 0; i < K; i++) { - scalar_encode_10(out + i * bits * kDegree / 8, &a->v[i]); - } +template +inline void vector_encode(uint8_t *out, const vector *a) { + for (int i = 0; i < K; i++) { + scalar_encode(out + i * bits * kDegree / 8, &a->v[i]); } } // FIPS 204, Algorithm 18 (`SimpleBitUnpack`). -template -inline void vector_decode_10(vector *out, const uint8_t *in) { +template +inline void vector_decode(vector *out, const uint8_t *in) { for (int i = 0; i < K; i++) { - scalar_decode_10(&out->v[i], in + i * 10 * kDegree / 8); + scalar_decode(&out->v[i], in + i * bits * kDegree / 8); } } // FIPS 204, Algorithm 17 (`BitPack`). // -// Encodes an entire vector into 32*L*|bits| bytes. Note that since 256 +// Encodes an entire vector into 32*L*`bits` bytes. Note that since 256 // (kDegree) is divisible by 8, the individual vector entries will always fill a // whole number of bytes, so we do not need to worry about bit packing here. 
-template -inline void vector_encode_signed(uint8_t *out, const vector *a, int bits, - uint32_t max) { +template +inline void vector_encode_signed(uint8_t *out, const vector *a) { for (int i = 0; i < X; i++) { - scalar_encode_signed(out + i * bits * kDegree / 8, &a->v[i], bits, max); + scalar_encode_signed(out + i * bits * kDegree / 8, &a->v[i]); } } -template -inline int vector_decode_signed(vector *out, const uint8_t *in, int bits, - uint32_t max) { +// `vector_encode_signed_ntt` behaves like `vector_encode_signed` but takes its +// input in NTT form. This is only used by the testing-only `skEncode` and +// `skDecode` functions and is not performance-sensitive. +template +inline void vector_encode_signed_ntt(uint8_t *out, const vector *a_ntt) { + vector a = *a_ntt; + vector_inverse_ntt_montgomery(&a); + // `vector_inverse_ntt_montgomery` adds an extra factor of R, which we must + // cancel with a Montgomery reduction. + for (int i = 0; i < X; i++) { + for (int j = 0; j < kDegree; j++) { + a.v[i].c[j] = reduce_montgomery(a.v[i].c[j]); + } + } + + vector_encode_signed(out, &a); +} + +// FIPS 204, Algorithm 19 (`BitUnpack`). +template +inline int vector_decode_signed(vector *out, const uint8_t *in) { for (int i = 0; i < X; i++) { - if (!scalar_decode_signed(&out->v[i], in + i * bits * kDegree / 8, bits, - max)) { + if (!scalar_decode_signed(&out->v[i], + in + i * bits * kDegree / 8)) { return 0; } } @@ -1395,7 +1546,7 @@ inline int vector_decode_signed(vector *out, const uint8_t *in, int bits, // FIPS 204, Algorithm 28 (`w1Encode`). template inline void w1_encode(uint8_t out[w1_bytes()], const vector *w1) { - vector_encode(out, w1, w1_coeffs_bits()); + vector_encode()>(out, w1); } // FIPS 204, Algorithm 20 (`HintBitPack`). @@ -1458,9 +1609,9 @@ template struct private_key { public_key pub; uint8_t k[kKBytes]; - vector s1; - vector s2; - vector t0; + vector s1_ntt; + vector s2_ntt; + vector t0_ntt; }; template 
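Review bot: `vector_encode_signed_ntt` copies its whole input into a stack temporary with `vector a = *a_ntt;` and returns without clearing it, and the callers shown later in this diff pass it `priv->s1_ntt`, `priv->s2_ntt` and `priv->t0_ntt`, so a normal-form copy of the secret key vectors stays behind in the dead stack frame. Adding `OPENSSL_cleanse(&a, sizeof(a));` after the `vector_encode_signed(out, &a);` call would bound the lifetime of that copy. Whether this file wipes stack temporaries elsewhere is not visible from the hunk, so treat that as a convention to confirm before applying it.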
@@ -1481,7 +1632,7 @@ inline int mldsa_marshal_public_key(CBB *out, const public_key *pub) { if (!CBB_add_space(out, &vectork_output, 320 * K)) { return 0; } - vector_encode(vectork_output, &pub->t1, 10); + vector_encode<10>(vectork_output, &pub->t1); return 1; } @@ -1499,7 +1650,7 @@ inline int mldsa_parse_public_key(public_key *pub, CBS *in) { if (!CBS_get_bytes(in, &t1_bytes, 320 * K) || CBS_len(in) != 0) { return 0; } - vector_decode_10(&pub->t1, CBS_data(&t1_bytes)); + vector_decode<10>(&pub->t1, CBS_data(&t1_bytes)); // Compute pre-cached values. BORINGSSL_keccak(pub->public_key_hash, sizeof(pub->public_key_hash), @@ -1524,21 +1675,21 @@ inline int mldsa_marshal_private_key(CBB *out, const private_key *priv) { if (!CBB_add_space(out, &vectorl_output, scalar_bytes * L)) { return 0; } - vector_encode_signed(vectorl_output, &priv->s1, plus_minus_eta_bitlen(), - eta()); + vector_encode_signed_ntt(), eta()>(vectorl_output, + &priv->s1_ntt); uint8_t *s2_output; if (!CBB_add_space(out, &s2_output, scalar_bytes * K)) { return 0; } - vector_encode_signed(s2_output, &priv->s2, plus_minus_eta_bitlen(), - eta()); + vector_encode_signed_ntt(), eta()>(s2_output, + &priv->s2_ntt); uint8_t *t0_output; if (!CBB_add_space(out, &t0_output, 416 * K)) { return 0; } - vector_encode_signed(t0_output, &priv->t0, 13, 1 << 12); + vector_encode_signed_ntt<13, (1 << 12)>(t0_output, &priv->t0_ntt); return 1; } 
@@ -1554,18 +1705,17 @@ inline int mldsa_parse_private_key(private_key *priv, CBS *in) { !CBS_copy_bytes(in, priv->k, sizeof(priv->k)) || !CBS_get_bytes(in, &public_key_hash, kTrBytes) || !CBS_get_bytes(in, &s1_bytes, scalar_bytes * L) || - !vector_decode_signed(&priv->s1, CBS_data(&s1_bytes), - plus_minus_eta_bitlen(), eta()) || + !vector_decode_signed(), eta()>( + &priv->s1_ntt, CBS_data(&s1_bytes)) || !CBS_get_bytes(in, &s2_bytes, scalar_bytes * K) || - !vector_decode_signed(&priv->s2, CBS_data(&s2_bytes), - plus_minus_eta_bitlen(), eta()) || - !CBS_get_bytes(in, &t0_bytes, 416 * K) || - // Note: Decoding 13 bits into (-2^12, 2^12] cannot fail. - !vector_decode_signed(&priv->t0, CBS_data(&t0_bytes), 13, 1 << 12)) { + !vector_decode_signed(), eta()>( + &priv->s2_ntt, CBS_data(&s2_bytes)) || + !CBS_get_bytes(in, &t0_bytes, 416 * K)) { return 0; } - // Compute `t1`, which is not in the `skDecode` input. + // Compute `t1`, which is not in the `skDecode` input. This also computes + // `t0_ntt` and converts `s1_ntt` and `s2_ntt` to NTT form. uint8_t unused[public_key_bytes()]; if (!mldsa_finish_keygen(unused, priv)) { return 0; @@ -1574,7 +1724,7 @@ inline int mldsa_parse_private_key(private_key *priv, CBS *in) { // As a side effect of computing `t1`, we also compute `t0` and // `public_key_hash`. Check they match the received bytes. uint8_t t0_computed[416 * K]; - vector_encode_signed(t0_computed, &priv->t0, 13, 1 << 12); + vector_encode_signed_ntt<13, (1 << 12)>(t0_computed, &priv->t0_ntt); if (!CBS_mem_equal(&public_key_hash, priv->pub.public_key_hash, sizeof(priv->pub.public_key_hash)) || !CBS_mem_equal(&t0_bytes, t0_computed, sizeof(t0_computed))) { 
@@ -1595,8 +1745,8 @@ inline int mldsa_marshal_signature(CBB *out, const signature *sign) { if (!CBB_add_space(out, &vectorl_output, scalar_le_gamma1_bytes() * L)) { return 0; } - vector_encode_signed(vectorl_output, &sign->z, gamma1_bits() + 1, - gamma1()); + vector_encode_signed() + 1, gamma1()>(vectorl_output, + &sign->z); uint8_t *hint_output; if (!CBB_add_space(out, &hint_output, omega() + K)) { @@ -1615,8 +1765,8 @@ inline int mldsa_parse_signature(signature *sign, CBS *in) { if (!CBS_copy_bytes(in, sign->c_tilde, sizeof(sign->c_tilde)) || !CBS_get_bytes(in, &z_bytes, scalar_le_gamma1_bytes() * L) || // Note: Decoding b+1 bits into (-2^b, 2^b] cannot fail. - !vector_decode_signed(&sign->z, CBS_data(&z_bytes), gamma1_bits() + 1, - gamma1()) || + !vector_decode_signed() + 1, gamma1()>( + &sign->z, CBS_data(&z_bytes)) || !CBS_get_bytes(in, &hint_bytes, omega() + K) || !hint_bit_unpack(&sign->h, CBS_data(&hint_bytes))) { return 0; @@ -1627,6 +1777,9 @@ inline int mldsa_parse_signature(signature *sign, CBS *in) { // FIPS 204, Algorithm 6 (`ML-DSA.KeyGen_internal`), steps 3 and 5–11. // Returns 1 on success and 0 on failure. +// +// On input, `priv->s1_ntt` and `priv->s2_ntt` are not yet in NTT form. They are +// converted to NTT form by this function. template inline int mldsa_finish_keygen( uint8_t out_encoded_public_key[public_key_bytes()], @@ -1636,7 +1789,6 @@ inline int mldsa_finish_keygen( struct Values { enum { kAllowUniquePtr = true }; matrix a_ntt; - vector s1_ntt; vector t; }; auto values = MakeUnique(); 
@@ -1647,16 +1799,17 @@ inline int mldsa_finish_keygen( // Step 3. matrix_expand(&values->a_ntt, priv->pub.rho); - // Step 5. - OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt)); - vector_ntt(&values->s1_ntt); - - matrix_mult(&values->t, &values->a_ntt, &values->s1_ntt); - vector_inverse_ntt(&values->t); - vector_add(&values->t, &values->t, &priv->s2); - - // Step 6-7. - vector_power2_round(&priv->pub.t1, &priv->t0, &values->t); + // Step 5. Note that, on input, `s1_ntt` and `s2_ntt` are not yet in NTT form, + // but this function is responsible for converting them to NTT. + vector_ntt(&priv->s1_ntt); + matrix_mult_montgomery(&values->t, &values->a_ntt, &priv->s1_ntt); + vector_inverse_ntt_montgomery(&values->t); + vector_add(&values->t, &values->t, &priv->s2_ntt); + vector_ntt(&priv->s2_ntt); + + // Step 6-7. We store t0 in NTT form. + vector_power2_round(&priv->pub.t1, &priv->t0_ntt, &values->t); + vector_ntt(&priv->t0_ntt); // t1 is public. CONSTTIME_DECLASSIFY(&priv->pub.t1, sizeof(priv->pub.t1)); @@ -1698,8 +1851,9 @@ inline int mldsa_generate_key_external_entropy_no_self_test( CONSTTIME_DECLASSIFY(rho, kRhoBytes); OPENSSL_memcpy(priv->pub.rho, rho, sizeof(priv->pub.rho)); OPENSSL_memcpy(priv->k, k, sizeof(priv->k)); - // Step 4. This is independent of A (step 3) and can be done first. - vector_expand_short(&priv->s1, &priv->s2, sigma); + // Steps 4. This is independent of A (step 3) and can be done first. + // `mldsa_finish_keygen` will convert `s1_ntt` and `s2_ntt` into NTT from. + vector_expand_short(&priv->s1_ntt, &priv->s2_ntt, sigma); // Steps 3 and 5-11. return mldsa_finish_keygen(out_encoded_public_key, priv); } @@ -1734,9 +1888,6 @@ inline int mldsa_sign_mu_no_self_test( struct Values { enum { kAllowUniquePtr = true }; signature sign; - vector s1_ntt; - vector s2_ntt; - vector t0_ntt; matrix a_ntt; vector y; vector w; 
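Review bot: In the rewritten step 5 the call `vector_add(&values->t, &values->t, &priv->s2_ntt);` reads `s2_ntt` while it still holds normal-form coefficients, and only the following `vector_ntt(&priv->s2_ntt);` makes the field name true, so the result depends on the order of those two lines. The added comment explains that the fields are converted here but not that the add must come first; I would add `// s2 is still in normal form here; it is converted only after the add.` above the `vector_add` call. Because the function now converts `priv` in place, calling it on a key whose fields are already in NTT form would derive a different `t` without any error, which the header comment could state as a precondition. The body of `mldsa_finish_keygen` starts and ends outside this hunk.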
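Review bot: The comment added above the `vector_expand_short` call has two slips: `Steps 4.` names a single step, and `into NTT from.` should end in "form". Suggested wording is `// Step 4. This is independent of A (step 3) and can be done first.` followed by ``// `mldsa_finish_keygen` will convert `s1_ntt` and `s2_ntt` into NTT form.`` The enclosing `mldsa_generate_key_external_entropy_no_self_test` starts outside the hunk.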
@@ -1748,15 +1899,6 @@ inline int mldsa_sign_mu_no_self_test( if (values == nullptr) { return 0; } - OPENSSL_memcpy(&values->s1_ntt, &priv->s1, sizeof(values->s1_ntt)); - vector_ntt(&values->s1_ntt); - - OPENSSL_memcpy(&values->s2_ntt, &priv->s2, sizeof(values->s2_ntt)); - vector_ntt(&values->s2_ntt); - - OPENSSL_memcpy(&values->t0_ntt, &priv->t0, sizeof(values->t0_ntt)); - vector_ntt(&values->t0_ntt); - matrix_expand(&values->a_ntt, priv->pub.rho); // kappa must not exceed 2**16/L = 13107. But the probability of it @@ -1768,8 +1910,8 @@ inline int mldsa_sign_mu_no_self_test( OPENSSL_memcpy(y_ntt, &values->y, sizeof(*y_ntt)); vector_ntt(y_ntt); - matrix_mult(&values->w, &values->a_ntt, y_ntt); - vector_inverse_ntt(&values->w); + matrix_mult_montgomery(&values->w, &values->a_ntt, y_ntt); + vector_inverse_ntt_montgomery(&values->w); vector_high_bits(&values->w1, &values->w); uint8_t w1_encoded[w1_bytes()]; @@ -1786,10 +1928,10 @@ inline int mldsa_sign_mu_no_self_test( sizeof(values->sign.c_tilde), tau()); scalar_ntt(&c_ntt); - vector_mult_scalar(&values->cs1, &values->s1_ntt, &c_ntt); - vector_inverse_ntt(&values->cs1); - vector_mult_scalar(&values->cs2, &values->s2_ntt, &c_ntt); - vector_inverse_ntt(&values->cs2); + vector_mult_scalar_montgomery(&values->cs1, &priv->s1_ntt, &c_ntt); + vector_inverse_ntt_montgomery(&values->cs1); + vector_mult_scalar_montgomery(&values->cs2, &priv->s2_ntt, &c_ntt); + vector_inverse_ntt_montgomery(&values->cs2); vector_add(&values->sign.z, &values->y, &values->cs1); 
@@ -1804,7 +1946,7 @@ inline int mldsa_sign_mu_no_self_test( // https://pq-crystals.org/dilithium/data/dilithium-specification-round3.pdf // describes this leak as OK. Note we leak less than what is described by // the paper; we do not reveal which coefficient violated the bound, and - // we hide which of the |z_max| or |r0_max| bound failed. See also + // we hide which of the `z_max` or `r0_max` bound failed. See also // https://boringssl-review.googlesource.com/c/boringssl/+/67747/comment/2bbab0fa_d241d35a/ uint32_t z_max = vector_max(&values->sign.z); uint32_t r0_max = vector_max_signed(r0); @@ -1820,8 +1962,8 @@ inline int mldsa_sign_mu_no_self_test( } vector *ct0 = &values->w1; - vector_mult_scalar(ct0, &values->t0_ntt, &c_ntt); - vector_inverse_ntt(ct0); + vector_mult_scalar_montgomery(ct0, &priv->t0_ntt, &c_ntt); + vector_inverse_ntt_montgomery(ct0); vector_make_hint(&values->sign.h, ct0, &values->cs2, &values->w); // See above. @@ -1970,16 +2112,16 @@ inline int mldsa_verify_mu_no_self_test( OPENSSL_memcpy(&values->z_ntt, &values->sign.z, sizeof(values->z_ntt)); vector_ntt(&values->z_ntt); - matrix_mult(&values->az_ntt, &values->a_ntt, &values->z_ntt); + matrix_mult_montgomery(&values->az_ntt, &values->a_ntt, &values->z_ntt); vector_scale_power2_round(&values->ct1_ntt, &pub->t1); vector_ntt(&values->ct1_ntt); - vector_mult_scalar(&values->ct1_ntt, &values->ct1_ntt, &c_ntt); + vector_mult_scalar_montgomery(&values->ct1_ntt, &values->ct1_ntt, &c_ntt); vector *const w1 = &values->az_ntt; vector_sub(w1, &values->az_ntt, &values->ct1_ntt); - vector_inverse_ntt(w1); + vector_inverse_ntt_montgomery(w1); vector_use_hint_vartime(w1, &values->sign.h, w1); uint8_t w1_encoded[w1_bytes()]; 
@@ -2324,8 +2466,8 @@ bcm_status bssl::BCM_mldsa65_check_key_fips(MLDSA65_private_key *private_key) { mldsa::fips::check_key(mldsa::private_key_from_external_65(private_key))); } -// Calls |MLDSA_generate_key_external_entropy| with random bytes from -// |BCM_rand_bytes|. +// Calls `MLDSA_generate_key_external_entropy` with random bytes from +// `BCM_rand_bytes`. bcm_status bssl::BCM_mldsa65_generate_key( uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES], uint8_t out_seed[MLDSA_SEED_BYTES], MLDSA65_private_key *out_private_key) { @@ -2429,7 +2571,7 @@ bcm_status bssl::BCM_mldsa65_sign_mu_internal( } // ML-DSA signature in randomized mode, filling the random bytes with -// |BCM_rand_bytes|. +// `BCM_rand_bytes`. bcm_status bssl::BCM_mldsa65_sign( uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES], const MLDSA65_private_key *private_key, const uint8_t *msg, size_t msg_len, @@ -2528,7 +2670,7 @@ int bssl::BCM_mldsa65_public_keys_equal(const MLDSA65_public_key *a, const MLDSA65_public_key *b) { auto *a_pub = mldsa::public_key_from_external_65(a); auto *b_pub = mldsa::public_key_from_external_65(b); - // It is sufficient to compare |public_key_hash|. When importing a public key, + // It is sufficient to compare `public_key_hash`. When importing a public key, // the hash must be computed. When importing a private key in expanded form // (an internal testing-only API), the hash is provided, but we recompute it // and check for correctness. 
@@ -2564,8 +2706,8 @@ bcm_status bssl::BCM_mldsa87_check_key_fips(MLDSA87_private_key *private_key) { mldsa::fips::check_key(mldsa::private_key_from_external_87(private_key))); } -// Calls |MLDSA_generate_key_external_entropy| with random bytes from -// |BCM_rand_bytes|. +// Calls `MLDSA_generate_key_external_entropy` with random bytes from +// `BCM_rand_bytes`. bcm_status bssl::BCM_mldsa87_generate_key( uint8_t out_encoded_public_key[MLDSA87_PUBLIC_KEY_BYTES], uint8_t out_seed[MLDSA_SEED_BYTES], MLDSA87_private_key *out_private_key) { @@ -2669,7 +2811,7 @@ bcm_status bssl::BCM_mldsa87_sign_mu_internal( } // ML-DSA signature in randomized mode, filling the random bytes with -// |BCM_rand_bytes|. +// `BCM_rand_bytes`. bcm_status bssl::BCM_mldsa87_sign( uint8_t out_encoded_signature[MLDSA87_SIGNATURE_BYTES], const MLDSA87_private_key *private_key, const uint8_t *msg, size_t msg_len, @@ -2769,7 +2911,7 @@ int bssl::BCM_mldsa87_public_keys_equal(const MLDSA87_public_key *a, const MLDSA87_public_key *b) { auto *a_pub = mldsa::public_key_from_external_87(a); auto *b_pub = mldsa::public_key_from_external_87(b); - // It is sufficient to compare |public_key_hash|. When importing a public key, + // It is sufficient to compare `public_key_hash`. When importing a public key, // the hash must be computed. When importing a private key in expanded form // (an internal testing-only API), the hash is provided, but we recompute it // and check for correctness. 
@@ -2805,8 +2947,8 @@ bcm_status bssl::BCM_mldsa44_check_key_fips(MLDSA44_private_key *private_key) { mldsa::fips::check_key(mldsa::private_key_from_external_44(private_key))); } -// Calls |MLDSA_generate_key_external_entropy| with random bytes from -// |BCM_rand_bytes|. +// Calls `MLDSA_generate_key_external_entropy` with random bytes from +// `BCM_rand_bytes`. bcm_status bssl::BCM_mldsa44_generate_key( uint8_t out_encoded_public_key[MLDSA44_PUBLIC_KEY_BYTES], uint8_t out_seed[MLDSA_SEED_BYTES], MLDSA44_private_key *out_private_key) { @@ -2910,7 +3052,7 @@ bcm_status bssl::BCM_mldsa44_sign_mu_internal( } // ML-DSA signature in randomized mode, filling the random bytes with -// |BCM_rand_bytes|. +// `BCM_rand_bytes`. bcm_status bssl::BCM_mldsa44_sign( uint8_t out_encoded_signature[MLDSA44_SIGNATURE_BYTES], const MLDSA44_private_key *private_key, const uint8_t *msg, size_t msg_len, @@ -3010,7 +3152,7 @@ int bssl::BCM_mldsa44_public_keys_equal(const MLDSA44_public_key *a, const MLDSA44_public_key *b) { auto *a_pub = mldsa::public_key_from_external_44(a); auto *b_pub = mldsa::public_key_from_external_44(b); - // It is sufficient to compare |public_key_hash|. When importing a public key, + // It is sufficient to compare `public_key_hash`. When importing a public key, // the hash must be computed. When importing a private key in expanded form // (an internal testing-only API), the hash is provided, but we recompute it // and check for correctness. diff --git a/third_party/boringssl/src/crypto/fipsmodule/mlkem/mlkem.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/mlkem/mlkem.cc.inc index 540b5b39..a73d5d95 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/mlkem/mlkem.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/mlkem/mlkem.cc.inc 
@@ -212,7 +212,7 @@ inline uint16_t reduce_once(uint16_t x) { // We usually add value barriers to selects because Clang turns consecutive // selects with the same condition into a branch instead of CMOV/CSEL. This // condition does not occur in ML-KEM, so omitting it seems to be safe so far, - // but see |scalar_centered_binomial_distribution_eta_2_with_prf|. + // but see `scalar_centered_binomial_distribution_eta_2_with_prf`. return (mask & x) | (~mask & subtracted); } @@ -236,9 +236,9 @@ inline void vector_zero(vector *out) { // In place number theoretic transform of a given scalar. // Note that MLKEM's kPrime 3329 does not have a 512th root of unity, so this // transform leaves off the last iteration of the usual FFT code, with the 128 -// relevant roots of unity being stored in |kNTTRoots|. This means the output +// relevant roots of unity being stored in `kNTTRoots`. This means the output // should be seen as 128 elements in GF(3329^2), with the coefficients of the -// elements being consecutive entries in |s->c|. +// elements being consecutive entries in `s->c`. inline void scalar_ntt(scalar *s) { // Manually unrolled loop to maximize vectorization. #define ITER(step, offset) \ @@ -278,7 +278,7 @@ inline void vector_ntt(vector *a) { // entries of s->v being interpreted as elements of GF(3329^2). Just as with the // number theoretic transform, this leaves off the first step of the normal iFFT // to account for the fact that 3329 does not have a 512th root of unity, using -// the precomputed 128 roots of unity stored in |kInverseNTTRoots|. +// the precomputed 128 roots of unity stored in `kInverseNTTRoots`. void scalar_inverse_ntt(scalar *s) { // Manually unrolled loop to maximize vectorization. #define ITER(step, offset) \ 
@@ -334,7 +334,7 @@ inline void scalar_sub(scalar *lhs, const scalar *rhs) { // 3329 does not have a 512th root of unity, this means we have to interpret // the 2*ith and (2*i+1)th entries of the scalar as elements of GF(3329)[X]/(X^2 // - 17^(2*bitreverse(i)+1)) The value of 17^(2*bitreverse(i)+1) mod 3329 is -// stored in the precomputed |kModRoots| table. Note that our Barrett transform +// stored in the precomputed `kModRoots` table. Note that our Barrett transform // only allows us to multiply two reduced numbers together, so we need some // intermediate reduction steps, even if an uint64_t could hold 3 multiplied // numbers. @@ -452,10 +452,10 @@ static void scalar_centered_binomial_distribution_eta_2( uint16_t value = (byte & 1) + ((byte >> 1) & 1); value -= ((byte >> 2) & 1) + ((byte >> 3) & 1); - // Add |kPrime| if |value| underflowed. See |reduce_once| for a discussion + // Add `kPrime` if `value` underflowed. See `reduce_once` for a discussion // on why the value barrier is omitted. While this could have been written // reduce_once(value + kPrime), this is one extra addition and small range - // of |value| tempts some versions of Clang to emit a branch. + // of `value` tempts some versions of Clang to emit a branch. uint16_t mask = 0u - (value >> 15); out->c[i] = ((value + kPrime) & mask) | (value & ~mask); @@ -469,7 +469,7 @@ static void scalar_centered_binomial_distribution_eta_2( } // Algorithm 8 from the spec, with eta fixed to two and the PRF call -// included. Creates binominally distributed elements by sampling 2*|eta| bits, +// included. Creates binominally distributed elements by sampling 2*`eta` bits, // and setting the coefficient to the count of the first bits minus the count of // the second bits, resulting in a centered binomial distribution. Since eta is // two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4, 
@@ -505,8 +505,8 @@ static void scalar_centered_binomial_distribution_eta_2_with_prf_x2( #endif // Generates a secret vector by using -// |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed -// appending and incrementing |counter| for entry of the vector. +// `scalar_centered_binomial_distribution_eta_2_with_prf`, using the given seed +// appending and incrementing `counter` for entry of the vector. template void vector_generate_secret_eta_2(vector *out, uint8_t *counter, const uint8_t seed[32]) { @@ -576,9 +576,9 @@ void matrix_expand(matrix *out, const uint8_t rho[32]) { } } -// Encodes a scalar of 256 |BITS|-bit words into 32*|BITS| bytes by splitting +// Encodes a scalar of 256 `BITS`-bit words into 32*`BITS` bytes by splitting // and joining into bytes using LSB-first bit order (i.e. opposite to standard -// reading order). See below for examples. If an input is >= 1 << |BITS|, the +// reading order). See below for examples. If an input is >= 1 << `BITS`, the // result is undefined. template void scalar_encode(uint8_t *out, const scalar *s); @@ -704,7 +704,7 @@ void scalar_encode<1>(uint8_t out[32], const scalar *s) { } } -// Encodes an entire vector into 32*|RANK|*|bits| bytes. Note that since 256 +// Encodes an entire vector into 32*`RANK`*`bits` bytes. Note that since 256 // (DEGREE) is divisible by 8, the individual vector entries will always fill a // whole number of bytes, so we do not need to worry about bit packing here. template @@ -714,9 +714,9 @@ void vector_encode(uint8_t *out, const vector *a) { } } -// The inverse of |scalar_encode|. Returns 1 iff the encoded scalar is valid, -// i.e. all components are < |kPrime|. Otherwise, returns 0 and the value of -// |out| is undefined. +// The inverse of `scalar_encode`. Returns 1 iff the encoded scalar is valid, +// i.e. all components are < `kPrime`. Otherwise, returns 0 and the value of +// `out` is undefined. template int scalar_decode(scalar *out, const uint8_t *in); 
@@ -766,9 +766,9 @@ int scalar_decode<4>(scalar *out, const uint8_t in[128]) { return 1; } -// scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in -// |out|. It returns one on success and zero if any parsed value is >= -// |kPrime|. +// scalar_decode parses `DEGREE * bits` bits from `in` into `DEGREE` values in +// `out`. It returns one on success and zero if any parsed value is >= +// `kPrime`. template <> int scalar_decode<11>(scalar *out, const uint8_t in[352]) { for (int i = 0; i < DEGREE; i += 8) { @@ -831,8 +831,8 @@ int scalar_decode<1>(scalar *out, const uint8_t in[32]) { return 1; } -// Decodes 32*|RANK|*|bits| bytes from |in| into |out|. It returns one on -// success or zero if any parsed value is >= |kPrime|. +// Decodes 32*`RANK`*`bits` bytes from `in` into `out`. It returns one on +// success or zero if any parsed value is >= `kPrime`. template inline int vector_decode(vector *out, const uint8_t *in) { for (int i = 0; i < RANK; i++) { @@ -843,12 +843,12 @@ inline int vector_decode(vector *out, const uint8_t *in) { return 1; } -// Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping +// Compresses (lossily) an input `x` mod 3329 into `bits` many bits by grouping // numbers close to each other together. The formula used is -// round(2^|bits|/kPrime*x) mod 2^|bits|. +// round(2^`bits`/kPrime*x) mod 2^`bits`. // Uses Barrett reduction to achieve constant time. Since we need both the // remainder (for rounding) and the quotient (as the result), we cannot use -// |reduce| here, but need to do the Barrett reduction directly. +// `reduce` here, but need to do the Barrett reduction directly. inline uint16_t compress(uint16_t x, int bits) { uint32_t shifted = (uint32_t)x << bits; uint64_t product = (uint64_t)shifted * kBarrettMultiplier; 
@@ -865,19 +865,19 @@ inline uint16_t compress(uint16_t x, int bits) { return quotient & ((1 << bits) - 1); } -// Decompresses |x| by using an equi-distant representative. The formula is -// round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to +// Decompresses `x` by using an equi-distant representative. The formula is +// round(kPrime/2^`bits`*x). Note that 2^`bits` being the divisor allows us to // implement this logic using only bit operations. inline uint16_t decompress(uint16_t x, int bits) { uint32_t product = (uint32_t)x * kPrime; uint32_t power = 1 << bits; - // This is |product| % power, since |power| is a power of 2. + // This is `product` % power, since `power` is a power of 2. uint32_t remainder = product & (power - 1); - // This is |product| / power, since |power| is a power of 2. + // This is `product` / power, since `power` is a power of 2. uint32_t lower = product >> bits; - // The rounding logic works since the first half of numbers mod |power| have a - // 0 as first bit, and the second half has a 1 as first bit, since |power| is - // a power of 2. As a 12 bit number, |remainder| is always positive, so we + // The rounding logic works since the first half of numbers mod `power` have a + // 0 as first bit, and the second half has a 1 as first bit, since `power` is + // a power of 2. As a 12 bit number, `remainder` is always positive, so we // will shift in 0s for a right shift. return lower + (remainder >> (bits - 1)); } @@ -1012,7 +1012,7 @@ void mlkem_generate_key_external_seed(uint8_t *out_encoded_public_key, } // Encrypts a message with given randomness to -// the ciphertext in |out|. Without applying the Fujisaki-Okamoto transform this +// the ciphertext in `out`. Without applying the Fujisaki-Okamoto transform this // would not result in a CCA secure scheme, since lattice schemes are vulnerable // to decryption failure oracles. template 
@@ -1085,8 +1085,8 @@ void mlkem_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], mlkem_decap_no_self_test(out_shared_secret, ciphertext, priv); } -// mlkem_parse_public_key_with_trailing_data parses |in| into |pub| but leaves -// trailing data in |in| for the caller. +// mlkem_parse_public_key_with_trailing_data parses `in` into `pub` but leaves +// trailing data in `in` for the caller. template int mlkem_parse_public_key_with_trailing_data(public_key *pub, CBS *in) { CBS orig_in = *in; @@ -1527,8 +1527,8 @@ const MLKEM1024_public_key *bssl::BCM_mlkem1024_public_of_private( return mlkem::public_key_1024_to_external(&priv->pub); } -// Calls |MLKEM768_encap_external_entropy| with random bytes from -// |BCM_rand_bytes| +// Calls `MLKEM768_encap_external_entropy` with random bytes from +// `BCM_rand_bytes` bcm_infallible bssl::BCM_mlkem768_encap( uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], diff --git a/third_party/boringssl/src/crypto/fipsmodule/rand/android_entropy_client.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/rand/android_entropy_client.cc.inc new file mode 100644 index 00000000..1611052f --- /dev/null +++ b/third_party/boringssl/src/crypto/fipsmodule/rand/android_entropy_client.cc.inc 
@@ -0,0 +1,82 @@
+// Copyright 2020 The BoringSSL Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include
+
+#if defined(BORINGSSL_FIPS) && defined(OPENSSL_ANDROID)
+
+#include
+#include
+#include
+#include
+#include
+
+#include "internal.h"
+
+BSSL_NAMESPACE_BEGIN
+
+int bssl_get_seed_from_daemon(uint8_t *out_entropy, size_t *inout_entropy_len) {
+ const int sock = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (sock < 0) {
+ return 0;
+ }
+
+ struct sockaddr_un sun;
+ memset(&sun, 0, sizeof(sun));
+ sun.sun_family = AF_UNIX;
+ static const char kSocketPath[] = "/dev/socket/prng_seeder";
+ static_assert(sizeof(kSocketPath) <= UNIX_PATH_MAX, "kSocketPath too long");
+ OPENSSL_memcpy(sun.sun_path, kSocketPath, sizeof(kSocketPath));
+
+ int ret = 0;
+ size_t done = 0;
+ if (connect(sock, (struct sockaddr *)&sun, sizeof(sun))) {
+ goto out;
+ }
+
+ uint8_t buffer[BSSL_ENTROPY_DAEMON_RESPONSE_LEN];
+ while (done < sizeof(buffer)) {
+ ssize_t n;
+ do {
+ n = read(sock, buffer + done, sizeof(buffer) - done);
+ } while (n == -1 && errno == EINTR);
+
+ if (n < 1) {
+ goto out;
+ }
+ done += n;
+ }
+
+ if (done != BSSL_ENTROPY_DAEMON_RESPONSE_LEN) {
+ // The daemon should always write `BSSL_ENTROPY_DAEMON_RESPONSE_LEN` bytes
+ // on every connection.
+ goto out; + } + + if (*inout_entropy_len > sizeof(buffer)) { + *inout_entropy_len = sizeof(buffer); + } + OPENSSL_memcpy(out_entropy, buffer, *inout_entropy_len); + ret = 1; + +out: + if (sock >= 0) { + close(sock); + } + return ret; +} + +BSSL_NAMESPACE_END + +#endif // FIPS && ANDROID diff --git a/third_party/boringssl/src/crypto/fipsmodule/rand/ctrdrbg.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/rand/ctrdrbg.cc.inc index 04f51959..8aa034c6 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rand/ctrdrbg.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/rand/ctrdrbg.cc.inc @@ -241,7 +241,7 @@ int bssl::CTR_DRBG_init(CTR_DRBG_STATE *drbg, int df, const uint8_t *entropy, static_assert(CTR_DRBG_SEED_LEN % AES_BLOCK_SIZE == 0, "not a multiple of AES block size"); -// ctr_inc adds |n| to the last four bytes of |drbg->counter|, treated as a +// ctr_inc adds `n` to the last four bytes of `drbg->counter`, treated as a // big-endian number. static void ctr32_add(CTR_DRBG_STATE *drbg, uint32_t n) { uint32_t ctr = CRYPTO_load_u32_be(drbg->counter + 12); diff --git a/third_party/boringssl/src/crypto/fipsmodule/rand/internal.h b/third_party/boringssl/src/crypto/fipsmodule/rand/internal.h index 0913f008..8895b961 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rand/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/rand/internal.h @@ -25,7 +25,7 @@ BSSL_NAMESPACE_BEGIN // rand_fork_unsafe_buffering_enabled returns whether fork-unsafe buffering has -// been enabled via |RAND_enable_fork_unsafe_buffering|. +// been enabled via `RAND_enable_fork_unsafe_buffering`. int rand_fork_unsafe_buffering_enabled(); BSSL_NAMESPACE_END 
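Review bot: In the new android_entropy_client.cc.inc, `buffer` in `bssl_get_seed_from_daemon` holds the daemon's raw seed bytes and is left on the stack on both the success path and the `goto out` paths. Seed material for a DRBG is worth wiping once it has been copied out, e.g. `OPENSSL_cleanse(buffer, sizeof(buffer));` under the `out:` label before `return ret;` (assuming the header that declares it is among this file's includes, which are not legible here). The same applies to `daemon_buffer` in `core_drbg_get_entropy`, `entropy` in `core_drbg_get_locked` and `reseed_entropy` in `core_drbg_draw_seed` in the rand.cc.inc hunk, none of which is cleared in the lines shown. Separately, the `done != BSSL_ENTROPY_DAEMON_RESPONSE_LEN` check cannot fire, because the read loop only exits normally when `done` equals `sizeof(buffer)`.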
@@ -43,19 +43,29 @@ struct ctr_drbg_state_st { BSSL_NAMESPACE_BEGIN -// CTR_DRBG_init initialises |*drbg| given |entropy_len| bytes of entropy in -// |entropy| and, optionally, a personalization string up to -// |CTR_DRBG_SEED_LEN| bytes in length. It returns one on success and zero on +// CTR_DRBG_init initialises `*drbg` given `entropy_len` bytes of entropy in +// `entropy` and, optionally, a personalization string up to +// `CTR_DRBG_SEED_LEN` bytes in length. It returns one on success and zero on // error. // -// If `df` is false then `entropy_len` must be |CTR_DRBG_ENTROPY_LEN| and -// |nonce| must be nullptr. +// If `df` is false then `entropy_len` must be `CTR_DRBG_ENTROPY_LEN` and +// `nonce` must be nullptr. OPENSSL_EXPORT int CTR_DRBG_init(CTR_DRBG_STATE *drbg, int df, const uint8_t *entropy, size_t entropy_len, const uint8_t nonce[CTR_DRBG_NONCE_LEN], const uint8_t *personalization, size_t personalization_len); +// BSSL_ENTROPY_DAEMON_RESPONSE_LEN is the number of bytes that the Android +// entropy daemon replies with. +#define BSSL_ENTROPY_DAEMON_RESPONSE_LEN (48 * 10 + 16) + +// bssl_get_seed_from_daemon fetches up to `*inout_entropy_len` bytes of +// entropy from the Android entropy daemon, writing them to `*out_entropy`. +// On successful exit, `*inout_entropy_len` contains the number of bytes +// written. Returns one on success and zero on error. +int bssl_get_seed_from_daemon(uint8_t *out_entropy, size_t *inout_entropy_len); + #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) inline int have_rdrand() { return CRYPTO_is_RDRAND_capable(); } 
@@ -68,11 +78,11 @@ inline int have_fast_rdrand() { } // CRYPTO_rdrand writes eight bytes of random data from the hardware RNG to -// |out|. It returns one on success or zero on hardware failure. +// `out`. It returns one on success or zero on hardware failure. extern "C" int CRYPTO_rdrand(uint8_t out[8]); -// CRYPTO_rdrand_multiple8_buf fills |len| bytes at |buf| with random data from -// the hardware RNG. The |len| argument must be a multiple of eight. It returns +// CRYPTO_rdrand_multiple8_buf fills `len` bytes at `buf` with random data from +// the hardware RNG. The `len` argument must be a multiple of eight. It returns // one on success and zero on hardware failure. extern "C" int CRYPTO_rdrand_multiple8_buf(uint8_t *buf, size_t len); diff --git a/third_party/boringssl/src/crypto/fipsmodule/rand/rand.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/rand/rand.cc.inc index 9b294416..5d4fc9f3 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rand/rand.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/rand/rand.cc.inc @@ -24,6 +24,7 @@ #include #include #include +#include #include "../../bcm_support.h" #include "../../mem_internal.h" 
@@ -31,66 +32,186 @@ #include "../delocate.h" #include "internal.h" +#if defined(BORINGSSL_FIPS) +#include "../entropy/internal.h" +#endif + using namespace bssl; -// It's assumed that the operating system always has an unfailing source of -// entropy which is accessed via |CRYPTO_sysrand|. (If the operating system -// entropy source fails, it's up to |CRYPTO_sysrand| to abort the process—we -// don't try to handle it.) +// # Entropy design +// +// Each thread gets its own, thread-local DRBG. These are `rand_thread_state` +// objects. In non-FIPS mode these are seeded from the operating system. It's +// assumed that the operating system always has an unfailing source of entropy +// which is accessed via `CRYPTO_sysrand`. (If the operating system entropy +// source fails, it's up to `CRYPTO_sysrand` to abort the process—we don't try +// to handle it.) +// +// If running in FIPS mode, a compliant entropy source must be used to seed the +// thread-local DRBGs instead. That is either the BoringCrypto jitter source or, +// on Android, a source provided by the OS which is accessed via a UNIX domain +// socket. When seeding from these sources, OS entropy is still used via the +// "additional data" input to the DRBG. But, from a compliance perspective, +// this input is irrelevent. +// +// Since the jitter source takes some time to run, there is a single jitter +// source per address space. It's used to seed a DRBG (`core_drbg`) which, in +// turn, seeds the thread-local DRBGs. Android also uses this core DRBG design +// in order to keep things more uniform across platforms. // -// In addition, the hardware may provide a low-latency RNG. Intel's rdrand -// instruction is the canonical example of this. When a hardware RNG is -// available we don't need to worry about an RNG failure arising from fork()ing -// the process or moving a VM, so we can keep thread-local RNG state and use it -// as an additional-data input to CTR-DRBG. 
+// The core DRBG will be reseeded in accordance with NIST's reseeding +// requirements. However, since our DRBG configuration allows for 2**48 +// generate calls before reseeding, it's unlikely that any process would +// observe a reseed of that DRBG. +// +// The thread-local DRBGs mean that we have to worry about the process fork()ing +// or the underlying VM getting cloned. Thus we try to mix entropy into each +// generation from the thread-local DRBGs. The hardware may provide a +// low-latency RNG. (Intel's rdrand instruction is the canonical example of +// this.) If available, that'll be used for this additional data. Otherwise +// we'll draw from the OS if it doesn't provide other fork-detection APIs. // // (We assume that the OS entropy is safe from fork()ing and VM duplication. // This might be a bit of a leap of faith, esp on Windows, but there's nothing // that we can do about it.) -// kReseedInterval is the number of generate calls made to CTR-DRBG before -// reseeding. -static const unsigned kReseedInterval = 4096; +#if defined(BORINGSSL_FIPS) +// This #if-block needs to be outside of the anonymous namespace: + +struct core_drbg { + CTR_DRBG_STATE drbg; + // calls is the number of generate calls made on `drbg` since it was last + // (re)seeded. This is bound by `kCoreReseedInterval`. + uint64_t calls = 0; +}; -// CRNGT_BLOCK_SIZE is the number of bytes in a “block” for the purposes of the -// continuous random number generator test in FIPS 140-2, section 4.9.2. -#define CRNGT_BLOCK_SIZE 16 +DEFINE_BSS_GET(struct core_drbg *, g_core_drbg, = nullptr) +DEFINE_STATIC_MUTEX(g_core_drbg_lock) +#endif // FIPS namespace { + +#if defined(BORINGSSL_FIPS) + +// The number of times we'll generate from the core DRBG before reseeding. +// This is within the permitted bounds but so high that this effectively means +// that we'll never reseed it. See SP 800-90Ar1 table 3. 
+constexpr uint64_t kCoreReseedInterval = (UINT64_C(1) << 48) - 1; +constexpr size_t kCoreDRBGEntropySize = 48; + +#if defined(OPENSSL_ANDROID) +// Android seeds from a system daemon which is responsible for getting +// entropy from a validated source. +void core_drbg_get_entropy(uint8_t entropy[kCoreDRBGEntropySize]) { + uint8_t daemon_buffer[BSSL_ENTROPY_DAEMON_RESPONSE_LEN]; + size_t daemon_buffer_len = sizeof(daemon_buffer); + if (!bssl_get_seed_from_daemon(daemon_buffer, &daemon_buffer_len)) { + // If the daemon isn't running then fallback to system entropy. + CRYPTO_sysrand(entropy, kCoreDRBGEntropySize); + return; + } + SHA384(daemon_buffer, daemon_buffer_len, entropy); +} +#else +// Non-Android platforms use the jitter source. +void core_drbg_get_entropy(uint8_t entropy[kCoreDRBGEntropySize]) { + // This runs the jitter source and takes some milliseconds. + for (unsigned i = 0; i < 100; i++) { + // The internal health checks of the jitter source may cause spurious + // failures, therefore we retry a number of times because failure + // to get entropy is fatal. + if (entropy::GetSeed(entropy)) { + return; + } + } + fprintf(stderr, "Persistent jitter source failure.\n"); + BORINGSSL_FIPS_abort(); +} +#endif + +struct core_drbg *core_drbg_get_locked() { + struct core_drbg **core = g_core_drbg_bss_get(); + if (*core != nullptr) { + return *core; + } + + uint8_t entropy[kCoreDRBGEntropySize]; + core_drbg_get_entropy(entropy); + + *core = New(); + if (!*core) { + BORINGSSL_FIPS_abort(); + } + + uint8_t nonce[CTR_DRBG_NONCE_LEN] = {0}; + static constexpr char kPersonalization[] = "BoringSSL"; + if (!CTR_DRBG_init(&(*core)->drbg, /*df=*/1, entropy, sizeof(entropy), nonce, + reinterpret_cast(kPersonalization), + sizeof(kPersonalization))) { + BORINGSSL_FIPS_abort(); + } + + return *core; +} + +// Draw a seed for a thread-local DRBG from the core DRBG. 
+void core_drbg_draw_seed(uint8_t *out_seed, size_t len) { + MutexWriteLock lock(g_core_drbg_lock_bss_get()); + + struct core_drbg *const core = core_drbg_get_locked(); + if (core->calls > kCoreReseedInterval) { + uint8_t reseed_entropy[kCoreDRBGEntropySize]; + core_drbg_get_entropy(reseed_entropy); + if (!CTR_DRBG_reseed(&core->drbg, reseed_entropy, + /*additional_data=*/nullptr, 0)) { + BORINGSSL_FIPS_abort(); + } + core->calls = 0; + } + + if (!CTR_DRBG_generate(&core->drbg, out_seed, len, + /*additional_data=*/nullptr, 0)) { + BORINGSSL_FIPS_abort(); + } + core->calls++; +} + +#endif // BORINGSSL_FIPS + +// kReseedInterval is the number of generate calls made to a thread-local +// CTR-DRBG before reseeding. +static const unsigned kReseedInterval = 4096; + // rand_thread_state contains the per-thread state for the RNG. struct rand_thread_state { CTR_DRBG_STATE drbg; uint64_t fork_generation; - // calls is the number of generate calls made on |drbg| since it was last - // (re)seeded. This is bound by |kReseedInterval|. + // calls is the number of generate calls made on `drbg` since it was last + // (re)seeded. This is bound by `kReseedInterval`. unsigned calls; - // last_block_valid is non-zero iff |last_block| contains data from - // |get_seed_entropy|. - int last_block_valid; - // fork_unsafe_buffering is non-zero iff, when |drbg| was last (re)seeded, + // fork_unsafe_buffering is non-zero iff, when `drbg` was last (re)seeded, // fork-unsafe buffering was enabled. int fork_unsafe_buffering; #if defined(BORINGSSL_FIPS) - // last_block contains the previous block from |get_seed_entropy|. - uint8_t last_block[CRNGT_BLOCK_SIZE]; // next and prev form a nullptr-terminated, double-linked list of all states // in a process. struct rand_thread_state *next, *prev; - // clear_drbg_lock synchronizes between uses of |drbg| and - // |rand_thread_state_clear_all| clearing it. 
This lock should be uncontended + // clear_drbg_lock synchronizes between uses of `drbg` and + // `rand_thread_state_clear_all` clearing it. This lock should be uncontended // in the common case, except on shutdown. Mutex clear_drbg_lock; #endif }; + } // namespace #if defined(BORINGSSL_FIPS) -// thread_states_list is the head of a linked-list of all |rand_thread_state| +// thread_states_list is the head of a linked-list of all `rand_thread_state` // objects in the process, one per thread. This is needed because FIPS requires -// that they be zeroed on process exit, but thread-local destructors aren't -// called when the whole process is exiting. +// the ability to zero them on demand (AS09.28). BoringSSL triggers this with a +// destructor function. DEFINE_BSS_GET(struct rand_thread_state *, thread_states_list, = nullptr) DEFINE_STATIC_MUTEX(thread_states_list_lock) @@ -102,14 +223,21 @@ static void rand_thread_state_clear_all() { cur->clear_drbg_lock.LockWrite(); CTR_DRBG_clear(&cur->drbg); } + + g_core_drbg_lock_bss_get()->LockWrite(); + struct core_drbg **core = g_core_drbg_bss_get(); + if (*core) { + CTR_DRBG_clear(&(*core)->drbg); + } + // The locks are deliberately left locked so that any threads that are still - // running will hang if they try to call |BCM_rand_bytes|. It also ensures - // |rand_thread_state_free| cannot free any thread state while we've taken the + // running will hang if they try to call `BCM_rand_bytes`. It also ensures + // `rand_thread_state_free` cannot free any thread state while we've taken the // lock. } #endif -// rand_thread_state_free frees a |rand_thread_state|. This is called when a +// rand_thread_state_free frees a `rand_thread_state`. This is called when a // thread exits. static void rand_thread_state_free(void *state_in) { struct rand_thread_state *state = 
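Review bot: On Android, `core_drbg_get_entropy` falls back to `CRYPTO_sysrand` without any signal when `bssl_get_seed_from_daemon` fails, whereas the non-Android branch ends in `BORINGSSL_FIPS_abort()` on persistent jitter failure. The design comment earlier in this hunk says a FIPS build must seed from a compliant source, so the fallback deserves at least a comment stating that it is deliberate and what it means for the seed, e.g. `// Deliberate: without the daemon the core DRBG is seeded from OS entropy only, not the validated source.` If the fallback is not meant to be silent, a one-time diagnostic at that point would make it visible; whether a suitable logging hook exists in this module is not shown here. Because `core_drbg_get_locked` creates the core DRBG once and `core_drbg_draw_seed` reseeds it only after `kCoreReseedInterval` calls, a single daemon failure at first use determines the seed source for effectively the life of the process.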
@@ -125,8 +253,8 @@ static void rand_thread_state_free(void *state_in) { if (state->prev != nullptr) { state->prev->next = state->next; } else if (*thread_states_list_bss_get() == state) { - // |state->prev| may be nullptr either if it is the head of the list, - // or if |state| is freed before it was added to the list at all. + // `state->prev` may be nullptr either if it is the head of the list, + // or if `state` is freed before it was added to the list at all. // Compare against the head of the list to distinguish these cases. *thread_states_list_bss_get() = state->next; } @@ -145,7 +273,7 @@ static void rand_thread_state_free(void *state_in) { #if defined(OPENSSL_X86_64) && !defined(OPENSSL_NO_ASM) && \ !defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) -// rdrand should only be called if either |have_rdrand| or |have_fast_rdrand| +// rdrand should only be called if either `have_rdrand` or `have_fast_rdrand` // returned true. static int rdrand(uint8_t *buf, const size_t len) { const size_t len_multiple8 = len & ~7; 
@@ -185,146 +313,26 @@ bcm_status bssl::BCM_rand_bytes_hwrng(uint8_t *buf, const size_t len) { #if defined(BORINGSSL_FIPS) -// In passive entropy mode, entropy is supplied from outside of the module via -// |BCM_rand_load_entropy| and is stored in global instance of the following -// structure. - -struct entropy_buffer { - // bytes contains entropy suitable for seeding a DRBG. - uint8_t bytes[CRNGT_BLOCK_SIZE + CTR_DRBG_SEED_LEN * BORINGSSL_FIPS_OVERREAD]; - // bytes_valid indicates the number of bytes of |bytes| that contain valid - // data. - size_t bytes_valid; - // want_additional_input is true if any of the contents of |bytes| were - // obtained via a method other than from the kernel. In these cases entropy - // from the kernel is also provided via an additional input to the DRBG. - int want_additional_input; -}; - -DEFINE_BSS_GET(struct entropy_buffer, entropy_buffer, = {}) -DEFINE_STATIC_MUTEX(entropy_buffer_lock) - -bcm_infallible bssl::BCM_rand_load_entropy(const uint8_t *entropy, - size_t entropy_len, - int want_additional_input) { - struct entropy_buffer *const buffer = entropy_buffer_bss_get(); - - MutexWriteLock lock(entropy_buffer_lock_bss_get()); - const size_t space = sizeof(buffer->bytes) - buffer->bytes_valid; - if (entropy_len > space) { - entropy_len = space; - } - - OPENSSL_memcpy(&buffer->bytes[buffer->bytes_valid], entropy, entropy_len); - buffer->bytes_valid += entropy_len; - buffer->want_additional_input |= want_additional_input && (entropy_len != 0); - return bcm_infallible::not_approved; -} - -// get_seed_entropy fills |out_entropy_len| bytes of |out_entropy| from the -// global |entropy_buffer|. 
-static void get_seed_entropy(uint8_t *out_entropy, size_t out_entropy_len, - int *out_want_additional_input) { - struct entropy_buffer *const buffer = entropy_buffer_bss_get(); - if (out_entropy_len > sizeof(buffer->bytes)) { - abort(); - } - - MutexWriteLock lock(entropy_buffer_lock_bss_get()); - while (buffer->bytes_valid < out_entropy_len) { - MutexWriteUnlock unlock(entropy_buffer_lock_bss_get()); - RAND_need_entropy(out_entropy_len - buffer->bytes_valid); - } - - *out_want_additional_input = buffer->want_additional_input; - OPENSSL_memcpy(out_entropy, buffer->bytes, out_entropy_len); - OPENSSL_memmove(buffer->bytes, &buffer->bytes[out_entropy_len], - buffer->bytes_valid - out_entropy_len); - buffer->bytes_valid -= out_entropy_len; - if (buffer->bytes_valid == 0) { - buffer->want_additional_input = 0; - } -} - -// rand_get_seed fills |seed| with entropy. In some cases, it will additionally -// fill |additional_input| with entropy to supplement |seed|. It sets -// |*out_additional_input_len| to the number of extra bytes. +// rand_get_seed fills `seed` with entropy. Since, in FIPS mode, this entropy +// comes from the jitter source / system daemon, `additional_input` will also be +// filled with system entropy. static void rand_get_seed(struct rand_thread_state *state, - uint8_t seed[CTR_DRBG_SEED_LEN], + uint8_t seed[CTR_DRBG_ENTROPY_LEN], uint8_t additional_input[CTR_DRBG_SEED_LEN], size_t *out_additional_input_len) { - uint8_t entropy_bytes[sizeof(state->last_block) + - CTR_DRBG_SEED_LEN * BORINGSSL_FIPS_OVERREAD]; - uint8_t *entropy = entropy_bytes; - size_t entropy_len = sizeof(entropy_bytes); - - if (state->last_block_valid) { - // No need to fill |state->last_block| with entropy from the read. 
- entropy += sizeof(state->last_block); - entropy_len -= sizeof(state->last_block); - } - - int want_additional_input; - get_seed_entropy(entropy, entropy_len, &want_additional_input); - - if (!state->last_block_valid) { - OPENSSL_memcpy(state->last_block, entropy, sizeof(state->last_block)); - entropy += sizeof(state->last_block); - entropy_len -= sizeof(state->last_block); - } - - // See FIPS 140-2, section 4.9.2. This is the “continuous random number - // generator test” which causes the program to randomly abort. Hopefully the - // rate of failure is small enough not to be a problem in practice. - if (CRYPTO_memcmp(state->last_block, entropy, sizeof(state->last_block)) == - 0) { - fprintf(CRYPTO_get_stderr(), "CRNGT failed.\n"); - BORINGSSL_FIPS_abort(); - } - - assert(entropy_len % CRNGT_BLOCK_SIZE == 0); - for (size_t i = CRNGT_BLOCK_SIZE; i < entropy_len; i += CRNGT_BLOCK_SIZE) { - if (CRYPTO_memcmp(entropy + i - CRNGT_BLOCK_SIZE, entropy + i, - CRNGT_BLOCK_SIZE) == 0) { - fprintf(CRYPTO_get_stderr(), "CRNGT failed.\n"); - BORINGSSL_FIPS_abort(); - } - } - OPENSSL_memcpy(state->last_block, entropy + entropy_len - CRNGT_BLOCK_SIZE, - CRNGT_BLOCK_SIZE); - - assert(entropy_len == BORINGSSL_FIPS_OVERREAD * CTR_DRBG_SEED_LEN); - OPENSSL_memcpy(seed, entropy, CTR_DRBG_SEED_LEN); - - for (size_t i = 1; i < BORINGSSL_FIPS_OVERREAD; i++) { - for (size_t j = 0; j < CTR_DRBG_SEED_LEN; j++) { - seed[j] ^= entropy[CTR_DRBG_SEED_LEN * i + j]; - } - } - - // If we used something other than system entropy then also read from the - // system. This avoids solely relying on the hardware. - // TODO(crbug.com/446280903): Once this change sticks, switch - // |get_seed_entropy| to draw from the OS instead of RDRAND. 
- *out_additional_input_len = 0; - if (want_additional_input) { - CRYPTO_sysrand(additional_input, CTR_DRBG_SEED_LEN); - *out_additional_input_len = CTR_DRBG_SEED_LEN; - } + core_drbg_draw_seed(seed, CTR_DRBG_ENTROPY_LEN); + CRYPTO_sysrand(additional_input, CTR_DRBG_SEED_LEN); + *out_additional_input_len = CTR_DRBG_SEED_LEN; } #else -// rand_get_seed fills |seed| with entropy. In some cases, it will additionally -// fill |additional_input| with entropy to supplement |seed|. It sets -// |*out_additional_input_len| to the number of extra bytes. +// rand_get_seed fills `seed` with system entropy in a non-FIPS build. static void rand_get_seed(struct rand_thread_state *state, - uint8_t seed[CTR_DRBG_SEED_LEN], + uint8_t seed[CTR_DRBG_ENTROPY_LEN], uint8_t additional_input[CTR_DRBG_SEED_LEN], size_t *out_additional_input_len) { - // If not in FIPS mode, we don't overread from the system entropy source and - // we don't depend only on the hardware RDRAND. - CRYPTO_sysrand(seed, CTR_DRBG_SEED_LEN); + CRYPTO_sysrand(seed, CTR_DRBG_ENTROPY_LEN); *out_additional_input_len = 0; } @@ -349,7 +357,7 @@ bcm_infallible bssl::BCM_rand_bytes_with_additional_data( if (!have_fast_rdrand() || !rdrand(additional_data, sizeof(additional_data))) { // Without a hardware RNG to save us from address-space duplication, the OS - // entropy is used. This can be expensive (one read per |RAND_bytes| call) + // entropy is used. This can be expensive (one read per `RAND_bytes` call) // and so is disabled when we have fork detection, or if the application has // promised not to fork. if (fork_generation != 0 || fork_unsafe_buffering) { 
@@ -374,16 +382,18 @@ bcm_infallible bssl::BCM_rand_bytes_with_additional_data( rand_thread_state_free)) { // If the system is out of memory, use an ephemeral state on the // stack. + Delete(state); state = &stack_state; } - state->last_block_valid = 0; - uint8_t seed[CTR_DRBG_SEED_LEN]; + uint8_t seed[CTR_DRBG_ENTROPY_LEN]; uint8_t personalization[CTR_DRBG_SEED_LEN] = {0}; size_t personalization_len = 0; rand_get_seed(state, seed, personalization, &personalization_len); - if (!CTR_DRBG_init(&state->drbg, /*df=*/true, seed, 32u, seed + 32, + if (!CTR_DRBG_init(&state->drbg, /*df=*/true, seed, + sizeof(seed) - CTR_DRBG_NONCE_LEN, + seed + sizeof(seed) - CTR_DRBG_NONCE_LEN, personalization, personalization_len)) { abort(); } 
@@ -406,23 +416,23 @@ bcm_infallible bssl::BCM_rand_bytes_with_additional_data( } if (state->calls >= kReseedInterval || - // If we've forked since |state| was last seeded, reseed. + // If we've forked since `state` was last seeded, reseed. state->fork_generation != fork_generation || - // If |state| was seeded from a state with different fork-safety - // preferences, reseed. Suppose |state| was fork-safe, then forked into + // If `state` was seeded from a state with different fork-safety + // preferences, reseed. Suppose `state` was fork-safe, then forked into // two children, but each of the children never fork and disable fork // safety. The children must reseed to avoid working from the same PRNG // state. state->fork_unsafe_buffering != fork_unsafe_buffering) { - uint8_t seed[CTR_DRBG_SEED_LEN]; + uint8_t seed[CTR_DRBG_ENTROPY_LEN]; uint8_t reseed_additional_data[CTR_DRBG_SEED_LEN] = {0}; size_t reseed_additional_data_len = 0; rand_get_seed(state, seed, reseed_additional_data, &reseed_additional_data_len); #if defined(BORINGSSL_FIPS) - // Take a read lock around accesses to |state->drbg|. This is needed to + // Take a read lock around accesses to `state->drbg`. This is needed to // avoid returning bad entropy if we race with - // |rand_thread_state_clear_all|. + // `rand_thread_state_clear_all`. state->clear_drbg_lock.LockRead(); #endif if (!CTR_DRBG_reseed_ex(&state->drbg, seed, sizeof(seed), @@ -454,7 +464,7 @@ bcm_infallible bssl::BCM_rand_bytes_with_additional_data( out += todo; out_len -= todo; // Though we only check before entering the loop, this cannot add enough to - // overflow a |size_t|. + // overflow a `size_t`. state->calls++; first_call = 0; } 
@@ -474,9 +484,3 @@ bcm_infallible bssl::BCM_rand_bytes(uint8_t *out, size_t out_len) { BCM_rand_bytes_with_additional_data(out, out_len, kZeroAdditionalData); return bcm_infallible::approved; } - -int RAND_maybe_reseed() { - // Currently does nothing since we don't use jitter entropy yet and so the - // reseeding is quick. - return 0; -} diff --git a/third_party/boringssl/src/crypto/fipsmodule/rsa/internal.h b/third_party/boringssl/src/crypto/fipsmodule/rsa/internal.h index 3a0daf56..ebb70c32 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rsa/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/rsa/internal.h @@ -31,7 +31,7 @@ BSSL_NAMESPACE_BEGIN // TODO(crbug.com/42290480): Raise this limit. 512-bit RSA was factored in 1999. #define OPENSSL_RSA_MIN_MODULUS_BITS 512 -// TODO(davidben): This is inside BCM because |RSA| is inside BCM, but BCM never +// TODO(davidben): This is inside BCM because `RSA` is inside BCM, but BCM never // uses this. Split the RSA type in two. enum rsa_pss_params_t { // No parameters. 
@@ -67,19 +67,19 @@ class RSAImpl : public rsa_st, public RefCounted { Mutex lock; // Used to cache montgomery values. The creation of these values is protected - // by |lock|. + // by `lock`. UniquePtr mont_n; UniquePtr mont_p; UniquePtr mont_q; - // The following fields are copies of |d|, |dmp1|, and |dmq1|, respectively, + // The following fields are copies of `d`, `dmp1`, and `dmq1`, respectively, // but with the correct widths to prevent side channels. These must use // separate copies due to threading concerns caused by OpenSSL's API // mistakes. See https://github.com/openssl/openssl/issues/5158 and - // the |freeze_private_key| implementation. + // the `freeze_private_key` implementation. UniquePtr d_fixed, dmp1_fixed, dmq1_fixed; - // iqmp_mont is q^-1 mod p in Montgomery form, using |mont_p|. + // iqmp_mont is q^-1 mod p in Montgomery form, using `mont_p`. UniquePtr iqmp_mont; // pss_params is the RSA-PSS parameters associated with the key. This is not 
@@ -118,26 +118,26 @@ int RSA_padding_check_PKCS1_type_1(uint8_t *out, size_t *out_len, int RSA_padding_add_none(uint8_t *to, size_t to_len, const uint8_t *from, size_t from_len); -// rsa_check_public_key checks that |rsa|'s public modulus and exponent are +// rsa_check_public_key checks that `rsa`'s public modulus and exponent are // within DoS bounds. int rsa_check_public_key(const RSA *rsa); // rsa_private_transform_no_self_test calls either the method-specific -// |private_transform| function (if given) or the generic one. See the comment -// for |private_transform| in |rsa_meth_st|. +// `private_transform` function (if given) or the generic one. See the comment +// for `private_transform` in `rsa_meth_st`. int rsa_private_transform_no_self_test(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len); -// rsa_private_transform acts the same as |rsa_private_transform_no_self_test| +// rsa_private_transform acts the same as `rsa_private_transform_no_self_test` // but, in FIPS mode, performs an RSA self test before calling the default RSA // implementation. int rsa_private_transform(RSA *rsa, uint8_t *out, const uint8_t *in, size_t len); -// rsa_invalidate_key is called after |rsa| has been mutated, to invalidate +// rsa_invalidate_key is called after `rsa` has been mutated, to invalidate // fields derived from the original structure. This function assumes exclusive -// access to |rsa|. In particular, no other thread may be concurrently signing, -// etc., with |rsa|. +// access to `rsa`. In particular, no other thread may be concurrently signing, +// etc., with `rsa`. void rsa_invalidate_key(RSA *rsa); diff --git a/third_party/boringssl/src/crypto/fipsmodule/rsa/padding.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/rsa/padding.cc.inc index 44c8ce45..5d8824b8 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rsa/padding.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/rsa/padding.cc.inc 
@@ -184,7 +184,7 @@ int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash, if (sLen == RSA_PSS_SALTLEN_DIGEST) { sLen = (int)hLen; } else if (sLen == RSA_PSS_SALTLEN_AUTO) { - // Leave |sLen| negative, which will trigger the logic below to recover and + // Leave `sLen` negative, which will trigger the logic below to recover and // allow any salt length. } else if (sLen < 0) { // Other negative values are reserved. @@ -202,7 +202,7 @@ int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash, EM++; emLen--; } - // |sLen| may be negative for the non-standard salt length recovery mode. + // `sLen` may be negative for the non-standard salt length recovery mode. if (emLen < hLen + 2 || (sLen >= 0 && emLen < hLen + (size_t)sLen + 2)) { OPENSSL_PUT_ERROR(RSA, RSA_R_DATA_TOO_LARGE); goto err; diff --git a/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa.cc.inc index 65109588..edec7acf 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa.cc.inc @@ -407,7 +407,7 @@ struct pkcs1_sig_prefix { int nid; // hash_len is the expected length of the hash function. uint8_t hash_len; - // len is the number of bytes of |bytes| which are valid. + // len is the number of bytes of `bytes` which are valid. uint8_t len; // bytes contains the DER bytes. uint8_t bytes[19]; @@ -551,7 +551,7 @@ int bssl::rsa_sign_no_self_test(int hash_nid, const uint8_t *digest, if (!rsa_check_digest_size(hash_nid, digest_len)) { return 0; } - // All supported digest lengths fit in |unsigned|. + // All supported digest lengths fit in `unsigned`. assert(digest_len <= EVP_MAX_MD_SIZE); static_assert(EVP_MAX_MD_SIZE <= UINT_MAX, "digest too long"); return impl->meth->sign(hash_nid, digest, (unsigned)digest_len, out, 
@@ -715,8 +715,8 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, return 1; } - // Note |bn_mul_consttime| and |bn_div_consttime| do not scale linearly, but - // checking |ainv| is in range bounds the running time, assuming |m|'s bounds + // Note `bn_mul_consttime` and `bn_div_consttime` do not scale linearly, but + // checking `ainv` is in range bounds the running time, assuming `m`'s bounds // were checked by the caller. BN_CTXScope scope(ctx); BIGNUM *tmp = BN_CTX_get(ctx); @@ -731,8 +731,8 @@ static int check_mod_inverse(int *out_ok, const BIGNUM *a, const BIGNUM *ainv, int RSA_check_key(const RSA *key) { // TODO(davidben): RSA key initialization is spread across - // |rsa_check_public_key|, |RSA_check_key|, |freeze_private_key|, and - // |BN_MONT_CTX_set_locked| as a result of API issues. See + // `rsa_check_public_key`, `RSA_check_key`, `freeze_private_key`, and + // `BN_MONT_CTX_set_locked` as a result of API issues. See // https://crbug.com/boringssl/316. As a result, we inconsistently check RSA // invariants. We should fix this and integrate that logic. @@ -746,7 +746,7 @@ int RSA_check_key(const RSA *key) { return 0; } - // |impl->d| must be bounded by |impl->n|. This ensures bounds on |RSA_bits| + // `impl->d` must be bounded by `impl->n`. This ensures bounds on `RSA_bits` // translate to bounds on the running time of private key operations. if (impl->d != nullptr && (BN_is_negative(impl->d.get()) || BN_cmp(impl->d.get(), impl->n.get()) >= 0)) { 
@@ -777,8 +777,8 @@ int RSA_check_key(const RSA *key) { BN_init(&dmq1); // Check that p * q == n. Before we multiply, we check that p and q are in - // bounds, to avoid a DoS vector in |bn_mul_consttime| below. Note that - // n was bound by |rsa_check_public_key|. This also implicitly checks p and q + // bounds, to avoid a DoS vector in `bn_mul_consttime` below. Note that + // n was bound by `rsa_check_public_key`. This also implicitly checks p and q // are odd, which is a necessary condition for Montgomery reduction. if (BN_is_negative(impl->p.get()) || constant_time_declassify_int(BN_cmp(impl->p.get(), impl->n.get()) >= 0) || @@ -833,7 +833,7 @@ int RSA_check_key(const RSA *key) { pm1_bits, ctx) || !check_mod_inverse(&dmq1_ok, impl->e.get(), impl->dmq1.get(), &qm1, qm1_bits, ctx) || - // |p| is odd, so |pm1| and |p| have the same bit width. If they didn't, + // `p` is odd, so `pm1` and `p` have the same bit width. If they didn't, // we only need a lower bound anyway. !check_mod_inverse(&iqmp_ok, impl->q.get(), impl->iqmp.get(), impl->p.get(), pm1_bits, ctx)) { @@ -906,12 +906,12 @@ int RSA_check_fips(RSA *key) { // Perform partial public key validation of RSA keys (SP 800-89 5.3.3). // Although this is not for primality testing, SP 800-89 cites an RSA - // primality testing algorithm, so we use |BN_prime_checks_for_generation| to + // primality testing algorithm, so we use `BN_prime_checks_for_generation` to // match. This is only a plausibility test and we expect the value to be // composite, so too few iterations will cause us to reject the key, not use // an implausible one. // - // |key->e| may be nullptr if created with |RSA_new_private_key_no_e|. + // `key->e` may be nullptr if created with `RSA_new_private_key_no_e`. enum bn_primality_result_t primality_result; auto *impl = FromOpaque(key); if (impl->e.get() == nullptr || // 
@@ -939,7 +939,7 @@ int RSA_check_fips(RSA *key) { } // FIPS pairwise consistency test (FIPS 140-2 4.9.2). Per FIPS 140-2 IG, - // section 9.9, it is not known whether |rsa| will be used for signing or + // section 9.9, it is not known whether `rsa` will be used for signing or // encryption, so either pair-wise consistency self-test is acceptable. We // perform a signing test. uint8_t data[32] = {0}; diff --git a/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa_impl.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa_impl.cc.inc index ba08ae77..2580739c 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa_impl.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/rsa/rsa_impl.cc.inc @@ -97,7 +97,7 @@ int bssl::rsa_check_public_key(const RSA *rsa) { return 0; } - // The upper bound on |e_bits| and lower bound on |n_bits| imply e is + // The upper bound on `e_bits` and lower bound on `n_bits` imply e is // bounded by n. assert(BN_ucmp(impl->n.get(), impl->e.get()) > 0); } @@ -123,9 +123,9 @@ static int ensure_fixed_copy(UniquePtr *out, const BIGNUM *in, return 1; } -// freeze_private_key finishes initializing |rsa|'s private key components. -// After this function has returned, |rsa| may not be changed. This is needed -// because |RSA| is a public struct and, additionally, OpenSSL 1.1.0 opaquified +// freeze_private_key finishes initializing `rsa`'s private key components. +// After this function has returned, `rsa` may not be changed. This is needed +// because `RSA` is a public struct and, additionally, OpenSSL 1.1.0 opaquified // it wrong (see https://github.com/openssl/openssl/issues/5158). static int freeze_private_key(RSAImpl *rsa, BN_CTX *ctx) { rsa->lock.LockRead(); 
@@ -148,9 +148,9 @@ static int freeze_private_key(RSAImpl *rsa, BN_CTX *ctx) { // Pre-compute various intermediate values, as well as copies of private // exponents with correct widths. Note that other threads may concurrently - // read from |rsa->n|, |rsa->e|, etc., so any fixes must be in separate - // copies. We use |mont_n->N|, |mont_p->N|, and |mont_q->N| as copies of |n|, - // |p|, and |q| with the correct minimal widths. + // read from `rsa->n`, `rsa->e`, etc., so any fixes must be in separate + // copies. We use `mont_n->N`, `mont_p->N`, and `mont_q->N` as copies of `n`, + // `p`, and `q` with the correct minimal widths. if (rsa->mont_n == nullptr) { rsa->mont_n.reset(BN_MONT_CTX_new_for_modulus(rsa->n.get(), ctx)); @@ -160,9 +160,9 @@ static int freeze_private_key(RSAImpl *rsa, BN_CTX *ctx) { } n_fixed = &rsa->mont_n->N; - // The only public upper-bound of |rsa->d| is the bit length of |rsa->n|. The + // The only public upper-bound of `rsa->d` is the bit length of `rsa->n`. The // ASN.1 serialization of RSA private keys unfortunately leaks the byte length - // of |rsa->d|, but normalize it so we only leak it once, rather than per + // of `rsa->d`, but normalize it so we only leak it once, rather than per // operation. if (rsa->d != nullptr && !ensure_fixed_copy(&rsa->d_fixed, rsa->d.get(), n_fixed->width)) { @@ -201,7 +201,7 @@ static int freeze_private_key(RSAImpl *rsa, BN_CTX *ctx) { return 0; } - // Compute |iqmp_mont|, which is |iqmp| in Montgomery form and with the + // Compute `iqmp_mont`, which is `iqmp` in Montgomery form and with the // correct bit width. if (rsa->iqmp_mont == nullptr) { UniquePtr iqmp_mont(BN_new()); 
@@ -427,18 +427,18 @@ int bssl::rsa_default_private_transform(RSA *rsa, uint8_t *out, if (impl->e == nullptr && (impl->flags & RSA_FLAG_NO_PUBLIC_EXPONENT) == 0) { // Unless the private key was specifically created with an API like - // |RSA_new_private_key_no_e|, don't allow RSA keys to be missing the public + // `RSA_new_private_key_no_e`, don't allow RSA keys to be missing the public // exponent, which disables some fault attack mitigations. (It should not be - // possible to construct such an |RSA| object in the public API.) + // possible to construct such an `RSA` object in the public API.) OPENSSL_PUT_ERROR(RSA, RSA_R_NO_PUBLIC_EXPONENT); return 0; } if (impl->p != nullptr && impl->q != nullptr && impl->e != nullptr && impl->dmp1 != nullptr && impl->dmq1 != nullptr && impl->iqmp != nullptr && - // Require that we can reduce |f| by |impl->p| and |impl->q| in constant + // Require that we can reduce `f` by `impl->p` and `impl->q` in constant // time, which requires primes be the same size, rounded to the Montgomery - // coefficient. (See |mod_montgomery|.) This is not required by RFC 8017, + // coefficient. (See `mod_montgomery`.) This is not required by RFC 8017, // but it is true for keys generated by us and all common implementations. bn_less_than_montgomery_R(impl->q.get(), impl->mont_p.get()) && bn_less_than_montgomery_R(impl->p.get(), impl->mont_q.get())) { @@ -459,8 +459,8 @@ int bssl::rsa_default_private_transform(RSA *rsa, uint8_t *out, // works when the CRT isn't used. That attack is much less likely to succeed // than the CRT attack, but there have likely been improvements since 1997. // - // This check is cheap assuming |e| is small, which we require in - // |rsa_check_public_key|. + // This check is cheap assuming `e` is small, which we require in + // `rsa_check_public_key`. if (impl->e != nullptr) { BIGNUM *vrfy = BN_CTX_get(ctx.get()); if (vrfy == nullptr || 
@@ -472,7 +472,7 @@ int bssl::rsa_default_private_transform(RSA *rsa, uint8_t *out, } } - // The computation should have left |result| as a maximally-wide number, so + // The computation should have left `result` as a maximally-wide number, so // that it and serializing does not leak information about the magnitude of // the result. // @@ -487,8 +487,8 @@ int bssl::rsa_default_private_transform(RSA *rsa, uint8_t *out, return 1; } -// mod_montgomery sets |r| to |I| mod |p|. |I| must already be fully reduced -// modulo |p| times |q|. It returns one on success and zero on error. +// mod_montgomery sets `r` to `I` mod `p`. `I` must already be fully reduced +// modulo `p` times `q`. It returns one on success and zero on error. static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p, const BN_MONT_CTX *mont_p, const BIGNUM *q, BN_CTX *ctx) { @@ -508,13 +508,13 @@ static int mod_montgomery(BIGNUM *r, const BIGNUM *I, const BIGNUM *p, return 0; } - // By precomputing R^3 mod p (normally |BN_MONT_CTX| only uses R^2 mod p) and - // adjusting the API for |BN_mod_exp_mont_consttime|, we could instead compute + // By precomputing R^3 mod p (normally `BN_MONT_CTX` only uses R^2 mod p) and + // adjusting the API for `BN_mod_exp_mont_consttime`, we could instead compute // I * R mod p here and save a reduction per prime. But this would require // changing the RSAZ code and may not be worth it. Note that the RSAZ code // uses a different radix, so it uses R' = 2^1044. There we'd actually want // R^2 * R', and would further benefit from a precomputed R'^2. It currently - // converts |mont_p->RR| to R'^2. + // converts `mont_p->RR` to R'^2. return 1; } 
@@ -538,49 +538,49 @@ static int rsa_mod_exp_crt(BIGNUM *r0, const BIGNUM *I, RSAImpl *rsa, return 0; } - // Use the minimal-width versions of |n|, |p|, and |q|. Either works, but if + // Use the minimal-width versions of `n`, `p`, and `q`. Either works, but if // someone gives us non-minimal values, these will be slightly more efficient // on the non-Montgomery operations. BIGNUM *n = &rsa->mont_n->N; BIGNUM *p = &rsa->mont_p->N; BIGNUM *q = &rsa->mont_q->N; - // This is a pre-condition for |mod_montgomery|. It was already checked by the + // This is a pre-condition for `mod_montgomery`. It was already checked by the // caller. declassify_assert(BN_ucmp(I, n) < 0); - if ( // |m1| is the result modulo |q|. + if ( // `m1` is the result modulo `q`. !mod_montgomery(r1, I, q, rsa->mont_q.get(), p, ctx) || !BN_mod_exp_mont_consttime(m1, r1, rsa->dmq1_fixed.get(), q, ctx, rsa->mont_q.get()) || - // |r0| is the result modulo |p|. + // `r0` is the result modulo `p`. !mod_montgomery(r1, I, p, rsa->mont_p.get(), q, ctx) || !BN_mod_exp_mont_consttime(r0, r1, rsa->dmp1_fixed.get(), p, ctx, rsa->mont_p.get()) || - // Compute r0 = r0 - m1 mod p. |m1| is reduced mod |q|, not |p|, so we - // just run |mod_montgomery| again for srsaicity. This could be more - // efficient with more cases: if |p > q|, |m1| is already reduced. If - // |p < q| but they have the same bit width, |bn_reduce_once| suffices. + // Compute r0 = r0 - m1 mod p. `m1` is reduced mod `q`, not `p`, so we + // just run `mod_montgomery` again for srsaicity. This could be more + // efficient with more cases: if `p > q`, `m1` is already reduced. If + // `p < q` but they have the same bit width, `bn_reduce_once` suffices. // However, compared to over 2048 Montgomery multiplications above, this // difference is not measurable. !mod_montgomery(r1, m1, p, rsa->mont_p.get(), q, ctx) || !bn_mod_sub_consttime(r0, r0, r1, p, ctx) || // r0 = r0 * iqmp mod p. 
We use Montgomery multiplication to compute this - // in constant time. |iqmp_mont| is in Montgomery form and r0 is not, so + // in constant time. `iqmp_mont` is in Montgomery form and r0 is not, so // the result is taken out of Montgomery form. !BN_mod_mul_montgomery(r0, r0, rsa->iqmp_mont.get(), rsa->mont_p.get(), ctx) || // r0 = r0 * q + m1 gives the final result. Reducing modulo q gives m1, so // it is correct mod p. Reducing modulo p gives (r0-m1)*iqmp*q + m1 = r0, // so it is correct mod q. Finally, the result is bounded by [m1, n + m1), - // and the result is at least |m1|, so this must be the unique answer in + // and the result is at least `m1`, so this must be the unique answer in // [0, n). !bn_mul_consttime(r0, r0, q, ctx) || // !bn_uadd_consttime(r0, r0, m1)) { return 0; } - // The result should be bounded by |n|, but fixed-width operations may + // The result should be bounded by `n`, but fixed-width operations may // bound the width slightly higher, so fix it. This trips constant-time checks // because a naive data flow analysis does not realize the excess words are // publicly zero. @@ -600,9 +600,9 @@ static int ensure_bignum(UniquePtr *out) { return *out != nullptr; } -// generate_prime sets |out| to a prime with length |bits| such that |out|-1 is -// relatively prime to |e|. If |p| is non-NULL, |out| will also not be close to -// |p|. |pow2_bits_100| must be 2^(bits-100). +// generate_prime sets `out` to a prime with length `bits` such that `out`-1 is +// relatively prime to `e`. If `p` is non-NULL, `out` will also not be close to +// `p`. `pow2_bits_100` must be 2^(bits-100). // // This function fails with probability around 2^-21. static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, 
@@ -615,14 +615,14 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, assert(BN_is_pow2(pow2_bits_100)); assert(BN_is_bit_set(pow2_bits_100, bits - 100)); - // See FIPS 186-5 appendix A.1.3, steps 4 and 5. Note |bits| here is nlen/2. + // See FIPS 186-5 appendix A.1.3, steps 4 and 5. Note `bits` here is nlen/2. - // Use the limit from steps 4.7 and 5.8 for most values of |e|. When |e| is 3, + // Use the limit from steps 4.7 and 5.8 for most values of `e`. When `e` is 3, // the 186-5 limit is too low, so we use a higher one. Note this case is not - // reachable from |RSA_generate_key_fips|. + // reachable from `RSA_generate_key_fips`. // - // |limit| determines the failure probability. We must find a prime that is - // not 1 mod |e|. By the prime number theorem, we'll find one with probability + // `limit` determines the failure probability. We must find a prime that is + // not 1 mod `e`. By the prime number theorem, we'll find one with probability // p = (e-1)/e * 2/(ln(2)*bits). Note the second term is doubled because we // discard even numbers. // @@ -659,7 +659,7 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, } for (;;) { - // Generate a random number of length |bits| where the bottom bit is set and + // Generate a random number of length `bits` where the bottom bit is set and // top two bits are set (steps 4.2–4.4 and 5.2–5.4): // // - Setting the top two bits is permitted by steps 4.2.1 and 5.2.1. Doing @@ -673,7 +673,7 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, } if (p != nullptr) { - // If |p| and |out| are too close, try again (step 5.5). + // If `p` and `out` are too close, try again (step 5.5). if (!bn_abs_sub_consttime(tmp, out, p, ctx)) { return 0; } 
@@ -694,7 +694,7 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, return 0; } if (constant_time_declassify_int(relatively_prime)) { - // Test |out| for primality (steps 4.5.1 and 5.6.1). + // Test `out` for primality (steps 4.5.1 and 5.6.1). int is_probable_prime; if (!BN_primality_test(&is_probable_prime, out, BN_prime_checks_for_generation, ctx, 0, cb)) { @@ -719,7 +719,7 @@ static int generate_prime(BIGNUM *out, int bits, const BIGNUM *e, } // rsa_generate_key_impl generates an RSA key using a generalized version of -// FIPS 186-5 appendix A.1.3. |RSA_generate_key_fips| performs additional checks +// FIPS 186-5 appendix A.1.3. `RSA_generate_key_fips` performs additional checks // for FIPS-compliant key generation. // // This function returns one on success and zero on failure. It has a failure @@ -731,7 +731,7 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, return 0; } - // Always generate RSA keys which are a multiple of 128 bits. Round |bits| + // Always generate RSA keys which are a multiple of 128 bits. Round `bits` // down as needed. bits &= ~127; @@ -743,7 +743,7 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, // Reject excessively large public exponents. Windows CryptoAPI and Go don't // support values larger than 32 bits, so match their limits for generating - // keys. (|rsa_check_public_key| uses a slightly more conservative value, but + // keys. (`rsa_check_public_key` uses a slightly more conservative value, but // we don't need to support generating such keys.) // https://github.com/golang/go/issues/3161 // https://msdn.microsoft.com/en-us/library/aa387685(VS.85).aspx 
@@ -756,13 +756,13 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, // Catching these here prevents endless loops or slow computation when trying // to generate keys later, and results in a better error code. if ( - // Would fail in |bn_lcm_consttime| as it only allows positive integers. + // Would fail in `bn_lcm_consttime` as it only allows positive integers. BN_is_negative(e_value) || - // Would fail in |generate_prime| as only one |rsa->p|-1 is coprime with - // an even |e_value| and that one is a little bit short. (The R in RSA + // Would fail in `generate_prime` as only one `rsa->p`-1 is coprime with + // an even `e_value` and that one is a little bit short. (The R in RSA // doesn't stand for Rabin.) !BN_is_odd(e_value) || - // Would loop endlessly because it'll always compute an |rsa->d| exponent + // Would loop endlessly because it'll always compute an `rsa->d` exponent // of 1, which is too small. BN_is_one(e_value)) { OPENSSL_PUT_ERROR(RSA, RSA_R_BAD_E_VALUE); @@ -809,10 +809,10 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, } do { - // Generate p and q, each of size |prime_bits|, using the steps outlined in + // Generate p and q, each of size `prime_bits`, using the steps outlined in // appendix FIPS 186-5 appendix C.3.3. // - // Each call to |generate_prime| fails with probability p = 2^-21. The + // Each call to `generate_prime` fails with probability p = 2^-21. The // probability that either call fails is 1 - (1-p)^2, which is around 2^-20. if (!generate_prime(rsa->p.get(), prime_bits, rsa->e.get(), nullptr, pow2_prime_bits_100, ctx.get(), cb) || 
@@ -845,7 +845,7 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, return 0; } - // Retry if |rsa->d| <= 2^|prime_bits|. See appendix A.3.1's guidance on + // Retry if `rsa->d` <= 2^`prime_bits`. See appendix A.3.1's guidance on // values for d. When we retry, p and q are discarded, so it is safe to leak // this comparison. } while ( @@ -866,7 +866,7 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, } bn_set_minimal_width(rsa->n.get()); - // |rsa->n| is computed from the private key, but is public. + // `rsa->n` is computed from the private key, but is public. bn_declassify(rsa->n.get()); // Calculate q^-1 mod p. @@ -878,8 +878,8 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, return 0; } - // Sanity-check that |rsa->n| has the specified size. This is rsaied by - // |generate_prime|'s bounds. + // Sanity-check that `rsa->n` has the specified size. This is rsaied by + // `generate_prime`'s bounds. if (BN_num_bits(rsa->n.get()) != (unsigned)bits) { OPENSSL_PUT_ERROR(RSA, ERR_R_INTERNAL_ERROR); return 0; @@ -887,7 +887,7 @@ static int rsa_generate_key_impl(RSAImpl *rsa, int bits, const BIGNUM *e_value, // The key generation process is complex and thus error-prone. It could be // disastrous to generate and then use a bad key so double-check that the key - // makes sense. Also, while |rsa| is mutable, fill in the cached components. + // makes sense. Also, while `rsa` is mutable, fill in the cached components. if (!RSA_check_key(rsa) || !freeze_private_key(rsa, ctx.get())) { OPENSSL_PUT_ERROR(RSA, RSA_R_INTERNAL_ERROR); return 0; 
@@ -909,7 +909,7 @@ static int RSA_generate_key_ex_maybe_fips(RSAImpl *rsa, int bits, UniquePtr tmp; - // |rsa_generate_key_impl|'s 2^-20 failure probability is too high at scale, + // `rsa_generate_key_impl`'s 2^-20 failure probability is too high at scale, // so we run the FIPS algorithm four times, bringing it down to 2^-80. We // should just adjust the retry limit, but FIPS 186-5 prescribes that value // and thus results in unnecessary complexity. @@ -929,8 +929,8 @@ static int RSA_generate_key_ex_maybe_fips(RSAImpl *rsa, int bits, tmp = nullptr; failures++; - // Only retry on |RSA_R_TOO_MANY_ITERATIONS|. This is so a caller-induced - // failure in |BN_GENCB_call| is still fatal. + // Only retry on `RSA_R_TOO_MANY_ITERATIONS`. This is so a caller-induced + // failure in `BN_GENCB_call` is still fatal. } while (failures < 4 && ERR_equals(ERR_peek_error(), ERR_LIB_RSA, RSA_R_TOO_MANY_ITERATIONS)); @@ -992,7 +992,7 @@ BSSL_NAMESPACE_BEGIN DEFINE_METHOD_FUNCTION(RSA_METHOD, RSA_default_method) { // All of the methods are NULL to make it easier for the compiler/linker to // drop unused functions. The wrapper functions will select the appropriate - // |rsa_default_*| implementation. + // `rsa_default_*` implementation. OPENSSL_memset(out, 0, sizeof(RSA_METHOD)); out->common.is_static = 1; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/self_check/fips.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/self_check/fips.cc.inc index 5ed05cbb..e2eaf70b 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/self_check/fips.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/self_check/fips.cc.inc @@ -111,7 +111,7 @@ void bssl::boringssl_fips_inc_counter(enum fips_counter_t counter) { if (!CRYPTO_set_thread_local(OPENSSL_THREAD_LOCAL_FIPS_COUNTERS, array, OPENSSL_free)) { - // |OPENSSL_free| has already been called by |CRYPTO_set_thread_local|. + // `OPENSSL_free` has already been called by `CRYPTO_set_thread_local`. return; } } 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/self_check/self_check.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/self_check/self_check.cc.inc index 8ea40a18..d54e45f8 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/self_check/self_check.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/self_check/self_check.cc.inc @@ -297,7 +297,7 @@ err: // // Self tests that are slow are deferred until the corresponding algorithm is // actually exercised, in FIPS mode. (In non-FIPS mode these tests are only run -// when requested by |BORINGSSL_self_test|.) +// when requested by `BORINGSSL_self_test`.) static int boringssl_self_test_rsa_sign() { UniquePtr rsa_key(self_test_rsa_private_key()); @@ -484,7 +484,7 @@ static int boringssl_self_test_ecc() { 0xa5, 0x2c, 0xb5, 0x9f, 0xeb, 0x70, 0xae, 0xde, 0x6c, 0xe3, 0xbf, 0xb3, 0xe0, 0x10, 0x54, 0x85, 0xab, 0xd8, 0x61, 0xd7, 0x7b, }; - // kP256PointResult is |kP256Scalar|×|kP256Point|. + // kP256PointResult is `kP256Scalar`×`kP256Point`. static const uint8_t kP256PointResult[65] = { 0x04, 0xf1, 0x63, 0x00, 0x88, 0xc5, 0xd5, 0xe9, 0x05, 0x52, 0xac, 0xb6, 0xec, 0x68, 0x76, 0xb8, 0x73, 0x7f, 0x0f, 0x72, 0x34, 0xe6, diff --git a/third_party/boringssl/src/crypto/fipsmodule/service_indicator/internal.h b/third_party/boringssl/src/crypto/fipsmodule/service_indicator/internal.h index 064618e6..a46b1e0f 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/service_indicator/internal.h +++ b/third_party/boringssl/src/crypto/fipsmodule/service_indicator/internal.h 
@@ -20,21 +20,21 @@ BSSL_NAMESPACE_BEGIN -// FIPS_service_indicator_before_call and |FIPS_service_indicator_after_call| +// FIPS_service_indicator_before_call and `FIPS_service_indicator_after_call` // both currently return the same local thread counter which is slowly // incremented whenever approved services are called. The -// |CALL_SERVICE_AND_CHECK_APPROVED| macro is strongly recommended over calling +// `CALL_SERVICE_AND_CHECK_APPROVED` macro is strongly recommended over calling // these functions directly. // -// |FIPS_service_indicator_before_call| is intended to be called immediately -// before an approved service, while |FIPS_service_indicator_after_call| should +// `FIPS_service_indicator_before_call` is intended to be called immediately +// before an approved service, while `FIPS_service_indicator_after_call` should // be called immediately after. If the values returned from these two functions // are not equal, this means that the service called in between is deemed to be // approved. If the values are still the same, this means the counter has not // been incremented, and the service called is not approved for FIPS. // -// In non-FIPS builds, |FIPS_service_indicator_before_call| always returns zero -// and |FIPS_service_indicator_after_call| always returns one. Thus calls always +// In non-FIPS builds, `FIPS_service_indicator_before_call` always returns zero +// and `FIPS_service_indicator_after_call` always returns one. Thus calls always // appear to be approved. This is intended to simplify testing. OPENSSL_EXPORT uint64_t FIPS_service_indicator_before_call(); OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(); 
@@ -45,11 +45,11 @@ OPENSSL_EXPORT uint64_t FIPS_service_indicator_after_call(); // invoked. void FIPS_service_indicator_update_state(); -// FIPS_service_indicator_lock_state and |FIPS_service_indicator_unlock_state| -// stop |FIPS_service_indicator_update_state| from actually updating the service +// FIPS_service_indicator_lock_state and `FIPS_service_indicator_unlock_state` +// stop `FIPS_service_indicator_update_state` from actually updating the service // indicator. This is used when a primitive calls a potentially approved // primitive to avoid false positives. For example, just because a key -// generation calls |BCM_rand_bytes| (and thus the approved DRBG) doesn't mean +// generation calls `BCM_rand_bytes` (and thus the approved DRBG) doesn't mean // that the key generation operation itself is approved. // // This lock nests: i.e. locking twice is fine so long as each lock is paired @@ -57,7 +57,7 @@ void FIPS_service_indicator_update_state(); void FIPS_service_indicator_lock_state(); void FIPS_service_indicator_unlock_state(); -// The following functions may call |FIPS_service_indicator_update_state| if +// The following functions may call `FIPS_service_indicator_update_state` if // their parameter specifies an approved operation. void AEAD_GCM_verify_service_indicator(const EVP_AEAD_CTX *ctx); diff --git a/third_party/boringssl/src/crypto/fipsmodule/service_indicator/service_indicator.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/service_indicator/service_indicator.cc.inc index ef8fb350..20b2b0c0 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/service_indicator/service_indicator.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/service_indicator/service_indicator.cc.inc 
@@ -34,14 +34,14 @@ using namespace bssl; // state of the FIPS service indicator. struct fips_service_indicator_state { // lock_state records the number of times the indicator has been locked. - // When it is zero (i.e. |STATE_UNLOCKED|) then the indicator can be updated. + // When it is zero (i.e. `STATE_UNLOCKED`) then the indicator can be updated. uint64_t lock_state; // counter is the indicator state. It is incremented when an approved service // completes. uint64_t counter; }; -// service_indicator_get returns a pointer to the |fips_service_indicator_state| +// service_indicator_get returns a pointer to the `fips_service_indicator_state` // for the current thread. It returns nullptr on error. // // FIPS 140-3 requires that the module should provide the service indicator @@ -101,15 +101,15 @@ void bssl::FIPS_service_indicator_lock_state() { return; } - // |FIPS_service_indicator_lock_state| and - // |FIPS_service_indicator_unlock_state| should not under/overflow in normal + // `FIPS_service_indicator_lock_state` and + // `FIPS_service_indicator_unlock_state` should not under/overflow in normal // operation. They are still checked and errors added to facilitate testing in // service_indicator_test.cc. This should only happen if lock/unlock are // called in an incorrect order or multiple times in the same function. const uint64_t new_state = indicator->lock_state + 1; if (new_state < indicator->lock_state) { // Overflow. This would imply that our call stack length has exceeded a - // |uint64_t| which impossible on a 64-bit system. + // `uint64_t` which impossible on a 64-bit system. abort(); } 
@@ -201,8 +201,8 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx, // EVP_PKEY_RSA_PSS SPKIs aren't supported. if (pkey_type == EVP_PKEY_RSA) { // Message digest used in the private key should be of the same type - // as the given one, so we extract the MD type from the |EVP_PKEY| - // and compare it with the type in |ctx|. + // as the given one, so we extract the MD type from the `EVP_PKEY` + // and compare it with the type in `ctx`. const EVP_MD *pctx_md; if (!EVP_PKEY_CTX_get_signature_md(pctx, &pctx_md)) { goto err; @@ -230,7 +230,7 @@ static void evp_md_ctx_verify_service_indicator(const EVP_MD_CTX *ctx, } // The approved RSA key sizes for signing are 2048, 3072 and 4096 bits. - // Note: |EVP_PKEY_size| returns the size in bytes. + // Note: `EVP_PKEY_size` returns the size in bytes. size_t pkey_size = EVP_PKEY_size(FromOpaque(ctx->pctx)->pkey.get()); // Check if the MD type and the RSA key size are approved. @@ -322,7 +322,7 @@ uint64_t bssl::FIPS_service_indicator_before_call() { return 0; } uint64_t bssl::FIPS_service_indicator_after_call() { // One is returned so that the return value is always greater than zero, the - // return value of |FIPS_service_indicator_before_call|. This makes everything + // return value of `FIPS_service_indicator_before_call`. This makes everything // report as "approved" in non-FIPS builds. return 1; } diff --git a/third_party/boringssl/src/crypto/fipsmodule/sha/sha256.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/sha/sha256.cc.inc index 20cfda9a..8a179fd6 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/sha/sha256.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/sha/sha256.cc.inc 
@@ -106,9 +106,9 @@ static void sha256_final_impl(uint8_t *out, size_t md_len, SHA256_CTX *c) { bcm_infallible bssl::BCM_sha256_final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *c) { - // Ideally we would assert |sha->md_len| is |SHA256_DIGEST_LENGTH| tomatch the - // size hint, but calling code often pairs |SHA224_Init| with |SHA256_Final| - // and expects |sha->md_len| to carry the size over. + // Ideally we would assert `sha->md_len` is `SHA256_DIGEST_LENGTH` tomatch the + // size hint, but calling code often pairs `SHA224_Init` with `SHA256_Final` + // and expects `sha->md_len` to carry the size over. // // TODO(davidben): Add an assert and fix code to match them up. sha256_final_impl(out, c->md_len, c); @@ -117,8 +117,8 @@ bcm_infallible bssl::BCM_sha256_final(uint8_t out[SHA256_DIGEST_LENGTH], bcm_infallible bssl::BCM_sha224_final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *ctx) { - // This function must be paired with |SHA224_Init|, which sets |ctx->md_len| - // to |SHA224_DIGEST_LENGTH|. + // This function must be paired with `SHA224_Init`, which sets `ctx->md_len` + // to `SHA224_DIGEST_LENGTH`. assert(ctx->md_len == SHA224_DIGEST_LENGTH); sha256_final_impl(out, SHA224_DIGEST_LENGTH, ctx); return bcm_infallible::approved; diff --git a/third_party/boringssl/src/crypto/fipsmodule/sha/sha512.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/sha/sha512.cc.inc index f2282f4d..164a80e8 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/sha/sha512.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/sha/sha512.cc.inc 
@@ -92,8 +92,8 @@ static void sha512_block_data_order(uint64_t state[8], const uint8_t *in, bcm_infallible bssl::BCM_sha384_final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha) { - // This function must be paired with |BCM_sha384_init|, which sets - // |sha->md_len| to |SHA384_DIGEST_LENGTH|. + // This function must be paired with `BCM_sha384_init`, which sets + // `sha->md_len` to `SHA384_DIGEST_LENGTH`. assert(sha->md_len == SHA384_DIGEST_LENGTH); sha512_final_impl(out, SHA384_DIGEST_LENGTH, sha); return bcm_infallible::approved; @@ -111,8 +111,8 @@ bcm_infallible bssl::BCM_sha512_256_update(SHA512_CTX *sha, const void *data, bcm_infallible bssl::BCM_sha512_256_final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha) { - // This function must be paired with |BCM_sha512_256_init|, which sets - // |sha->md_len| to |SHA512_256_DIGEST_LENGTH|. + // This function must be paired with `BCM_sha512_256_init`, which sets + // `sha->md_len` to `SHA512_256_DIGEST_LENGTH`. assert(sha->md_len == SHA512_256_DIGEST_LENGTH); sha512_final_impl(out, SHA512_256_DIGEST_LENGTH, sha); return bcm_infallible::approved; @@ -170,9 +170,9 @@ bcm_infallible bssl::BCM_sha512_update(SHA512_CTX *c, const void *in_data, bcm_infallible bssl::BCM_sha512_final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha) { - // Ideally we would assert |sha->md_len| is |SHA512_DIGEST_LENGTH| to match - // the size hint, but calling code often pairs |BCM_sha384_init| with - // |BCM_sha512_final| and expects |sha->md_len| to carry the size over. + // Ideally we would assert `sha->md_len` is `SHA512_DIGEST_LENGTH` to match + // the size hint, but calling code often pairs `BCM_sha384_init` with + // `BCM_sha512_final` and expects `sha->md_len` to carry the size over. // // TODO(davidben): Add an assert and fix code to match them up. sha512_final_impl(out, sha->md_len, sha); 
diff --git a/third_party/boringssl/src/crypto/fipsmodule/tls/kdf.cc.inc b/third_party/boringssl/src/crypto/fipsmodule/tls/kdf.cc.inc index 2446a36b..350cd060 100644 --- a/third_party/boringssl/src/crypto/fipsmodule/tls/kdf.cc.inc +++ b/third_party/boringssl/src/crypto/fipsmodule/tls/kdf.cc.inc @@ -29,8 +29,8 @@ using namespace bssl; // tls1_P_hash computes the TLS P_ function as described in RFC 5246, -// section 5. It XORs |out_len| bytes to |out|, using |md| as the hash and -// |secret| as the secret. |label|, |seed1|, and |seed2| are concatenated to +// section 5. It XORs `out_len` bytes to `out`, using `md` as the hash and +// `secret` as the secret. `label`, `seed1`, and `seed2` are concatenated to // form the seed parameter. It returns true on success and false on failure. static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, const uint8_t *secret, size_t secret_len, @@ -60,7 +60,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, unsigned len_u; uint8_t hmac[EVP_MAX_MD_SIZE]; if (!HMAC_CTX_copy_ex(&ctx, &ctx_init) || !HMAC_Update(&ctx, A1, A1_len) || - // Save a copy of |ctx| to compute the next A1 value below. + // Save a copy of `ctx` to compute the next A1 value below. (out_len > chunk && !HMAC_CTX_copy_ex(&ctx_tmp, &ctx)) || !HMAC_Update(&ctx, (const uint8_t *)label, label_len) || !HMAC_Update(&ctx, seed1, seed1_len) || @@ -71,7 +71,7 @@ static int tls1_P_hash(uint8_t *out, size_t out_len, const EVP_MD *md, size_t len = len_u; assert(len == chunk); - // XOR the result into |out|. + // XOR the result into `out`. if (len > out_len) { len = out_len; } 
@@ -117,14 +117,14 @@ int CRYPTO_tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, int ret = 0; if (digest == EVP_md5_sha1()) { - // If using the MD5/SHA1 PRF, |secret| is partitioned between MD5 and SHA-1. + // If using the MD5/SHA1 PRF, `secret` is partitioned between MD5 and SHA-1. size_t secret_half = secret_len - (secret_len / 2); if (!tls1_P_hash(out, out_len, EVP_md5(), secret, secret_half, label, label_len, seed1, seed1_len, seed2, seed2_len)) { goto end; } - // Note that, if |secret_len| is odd, the two halves share a byte. + // Note that, if `secret_len` is odd, the two halves share a byte. secret += secret_len - secret_half; secret_len = secret_half; digest = EVP_sha1(); diff --git a/third_party/boringssl/src/crypto/hpke/hpke.cc b/third_party/boringssl/src/crypto/hpke/hpke.cc index 2365a53b..0cdec4e3 100644 --- a/third_party/boringssl/src/crypto/hpke/hpke.cc +++ b/third_party/boringssl/src/crypto/hpke/hpke.cc @@ -451,7 +451,7 @@ static int p256_private_key_from_seed(uint8_t out_priv[P256_PRIVATE_KEY_LEN], return 0; } - // |ec_scalar_from_bytes| checks that the scalar is less than the order. + // `ec_scalar_from_bytes` checks that the scalar is less than the order. if (ec_scalar_from_bytes(group, &private_scalar, out_priv, P256_PRIVATE_KEY_LEN) && !ec_scalar_is_zero(group, &private_scalar)) { @@ -994,14 +994,14 @@ void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key) { } int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src) { - // For now, |EVP_HPKE_KEY| is trivially copyable. + // For now, `EVP_HPKE_KEY` is trivially copyable. OPENSSL_memcpy(dst, src, sizeof(EVP_HPKE_KEY)); return 1; } void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in) { EVP_HPKE_KEY_cleanup(out); - // For now, |EVP_HPKE_KEY| is trivially movable. + // For now, `EVP_HPKE_KEY` is trivially movable. // Note that Rust may move this structure. See // bssl-crypto/src/scoped.rs:EvpHpkeKey. OPENSSL_memcpy(out, in, sizeof(EVP_HPKE_KEY)); 
@@ -1366,7 +1366,7 @@ static void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce, size_t nonce_len) { assert(nonce_len >= 8); - // Write padded big-endian bytes of |ctx->seq| to |out_nonce|. + // Write padded big-endian bytes of `ctx->seq` to `out_nonce`. OPENSSL_memset(out_nonce, 0, nonce_len); uint64_t seq_copy = ctx->seq; for (size_t i = 0; i < 8; i++) { @@ -1374,7 +1374,7 @@ static void hpke_nonce(const EVP_HPKE_CTX *ctx, uint8_t *out_nonce, seq_copy >>= 8; } - // XOR the encoded sequence with the |ctx->base_nonce|. + // XOR the encoded sequence with the `ctx->base_nonce`. for (size_t i = 0; i < nonce_len; i++) { out_nonce[i] ^= ctx->base_nonce[i]; } diff --git a/third_party/boringssl/src/crypto/hrss/hrss.cc b/third_party/boringssl/src/crypto/hrss/hrss.cc index 2915c70c..cef8b17a 100644 --- a/third_party/boringssl/src/crypto/hrss/hrss.cc +++ b/third_party/boringssl/src/crypto/hrss/hrss.cc @@ -57,7 +57,7 @@ using namespace bssl; // // A couple of functions in this file can use vector operations to meaningful // effect. If we're building for a target that has a supported vector unit, -// |HRSS_HAVE_VECTOR_UNIT| will be defined and |vec_t| will be typedefed to a +// `HRSS_HAVE_VECTOR_UNIT` will be defined and `vec_t` will be typedefed to a // 128-bit vector. The following functions abstract over the differences between // NEON and SSE2 for implementing some vector operations. 
@@ -72,25 +72,25 @@ typedef __m128i vec_t; // vec_capable returns one iff the current platform supports SSE2. static int vec_capable() { return 1; } -// vec_add performs a pair-wise addition of four uint16s from |a| and |b|. +// vec_add performs a pair-wise addition of four uint16s from `a` and `b`. static vec_t vec_add(vec_t a, vec_t b) { return _mm_add_epi16(a, b); } -// vec_sub performs a pair-wise subtraction of four uint16s from |a| and |b|. +// vec_sub performs a pair-wise subtraction of four uint16s from `a` and `b`. static vec_t vec_sub(vec_t a, vec_t b) { return _mm_sub_epi16(a, b); } -// vec_mul multiplies each uint16_t in |a| by |b| and returns the resulting +// vec_mul multiplies each uint16_t in `a` by `b` and returns the resulting // vector. static vec_t vec_mul(vec_t a, uint16_t b) { return _mm_mullo_epi16(a, _mm_set1_epi16(b)); } -// vec_fma multiplies each uint16_t in |b| by |c|, adds the result to |a|, and +// vec_fma multiplies each uint16_t in `b` by `c`, adds the result to `a`, and // returns the resulting vector. static vec_t vec_fma(vec_t a, vec_t b, uint16_t c) { return _mm_add_epi16(a, _mm_mullo_epi16(b, _mm_set1_epi16(c))); } -// vec3_rshift_word right-shifts the 24 uint16_t's in |v| by one uint16. +// vec3_rshift_word right-shifts the 24 uint16_t's in `v` by one uint16. static void vec3_rshift_word(vec_t v[3]) { // Intel's left and right shifting is backwards compared to the order in // memory because they're based on little-endian order of words (and not just @@ -107,7 +107,7 @@ static void vec3_rshift_word(vec_t v[3]) { v[2] |= carry1; } -// vec4_rshift_word right-shifts the 32 uint16_t's in |v| by one uint16. +// vec4_rshift_word right-shifts the 32 uint16_t's in `v` by one uint16. static void vec4_rshift_word(vec_t v[4]) { // Intel's left and right shifting is backwards compared to the order in // memory because they're based on little-endian order of words (and not just 
@@ -128,13 +128,13 @@ static void vec4_rshift_word(vec_t v[4]) { v[3] |= carry2; } -// vec_merge_3_5 takes the final three uint16_t's from |left|, appends the first -// five from |right|, and returns the resulting vector. +// vec_merge_3_5 takes the final three uint16_t's from `left`, appends the first +// five from `right`, and returns the resulting vector. static vec_t vec_merge_3_5(vec_t left, vec_t right) { return _mm_srli_si128(left, 10) | _mm_slli_si128(right, 6); } -// poly3_vec_lshift1 left-shifts the 768 bits in |a_s|, and in |a_a|, by one +// poly3_vec_lshift1 left-shifts the 768 bits in `a_s`, and in `a_a`, by one // bit. static void poly3_vec_lshift1(vec_t a_s[6], vec_t a_a[6]) { vec_t carry_s = {0}; @@ -155,7 +155,7 @@ static void poly3_vec_lshift1(vec_t a_s[6], vec_t a_a[6]) { } } -// poly3_vec_rshift1 right-shifts the 768 bits in |a_s|, and in |a_a|, by one +// poly3_vec_rshift1 right-shifts the 768 bits in `a_s`, and in `a_a`, by one // bit. static void poly3_vec_rshift1(vec_t a_s[6], vec_t a_a[6]) { vec_t carry_s = {0}; @@ -176,15 +176,15 @@ static void poly3_vec_rshift1(vec_t a_s[6], vec_t a_a[6]) { } } -// vec_broadcast_bit duplicates the least-significant bit in |a| to all bits in +// vec_broadcast_bit duplicates the least-significant bit in `a` to all bits in // a vector and returns the result. static vec_t vec_broadcast_bit(vec_t a) { return _mm_shuffle_epi32(_mm_srai_epi32(_mm_slli_epi64(a, 63), 31), 0b01010101); } -// vec_get_word returns the |i|th uint16_t in |v|. (This is a macro because the -// compiler requires that |i| be a compile-time constant.) +// vec_get_word returns the `i`th uint16_t in `v`. (This is a macro because the +// compiler requires that `i` be a compile-time constant.) #define vec_get_word(v, i) _mm_extract_epi16(v, i) #elif (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && defined(__ARM_NEON) 
@@ -300,7 +300,7 @@ static void poly2_zero(struct poly2 *p) { OPENSSL_memset(&p->v[0], 0, sizeof(crypto_word_t) * WORDS_PER_POLY); } -// word_reverse returns |in| with the bits in reverse order. +// word_reverse returns `in` with the bits in reverse order. static crypto_word_t word_reverse(crypto_word_t in) { #if defined(OPENSSL_64_BIT) static const crypto_word_t kMasks[6] = { @@ -321,12 +321,12 @@ static crypto_word_t word_reverse(crypto_word_t in) { return in; } -// lsb_to_all replicates the least-significant bit of |v| to all bits of the +// lsb_to_all replicates the least-significant bit of `v` to all bits of the // word. This is used in bit-slicing operations to make a vector from a fixed // value. static crypto_word_t lsb_to_all(crypto_word_t v) { return 0u - (v & 1); } -// poly2_mod_phiN reduces |p| by Φ(N). +// poly2_mod_phiN reduces `p` by Φ(N). static void poly2_mod_phiN(struct poly2 *p) { // m is the term at x^700, replicated to every bit. const crypto_word_t m = @@ -337,8 +337,8 @@ static void poly2_mod_phiN(struct poly2 *p) { p->v[WORDS_PER_POLY - 1] &= (UINT64_C(1) << (BITS_IN_LAST_WORD - 1)) - 1; } -// poly2_reverse_700 reverses the order of the first 700 bits of |in| and writes -// the result to |out|. +// poly2_reverse_700 reverses the order of the first 700 bits of `in` and writes +// the result to `out`. static void poly2_reverse_700(struct poly2 *out, const struct poly2 *in) { struct poly2 t; for (size_t i = 0; i < WORDS_PER_POLY; i++) { @@ -353,7 +353,7 @@ static void poly2_reverse_700(struct poly2 *out, const struct poly2 *in) { out->v[WORDS_PER_POLY - 1] = t.v[0] >> shift; } -// poly2_cswap exchanges the values of |a| and |b| if |swap| is all ones. +// poly2_cswap exchanges the values of `a` and `b` if `swap` is all ones. static void poly2_cswap(struct poly2 *a, struct poly2 *b, crypto_word_t swap) { for (size_t i = 0; i < WORDS_PER_POLY; i++) { const crypto_word_t sum = swap & (a->v[i] ^ b->v[i]); 
@@ -362,8 +362,8 @@ static void poly2_cswap(struct poly2 *a, struct poly2 *b, crypto_word_t swap) { } } -// poly2_fmadd sets |out| to |out| + |in| * m, where m is either -// |CONSTTIME_TRUE_W| or |CONSTTIME_FALSE_W|. +// poly2_fmadd sets `out` to `out` + `in` * m, where m is either +// `CONSTTIME_TRUE_W` or `CONSTTIME_FALSE_W`. static void poly2_fmadd(struct poly2 *out, const struct poly2 *in, crypto_word_t m) { for (size_t i = 0; i < WORDS_PER_POLY; i++) { @@ -371,7 +371,7 @@ static void poly2_fmadd(struct poly2 *out, const struct poly2 *in, } } -// poly2_lshift1 left-shifts |p| by one bit. +// poly2_lshift1 left-shifts `p` by one bit. static void poly2_lshift1(struct poly2 *p) { crypto_word_t carry = 0; for (size_t i = 0; i < WORDS_PER_POLY; i++) { @@ -382,7 +382,7 @@ static void poly2_lshift1(struct poly2 *p) { } } -// poly2_rshift1 right-shifts |p| by one bit. +// poly2_rshift1 right-shifts `p` by one bit. static void poly2_rshift1(struct poly2 *p) { crypto_word_t carry = 0; for (size_t i = WORDS_PER_POLY - 1; i < WORDS_PER_POLY; i--) { @@ -402,7 +402,7 @@ static void poly2_clear_top_bits(struct poly2 *p) { // Ternary polynomials. // poly3 represents a degree-N polynomial over GF(3). Each coefficient is -// bitsliced across the |s| and |a| arrays, like this: +// bitsliced across the `s` and `a` arrays, like this: // // s | a | value // ----------------- 
@@ -441,14 +441,14 @@ static void poly3_zero(struct poly3 *p) { poly2_zero(&p->a); } -// poly3_reverse_700 reverses the order of the first 700 terms of |in| and -// writes them to |out|. +// poly3_reverse_700 reverses the order of the first 700 terms of `in` and +// writes them to `out`. static void poly3_reverse_700(struct poly3 *out, const struct poly3 *in) { poly2_reverse_700(&out->a, &in->a); poly2_reverse_700(&out->s, &in->s); } -// poly3_word_mul sets (|out_s|, |out_a|) to (|s1|, |a1|) × (|s2|, |a2|). +// poly3_word_mul sets (`out_s`, `out_a`) to (`s1`, `a1`) × (`s2`, `a2`). static void poly3_word_mul(crypto_word_t *out_s, crypto_word_t *out_a, const crypto_word_t s1, const crypto_word_t a1, const crypto_word_t s2, const crypto_word_t a2) { @@ -456,7 +456,7 @@ static void poly3_word_mul(crypto_word_t *out_s, crypto_word_t *out_a, *out_s = (s1 ^ s2) & *out_a; } -// poly3_word_add sets (|out_s|, |out_a|) to (|s1|, |a1|) + (|s2|, |a2|). +// poly3_word_add sets (`out_s`, `out_a`) to (`s1`, `a1`) + (`s2`, `a2`). static void poly3_word_add(crypto_word_t *out_s, crypto_word_t *out_a, const crypto_word_t s1, const crypto_word_t a1, const crypto_word_t s2, const crypto_word_t a2) { @@ -465,7 +465,7 @@ static void poly3_word_add(crypto_word_t *out_s, crypto_word_t *out_a, *out_a = (a1 ^ a2) | (t ^ s2); } -// poly3_word_sub sets (|out_s|, |out_a|) to (|s1|, |a1|) - (|s2|, |a2|). +// poly3_word_sub sets (`out_s`, `out_a`) to (`s1`, `a1`) - (`s2`, `a2`). static void poly3_word_sub(crypto_word_t *out_s, crypto_word_t *out_a, const crypto_word_t s1, const crypto_word_t a1, const crypto_word_t s2, const crypto_word_t a2) { @@ -474,7 +474,7 @@ static void poly3_word_sub(crypto_word_t *out_s, crypto_word_t *out_a, *out_a = t | (s1 ^ s2); } -// poly3_mul_const sets |p| to |p|×m, where m = (ms, ma). +// poly3_mul_const sets `p` to `p`×m, where m = (ms, ma). static void poly3_mul_const(struct poly3 *p, crypto_word_t ms, crypto_word_t ma) { ms = lsb_to_all(ms); 
@@ -485,7 +485,7 @@ static void poly3_mul_const(struct poly3 *p, crypto_word_t ms, } } -// poly3_fmadd sets |out| to |out| - |in|×m, where m is (ms, ma). +// poly3_fmadd sets `out` to `out` - `in`×m, where m is (ms, ma). static void poly3_fmsub(struct poly3 *out, const struct poly3 *in, crypto_word_t ms, crypto_word_t ma) { crypto_word_t product_s, product_a; @@ -502,7 +502,7 @@ static crypto_word_t final_bit_to_all(crypto_word_t v) { return lsb_to_all(v >> (BITS_IN_LAST_WORD - 1)); } -// poly3_mod_phiN reduces |p| by Φ(N). +// poly3_mod_phiN reduces `p` by Φ(N). static void poly3_mod_phiN(struct poly3 *p) { // In order to reduce by Φ(N) we subtract by the value of the greatest // coefficient. @@ -539,8 +539,8 @@ struct poly3_span { crypto_word_t *a; }; -// poly3_span_add adds |n| words of values from |a| and |b| and writes the -// result to |out|. +// poly3_span_add adds `n` words of values from `a` and `b` and writes the +// result to `out`. static void poly3_span_add(const struct poly3_span *out, const struct poly3_span *a, const struct poly3_span *b, size_t n) { @@ -549,7 +549,7 @@ static void poly3_span_add(const struct poly3_span *out, } } -// poly3_span_sub subtracts |n| words of |b| from |n| words of |a|. +// poly3_span_sub subtracts `n` words of `b` from `n` words of `a`. static void poly3_span_sub(const struct poly3_span *a, const struct poly3_span *b, size_t n) { for (size_t i = 0; i < n; i++) { 
@@ -557,11 +557,11 @@ static void poly3_span_sub(const struct poly3_span *a, } } -// poly3_mul_aux is a recursive function that multiplies |n| words from |a| and -// |b| and writes 2×|n| words to |out|. Each call uses 2*ceil(n/2) elements of -// |scratch| and the function recurses, except if |n| == 1, when |scratch| isn't -// used and the recursion stops. For |n| in {11, 22}, the transitive total -// amount of |scratch| needed happens to be 2n+2. +// poly3_mul_aux is a recursive function that multiplies `n` words from `a` and +// `b` and writes 2×`n` words to `out`. Each call uses 2*ceil(n/2) elements of +// `scratch` and the function recurses, except if `n` == 1, when `scratch` isn't +// used and the recursion stops. For `n` in {11, 22}, the transitive total +// amount of `scratch` needed happens to be 2n+2. static void poly3_mul_aux(const struct poly3_span *out, const struct poly3_span *scratch, const struct poly3_span *a, @@ -608,14 +608,14 @@ static void poly3_mul_aux(const struct poly3_span *out, // Karatsuba multiplication. // https://en.wikipedia.org/wiki/Karatsuba_algorithm - // When |n| is odd, the two "halves" will have different lengths. The first + // When `n` is odd, the two "halves" will have different lengths. The first // is always the smaller. const size_t low_len = n / 2; const size_t high_len = n - low_len; const struct poly3_span a_high = {&a->s[low_len], &a->a[low_len]}; const struct poly3_span b_high = {&b->s[low_len], &b->a[low_len]}; - // Store a_1 + a_0 in the first half of |out| and b_1 + b_0 in the second + // Store a_1 + a_0 in the first half of `out` and b_1 + b_0 in the second // half. const struct poly3_span a_cross_sum = *out; const struct poly3_span b_cross_sum = {&out->s[high_len], &out->a[high_len]}; 
@@ -649,7 +649,7 @@ static void poly3_mul_aux(const struct poly3_span *out, poly3_span_add(&out_mid, &out_mid, scratch, high_len * 2); } -// HRSS_poly3_mul sets |*out| to |x|×|y| mod Φ(N). +// HRSS_poly3_mul sets `*out` to `x`×`y` mod Φ(N). void bssl::HRSS_poly3_mul(struct poly3 *out, const struct poly3 *x, const struct poly3 *y) { crypto_word_t prod_s[WORDS_PER_POLY * 2]; @@ -665,7 +665,7 @@ void bssl::HRSS_poly3_mul(struct poly3 *out, const struct poly3 *x, poly3_mul_aux(&prod_span, &scratch_span, &x_span, &y_span, WORDS_PER_POLY); - // |prod| needs to be reduced mod (𝑥^n - 1), which just involves adding the + // `prod` needs to be reduced mod (𝑥^n - 1), which just involves adding the // upper-half to the lower-half. However, N is 701, which isn't a multiple of // BITS_PER_WORD, so the upper-half vectors all have to be shifted before // being added to the lower-half. @@ -683,8 +683,8 @@ void bssl::HRSS_poly3_mul(struct poly3 *out, const struct poly3 *x, #if defined(HRSS_HAVE_VECTOR_UNIT) && !defined(OPENSSL_AARCH64) -// poly3_vec_cswap swaps (|a_s|, |a_a|) and (|b_s|, |b_a|) if |swap| is -// |0xff..ff|. Otherwise, |swap| must be zero. +// poly3_vec_cswap swaps (`a_s`, `a_a`) and (`b_s`, `b_a`) if `swap` is +// `0xff..ff`. Otherwise, `swap` must be zero. static void poly3_vec_cswap(vec_t a_s[6], vec_t a_a[6], vec_t b_s[6], vec_t b_a[6], const vec_t swap) { for (int i = 0; i < 6; i++) { @@ -698,7 +698,7 @@ static void poly3_vec_cswap(vec_t a_s[6], vec_t a_a[6], vec_t b_s[6], } } -// poly3_vec_fmsub subtracts (|ms|, |ma|) × (|b_s|, |b_a|) from (|a_s|, |a_a|). +// poly3_vec_fmsub subtracts (`ms`, `ma`) × (`b_s`, `b_a`) from (`a_s`, `a_a`). static void poly3_vec_fmsub(vec_t a_s[6], vec_t a_a[6], vec_t b_s[6], vec_t b_a[6], const vec_t ms, const vec_t ma) { for (int i = 0; i < 6; i++) { 
@@ -716,7 +716,7 @@ static void poly3_vec_fmsub(vec_t a_s[6], vec_t a_a[6], vec_t b_s[6], } } -// poly3_invert_vec sets |*out| to |in|^-1, i.e. such that |out|×|in| == 1 mod +// poly3_invert_vec sets `*out` to `in`^-1, i.e. such that `out`×`in` == 1 mod // Φ(N). static void poly3_invert_vec(struct poly3 *out, const struct poly3 *in) { // This algorithm is taken from section 7.1 of [SAFEGCD]. @@ -737,7 +737,7 @@ static void poly3_invert_vec(struct poly3 *out, const struct poly3 *in) { memset(f_s, 0, sizeof(f_s)); memset(f_a, 0xff, 5 * sizeof(vec_t)); memcpy(&f_a[5], kBottomSixtyOne, sizeof(kBottomSixtyOne)); - // g is the reversal of |in|. + // g is the reversal of `in`. struct poly3 in_reversed; poly3_reverse_700(&in_reversed, in); g_s[5] = kZero; @@ -782,7 +782,7 @@ static void poly3_invert_vec(struct poly3 *out, const struct poly3 *in) { #endif // HRSS_HAVE_VECTOR_UNIT -// HRSS_poly3_invert sets |*out| to |in|^-1, i.e. such that |out|×|in| == 1 mod +// HRSS_poly3_invert sets `*out` to `in`^-1, i.e. such that `out`×`in` == 1 mod // Φ(N). void bssl::HRSS_poly3_invert(struct poly3 *out, const struct poly3 *in) { // The vector version of this function seems slightly slower on AArch64, but @@ -805,7 +805,7 @@ void bssl::HRSS_poly3_invert(struct poly3 *out, const struct poly3 *in) { OPENSSL_memset(&f.s, 0, sizeof(struct poly2)); OPENSSL_memset(&f.a, 0xff, sizeof(struct poly2)); f.a.v[WORDS_PER_POLY - 1] >>= BITS_PER_WORD - BITS_IN_LAST_WORD; - // g is the reversal of |in|. + // g is the reversal of `in`. poly3_reverse_700(&g, in); int delta = 1; 
@@ -874,14 +874,14 @@ struct poly { }; } // namespace -// poly_normalize zeros out the excess elements of |x| which are included only +// poly_normalize zeros out the excess elements of `x` which are included only // for alignment. static void poly_normalize(struct poly *x) { OPENSSL_memset(&x->v[N], 0, 3 * sizeof(uint16_t)); } -// poly_assert_normalized asserts that the excess elements of |x| are zeroed out -// for the cases that case. (E.g. |poly_mul_vec|.) +// poly_assert_normalized asserts that the excess elements of `x` are zeroed out +// for the cases that case. (E.g. `poly_mul_vec`.) static void poly_assert_normalized(const struct poly *x) { assert(x->v[N] == 0); assert(x->v[N + 1] == 0); @@ -890,20 +890,20 @@ static void poly_assert_normalized(const struct poly *x) { namespace { // POLY_MUL_SCRATCH contains space for the working variables needed by -// |poly_mul|. The contents afterwards may be discarded, but the object may also -// be reused with future |poly_mul| calls to save heap allocations. +// `poly_mul`. The contents afterwards may be discarded, but the object may also +// be reused with future `poly_mul` calls to save heap allocations. // // This object must have 32-byte alignment. struct POLY_MUL_SCRATCH { union { - // This is used by |poly_mul_novec|. + // This is used by `poly_mul_novec`. struct { uint16_t prod[2 * N]; uint16_t scratch[1318]; } novec; #if defined(HRSS_HAVE_VECTOR_UNIT) - // This is used by |poly_mul_vec|. + // This is used by `poly_mul_vec`. struct { vec_t prod[VECS_PER_POLY * 2]; vec_t scratch[172]; @@ -911,7 +911,7 @@ struct POLY_MUL_SCRATCH { #endif #if defined(POLY_RQ_MUL_ASM) - // This is the space used by |poly_Rq_mul|. + // This is the space used by `poly_Rq_mul`. uint8_t rq[POLY_MUL_RQ_SCRATCH_SPACE]; #endif } u; 
@@ -920,10 +920,10 @@ struct POLY_MUL_SCRATCH { #if defined(HRSS_HAVE_VECTOR_UNIT) -// poly_mul_vec_aux is a recursive function that multiplies |n| words from |a| -// and |b| and writes 2×|n| words to |out|. Each call uses 2*ceil(n/2) elements -// of |scratch| and the function recurses, except if |n| < 3, when |scratch| -// isn't used and the recursion stops. If |n| == |VECS_PER_POLY| then |scratch| +// poly_mul_vec_aux is a recursive function that multiplies `n` words from `a` +// and `b` and writes 2×`n` words to `out`. Each call uses 2*ceil(n/2) elements +// of `scratch` and the function recurses, except if `n` < 3, when `scratch` +// isn't used and the recursion stops. If `n` == `VECS_PER_POLY` then `scratch` // needs 172 elements. static void poly_mul_vec_aux(vec_t *out, vec_t *scratch, const vec_t *a, const vec_t *b, const size_t n) { @@ -1119,14 +1119,14 @@ static void poly_mul_vec_aux(vec_t *out, vec_t *scratch, const vec_t *a, // Karatsuba multiplication. // https://en.wikipedia.org/wiki/Karatsuba_algorithm - // When |n| is odd, the two "halves" will have different lengths. The first is + // When `n` is odd, the two "halves" will have different lengths. The first is // always the smaller. const size_t low_len = n / 2; const size_t high_len = n - low_len; const vec_t *a_high = &a[low_len]; const vec_t *b_high = &b[low_len]; - // Store a_1 + a_0 in the first half of |out| and b_1 + b_0 in the second + // Store a_1 + a_0 in the first half of `out` and b_1 + b_0 in the second // half. for (size_t i = 0; i < low_len; i++) { out[i] = vec_add(a_high[i], a[i]); @@ -1161,7 +1161,7 @@ static void poly_mul_vec_aux(vec_t *out, vec_t *scratch, const vec_t *a, } } -// poly_mul_vec sets |*out| to |x|×|y| mod (𝑥^n - 1). +// poly_mul_vec sets `*out` to `x`×`y` mod (𝑥^n - 1). static void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out, const struct poly *x, const struct poly *y) { static_assert(sizeof(out->v) == sizeof(vec_t) * VECS_PER_POLY, 
@@ -1175,7 +1175,7 @@ static void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out, vec_t *const aux_scratch = scratch->u.vec.scratch; poly_mul_vec_aux(prod, aux_scratch, x->vectors, y->vectors, VECS_PER_POLY); - // |prod| needs to be reduced mod (𝑥^n - 1), which just involves adding the + // `prod` needs to be reduced mod (𝑥^n - 1), which just involves adding the // upper-half to the lower-half. However, N is 701, which isn't a multiple of // the vector size, so the upper-half vectors all have to be shifted before // being added to the lower-half. @@ -1192,11 +1192,11 @@ static void poly_mul_vec(struct POLY_MUL_SCRATCH *scratch, struct poly *out, #endif // HRSS_HAVE_VECTOR_UNIT -// poly_mul_novec_aux writes the product of |a| and |b| to |out|, using -// |scratch| as scratch space. It'll use Karatsuba if the inputs are large -// enough to warrant it. Each call uses 2*ceil(n/2) elements of |scratch| and -// the function recurses, except if |n| < 64, when |scratch| isn't used and the -// recursion stops. If |n| == |N| then |scratch| needs 1318 elements. +// poly_mul_novec_aux writes the product of `a` and `b` to `out`, using +// `scratch` as scratch space. It'll use Karatsuba if the inputs are large +// enough to warrant it. Each call uses 2*ceil(n/2) elements of `scratch` and +// the function recurses, except if `n` < 64, when `scratch` isn't used and the +// recursion stops. If `n` == `N` then `scratch` needs 1318 elements. static void poly_mul_novec_aux(uint16_t *out, uint16_t *scratch, const uint16_t *a, const uint16_t *b, size_t n) { static const size_t kSchoolbookLimit = 64; 
@@ -1214,7 +1214,7 @@ static void poly_mul_novec_aux(uint16_t *out, uint16_t *scratch, // Karatsuba multiplication. // https://en.wikipedia.org/wiki/Karatsuba_algorithm - // When |n| is odd, the two "halves" will have different lengths. The + // When `n` is odd, the two "halves" will have different lengths. The // first is always the smaller. const size_t low_len = n / 2; const size_t high_len = n - low_len; @@ -1249,7 +1249,7 @@ static void poly_mul_novec_aux(uint16_t *out, uint16_t *scratch, } } -// poly_mul_novec sets |*out| to |x|×|y| mod (𝑥^n - 1). +// poly_mul_novec sets `*out` to `x`×`y` mod (𝑥^n - 1). static void poly_mul_novec(struct POLY_MUL_SCRATCH *scratch, struct poly *out, const struct poly *x, const struct poly *y) { uint16_t *const prod = scratch->u.novec.prod; @@ -1285,7 +1285,7 @@ static void poly_mul(struct POLY_MUL_SCRATCH *scratch, struct poly *r, poly_assert_normalized(r); } -// poly_mul_x_minus_1 sets |p| to |p|×(𝑥 - 1) mod (𝑥^n - 1). +// poly_mul_x_minus_1 sets `p` to `p`×(𝑥 - 1) mod (𝑥^n - 1). static void poly_mul_x_minus_1(struct poly *p) { // Multiplying by (𝑥 - 1) means negating each coefficient and adding in // the value of the previous one. @@ -1297,7 +1297,7 @@ static void poly_mul_x_minus_1(struct poly *p) { p->v[0] = orig_final_coefficient - p->v[0]; } -// poly_mod_phiN sets |p| to |p| mod Φ(N). +// poly_mod_phiN sets `p` to `p` mod Φ(N). static void poly_mod_phiN(struct poly *p) { const uint16_t coeff700 = p->v[N - 1]; @@ -1317,7 +1317,7 @@ static void poly_clamp(struct poly *p) { // Conversion functions // -------------------- -// poly2_from_poly sets |*out| to |in| mod 2. +// poly2_from_poly sets `*out` to `in` mod 2. static void poly2_from_poly(struct poly2 *out, const struct poly *in) { crypto_word_t *words = out->v; unsigned shift = 0; 
@@ -1340,16 +1340,16 @@ static void poly2_from_poly(struct poly2 *out, const struct poly *in) { *words = word; } -// mod3 treats |a| as a signed number and returns |a| mod 3. +// mod3 treats `a` as a signed number and returns `a` mod 3. static uint16_t mod3(int16_t a) { const int16_t q = ((int32_t)a * 21845) >> 16; int16_t ret = a - 3 * q; - // At this point, |ret| is in {0, 1, 2, 3} and that needs to be mapped to {0, + // At this point, `ret` is in {0, 1, 2, 3} and that needs to be mapped to {0, // 1, 2, 0}. return ret & ((ret & (ret >> 1)) - 1); } -// poly3_from_poly sets |*out| to |in|. +// poly3_from_poly sets `*out` to `in`. static void poly3_from_poly(struct poly3 *out, const struct poly *in) { crypto_word_t *words_s = out->s.v; crypto_word_t *words_a = out->a.v; @@ -1385,7 +1385,7 @@ static void poly3_from_poly(struct poly3 *out, const struct poly *in) { *words_a = a; } -// poly3_from_poly_checked sets |*out| to |in|, which has coefficients in {0, 1, +// poly3_from_poly_checked sets `*out` to `in`, which has coefficients in {0, 1, // Q-1}. It returns a mask indicating whether all coefficients were found to be // in that set. static crypto_word_t poly3_from_poly_checked(struct poly3 *out, @@ -1480,7 +1480,7 @@ static void poly_from_poly3(struct poly *out, const struct poly3 *in) { // Polynomial inversion // -------------------- -// poly_invert_mod2 sets |*out| to |in^-1| (i.e. such that |*out|×|in| = 1 mod +// poly_invert_mod2 sets `*out` to `in^-1` (i.e. such that `*out`×`in` = 1 mod // Φ(N)), all mod 2. This isn't useful in itself, but is part of doing inversion // mod Q. static void poly_invert_mod2(struct poly *out, const struct poly *in) { 
@@ -1495,7 +1495,7 @@ static void poly_invert_mod2(struct poly *out, const struct poly *in) { // f = all ones. OPENSSL_memset(&f, 0xff, sizeof(struct poly2)); f.v[WORDS_PER_POLY - 1] >>= BITS_PER_WORD - BITS_IN_LAST_WORD; - // g is the reversal of |in|. + // g is the reversal of `in`. poly2_from_poly(&g, in); poly2_mod_phiN(&g); poly2_reverse_700(&g, &g); @@ -1531,7 +1531,7 @@ static void poly_invert_mod2(struct poly *out, const struct poly *in) { poly_assert_normalized(out); } -// poly_invert sets |*out| to |in^-1| (i.e. such that |*out|×|in| = 1 mod Φ(N)). +// poly_invert sets `*out` to `in^-1` (i.e. such that `*out`×`in` = 1 mod Φ(N)). static void poly_invert(struct POLY_MUL_SCRATCH *scratch, struct poly *out, const struct poly *in) { // Inversion mod Q, which is done based on the result of inverting mod @@ -1564,7 +1564,7 @@ static void poly_invert(struct POLY_MUL_SCRATCH *scratch, struct poly *out, #define POLY_BYTES 1138 -// poly_marshal serialises all but the final coefficient of |in| to |out|. +// poly_marshal serialises all but the final coefficient of `in` to `out`. static void poly_marshal(uint8_t out[POLY_BYTES], const struct poly *in) { const uint16_t *p = in->v; @@ -1597,10 +1597,10 @@ static void poly_marshal(uint8_t out[POLY_BYTES], const struct poly *in) { out[6] = 0xf & (p[3] >> 9); } -// poly_unmarshal parses the output of |poly_marshal| and sets |out| such that +// poly_unmarshal parses the output of `poly_marshal` and sets `out` such that // all but the final coefficients match, and the final coefficient is calculated -// such that evaluating |out| at one results in zero. It returns one on success -// or zero if |in| is an invalid encoding. +// such that evaluating `out` at one results in zero. It returns one on success +// or zero if `in` is an invalid encoding. static int poly_unmarshal(struct poly *out, const uint8_t in[POLY_BYTES]) { uint16_t *p = out->v; 
@@ -1651,15 +1651,15 @@ static int poly_unmarshal(struct poly *out, const uint8_t in[POLY_BYTES]) { return 1; } -// mod3_from_modQ maps {0, 1, Q-1, 65535} -> {0, 1, 2, 2}. Note that |v| may +// mod3_from_modQ maps {0, 1, Q-1, 65535} -> {0, 1, 2, 2}. Note that `v` may // have an invalid value when processing attacker-controlled inputs. static uint16_t mod3_from_modQ(uint16_t v) { v &= 3; return v ^ (v >> 1); } -// poly_marshal_mod3 marshals |in| to |out| where the coefficients of |in| are -// all in {0, 1, Q-1, 65535} and |in| is mod Φ(N). (Note that coefficients may +// poly_marshal_mod3 marshals `in` to `out` where the coefficients of `in` are +// all in {0, 1, Q-1, 65535} and `in` is mod Φ(N). (Note that coefficients may // have invalid values when processing attacker-controlled inputs.) static void poly_marshal_mod3(uint8_t out[HRSS_POLY3_BYTES], const struct poly *in) { @@ -1707,7 +1707,7 @@ static void poly_short_sample_plus(struct poly *out, poly_short_sample(out, in); // sum (and the product in the for loop) will overflow. But that's fine - // because |sum| is bound by +/- (N-2), and N < 2^15 so it works out. + // because `sum` is bound by +/- (N-2), and N < 2^15 so it works out. uint16_t sum = 0; for (unsigned i = 0; i < N - 2; i++) { sum += (unsigned)out->v[i] * out->v[i + 1]; @@ -1858,7 +1858,7 @@ struct private_key { // but we need 16-byte alignment. We could annotate the external struct with // that alignment but we can only assume that malloced pointers are 8-byte // aligned in any case. (Even if the underlying malloc returns values with -// 16-byte alignment, |OPENSSL_malloc| will store an 8-byte size prefix and mess +// 16-byte alignment, `OPENSSL_malloc` will store an 8-byte size prefix and mess // that up.) static struct public_key *public_key_from_external( struct HRSS_public_key *ext) { 
@@ -1869,7 +1869,7 @@ static struct public_key *public_key_from_external( return reinterpret_cast(align_pointer(ext->opaque, 16)); } -// private_key_from_external does the same thing as |public_key_from_external|, +// private_key_from_external does the same thing as `public_key_from_external`, // but for private keys. See the comment on that function about alignment // issues. static struct private_key *private_key_from_external( @@ -1881,8 +1881,8 @@ static struct private_key *private_key_from_external( return reinterpret_cast(align_pointer(ext->opaque, 16)); } -// malloc_align32 returns a pointer to |size| bytes of 32-byte-aligned heap and -// sets |*out_ptr| to a value that can be passed to |OPENSSL_free| to release +// malloc_align32 returns a pointer to `size` bytes of 32-byte-aligned heap and +// sets `*out_ptr` to a value that can be passed to `OPENSSL_free` to release // it. It returns NULL if out of memory. static void *malloc_align32(void **out_ptr, size_t size) { void *ptr = OPENSSL_malloc(size + 31); @@ -1915,7 +1915,7 @@ int HRSS_generate_key( if (!vars) { // If the caller ignores the return value the output will still be safe. // The private key output is randomised in case it's later passed to - // |HRSS_encap|. + // `HRSS_encap`. memset(out_pub, 0, sizeof(struct HRSS_public_key)); RAND_bytes((uint8_t *)out_priv, sizeof(struct HRSS_private_key)); return 0; @@ -2060,7 +2060,7 @@ int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES], OPENSSL_memset(vars, 0xff, sizeof(struct vars)); #endif - // This is HMAC, expanded inline rather than using the |HMAC| function so that + // This is HMAC, expanded inline rather than using the `HMAC` function so that // we can avoid dealing with possible allocation failures and so keep this // function infallible. static_assert(sizeof(priv->hmac_key) <= sizeof(vars->masked_key), 
@@ -2119,26 +2119,26 @@ int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES], ok = poly3_from_poly_checked(&vars->r3, &vars->r); // [NTRUCOMP] section 5.1 includes ReEnc2 and a proof that it's valid. Rather - // than do an expensive |poly_mul|, it rebuilds |c'| from |c - lift(m)| - // (called |b|) with: + // than do an expensive `poly_mul`, it rebuilds `c'` from `c - lift(m)` + // (called `b`) with: // t = (−b(1)/N) mod Q // c' = b + tΦ(N) + lift(m) mod Q // // When polynomials are transmitted, the final coefficient is omitted and - // |poly_unmarshal| sets it such that f(1) == 0. Thus c(1) == 0. Also, - // |poly_lift| multiplies the result by (x-1) and therefore evaluating a + // `poly_unmarshal` sets it such that f(1) == 0. Thus c(1) == 0. Also, + // `poly_lift` multiplies the result by (x-1) and therefore evaluating a // lifted polynomial at 1 is also zero. Thus lift(m)(1) == 0 and so // (c - lift(m))(1) == 0. // - // Although we defer the reduction above, |b| is conceptually reduced mod - // Φ(N). In order to do that reduction one subtracts |c[N-1]| from every - // coefficient. Therefore b(1) = -c[N-1]×N. The value of |t|, above, then is - // just recovering |c[N-1]|, and adding tΦ(N) is simply undoing the reduction. + // Although we defer the reduction above, `b` is conceptually reduced mod + // Φ(N). In order to do that reduction one subtracts `c[N-1]` from every + // coefficient. Therefore b(1) = -c[N-1]×N. The value of `t`, above, then is + // just recovering `c[N-1]`, and adding tΦ(N) is simply undoing the reduction. // Therefore b + tΦ(N) + lift(m) = c by construction and we don't need to - // recover |c| at all so long as we do the checks in - // |poly3_from_poly_checked|. + // recover `c` at all so long as we do the checks in + // `poly3_from_poly_checked`. // - // The |poly_marshal| here then is just confirming that |poly_unmarshal| is + // The `poly_marshal` here then is just confirming that `poly_unmarshal` is // strict and could be omitted. 
static_assert(HRSS_CIPHERTEXT_BYTES == POLY_BYTES, diff --git a/third_party/boringssl/src/crypto/hrss/internal.h b/third_party/boringssl/src/crypto/hrss/internal.h index 78d385b0..185d79ad 100644 --- a/third_party/boringssl/src/crypto/hrss/internal.h +++ b/third_party/boringssl/src/crypto/hrss/internal.h @@ -40,7 +40,7 @@ OPENSSL_EXPORT void HRSS_poly3_invert(struct poly3 *out, // On x86-64, we can use the AVX2 code from [HRSS]. (The authors have given // explicit permission for this and signed a CLA.) However it's 57KB of object -// code, so it's not used if |OPENSSL_SMALL| is defined. +// code, so it's not used if `OPENSSL_SMALL` is defined. #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_SMALL) && \ defined(OPENSSL_X86_64) && defined(OPENSSL_LINUX) #define POLY_RQ_MUL_ASM diff --git a/third_party/boringssl/src/crypto/internal.h b/third_party/boringssl/src/crypto/internal.h index 7c4b509a..dcc109ac 100644 --- a/third_party/boringssl/src/crypto/internal.h +++ b/third_party/boringssl/src/crypto/internal.h @@ -76,7 +76,7 @@ BSSL_NAMESPACE_BEGIN #define NEED_CPUID // OPENSSL_cpuid_setup initializes the platform-specific feature cache. This -// function should not be called directly. Call |OPENSSL_init_cpuid| instead. +// function should not be called directly. Call `OPENSSL_init_cpuid` instead. void OPENSSL_cpuid_setup(); // OPENSSL_init_cpuid initializes the platform-specific feature cache, if @@ -89,7 +89,7 @@ inline void OPENSSL_init_cpuid() {} #if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \ !defined(OPENSSL_STATIC_ARMCAP) // OPENSSL_get_armcap_pointer_for_test returns a pointer to -// |OPENSSL_armcap_P| for unit tests. Any modifications to the value must be +// `OPENSSL_armcap_P` for unit tests. Any modifications to the value must be // made before any other function call in BoringSSL. OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(); #endif 
@@ -113,7 +113,7 @@ typedef __uint128_t uint128_t; #endif #endif -// GCC-like compilers indicate SSE2 with |__SSE2__|. MSVC leaves the caller to +// GCC-like compilers indicate SSE2 with `__SSE2__`. MSVC leaves the caller to // know that x86_64 has SSE2, and uses _M_IX86_FP to indicate SSE2 on x86. // https://learn.microsoft.com/en-us/cpp/preprocessor/predefined-macros?view=msvc-170 #if defined(__SSE2__) || defined(_M_AMD64) || defined(_M_X64) || \ @@ -127,7 +127,7 @@ typedef __uint128_t uint128_t; #endif // For convenience in testing the fallback code, we allow disabling SSE2 -// intrinsics via |OPENSSL_NO_SSE2_FOR_TESTING|. We require SSE2 on x86 and +// intrinsics via `OPENSSL_NO_SSE2_FOR_TESTING`. We require SSE2 on x86 and // x86_64, so we would otherwise need to test such code on a non-x86 platform. // // This does not remove the above requirement for SSE2 support with assembly @@ -151,7 +151,7 @@ typedef __uint128_t uint128_t; OPENSSL_EXPORT void OPENSSL_reset_malloc_counter_for_testing(); // OPENSSL_disable_malloc_failures_for_testing, when malloc testing is enabled, -// disables simulated malloc failures. Calls to |OPENSSL_malloc| will not +// disables simulated malloc failures. Calls to `OPENSSL_malloc` will not // increment the malloc counter or synthesize failures. This may be used to skip // simulating malloc failures in some region of code. OPENSSL_EXPORT void OPENSSL_disable_malloc_failures_for_testing(); 
@@ -174,10 +174,10 @@ inline void OPENSSL_enable_malloc_failures_for_testing() {} // Pointer utility functions. -// buffers_alias returns one if |a| and |b| alias and zero otherwise. +// buffers_alias returns one if `a` and `b` alias and zero otherwise. inline int buffers_alias(const void *a, size_t a_bytes, const void *b, size_t b_bytes) { - // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated + // Cast `a` and `b` to integers. In C, pointer comparisons between unrelated // objects are undefined whereas pointer to integer conversions are merely // implementation-defined. We assume the implementation defined it in a sane // way. 
@@ -186,22 +186,22 @@ inline int buffers_alias(const void *a, size_t a_bytes, const void *b, return a_u + a_bytes > b_u && b_u + b_bytes > a_u; } -// spans_alias returns one if |a| and |b| alias, and zero otherwise. +// spans_alias returns one if `a` and `b` alias, and zero otherwise. template inline int spans_alias(Span a, Span b) { return buffers_alias(a.data(), a.size() * sizeof(T), b.data(), b.size() * sizeof(T)); } -// align_pointer returns |ptr|, advanced to |alignment|. |alignment| must be a -// power of two, and |ptr| must have at least |alignment - 1| bytes of scratch +// align_pointer returns `ptr`, advanced to `alignment`. `alignment` must be a +// power of two, and `ptr` must have at least `alignment - 1` bytes of scratch // space. inline void *align_pointer(void *ptr, size_t alignment) { - // |alignment| must be a power of two. + // `alignment` must be a power of two. assert(alignment != 0 && (alignment & (alignment - 1)) == 0); - // Instead of aligning |ptr| as a |uintptr_t| and casting back, compute the + // Instead of aligning `ptr` as a `uintptr_t` and casting back, compute the // offset and advance in pointer space. C guarantees that casting from pointer - // to |uintptr_t| and back gives the same pointer, but general + // to `uintptr_t` and back gives the same pointer, but general // integer-to-pointer conversions are implementation-defined. GCC does define // it in the useful way, but this makes fewer assumptions. uintptr_t offset = (0u - (uintptr_t)ptr) & (alignment - 1); 
@@ -229,10 +229,10 @@ inline void *align_pointer(void *ptr, size_t alignment) { // c = constant_time_select_w(lt, a, b); // crypto_word_t is the type that most constant-time functions use. Ideally we -// would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit -// pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64 +// would like it to be `size_t`, but NaCl builds in 64-bit mode with 32-bit +// pointers, which means that `size_t` can be 32 bits when `BN_ULONG` is 64 // bits. Since we want to be able to do constant-time operations on a -// |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native +// `BN_ULONG`, `crypto_word_t` is defined as an unsigned value with the native // word length. #if defined(OPENSSL_64_BIT) typedef uint64_t crypto_word_t; @@ -247,11 +247,11 @@ typedef uint32_t crypto_word_t; #define CONSTTIME_TRUE_8 ((uint8_t)0xff) #define CONSTTIME_FALSE_8 ((uint8_t)0) -// value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about +// value_barrier_w returns `a`, but prevents GCC and Clang from reasoning about // the returned value. This is used to mitigate compilers undoing constant-time // code, until we can express our requirements directly in the language. // -// Note the compiler is aware that |value_barrier_w| has no side effects and +// Note the compiler is aware that `value_barrier_w` has no side effects and // always has the same output for a given input. This allows it to eliminate // dead code, move computations across loops, and vectorize. inline crypto_word_t value_barrier_w(crypto_word_t a) { @@ -261,7 +261,7 @@ inline crypto_word_t value_barrier_w(crypto_word_t a) { return a; } -// value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|. +// value_barrier_u32 behaves like `value_barrier_w` but takes a `uint32_t`. inline uint32_t value_barrier_u32(uint32_t a) { #if defined(__GNUC__) || defined(__clang__) __asm__("" : "+r"(a) : /* no inputs */); 
@@ -269,7 +269,7 @@ inline uint32_t value_barrier_u32(uint32_t a) { return a; } -// value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|. +// value_barrier_u64 behaves like `value_barrier_w` but takes a `uint64_t`. inline uint64_t value_barrier_u64(uint64_t a) { #if defined(__GNUC__) || defined(__clang__) __asm__("" : "+r"(a) : /* no inputs */); @@ -277,7 +277,7 @@ inline uint64_t value_barrier_u64(uint64_t a) { return a; } -// |value_barrier_u8| could be defined as above, but compilers other than +// `value_barrier_u8` could be defined as above, but compilers other than // clang seem to still materialize 0x00..00MM instead of reusing 0x??..??MM. // constant_time_msb_w returns the given value with the MSB copied to all the @@ -321,7 +321,7 @@ inline crypto_word_t constant_time_lt_w(crypto_word_t a, crypto_word_t b) { return constant_time_msb_w(a ^ ((a ^ b) | ((a - b) ^ a))); } -// constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit +// constant_time_lt_8 acts like `constant_time_lt_w` but returns an 8-bit // mask. inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) { return (uint8_t)(constant_time_lt_w(a, b)); @@ -332,7 +332,7 @@ inline crypto_word_t constant_time_ge_w(crypto_word_t a, crypto_word_t b) { return ~constant_time_lt_w(a, b); } -// constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit +// constant_time_ge_8 acts like `constant_time_ge_w` but returns an 8-bit // mask. inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) { return (uint8_t)(constant_time_ge_w(a, b)); @@ -353,7 +353,7 @@ inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) { return constant_time_msb_w(~a & (a - 1)); } -// constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an +// constant_time_is_zero_8 acts like `constant_time_is_zero_w` but returns an // 8-bit mask. inline uint8_t constant_time_is_zero_8(crypto_word_t a) { return (uint8_t)(constant_time_is_zero_w(a)); 
@@ -364,27 +364,27 @@ inline crypto_word_t constant_time_eq_w(crypto_word_t a, crypto_word_t b) { return constant_time_is_zero_w(a ^ b); } -// constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit +// constant_time_eq_8 acts like `constant_time_eq_w` but returns an 8-bit // mask. inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) { return (uint8_t)(constant_time_eq_w(a, b)); } -// constant_time_eq_int acts like |constant_time_eq_w| but works on int +// constant_time_eq_int acts like `constant_time_eq_w` but works on int // values. inline crypto_word_t constant_time_eq_int(int a, int b) { return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b)); } -// constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit +// constant_time_eq_int_8 acts like `constant_time_eq_int` but returns an 8-bit // mask. inline uint8_t constant_time_eq_int_8(int a, int b) { return constant_time_eq_8((crypto_word_t)(a), (crypto_word_t)(b)); } -// constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all +// constant_time_select_w returns (mask & a) | (~mask & b). When `mask` is all // 1s or all 0s (as returned by the methods above), the select methods return -// either |a| (if |mask| is nonzero) or |b| (if |mask| is zero). +// either `a` (if `mask` is nonzero) or `b` (if `mask` is zero). inline crypto_word_t constant_time_select_w(crypto_word_t mask, crypto_word_t a, crypto_word_t b) { // Clang recognizes this pattern as a select. While it usually transforms it 
@@ -396,28 +396,28 @@ inline crypto_word_t constant_time_select_w(crypto_word_t mask, crypto_word_t a, return (mask & a) | (~mask & b); } -// constant_time_select_8 acts like |constant_time_select| but operates on +// constant_time_select_8 acts like `constant_time_select` but operates on // 8-bit values. inline uint8_t constant_time_select_8(crypto_word_t mask, uint8_t a, uint8_t b) { - // |mask| is a word instead of |uint8_t| to avoid materializing 0x000..0MM - // Making both |mask| and its value barrier |uint8_t| would allow the compiler + // `mask` is a word instead of `uint8_t` to avoid materializing 0x000..0MM + // Making both `mask` and its value barrier `uint8_t` would allow the compiler // to materialize 0x????..?MM instead, but only clang is that clever. // However, vectorization of bitwise operations seems to work better on - // |uint8_t| than a mix of |uint64_t| and |uint8_t|, so |m| is cast to - // |uint8_t| after the value barrier but before the bitwise operations. + // `uint8_t` than a mix of `uint64_t` and `uint8_t`, so `m` is cast to + // `uint8_t` after the value barrier but before the bitwise operations. uint8_t m = value_barrier_w(mask); return (m & a) | (~m & b); } -// constant_time_select_int acts like |constant_time_select| but operates on +// constant_time_select_int acts like `constant_time_select` but operates on // ints. inline int constant_time_select_int(crypto_word_t mask, int a, int b) { return static_cast(constant_time_select_w( mask, static_cast(a), static_cast(b))); } -// constant_time_select_32 acts like |constant_time_select| but operates on +// constant_time_select_32 acts like `constant_time_select` but operates on // 32-bit values. inline uint32_t constant_time_select_32(crypto_word_t mask, uint32_t a, uint32_t b) { 
@@ -425,9 +425,9 @@ inline uint32_t constant_time_select_32(crypto_word_t mask, uint32_t a, constant_time_select_w(mask, crypto_word_t{a}, crypto_word_t{b})); } -// constant_time_conditional_memcpy copies |n| bytes from |src| to |dst| if -// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory -// ranges at |dst| and |src| must not overlap, as when calling |memcpy|. +// constant_time_conditional_memcpy copies `n` bytes from `src` to `dst` if +// `mask` is 0xff..ff and does nothing if `mask` is 0. The `n`-byte memory +// ranges at `dst` and `src` must not overlap, as when calling `memcpy`. inline void constant_time_conditional_memcpy(void *dst, const void *src, const size_t n, const crypto_word_t mask) { @@ -439,17 +439,19 @@ inline void constant_time_conditional_memcpy(void *dst, const void *src, } } -// constant_time_conditional_memxor xors |n| bytes from |src| to |dst| if -// |mask| is 0xff..ff and does nothing if |mask| is 0. The |n|-byte memory -// ranges at |dst| and |src| must not overlap, as when calling |memcpy|. +// constant_time_conditional_memxor xors `n` bytes from `src` to `dst` if +// `mask` is 0xff..ff and does nothing if `mask` is 0. The `n`-byte memory +// ranges at `dst` and `src` must not overlap, as when calling `memcpy`. inline void constant_time_conditional_memxor(void *dst, const void *src, size_t n, const crypto_word_t mask) { assert(!buffers_alias(dst, n, src, n)); uint8_t *out = (uint8_t *)dst; const uint8_t *in = (const uint8_t *)src; -#if defined(__GNUC__) && !defined(__clang__) +#if defined(__GNUC__) || defined(__clang__) // gcc 13.2.0 doesn't automatically vectorize this loop regardless of barrier + // clang 16.0.6 vectorizes if alias analysis finds src and dst are disjoint, + // but does not conclude that from the !buffers_alias assert. typedef uint8_t v32u8 __attribute__((vector_size(32), aligned(1), may_alias)); size_t n_vec = n & ~(size_t)31; v32u8 masks = ((uint8_t)mask - (v32u8){}); // broadcast 
@@ -495,9 +497,9 @@ inline void constant_time_conditional_memxor(void *dst, const void *src, #endif // BORINGSSL_CONSTANT_TIME_VALIDATION inline crypto_word_t constant_time_declassify_w(crypto_word_t v) { - // Return |v| through a value barrier to be safe. Valgrind-based constant-time + // Return `v` through a value barrier to be safe. Valgrind-based constant-time // validation is partly to check the compiler has not undone any constant-time - // work. Any place |BORINGSSL_CONSTANT_TIME_VALIDATION| influences + // work. Any place `BORINGSSL_CONSTANT_TIME_VALIDATION` influences // optimizations, this validation is inaccurate. // // However, by sending pointers through valgrind, we likely inhibit escape @@ -518,8 +520,8 @@ inline int constant_time_declassify_int(int v) { return value_barrier_u32(v); } -// declassify_assert behaves like |assert| but declassifies the result of -// evaluating |expr|. This allows the assertion to branch on the (presumably +// declassify_assert behaves like `assert` but declassifies the result of +// evaluating `expr`. This allows the assertion to branch on the (presumably // public) result, but still ensures that values leading up to the computation // were secret. #define declassify_assert(expr) assert(constant_time_declassify_int(expr)) 
@@ -540,13 +542,13 @@ typedef pthread_once_t CRYPTO_once_t; #error "Unknown threading library" #endif -// CRYPTO_once calls |init| exactly once per process. This is thread-safe: if -// concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument -// then they will block until |init| completes, but |init| will have only been +// CRYPTO_once calls `init` exactly once per process. This is thread-safe: if +// concurrent threads call `CRYPTO_once` with the same `CRYPTO_once_t` argument +// then they will block until `init` completes, but `init` will have only been // called once. // -// The |once| argument must be a |CRYPTO_once_t| that has been initialised with -// the value |CRYPTO_ONCE_INIT|. +// The `once` argument must be a `CRYPTO_once_t` that has been initialised with +// the value `CRYPTO_ONCE_INIT`. OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)()); 
@@ -606,20 +608,20 @@ class Atomic { using CRYPTO_refcount_t = Atomic; -// CRYPTO_refcount_inc atomically increments the value at |*count| unless the +// CRYPTO_refcount_inc atomically increments the value at `*count` unless the // value would overflow. It's safe for multiple threads to concurrently call -// this or |CRYPTO_refcount_dec_and_test_zero| on the same -// |CRYPTO_refcount_t|. +// this or `CRYPTO_refcount_dec_and_test_zero` on the same +// `CRYPTO_refcount_t`. OPENSSL_EXPORT void CRYPTO_refcount_inc(CRYPTO_refcount_t *count); -// CRYPTO_refcount_dec_and_test_zero tests the value at |*count|: +// CRYPTO_refcount_dec_and_test_zero tests the value at `*count`: // if it's zero, it crashes the address space. // if it's the maximum value, it returns zero. // otherwise, it atomically decrements it and returns one iff the resulting // value is zero. // // It's safe for multiple threads to concurrently call this or -// |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|. +// `CRYPTO_refcount_inc` on the same `CRYPTO_refcount_t`. OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count); 
@@ -718,18 +720,18 @@ OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value); // CRYPTO_set_thread_local sets a pointer value for the current thread at the // given index. This function should only be called once per thread for a given -// |index|: rather than update the pointer value itself, update the data that +// `index`: rather than update the pointer value itself, update the data that // is pointed to. // // The destructor function will be called when a thread exits to free this -// thread-local data. All calls to |CRYPTO_set_thread_local| with the same -// |index| should have the same |destructor| argument. The destructor may be +// thread-local data. All calls to `CRYPTO_set_thread_local` with the same +// `index` should have the same `destructor` argument. The destructor may be // called with a NULL argument if a thread that never set a thread-local -// pointer for |index|, exits. The destructor may be called concurrently with +// pointer for `index`, exits. The destructor may be called concurrently with // different arguments. // // This function returns one on success or zero on error. If it returns zero -// then |destructor| has been called with |value| already. +// then `destructor` has been called with `value` already. OPENSSL_EXPORT int CRYPTO_set_thread_local( thread_local_data_t index, void *value, thread_local_destructor_t destructor); 
@@ -755,20 +757,20 @@ struct ExDataClass { : num_reserved(with_app_data ? 1 : 0) {} StaticMutex lock; - // funcs is a linked list of |ExDataFuncs| structures. It may be traversed - // without serialization only up to |num_funcs|. last points to the final - // entry of |funcs|, or nullptr if empty. + // funcs is a linked list of `ExDataFuncs` structures. It may be traversed + // without serialization only up to `num_funcs`. last points to the final + // entry of `funcs`, or nullptr if empty. ExDataFuncs *funcs = nullptr, *last = nullptr; - // num_funcs is the number of entries in |funcs|. + // num_funcs is the number of entries in `funcs`. Atomic num_funcs = 0; // num_reserved is one if the ex_data index zero is reserved for legacy - // |TYPE_get_app_data| functions. + // `TYPE_get_app_data` functions. uint8_t num_reserved = 0; }; -// CRYPTO_get_ex_new_index_ex allocates a new index for |ex_data_class|. Each +// CRYPTO_get_ex_new_index_ex allocates a new index for `ex_data_class`. Each // class of object should provide a wrapper function that uses the correct -// |ExDataClass|. It returns the new index on success and -1 on error. +// `ExDataClass`. It returns the new index on success and -1 on error. OPENSSL_EXPORT int CRYPTO_get_ex_new_index_ex( ExDataClass *ex_data_class, long argl, void *argp, CRYPTO_EX_free *free_func); @@ -782,10 +784,10 @@ OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val); // function. OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index); -// CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|. +// CRYPTO_new_ex_data initialises a newly allocated `CRYPTO_EX_DATA`. OPENSSL_EXPORT void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad); -// CRYPTO_free_ex_data frees |ad|, which is an object of the given class. +// CRYPTO_free_ex_data frees `ad`, which is an object of the given class. OPENSSL_EXPORT void CRYPTO_free_ex_data(ExDataClass *ex_data_class, CRYPTO_EX_DATA *ad); 
@@ -831,9 +833,9 @@ inline uint64_t CRYPTO_bswap8(uint64_t x) { // These wrapper functions behave the same as the corresponding C standard // functions, but behave as expected when passed NULL if the length is zero. // -// Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|. +// Note `OPENSSL_memcmp` is a different function from `CRYPTO_memcmp`. -// C++ defines |memchr| as a const-correct overload. +// C++ defines `memchr` as a const-correct overload. inline const void *OPENSSL_memchr(const void *s, int c, size_t n) { if (n == 0) { return nullptr; @@ -886,7 +888,7 @@ inline void *OPENSSL_memset(void *dst, int c, size_t n) { // Loads and stores. // // The following functions load and store sized integers with the specified -// endianness. They use |memcpy|, and so avoid alignment or strict aliasing +// endianness. They use `memcpy`, and so avoid alignment or strict aliasing // requirements on the input and output pointers. inline uint16_t CRYPTO_load_u16_le(const void *in) { @@ -977,7 +979,7 @@ inline crypto_word_t CRYPTO_load_word_be(const void *in) { // Bit rotation functions. // -// Note these functions use |(-shift) & 31|, etc., because shifting by the bit +// Note these functions use `(-shift) & 31`, etc., because shifting by the bit // width is undefined. Both Clang and GCC recognize this pattern as a rotation, // but MSVC does not. Instead, we call MSVC's built-in functions. @@ -1025,7 +1027,7 @@ void BORINGSSL_FIPS_abort() __attribute__((noreturn)); // boringssl_self_test_startup runs all startup self tests and returns one on // success or zero on error. Startup self tests do not include lazy tests. -// Call |BORINGSSL_self_test| to run every self test. +// Call `BORINGSSL_self_test` to run every self test. int boringssl_self_test_startup(); // boringssl_ensure_rsa_sign_self_test checks whether the RSA signing self-test 
@@ -1059,7 +1061,7 @@ inline void boringssl_ensure_ffdh_self_test() {} #endif // FIPS -// BORINGSSL_check_test checks that |expected| and |actual| are equal. It +// BORINGSSL_check_test checks that `expected` and `actual` are equal. It // returns 1 on success and, on failure, it prints an error message that // includes the hexdumps the two values and returns 0. int BORINGSSL_check_test(Span expected, @@ -1121,16 +1123,16 @@ inline int boringssl_fips_break_test(const char *test) { return 0; } // and AVX512 bits in XCR0, so it is not necessary to check those. (WARNING: See // caveats in cpu_intel.c.) // -// This symbol should only be accessed with |OPENSSL_get_ia32cap|. +// This symbol should only be accessed with `OPENSSL_get_ia32cap`. extern uint32_t OPENSSL_ia32cap_P[4]; -// OPENSSL_get_ia32cap initializes the library if needed and returns the |idx|th -// entry of |OPENSSL_ia32cap_P|. It is marked as a const function so duplicate +// OPENSSL_get_ia32cap initializes the library if needed and returns the `idx`th +// entry of `OPENSSL_ia32cap_P`. It is marked as a const function so duplicate // calls can be merged by the compiler, at least when indices match. OPENSSL_ATTR_CONST uint32_t OPENSSL_get_ia32cap(int idx); -// OPENSSL_adjust_ia32cap adjusts |cap|, which should contain -// |OPENSSL_ia32cap_P|, based on the environment variable value in |env|. This +// OPENSSL_adjust_ia32cap adjusts `cap`, which should contain +// `OPENSSL_ia32cap_P`, based on the environment variable value in `env`. This // function is exposed for unit tests. void OPENSSL_adjust_ia32cap(uint32_t cap[4], const char *env); @@ -1183,8 +1185,8 @@ inline int CRYPTO_is_AESNI_capable() { #endif } -// We intentionally avoid defining a |CRYPTO_is_XSAVE_capable| function. See -// |CRYPTO_cpu_perf_is_like_silvermont|. +// We intentionally avoid defining a `CRYPTO_is_XSAVE_capable` function. See +// `CRYPTO_cpu_perf_is_like_silvermont`. inline int CRYPTO_is_AVX_capable() { #if defined(__AVX__) 
@@ -1195,7 +1197,7 @@ inline int CRYPTO_is_AVX_capable() { } inline int CRYPTO_is_RDRAND_capable() { - // We intentionally do not check |__RDRND__| here. On some AMD processors, we + // We intentionally do not check `__RDRND__` here. On some AMD processors, we // will act as if the hardware is RDRAND-incapable, even it actually supports // it. See cpu_intel.c. return (OPENSSL_get_ia32cap(1) & (1u << 30)) != 0; @@ -1334,11 +1336,11 @@ inline int CRYPTO_is_VPCLMULQDQ_capable() { #define ARMV8_SHA3 (1 << 7) #if defined(OPENSSL_STATIC_ARMCAP) -// We assume |CRYPTO_is_*_capable| already checked static capabilities. +// We assume `CRYPTO_is_*_capable` already checked static capabilities. inline uint32_t OPENSSL_get_armcap() { return 0; } #else // OPENSSL_armcap_P contains ARM CPU capabilities as a bitmask of the above -// constants. This should only be accessed with |OPENSSL_get_armcap|. +// constants. This should only be accessed with `OPENSSL_get_armcap`. extern uint32_t OPENSSL_armcap_P; // OPENSSL_get_armcap initializes the library if needed and returns ARM CPU @@ -1389,7 +1391,7 @@ inline int CRYPTO_is_ARMv8_PMULL_capable() { } inline int CRYPTO_is_ARMv8_SHA1_capable() { - // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise + // SHA-1 and SHA-2 (only) share `__ARM_FEATURE_SHA2` but otherwise // are dealt with independently. #if defined(OPENSSL_STATIC_ARMCAP_SHA1) || defined(__ARM_FEATURE_SHA2) return 1; @@ -1399,7 +1401,7 @@ inline int CRYPTO_is_ARMv8_SHA1_capable() { } inline int CRYPTO_is_ARMv8_SHA256_capable() { - // SHA-1 and SHA-2 (only) share |__ARM_FEATURE_SHA2| but otherwise + // SHA-1 and SHA-2 (only) share `__ARM_FEATURE_SHA2` but otherwise // are dealt with independently. #if defined(OPENSSL_STATIC_ARMCAP_SHA256) || defined(__ARM_FEATURE_SHA2) return 1; 
@@ -1409,7 +1411,7 @@ inline int CRYPTO_is_ARMv8_SHA256_capable() { } inline int CRYPTO_is_ARMv8_SHA512_capable() { - // There is no |OPENSSL_STATIC_ARMCAP_SHA512|. + // There is no `OPENSSL_STATIC_ARMCAP_SHA512`. #if defined(__ARM_FEATURE_SHA512) return 1; #else @@ -1418,7 +1420,7 @@ inline int CRYPTO_is_ARMv8_SHA512_capable() { } inline int CRYPTO_is_ARMv8_SHA3_capable() { - // There is no |OPENSSL_STATIC_ARMCAP_SHA3|. + // There is no `OPENSSL_STATIC_ARMCAP_SHA3`. #if defined(__ARM_FEATURE_SHA3) return 1; #else @@ -1446,10 +1448,10 @@ extern "C" uint8_t BORINGSSL_function_hit[8]; #endif // BORINGSSL_DISPATCH_TEST -// OPENSSL_vasprintf_internal is just like |vasprintf(3)|. If |system_malloc| is -// 0, memory will be allocated with |OPENSSL_malloc| and must be freed with -// |OPENSSL_free|. Otherwise the system |malloc| function is used and the memory -// must be freed with the system |free| function. +// OPENSSL_vasprintf_internal is just like `vasprintf(3)`. If `system_malloc` is +// 0, memory will be allocated with `OPENSSL_malloc` and must be freed with +// `OPENSSL_free`. Otherwise the system `malloc` function is used and the memory +// must be freed with the system `free` function. OPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format, va_list args, int system_malloc) OPENSSL_PRINTF_FORMAT_FUNC(2, 0); @@ -1459,7 +1461,7 @@ OPENSSL_EXPORT int OPENSSL_vasprintf_internal(char **str, const char *format, #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION) // CRYPTO_fuzzer_mode_enabled returns whether fuzzer mode is enabled. See -// |CRYPTO_set_fuzzer_mode|. In non-fuzzer builds, this function statically +// `CRYPTO_set_fuzzer_mode`. In non-fuzzer builds, this function statically // returns zero so the codepaths will be deleted by the optimizer. int CRYPTO_fuzzer_mode_enabled(); #else 
@@ -1469,8 +1471,8 @@ inline int CRYPTO_fuzzer_mode_enabled() { return 0; } // Arithmetic functions. -// CRYPTO_addc_* returns |x + y + carry|, and sets |*out_carry| to the carry -// bit. |carry| must be zero or one. +// CRYPTO_addc_* returns `x + y + carry`, and sets `*out_carry` to the carry +// bit. `carry` must be zero or one. // NOTE: Unoptimized GCC builds may compile these builtins to non-constant-time // code. For correct constant-time behavior, ensure builds are optimized. @@ -1546,8 +1548,8 @@ inline uint64_t CRYPTO_addc_u64(uint64_t x, uint64_t y, uint64_t carry, #endif -// CRYPTO_subc_* returns |x - y - borrow|, and sets |*out_borrow| to the borrow -// bit. |borrow| must be zero or one. +// CRYPTO_subc_* returns `x - y - borrow`, and sets `*out_borrow` to the borrow +// bit. `borrow` must be zero or one. #if OPENSSL_HAS_BUILTIN(__builtin_subc) inline unsigned int CRYPTO_subc_impl(unsigned int x, unsigned int y, @@ -1640,13 +1642,13 @@ class Cleanup { template Cleanup(F func) -> Cleanup; -// DECLARE_OPAQUE_STRUCT defines a public struct |public_name| with an -// implementation struct |impl_name|. +// DECLARE_OPAQUE_STRUCT defines a public struct `public_name` with an +// implementation struct `impl_name`. // -// To prevent accidents, the |public_name| struct will be neither constructable, +// To prevent accidents, the `public_name` struct will be neither constructable, // nor copyable/movable, nor deletable. // -// It must be used from inside the |bssl| namespace; however, |public_name| will +// It must be used from inside the `bssl` namespace; however, `public_name` will // be defined outside. // // Usage: 
@@ -1666,8 +1668,8 @@ Cleanup(F func) -> Cleanup; // // The implementation struct can be converted to the public struct implicitly; // to convert the public struct to the implementation struct, call -// |FromOpaque| on it. It is explicitly allowed to call |FromOpaque| on a -// |nullptr|. +// `FromOpaque` on it. It is explicitly allowed to call `FromOpaque` on a +// `nullptr`. #define DECLARE_OPAQUE_STRUCT(public_name, impl_name) \ BSSL_NAMESPACE_BEGIN \ class impl_name; \ diff --git a/third_party/boringssl/src/crypto/kyber/internal.h b/third_party/boringssl/src/crypto/kyber/internal.h index 21ec5afd..20a5379d 100644 --- a/third_party/boringssl/src/crypto/kyber/internal.h +++ b/third_party/boringssl/src/crypto/kyber/internal.h @@ -56,15 +56,15 @@ struct KYBER_private_key { #define KYBER_SHARED_SECRET_BYTES 32 // KYBER_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key| and sets |out_private_key| to +// encoded public key to `out_encoded_public_key` and sets `out_private_key` to // the private key. OPENSSL_EXPORT void KYBER_generate_key( uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES], struct KYBER_private_key *out_private_key); -// KYBER_public_from_private sets |*out_public_key| to the public key that -// corresponds to |private_key|. (This is faster than parsing the output of -// |KYBER_generate_key| if, for some reason, you need to encapsulate to a key +// KYBER_public_from_private sets `*out_public_key` to the public key that +// corresponds to `private_key`. (This is faster than parsing the output of +// `KYBER_generate_key` if, for some reason, you need to encapsulate to a key // that was just generated.) OPENSSL_EXPORT void KYBER_public_from_private( struct KYBER_public_key *out_public_key, 
@@ -73,20 +73,20 @@ OPENSSL_EXPORT void KYBER_public_from_private( // KYBER_CIPHERTEXT_BYTES is number of bytes in the Kyber768 ciphertext. #define KYBER_CIPHERTEXT_BYTES 1088 -// KYBER_encap encrypts a random shared secret for |public_key|, writes the -// ciphertext to |out_ciphertext|, and writes the random shared secret to -// |out_shared_secret|. +// KYBER_encap encrypts a random shared secret for `public_key`, writes the +// ciphertext to `out_ciphertext`, and writes the random shared secret to +// `out_shared_secret`. OPENSSL_EXPORT void KYBER_encap( uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], const struct KYBER_public_key *public_key); -// KYBER_decap decrypts a shared secret from |ciphertext| using |private_key| -// and writes it to |out_shared_secret|. If |ciphertext| is invalid, -// |out_shared_secret| is filled with a key that will always be the same for the -// same |ciphertext| and |private_key|, but which appears to be random unless -// one has access to |private_key|. These alternatives occur in constant time. -// Any subsequent symmetric encryption using |out_shared_secret| must use an +// KYBER_decap decrypts a shared secret from `ciphertext` using `private_key` +// and writes it to `out_shared_secret`. If `ciphertext` is invalid, +// `out_shared_secret` is filled with a key that will always be the same for the +// same `ciphertext` and `private_key`, but which appears to be random unless +// one has access to `private_key`. These alternatives occur in constant time. +// Any subsequent symmetric encryption using `out_shared_secret` must use an // authenticated encryption scheme in order to discover the decapsulation // failure. OPENSSL_EXPORT void KYBER_decap( 
@@ -97,33 +97,33 @@ OPENSSL_EXPORT void KYBER_decap( // Serialisation of keys. -// KYBER_marshal_public_key serializes |public_key| to |out| in the standard +// KYBER_marshal_public_key serializes `public_key` to `out` in the standard // format for Kyber public keys. It returns one on success or zero on allocation // error. OPENSSL_EXPORT int KYBER_marshal_public_key( CBB *out, const struct KYBER_public_key *public_key); // KYBER_parse_public_key parses a public key, in the format generated by -// |KYBER_marshal_public_key|, from |in| and writes the result to -// |out_public_key|. It returns one on success or zero on parse error or if -// there are trailing bytes in |in|. +// `KYBER_marshal_public_key`, from `in` and writes the result to +// `out_public_key`. It returns one on success or zero on parse error or if +// there are trailing bytes in `in`. OPENSSL_EXPORT int KYBER_parse_public_key( struct KYBER_public_key *out_public_key, CBS *in); -// KYBER_marshal_private_key serializes |private_key| to |out| in the standard +// KYBER_marshal_private_key serializes `private_key` to `out` in the standard // format for Kyber private keys. It returns one on success or zero on // allocation error. OPENSSL_EXPORT int KYBER_marshal_private_key( CBB *out, const struct KYBER_private_key *private_key); // KYBER_PRIVATE_KEY_BYTES is the length of the data produced by -// |KYBER_marshal_private_key|. +// `KYBER_marshal_private_key`. #define KYBER_PRIVATE_KEY_BYTES 2400 // KYBER_parse_private_key parses a private key, in the format generated by -// |KYBER_marshal_private_key|, from |in| and writes the result to -// |out_private_key|. It returns one on success or zero on parse error or if -// there are trailing bytes in |in|. +// `KYBER_marshal_private_key`, from `in` and writes the result to +// `out_private_key`. It returns one on success or zero on parse error or if +// there are trailing bytes in `in`. 
OPENSSL_EXPORT int KYBER_parse_private_key( struct KYBER_private_key *out_private_key, CBS *in); @@ -142,18 +142,18 @@ OPENSSL_EXPORT int KYBER_parse_private_key( // KYBER_generate_key_external_entropy is a deterministic function to create a // pair of Kyber768 keys, using the supplied entropy. The entropy needs to be // uniformly random generated. This function is should only be used for tests, -// regular callers should use the non-deterministic |KYBER_generate_key| +// regular callers should use the non-deterministic `KYBER_generate_key` // directly. OPENSSL_EXPORT void KYBER_generate_key_external_entropy( uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES], struct KYBER_private_key *out_private_key, const uint8_t entropy[KYBER_GENERATE_KEY_ENTROPY]); -// KYBER_encap_external_entropy behaves like |KYBER_encap|, but uses -// |KYBER_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating -// side will be able to recover |entropy| in full. This function should only be +// KYBER_encap_external_entropy behaves like `KYBER_encap`, but uses +// `KYBER_ENCAP_ENTROPY` bytes of `entropy` for randomization. The decapsulating +// side will be able to recover `entropy` in full. This function should only be // used for tests, regular callers should use the non-deterministic -// |KYBER_encap| directly. +// `KYBER_encap` directly. OPENSSL_EXPORT void KYBER_encap_external_entropy( uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], diff --git a/third_party/boringssl/src/crypto/kyber/kyber.cc b/third_party/boringssl/src/crypto/kyber/kyber.cc index f35ca558..9ecdd4bd 100644 --- a/third_party/boringssl/src/crypto/kyber/kyber.cc +++ b/third_party/boringssl/src/crypto/kyber/kyber.cc 
@@ -145,7 +145,7 @@ static uint16_t reduce_once(uint16_t x) { // We usually add value barriers to selects because Clang turns consecutive // selects with the same condition into a branch instead of CMOV/CSEL. This // condition does not occur in Kyber, so omitting it seems to be safe so far, - // but see |scalar_centered_binomial_distribution_eta_2_with_prf|. + // but see `scalar_centered_binomial_distribution_eta_2_with_prf`. return (mask & x) | (~mask & subtracted); } @@ -166,9 +166,9 @@ static void vector_zero(vector *out) { OPENSSL_memset(out, 0, sizeof(*out)); } // In place number theoretic transform of a given scalar. // Note that Kyber's kPrime 3329 does not have a 512th root of unity, so this // transform leaves off the last iteration of the usual FFT code, with the 128 -// relevant roots of unity being stored in |kNTTRoots|. This means the output +// relevant roots of unity being stored in `kNTTRoots`. This means the output // should be seen as 128 elements in GF(3329^2), with the coefficients of the -// elements being consecutive entries in |s->c|. +// elements being consecutive entries in `s->c`. static void scalar_ntt(scalar *s) { int offset = DEGREE; // `int` is used here because using `size_t` throughout caused a ~5% slowdown @@ -199,7 +199,7 @@ static void vector_ntt(vector *a) { // entries of s->v being interpreted as elements of GF(3329^2). Just as with the // number theoretic transform, this leaves off the first step of the normal iFFT // to account for the fact that 3329 does not have a 512th root of unity, using -// the precomputed 128 roots of unity stored in |kInverseNTTRoots|. +// the precomputed 128 roots of unity stored in `kInverseNTTRoots`. static void scalar_inverse_ntt(scalar *s) { int step = DEGREE / 2; // `int` is used here because using `size_t` throughout caused a ~5% slowdown 
@@ -245,7 +245,7 @@ static void scalar_sub(scalar *lhs, const scalar *rhs) { // 3329 does not have a 512th root of unity, this means we have to interpret // the 2*ith and (2*i+1)th entries of the scalar as elements of GF(3329)[X]/(X^2 // - 17^(2*bitreverse(i)+1)) The value of 17^(2*bitreverse(i)+1) mod 3329 is -// stored in the precomputed |kModRoots| table. Note that our Barrett transform +// stored in the precomputed `kModRoots` table. Note that our Barrett transform // only allows us to multiply two reduced numbers together, so we need some // intermediate reduction steps, even if an uint64_t could hold 3 multiplied // numbers. @@ -327,7 +327,7 @@ static void scalar_from_keccak_vartime(scalar *out, } // Algorithm 2 of the Kyber spec, with eta fixed to two and the PRF call -// included. Creates binominally distributed elements by sampling 2*|eta| bits, +// included. Creates binominally distributed elements by sampling 2*`eta` bits, // and setting the coefficient to the count of the first bits minus the count of // the second bits, resulting in a centered binomial distribution. Since eta is // two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4, @@ -343,10 +343,10 @@ static void scalar_centered_binomial_distribution_eta_2_with_prf( uint16_t value = (byte & 1) + ((byte >> 1) & 1); value -= ((byte >> 2) & 1) + ((byte >> 3) & 1); - // Add |kPrime| if |value| underflowed. See |reduce_once| for a discussion + // Add `kPrime` if `value` underflowed. See `reduce_once` for a discussion // on why the value barrier is omitted. While this could have been written // reduce_once(value + kPrime), this is one extra addition and small range - // of |value| tempts some versions of Clang to emit a branch. + // of `value` tempts some versions of Clang to emit a branch. uint16_t mask = 0u - (value >> 15); out->c[i] = value + (kPrime & mask); 
@@ -360,8 +360,8 @@ static void scalar_centered_binomial_distribution_eta_2_with_prf( } // Generates a secret vector by using -// |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed -// appending and incrementing |counter| for entry of the vector. +// `scalar_centered_binomial_distribution_eta_2_with_prf`, using the given seed +// appending and incrementing `counter` for entry of the vector. static void vector_generate_secret_eta_2(vector *out, uint8_t *counter, const uint8_t seed[32]) { uint8_t input[33]; @@ -426,7 +426,7 @@ static void scalar_encode(uint8_t *out, const scalar *s, int bits) { } } -// scalar_encode_1 is |scalar_encode| specialised for |bits| == 1. +// scalar_encode_1 is `scalar_encode` specialised for `bits` == 1. static void scalar_encode_1(uint8_t out[32], const scalar *s) { for (int i = 0; i < DEGREE; i += 8) { uint8_t out_byte = 0; @@ -438,7 +438,7 @@ static void scalar_encode_1(uint8_t out[32], const scalar *s) { } } -// Encodes an entire vector into 32*|RANK|*|bits| bytes. Note that since 256 +// Encodes an entire vector into 32*`RANK`*`bits` bytes. Note that since 256 // (DEGREE) is divisible by 8, the individual vector entries will always fill a // whole number of bytes, so we do not need to worry about bit packing here. static void vector_encode(uint8_t *out, const vector *a, int bits) { @@ -447,9 +447,9 @@ static void vector_encode(uint8_t *out, const vector *a, int bits) { } } -// scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in -// |out|. It returns one on success and zero if any parsed value is >= -// |kPrime|. +// scalar_decode parses `DEGREE * bits` bits from `in` into `DEGREE` values in +// `out`. It returns one on success and zero if any parsed value is >= +// `kPrime`. static int scalar_decode(scalar *out, const uint8_t *in, int bits) { assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1); 
@@ -490,7 +490,7 @@ static int scalar_decode(scalar *out, const uint8_t *in, int bits) { return 1; } -// scalar_decode_1 is |scalar_decode| specialised for |bits| == 1. +// scalar_decode_1 is `scalar_decode` specialised for `bits` == 1. static void scalar_decode_1(scalar *out, const uint8_t in[32]) { for (int i = 0; i < DEGREE; i += 8) { uint8_t in_byte = *in; @@ -502,8 +502,8 @@ static void scalar_decode_1(scalar *out, const uint8_t in[32]) { } } -// Decodes 32*|RANK|*|bits| bytes from |in| into |out|. It returns one on -// success or zero if any parsed value is >= |kPrime|. +// Decodes 32*`RANK`*`bits` bytes from `in` into `out`. It returns one on +// success or zero if any parsed value is >= `kPrime`. static int vector_decode(vector *out, const uint8_t *in, int bits) { for (int i = 0; i < RANK; i++) { if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8, bits)) { @@ -513,12 +513,12 @@ static int vector_decode(vector *out, const uint8_t *in, int bits) { return 1; } -// Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping +// Compresses (lossily) an input `x` mod 3329 into `bits` many bits by grouping // numbers close to each other together. The formula used is -// round(2^|bits|/kPrime*x) mod 2^|bits|. +// round(2^`bits`/kPrime*x) mod 2^`bits`. // Uses Barrett reduction to achieve constant time. Since we need both the // remainder (for rounding) and the quotient (as the result), we cannot use -// |reduce| here, but need to do the Barrett reduction directly. +// `reduce` here, but need to do the Barrett reduction directly. static uint16_t compress(uint16_t x, int bits) { uint32_t shifted = (uint32_t)x << bits; uint64_t product = (uint64_t)shifted * kBarrettMultiplier; 
@@ -535,19 +535,19 @@ static uint16_t compress(uint16_t x, int bits) { return quotient & ((1 << bits) - 1); } -// Decompresses |x| by using an equi-distant representative. The formula is -// round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to +// Decompresses `x` by using an equi-distant representative. The formula is +// round(kPrime/2^`bits`*x). Note that 2^`bits` being the divisor allows us to // implement this logic using only bit operations. static uint16_t decompress(uint16_t x, int bits) { uint32_t product = (uint32_t)x * kPrime; uint32_t power = 1 << bits; - // This is |product| % power, since |power| is a power of 2. + // This is `product` % power, since `power` is a power of 2. uint32_t remainder = product & (power - 1); - // This is |product| / power, since |power| is a power of 2. + // This is `product` / power, since `power` is a power of 2. uint32_t lower = product >> bits; - // The rounding logic works since the first half of numbers mod |power| have a - // 0 as first bit, and the second half has a 1 as first bit, since |power| is - // a power of 2. As a 12 bit number, |remainder| is always positive, so we + // The rounding logic works since the first half of numbers mod `power` have a + // 0 as first bit, and the second half has a 1 as first bit, since `power` is + // a power of 2. As a 12 bit number, `remainder` is always positive, so we // will shift in 0s for a right shift. return lower + (remainder >> (bits - 1)); } @@ -612,8 +612,8 @@ static struct private_key *private_key_from_external( } // namespace -// Calls |KYBER_generate_key_external_entropy| with random bytes from -// |RAND_bytes|. +// Calls `KYBER_generate_key_external_entropy` with random bytes from +// `RAND_bytes`. void bssl::KYBER_generate_key( uint8_t out_encoded_public_key[KYBER_PUBLIC_KEY_BYTES], struct KYBER_private_key *out_private_key) { 
@@ -683,7 +683,7 @@ void bssl::KYBER_public_from_private( } // Algorithm 5 of the Kyber spec. Encrypts a message with given randomness to -// the ciphertext in |out|. Without applying the Fujisaki-Okamoto transform this +// the ciphertext in `out`. Without applying the Fujisaki-Okamoto transform this // would not result in a CCA secure scheme, since lattice schemes are vulnerable // to decryption failure oracles. static void encrypt_cpa(uint8_t out[KYBER_CIPHERTEXT_BYTES], @@ -718,7 +718,7 @@ static void encrypt_cpa(uint8_t out[KYBER_CIPHERTEXT_BYTES], scalar_encode(out + kCompressedVectorSize, &v, kDV); } -// Calls KYBER_encap_external_entropy| with random bytes from |RAND_bytes| +// Calls `KYBER_encap_external_entropy` with random bytes from `RAND_bytes` void bssl::KYBER_encap(uint8_t out_ciphertext[KYBER_CIPHERTEXT_BYTES], uint8_t out_shared_secret[KYBER_SHARED_SECRET_BYTES], const struct KYBER_public_key *public_key) { @@ -809,8 +809,8 @@ int bssl::KYBER_marshal_public_key(CBB *out, return kyber_marshal_public_key(out, public_key_from_external(public_key)); } -// kyber_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate -// the value of |pub->public_key_hash|. +// kyber_parse_public_key_no_hash parses `in` into `pub` but doesn't calculate +// the value of `pub->public_key_hash`. static int kyber_parse_public_key_no_hash(struct public_key *pub, CBS *in) { CBS t_bytes; if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize) || diff --git a/third_party/boringssl/src/crypto/lhash/internal.h b/third_party/boringssl/src/crypto/lhash/internal.h index 27c77806..6b5e0f84 100644 --- a/third_party/boringssl/src/crypto/lhash/internal.h +++ b/third_party/boringssl/src/crypto/lhash/internal.h 
@@ -24,8 +24,8 @@ BSSL_NAMESPACE_BEGIN // contracts as needed. One should not use the lh_* functions directly, rather // use the type-safe macro wrappers: // -// A hash table of a specific type of object has type |LHASH_OF(type)|. This -// can be defined (once) with |DEFINE_LHASH_OF(type)|. +// A hash table of a specific type of object has type `LHASH_OF(type)`. This +// can be defined (once) with `DEFINE_LHASH_OF(type)`. // // struct foo { // int bar; @@ -33,10 +33,10 @@ BSSL_NAMESPACE_BEGIN // // DEFINE_LHASH_OF(struct foo) // -// Although note that the hash table will contain /pointers/ to |foo|. +// Although note that the hash table will contain /pointers/ to `foo`. // -// A macro will be defined for each of the |OPENSSL_lh_*| functions below. For -// |LHASH_OF(foo)|, the macros would be |lh_foo_new|, |lh_foo_num_items| etc. +// A macro will be defined for each of the `OPENSSL_lh_*` functions below. For +// `LHASH_OF(foo)`, the macros would be `lh_foo_new`, `lh_foo_num_items` etc. // // TODO(davidben): Now that this type is completely internal, this can just be a // C++ template without any macros. 
@@ -45,12 +45,12 @@ BSSL_NAMESPACE_BEGIN #define LHASH_OF(type) struct bssl::type##_lhash_st // lhash_cmp_func is a comparison function that returns a value equal, or not -// equal, to zero depending on whether |*a| is equal, or not equal to |*b|, -// respectively. Note the difference between this and |stack_cmp_func| in that +// equal, to zero depending on whether `*a` is equal, or not equal to `*b`, +// respectively. Note the difference between this and `stack_cmp_func` in that // this takes pointers to the objects directly. // // This function's actual type signature is int (*)(const T*, const T*). The -// low-level |lh_*| functions will be passed a type-specific wrapper to call it +// low-level `lh_*` functions will be passed a type-specific wrapper to call it // correctly. typedef int (*lhash_cmp_func)(const void *a, const void *b); typedef int (*lhash_cmp_func_helper)(lhash_cmp_func func, const void *a, @@ -60,7 +60,7 @@ typedef int (*lhash_cmp_func_helper)(lhash_cmp_func func, const void *a, // uint32_t. // // This function's actual type signature is uint32_t (*)(const T*). The -// low-level |lh_*| functions will be passed a type-specific wrapper to call it +// low-level `lh_*` functions will be passed a type-specific wrapper to call it // correctly. typedef uint32_t (*lhash_hash_func)(const void *a); typedef uint32_t (*lhash_hash_func_helper)(lhash_hash_func func, const void *a); 
@@ -72,45 +72,45 @@ OPENSSL_EXPORT _LHASH *OPENSSL_lh_new(lhash_hash_func hash, lhash_cmp_func comp); // OPENSSL_lh_free frees the hash table itself but none of the elements. See -// |OPENSSL_lh_doall|. +// `OPENSSL_lh_doall`. OPENSSL_EXPORT void OPENSSL_lh_free(_LHASH *lh); -// OPENSSL_lh_num_items returns the number of items in |lh|. +// OPENSSL_lh_num_items returns the number of items in `lh`. OPENSSL_EXPORT size_t OPENSSL_lh_num_items(const _LHASH *lh); -// OPENSSL_lh_retrieve finds an element equal to |data| in the hash table and +// OPENSSL_lh_retrieve finds an element equal to `data` in the hash table and // returns it. If no such element exists, it returns NULL. OPENSSL_EXPORT void *OPENSSL_lh_retrieve(const _LHASH *lh, const void *data, lhash_hash_func_helper call_hash_func, lhash_cmp_func_helper call_cmp_func); -// OPENSSL_lh_retrieve_key finds an element matching |key|, given the specified -// hash and comparison function. This differs from |OPENSSL_lh_retrieve| in that -// the key may be a different type than the values stored in |lh|. |key_hash| -// and |cmp_key| must be compatible with the functions passed into -// |OPENSSL_lh_new|. +// OPENSSL_lh_retrieve_key finds an element matching `key`, given the specified +// hash and comparison function. This differs from `OPENSSL_lh_retrieve` in that +// the key may be a different type than the values stored in `lh`. `key_hash` +// and `cmp_key` must be compatible with the functions passed into +// `OPENSSL_lh_new`. OPENSSL_EXPORT void *OPENSSL_lh_retrieve_key(const _LHASH *lh, const void *key, uint32_t key_hash, int (*cmp_key)(const void *key, const void *value)); -// OPENSSL_lh_insert inserts |data| into the hash table. If an existing element -// is equal to |data| (with respect to the comparison function) then |*old_data| +// OPENSSL_lh_insert inserts `data` into the hash table. 
If an existing element +// is equal to `data` (with respect to the comparison function) then `*old_data` // will be set to that value and it will be replaced. Otherwise, or in the -// event of an error, |*old_data| will be set to NULL. It returns one on +// event of an error, `*old_data` will be set to NULL. It returns one on // success or zero in the case of an allocation error. OPENSSL_EXPORT int OPENSSL_lh_insert(_LHASH *lh, void **old_data, void *data, lhash_hash_func_helper call_hash_func, lhash_cmp_func_helper call_cmp_func); -// OPENSSL_lh_delete removes an element equal to |data| from the hash table and +// OPENSSL_lh_delete removes an element equal to `data` from the hash table and // returns it. If no such element is found, it returns NULL. OPENSSL_EXPORT void *OPENSSL_lh_delete(_LHASH *lh, const void *data, lhash_hash_func_helper call_hash_func, lhash_cmp_func_helper call_cmp_func); -// OPENSSL_lh_doall_arg calls |func| on each element of the hash table and also -// passes |arg| as the second argument. +// OPENSSL_lh_doall_arg calls `func` on each element of the hash table and also +// passes `arg` as the second argument. // TODO(fork): rename this OPENSSL_EXPORT void OPENSSL_lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), 
@@ -122,9 +122,9 @@ OPENSSL_EXPORT void OPENSSL_lh_doall_arg(_LHASH *lh, /* We disable MSVC C4191 in this macro, which warns when pointers are cast \ * to the wrong type. While the cast itself is valid, it is often a bug \ * because calling it through the cast is UB. However, we never actually \ - * call functions as |lhash_cmp_func|. The type is just a type-erased \ + * call functions as `lhash_cmp_func`. The type is just a type-erased \ * function pointer. (C does not guarantee function pointers fit in \ - * |void*|, and GCC will warn on this.) Thus we just disable the false \ + * `void*`, and GCC will warn on this.) Thus we just disable the false \ * positive warning. */ \ OPENSSL_MSVC_PRAGMA(warning(push)) \ OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \ diff --git a/third_party/boringssl/src/crypto/lhash/lhash.cc b/third_party/boringssl/src/crypto/lhash/lhash.cc index b074bb86..77a0c87e 100644 --- a/third_party/boringssl/src/crypto/lhash/lhash.cc +++ b/third_party/boringssl/src/crypto/lhash/lhash.cc @@ -25,7 +25,7 @@ BSSL_NAMESPACE_BEGIN -// kMinNumBuckets is the minimum size of the buckets array in an |_LHASH|. +// kMinNumBuckets is the minimum size of the buckets array in an `_LHASH`. static const size_t kMinNumBuckets = 16; // kMaxAverageChainLength contains the maximum, average chain length. When the 
@@ -39,22 +39,22 @@ static const size_t kMinAverageChainLength = 1; struct LHASH_ITEM { void *data = nullptr; LHASH_ITEM *next = nullptr; - // hash contains the cached, hash value of |data|. + // hash contains the cached, hash value of `data`. uint32_t hash = 0; }; struct _LHASH { // num_items contains the total number of items in the hash table. size_t num_items = 0; - // buckets is an array of |num_buckets| pointers. Each points to the head of + // buckets is an array of `num_buckets` pointers. Each points to the head of // a chain of LHASH_ITEM objects that have the same hash value, mod - // |num_buckets|. + // `num_buckets`. LHASH_ITEM **buckets = nullptr; - // num_buckets contains the length of |buckets|. This value is always >= + // num_buckets contains the length of `buckets`. This value is always >= // kMinNumBuckets. size_t num_buckets = 0; - // callback_depth contains the current depth of |lh_doall| or |lh_doall_arg| - // calls. If non-zero then this suppresses resizing of the |buckets| array, + // callback_depth contains the current depth of `lh_doall` or `lh_doall_arg` + // calls. If non-zero then this suppresses resizing of the `buckets` array, // which would otherwise disrupt the iteration. unsigned callback_depth = 0; 
@@ -101,12 +101,12 @@ void OPENSSL_lh_free(_LHASH *lh) { size_t OPENSSL_lh_num_items(const _LHASH *lh) { return lh->num_items; } // get_next_ptr_and_hash returns a pointer to the pointer that points to the -// item equal to |data|. In other words, it searches for an item equal to |data| +// item equal to `data`. In other words, it searches for an item equal to `data` // and, if it's at the start of a chain, then it returns a pointer to an -// element of |lh->buckets|, otherwise it returns a pointer to the |next| -// element of the previous item in the chain. If an element equal to |data| is -// not found, it returns a pointer that points to a NULL pointer. If |out_hash| -// is not NULL, then it also puts the hash value of |data| in |*out_hash|. +// element of `lh->buckets`, otherwise it returns a pointer to the `next` +// element of the previous item in the chain. If an element equal to `data` is +// not found, it returns a pointer that points to a NULL pointer. If `out_hash` +// is not NULL, then it also puts the hash value of `data` in `*out_hash`. static LHASH_ITEM **get_next_ptr_and_hash(const _LHASH *lh, uint32_t *out_hash, const void *data, lhash_hash_func_helper call_hash_func, @@ -127,8 +127,8 @@ static LHASH_ITEM **get_next_ptr_and_hash(const _LHASH *lh, uint32_t *out_hash, return ret; } -// get_next_ptr_by_key behaves like |get_next_ptr_and_hash| but takes a key -// which may be a different type from the values stored in |lh|. +// get_next_ptr_by_key behaves like `get_next_ptr_and_hash` but takes a key +// which may be a different type from the values stored in `lh`. static LHASH_ITEM **get_next_ptr_by_key(const _LHASH *lh, const void *key, uint32_t key_hash, int (*cmp_key)(const void *key, 
@@ -160,8 +160,8 @@ void *OPENSSL_lh_retrieve_key(const _LHASH *lh, const void *key, return *next_ptr == nullptr ? nullptr : (*next_ptr)->data; } -// lh_rebucket allocates a new array of |new_num_buckets| pointers and -// redistributes the existing items into it before making it |lh->buckets| and +// lh_rebucket allocates a new array of `new_num_buckets` pointers and +// redistributes the existing items into it before making it `lh->buckets` and // freeing the old array. static void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) { LHASH_ITEM **new_buckets, *cur, *next; @@ -192,7 +192,7 @@ static void lh_rebucket(_LHASH *lh, const size_t new_num_buckets) { lh->buckets = new_buckets; } -// lh_maybe_resize resizes the |buckets| array if needed. +// lh_maybe_resize resizes the `buckets` array if needed. static void lh_maybe_resize(_LHASH *lh) { size_t avg_chain_length; @@ -234,14 +234,14 @@ int OPENSSL_lh_insert(_LHASH *lh, void **old_data, void *data, if (*next_ptr != nullptr) { - // An element equal to |data| already exists in the hash table. It will be + // An element equal to `data` already exists in the hash table. It will be // replaced. *old_data = (*next_ptr)->data; (*next_ptr)->data = data; return 1; } - // An element equal to |data| doesn't exist in the hash table yet. + // An element equal to `data` doesn't exist in the hash table yet. item = New(); if (item == nullptr) { return 0; @@ -287,7 +287,7 @@ void OPENSSL_lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), void *arg) { } if (lh->callback_depth < UINT_MAX) { - // |callback_depth| is a saturating counter. + // `callback_depth` is a saturating counter. lh->callback_depth++; } 
@@ -304,7 +304,7 @@ void OPENSSL_lh_doall_arg(_LHASH *lh, void (*func)(void *, void *), void *arg) { } // The callback may have added or removed elements and the non-zero value of - // |callback_depth| will have suppressed any resizing. Thus any needed + // `callback_depth` will have suppressed any resizing. Thus any needed // resizing is done here. lh_maybe_resize(lh); } diff --git a/third_party/boringssl/src/crypto/mem.cc b/third_party/boringssl/src/crypto/mem.cc index 28ab3deb..faedd533 100644 --- a/third_party/boringssl/src/crypto/mem.cc +++ b/third_party/boringssl/src/crypto/mem.cc @@ -69,14 +69,14 @@ static void __asan_unpoison_memory_region(const void *addr, size_t size) {} #endif #if defined(BORINGSSL_DETECT_SDALLOCX) -// sdallocx is a sized |free| function. By passing the size (which we happen to +// sdallocx is a sized `free` function. By passing the size (which we happen to // always know in BoringSSL), the malloc implementation can save work. We cannot -// depend on |sdallocx| being available, however, so it's a weak symbol. +// depend on `sdallocx` being available, however, so it's a weak symbol. // -// This mechanism is kept opt-in because it assumes that, when |sdallocx| is -// defined, it is part of the same allocator as |malloc|. This is usually true -// but may break if |malloc| does not implement |sdallocx|, but some other -// allocator with |sdallocx| is imported which does. +// This mechanism is kept opt-in because it assumes that, when `sdallocx` is +// defined, it is part of the same allocator as `malloc`. This is usually true +// but may break if `malloc` does not implement `sdallocx`, but some other +// allocator with `sdallocx` is imported which does. WEAK_SYMBOL_FUNC(void, sdallocx, (void *ptr, size_t size, int flags)) #else static void (*const sdallocx)(void *ptr, size_t size, int flags) = nullptr; 
@@ -84,8 +84,8 @@ static void (*const sdallocx)(void *ptr, size_t size, int flags) = nullptr; // The following three functions can be defined to override default heap // allocation and freeing. If defined, it is the responsibility of -// |OPENSSL_memory_free| to zero out the memory before returning it to the -// system. |OPENSSL_memory_free| will not be passed NULL pointers. +// `OPENSSL_memory_free` to zero out the memory before returning it to the +// system. `OPENSSL_memory_free` will not be passed NULL pointers. // // WARNING: These functions are called on every allocation and free in // BoringSSL across the entire process. They may be called by any code in the diff --git a/third_party/boringssl/src/crypto/mem_internal.h b/third_party/boringssl/src/crypto/mem_internal.h index 78c3348d..7b28cca2 100644 --- a/third_party/boringssl/src/crypto/mem_internal.h +++ b/third_party/boringssl/src/crypto/mem_internal.h 
@@ -33,24 +33,24 @@ BSSL_NAMESPACE_BEGIN // Internal allocation-dependent functions. // // This header is separate from crypto/internal.h because there are some files -// which must avoid |OPENSSL_malloc|, to avoid a circular dependency, but +// which must avoid `OPENSSL_malloc`, to avoid a circular dependency, but // need other support routines in crypto/internal.h. (See -// |_BORINGSSL_PROHIBIT_OPENSSL_MALLOC|.) +// `_BORINGSSL_PROHIBIT_OPENSSL_MALLOC`.) // Memory allocation. -// New behaves like |new| but uses |OPENSSL_malloc| for memory allocation. It +// New behaves like `new` but uses `OPENSSL_malloc` for memory allocation. It // returns nullptr on allocation error. It only implements single-object // allocation and not new T[n]. // // When called with no arguments, it performs value-initialization, not // default-initialization. This means that, if selects a non-user-provided // constructor, the object will be zero-initialized. (As in any C++ type, once -// |T| gains a user-provided constructors, it is responsible for initializing +// `T` gains a user-provided constructors, it is responsible for initializing // all fields explicitly.) // -// Note: unlike |new|, this does not support non-public constructors. +// Note: unlike `new`, this does not support non-public constructors. template T *New(Args &&...args) { void *t = OPENSSL_malloc(sizeof(T)); @@ -60,9 +60,9 @@ T *New(Args &&...args) { return new (t) T(std::forward(args)...); } -// Delete behaves like |delete| but uses |OPENSSL_free| to release memory. +// Delete behaves like `delete` but uses `OPENSSL_free` to release memory. // -// Note: unlike |delete| this does not support non-public destructors. +// Note: unlike `delete` this does not support non-public destructors. template void Delete(T *t) { if (t != nullptr) { 
@@ -74,9 +74,9 @@ void Delete(T *t) { namespace internal { // All types with kAllowUniquePtr set may be used with UniquePtr. Other types -// may be C structs which require a |BORINGSSL_MAKE_DELETER| registration. Where +// may be C structs which require a `BORINGSSL_MAKE_DELETER` registration. Where // an internal type cannot be annotated (e.g. an alias of std::variant), use -// |BORINGSSL_MAKE_DELETER(T, Delete)|. +// `BORINGSSL_MAKE_DELETER(T, Delete)`. template struct DeleterImpl> { static void Free(T *t) { Delete(t); } @@ -93,7 +93,7 @@ struct DeleterImpl> { // All types with kAllowRefCountedUniquePtr types also automatically get an // UpRef function. Other types may be C structs which require a -// |BORINGSSL_MAKE_UP_REF| registration. +// `BORINGSSL_MAKE_UP_REF` registration. template > inline UniquePtr UpRef(const T *v) { if (v != nullptr) { @@ -106,7 +106,7 @@ inline UniquePtr UpRef(const UniquePtr &ptr) { return UpRef(ptr.get()); } -// MakeUnique behaves like |std::make_unique| but returns nullptr on allocation +// MakeUnique behaves like `std::make_unique` but returns nullptr on allocation // error. template UniquePtr MakeUnique(Args &&...args) { @@ -128,7 +128,7 @@ class RefCounted { // These methods are intentionally named differently from `bssl::UpRef` to // avoid a collision. Only the implementations of `FOO_up_ref` and `FOO_free` - // should call these. |DecRefInternal| returns true if the object was freed + // should call these. `DecRefInternal` returns true if the object was freed // and false if there are still references. void UpRefInternal() const { // Safety: the folowing call does not mutate anything other than the atomic @@ -168,7 +168,7 @@ class RefCounted { // Containers. -// Array is an owning array of elements of |T|. +// Array is an owning array of elements of `T`. template class Array { public: 
@@ -244,9 +244,9 @@ class Array { size_ = 0; } - // Init replaces the array with a newly-allocated array of |new_size| - // value-constructed copies of |T|. It returns true on success and false on - // error. If |T| is a primitive type like |uint8_t|, value-construction means + // Init replaces the array with a newly-allocated array of `new_size` + // value-constructed copies of `T`. It returns true on success and false on + // error. If `T` is a primitive type like `uint8_t`, value-construction means // it will be zero-initialized. [[nodiscard]] bool Init(size_t new_size) { if (!InitUninitialized(new_size)) { @@ -256,8 +256,8 @@ class Array { return true; } - // InitForOverwrite behaves like |Init| but it default-constructs each element - // instead. This means that, if |T| is a primitive type, the array will be + // InitForOverwrite behaves like `Init` but it default-constructs each element + // instead. This means that, if `T` is a primitive type, the array will be // uninitialized and thus must be filled in by the caller. [[nodiscard]] bool InitForOverwrite(size_t new_size) { if (!InitUninitialized(new_size)) { @@ -267,10 +267,10 @@ class Array { return true; } - // CopyFrom replaces the array with a newly-allocated copy of |in|. It returns + // CopyFrom replaces the array with a newly-allocated copy of `in`. It returns // true on success and false on error. // - // |in| may not alias |this|. + // `in` may not alias `this`. [[nodiscard]] bool CopyFrom(Span in) { BSSL_CHECK(!spans_alias(MakeConstSpan(*this), in)); if (!InitUninitialized(in.size())) { @@ -280,7 +280,7 @@ class Array { return true; } - // Shrink shrinks the stored size of the array to |new_size|. It crashes if + // Shrink shrinks the stored size of the array to `new_size`. It crashes if // the new size is larger. Note this does not shrink the allocation itself. void Shrink(size_t new_size) { if (new_size > size_) { 
@@ -292,7 +292,7 @@ class Array { private: // InitUninitialized replaces the array with a newly-allocated array of - // |new_size| elements, but whose constructor has not yet run. On success, the + // `new_size` elements, but whose constructor has not yet run. On success, the // elements must be constructed before returning control to the caller. bool InitUninitialized(size_t new_size) { Reset(); @@ -316,7 +316,7 @@ class Array { size_t size_ = 0; }; -// Vector is a resizable array of elements of |T|. +// Vector is a resizable array of elements of `T`. template class Vector { public: @@ -384,7 +384,7 @@ class Vector { size_--; } - // Push adds |elem| at the end of the internal array, growing if necessary. It + // Push adds `elem` at the end of the internal array, growing if necessary. It // returns false when allocation fails. [[nodiscard]] bool Push(T elem) { if (!MaybeGrow(1)) { @@ -395,7 +395,7 @@ class Vector { return true; } - // CopyFrom replaces the contents of the array with a copy of |in|. It returns + // CopyFrom replaces the contents of the array with a copy of `in`. It returns // true on success and false on allocation error. [[nodiscard]] bool CopyFrom(Span in) { Array copy; @@ -409,7 +409,7 @@ class Vector { return true; } - // Append appends the contents of |in| to the array. It returns true on + // Append appends the contents of `in` to the array. It returns true on // success and false on allocation error. [[nodiscard]] bool Append(Span in) { if (!MaybeGrow(in.size())) { @@ -420,7 +420,7 @@ class Vector { return true; } - // AppendMove moves the contents of |in| and appends them to the array. It + // AppendMove moves the contents of `in` and appends them to the array. It // returns true on success and false on allocation error. [[nodiscard]] bool AppendMove(Span in) { if (!MaybeGrow(in.size())) { 
@@ -431,7 +431,7 @@ class Vector { return true; } - // EraseIf removes all elements that satisfy the predicate |pred|. + // EraseIf removes all elements that satisfy the predicate `pred`. template void EraseIf(Pred pred) { auto it = std::remove_if(begin(), end(), pred); @@ -440,7 +440,7 @@ class Vector { } private: - // If there is no room for |num| elements, creates a new backing array with + // If there is no room for `num` elements, creates a new backing array with // double the size of the old one and copies elements over. [[nodiscard]] bool MaybeGrow(size_t num) { constexpr size_t kDefaultSize = 16; @@ -475,12 +475,12 @@ class Vector { return true; } - // data_ is a pointer to |capacity_| objects of size |T|, the first |size_| of + // data_ is a pointer to `capacity_` objects of size `T`, the first `size_` of // which are constructed. T *data_ = nullptr; - // |size_| is the number of elements stored in this Vector. + // `size_` is the number of elements stored in this Vector. size_t size_ = 0; - // |capacity_| is the number of elements allocated in this Vector. + // `capacity_` is the number of elements allocated in this Vector. size_t capacity_ = 0; }; @@ -560,8 +560,8 @@ class InplaceVector { Shrink(size_ - 1); } - // Shrink resizes the vector to |new_size|, which must not be larger than the - // current size. Unlike |Resize|, this can be called when |T| is not + // Shrink resizes the vector to `new_size`, which must not be larger than the + // current size. Unlike `Resize`, this can be called when `T` is not // default-constructible. void Shrink(size_t new_size) { BSSL_CHECK(new_size <= size_); 
@@ -569,8 +569,8 @@ class InplaceVector { size_ = static_cast>(new_size); } - // TryResize resizes the vector to |new_size| and returns true, or returns - // false if |new_size| is too large. Any newly-added elements are + // TryResize resizes the vector to `new_size` and returns true, or returns + // false if `new_size` is too large. Any newly-added elements are // value-initialized. [[nodiscard]] bool TryResize(size_t new_size) { if (new_size <= size_) { @@ -585,7 +585,7 @@ class InplaceVector { return true; } - // TryResizeForOverwrite behaves like |TryResize|, but newly-added elements + // TryResizeForOverwrite behaves like `TryResize`, but newly-added elements // are default-initialized, so POD types may contain uninitialized values that // the caller is responsible for filling in. [[nodiscard]] bool TryResizeForOverwrite(size_t new_size) { @@ -601,10 +601,10 @@ class InplaceVector { return true; } - // TryCopyFrom sets the vector to a copy of |in| and returns true, or returns - // false if |in| is too large. + // TryCopyFrom sets the vector to a copy of `in` and returns true, or returns + // false if `in` is too large. // - // |in| may not alias |this|. + // `in` may not alias `this`. [[nodiscard]] bool TryCopyFrom(Span in) { BSSL_CHECK(!spans_alias(MakeConstSpan(*this), in)); if (in.size() > capacity()) { @@ -616,8 +616,8 @@ class InplaceVector { return true; } - // TryAppend appends the vector by a copy of |in| and returns true, or - // returns false if |in| is too large. + // TryAppend appends the vector by a copy of `in` and returns true, or + // returns false if `in` is too large. [[nodiscard]] bool TryAppend(Span in) { if (in.size() > capacity() - size()) { return false; 
@@ -627,7 +627,7 @@ class InplaceVector { return true; } - // TryPushBack appends |val| to the vector and returns a pointer to the + // TryPushBack appends `val` to the vector and returns a pointer to the // newly-inserted value, or nullptr if the vector is at capacity. [[nodiscard]] T *TryPushBack(T val) { if (size() >= capacity()) { @@ -639,7 +639,7 @@ class InplaceVector { return ret; } - // The following methods behave like their |Try*| counterparts, but abort the + // The following methods behave like their `Try*` counterparts, but abort the // program on failure. void Resize(size_t size) { BSSL_CHECK(TryResize(size)); } void ResizeForOverwrite(size_t size) { @@ -653,7 +653,7 @@ class InplaceVector { return *ret; } - // EraseIf removes all elements that satisfy the predicate |pred|. + // EraseIf removes all elements that satisfy the predicate `pred`. template void EraseIf(Pred pred) { auto it = std::remove_if(begin(), end(), pred); diff --git a/third_party/boringssl/src/crypto/obj/obj.cc b/third_party/boringssl/src/crypto/obj/obj.cc index a6e6e5a8..98b4745c 100644 --- a/third_party/boringssl/src/crypto/obj/obj.cc +++ b/third_party/boringssl/src/crypto/obj/obj.cc @@ -29,7 +29,7 @@ #include "../internal.h" #include "../lhash/internal.h" -// obj_data.h must be included after the definition of |ASN1_OBJECT|. +// obj_data.h must be included after the definition of `ASN1_OBJECT`. #include "obj_dat.h" @@ -42,7 +42,7 @@ DEFINE_LHASH_OF(ASN1_OBJECT) BSSL_NAMESPACE_END static StaticMutex global_added_lock; -// These globals are protected by |global_added_lock|. +// These globals are protected by `global_added_lock`. static LHASH_OF(ASN1_OBJECT) *global_added_by_data = nullptr; static LHASH_OF(ASN1_OBJECT) *global_added_by_nid = nullptr; static LHASH_OF(ASN1_OBJECT) *global_added_by_short_name = nullptr; 
@@ -57,63 +57,48 @@ static int obj_next_nid() { } ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *o) { - ASN1_OBJECT *r; - unsigned char *data = nullptr; - char *sn = nullptr, *ln = nullptr; - if (o == nullptr) { return nullptr; } if (!(o->flags & ASN1_OBJECT_FLAG_DYNAMIC)) { // TODO(fork): this is a little dangerous. - return (ASN1_OBJECT *)o; + return const_cast(o); } - r = ASN1_OBJECT_new(); + UniquePtr r(ASN1_OBJECT_new()); if (r == nullptr) { OPENSSL_PUT_ERROR(OBJ, ERR_R_ASN1_LIB); return nullptr; } - r->ln = r->sn = nullptr; - // once data is attached to an object, it remains const + // All fields of the object will be allocated. + r->flags = o->flags | ASN1_OBJECT_FLAG_DYNAMIC | + ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA; + r->data = reinterpret_cast(OPENSSL_memdup(o->data, o->length)); if (o->length != 0 && r->data == nullptr) { - goto err; + return nullptr; } r->length = o->length; r->nid = o->nid; if (o->ln != nullptr) { - ln = OPENSSL_strdup(o->ln); - if (ln == nullptr) { - goto err; + r->ln = OPENSSL_strdup(o->ln); + if (r->ln == nullptr) { + return nullptr; } } if (o->sn != nullptr) { - sn = OPENSSL_strdup(o->sn); - if (sn == nullptr) { - goto err; + r->sn = OPENSSL_strdup(o->sn); + if (r->sn == nullptr) { + return nullptr; } } - r->sn = sn; - r->ln = ln; - - r->flags = - o->flags | (ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | - ASN1_OBJECT_FLAG_DYNAMIC_DATA); - return r; - -err: - OPENSSL_free(ln); - OPENSSL_free(sn); - OPENSSL_free(data); - OPENSSL_free(r); - return nullptr; + return r.release(); } int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { 
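Review bot: In `OBJ_dup`, every early `return nullptr` after the flags assignment now runs the `UniquePtr` deleter on a partially filled object whose `flags` already carry `ASN1_OBJECT_FLAG_DYNAMIC_STRINGS` and `ASN1_OBJECT_FLAG_DYNAMIC_DATA`, while the explicit `r->ln = r->sn = nullptr;` was removed. That is safe only if `ASN1_OBJECT_new()` returns `sn`, `ln` and `data` as null, which this hunk does not show; if it does not, the failure path would free uninitialised pointers. I would state the dependency next to the flags assignment, e.g. `// Relies on ASN1_OBJECT_new() returning sn, ln and data as nullptr; the deleter frees all three on any early return.` The non-dynamic branch still returns the caller's own object with const removed (the existing TODO), so a one-line function comment saying the result may alias `o` would help callers reason about ownership.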
@@ -142,14 +127,14 @@ size_t OBJ_length(const ASN1_OBJECT *obj) { } static const ASN1_OBJECT *get_builtin_object(int nid) { - // |NID_undef| is stored separately, so all the indices are off by one. The + // `NID_undef` is stored separately, so all the indices are off by one. The // caller of this function must have a valid built-in, non-undef NID. BSSL_CHECK(nid > 0 && nid < NUM_NID); return &kObjects[nid - 1]; } -// obj_cmp is called to search the kNIDsInOIDOrder array. The |key| argument is -// an |ASN1_OBJECT|* that we're looking for and |element| is a pointer to an +// obj_cmp is called to search the kNIDsInOIDOrder array. The `key` argument is +// an `ASN1_OBJECT`* that we're looking for and `element` is a pointer to an // unsigned int in the array. static int obj_cmp(const void *key, const void *element) { uint16_t nid = *((const uint16_t *)element); @@ -200,7 +185,7 @@ int OBJ_cbs2nid(const CBS *cbs) { } // short_name_cmp is called to search the kNIDsInShortNameOrder array. The -// |key| argument is name that we're looking for and |element| is a pointer to +// `key` argument is name that we're looking for and `element` is a pointer to // an unsigned int in the array. static int short_name_cmp(const void *key, const void *element) { const char *name = (const char *)key; @@ -234,7 +219,7 @@ int OBJ_sn2nid(const char *short_name) { } // long_name_cmp is called to search the kNIDsInLongNameOrder array. The -// |key| argument is name that we're looking for and |element| is a pointer to +// `key` argument is name that we're looking for and `element` is a pointer to // an unsigned int in the array. static int long_name_cmp(const void *key, const void *element) { const char *name = (const char *)key; 
@@ -450,7 +435,7 @@ static int cmp_long_name(const ASN1_OBJECT *a, const ASN1_OBJECT *b) { return strcmp(a->ln, b->ln); } -// obj_add_object inserts |obj| into the various global hashes for run-time +// obj_add_object inserts `obj` into the various global hashes for run-time // added objects. It returns one on success or zero otherwise. static int obj_add_object(ASN1_OBJECT *obj) { obj->flags &= ~(ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | @@ -479,10 +464,10 @@ static int obj_add_object(ASN1_OBJECT *obj) { return 0; } - // We don't pay attention to |old_object| (which contains any previous object + // We don't pay attention to `old_object` (which contains any previous object // that was evicted from the hashes) because we don't have a reference count // on ASN1_OBJECT values. Also, we should never have duplicates nids and so - // should always have objects in |global_added_by_nid|. + // should always have objects in `global_added_by_nid`. ASN1_OBJECT *old_object; int ok = lh_ASN1_OBJECT_insert(global_added_by_nid, &old_object, obj); if (obj->length != 0 && obj->data != nullptr) { diff --git a/third_party/boringssl/src/crypto/pem/internal.h b/third_party/boringssl/src/crypto/pem/internal.h index 656dffba..ac1c9381 100644 --- a/third_party/boringssl/src/crypto/pem/internal.h +++ b/third_party/boringssl/src/crypto/pem/internal.h 
@@ -23,21 +23,21 @@ BSSL_NAMESPACE_BEGIN -// PEM_get_EVP_CIPHER_INFO decodes |header| as a PEM header block and writes the -// specified cipher and IV to |cipher|. It returns one on success and zero on -// error. |header| must be a NUL-terminated string. If |header| does not +// PEM_get_EVP_CIPHER_INFO decodes `header` as a PEM header block and writes the +// specified cipher and IV to `cipher`. It returns one on success and zero on +// error. `header` must be a NUL-terminated string. If `header` does not // specify encryption, this function will return success and set -// |cipher->cipher| to NULL. +// `cipher->cipher` to NULL. int PEM_get_EVP_CIPHER_INFO(const char *header, EVP_CIPHER_INFO *cipher); -// PEM_do_header decrypts |*len| bytes from |data| in-place according to the -// information in |cipher|. On success, it returns one and sets |*len| to the -// length of the plaintext. Otherwise, it returns zero. If |cipher| specifies -// encryption, the key is derived from a password returned from |callback|. +// PEM_do_header decrypts `*len` bytes from `data` in-place according to the +// information in `cipher`. On success, it returns one and sets `*len` to the +// length of the plaintext. Otherwise, it returns zero. If `cipher` specifies +// encryption, the key is derived from a password returned from `callback`. int PEM_do_header(const EVP_CIPHER_INFO *cipher, uint8_t *data, size_t *len, pem_password_cb *callback, void *u); -// PEM_read_bio_inner differs from |PEM_read_bio| on the out pointer |len| +// PEM_read_bio_inner differs from `PEM_read_bio` on the out pointer `len` // so that it guarantee non-negativeness on this output and it takes in // owned types. int PEM_read_bio_inner(BIO *bp, bssl::UniquePtr *name, diff --git a/third_party/boringssl/src/crypto/pem/pem_info.cc b/third_party/boringssl/src/crypto/pem/pem_info.cc index a75e7e41..55d00401 100644 --- a/third_party/boringssl/src/crypto/pem/pem_info.cc +++ b/third_party/boringssl/src/crypto/pem/pem_info.cc 
@@ -175,7 +175,7 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, // not decrypt private keys. if (key_type != EVP_PKEY_NONE && strlen(header.get()) > 10) { if (data.size() > INT_MAX) { - // We need the data to fit in |info| which forces the size to + // We need the data to fit in `info` which forces the size to // fit in one int type. goto err; } @@ -196,7 +196,7 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, } size_t size; data.Release(reinterpret_cast(&info->enc_data), &size); - // Safety: we checked that |size| <= |INT_MAX|. + // Safety: we checked that `size` <= `INT_MAX`. info->enc_len = static_cast(size); } else if (parse_function != nullptr) { EVP_CIPHER_INFO cipher; diff --git a/third_party/boringssl/src/crypto/pem/pem_lib.cc b/third_party/boringssl/src/crypto/pem/pem_lib.cc index 3fb85159..7d34c700 100644 --- a/third_party/boringssl/src/crypto/pem/pem_lib.cc +++ b/third_party/boringssl/src/crypto/pem/pem_lib.cc @@ -45,7 +45,7 @@ using namespace bssl; static int load_iv(const char **fromp, unsigned char *to, size_t num); static int check_pem(const std::string_view nm, const std::string_view name); -// PEM_proc_type appends a Proc-Type header to |buf|, determined by |type|. +// PEM_proc_type appends a Proc-Type header to `buf`, determined by `type`. static void PEM_proc_type(char buf[PEM_BUFSIZE], int type) { const char *str; 
@@ -64,8 +64,8 @@ static void PEM_proc_type(char buf[PEM_BUFSIZE], int type) { OPENSSL_strlcat(buf, "\n", PEM_BUFSIZE); } -// PEM_dek_info appends a DEK-Info header to |buf|, with an algorithm of |type| -// and a single parameter, specified by hex-encoding |len| bytes from |str|. +// PEM_dek_info appends a DEK-Info header to `buf`, with an algorithm of `type` +// and a single parameter, specified by hex-encoding `len` bytes from `str`. static void PEM_dek_info(char buf[PEM_BUFSIZE], const char *type, size_t len, char *str) { static const unsigned char map[17] = "0123456789ABCDEF"; @@ -155,7 +155,7 @@ static int check_pem(const std::string_view nm, const std::string_view name) { } static const EVP_CIPHER *cipher_by_name(const std::string_view name) { - // This is similar to the (deprecated) function |EVP_get_cipherbyname|. Note + // This is similar to the (deprecated) function `EVP_get_cipherbyname`. Note // the PEM code assumes that ciphers have at least 8 bytes of IV, at most 20 // bytes of overhead and generally behave like CBC mode. if (name == SN_des_cbc) { @@ -207,9 +207,9 @@ int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, } // Release the buffer to the caller. - // Note that |PEM_do_header| may have reduced the length after decrypting + // Note that `PEM_do_header` may have reduced the length after decrypting // in-place. - // This will not overflow because |data.size()| was checked to fit in |long| + // This will not overflow because `data.size()` was checked to fit in `long` // above. data.Release(pdata, &unused); *plen = static_cast(ulen); @@ -360,7 +360,7 @@ int bssl::PEM_do_header(const EVP_CIPHER_INFO *cipher, unsigned char *data, return 0; } - // Safety: we have checked |*len| before narrowing so that |EVP_DecryptUpdate| + // Safety: we have checked `*len` before narrowing so that `EVP_DecryptUpdate` // can safely work with it. size_t out_len1 = 0; size_t out_len2 = 0; 
@@ -425,7 +425,7 @@ int bssl::PEM_get_EVP_CIPHER_INFO(const char *header, EVP_CIPHER_INFO *cipher) { return 0; } // The IV parameter must be at least 8 bytes long to be used as the salt in - // the KDF. (This should not happen given |cipher_by_name|.) + // the KDF. (This should not happen given `cipher_by_name`.) if (EVP_CIPHER_iv_length(cipher->cipher) < 8) { assert(0); OPENSSL_PUT_ERROR(PEM, PEM_R_UNSUPPORTED_ENCRYPTION); @@ -721,7 +721,7 @@ int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, *name = owned_name.release(); *header = owned_header.release(); owned_data.Release(data, &ulen); - // Safety: we checked that |ulen| <= |LONG_MAX|. + // Safety: we checked that `ulen` <= `LONG_MAX`. *len = static_cast(ulen); return 1; } diff --git a/third_party/boringssl/src/crypto/pkcs7/internal.h b/third_party/boringssl/src/crypto/pkcs7/internal.h index b85f2be7..a6ab04e7 100644 --- a/third_party/boringssl/src/crypto/pkcs7/internal.h +++ b/third_party/boringssl/src/crypto/pkcs7/internal.h 
@@ -21,16 +21,16 @@ BSSL_NAMESPACE_BEGIN // pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7 -// SignedData blob from |cbs| and sets |*out| to point to the rest of the -// input. If the input is in BER format, then |*der_bytes| will be set to a +// SignedData blob from `cbs` and sets `*out` to point to the rest of the +// input. If the input is in BER format, then `*der_bytes` will be set to a // pointer that needs to be freed by the caller once they have finished -// processing |*out| (which will be pointing into |*der_bytes|). +// processing `*out` (which will be pointing into `*der_bytes`). // -// It returns one on success or zero on error. On error, |*der_bytes| is +// It returns one on success or zero on error. On error, `*der_bytes` is // NULL. int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs); -// pkcs7_add_signed_data writes a PKCS#7, SignedData structure to |out|. While +// pkcs7_add_signed_data writes a PKCS#7, SignedData structure to `out`. While // doing so it makes callbacks to let the caller fill in parts of the structure. // All callbacks are ignored if NULL and return one on success or zero on error. // @@ -38,9 +38,9 @@ int pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs); // it is always 1. In CMS, it depends on the features used. // digest_algos_cb: may write AlgorithmIdentifiers into the given CBB, which // is a SET of digest algorithms. -// cert_crl_cb: may write the |certificates| or |crls| fields. +// cert_crl_cb: may write the `certificates` or `crls` fields. // (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1) -// signer_infos_cb: may write the contents of the |signerInfos| field. +// signer_infos_cb: may write the contents of the `signerInfos` field. // (See https://datatracker.ietf.org/doc/html/rfc2315#section-9.1) // // pkcs7_add_signed_data returns one on success or zero on error. 
@@ -51,9 +51,9 @@ int pkcs7_add_signed_data(CBB *out, uint64_t signed_data_version, void *arg); // pkcs7_add_external_signature writes a PKCS#7 or CMS SignedData structure to
-// |out|, containing an external (i.e. the contents are not included) signature,
-// using |sign_cert| and |key| to sign the contents of |data| with |md|. If
-// |use_key_id| is true (CMS-only), the SignerInfo specifies the signer with key
+// `out`, containing an external (i.e. the contents are not included) signature,
+// using `sign_cert` and `key` to sign the contents of `data` with `md`. If
+// `use_key_id` is true (CMS-only), the SignerInfo specifies the signer with key
 // identifier. Otherwise, it uses issuer and serial number (PKCS#7 or CMS v1). // The SignedData will have no embedded certificates and no attributes. //
diff --git a/third_party/boringssl/src/crypto/pkcs7/pkcs7.cc b/third_party/boringssl/src/crypto/pkcs7/pkcs7.cc
index 71e9ab84..6ae6a082 100644
--- a/third_party/boringssl/src/crypto/pkcs7/pkcs7.cc
+++ b/third_party/boringssl/src/crypto/pkcs7/pkcs7.cc
@@ -35,12 +35,12 @@ static const uint8_t kPKCS7SignedData[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02}; // pkcs7_parse_header reads the non-certificate/non-CRL prefix of a PKCS#7
-// SignedData blob from |cbs| and sets |*out| to point to the rest of the
-// input. If the input is in BER format, then |*der_bytes| will be set to a
+// SignedData blob from `cbs` and sets `*out` to point to the rest of the
+// input. If the input is in BER format, then `*der_bytes` will be set to a
 // pointer that needs to be freed by the caller once they have finished
-// processing |*out| (which will be pointing into |*der_bytes|).
+// processing `*out` (which will be pointing into `*der_bytes`).
 //
-// It returns one on success or zero on error. On error, |*der_bytes| is
+// It returns one on success or zero on error. On error, `*der_bytes` is
 // NULL. int bssl::pkcs7_parse_header(uint8_t **der_bytes, CBS *out, CBS *cbs) { CBS in, content_info, content_type, wrapped_signed_data, signed_data;
@@ -151,7 +151,7 @@ static int pkcs7_bundle_raw_certificates_cb(CBB *out, void *arg) { } }
- // |certificates| is a implicitly-tagged SET OF.
+ // `certificates` is a implicitly-tagged SET OF.
 return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out); }
diff --git a/third_party/boringssl/src/crypto/pkcs7/pkcs7_x509.cc b/third_party/boringssl/src/crypto/pkcs7/pkcs7_x509.cc
index 07975b2c..f639215a 100644
--- a/third_party/boringssl/src/crypto/pkcs7/pkcs7_x509.cc
+++ b/third_party/boringssl/src/crypto/pkcs7/pkcs7_x509.cc
@@ -199,7 +199,7 @@ static int pkcs7_bundle_certificates_cb(CBB *out, void *arg) { } }
- // |certificates| is a implicitly-tagged SET OF.
+ // `certificates` is a implicitly-tagged SET OF.
 return CBB_flush_asn1_set_of(&certificates) && CBB_flush(out); }
@@ -232,7 +232,7 @@ static int pkcs7_bundle_crls_cb(CBB *out, void *arg) { } }
- // |crl_data| is a implicitly-tagged SET OF.
+ // `crl_data` is a implicitly-tagged SET OF.
 return CBB_flush_asn1_set_of(&crl_data) && CBB_flush(out); }
@@ -403,7 +403,7 @@ static int write_signer_digest_algos(CBB *digest_algos_set, void *arg) { // write_signer_info writes the SignerInfo structure from // https://www.rfc-editor.org/rfc/rfc2315.html#section-9.2 and
-// https://www.rfc-editor.org/rfc/rfc5652.html#section-5.3 to |out|. It returns
+// https://www.rfc-editor.org/rfc/rfc5652.html#section-5.3 to `out`. It returns
 // one on success or zero on error. static int write_signer_info(CBB *out, void *arg) { auto *si_data = static_cast(arg);
diff --git a/third_party/boringssl/src/crypto/pkcs8/internal.h b/third_party/boringssl/src/crypto/pkcs8/internal.h
index 89cdf9cd..f45c6b93 100644
--- a/third_party/boringssl/src/crypto/pkcs8/internal.h
+++ b/third_party/boringssl/src/crypto/pkcs8/internal.h
@@ -28,9 +28,9 @@ struct pkcs8_priv_key_info_st { BSSL_NAMESPACE_BEGIN
-// pkcs8_pbe_decrypt decrypts |in| using the PBE scheme described by
-// |algorithm|, which should be a serialized AlgorithmIdentifier structure. On
-// success, it sets |*out| to a newly-allocated buffer containing the decrypted
+// pkcs8_pbe_decrypt decrypts `in` using the PBE scheme described by
+// `algorithm`, which should be a serialized AlgorithmIdentifier structure. On
+// success, it sets `*out` to a newly-allocated buffer containing the decrypted
 // result and returns one. Otherwise, it returns zero. int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm, const char *pass, size_t pass_len, const uint8_t *in,
@@ -41,17 +41,17 @@ int pkcs8_pbe_decrypt(uint8_t **out, size_t *out_len, CBS *algorithm, #define PKCS12_MAC_ID 3 // pkcs12_key_gen runs the PKCS#12 key derivation function as specified in
-// RFC 7292, appendix B. On success, it writes the resulting |out_len| bytes of
-// key material to |out| and returns one. Otherwise, it returns zero. |id|
-// should be one of the |PKCS12_*_ID| values.
+// RFC 7292, appendix B. On success, it writes the resulting `out_len` bytes of
+// key material to `out` and returns one. Otherwise, it returns zero. `id`
+// should be one of the `PKCS12_*_ID` values.
 int pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len, uint8_t id, uint32_t iterations, size_t out_len, uint8_t *out, const EVP_MD *md);
-// pkcs12_pbe_encrypt_init configures |ctx| for encrypting with a PBES1 scheme
+// pkcs12_pbe_encrypt_init configures `ctx` for encrypting with a PBES1 scheme
 // defined in PKCS#12, or a PBES2 scheme defined in PKCS#5. The algorithm is
-// determined as in |PKCS8_encrypt|. It writes the corresponding
-// AlgorithmIdentifier to |out|.
+// determined as in `PKCS8_encrypt`. It writes the corresponding
+// AlgorithmIdentifier to `out`.
 int pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg_nid, const EVP_CIPHER *alg_cipher, uint32_t iterations, const char *pass, size_t pass_len,
@@ -63,8 +63,8 @@ struct pbe_suite { uint8_t oid_len; const EVP_CIPHER *(*cipher_func)(); const EVP_MD *(*md_func)();
- // decrypt_init initialize |ctx| for decrypting. The password is specified by
- // |pass| and |pass_len|. |param| contains the serialized parameters field of
+ // decrypt_init initialize `ctx` for decrypting. The password is specified by
+ // `pass` and `pass_len`. `param` contains the serialized parameters field of
 // the AlgorithmIdentifier. // // It returns one on success and zero on error.
@@ -74,22 +74,22 @@ struct pbe_suite { #define PKCS5_SALT_LEN 16
-// pkcs5_pbe2_nid_to_cipher returns the |EVP_CIPHER| for |nid| if |nid| is
+// pkcs5_pbe2_nid_to_cipher returns the `EVP_CIPHER` for `nid` if `nid` is
 // supported with PKCS#5 PBES2, and nullptr otherwise. const EVP_CIPHER *pkcs5_pbe2_nid_to_cipher(int nid); int PKCS5_pbe2_decrypt_init(const struct pbe_suite *suite, EVP_CIPHER_CTX *ctx, const char *pass, size_t pass_len, CBS *param);
-// PKCS5_pbe2_encrypt_init configures |ctx| for encrypting with PKCS #5 PBES2,
+// PKCS5_pbe2_encrypt_init configures `ctx` for encrypting with PKCS #5 PBES2,
 // as defined in RFC 2998, with the specified parameters. It writes the
-// corresponding AlgorithmIdentifier to |out|.
+// corresponding AlgorithmIdentifier to `out`.
 int PKCS5_pbe2_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len);
-// pkcs12_iterations_acceptable returns one if |iterations| is a reasonable
+// pkcs12_iterations_acceptable returns one if `iterations` is a reasonable
 // number of PBKDF2 iterations and zero otherwise. int pkcs12_iterations_acceptable(uint64_t iterations);
diff --git a/third_party/boringssl/src/crypto/pkcs8/pkcs8.cc b/third_party/boringssl/src/crypto/pkcs8/pkcs8.cc
index e7f388aa..2bc9d603 100644
--- a/third_party/boringssl/src/crypto/pkcs8/pkcs8.cc
+++ b/third_party/boringssl/src/crypto/pkcs8/pkcs8.cc
@@ -78,14 +78,14 @@ int bssl::pkcs12_key_gen(const char *pass, size_t pass_len, const uint8_t *salt, size_t pass_raw_len = 0, I_len = 0; {
- // If |pass| is NULL, we use the empty string rather than {0, 0} as the raw
+ // If `pass` is NULL, we use the empty string rather than {0, 0} as the raw
 // password. if (pass != nullptr && !pkcs12_encode_password(pass, pass_len, &pass_raw, &pass_raw_len)) { goto err; }
- // In the spec, |block_size| is called "v", but measured in bits.
+ // In the spec, `block_size` is called "v", but measured in bits.
 size_t block_size = EVP_MD_block_size(md); // 1. Construct a string, D (the "diversifier"), by concatenating v/8 copies
@@ -275,7 +275,7 @@ static const struct bssl::pbe_suite kBuiltinPBE[] = { static const struct bssl::pbe_suite *get_pkcs12_pbe_suite(int pbe_nid) { for (const auto &pbe : kBuiltinPBE) { if (pbe.pbe_nid == pbe_nid &&
- // If |cipher_func| or |md_func| are missing, this is a PBES2 scheme.
+ // If `cipher_func` or `md_func` are missing, this is a PBES2 scheme.
 pbe.cipher_func != nullptr && pbe.md_func != nullptr) { return &pbe; }
@@ -289,8 +289,8 @@ int bssl::pkcs12_pbe_encrypt_init(CBB *out, EVP_CIPHER_CTX *ctx, int alg_nid, uint32_t iterations, const char *pass, size_t pass_len, const uint8_t *salt, size_t salt_len) {
- // TODO(davidben): OpenSSL has since extended |pbe_nid| to control either
- // the PBES1 scheme or the PBES2 PRF. E.g. passing |NID_hmacWithSHA256| will
+ // TODO(davidben): OpenSSL has since extended `pbe_nid` to control either
+ // the PBES1 scheme or the PBES2 PRF. E.g. passing `NID_hmacWithSHA256` will
 // select PBES2 with HMAC-SHA256 as the PRF. Implement this if anything uses // it. See 5693a30813a031d3921a016a870420e7eb93ec90 in OpenSSL. if (alg_nid == -1) {
diff --git a/third_party/boringssl/src/crypto/pkcs8/pkcs8_x509.cc b/third_party/boringssl/src/crypto/pkcs8/pkcs8_x509.cc
index 3f18013d..a8625a59 100644
--- a/third_party/boringssl/src/crypto/pkcs8/pkcs8_x509.cc
+++ b/third_party/boringssl/src/crypto/pkcs8/pkcs8_x509.cc
@@ -210,7 +210,7 @@ static int PKCS12_handle_sequence( CBS in; int ret = 0;
- // Although a BER->DER conversion is done at the beginning of |PKCS12_parse|,
+ // Although a BER->DER conversion is done at the beginning of `PKCS12_parse`,
 // the ASN.1 data gets wrapped in OCTETSTRINGs and/or encrypted and the // conversion cannot see through those wrappings. So each time we step // through one we need to convert to DER again.
@@ -269,7 +269,7 @@ static const uint8_t kX509Certificate[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x16, 0x01}; // parse_bag_attributes parses the bagAttributes field of a SafeBag structure.
-// It sets |*out_friendly_name| to a newly-allocated copy of the friendly name,
+// It sets `*out_friendly_name` to a newly-allocated copy of the friendly name,
 // encoded as a UTF-8 string, or NULL if there is none. It returns one on // success and zero on error. static int parse_bag_attributes(CBS *attrs, uint8_t **out_friendly_name,
@@ -853,7 +853,7 @@ int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey, } // OpenSSL selects the last certificate which matches the private key as
- // |out_cert|.
+ // `out_cert`.
 *out_cert = nullptr; size_t num_certs = sk_X509_num(ca_certs); if (*out_pkey != nullptr && num_certs > 0) {
@@ -1011,9 +1011,9 @@ static int add_cert_safe_contents(CBB *cbb, X509 *cert, return CBB_flush(cbb); }
-// add_encrypted_data encrypts |in| with |pbe_nid| and |pbe_cipher|, writing the
-// result to |out|. It returns one on success and zero on error. |pbe_nid| and
-// |pbe_cipher| are interpreted as in |PKCS8_encrypt|.
+// add_encrypted_data encrypts `in` with `pbe_nid` and `pbe_cipher`, writing the
+// result to `out`. It returns one on success and zero on error. `pbe_nid` and
+// `pbe_cipher` are interpreted as in `PKCS8_encrypt`.
 static int add_encrypted_data(CBB *out, int pbe_nid, const EVP_CIPHER *pbe_cipher, const char *password, size_t password_len,
@@ -1129,7 +1129,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, // key-specific encryption container, PKCS8ShroudedKeyBag, which is used // instead.
- // Note that |password| may be NULL to specify no password, rather than the
+ // Note that `password` may be NULL to specify no password, rather than the
 // empty string. They are encoded differently in PKCS#12. (One is the empty // byte array and the other is NUL-terminated UCS-2.) size_t password_len = password != nullptr ? strlen(password) : 0;
@@ -1160,7 +1160,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) || !CBB_add_asn1(&auth_safe_wrapper, &auth_safe_data, CBS_ASN1_OCTETSTRING) ||
- // See https://tools.ietf.org/html/rfc7292#section-4.1. |auth_safe|'s
+ // See https://tools.ietf.org/html/rfc7292#section-4.1. `auth_safe`'s
 // contains a SEQUENCE of ContentInfos. !CBB_add_asn1(&auth_safe_data, &content_infos, CBS_ASN1_SEQUENCE)) { goto err;
@@ -1267,7 +1267,7 @@ PKCS12 *PKCS12_create(const char *password, const char *name, { // Compute the MAC. Match OpenSSL in using SHA-1 as the hash function. The
- // MAC covers |auth_safe_data|.
+ // MAC covers `auth_safe_data`.
 const EVP_MD *mac_md = EVP_sha1(); uint8_t mac_salt[PKCS5_SALT_LEN]; uint8_t mac[EVP_MAX_MD_SIZE];
diff --git a/third_party/boringssl/src/crypto/poly1305/poly1305.cc b/third_party/boringssl/src/crypto/poly1305/poly1305.cc
index 2d71558f..05bfff8c 100644
--- a/third_party/boringssl/src/crypto/poly1305/poly1305.cc
+++ b/third_party/boringssl/src/crypto/poly1305/poly1305.cc
@@ -48,8 +48,8 @@ static struct poly1305_state_st *poly1305_aligned_state(poly1305_state *state) { return reinterpret_cast(align_pointer(state, 64)); }
-// poly1305_blocks updates |state| given some amount of input data. This
-// function may only be called with a |len| that is not a multiple of 16 at the
+// poly1305_blocks updates `state` given some amount of input data. This
+// function may only be called with a `len` that is not a multiple of 16 at the
 // end of the data. Otherwise the input must be buffered into 16 byte blocks. static void poly1305_update(struct poly1305_state_st *state, const uint8_t *in, size_t len) {
diff --git a/third_party/boringssl/src/crypto/pool/internal.h b/third_party/boringssl/src/crypto/pool/internal.h
index 6f8165ff..49d9b8fe 100644
--- a/third_party/boringssl/src/crypto/pool/internal.h
+++ b/third_party/boringssl/src/crypto/pool/internal.h
@@ -73,11 +73,11 @@ class CryptoBufferPool : public crypto_buffer_pool_st, public: CryptoBufferPool();
- // Hash returns the hash of |data|.
+ // Hash returns the hash of `data`.
 uint32_t Hash(Span data) const;
- // FindBufferLocked looks for a buffer with hash |hash| and contents |data|.
- // It returns it if found and nullptr otherwise. |handle_->lock_| must be
+ // FindBufferLocked looks for a buffer with hash `hash` and contents `data`.
+ // It returns it if found and nullptr otherwise. `handle_->lock_` must be
 // locked for reading or writing before calling this. CryptoBuffer *FindBufferLocked(uint32_t hash, Span data);
diff --git a/third_party/boringssl/src/crypto/pool/pool.cc b/third_party/boringssl/src/crypto/pool/pool.cc
index c9f7bc80..8b1f5bc5 100644
--- a/third_party/boringssl/src/crypto/pool/pool.cc
+++ b/third_party/boringssl/src/crypto/pool/pool.cc
@@ -31,12 +31,12 @@ using namespace bssl; static uint32_t CRYPTO_BUFFER_hash(const CryptoBuffer *buf) { // This function must be called while there is a read or write lock on the
- // pool, so it is safe to read |pool_|.
+ // pool, so it is safe to read `pool_`.
 return buf->pool_handle_->pool_->Hash(buf->span()); } static int CRYPTO_BUFFER_cmp(const CryptoBuffer *a, const CryptoBuffer *b) {
- // Only |CRYPTO_BUFFER|s from the same pool have compatible hashes.
+ // Only `CRYPTO_BUFFER`s from the same pool have compatible hashes.
 assert(a->pool_handle_ != nullptr); assert(a->pool_handle_ == b->pool_handle_); return a->span() == b->span() ? 0 : 1;
@@ -96,11 +96,11 @@ int CRYPTO_BUFFER_POOL_up_ref(CRYPTO_BUFFER_POOL *pool) { } void CryptoBuffer::UpRefInternal() const {
- // This is safe in the case that |buf->pool| is NULL because it's just
+ // This is safe in the case that `buf->pool` is NULL because it's just
 // standard reference counting in that case. //
- // This is also safe if |buf->pool| is non-NULL because, if it were racing
- // with |CRYPTO_BUFFER_free| then the two callers must have independent
+ // This is also safe if `buf->pool` is non-NULL because, if it were racing
+ // with `CRYPTO_BUFFER_free` then the two callers must have independent
 // references already and so the reference count will never hit zero. CRYPTO_refcount_inc(&references_); }
@@ -123,9 +123,9 @@ void CryptoBuffer::DecRefInternal() { // we can free this buffer. It is possible the pool was already destroyed, // but it cannot be destroyed concurrently. //
- // Note it is possible |buf| is no longer in the pool, if it was replaced by
+ // Note it is possible `buf` is no longer in the pool, if it was replaced by
 // a static version. If that static version was since removed, it is even
- // possible for |found| to be NULL.
+ // possible for `found` to be NULL.
 if (CryptoBufferPool *pool = pool_handle_->pool_; pool != nullptr) { CryptoBuffer *found = lh_CryptoBuffer_retrieve(pool->bufs_, this); if (found == this) {
@@ -180,7 +180,7 @@ static UniquePtr crypto_buffer_new_with_pool( MutexReadLock lock(&pool->handle_->lock_); CryptoBuffer *duplicate = pool->FindBufferLocked(hash, data); if (data_is_static && duplicate != nullptr && !duplicate->data_is_static_) {
- // If the new |CRYPTO_BUFFER| would have static data, but the duplicate
+ // If the new `CRYPTO_BUFFER` would have static data, but the duplicate
 // does not, we replace the old one with the new static version. duplicate = nullptr; }
@@ -197,7 +197,7 @@ static UniquePtr crypto_buffer_new_with_pool( MutexWriteLock lock(&pool->handle_->lock_); CryptoBuffer *duplicate = pool->FindBufferLocked(hash, data); if (data_is_static && duplicate != nullptr && !duplicate->data_is_static_) {
- // If the new |CRYPTO_BUFFER| would have static data, but the duplicate does
+ // If the new `CRYPTO_BUFFER` would have static data, but the duplicate does
 // not, we replace the old one with the new static version. duplicate = nullptr; }
@@ -205,8 +205,8 @@ static UniquePtr crypto_buffer_new_with_pool( return UpRef(duplicate); }
- // Insert |buf| into the pool. Note |old| may be non-NULL if a match was found
- // but ignored. |pool->bufs_| does not increment refcounts, so there is no
+ // Insert `buf` into the pool. Note `old` may be non-NULL if a match was found
+ // but ignored. `pool->bufs_` does not increment refcounts, so there is no
 // need to clean up after the replacement. buf->pool_handle_ = UpRef(pool->handle_); CryptoBuffer *old = nullptr;
diff --git a/third_party/boringssl/src/crypto/rand/deterministic.cc b/third_party/boringssl/src/crypto/rand/deterministic.cc
index d2fcceee..187e2c13 100644
--- a/third_party/boringssl/src/crypto/rand/deterministic.cc
+++ b/third_party/boringssl/src/crypto/rand/deterministic.cc
@@ -28,7 +28,7 @@ using namespace bssl;
-// g_num_calls is the number of calls to |CRYPTO_sysrand| that have occurred.
+// g_num_calls is the number of calls to `CRYPTO_sysrand` that have occurred.
 // // This is intentionally not thread-safe. If the fuzzer mode is ever used in a // multi-threaded program, replace this with a thread-local. (A mutex would not
diff --git a/third_party/boringssl/src/crypto/rand/fork_detect.cc b/third_party/boringssl/src/crypto/rand/fork_detect.cc
index ecee4361..4216887f 100644
--- a/third_party/boringssl/src/crypto/rand/fork_detect.cc
+++ b/third_party/boringssl/src/crypto/rand/fork_detect.cc
@@ -60,10 +60,10 @@ static bool wipeonfork(void *addr, size_t page_size) { #if defined(OPENSSL_LINUX) // Linux flavor, >=4.14. // Some versions of qemu (up to at least 5.0.0-rc4, see linux-user/syscall.c)
- // ignore |madvise| calls and just return zero (i.e. success). But we need to
+ // ignore `madvise` calls and just return zero (i.e. success). But we need to
 // know whether MADV_WIPEONFORK actually took effect. Therefore try an invalid
- // call to check that the implementation of |madvise| is actually rejecting
- // unknown |advice| values.
+ // call to check that the implementation of `madvise` is actually rejecting
+ // unknown `advice` values.
 return madvise(addr, page_size, -1) != 0 && madvise(addr, page_size, MADV_WIPEONFORK) == 0; #elif defined(MAP_INHERIT_ZERO)
@@ -113,7 +113,7 @@ uint64_t bssl::CRYPTO_get_fork_generation() { // In a single-threaded process, there are obviously no races because there's // only a single mutator in the address space. //
- // In a multi-threaded environment, |CRYPTO_once| ensures that the flag byte
+ // In a multi-threaded environment, `CRYPTO_once` ensures that the flag byte
 // is initialised atomically, even if multiple threads enter this function // concurrently. //
@@ -123,8 +123,8 @@ uint64_t bssl::CRYPTO_get_fork_generation() { Atomic *const flag_ptr = g_fork_detect_addr; if (flag_ptr == nullptr) {
- // Our kernel is too old to support |MADV_WIPEONFORK| or
- // |g_force_madv_wipeonfork| is set.
+ // Our kernel is too old to support `MADV_WIPEONFORK` or
+ // `g_force_madv_wipeonfork` is set.
 if (g_force_madv_wipeonfork && g_force_madv_wipeonfork_enabled) { // A constant generation number to simulate support, even if the kernel // doesn't support it.
@@ -143,7 +143,7 @@ uint64_t bssl::CRYPTO_get_fork_generation() { // avoids cacheline contention in the PRNG. uint64_t *const generation_ptr = &g_fork_generation; if (flag_ptr->load() != 0) {
- // If we observe a non-zero flag, it is safe to read |generation_ptr|
+ // If we observe a non-zero flag, it is safe to read `generation_ptr`
 // without a lock. The flag and generation number are fixed for this copy of // the address space. return *generation_ptr;
@@ -162,8 +162,8 @@ uint64_t bssl::CRYPTO_get_fork_generation() { current_generation = 1; }
- // We must update |generation_ptr| before |flag_ptr|. Other threads may
- // observe |flag_ptr| without taking a lock.
+ // We must update `generation_ptr` before `flag_ptr`. Other threads may
+ // observe `flag_ptr` without taking a lock.
 *generation_ptr = current_generation; flag_ptr->store(1); }
diff --git a/third_party/boringssl/src/crypto/rand/getentropy.cc b/third_party/boringssl/src/crypto/rand/getentropy.cc
index 7e85d8ab..c39296b1 100644
--- a/third_party/boringssl/src/crypto/rand/getentropy.cc
+++ b/third_party/boringssl/src/crypto/rand/getentropy.cc
@@ -35,10 +35,10 @@ using namespace bssl; void bssl::CRYPTO_init_sysrand() {}
-// CRYPTO_sysrand puts |requested| random bytes into |out|.
+// CRYPTO_sysrand puts `requested` random bytes into `out`.
 void bssl::CRYPTO_sysrand(uint8_t *out, size_t requested) { while (requested > 0) {
- // |getentropy| can only request 256 bytes at a time.
+ // `getentropy` can only request 256 bytes at a time.
 size_t todo = requested <= 256 ? requested : 256; if (getentropy(out, todo) != 0) { perror("getentropy() failed");
diff --git a/third_party/boringssl/src/crypto/rand/passive.cc b/third_party/boringssl/src/crypto/rand/passive.cc
deleted file mode 100644
index a791ec0c..00000000
--- a/third_party/boringssl/src/crypto/rand/passive.cc
+++ /dev/null
@@ -1,180 +0,0 @@ -// Copyright 2020 The BoringSSL Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// https://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -#include - -#include "../bcm_support.h" -#include "../fipsmodule/bcm_interface.h" -#include "../internal.h" - -#if defined(BORINGSSL_FIPS) - -#include - -using namespace bssl; - -// passive_get_seed_entropy writes |out_entropy_len| bytes of entropy, suitable -// for seeding a DRBG, to |out_entropy|. It sets |*out_used_cpu| to one if the -// entropy came directly from the CPU and zero if it came from the OS. It -// actively obtains entropy from the CPU/OS -static void passive_get_seed_entropy(uint8_t *out_entropy, - size_t out_entropy_len, - int *out_want_additional_input) { - *out_want_additional_input = 0; - if (bcm_success(BCM_rand_bytes_hwrng(out_entropy, out_entropy_len))) { - *out_want_additional_input = 1; - } else { - CRYPTO_sysrand(out_entropy, out_entropy_len); - } -} - -#define ENTROPY_READ_LEN \ - (/* last_block size */ 16 + CTR_DRBG_SEED_LEN * BORINGSSL_FIPS_OVERREAD) - -#if defined(OPENSSL_ANDROID) - -#include -#include -#include -#include -#include - -// socket_history_t enumerates whether the entropy daemon should be contacted -// for a given entropy request. Values other than socket_not_yet_attempted are -// sticky so if the first attempt to read from the daemon fails it's assumed -// that the daemon is not present and no more attempts will be made. If the -// first attempt is successful then attempts will be made forever more. 
-enum class socket_history_t { - // initial value, no connections to the entropy daemon have been made yet. - socket_not_yet_attempted = 0, - // reading from the entropy daemon was successful - socket_success, - // reading from the entropy daemon failed. - socket_failed, -}; - -static std::atomic g_socket_history{ - socket_history_t::socket_not_yet_attempted}; - -// DAEMON_RESPONSE_LEN is the number of bytes that the entropy daemon replies -// with. -#define DAEMON_RESPONSE_LEN 496 - -static_assert(ENTROPY_READ_LEN == DAEMON_RESPONSE_LEN, - "entropy daemon response length mismatch"); - -static int get_seed_from_daemon(uint8_t *out_entropy, size_t out_entropy_len) { - // |RAND_need_entropy| should never call this function for more than - // |DAEMON_RESPONSE_LEN| bytes. - if (out_entropy_len > DAEMON_RESPONSE_LEN) { - abort(); - } - - const socket_history_t socket_history = - g_socket_history.load(std::memory_order_acquire); - if (socket_history == socket_history_t::socket_failed) { - return 0; - } - - int ret = 0; - static const char kSocketPath[] = "/dev/socket/prng_seeder"; - struct sockaddr_un sun; - uint8_t buffer[DAEMON_RESPONSE_LEN]; - size_t done = 0; - const int sock = socket(AF_UNIX, SOCK_STREAM, 0); - if (sock < 0) { - goto out; - } - - memset(&sun, 0, sizeof(sun)); - sun.sun_family = AF_UNIX; - static_assert(sizeof(kSocketPath) <= UNIX_PATH_MAX, "kSocketPath too long"); - OPENSSL_memcpy(sun.sun_path, kSocketPath, sizeof(kSocketPath)); - - if (connect(sock, (struct sockaddr *)&sun, sizeof(sun))) { - goto out; - } - - while (done < sizeof(buffer)) { - ssize_t n; - do { - n = read(sock, buffer + done, sizeof(buffer) - done); - } while (n == -1 && errno == EINTR); - - if (n < 1) { - goto out; - } - done += n; - } - - if (done != DAEMON_RESPONSE_LEN) { - // The daemon should always write |DAEMON_RESPONSE_LEN| bytes on every - // connection. 
- goto out; - } - - assert(out_entropy_len <= DAEMON_RESPONSE_LEN); - OPENSSL_memcpy(out_entropy, buffer, out_entropy_len); - ret = 1; - -out: - if (socket_history == socket_history_t::socket_not_yet_attempted) { - socket_history_t expected = socket_history_t::socket_not_yet_attempted; - // If another thread has already updated |g_socket_history| then we defer - // to their value. - g_socket_history.compare_exchange_strong( - expected, - (ret == 0) ? socket_history_t::socket_failed - : socket_history_t::socket_success, - std::memory_order_release, std::memory_order_relaxed); - } - - close(sock); - return ret; -} - -#else - -static int get_seed_from_daemon(uint8_t *out_entropy, size_t out_entropy_len) { - return 0; -} - -#endif // OPENSSL_ANDROID - -// RAND_need_entropy is called by the FIPS module when it has blocked because of -// a lack of entropy. This signal is used as an indication to feed it more. -void bssl::RAND_need_entropy(size_t bytes_needed) { - uint8_t buf[ENTROPY_READ_LEN]; - size_t todo = sizeof(buf); - if (todo > bytes_needed) { - todo = bytes_needed; - } - - int want_additional_input; - if (get_seed_from_daemon(buf, todo)) { - want_additional_input = 1; - } else { - passive_get_seed_entropy(buf, todo, &want_additional_input); - } - - if (boringssl_fips_break_test("CRNG")) { - // This breaks the "continuous random number generator test" defined in FIPS - // 140-2, section 4.9.2, and implemented in |rand_get_seed|. - OPENSSL_memset(buf, 0, todo); - } - - BCM_rand_load_entropy(buf, todo, want_additional_input); -} - -#endif // FIPS diff --git a/third_party/boringssl/src/crypto/rand/rand.cc b/third_party/boringssl/src/crypto/rand/rand.cc index 2aa30270..ea304bd2 100644 --- a/third_party/boringssl/src/crypto/rand/rand.cc +++ b/third_party/boringssl/src/crypto/rand/rand.cc 
@@ -30,7 +30,7 @@ int RAND_bytes(uint8_t *buf, size_t len) { int RAND_pseudo_bytes(uint8_t *buf, size_t len) { return RAND_bytes(buf, len); } void RAND_seed(const void *buf, int num) {
- // OpenSSH calls |RAND_seed| before jailing on the assumption that any needed
+ // OpenSSH calls `RAND_seed` before jailing on the assumption that any needed
 // file descriptors etc will be opened. uint8_t unused; RAND_bytes(&unused, sizeof(unused));
diff --git a/third_party/boringssl/src/crypto/rand/urandom.cc b/third_party/boringssl/src/crypto/rand/urandom.cc
index d06ade71..b5aabde1 100644
--- a/third_party/boringssl/src/crypto/rand/urandom.cc
+++ b/third_party/boringssl/src/crypto/rand/urandom.cc
@@ -49,7 +49,7 @@ static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) { #if defined(OPENSSL_MSAN) if (ret > 0) {
- // MSAN doesn't recognise |syscall| and thus doesn't notice that we have
+ // MSAN doesn't recognise `syscall` and thus doesn't notice that we have
 // initialised the output buffer. __msan_unpoison(buf, ret); }
@@ -58,17 +58,17 @@ static ssize_t boringssl_getrandom(void *buf, size_t buf_len, unsigned flags) { return ret; }
-// kHaveGetrandom in |urandom_fd| signals that |getrandom| or |getentropy| is
+// kHaveGetrandom in `urandom_fd` signals that `getrandom` or `getentropy` is
 // available and should be used instead. static const int kHaveGetrandom = -3;
-// urandom_fd is a file descriptor to /dev/urandom. It's protected by |once|.
+// urandom_fd is a file descriptor to /dev/urandom. It's protected by `once`.
 static int urandom_fd; static CRYPTO_once_t rand_once = CRYPTO_ONCE_INIT; // init_once initializes the state of this module to values previously
-// requested. This is the only function that modifies |urandom_fd|, which may be
+// requested. This is the only function that modifies `urandom_fd`, which may be
 // read safely after calling the once. static void init_once() { int have_getrandom;
@@ -115,7 +115,7 @@ static void init_once() { void bssl::CRYPTO_init_sysrand() { CRYPTO_once(&rand_once, init_once); }
-// CRYPTO_sysrand writes |len| bytes of entropy into |out|.
+// CRYPTO_sysrand writes `len` bytes of entropy into `out`.
 void bssl::CRYPTO_sysrand(uint8_t *out, size_t len) { if (len == 0) { return;
@@ -123,7 +123,7 @@ void bssl::CRYPTO_sysrand(uint8_t *out, size_t len) { CRYPTO_init_sysrand();
- // Clear |errno| so it has defined value if |read| or |getrandom|
+ // Clear `errno` so it has defined value if `read` or `getrandom`
 // "successfully" returns zero. errno = 0; while (len > 0) {
diff --git a/third_party/boringssl/src/crypto/rsa/internal.h b/third_party/boringssl/src/crypto/rsa/internal.h
index fa56db7b..ce057a70 100644
--- a/third_party/boringssl/src/crypto/rsa/internal.h
+++ b/third_party/boringssl/src/crypto/rsa/internal.h
@@ -28,21 +28,21 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(uint8_t *out, size_t *out_len, size_t param_len, const EVP_MD *md, const EVP_MD *mgf1md);
-// rsa_pss_params_get_md returns the hash function used with |params|. This also
+// rsa_pss_params_get_md returns the hash function used with `params`. This also
 // specifies the MGF-1 hash and the salt length because we do not support other // configurations. const EVP_MD *rsa_pss_params_get_md(rsa_pss_params_t params);
-// rsa_marshal_pss_params marshals |params| as a DER-encoded RSASSA-PSS-params
-// (RFC 4055). It returns one on success and zero on error. If |params| is
-// |rsa_pss_params_none|, this function gives an error.
+// rsa_marshal_pss_params marshals `params` as a DER-encoded RSASSA-PSS-params
+// (RFC 4055). It returns one on success and zero on error. If `params` is
+// `rsa_pss_params_none`, this function gives an error.
 int rsa_marshal_pss_params(CBB *cbb, rsa_pss_params_t params); // rsa_marshal_pss_params decodes a DER-encoded RSASSA-PSS-params // (RFC 4055). It returns one on success and zero on error. On success, it sets
-// |*out| to the result. If |allow_explicit_trailer| is non-zero, an explicit
+// `*out` to the result. If `allow_explicit_trailer` is non-zero, an explicit
 // encoding of the trailerField is allowed, although it is not valid DER. This
-// function never outputs |rsa_pss_params_none|.
+// function never outputs `rsa_pss_params_none`.
 int rsa_parse_pss_params(CBS *cbs, rsa_pss_params_t *out, int allow_explicit_trailer);
diff --git a/third_party/boringssl/src/crypto/rsa/rsa_asn1.cc b/third_party/boringssl/src/crypto/rsa/rsa_asn1.cc
index 3869de62..eb61d5ee 100644
--- a/third_party/boringssl/src/crypto/rsa/rsa_asn1.cc
+++ b/third_party/boringssl/src/crypto/rsa/rsa_asn1.cc
@@ -326,14 +326,14 @@ int bssl::rsa_parse_pss_params(CBS *cbs, rsa_pss_params_t *out,
 if (!CBS_get_asn1(cbs, ¶ms, CBS_ASN1_SEQUENCE) ||
 !CBS_get_asn1(¶ms, &hash_wrapper, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 0) ||
- // |hash_wrapper| will be parsed below.
+ // `hash_wrapper` will be parsed below.
 !CBS_get_asn1(¶ms, &mask_wrapper, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 1) ||
 !CBS_get_asn1(&mask_wrapper, &mask_alg, CBS_ASN1_SEQUENCE) ||
 !CBS_get_asn1(&mask_alg, &mask_oid, CBS_ASN1_OBJECT) ||
 // We only support MGF-1.
 Span(mask_oid) != kMGF1OID ||
- // The remainder of |mask_alg| will be parsed below.
+ // The remainder of `mask_alg` will be parsed below.
 CBS_len(&mask_wrapper) != 0 ||
 !CBS_get_asn1(¶ms, &salt_wrapper, CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC | 2) ||
diff --git a/third_party/boringssl/src/crypto/rsa/rsa_crypt.cc b/third_party/boringssl/src/crypto/rsa/rsa_crypt.cc
index 16085c53..fe4e2d94 100644
--- a/third_party/boringssl/src/crypto/rsa/rsa_crypt.cc
+++ b/third_party/boringssl/src/crypto/rsa/rsa_crypt.cc
@@ -254,7 +254,7 @@ static int rsa_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,
 // PKCS#1 v1.5 decryption. See "PKCS #1 v2.2: RSA Cryptography
 // Standard", section 7.2.2.
 if (from_len < RSA_PKCS1_PADDING_SIZE) {
- // |from| is zero-padded to the size of the RSA modulus, a public value, so
+ // `from` is zero-padded to the size of the RSA modulus, a public value, so
 // this can be rejected in non-constant time.
 OPENSSL_PUT_ERROR(RSA, RSA_R_KEY_SIZE_TOO_SMALL);
 return 0;
@@ -278,16 +278,16 @@ static int rsa_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,
 // We must have found the end of PS.
 valid_index &= ~looking_for_index;
- // PS must be at least 8 bytes long, and it starts two bytes into |from|.
+ // PS must be at least 8 bytes long, and it starts two bytes into `from`.
 valid_index &= constant_time_ge_w(zero_index, 2 + 8);
 // Skip the zero byte.
 zero_index++;
 // NOTE: Although this logic attempts to be constant time, the API contracts
- // of this function and |RSA_decrypt| with |RSA_PKCS1_PADDING| make it
+ // of this function and `RSA_decrypt` with `RSA_PKCS1_PADDING` make it
 // impossible to completely avoid Bleichenbacher's attack. Consumers should
- // use |RSA_PADDING_NONE| and perform the padding check in constant-time
+ // use `RSA_PADDING_NONE` and perform the padding check in constant-time
 // combined with a swap to a random session key or other mitigation.
 CONSTTIME_DECLASSIFY(&valid_index, sizeof(valid_index));
 CONSTTIME_DECLASSIFY(&zero_index, sizeof(zero_index));
@@ -300,7 +300,7 @@ static int rsa_padding_check_PKCS1_type_2(uint8_t *out, size_t *out_len,
 const size_t msg_len = from_len - zero_index;
 if (msg_len > max_out) {
 // This shouldn't happen because this function is always called with
- // |max_out| as the key size and |from_len| is bounded by the key size.
+ // `max_out` as the key size and `from_len` is bounded by the key size.
 OPENSSL_PUT_ERROR(RSA, RSA_R_PKCS_DECODING_ERROR);
 return 0;
 }
diff --git a/third_party/boringssl/src/crypto/rsa/rsa_extra.cc b/third_party/boringssl/src/crypto/rsa/rsa_extra.cc
index 58015bd4..96fe4e02 100644
--- a/third_party/boringssl/src/crypto/rsa/rsa_extra.cc
+++ b/third_party/boringssl/src/crypto/rsa/rsa_extra.cc
@@ -20,11 +20,11 @@ void RSA_blinding_off(RSA *rsa) {}
 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa) {
 // We do not currently implement this function. By default, we will not parse
- // |EVP_PKEY_RSA_PSS|. Callers that opt in with a BoringSSL-specific API are
+ // `EVP_PKEY_RSA_PSS`. Callers that opt in with a BoringSSL-specific API are
 // currently assumed to not need this function. Callers that need that opt-in
 // and this functionality should contact the BoringSSL team.
 //
- // If we do add support later, the |maskHash| field should be filled in for
+ // If we do add support later, the `maskHash` field should be filled in for
 // OpenSSL compatibility.
 return nullptr;
 }
diff --git a/third_party/boringssl/src/crypto/spake2plus/internal.h b/third_party/boringssl/src/crypto/spake2plus/internal.h
index 7344c57e..2ca85ce4 100644
--- a/third_party/boringssl/src/crypto/spake2plus/internal.h
+++ b/third_party/boringssl/src/crypto/spake2plus/internal.h
@@ -64,14 +64,14 @@ constexpr size_t kSecretSize = 32;
 // step of the SPAKE2+ protocol. See the following for more details:
 // https://www.rfc-editor.org/rfc/rfc9383.html#section-3.2
 //
-// The |password| argument is the mandatory prover password. The |out_w0|,
-// |out_w1|, and |out_registration_record| arguments are where the password
+// The `password` argument is the mandatory prover password. The `out_w0`,
+// `out_w1`, and `out_registration_record` arguments are where the password
 // verifiers (w0 and w1) and registration record (L) are stored, respectively.
-// The prover is given |out_w0| and |out_w1| while the verifier is given
-// |out_w0| and |out_registration_record|.
+// The prover is given `out_w0` and `out_w1` while the verifier is given
+// `out_w0` and `out_registration_record`.
 //
-// To ensure success, |out_w0| and |out_w1| must be of length |kVerifierSize|,
-// and |out_registration_record| of size |kRegistrationRecordSize|.
+// To ensure success, `out_w0` and `out_w1` must be of length `kVerifierSize`,
+// and `out_registration_record` of size `kRegistrationRecordSize`.
 [[nodiscard]] OPENSSL_EXPORT bool Register( Span out_w0, Span out_w1, Span out_registration_record, Span password,
@@ -87,10 +87,10 @@ class OPENSSL_EXPORT Prover {
 // Init creates a new prover, which can only be used for a single execution of
 // the protocol.
 //
- // The |context| argument is an application-specific value meant to constrain
- // the protocol execution. The |w0| and |w1| arguments are password verifier
+ // The `context` argument is an application-specific value meant to constrain
+ // the protocol execution. The `w0` and `w1` arguments are password verifier
 // values computed during the offline registration phase of the protocol. The
- // |id_prover| and |id_verifier| arguments allow optional, opaque names to be
+ // `id_prover` and `id_verifier` arguments allow optional, opaque names to be
 // bound into the protocol. See the following for more information about how
 // these identities may be chosen:
 // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
@@ -100,20 +100,20 @@ class OPENSSL_EXPORT Prover {
 Span w0, Span w1, Span x = Span());
- // GenerateShare computes a SPAKE2+ share and writes it to |out_share|.
+ // GenerateShare computes a SPAKE2+ share and writes it to `out_share`.
 //
- // This function can only be called once for a given |Prover|. To ensure
- // success, |out_share| must be |kShareSize| bytes.
+ // This function can only be called once for a given `Prover`. To ensure
+ // success, `out_share` must be `kShareSize` bytes.
 [[nodiscard]] bool GenerateShare(Span out_share);
 // ComputeConfirmation computes a SPAKE2+ key confirmation
- // message and writes it to |out_confirm|. It also computes the shared secret
- // and writes it to |out_secret|.
+ // message and writes it to `out_confirm`. It also computes the shared secret
+ // and writes it to `out_secret`.
 //
- // This function can only be called once for a given |Prover|.
+ // This function can only be called once for a given `Prover`.
 //
- // To ensure success, |out_confirm| must be |kConfirmSize| bytes
- // and |out_secret| must be |kSecretSize| bytes.
+ // To ensure success, `out_confirm` must be `kConfirmSize` bytes
+ // and `out_secret` must be `kSecretSize` bytes.
 [[nodiscard]] bool ComputeConfirmation(Span out_confirm, Span out_secret, Span peer_share,
@@ -146,12 +146,12 @@ class OPENSSL_EXPORT Verifier {
 // Init creates a new verifier, which can only be used for a single execution
 // of the protocol.
 //
- // The |context| argument is an application-specific value meant to constrain
- // the protocol execution. The |w0| and |registration_record| arguments are
- // required, and are computed by the prover via |Register|. Only the prover
- // can produce |w0| and |registration_record|, as they require
+ // The `context` argument is an application-specific value meant to constrain
+ // the protocol execution. The `w0` and `registration_record` arguments are
+ // required, and are computed by the prover via `Register`. Only the prover
+ // can produce `w0` and `registration_record`, as they require
 // knowledge of the password. The prover must securely transmit this to the
- // verifier out-of-band. The |id_prover| and |id_verifier| arguments allow
+ // verifier out-of-band. The `id_prover` and `id_verifier` arguments allow
 // optional, opaque names to be bound into the protocol. See the following for
 // more information about how these identities may be chosen:
 // https://www.rfc-editor.org/rfc/rfc9383.html#name-definition-of-spake2
@@ -163,23 +163,23 @@ class OPENSSL_EXPORT Verifier {
 Span y = Span());
 // ProcessProverShare computes a SPAKE2+ share from an input share,
- // |prover_share|, and writes it to |out_share|. It also computes the key
- // confirmation message and writes it to |out_confirm|. Finally, it computes
- // the shared secret and writes it to |out_secret|.
+ // `prover_share`, and writes it to `out_share`. It also computes the key
+ // confirmation message and writes it to `out_confirm`. Finally, it computes
+ // the shared secret and writes it to `out_secret`.
 //
- // This function can only be called once for a given |Verifier|.
+ // This function can only be called once for a given `Verifier`.
 //
- // To ensure success, |out_share| must be |kShareSize| bytes, |out_confirm|
- // must be |kConfirmSize| bytes, and |out_secret| must be |kSecretSize| bytes.
+ // To ensure success, `out_share` must be `kShareSize` bytes, `out_confirm`
+ // must be `kConfirmSize` bytes, and `out_secret` must be `kSecretSize` bytes.
 [[nodiscard]] bool ProcessProverShare(Span out_share, Span out_confirm, Span out_secret, Span prover_share);
 // VerifyProverConfirmation verifies a SPAKE2+ key confirmation message,
- // |prover_confirm|.
+ // `prover_confirm`.
 //
- // This function can only be called once for a given |Verifier|.
+ // This function can only be called once for a given `Verifier`.
 [[nodiscard]] bool VerifyProverConfirmation(Span peer_confirm);
 private:
diff --git a/third_party/boringssl/src/crypto/stack/stack.cc b/third_party/boringssl/src/crypto/stack/stack.cc
index 89b4f954..1628c23e 100644
--- a/third_party/boringssl/src/crypto/stack/stack.cc
+++ b/third_party/boringssl/src/crypto/stack/stack.cc
@@ -29,14 +29,14 @@ using namespace bssl;
 struct stack_st {
- // num contains the number of valid pointers in |data|.
+ // num contains the number of valid pointers in `data`.
 size_t num;
 void **data;
- // sorted is non-zero if the values pointed to by |data| are in ascending
- // order, based on |comp|.
+ // sorted is non-zero if the values pointed to by `data` are in ascending
+ // order, based on `comp`.
 int sorted;
 // num_alloc contains the number of pointers allocated in the buffer pointed
- // to by |data|, which may be larger than |num|.
+ // to by `data`, which may be larger than `num`.
 size_t num_alloc;
 // comp is an optional comparison function.
 OPENSSL_sk_cmp_func comp;
@@ -124,8 +124,8 @@ void OPENSSL_sk_pop_free_ex(OPENSSL_STACK *sk,
 OPENSSL_sk_free(sk);
 }
-// Historically, |sk_pop_free| called the function as |OPENSSL_sk_free_func|
-// directly. This is undefined in C. Some callers called |sk_pop_free| directly,
+// Historically, `sk_pop_free` called the function as `OPENSSL_sk_free_func`
+// directly. This is undefined in C. Some callers called `sk_pop_free` directly,
 // so we must maintain a compatibility version for now.
 static void call_free_func_legacy(OPENSSL_sk_free_func func, void *ptr) {
 func(ptr);
@@ -271,20 +271,20 @@ int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, const void *p,
 // The stack is sorted, so binary search to find the element.
 //
- // |lo| and |hi| maintain a half-open interval of where the answer may be. All
- // indices such that |lo <= idx < hi| are candidates.
+ // `lo` and `hi` maintain a half-open interval of where the answer may be. All
+ // indices such that `lo <= idx < hi` are candidates.
 size_t lo = 0, hi = sk->num;
 while (lo < hi) {
- // Bias |mid| towards |lo|. See the |r == 0| case below.
+ // Bias `mid` towards `lo`. See the `r == 0` case below.
 size_t mid = lo + (hi - lo - 1) / 2;
 assert(lo <= mid && mid < hi);
 int r = call_cmp_func(sk->comp, p, sk->data[mid]);
 if (r > 0) {
- lo = mid + 1; // |mid| is too low.
+ lo = mid + 1; // `mid` is too low.
 } else if (r < 0) {
- hi = mid; // |mid| is too high.
+ hi = mid; // `mid` is too high.
 } else {
- // |mid| matches. However, this function returns the earliest match, so we
+ // `mid` matches. However, this function returns the earliest match, so we
 // can only return if the range has size one.
 if (hi - lo == 1) {
 if (out_index != nullptr) {
@@ -292,8 +292,8 @@ int OPENSSL_sk_find(const OPENSSL_STACK *sk, size_t *out_index, const void *p,
 }
 return 1;
 }
- // The sample is biased towards |lo|. |mid| can only be |hi - 1| if
- // |hi - lo| was one, so this makes forward progress.
+ // The sample is biased towards `lo`. `mid` can only be `hi - 1` if
+ // `hi - lo` was one, so this makes forward progress.
 assert(mid + 1 < hi);
 hi = mid + 1;
 }
diff --git a/third_party/boringssl/src/crypto/thread_win.cc b/third_party/boringssl/src/crypto/thread_win.cc
index 5fce1bcc..d87c2963 100644
--- a/third_party/boringssl/src/crypto/thread_win.cc
+++ b/third_party/boringssl/src/crypto/thread_win.cc
@@ -57,10 +57,10 @@ static void thread_local_init() {
 static void NTAPI thread_local_destructor(PVOID module, DWORD reason,
 PVOID reserved) {
- // Only free memory on |DLL_THREAD_DETACH|, not |DLL_PROCESS_DETACH|. In
+ // Only free memory on `DLL_THREAD_DETACH`, not `DLL_PROCESS_DETACH`. In
 // VS2015's debug runtime, the C runtime has been unloaded by the time
- // |DLL_PROCESS_DETACH| runs. See https://crbug.com/575795. This is consistent
- // with |pthread_key_create| which does not call destructors on process exit,
+ // `DLL_PROCESS_DETACH` runs. See https://crbug.com/575795. This is consistent
+ // with `pthread_key_create` which does not call destructors on process exit,
 // only thread exit.
 if (reason != DLL_THREAD_DETACH) {
 return;
@@ -103,7 +103,7 @@ static void NTAPI thread_local_destructor(PVOID module, DWORD reason,
 // a reference to p_thread_callback_boringssl to prevent whole program
 // optimization from discarding the variable.
 //
-// Note, in the prefixed build, |p_thread_callback_boringssl| may be a macro.
+// Note, in the prefixed build, `p_thread_callback_boringssl` may be a macro.
 #define STRINGIFY(x) #x
 #define EXPAND_AND_STRINGIFY(x) STRINGIFY(x)
 #ifdef _WIN64
@@ -160,13 +160,13 @@ PIMAGE_TLS_CALLBACK p_thread_callback_boringssl = thread_local_destructor;
 #endif // _WIN64
 static void **get_thread_locals() {
- // |TlsGetValue| clears the last error even on success, so that callers may
+ // `TlsGetValue` clears the last error even on success, so that callers may
 // distinguish it successfully returning NULL or failing. It is documented to
- // never fail if the argument is a valid index from |TlsAlloc|, so we do not
+ // never fail if the argument is a valid index from `TlsAlloc`, so we do not
 // need to handle this.
 //
 // However, this error-mangling behavior interferes with the caller's use of
- // |GetLastError|. In particular |SSL_get_error| queries the error queue to
+ // `GetLastError`. In particular `SSL_get_error` queries the error queue to
 // determine whether the caller should look at the OS's errors. To avoid
 // destroying state, save and restore the Windows error.
 //
diff --git a/third_party/boringssl/src/crypto/trust_token/internal.h b/third_party/boringssl/src/crypto/trust_token/internal.h
index d3afc172..cb3aed51 100644
--- a/third_party/boringssl/src/crypto/trust_token/internal.h
+++ b/third_party/boringssl/src/crypto/trust_token/internal.h
@@ -44,8 +44,8 @@ BSSL_NAMESPACE_BEGIN
 typedef struct {
 // TODO(https://crbug.com/boringssl/334): These should store
- // |bssl::EC_PRECOMP| so that |TRUST_TOKEN_finish_issuance| can use
- // |ec_point_mul_scalar_precomp|.
+ // `bssl::EC_PRECOMP` so that `TRUST_TOKEN_finish_issuance` can use
+ // `ec_point_mul_scalar_precomp`.
 bssl::EC_AFFINE pub0;
 bssl::EC_AFFINE pub1;
 bssl::EC_AFFINE pubs;
@@ -75,7 +75,7 @@ typedef struct pmb_pretoken_st {
 bssl::EC_AFFINE Tp;
 } TRUST_TOKEN_PRETOKEN;
-// TRUST_TOKEN_PRETOKEN_free releases the memory associated with |token|.
+// TRUST_TOKEN_PRETOKEN_free releases the memory associated with `token`.
 OPENSSL_EXPORT void TRUST_TOKEN_PRETOKEN_free(TRUST_TOKEN_PRETOKEN *token);
 DEFINE_NAMESPACED_STACK_OF(TRUST_TOKEN_PRETOKEN)
@@ -88,8 +88,8 @@ DEFINE_NAMESPACED_STACK_OF(TRUST_TOKEN_PRETOKEN)
 // construction with validity verification, described in appendix H,
 // construction 6.
-// The following functions implement the corresponding |TRUST_TOKENS_METHOD|
-// functions for |TRUST_TOKENS_experiment_v1|'s PMBTokens construction which
+// The following functions implement the corresponding `TRUST_TOKENS_METHOD`
+// functions for `TRUST_TOKENS_experiment_v1`'s PMBTokens construction which
 // uses P-384.
 int pmbtoken_exp1_generate_key(CBB *out_private, CBB *out_public);
 int pmbtoken_exp1_derive_key_from_secret(CBB *out_private, CBB *out_public,
@@ -120,8 +120,8 @@ int pmbtoken_exp1_read(const TRUST_TOKEN_ISSUER_KEY *key,
 // function is used to confirm H was computed as expected.
 OPENSSL_EXPORT int pmbtoken_exp1_get_h_for_testing(uint8_t out[97]);
-// The following functions implement the corresponding |TRUST_TOKENS_METHOD|
-// functions for |TRUST_TOKENS_experiment_v2|'s PMBTokens construction which
+// The following functions implement the corresponding `TRUST_TOKENS_METHOD`
+// functions for `TRUST_TOKENS_experiment_v2`'s PMBTokens construction which
 // uses P-384.
 int pmbtoken_exp2_generate_key(CBB *out_private, CBB *out_public);
 int pmbtoken_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,
@@ -152,8 +152,8 @@ int pmbtoken_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
 // function is used to confirm H was computed as expected.
 OPENSSL_EXPORT int pmbtoken_exp2_get_h_for_testing(uint8_t out[97]);
-// The following functions implement the corresponding |TRUST_TOKENS_METHOD|
-// functions for |TRUST_TOKENS_pst_v1|'s PMBTokens construction which uses
+// The following functions implement the corresponding `TRUST_TOKENS_METHOD`
+// functions for `TRUST_TOKENS_pst_v1`'s PMBTokens construction which uses
 // P-384.
 int pmbtoken_pst1_generate_key(CBB *out_private, CBB *out_public);
 int pmbtoken_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public,
@@ -191,11 +191,11 @@ OPENSSL_EXPORT int pmbtoken_pst1_get_h_for_testing(uint8_t out[97]);
 // and provide anonymous tokens. This implementation uses TrustToken DSTs and
 // the DLEQ batching primitive from
 // https://eprint.iacr.org/2020/072/20200324:214215.
-// VOPRF only uses the |pub|' field of the TRUST_TOKEN_CLIENT_KEY and
-// |xs|/|pubs| fields of the TRUST_TOKEN_ISSUER_KEY.
+// VOPRF only uses the `pub`' field of the TRUST_TOKEN_CLIENT_KEY and
+// `xs`/`pubs` fields of the TRUST_TOKEN_ISSUER_KEY.
-// The following functions implement the corresponding |TRUST_TOKENS_METHOD|
-// functions for |TRUST_TOKENS_experiment_v2|'s VOPRF construction which uses
+// The following functions implement the corresponding `TRUST_TOKENS_METHOD`
+// functions for `TRUST_TOKENS_experiment_v2`'s VOPRF construction which uses
 // P-384.
 int voprf_exp2_generate_key(CBB *out_private, CBB *out_public);
 int voprf_exp2_derive_key_from_secret(CBB *out_private, CBB *out_public,
@@ -221,8 +221,8 @@ int voprf_exp2_read(const TRUST_TOKEN_ISSUER_KEY *key,
 size_t token_len, int include_message, const uint8_t *msg, size_t msg_len);
-// The following functions implement the corresponding |TRUST_TOKENS_METHOD|
-// functions for |TRUST_TOKENS_pst_v1|'s VOPRF construction which uses P-384.
+// The following functions implement the corresponding `TRUST_TOKENS_METHOD`
+// functions for `TRUST_TOKENS_pst_v1`'s VOPRF construction which uses P-384.
 int voprf_pst1_generate_key(CBB *out_private, CBB *out_public);
 int voprf_pst1_derive_key_from_secret(CBB *out_private, CBB *out_public, const uint8_t *secret, size_t secret_len);
@@ -259,33 +259,33 @@ BSSL_NAMESPACE_END
 struct trust_token_method_st {
 // generate_key generates a fresh keypair and writes their serialized
- // forms into |out_private| and |out_public|. It returns one on success and
+ // forms into `out_private` and `out_public`. It returns one on success and
 // zero on failure.
 int (*generate_key)(CBB *out_private, CBB *out_public);
 // derive_key_from_secret deterministically derives a keypair based on
- // |secret| and writes their serialized forms into |out_private| and
- // |out_public|. It returns one on success and zero on failure.
+ // `secret` and writes their serialized forms into `out_private` and
+ // `out_public`. It returns one on success and zero on failure.
 int (*derive_key_from_secret)(CBB *out_private, CBB *out_public, const uint8_t *secret, size_t secret_len);
- // client_key_from_bytes decodes a client key from |in| and sets |key|
+ // client_key_from_bytes decodes a client key from `in` and sets `key`
 // to the resulting key. It returns one on success and zero
 // on failure.
 int (*client_key_from_bytes)(bssl::TRUST_TOKEN_CLIENT_KEY *key, const uint8_t *in, size_t len);
- // issuer_key_from_bytes decodes a issuer key from |in| and sets |key|
+ // issuer_key_from_bytes decodes a issuer key from `in` and sets `key`
 // to the resulting key. It returns one on success and zero
 // on failure.
 int (*issuer_key_from_bytes)(bssl::TRUST_TOKEN_ISSUER_KEY *key, const uint8_t *in, size_t len);
- // blind generates a new issuance request for |count| tokens. If
- // |include_message| is set, then |msg| is used to derive the token nonces. On
- // success, it returns a newly-allocated |STACK_OF(TRUST_TOKEN_PRETOKEN)| and
- // writes a request to the issuer to |cbb|. On failure, it returns NULL. The
- // |STACK_OF(TRUST_TOKEN_PRETOKEN)|s should be passed to |pmbtoken_unblind|
+ // blind generates a new issuance request for `count` tokens. If
+ // `include_message` is set, then `msg` is used to derive the token nonces. On
+ // success, it returns a newly-allocated `STACK_OF(TRUST_TOKEN_PRETOKEN)` and
+ // writes a request to the issuer to `cbb`. On failure, it returns NULL. The
+ // `STACK_OF(TRUST_TOKEN_PRETOKEN)`s should be passed to `pmbtoken_unblind`
 // when the server responds.
 //
 // This function implements the AT.Usr0 operation.
@@ -293,9 +293,9 @@ struct trust_token_method_st {
 int include_message, const uint8_t *msg, size_t msg_len);
- // sign parses a request for |num_requested| tokens from |cbs| and
- // issues |num_to_issue| tokens with |key| and a private metadata value of
- // |private_metadata|. It then writes the response to |cbb|. It returns one on
+ // sign parses a request for `num_requested` tokens from `cbs` and
+ // issues `num_to_issue` tokens with `key` and a private metadata value of
+ // `private_metadata`. It then writes the response to `cbb`. It returns one on
 // success and zero on failure.
 //
 // This function implements the AT.Sig operation.
@@ -303,11 +303,11 @@ struct trust_token_method_st {
 size_t num_requested, size_t num_to_issue, uint8_t private_metadata);
- // unblind processes an issuance response for |count| tokens from |cbs|
- // and unblinds the signed tokens. |pretokens| are the pre-tokens returned
- // from the corresponding |blind| call. On success, the function returns a
- // newly-allocated |STACK_OF(TRUST_TOKEN)| containing the resulting tokens.
- // Each token's serialization will have |key_id| prepended. Otherwise, it
+ // unblind processes an issuance response for `count` tokens from `cbs`
+ // and unblinds the signed tokens. `pretokens` are the pre-tokens returned
+ // from the corresponding `blind` call. On success, the function returns a
+ // newly-allocated `STACK_OF(TRUST_TOKEN)` containing the resulting tokens.
+ // Each token's serialization will have `key_id` prepended. Otherwise, it
 // returns NULL.
 //
 // This function implements the AT.Usr1 operation.
@@ -316,11 +316,11 @@ struct trust_token_method_st {
 const bssl::StackOfTrustTokenPretoken *pretokens, CBS *cbs, size_t count, uint32_t key_id);
- // read parses a token from |token| and verifies it using |key|. If
- // |include_message| is set, then the nonce is derived from |msg| and the salt
+ // read parses a token from `token` and verifies it using `key`. If
+ // `include_message` is set, then the nonce is derived from `msg` and the salt
 // in the token. On success, it returns one and stores the nonce and private
- // metadata bit in |out_nonce| and |*out_private_metadata|. Otherwise, it
- // returns zero. Note that, unlike the output of |unblind|, |token| does not
+ // metadata bit in `out_nonce` and `*out_private_metadata`. Otherwise, it
+ // returns zero. Note that, unlike the output of `unblind`, `token` does not
 // have a four-byte key ID prepended.
 int (*read)(const bssl::TRUST_TOKEN_ISSUER_KEY *key,
 uint8_t out_nonce[TRUST_TOKEN_NONCE_SIZE],
@@ -363,7 +363,7 @@ struct trust_token_client_st {
 // keys is the set of public keys that are supported by the client for
 // issuance/redemptions.
- // TODO(crbug.com/42290036): Replace this and |num_keys| with an
+ // TODO(crbug.com/42290036): Replace this and `num_keys` with an
 // InplaceVector.
 struct bssl::trust_token_client_key_st keys[6];
diff --git a/third_party/boringssl/src/crypto/trust_token/pmbtoken.cc b/third_party/boringssl/src/crypto/trust_token/pmbtoken.cc
index 95f1fd3d..1f446dff 100644
--- a/third_party/boringssl/src/crypto/trust_token/pmbtoken.cc
+++ b/third_party/boringssl/src/crypto/trust_token/pmbtoken.cc
@@ -337,7 +337,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind(
 }
 for (size_t i = 0; i < count; i++) {
- // Insert |pretoken| into |pretokens| early to simplify error-handling.
+ // Insert `pretoken` into `pretokens` early to simplify error-handling.
 TRUST_TOKEN_PRETOKEN *pretoken = New();
 if (pretoken == nullptr || !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) {
@@ -356,7 +356,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *pmbtoken_blind(
 OPENSSL_memcpy(pretoken->t, pretoken->salt, TRUST_TOKEN_NONCE_SIZE);
 }
- // We sample |pretoken->r| in Montgomery form to simplify inverting.
+ // We sample `pretoken->r` in Montgomery form to simplify inverting.
 if (!ec_random_nonzero_scalar(group, &pretoken->r, kDefaultAdditionalData)) {
 goto err;
@@ -833,7 +833,7 @@ static int pmbtoken_sign(const PMBTOKEN_METHOD *method,
 uint8_t s[TRUST_TOKEN_NONCE_SIZE];
 RAND_bytes(s, TRUST_TOKEN_NONCE_SIZE);
- // The |jacobians| and |affines| contain Sp, Wp, and Wsp.
+ // The `jacobians` and `affines` contain Sp, Wp, and Wsp.
 EC_JACOBIAN jacobians[3];
 EC_AFFINE affines[3];
 if (!method->hash_s(group, &jacobians[0], &Tp_affine, s) ||
@@ -996,7 +996,7 @@ static STACK_OF(TRUST_TOKEN) *pmbtoken_unblind(
 goto err;
 }
- // Serialize the token. Include |key_id| to avoid an extra copy in the layer
+ // Serialize the token. Include `key_id` to avoid an extra copy in the layer
 // above.
 CBB token_cbb;
 size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);
@@ -1106,7 +1106,7 @@ static int pmbtoken_read(const PMBTOKEN_METHOD *method,
 }
 // We perform three multiplications with S and T. This is enough that it is
- // worth using |ec_point_mul_scalar_precomp|.
+ // worth using `ec_point_mul_scalar_precomp`.
 EC_JACOBIAN S_jacobian;
 EC_PRECOMP S_precomp, T_precomp;
 ec_affine_to_jacobian(group, &S_jacobian, &S);
@@ -1198,7 +1198,7 @@ static PMBTOKEN_METHOD pmbtoken_exp1_method;
 static CRYPTO_once_t pmbtoken_exp1_method_once = CRYPTO_ONCE_INIT;
 static void pmbtoken_exp1_init_method_impl() {
- // This is the output of |ec_hash_to_scalar_p384_xmd_sha512_draft07| with DST
+ // This is the output of `ec_hash_to_scalar_p384_xmd_sha512_draft07` with DST
 // "PMBTokens Experiment V1 HashH" and message "generator".
 static const uint8_t kH[] = {
 0x04, 0x82, 0xd5, 0x68, 0xf5, 0x39, 0xf6, 0x08, 0x19, 0xa1, 0x75,
@@ -1373,7 +1373,7 @@ static PMBTOKEN_METHOD pmbtoken_exp2_method;
 static CRYPTO_once_t pmbtoken_exp2_method_once = CRYPTO_ONCE_INIT;
 static void pmbtoken_exp2_init_method_impl() {
- // This is the output of |ec_hash_to_scalar_p384_xmd_sha512_draft07| with DST
+ // This is the output of `ec_hash_to_scalar_p384_xmd_sha512_draft07` with DST
 // "PMBTokens Experiment V2 HashH" and message "generator".
 static const uint8_t kH[] = {
 0x04, 0xbc, 0x27, 0x24, 0x99, 0xfa, 0xc9, 0xa4, 0x74, 0x6f, 0xf9,
@@ -1548,7 +1548,7 @@ static PMBTOKEN_METHOD pmbtoken_pst1_method;
 static CRYPTO_once_t pmbtoken_pst1_method_once = CRYPTO_ONCE_INIT;
 static void pmbtoken_pst1_init_method_impl() {
- // This is the output of |ec_hash_to_scalar_p384_xmd_sha384| with DST
+ // This is the output of `ec_hash_to_scalar_p384_xmd_sha384` with DST
 // "PMBTokens PST V1 HashH" and message "generator".
 static const uint8_t kH[] = {
 0x04, 0x4c, 0xfa, 0xd4, 0x33, 0x6d, 0x8c, 0x4e, 0x18, 0xce, 0x1a,
diff --git a/third_party/boringssl/src/crypto/trust_token/voprf.cc b/third_party/boringssl/src/crypto/trust_token/voprf.cc
index 1a302b23..4dcb9896 100644
--- a/third_party/boringssl/src/crypto/trust_token/voprf.cc
+++ b/third_party/boringssl/src/crypto/trust_token/voprf.cc
@@ -211,7 +211,7 @@ static STACK_OF(TRUST_TOKEN_PRETOKEN) *voprf_blind(const VOPRF_METHOD *method,
 }
 for (size_t i = 0; i < count; i++) {
- // Insert |pretoken| into |pretokens| early to simplify error-handling.
+ // Insert `pretoken` into `pretokens` early to simplify error-handling.
 TRUST_TOKEN_PRETOKEN *pretoken = New();
 if (pretoken == nullptr || !sk_TRUST_TOKEN_PRETOKEN_push(pretokens, pretoken)) {
@@ -617,7 +617,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind_tt(
 goto err;
 }
- // Serialize the token. Include |key_id| to avoid an extra copy in the layer
+ // Serialize the token. Include `key_id` to avoid an extra copy in the layer
 // above.
 CBB token_cbb;
 size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);
@@ -1009,7 +1009,7 @@ static STACK_OF(TRUST_TOKEN) *voprf_unblind(
 goto err;
 }
- // Serialize the token. Include |key_id| to avoid an extra copy in the layer
+ // Serialize the token. Include `key_id` to avoid an extra copy in the layer
 // above.
 CBB token_cbb;
 size_t point_len = ec_point_byte_len(group, POINT_CONVERSION_UNCOMPRESSED);
diff --git a/third_party/boringssl/src/crypto/x509/a_sign.cc b/third_party/boringssl/src/crypto/x509/a_sign.cc
index a430bff3..3e313d47 100644
--- a/third_party/boringssl/src/crypto/x509/a_sign.cc
+++ b/third_party/boringssl/src/crypto/x509/a_sign.cc
@@ -47,12 +47,12 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *asn, EVP_MD_CTX *ctx) {
- // Historically, this function called |EVP_MD_CTX_cleanup| on return. Some
+ // Historically, this function called `EVP_MD_CTX_cleanup` on return. Some
 // callers rely on this to avoid memory leaks.
 Cleanup cleanup = [&] { EVP_MD_CTX_cleanup(ctx); };
 // Write out the requested copies of the AlgorithmIdentifier. This may modify
- // |asn|, so we must do it first.
+ // `asn`, so we must do it first.
 if ((algor1 != nullptr && !x509_digest_sign_algorithm(ctx, algor1)) || (algor2 != nullptr && !x509_digest_sign_algorithm(ctx, algor2))) {
 return 0;
@@ -78,7 +78,7 @@ int bssl::x509_sign_to_bit_string(EVP_MD_CTX *ctx, ASN1_BIT_STRING *out,
 EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx);
 size_t sig_len = EVP_PKEY_size(pkey);
 if (sig_len > INT_MAX) {
- // Ensure the signature will fit in |out|.
+ // Ensure the signature will fit in `out`.
 OPENSSL_PUT_ERROR(X509, ERR_R_OVERFLOW);
 return 0;
 }
diff --git a/third_party/boringssl/src/crypto/x509/algorithm.cc b/third_party/boringssl/src/crypto/x509/algorithm.cc
index 4330fb4d..2a5a6da2 100644
--- a/third_party/boringssl/src/crypto/x509/algorithm.cc
+++ b/third_party/boringssl/src/crypto/x509/algorithm.cc
@@ -27,8 +27,8 @@ using namespace bssl; // TODO(crbug.com/42290422): Rewrite this logic to recognize signature // algorithms without pulling in the OID table. We can enumerate every supported -// signature algorithm into a small enum and convert them to/from |EVP_PKEY_CTX| -// and |X509_ALGOR|. +// signature algorithm into a small enum and convert them to/from `EVP_PKEY_CTX` +// and `X509_ALGOR`. // Restrict the digests that are allowed in X509 certificates static int x509_digest_nid_ok(const int digest_nid) { diff --git a/third_party/boringssl/src/crypto/x509/asn1_gen.cc b/third_party/boringssl/src/crypto/x509/asn1_gen.cc index 27b84465..4fb4f500 100644 --- a/third_party/boringssl/src/crypto/x509/asn1_gen.cc +++ b/third_party/boringssl/src/crypto/x509/asn1_gen.cc @@ -48,11 +48,11 @@ using namespace bssl; #define ASN1_GEN_FORMAT_HEX 3 #define ASN1_GEN_FORMAT_BITLIST 4 -// generate_v3 converts |str| into an ASN.1 structure and writes the result to -// |cbb|. It returns one on success and zero on error. |depth| bounds recursion, -// and |format| specifies the current format modifier. +// generate_v3 converts `str` into an ASN.1 structure and writes the result to +// `cbb`. It returns one on success and zero on error. `depth` bounds recursion, +// and `format` specifies the current format modifier. // -// If |tag| is non-zero, the structure is implicitly tagged with |tag|. |tag| +// If `tag` is non-zero, the structure is implicitly tagged with `tag`. `tag` // must not have the constructed bit set. static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf, CBS_ASN1_TAG tag, int format, int depth); 
@@ -69,7 +69,7 @@ ASN1_TYPE *bssl::ASN1_generate_v3(const char *str, const X509V3_CTX *cnf) { // While not strictly necessary to avoid a DoS (we rely on any super-linear // checks being performed internally), cap the overall output to - // |ASN1_GEN_MAX_OUTPUT| so the externally-visible behavior is consistent. + // `ASN1_GEN_MAX_OUTPUT` so the externally-visible behavior is consistent. if (CBB_len(cbb.get()) > ASN1_GEN_MAX_OUTPUT) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); return nullptr; @@ -84,7 +84,7 @@ static int cbs_str_equal(const CBS *cbs, const char *str) { OPENSSL_memcmp(CBS_data(cbs), str, strlen(str)) == 0; } -// parse_tag decodes a tag specifier in |cbs|. It returns the tag on success or +// parse_tag decodes a tag specifier in `cbs`. It returns the tag on success or // zero on error. static CBS_ASN1_TAG parse_tag(const CBS *cbs) { CBS copy = *cbs; @@ -151,7 +151,7 @@ static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf, } // Process modifiers. This function uses a mix of NUL-terminated strings and - // |CBS|. Several functions only work with NUL-terminated strings, so we need + // `CBS`. Several functions only work with NUL-terminated strings, so we need // to keep track of when a slice spans the whole buffer. for (;;) { // Skip whitespace. @@ -241,7 +241,7 @@ static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf, tag = tag == 0 ? CBS_ASN1_SET : (tag | CBS_ASN1_CONSTRUCTED); return generate_wrapped(cbb, str, cnf, tag, /*padding=*/0, format, depth); } else { - // If this was not a recognized modifier, rewind |str| to before splitting + // If this was not a recognized modifier, rewind `str` to before splitting // on the comma. The type itself consumes all remaining input. str = str_old; break; 
@@ -412,9 +412,9 @@ static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf, return 0; } - // |maxsize| is measured in code points, rather than bytes, but pass it in + // `maxsize` is measured in code points, rather than bytes, but pass it in // as a loose cap so fuzzers can exit from excessively long inputs - // earlier. This limit is not load-bearing because |ASN1_mbstring_ncopy|'s + // earlier. This limit is not load-bearing because `ASN1_mbstring_ncopy`'s // output is already linear in the input. ASN1_STRING *obj = nullptr; if (ASN1_mbstring_ncopy(&obj, (const uint8_t *)value, -1, encoding, @@ -493,8 +493,8 @@ static int generate_v3(CBB *cbb, const char *str, const X509V3_CTX *cnf, ASN1_GEN_FORMAT_ASCII, depth + 1)) { return 0; } - // This recursive call, by referencing |section|, is the one place - // where |generate_v3|'s output can be super-linear in the input. + // This recursive call, by referencing `section`, is the one place + // where `generate_v3`'s output can be super-linear in the input. // Check bounds here. if (CBB_len(&child) > ASN1_GEN_MAX_OUTPUT) { OPENSSL_PUT_ERROR(ASN1, ASN1_R_TOO_LONG); diff --git a/third_party/boringssl/src/crypto/x509/by_dir.cc b/third_party/boringssl/src/crypto/x509/by_dir.cc index 545ffd95..a1aeecfa 100644 --- a/third_party/boringssl/src/crypto/x509/by_dir.cc +++ b/third_party/boringssl/src/crypto/x509/by_dir.cc @@ -15,6 +15,9 @@ #include #include +#include +#include + #include #include #include 
@@ -25,36 +28,77 @@ #include "internal.h" -using namespace bssl; - BSSL_NAMESPACE_BEGIN -typedef struct lookup_dir_hashes_st { - uint32_t hash; - int suffix; -} BY_DIR_HASH; +// A ByDirEntry tracks state for a single directory, notably the starting suffix +// for CRL lookups. +class ByDirEntry { + public: + static constexpr bool kAllowUniquePtr = true; -typedef struct lookup_dir_entry_st { - Mutex lock; - char *dir; - int dir_type; - STACK_OF(BY_DIR_HASH) *hashes; -} BY_DIR_ENTRY; + ByDirEntry() = default; -typedef struct lookup_dir_st { - STACK_OF(BY_DIR_ENTRY) *dirs; -} BY_DIR; + static UniquePtr Create(int dir_type, std::string_view dir) { + auto ret = MakeUnique(); + ret->dir_type_ = dir_type; + ret->dir_.reset(OPENSSL_strndup(dir.data(), dir.size())); + if (ret->dir_ == nullptr) { + return nullptr; + } + return ret; + } -DEFINE_NAMESPACED_STACK_OF(BY_DIR_HASH) -DEFINE_NAMESPACED_STACK_OF(BY_DIR_ENTRY) + int dir_type() const { return dir_type_; } + const char *dir() const { return dir_.get(); } -BSSL_NAMESPACE_END + int GetCRLSuffix(uint32_t hash) const { + MutexReadLock lock(&lock_); + auto it = std::lower_bound(crl_suffixes_.begin(), crl_suffixes_.end(), hash); + if (it == crl_suffixes_.end() || it->hash != hash) { + return 0; + } + return it->suffix; + } + + bool UpdateCRLSuffix(uint32_t hash, int suffix) { + MutexWriteLock lock(&lock_); + auto it = std::lower_bound(crl_suffixes_.begin(), crl_suffixes_.end(), hash); + if (it != crl_suffixes_.end() && it->hash == hash) { + it->suffix = std::max(suffix, it->suffix); + return true; + } + if (!crl_suffixes_.Push(CRLSuffix{hash, suffix})) { + return false; + } + std::sort(crl_suffixes_.begin(), crl_suffixes_.end()); + return true; + } + + private: + struct CRLSuffix { + uint32_t hash; + int suffix; + bool operator<(uint32_t h) const { return hash < h; } + bool operator<(const CRLSuffix &other) const { return hash < other.hash; } + }; + + UniquePtr dir_; + int dir_type_ = 0; + mutable Mutex lock_; + // 
crl_suffixes_ is kept sorted. + // TODO(davidben): This should be a hash table. Insertions are O(N log N). + Vector crl_suffixes_; +}; + +struct ByDir { + Vector> dirs; +}; static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **ret); static int new_dir(X509_LOOKUP *lu); static void free_dir(X509_LOOKUP *lu); -static int add_cert_dir(BY_DIR *ctx, const char *dir, int type); +static int add_cert_dir(ByDir *ctx, const char *dir, int type); static int get_cert_by_subject(X509_LOOKUP *xl, int type, const X509_NAME *name, X509_OBJECT *ret); static const X509_LOOKUP_METHOD x509_dir_lookup = { 
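Review bot: `GetCRLSuffix` and `UpdateCRLSuffix` in the new `ByDirEntry` class carry no comment stating their contract, although the caller in `get_cert_by_subject` depends on it. I would add `// GetCRLSuffix returns the saved starting suffix for hash, or zero if none is recorded.` and `// UpdateCRLSuffix raises the saved suffix for hash to at least suffix. It returns false if the entry could not be added.` It is also worth one line noting that the two calls take `lock_` separately, so the read and the later update are not atomic. The `std::max` in `UpdateCRLSuffix` is what stops a concurrent lookup from lowering the stored value.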
@@ -64,74 +108,36 @@ static const X509_LOOKUP_METHOD x509_dir_lookup = { get_cert_by_subject, // get_by_subject }; -const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir() { return &x509_dir_lookup; } - static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, char **retp) { - int ret = 0; - char *dir = nullptr; - - BY_DIR *ld = reinterpret_cast(ctx->method_data); - + ByDir *ld = reinterpret_cast(ctx->method_data); switch (cmd) { case X509_L_ADD_DIR: if (argl == X509_FILETYPE_DEFAULT) { - dir = (char *)getenv(X509_get_default_cert_dir_env()); - if (dir) { - ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); - } else { - ret = - add_cert_dir(ld, X509_get_default_cert_dir(), X509_FILETYPE_PEM); - } - if (!ret) { + const char *dir = getenv(X509_get_default_cert_dir_env()); + if (!add_cert_dir(ld, dir ? dir : X509_get_default_cert_dir(), + X509_FILETYPE_PEM)) { OPENSSL_PUT_ERROR(X509, X509_R_LOADING_CERT_DIR); + return 0; } - } else { - ret = add_cert_dir(ld, argp, (int)argl); + return 1; } - break; + return add_cert_dir(ld, argp, (int)argl); } - return ret; + return 0; } static int new_dir(X509_LOOKUP *lu) { - BY_DIR *a; - - if ((a = New()) == nullptr) { + ByDir *a = New(); + if (a == nullptr) { return 0; } - a->dirs = nullptr; lu->method_data = a; return 1; } -static void by_dir_hash_free(BY_DIR_HASH *hash) { Delete(hash); } - -static int by_dir_hash_cmp(const BY_DIR_HASH *const *a, - const BY_DIR_HASH *const *b) { - if ((*a)->hash > (*b)->hash) { - return 1; - } - if ((*a)->hash < (*b)->hash) { - return -1; - } - return 0; -} - -static void by_dir_entry_free(BY_DIR_ENTRY *ent) { - if (ent != nullptr) { - Delete(ent->dir); - sk_BY_DIR_HASH_pop_free(ent->hashes, by_dir_hash_free); - Delete(ent); - } -} - static void free_dir(X509_LOOKUP *lu) { - BY_DIR *a = reinterpret_cast(lu->method_data); - if (a != nullptr) { - sk_BY_DIR_ENTRY_pop_free(a->dirs, by_dir_entry_free); - Delete(a); - } + Delete(reinterpret_cast(lu->method_data)); } #if defined(OPENSSL_WINDOWS) 
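Review bot: In `dir_ctrl`, the `X509_FILETYPE_DEFAULT` branch still takes the lookup directory from `getenv(X509_get_default_cert_dir_env())` whenever the variable is set, and nothing in the hunk records that the environment is being trusted. Certificates and CRLs found under that directory are what `get_cert_by_subject` loads into the store, so a process running with more privilege than whoever controls its environment would load trust material chosen by that party. This predates the rewrite, so I would only ask for a comment on the branch, for example `// The environment is trusted here; privileged callers should pass an explicit directory rather than X509_FILETYPE_DEFAULT.` The `(int)argl` narrowing on the non-default path could become a `static_cast` while the function is being touched.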
@@ -140,78 +146,53 @@ static void free_dir(X509_LOOKUP *lu) { #define DIR_HASH_SEPARATOR ':' #endif -static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) { - size_t j, len; - const char *s, *ss, *p; - - if (dir == nullptr || !*dir) { +static int add_cert_dir(ByDir *ctx, const char *inp, int type) { + if (inp == nullptr || !*inp) { OPENSSL_PUT_ERROR(X509, X509_R_INVALID_DIRECTORY); return 0; } - s = dir; - p = s; + std::string_view rest = inp; do { - if (*p == DIR_HASH_SEPARATOR || *p == '\0') { - BY_DIR_ENTRY *ent; - ss = s; - s = p + 1; - len = p - ss; - if (len == 0) { - continue; - } - for (j = 0; j < sk_BY_DIR_ENTRY_num(ctx->dirs); j++) { - ent = sk_BY_DIR_ENTRY_value(ctx->dirs, j); - if (strlen(ent->dir) == len && strncmp(ent->dir, ss, len) == 0) { - break; - } - } - if (j < sk_BY_DIR_ENTRY_num(ctx->dirs)) { - continue; - } - if (ctx->dirs == nullptr) { - ctx->dirs = sk_BY_DIR_ENTRY_new_null(); - if (!ctx->dirs) { - return 0; - } - } - ent = New(); - if (!ent) { - return 0; - } - ent->dir_type = type; - ent->hashes = sk_BY_DIR_HASH_new(by_dir_hash_cmp); - ent->dir = OPENSSL_strndup(ss, len); - if (ent->dir == nullptr || ent->hashes == nullptr || - !sk_BY_DIR_ENTRY_push(ctx->dirs, ent)) { - by_dir_entry_free(ent); - return 0; - } + // Split by `DIR_HASH_SEPARATOR`. + size_t sep = rest.find(DIR_HASH_SEPARATOR); + std::string_view dir; + if (sep == std::string_view::npos) { + dir = rest; + rest = std::string_view(); + } else { + dir = rest.substr(0, sep); + rest = rest.substr(sep + 1); } - } while (*p++ != '\0'); + if (dir.empty()) { + continue; + } + // Ignore duplicates. 
+ if (std::any_of(ctx->dirs.begin(), ctx->dirs.end(), + [&](const auto &ent) { return ent->dir() == dir; })) { + continue; + } + auto ent = ByDirEntry::Create(type, dir); + if (ent == nullptr || !ctx->dirs.Push(std::move(ent))) { + return 0; + } + } while (!rest.empty()); return 1; } static int get_cert_by_subject(X509_LOOKUP *xl, int type, const X509_NAME *name, X509_OBJECT *ret) { - UniquePtr lookup_cert; - UniquePtr lookup_crl; - int ok = 0; - size_t i; - int k; - uint32_t h; - uint32_t hash_array[2]; - int hash_index; - char *b = nullptr; - X509_OBJECT stmp, *tmp; - const char *postfix = ""; - if (name == nullptr) { return 0; } + // Set up an `X509_OBJECT` to compare against. + UniquePtr lookup_cert; + UniquePtr lookup_crl; + X509_OBJECT stmp; + const char *postfix = ""; stmp.type = type; - BY_DIR *ctx = reinterpret_cast(xl->method_data); + ByDir *ctx = reinterpret_cast(xl->method_data); if (type == X509_LU_X509) { lookup_cert.reset(X509_new()); if (lookup_cert == nullptr || 
@@ -230,123 +211,89 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, const X509_NAME *name, postfix = "r"; } else { OPENSSL_PUT_ERROR(X509, X509_R_WRONG_LOOKUP_TYPE); - goto finish; + return 0; } - hash_array[0] = X509_NAME_hash(name); - hash_array[1] = X509_NAME_hash_old(name); - for (hash_index = 0; hash_index < 2; ++hash_index) { - h = hash_array[hash_index]; - for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) { - BY_DIR_ENTRY *ent; - size_t idx; - BY_DIR_HASH htmp, *hent; - ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i); - if (type == X509_LU_CRL && ent->hashes) { - htmp.hash = h; - MutexReadLock lock(&ent->lock); - if (sk_BY_DIR_HASH_find(ent->hashes, &idx, &htmp)) { - hent = sk_BY_DIR_HASH_value(ent->hashes, idx); - k = hent->suffix; - } else { - hent = nullptr; - k = 0; - } - } else { - k = 0; - hent = nullptr; + // Try both new and old hashes. + const uint32_t hashes[] = {X509_NAME_hash(name), X509_NAME_hash_old(name)}; + for (uint32_t hash : hashes) { + for (UniquePtr &ent : ctx->dirs) { + // If a CRL, start from the previously saved suffix. Updated CRLs are + // expected to be added until new filenames. + // TODO(crbug.com/42290566): Is this what we want? + int suffix = 0; + if (type == X509_LU_CRL) { + suffix = ent->GetCRLSuffix(hash); } + + // The directory format handles hash collections by incrementing a suffix + // on the file name. Load every suffix into the cache. for (;;) { - OPENSSL_free(b); - if (OPENSSL_asprintf(&b, "%s/%08" PRIx32 ".%s%d", ent->dir, h, postfix, - k) == -1) { + char *path = nullptr; + if (OPENSSL_asprintf(&path, "%s/%08" PRIx32 ".%s%d", ent->dir(), hash, + postfix, suffix) == -1) { OPENSSL_PUT_ERROR(X509, ERR_R_BUF_LIB); - b = nullptr; - goto finish; + return 0; } + UniquePtr free_path(path); if (type == X509_LU_X509) { - if ((X509_load_cert_file(xl, b, ent->dir_type)) == 0) { - // Don't expose the lower level error, All of these boil - // down to "we could not find a CA". 
+ if ((X509_load_cert_file(xl, path, ent->dir_type())) == 0) { + // Don't expose the lower level error, All of these boil down to "we + // could not find a CA". ERR_clear_error(); break; } } else if (type == X509_LU_CRL) { - if ((X509_load_crl_file(xl, b, ent->dir_type)) == 0) { - // Don't expose the lower level error, All of these boil - // down to "we could not find a CRL". + if ((X509_load_crl_file(xl, path, ent->dir_type())) == 0) { + // Don't expose the lower level error, All of these boil down to "we + // could not find a CRL". ERR_clear_error(); break; } } - // The lack of a CA or CRL will be caught higher up - k++; + // The lack of a CA or CRL will be caught higher up. + suffix++; } - // we have added it to the cache so now pull it out again + // We have added it to the cache so now pull it out again. auto *store_impl = FromOpaque(xl->store_ctx); store_impl->objs_lock.LockWrite(); - tmp = nullptr; + const X509_OBJECT *found = nullptr; sk_X509_OBJECT_sort(store_impl->objs.get()); + size_t idx; if (sk_X509_OBJECT_find(store_impl->objs.get(), &idx, &stmp)) { - tmp = sk_X509_OBJECT_value(store_impl->objs.get(), idx); + found = sk_X509_OBJECT_value(store_impl->objs.get(), idx); } store_impl->objs_lock.UnlockWrite(); - // If a CRL, update the last file suffix added for this - - if (type == X509_LU_CRL) { - ent->lock.LockWrite(); - // Look for entry again in case another thread added an entry - // first. 
- if (!hent) { - htmp.hash = h; - sk_BY_DIR_HASH_sort(ent->hashes); - if (sk_BY_DIR_HASH_find(ent->hashes, &idx, &htmp)) { - hent = sk_BY_DIR_HASH_value(ent->hashes, idx); - } - } - if (!hent) { - hent = New(); - if (hent == nullptr) { - ent->lock.UnlockWrite(); - ok = 0; - goto finish; - } - hent->hash = h; - hent->suffix = k; - if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) { - ent->lock.UnlockWrite(); - Delete(hent); - ok = 0; - goto finish; - } - sk_BY_DIR_HASH_sort(ent->hashes); - } else if (hent->suffix < k) { - hent->suffix = k; - } - - ent->lock.UnlockWrite(); + // If a CRL, store the last suffix we saw, to skip already loaded files + // next time. + // TODO(crbug.com/42290566): Is this what we want? + if (type == X509_LU_CRL && !ent->UpdateCRLSuffix(hash, suffix)) { + return 0; } - if (tmp != nullptr) { - ok = 1; - ret->type = tmp->type; - OPENSSL_memcpy(&ret->data, &tmp->data, sizeof(ret->data)); - - // Clear any errors that might have been raised processing empty - // or malformed files. + if (found != nullptr) { + // Clear any errors that might have been raised processing empty or + // malformed files. ERR_clear_error(); - // If we were going to up the reference count, we would need - // to do it on a perl 'type' basis - goto finish; + // TODO(crbug.com/42290561): This should manage the reference counts + // correctly but does not. + ret->type = found->type; + OPENSSL_memcpy(&ret->data, &found->data, sizeof(ret->data)); + return 1; } } } -finish: - OPENSSL_free(b); - return ok; + + return 0; +} + +BSSL_NAMESPACE_END + +const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir() { + return &bssl::x509_dir_lookup; } int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *name, int type) { diff --git a/third_party/boringssl/src/crypto/x509/internal.h b/third_party/boringssl/src/crypto/x509/internal.h index 7257fcf4..c1a9dc4e 100644 --- a/third_party/boringssl/src/crypto/x509/internal.h +++ b/third_party/boringssl/src/crypto/x509/internal.h 
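Review bot: `ent->UpdateCRLSuffix(hash, suffix)` runs on every CRL lookup, including when no file loaded and `suffix` is still 0. `crl_suffixes_` therefore gains an entry, and a full re-sort, per distinct name hash per directory, even though `GetCRLSuffix` already returns 0 for a hash it has not seen. In a long-lived process that looks up CRLs for many issuer names the vector grows without bound; whether a peer can influence those names depends on callers outside this hunk. Guarding the call leaves lookup results unchanged: `if (type == X509_LU_CRL && suffix > 0 && !ent->UpdateCRLSuffix(hash, suffix)) {`. Two of the new comments also contain typos ("hash collections" for "hash collisions", "added until new filenames" for "added under new filenames"), and `get_cert_by_subject` itself begins in the previous hunk.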
@@ -46,9 +46,9 @@ int x509_parse_public_key(CBS *cbs, X509_PUBKEY *out, int x509_marshal_public_key(CBB *cbb, const X509_PUBKEY *in); int x509_pubkey_set1(X509_PUBKEY *key, EVP_PKEY *pkey); -// X509_PUBKEY is an |ASN1_ITEM| whose ASN.1 type is SubjectPublicKeyInfo and C -// type is |X509_PUBKEY*|. -// TODO(crbug.com/42290417): Remove this when |X509| and |X509_REQ| no longer +// X509_PUBKEY is an `ASN1_ITEM` whose ASN.1 type is SubjectPublicKeyInfo and C +// type is `X509_PUBKEY*`. +// TODO(crbug.com/42290417): Remove this when `X509` and `X509_REQ` no longer // depend on the tables. DECLARE_ASN1_ITEM(X509_PUBKEY) @@ -62,8 +62,8 @@ struct X509_name_entry_st { BSSL_NAMESPACE_BEGIN -// X509_NAME_ENTRY is an |ASN1_ITEM| whose ASN.1 type is AttributeTypeAndValue -// (RFC 5280) and C type is |X509_NAME_ENTRY*|. +// X509_NAME_ENTRY is an `ASN1_ITEM` whose ASN.1 type is AttributeTypeAndValue +// (RFC 5280) and C type is `X509_NAME_ENTRY*`. DECLARE_ASN1_ITEM(X509_NAME_ENTRY) struct X509_NAME_CACHE { @@ -90,8 +90,8 @@ struct x509_attributes_st { BSSL_NAMESPACE_BEGIN -// X509_ATTRIBUTE is an |ASN1_ITEM| whose ASN.1 type is Attribute (RFC 2986) and -// C type is |X509_ATTRIBUTE*|. +// X509_ATTRIBUTE is an `ASN1_ITEM` whose ASN.1 type is Attribute (RFC 2986) and +// C type is `X509_ATTRIBUTE*`. DECLARE_ASN1_ITEM(X509_ATTRIBUTE) typedef struct x509_cert_aux_st { 
@@ -111,14 +111,14 @@ struct X509_extension_st { ASN1_OCTET_STRING *value; } /* X509_EXTENSION */; -// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC -// 5280) and C type is |X509_EXTENSION*|. +// X509_EXTENSION is an `ASN1_ITEM` whose ASN.1 type is X.509 Extension (RFC +// 5280) and C type is `X509_EXTENSION*`. DECLARE_ASN1_ITEM(X509_EXTENSION) BSSL_NAMESPACE_BEGIN -// X509_EXTENSIONS is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE of Extension -// (RFC 5280) and C type is |STACK_OF(X509_EXTENSION)*|. +// X509_EXTENSIONS is an `ASN1_ITEM` whose ASN.1 type is SEQUENCE of Extension +// (RFC 5280) and C type is `STACK_OF(X509_EXTENSION)*`. DECLARE_ASN1_ITEM(X509_EXTENSIONS) class X509Impl : public x509_st, public RefCounted { @@ -126,7 +126,7 @@ class X509Impl : public x509_st, public RefCounted { X509Impl(); // TBSCertificate fields: - uint8_t version = X509_VERSION_1; // One of the |X509_VERSION_*| constants. + uint8_t version = X509_VERSION_1; // One of the `X509_VERSION_*` constants. ASN1_INTEGER serialNumber; X509_ALGOR tbs_sig_alg; X509Name issuer; @@ -142,8 +142,8 @@ class X509Impl : public x509_st, public RefCounted { ASN1_BIT_STRING signature; // Other state: // buf, if not nullptr, contains a copy of the serialized Certificate. - // TODO(davidben): Now every parsed |X509| has an underlying |CRYPTO_BUFFER|, - // but |X509|s created peacemeal do not. Can we make this more uniform? + // TODO(davidben): Now every parsed `X509` has an underlying `CRYPTO_BUFFER`, + // but `X509`s created peacemeal do not. Can we make this more uniform? CRYPTO_BUFFER *buf = nullptr; CRYPTO_EX_DATA ex_data; // These contain copies of various extension values 
@@ -167,8 +167,8 @@ class X509Impl : public x509_st, public RefCounted { int x509_marshal_tbs_cert(CBB *cbb, const X509 *x509); -// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C -// type is |X509*|. +// X509 is an `ASN1_ITEM` whose ASN.1 type is X.509 Certificate (RFC 5280) and C +// type is `X509*`. DECLARE_ASN1_ITEM(X509) typedef struct { @@ -192,8 +192,8 @@ struct X509_req_st { BSSL_NAMESPACE_BEGIN -// X509_REQ is an |ASN1_ITEM| whose ASN.1 type is CertificateRequest (RFC 2986) -// and C type is |X509_REQ*|. +// X509_REQ is an `ASN1_ITEM` whose ASN.1 type is CertificateRequest (RFC 2986) +// and C type is `X509_REQ*`. DECLARE_ASN1_ITEM(X509_REQ) BSSL_NAMESPACE_END @@ -208,9 +208,9 @@ struct x509_revoked_st { BSSL_NAMESPACE_BEGIN -// X509_REVOKED is an |ASN1_ITEM| whose ASN.1 type is an element of the +// X509_REVOKED is an `ASN1_ITEM` whose ASN.1 type is an element of the // revokedCertificates field of TBSCertList (RFC 5280) and C type is -// |X509_REVOKED*|. +// `X509_REVOKED*`. DECLARE_ASN1_ITEM(X509_REVOKED) typedef struct { @@ -261,16 +261,16 @@ struct X509_crl_st { BSSL_NAMESPACE_BEGIN -// X509_CRL is an |ASN1_ITEM| whose ASN.1 type is X.509 CertificateList (RFC -// 5280) and C type is |X509_CRL*|. +// X509_CRL is an `ASN1_ITEM` whose ASN.1 type is X.509 CertificateList (RFC +// 5280) and C type is `X509_CRL*`. DECLARE_ASN1_ITEM(X509_CRL) -// GENERAL_NAME is an |ASN1_ITEM| whose ASN.1 type is GeneralName and C type is -// |GENERAL_NAME*|. +// GENERAL_NAME is an `ASN1_ITEM` whose ASN.1 type is GeneralName and C type is +// `GENERAL_NAME*`. DECLARE_ASN1_ITEM(GENERAL_NAME) -// GENERAL_NAMES is an |ASN1_ITEM| whose ASN.1 type is SEQUENCE OF GeneralName -// and C type is |GENERAL_NAMES*|, aka |STACK_OF(GENERAL_NAME)*|. +// GENERAL_NAMES is an `ASN1_ITEM` whose ASN.1 type is SEQUENCE OF GeneralName +// and C type is `GENERAL_NAMES*`, aka `STACK_OF(GENERAL_NAME)*`. DECLARE_ASN1_ITEM(GENERAL_NAMES) BSSL_NAMESPACE_END 
@@ -305,12 +305,12 @@ struct x509_object_st { BSSL_NAMESPACE_BEGIN -// NETSCAPE_SPKI is an |ASN1_ITEM| whose ASN.1 type is -// SignedPublicKeyAndChallenge and C type is |NETSCAPE_SPKI*|. +// NETSCAPE_SPKI is an `ASN1_ITEM` whose ASN.1 type is +// SignedPublicKeyAndChallenge and C type is `NETSCAPE_SPKI*`. DECLARE_ASN1_ITEM(NETSCAPE_SPKI) -// NETSCAPE_SPKAC is an |ASN1_ITEM| whose ASN.1 type is PublicKeyAndChallenge -// and C type is |NETSCAPE_SPKAC*|. +// NETSCAPE_SPKAC is an `ASN1_ITEM` whose ASN.1 type is PublicKeyAndChallenge +// and C type is `NETSCAPE_SPKAC*`. DECLARE_ASN1_ITEM(NETSCAPE_SPKAC) BSSL_NAMESPACE_END @@ -375,7 +375,7 @@ struct x509_store_ctx_st { X509_VERIFY_PARAM *param; // trusted_stack, if non-NULL, is a set of trusted certificates to consider - // instead of those from |X509_STORE|. + // instead of those from `X509_STORE`. STACK_OF(X509) *trusted_stack; // Callbacks for various operations 
@@ -406,20 +406,20 @@ int X509_CERT_AUX_print(BIO *bp, X509_CERT_AUX *x, int indent); // RSA-PSS functions. -// x509_rsa_pss_to_ctx configures |ctx| for an RSA-PSS operation based on -// signature algorithm parameters in |sigalg| (which must have type -// |NID_rsassaPss|) and key |pkey|. It returns one on success and zero on +// x509_rsa_pss_to_ctx configures `ctx` for an RSA-PSS operation based on +// signature algorithm parameters in `sigalg` (which must have type +// `NID_rsassaPss`) and key `pkey`. It returns one on success and zero on // error. int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg, EVP_PKEY *pkey); -// x509_rsa_pss_to_ctx sets |algor| to the signature algorithm parameters for -// |ctx|, which must have been configured for an RSA-PSS signing operation. It +// x509_rsa_pss_to_ctx sets `algor` to the signature algorithm parameters for +// `ctx`, which must have been configured for an RSA-PSS signing operation. It // returns one on success and zero on error. int x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor); // x509_print_rsa_pss_params prints a human-readable representation of RSA-PSS -// parameters in |sigalg| to |bp|. It returns one on success and zero on +// parameters in `sigalg` to `bp`. It returns one on success and zero on // error. int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent, ASN1_PCTX *pctx); 
@@ -427,25 +427,25 @@ int x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, int indent, // Signature algorithm functions. -// x509_digest_sign_algorithm encodes the signing parameters of |ctx| as an -// AlgorithmIdentifier and saves the result in |algor|. It returns one on +// x509_digest_sign_algorithm encodes the signing parameters of `ctx` as an +// AlgorithmIdentifier and saves the result in `algor`. It returns one on // success, or zero on error. int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor); -// x509_digest_verify_init sets up |ctx| for a signature verification operation -// with public key |pkey| and parameters from |algor|. The |ctx| argument must -// have been initialised with |EVP_MD_CTX_init|. It returns one on success, or +// x509_digest_verify_init sets up `ctx` for a signature verification operation +// with public key `pkey` and parameters from `algor`. The `ctx` argument must +// have been initialised with `EVP_MD_CTX_init`. It returns one on success, or // zero on error. int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg, EVP_PKEY *pkey); -// x509_verify_signature verifies a |signature| using |sigalg| and |pkey| over -// |in|. It returns one if the signature is valid and zero on error. +// x509_verify_signature verifies a `signature` using `sigalg` and `pkey` over +// `in`. It returns one if the signature is valid and zero on error. int x509_verify_signature(const X509_ALGOR *sigalg, const ASN1_BIT_STRING *signature, Span in, EVP_PKEY *pkey); -// x509_sign_to_bit_string signs |in| using |ctx| and saves the result in |out|. +// x509_sign_to_bit_string signs `in` using `ctx` and saves the result in `out`. // It returns the length of the signature on success and zero on error. int x509_sign_to_bit_string(EVP_MD_CTX *ctx, ASN1_BIT_STRING *out, Span in); 
@@ -453,124 +453,124 @@ int x509_sign_to_bit_string(EVP_MD_CTX *ctx, ASN1_BIT_STRING *out, // Path-building functions. -// X509_policy_check checks certificate policies in |certs|. |user_policies| is -// the user-initial-policy-set. If |user_policies| is NULL or empty, it is -// interpreted as anyPolicy. |flags| is a set of |X509_V_FLAG_*| values to -// apply. It returns |X509_V_OK| on success and |X509_V_ERR_*| on error. It -// additionally sets |*out_current_cert| to the certificate where the error +// X509_policy_check checks certificate policies in `certs`. `user_policies` is +// the user-initial-policy-set. If `user_policies` is NULL or empty, it is +// interpreted as anyPolicy. `flags` is a set of `X509_V_FLAG_*` values to +// apply. It returns `X509_V_OK` on success and `X509_V_ERR_*` on error. It +// additionally sets `*out_current_cert` to the certificate where the error // occurred. If the function succeeded, or the error applies to the entire -// chain, it sets |*out_current_cert| to NULL. +// chain, it sets `*out_current_cert` to NULL. int X509_policy_check(const STACK_OF(X509) *certs, const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, X509 **out_current_cert); -// x509_check_issued_with_callback calls |X509_check_issued|, but allows the +// x509_check_issued_with_callback calls `X509_check_issued`, but allows the // verify callback to override the result. It returns one on success and zero on // error. // // TODO(davidben): Reduce the scope of the verify callback and remove this. The -// callback only runs with |X509_V_FLAG_CB_ISSUER_CHECK|, which is only used by +// callback only runs with `X509_V_FLAG_CB_ISSUER_CHECK`, which is only used by // one internal project and rust-openssl, who use it by mistake. 
int x509_check_issued_with_callback(X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer); -// x509v3_bytes_to_hex encodes |len| bytes from |in| to hex and returns a +// x509v3_bytes_to_hex encodes `len` bytes from `in` to hex and returns a // newly-allocated NUL-terminated string containing the result, or NULL on // allocation error. // -// This function was historically named |hex_to_string| in OpenSSL. Despite the -// name, |hex_to_string| converted to hex. +// This function was historically named `hex_to_string` in OpenSSL. Despite the +// name, `hex_to_string` converted to hex. OPENSSL_EXPORT char *x509v3_bytes_to_hex(const uint8_t *in, size_t len); -// x509v3_hex_string_to_bytes decodes |str| in hex and returns a newly-allocated -// array containing the result, or NULL on error. On success, it sets |*len| to +// x509v3_hex_string_to_bytes decodes `str` in hex and returns a newly-allocated +// array containing the result, or NULL on error. On success, it sets `*len` to // the length of the result. Colon separators between bytes in the input are // allowed and ignored. // -// This function was historically named |string_to_hex| in OpenSSL. Despite the -// name, |string_to_hex| converted from hex. +// This function was historically named `string_to_hex` in OpenSSL. Despite the +// name, `string_to_hex` converted from hex. unsigned char *x509v3_hex_to_bytes(const char *str, size_t *len); -// x509v3_conf_name_matches returns one if |name| is equal to |cmp| or begins -// with |cmp| followed by '.', and zero otherwise. +// x509v3_conf_name_matches returns one if `name` is equal to `cmp` or begins +// with `cmp` followed by '.', and zero otherwise. int x509v3_conf_name_matches(const char *name, const char *cmp); -// x509v3_looks_like_dns_name returns one if |in| looks like a DNS name and zero +// x509v3_looks_like_dns_name returns one if `in` looks like a DNS name and zero // otherwise. 
OPENSSL_EXPORT int x509v3_looks_like_dns_name(const unsigned char *in, size_t len); // x509v3_cache_extensions fills in a number of fields relating to X.509 -// extensions in |x|. It returns one on success and zero if some extensions were +// extensions in `x`. It returns one on success and zero if some extensions were // invalid. OPENSSL_EXPORT int x509v3_cache_extensions(X509 *x); -// x509v3_a2i_ipadd decodes |ipasc| as an IPv4 or IPv6 address. IPv6 addresses +// x509v3_a2i_ipadd decodes `ipasc` as an IPv4 or IPv6 address. IPv6 addresses // use colon-separated syntax while IPv4 addresses use dotted decimal syntax. If // it decodes an IPv4 address, it writes the result to the first four bytes of -// |ipout| and returns four. If it decodes an IPv6 address, it writes the result -// to all 16 bytes of |ipout| and returns 16. Otherwise, it returns zero. +// `ipout` and returns four. If it decodes an IPv6 address, it writes the result +// to all 16 bytes of `ipout` and returns 16. Otherwise, it returns zero. int x509v3_a2i_ipadd(unsigned char ipout[16], const char *ipasc); -// A |BIT_STRING_BITNAME| is used to contain a list of bit names. +// A `BIT_STRING_BITNAME` is used to contain a list of bit names. typedef struct { int bitnum; const char *lname; const char *sname; } BIT_STRING_BITNAME; -// x509V3_add_value_asn1_string appends a |CONF_VALUE| with the specified name -// and value to |*extlist|. if |*extlist| is NULL, it sets |*extlist| to a -// newly-allocated |STACK_OF(CONF_VALUE)| first. It returns one on success and +// x509V3_add_value_asn1_string appends a `CONF_VALUE` with the specified name +// and value to `*extlist`. if `*extlist` is NULL, it sets `*extlist` to a +// newly-allocated `STACK_OF(CONF_VALUE)` first. It returns one on success and // zero on error. 
int x509V3_add_value_asn1_string(const char *name, const ASN1_STRING *value, STACK_OF(CONF_VALUE) **extlist); -// X509V3_NAME_from_section adds attributes to |nm| by interpreting the -// key/value pairs in |dn_sk|. It returns one on success and zero on error. -// |chtype|, which should be one of |MBSTRING_*| constants, determines the +// X509V3_NAME_from_section adds attributes to `nm` by interpreting the +// key/value pairs in `dn_sk`. It returns one on success and zero on error. +// `chtype`, which should be one of `MBSTRING_*` constants, determines the // character encoding used to interpret values. int X509V3_NAME_from_section(X509_NAME *nm, const STACK_OF(CONF_VALUE) *dn_sk, int chtype); -// X509V3_bool_from_string decodes |str| as a boolean. On success, it returns -// one and sets |*out_bool| to resulting value. Otherwise, it returns zero. +// X509V3_bool_from_string decodes `str` as a boolean. On success, it returns +// one and sets `*out_bool` to resulting value. Otherwise, it returns zero. int X509V3_bool_from_string(const char *str, ASN1_BOOLEAN *out_bool); -// X509V3_get_value_bool decodes |value| as a boolean. On success, it returns -// one and sets |*out_bool| to the resulting value. Otherwise, it returns zero. +// X509V3_get_value_bool decodes `value` as a boolean. On success, it returns +// one and sets `*out_bool` to the resulting value. Otherwise, it returns zero. int X509V3_get_value_bool(const CONF_VALUE *value, ASN1_BOOLEAN *out_bool); -// X509V3_get_value_int decodes |value| as an integer. On success, it returns -// one and sets |*aint| to the resulting value. Otherwise, it returns zero. If -// |*aint| was non-NULL at the start of the function, it frees the previous +// X509V3_get_value_int decodes `value` as an integer. On success, it returns +// one and sets `*aint` to the resulting value. Otherwise, it returns zero. If +// `*aint` was non-NULL at the start of the function, it frees the previous // value before writing a new one. 
int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint); -// X509V3_get_section behaves like |NCONF_get_section| but queries |ctx|'s +// X509V3_get_section behaves like `NCONF_get_section` but queries `ctx`'s // config database. const STACK_OF(CONF_VALUE) *X509V3_get_section(const X509V3_CTX *ctx, const char *section); -// X509V3_add_value appends a |CONF_VALUE| containing |name| and |value| to -// |*extlist|. It returns one on success and zero on error. If |*extlist| is -// NULL, it sets |*extlist| to a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the result. Either |name| or |value| may be NULL to omit the +// X509V3_add_value appends a `CONF_VALUE` containing `name` and `value` to +// `*extlist`. It returns one on success and zero on error. If `*extlist` is +// NULL, it sets `*extlist` to a newly-allocated `STACK_OF(CONF_VALUE)` +// containing the result. Either `name` or `value` may be NULL to omit the // field. // -// On failure, if |*extlist| was NULL, |*extlist| will remain NULL when the +// On failure, if `*extlist` was NULL, `*extlist` will remain NULL when the // function returns. int X509V3_add_value(const char *name, const char *value, STACK_OF(CONF_VALUE) **extlist); -// X509V3_add_value_bool behaves like |X509V3_add_value| but stores the value -// "TRUE" if |asn1_bool| is non-zero and "FALSE" otherwise. +// X509V3_add_value_bool behaves like `X509V3_add_value` but stores the value +// "TRUE" if `asn1_bool` is non-zero and "FALSE" otherwise. int X509V3_add_value_bool(const char *name, int asn1_bool, STACK_OF(CONF_VALUE) **extlist); -// X509V3_add_value_bool behaves like |X509V3_add_value| but stores a string -// representation of |aint|. Note this string representation may be decimal or -// hexadecimal, depending on the size of |aint|. +// X509V3_add_value_bool behaves like `X509V3_add_value` but stores a string +// representation of `aint`. 
Note this string representation may be decimal or +// hexadecimal, depending on the size of `aint`. int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, STACK_OF(CONF_VALUE) **extlist); @@ -580,7 +580,7 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); ERR_add_error_data(6, "section:", (val)->section, ",name:", (val)->name, \ ",value:", (val)->value); -// GENERAL_NAME_cmp returns zero if |a| and |b| are equal and a non-zero +// GENERAL_NAME_cmp returns zero if `a` and `b` are equal and a non-zero // value otherwise. Note this function does not provide a comparison suitable // for sorting. // @@ -588,8 +588,8 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); OPENSSL_EXPORT int GENERAL_NAME_cmp(const GENERAL_NAME *a, const GENERAL_NAME *b); -// X509_VERIFY_PARAM_lookup returns a pre-defined |X509_VERIFY_PARAM| named by -// |name|, or NULL if no such name is defined. +// X509_VERIFY_PARAM_lookup returns a pre-defined `X509_VERIFY_PARAM` named by +// `name`, or NULL if no such name is defined. const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, 
@@ -614,12 +614,12 @@ int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname); void x509_name_init(X509_NAME *name); void x509_name_cleanup(X509_NAME *name); -// x509_parse_name parses a DER-encoded, X.509 Name from |cbs| and writes the -// result to |*out|. It returns one on success and zero on error. +// x509_parse_name parses a DER-encoded, X.509 Name from `cbs` and writes the +// result to `*out`. It returns one on success and zero on error. int x509_parse_name(CBS *cbs, X509_NAME *out); -// x509_marshal_name marshals |in| as a DER-encoded, X.509 Name and writes the -// result to |out|. It returns one on success and zero on error. +// x509_marshal_name marshals `in` as a DER-encoded, X.509 Name and writes the +// result to `out`. It returns one on success and zero on error. int x509_marshal_name(CBB *out, const X509_NAME *in); const X509_NAME_CACHE *x509_name_get_cache(const X509_NAME *name); @@ -630,12 +630,12 @@ int x509_name_copy(X509_NAME *dst, const X509_NAME *src); void x509_algor_init(X509_ALGOR *alg); void x509_algor_cleanup(X509_ALGOR *alg); -// x509_parse_algorithm parses a DER-encoded, AlgorithmIdentifier from |cbs| and -// writes the result to |*out|. It returns one on success and zero on error. +// x509_parse_algorithm parses a DER-encoded, AlgorithmIdentifier from `cbs` and +// writes the result to `*out`. It returns one on success and zero on error. int x509_parse_algorithm(CBS *cbs, X509_ALGOR *out); -// x509_marshal_algorithm marshals |in| as a DER-encoded, AlgorithmIdentifier -// and writes the result to |out|. It returns one on success and zero on error. +// x509_marshal_algorithm marshals `in` as a DER-encoded, AlgorithmIdentifier +// and writes the result to `out`. It returns one on success and zero on error. int x509_marshal_algorithm(CBB *out, const X509_ALGOR *in); diff --git a/third_party/boringssl/src/crypto/x509/name_print.cc b/third_party/boringssl/src/crypto/x509/name_print.cc index e4db871e..758a9fb1 100644 
--- a/third_party/boringssl/src/crypto/x509/name_print.cc +++ b/third_party/boringssl/src/crypto/x509/name_print.cc @@ -24,11 +24,11 @@ static int maybe_write(BIO *out, const void *buf, int len) { - // If |out| is NULL, ignore the output but report the length. + // If `out` is NULL, ignore the output but report the length. return out == nullptr || BIO_write(out, buf, len) == len; } -// do_indent prints |indent| spaces to |out|. +// do_indent prints `indent` spaces to `out`. static int do_indent(BIO *out, int indent) { for (int i = 0; i < indent; i++) { if (!maybe_write(out, " ", 1)) { @@ -174,7 +174,7 @@ int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, unsigned long flags) { BIO *bio = nullptr; if (fp != nullptr) { - // If |fp| is NULL, this function returns the number of bytes without + // If `fp` is NULL, this function returns the number of bytes without // writing. bio = BIO_new_fp(fp, BIO_NOCLOSE); if (bio == nullptr) { diff --git a/third_party/boringssl/src/crypto/x509/policy.cc b/third_party/boringssl/src/crypto/x509/policy.cc index 0ab37547..b2c5fbab 100644 --- a/third_party/boringssl/src/crypto/x509/policy.cc +++ b/third_party/boringssl/src/crypto/x509/policy.cc @@ -93,13 +93,13 @@ struct X509PolicyNode { bool mapped = false; // reachable is whether this node is reachable from some valid policy in the - // end-entity certificate. It is computed during |has_explicit_policy|. + // end-entity certificate. It is computed during `has_explicit_policy`. bool reachable = false; }; // An X509PolicyLevel is the collection of nodes at the same depth in the // policy graph. This structure can also be used to represent a level's -// "expected_policy_set" values. See |process_policy_mappings|. +// "expected_policy_set" values. See `process_policy_mappings`. class X509PolicyLevel { public: bool has_any_policy() const { return has_any_policy_; } 
@@ -116,7 +116,7 @@ class X509PolicyLevel { nodes_.clear(); } - // Find returns the node corresponding to |policy|, or nullptr if none exists. + // Find returns the node corresponding to `policy`, or nullptr if none exists. X509PolicyNode *Find(const ASN1_OBJECT *policy) { // The list is sorted, so we can binary search. auto it = std::lower_bound( @@ -130,9 +130,9 @@ class X509PolicyLevel { return &*it; } - // AddNodes adds the nodes in |nodes|. It returns true on success and false on - // error. No policy in |nodes| may already be present. This method leaves - // the objects in |nodes| in a moved-from state. + // AddNodes adds the nodes in `nodes`. It returns true on success and false on + // error. No policy in `nodes` may already be present. This method leaves + // the objects in `nodes` in a moved-from state. // // This method re-sorts the nodes, so it runs in time proportional to the // total size of the level. However, each level is only added to three times @@ -151,7 +151,7 @@ class X509PolicyLevel { return true; } - // EraseNodesIf removes all nodes that satisfy the predicate |pred|. + // EraseNodesIf removes all nodes that satisfy the predicate `pred`. template void EraseNodesIf(Pred pred) { nodes_.EraseIf(pred); 
@@ -170,11 +170,11 @@ int policyinfo_cmp(const POLICYINFO *const *a, const POLICYINFO *const *b) { return OBJ_cmp((*a)->policyid, (*b)->policyid); } -// process_certificate_policies updates |level| to incorporate |x509|'s +// process_certificate_policies updates `level` to incorporate `x509`'s // certificate policies extension. This implements steps (d) and (e) of RFC -// 5280, section 6.1.3. |level| must contain the previous level's +// 5280, section 6.1.3. `level` must contain the previous level's // "expected_policy_set" information. For all but the top-most level, this is -// the output of |process_policy_mappings|. |any_policy_allowed| specifies +// the output of `process_policy_mappings`. `any_policy_allowed` specifies // whether anyPolicy is allowed or inhibited, taking into account the exception // for self-issued certificates. bool process_certificate_policies(const X509 *x509, X509PolicyLevel *level, 
@@ -210,20 +210,20 @@ bool process_certificate_policies(const X509 *x509, X509PolicyLevel *level, } if (i > 0 && OBJ_cmp(sk_POLICYINFO_value(policies.get(), i - 1)->policyid, policy->policyid) == 0) { - // Per RFC 5280, section 4.2.1.4, |policies| may not have duplicates. + // Per RFC 5280, section 4.2.1.4, `policies` may not have duplicates. OPENSSL_PUT_ERROR(X509, X509_R_INVALID_POLICY_EXTENSION); return false; } } // This does the same thing as RFC 5280, section 6.1.3, step (d), though in - // a slightly different order. |level| currently contains + // a slightly different order. `level` currently contains // "expected_policy_set" values of the previous level. See - // |process_policy_mappings| for details. + // `process_policy_mappings` for details. const bool previous_level_has_any_policy = level->has_any_policy(); // First, we handle steps (d.1.i) and (d.2). The net effect of these two - // steps is to intersect |level| with |policies|, ignoring anyPolicy if it + // steps is to intersect `level` with `policies`, ignoring anyPolicy if it // is inhibited. if (!cert_has_any_policy || !any_policy_allowed) { level->EraseNodesIf([&](const X509PolicyNode &node) { @@ -241,7 +241,7 @@ bool process_certificate_policies(const X509 *x509, X509PolicyLevel *level, if (previous_level_has_any_policy) { Vector new_nodes; for (const POLICYINFO *policy : policies.get()) { - // Though we've reordered the steps slightly, |policy| is in |level| if + // Though we've reordered the steps slightly, `policy` is in `level` if // and only if it would have been a match in step (d.1.ii). if (!is_any_policy(policy->policyid) && level->Find(policy->policyid) == nullptr) { 
@@ -269,21 +269,21 @@ int compare_subject_policy(const POLICY_MAPPING *const *a, return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy); } -// process_policy_mappings processes the policy mappings extension of |cert|, -// whose corresponding graph level is |level|. |mapping_allowed| specifies +// process_policy_mappings processes the policy mappings extension of `cert`, +// whose corresponding graph level is `level`. `mapping_allowed` specifies // whether policy mapping is inhibited at this point. On success, it returns an -// |X509PolicyLevel| containing the "expected_policy_set" for |level|. On error, +// `X509PolicyLevel` containing the "expected_policy_set" for `level`. On error, // it returns std::nullopt. This implements steps (a) and (b) of RFC 5280, // section 6.1.4. // -// We represent the "expected_policy_set" as an |X509PolicyLevel|. -// |has_any_policy| indicates whether there is an anyPolicy node with +// We represent the "expected_policy_set" as an `X509PolicyLevel`. +// `has_any_policy` indicates whether there is an anyPolicy node with // "expected_policy_set" of {anyPolicy}. If a node with policy oid P1 contains // P2 in its "expected_policy_set", the level will contain a node of policy P2 -// with P1 in |parent_policies|. +// with P1 in `parent_policies`. // -// This is equivalent to the |X509PolicyLevel| that would result if the next -// certificates contained anyPolicy. |process_certificate_policies| will filter +// This is equivalent to the `X509PolicyLevel` that would result if the next +// certificates contained anyPolicy. `process_certificate_policies` will filter // this result down to compute the actual level. std::optional process_policy_mappings(const X509 *cert, X509PolicyLevel *level, 
@@ -317,12 +317,12 @@ std::optional process_policy_mappings(const X509 *cert, sk_POLICY_MAPPING_sort(mappings.get()); if (mapping_allowed) { - // Mark nodes as mapped, and add any nodes to |level| which may be + // Mark nodes as mapped, and add any nodes to `level` which may be // needed as part of RFC 5280, section 6.1.4, step (b.1). Vector new_nodes; const ASN1_OBJECT *last_policy = nullptr; for (const POLICY_MAPPING *mapping : mappings.get()) { - // There may be multiple mappings with the same |issuerDomainPolicy|. + // There may be multiple mappings with the same `issuerDomainPolicy`. if (last_policy != nullptr && OBJ_cmp(mapping->issuerDomainPolicy, last_policy) == 0) { continue; @@ -353,7 +353,7 @@ std::optional process_policy_mappings(const X509 *cert, // RFC 5280, section 6.1.4, step (b.2). If mapping is inhibited, delete // all mapped nodes. level->EraseNodesIf([&](const X509PolicyNode &node) { - // |mappings| must have been sorted by |compare_issuer_policy|. + // `mappings` must have been sorted by `compare_issuer_policy`. assert(sk_POLICY_MAPPING_is_sorted(mappings.get())); // Check if the node was mapped. POLICY_MAPPING mapping; @@ -367,7 +367,7 @@ std::optional process_policy_mappings(const X509 *cert, } // If a node was not mapped, it retains the original "explicit_policy_set" - // value, itself. Add those to |mappings|. + // value, itself. Add those to `mappings`. if (mappings == nullptr) { mappings.reset(sk_POLICY_MAPPING_new_null()); if (mappings == nullptr) { 
@@ -394,10 +394,10 @@ std::optional process_policy_mappings(const X509 *cert, sk_POLICY_MAPPING_set_cmp_func(mappings.get(), compare_subject_policy); sk_POLICY_MAPPING_sort(mappings.get()); - // Convert |mappings| to our "expected_policy_set" representation. + // Convert `mappings` to our "expected_policy_set" representation. Vector next_nodes; for (POLICY_MAPPING *mapping : mappings.get()) { - // Skip mappings where |issuerDomainPolicy| does not appear in the graph. + // Skip mappings where `issuerDomainPolicy` does not appear in the graph. if (!level->has_any_policy() && level->Find(mapping->issuerDomainPolicy) == nullptr) { continue; @@ -411,7 +411,7 @@ std::optional process_policy_mappings(const X509 *cert, } } - // |mapping| is going to be destroyed, so steal its policy object. + // `mapping` is going to be destroyed, so steal its policy object. UniquePtr policy( std::exchange(mapping->issuerDomainPolicy, nullptr)); if (!next_nodes.back().parent_policies.Push(std::move(policy))) { @@ -427,9 +427,9 @@ std::optional process_policy_mappings(const X509 *cert, return next; } -// apply_skip_certs, if |skip_certs| is non-NULL, sets |*value| to the minimum -// of its current value and |skip_certs|. It returns true on success and false -// if |skip_certs| is negative. +// apply_skip_certs, if `skip_certs` is non-NULL, sets `*value` to the minimum +// of its current value and `skip_certs`. It returns true on success and false +// if `skip_certs` is negative. bool apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) { if (skip_certs == nullptr) { return true; @@ -441,7 +441,7 @@ bool apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) { return false; } - // If |skip_certs| does not fit in |uint64_t|, it must exceed |*value|. + // If `skip_certs` does not fit in `uint64_t`, it must exceed `*value`. uint64_t u64; if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) { *value = (size_t)u64; 
@@ -450,8 +450,8 @@ bool apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) { return true; } -// process_policy_constraints updates |*explicit_policy|, |*policy_mapping|, and -// |*inhibit_any_policy| according to |x509|'s policy constraints and inhibit +// process_policy_constraints updates `*explicit_policy`, `*policy_mapping`, and +// `*inhibit_any_policy` according to `x509`'s policy constraints and inhibit // anyPolicy extensions. It returns one on success and zero on error. This // implements steps (i) and (j) of RFC 5280, section 6.1.4. bool process_policy_constraints(const X509 *x509, size_t *explicit_policy, @@ -489,9 +489,9 @@ bool process_policy_constraints(const X509 *x509, size_t *explicit_policy, } // has_explicit_policy returns true if the set of authority-space policy OIDs -// |levels| has some non-empty intersection with |user_policies|, and false +// `levels` has some non-empty intersection with `user_policies`, and false // otherwise. This mirrors the logic in RFC 5280, section 6.1.5, step (g). This -// function modifies |levels| and should only be called at the end of policy +// function modifies `levels` and should only be called at the end of policy // evaluation. bool has_explicit_policy(Span levels, const STACK_OF(ASN1_OBJECT) *user_policies) { @@ -505,7 +505,7 @@ bool has_explicit_policy(Span levels, // Step (g.ii). If the policy graph is not empty and the user set contains // anyPolicy, the intersection is the entire (non-empty) graph. // - // If |user_policies| is empty, we interpret it as having a single anyPolicy + // If `user_policies` is empty, we interpret it as having a single anyPolicy // value. The caller may also have supplied anyPolicy explicitly. if (sk_ASN1_OBJECT_num(user_policies) == 0) { return true; 
@@ -539,15 +539,15 @@ bool has_explicit_policy(Span levels, continue; } if (node.parent_is_any_policy()) { - // |node|'s parent is anyPolicy and is part of "valid_policy_node_set". - // If it exists in |user_policies|, the intersection is non-empty and we + // `node`'s parent is anyPolicy and is part of "valid_policy_node_set". + // If it exists in `user_policies`, the intersection is non-empty and we // can return immediately. if (sk_ASN1_OBJECT_find(user_policies, /*out_index=*/nullptr, node.policy.get())) { return true; } } else if (i > 0) { - // |node|'s parents are concrete policies. Mark the parents reachable, + // `node`'s parents are concrete policies. Mark the parents reachable, // to be inspected by the next loop iteration. X509PolicyLevel &prev = levels[i - 1]; for (const auto &parent_policy : node.parent_policies) { @@ -605,7 +605,7 @@ int X509_policy_check(const STACK_OF(X509) *certs, level->set_has_any_policy(true); } - // RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| is + // RFC 5280, section 6.1.3, steps (d) and (e). `any_policy_allowed` is // computed as in step (d.2). const int any_policy_allowed = inhibit_any_policy > 0 || (i > 0 && is_self_issued); @@ -638,7 +638,7 @@ int X509_policy_check(const STACK_OF(X509) *certs, // RFC 5280, section 6.1.4, step (h-j) for non-leaves, and section 6.1.5, // step (a-b) for leaves. In the leaf case, RFC 5280 says only to update - // |explicit_policy|, but |policy_mapping| and |inhibit_any_policy| are no + // `explicit_policy`, but `policy_mapping` and `inhibit_any_policy` are no // longer read at this point, so we use the same process. if (i == 0 || !is_self_issued) { if (explicit_policy > 0) { 
@@ -661,10 +661,10 @@ int X509_policy_check(const STACK_OF(X509) *certs, // RFC 5280, section 6.1.5, step (g). We do not output the policy set, so it // is only necessary to check if the user-constrained-policy-set is not empty. if (explicit_policy == 0) { - // Build a sorted copy of |user_policies| for more efficient lookup. + // Build a sorted copy of `user_policies` for more efficient lookup. STACK_OF(ASN1_OBJECT) *user_policies_sorted = nullptr; - // |user_policies_sorted|'s contents are owned by |user_policies|, so we do - // not use |sk_ASN1_OBJECT_pop_free|. + // `user_policies_sorted`'s contents are owned by `user_policies`, so we do + // not use `sk_ASN1_OBJECT_pop_free`. Cleanup cleanup = [&] { sk_ASN1_OBJECT_free(user_policies_sorted); }; if (user_policies != nullptr) { user_policies_sorted = sk_ASN1_OBJECT_dup(user_policies); diff --git a/third_party/boringssl/src/crypto/x509/rsa_pss.cc b/third_party/boringssl/src/crypto/x509/rsa_pss.cc index 4aa21235..f1489114 100644 --- a/third_party/boringssl/src/crypto/x509/rsa_pss.cc +++ b/third_party/boringssl/src/crypto/x509/rsa_pss.cc @@ -100,7 +100,7 @@ int bssl::x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) { return 0; } - // Encode |params| to an |ASN1_STRING|. + // Encode `params` to an `ASN1_STRING`. uint8_t buf[128]; // The largest param fits comfortably in 128 bytes. CBB cbb; CBB_init_fixed(&cbb, buf, sizeof(buf)); @@ -117,7 +117,7 @@ int bssl::x509_rsa_ctx_to_pss(EVP_MD_CTX *ctx, X509_ALGOR *algor) { params_str.get())) { return 0; } - params_str.release(); // |X509_ALGOR_set0| took ownership. + params_str.release(); // `X509_ALGOR_set0` took ownership. return 1; } @@ -154,7 +154,7 @@ int bssl::x509_print_rsa_pss_params(BIO *bp, const X509_ALGOR *sigalg, uint32_t salt_len = 0; switch (params) { case rsa_pss_none: - // |rsa_pss_decode| will never return this. + // `rsa_pss_decode` will never return this. OPENSSL_PUT_ERROR(X509, ERR_R_INTERNAL_ERROR); return 0; case rsa_pss_sha256: 
diff --git a/third_party/boringssl/src/crypto/x509/t_crl.cc b/third_party/boringssl/src/crypto/x509/t_crl.cc index 5ef99ab3..54f08bc0 100644 --- a/third_party/boringssl/src/crypto/x509/t_crl.cc +++ b/third_party/boringssl/src/crypto/x509/t_crl.cc @@ -41,7 +41,7 @@ int X509_CRL_print(BIO *out, const X509_CRL *x) { if (BIO_printf(out, "Certificate Revocation List (CRL):\n") <= 0 || BIO_printf(out, "%8sVersion %ld (0x%lx)\n", "", version + 1, (unsigned long)version) <= 0 || - // Note this and the other |X509_signature_print| call both print the + // Note this and the other `X509_signature_print` call both print the // outer signature algorithm, rather than printing the inner and outer // ones separately. This matches OpenSSL, though it was probably a bug. !X509_signature_print(out, sig_alg, nullptr)) { @@ -77,7 +77,7 @@ int X509_CRL_print(BIO *out, const X509_CRL *x) { return 0; } - // TODO(crbug.com/442860745): |X509_CRL_get_REVOKED| is not const-correct. + // TODO(crbug.com/442860745): `X509_CRL_get_REVOKED` is not const-correct. const STACK_OF(X509_REVOKED) *rev = X509_CRL_get_REVOKED(const_cast(x)); if (sk_X509_REVOKED_num(rev) > 0) { diff --git a/third_party/boringssl/src/crypto/x509/t_req.cc b/third_party/boringssl/src/crypto/x509/t_req.cc index 8eeac078..012dd890 100644 --- a/third_party/boringssl/src/crypto/x509/t_req.cc +++ b/third_party/boringssl/src/crypto/x509/t_req.cc @@ -64,7 +64,7 @@ int X509_REQ_print_ex(BIO *bio, const X509_REQ *x, unsigned long nmflags, } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_REQ_get_version(x); - // Only zero, |X509_REQ_VERSION_1|, is valid but our parser accepts some + // Only zero, `X509_REQ_VERSION_1`, is valid but our parser accepts some // invalid values for compatibility. assert(0 <= l && l <= 2); if (BIO_printf(bio, "%8sVersion: %ld (0x%lx)\n", "", l + 1, 
@@ -108,7 +108,7 @@ int X509_REQ_print_ex(BIO *bio, const X509_REQ *x, unsigned long nmflags, } } else { for (size_t i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { - // TODO(crbug.com/442860745): |X509_ATTRIBUTE| accessors are not + // TODO(crbug.com/442860745): `X509_ATTRIBUTE` accessors are not // const-correct. X509_ATTRIBUTE *a = sk_X509_ATTRIBUTE_value(sk, i); const ASN1_OBJECT *aobj = X509_ATTRIBUTE_get0_object(a); diff --git a/third_party/boringssl/src/crypto/x509/t_x509.cc b/third_party/boringssl/src/crypto/x509/t_x509.cc index 69c8d859..1d7de414 100644 --- a/third_party/boringssl/src/crypto/x509/t_x509.cc +++ b/third_party/boringssl/src/crypto/x509/t_x509.cc @@ -93,7 +93,7 @@ int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflags, return 0; } } else { - ERR_clear_error(); // Clear |ASN1_INTEGER_get_uint64|'s error. + ERR_clear_error(); // Clear `ASN1_INTEGER_get_uint64`'s error. const char *neg = (serial->type == V_ASN1_NEG_INTEGER) ? " (Negative)" : ""; if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) { diff --git a/third_party/boringssl/src/crypto/x509/v3_akey.cc b/third_party/boringssl/src/crypto/x509/v3_akey.cc index 9f5df55f..1b9ef887 100644 --- a/third_party/boringssl/src/crypto/x509/v3_akey.cc +++ b/third_party/boringssl/src/crypto/x509/v3_akey.cc 
@@ -86,36 +86,29 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID( return nullptr; } -// Currently two options: keyid: use the issuers subject keyid, the value -// 'always' means its is an error if the issuer certificate doesn't have a -// key id. issuer: use the issuers cert issuer and serial number. The default -// is to only use this if keyid is not present. With the option 'always' this -// is always included. - +// Currently two options: +// +// - keyid: Use the issuer's subject key ID. The value 'always' means it's an +// error if the issuer certificate doesn't have one. +// +// - issuer: Use the issuer's issuer and serial number. The default is to only +// use this if the key ID is not present. The value 'always' means it's always +// included. static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const STACK_OF(CONF_VALUE) *values) { - char keyid = 0, issuer = 0; - int j; - ASN1_OCTET_STRING *ikeyid = nullptr; - X509_NAME *isname = nullptr; - GENERAL_NAMES *gens = nullptr; - GENERAL_NAME *gen = nullptr; - ASN1_INTEGER *serial = nullptr; - const X509 *cert; - AUTHORITY_KEYID *akeyid; - - for (size_t i = 0; i < sk_CONF_VALUE_num(values); i++) { - const CONF_VALUE *cnf = sk_CONF_VALUE_value(values, i); + enum Option { kOff = 0, kOn = 1, kAlways = 2 }; + Option use_key_id = kOff, use_issuer = kOff; + for (const CONF_VALUE *cnf : values) { if (!strcmp(cnf->name, "keyid")) { - keyid = 1; + use_key_id = kOn; if (cnf->value && !strcmp(cnf->value, "always")) { - keyid = 2; + use_key_id = kAlways; } } else if (!strcmp(cnf->name, "issuer")) { - issuer = 1; + use_issuer = kOn; if (cnf->value && !strcmp(cnf->value, "always")) { - issuer = 2; + use_issuer = kAlways; } } else { OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNKNOWN_OPTION); 
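Review bot: In the option loop of v2i_AUTHORITY_KEYID, an unrecognised option name is rejected with X509V3_R_UNKNOWN_OPTION, but an unrecognised value is not. Any value other than `always`, including a misspelling of it, leaves the option at `kOn`, so a configuration meant to require the issuer key ID silently becomes best-effort. The removed lines behaved the same way, so this may be deliberate for compatibility; if so, a comment above the loop would record it, for example `// Any value other than "always" is ignored and treated as the plain option.` A later bare `keyid` or `issuer` entry also resets an earlier `always` back to `kOn`, which the same comment could mention. The loop's error branch and the rest of the function continue outside this hunk.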
@@ -132,51 +125,50 @@ static void *v2i_AUTHORITY_KEYID(const X509V3_EXT_METHOD *method, return nullptr; } - cert = ctx->issuer_cert; - - if (keyid) { - j = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); - const X509_EXTENSION *ext; - if ((j >= 0) && (ext = X509_get_ext(cert, j))) { - ikeyid = reinterpret_cast(X509V3_EXT_d2i(ext)); + UniquePtr key_id; + if (use_key_id != kOff) { + int critical; + key_id.reset(static_cast(X509_get_ext_d2i( + ctx->issuer_cert, NID_subject_key_identifier, &critical, nullptr))); + if (key_id == nullptr && critical != -1) { + return nullptr; // Syntax error in the extension. } - if (keyid == 2 && !ikeyid) { + if (use_key_id == kAlways && key_id == nullptr) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); return nullptr; } } - if ((issuer && !ikeyid) || (issuer == 2)) { - isname = X509_NAME_dup(X509_get_issuer_name(cert)); - serial = ASN1_INTEGER_dup(X509_get0_serialNumber(cert)); - if (!isname || !serial) { + UniquePtr serial; + UniquePtr issuer_gens; + if ((use_issuer == kOn && key_id == nullptr) || use_issuer == kAlways) { + UniquePtr issuer_name( + X509_NAME_dup(X509_get_issuer_name(ctx->issuer_cert))); + serial.reset(ASN1_INTEGER_dup(X509_get0_serialNumber(ctx->issuer_cert))); + if (issuer_name == nullptr || serial == nullptr) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS); - goto err; + return nullptr; } - } - - if (!(akeyid = AUTHORITY_KEYID_new())) { - goto err; - } - - if (isname) { - if (!(gens = sk_GENERAL_NAME_new_null()) || !(gen = GENERAL_NAME_new()) || - !sk_GENERAL_NAME_push(gens, gen)) { - goto err; + // AKID wraps the issuer name in a GeneralNames structure. 
+ UniquePtr gen(GENERAL_NAME_new()); + if (gen == nullptr) { + return nullptr; } gen->type = GEN_DIRNAME; - gen->d.dirn = isname; + gen->d.directoryName = issuer_name.release(); + issuer_gens.reset(sk_GENERAL_NAME_new_null()); + if (issuer_gens == nullptr || + !PushToStack(issuer_gens.get(), std::move(gen))) { + return nullptr; + } } - akeyid->issuer = gens; - akeyid->serial = serial; - akeyid->keyid = ikeyid; - - return akeyid; - -err: - X509_NAME_free(isname); - ASN1_INTEGER_free(serial); - ASN1_OCTET_STRING_free(ikeyid); - return nullptr; + UniquePtr akid(AUTHORITY_KEYID_new()); + if (akid == nullptr) { + return nullptr; + } + akid->issuer = issuer_gens.release(); + akid->serial = serial.release(); + akid->keyid = key_id.release(); + return akid.release(); } diff --git a/third_party/boringssl/src/crypto/x509/v3_alt.cc b/third_party/boringssl/src/crypto/x509/v3_alt.cc index 8aa2da8f..e64d323d 100644 --- a/third_party/boringssl/src/crypto/x509/v3_alt.cc +++ b/third_party/boringssl/src/crypto/x509/v3_alt.cc @@ -121,7 +121,7 @@ STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) { // Note the error-handling for this function relies on there being at most - // one |X509V3_add_value| call. If there were two and the second failed, we + // one `X509V3_add_value` call. If there were two and the second failed, we // would need to sometimes free the first call's result. unsigned char *p; char oline[256], htmp[5]; @@ -325,7 +325,7 @@ static int copy_issuer(const X509V3_CTX *ctx, GENERAL_NAMES *gens) { if (!sk_GENERAL_NAME_push(gens, gen)) { goto err; } - // Ownership of |gen| has moved from |ialt| to |gens|. + // Ownership of `gen` has moved from `ialt` to `gens`. sk_GENERAL_NAME_set(ialt, j, nullptr); } diff --git a/third_party/boringssl/src/crypto/x509/v3_conf.cc b/third_party/boringssl/src/crypto/x509/v3_conf.cc index d3d8e508..2d478c91 100644 --- a/third_party/boringssl/src/crypto/x509/v3_conf.cc 
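Review bot: In v2i_AUTHORITY_KEYID (v3_akey.cc), the new early return `if (key_id == nullptr && critical != -1) { return nullptr; }` is commented as a syntax error, but it likely covers a second case. As far as I know, X509_get_ext_d2i also returns NULL with a non -1 `critical` when the issuer certificate carries the subject key identifier more than once, and that path does not appear to queue an error, so the caller would see a failure with an empty error queue. This is also stricter than the removed code, which carried on without a key ID when decoding failed and `always` was not set. Failing closed is reasonable, but it deserves to be stated. I would put `OPENSSL_PUT_ERROR(X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);` before the return and widen the comment to `// Malformed or duplicated subject key identifier.` The function's signature and option parsing are outside this hunk.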
+++ b/third_party/boringssl/src/crypto/x509/v3_conf.cc @@ -45,7 +45,7 @@ static unsigned char *generic_asn1(const char *value, const X509V3_CTX *ctx, X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, const X509V3_CTX *ctx, const char *name, const char *value) { - // If omitted, fill in an empty |X509V3_CTX|. + // If omitted, fill in an empty `X509V3_CTX`. X509V3_CTX ctx_tmp; if (ctx == nullptr) { X509V3_set_ctx(&ctx_tmp, nullptr, nullptr, nullptr, nullptr, 0); @@ -68,7 +68,7 @@ X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, const X509V3_CTX *ctx, X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, const X509V3_CTX *ctx, int ext_nid, const char *value) { - // If omitted, fill in an empty |X509V3_CTX|. + // If omitted, fill in an empty `X509V3_CTX`. X509V3_CTX ctx_tmp; if (ctx == nullptr) { X509V3_set_ctx(&ctx_tmp, nullptr, nullptr, nullptr, nullptr, 0); @@ -105,9 +105,9 @@ static X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx, // Now get internal extension representation based on type if (method->v2i) { if (*value == '@') { - // TODO(davidben): This is the only place where |X509V3_EXT_nconf|'s - // |conf| parameter is used. All other codepaths use the copy inside - // |ctx|. Should this be switched and then the parameter ignored? + // TODO(davidben): This is the only place where `X509V3_EXT_nconf`'s + // `conf` parameter is used. All other codepaths use the copy inside + // `ctx`. Should this be switched and then the parameter ignored? if (conf == nullptr) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_CONFIG_DATABASE); return nullptr; 
@@ -136,7 +136,7 @@ static X509_EXTENSION *do_ext_nconf(const CONF *conf, const X509V3_CTX *ctx, // TODO(davidben): Should this check be removed? This matches OpenSSL, but // r2i-based extensions do not necessarily require a config database. The // two built-in extensions only use it some of the time, and already handle - // |X509V3_get_section| returning NULL. + // `X509V3_get_section` returning NULL. if (!ctx->db) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_CONFIG_DATABASE); return nullptr; diff --git a/third_party/boringssl/src/crypto/x509/v3_cpols.cc b/third_party/boringssl/src/crypto/x509/v3_cpols.cc index f69c82d6..840262e5 100644 --- a/third_party/boringssl/src/crypto/x509/v3_cpols.cc +++ b/third_party/boringssl/src/crypto/x509/v3_cpols.cc @@ -15,6 +15,8 @@ #include #include +#include + #include #include #include @@ -38,12 +40,11 @@ static void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, static void print_qualifiers(BIO *out, const STACK_OF(POLICYQUALINFO) *quals, int indent); static void print_notice(BIO *out, const USERNOTICE *notice, int indent); -static POLICYINFO *policy_section(const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *polstrs, - int ia5org); -static POLICYQUALINFO *notice_section(const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *unot, - int ia5org); +static UniquePtr policy_section(const X509V3_CTX *ctx, + const STACK_OF(CONF_VALUE) *polstrs, + int ia5org); +static UniquePtr notice_section( + const X509V3_CTX *ctx, const STACK_OF(CONF_VALUE) *unot, int ia5org); static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, const STACK_OF(CONF_VALUE) *nos); 
@@ -110,186 +111,169 @@ IMPLEMENT_ASN1_FUNCTIONS_const(CERTIFICATEPOLICIES) static void *r2i_certpol(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *value) { - STACK_OF(POLICYINFO) *pols = sk_POLICYINFO_new_null(); + UniquePtr pols(sk_POLICYINFO_new_null()); if (pols == nullptr) { return nullptr; } - STACK_OF(CONF_VALUE) *vals = X509V3_parse_list(value); - - { - if (vals == nullptr) { - OPENSSL_PUT_ERROR(X509V3, ERR_R_X509V3_LIB); - goto err; + UniquePtr vals(X509V3_parse_list(value)); + if (vals == nullptr) { + OPENSSL_PUT_ERROR(X509V3, ERR_R_X509V3_LIB); + return nullptr; + } + int ia5org = 0; + for (const CONF_VALUE *cnf : vals.get()) { + if (cnf->value || !cnf->name) { + OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_POLICY_IDENTIFIER); + X509V3_conf_err(cnf); + return nullptr; } - int ia5org = 0; - for (size_t i = 0; i < sk_CONF_VALUE_num(vals); i++) { - const CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); - if (cnf->value || !cnf->name) { - OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_POLICY_IDENTIFIER); + UniquePtr pol; + const char *pstr = cnf->name; + if (!strcmp(pstr, "ia5org")) { + ia5org = 1; + continue; + } else if (*pstr == '@') { + const STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1); + if (!polsect) { + OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION); + X509V3_conf_err(cnf); - goto err; + return nullptr; } - POLICYINFO *pol; - const char *pstr = cnf->name; - if (!strcmp(pstr, "ia5org")) { - ia5org = 1; - continue; - } else if (*pstr == '@') { - const STACK_OF(CONF_VALUE) *polsect = X509V3_get_section(ctx, pstr + 1); - if (!polsect) { - OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION); - - X509V3_conf_err(cnf); - goto err; - } - pol = policy_section(ctx, polsect, ia5org); - if (!pol) { - goto err; - } - } else { - ASN1_OBJECT *pobj = OBJ_txt2obj(cnf->name, 0); - if (pobj == nullptr) { - OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(cnf); - goto err; - } - pol = 
POLICYINFO_new(); - if (pol == nullptr) { - ASN1_OBJECT_free(pobj); - goto err; - } - pol->policyid = pobj; + pol = policy_section(ctx, polsect, ia5org); + if (!pol) { + return nullptr; + } + } else { + UniquePtr pobj(OBJ_txt2obj(cnf->name, 0)); + if (pobj == nullptr) { + OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER); + X509V3_conf_err(cnf); + return nullptr; } - if (!sk_POLICYINFO_push(pols, pol)) { - POLICYINFO_free(pol); - goto err; + pol.reset(POLICYINFO_new()); + if (pol == nullptr) { + return nullptr; } + pol->policyid = pobj.release(); + } + if (!PushToStack(pols.get(), std::move(pol))) { + return nullptr; } - sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); - return pols; } - -err: - sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); - sk_POLICYINFO_pop_free(pols, POLICYINFO_free); - return nullptr; + return pols.release(); } -static POLICYINFO *policy_section(const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *polstrs, - int ia5org) { - POLICYINFO *pol; - POLICYQUALINFO *qual; - if (!(pol = POLICYINFO_new())) { - goto err; +static UniquePtr policy_section(const X509V3_CTX *ctx, + const STACK_OF(CONF_VALUE) *polstrs, + int ia5org) { + UniquePtr pol(POLICYINFO_new()); + if (pol == nullptr) { + return nullptr; } - for (size_t i = 0; i < sk_CONF_VALUE_num(polstrs); i++) { - const CONF_VALUE *cnf = sk_CONF_VALUE_value(polstrs, i); + for (const CONF_VALUE *cnf : polstrs) { if (!strcmp(cnf->name, "policyIdentifier")) { ASN1_OBJECT *pobj; if (!(pobj = OBJ_txt2obj(cnf->value, 0))) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OBJECT_IDENTIFIER); X509V3_conf_err(cnf); - goto err; + return nullptr; } + ASN1_OBJECT_free(pol->policyid); pol->policyid = pobj; } else if (x509v3_conf_name_matches(cnf->name, "CPS")) { - if (!pol->qualifiers) { + if (pol->qualifiers == nullptr) { pol->qualifiers = sk_POLICYQUALINFO_new_null(); } - if (!(qual = POLICYQUALINFO_new())) { - goto err; - } - if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) { - goto err; + UniquePtr 
qual(POLICYQUALINFO_new()); + if (qual == nullptr || pol->qualifiers == nullptr) { + return nullptr; } qual->pqualid = OBJ_nid2obj(NID_id_qt_cps); if (qual->pqualid == nullptr) { OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR); - goto err; + return nullptr; } qual->d.cpsuri = ASN1_IA5STRING_new(); if (qual->d.cpsuri == nullptr) { - goto err; + return nullptr; } if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value))) { - goto err; + return nullptr; + } + if (!PushToStack(pol->qualifiers, std::move(qual))) { + return nullptr; } } else if (x509v3_conf_name_matches(cnf->name, "userNotice")) { if (*cnf->value != '@') { OPENSSL_PUT_ERROR(X509V3, X509V3_R_EXPECTED_A_SECTION_NAME); X509V3_conf_err(cnf); - goto err; + return nullptr; } const STACK_OF(CONF_VALUE) *unot = X509V3_get_section(ctx, cnf->value + 1); if (!unot) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_SECTION); X509V3_conf_err(cnf); - goto err; + return nullptr; } - qual = notice_section(ctx, unot, ia5org); - if (!qual) { - goto err; + UniquePtr qual = notice_section(ctx, unot, ia5org); + if (qual == nullptr) { + return nullptr; } - if (!pol->qualifiers) { + if (pol->qualifiers == nullptr) { pol->qualifiers = sk_POLICYQUALINFO_new_null(); } - if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) { - goto err; + if (pol->qualifiers == nullptr || + !PushToStack(pol->qualifiers, std::move(qual))) { + return nullptr; } } else { OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION); X509V3_conf_err(cnf); - goto err; + return nullptr; } } if (!pol->policyid) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_NO_POLICY_IDENTIFIER); - goto err; + return nullptr; } return pol; - -err: - POLICYINFO_free(pol); - return nullptr; } -static POLICYQUALINFO *notice_section(const X509V3_CTX *ctx, - const STACK_OF(CONF_VALUE) *unot, - int ia5org) { - USERNOTICE *notice; - POLICYQUALINFO *qual; - if (!(qual = POLICYQUALINFO_new())) { - goto err; +static UniquePtr notice_section( + const X509V3_CTX *ctx, const STACK_OF(CONF_VALUE) 
*unot, int ia5org) { + UniquePtr qual(POLICYQUALINFO_new()); + if (qual == nullptr) { + return nullptr; } qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice); if (qual->pqualid == nullptr) { OPENSSL_PUT_ERROR(X509V3, ERR_R_INTERNAL_ERROR); - goto err; + return nullptr; } - if (!(notice = USERNOTICE_new())) { - goto err; + USERNOTICE *notice = USERNOTICE_new(); + if (notice == nullptr) { + return nullptr; } qual->d.usernotice = notice; - for (size_t i = 0; i < sk_CONF_VALUE_num(unot); i++) { - const CONF_VALUE *cnf = sk_CONF_VALUE_value(unot, i); + for (const CONF_VALUE *cnf : unot) { if (!strcmp(cnf->name, "explicitText")) { notice->exptext = ASN1_VISIBLESTRING_new(); if (notice->exptext == nullptr) { - goto err; + return nullptr; } if (!ASN1_STRING_set(notice->exptext, cnf->value, strlen(cnf->value))) { - goto err; + return nullptr; } } else if (!strcmp(cnf->name, "organization")) { NOTICEREF *nref; if (!notice->noticeref) { if (!(nref = NOTICEREF_new())) { - goto err; + return nullptr; } notice->noticeref = nref; } else { 
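Review bot: A repeated `explicitText` key in notice_section's loop still overwrites `notice->exptext` with a fresh `ASN1_VISIBLESTRING_new()` result without releasing the string stored by the earlier key, so the first allocation appears to leak. This hunk closes the same gap for a repeated `policyIdentifier` in policy_section by adding `ASN1_OBJECT_free(pol->policyid);`, but leaves this branch as it was. Adding `ASN1_STRING_free(notice->exptext);` on the line before `notice->exptext = ASN1_VISIBLESTRING_new();` would make the two branches consistent; rejecting the duplicate key with `X509V3_R_INVALID_OPTION` is the stricter alternative. notice_section's body continues past the end of this hunk, so the `organization` and `noticeNumbers` branches were only checked as far as they are visible here.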
@@ -302,49 +286,41 @@ static POLICYQUALINFO *notice_section(const X509V3_CTX *ctx, } if (!ASN1_STRING_set(nref->organization, cnf->value, strlen(cnf->value))) { - goto err; + return nullptr; } } else if (!strcmp(cnf->name, "noticeNumbers")) { NOTICEREF *nref; - STACK_OF(CONF_VALUE) *nos; if (!notice->noticeref) { if (!(nref = NOTICEREF_new())) { - goto err; + return nullptr; } notice->noticeref = nref; } else { nref = notice->noticeref; } - nos = X509V3_parse_list(cnf->value); - if (!nos || !sk_CONF_VALUE_num(nos)) { + UniquePtr nos(X509V3_parse_list(cnf->value)); + if (!nos || !sk_CONF_VALUE_num(nos.get())) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_NUMBERS); X509V3_conf_err(cnf); - sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); - goto err; + return nullptr; } - int ret = nref_nos(nref->noticenos, nos); - sk_CONF_VALUE_pop_free(nos, X509V3_conf_free); - if (!ret) { - goto err; + if (!nref_nos(nref->noticenos, nos.get())) { + return nullptr; } } else { OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_OPTION); X509V3_conf_err(cnf); - goto err; + return nullptr; } } if (notice->noticeref && (!notice->noticeref->noticenos || !notice->noticeref->organization)) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_NEED_ORGANIZATION_AND_NUMBERS); - goto err; + return nullptr; } return qual; - -err: - POLICYQUALINFO_free(qual); - return nullptr; } static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, diff --git a/third_party/boringssl/src/crypto/x509/v3_crld.cc b/third_party/boringssl/src/crypto/x509/v3_crld.cc index 61225ad4..85575518 100644 --- a/third_party/boringssl/src/crypto/x509/v3_crld.cc +++ b/third_party/boringssl/src/crypto/x509/v3_crld.cc 
@@ -78,8 +78,8 @@ static STACK_OF(GENERAL_NAME) *gnames_from_sectname(const X509V3_CTX *ctx, return gens; } -// set_dist_point_name decodes a DistributionPointName from |cnf| and writes the -// result in |*pdp|. It returns 1 on success, -1 on error, and 0 if |cnf| used +// set_dist_point_name decodes a DistributionPointName from `cnf` and writes the +// result in `*pdp`. It returns 1 on success, -1 on error, and 0 if `cnf` used // an unrecognized input type. The zero return can be used by callers to support // additional syntax. static int set_dist_point_name(DIST_POINT_NAME **pdp, const X509V3_CTX *ctx, @@ -87,8 +87,8 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, const X509V3_CTX *ctx, STACK_OF(GENERAL_NAME) *fnm = nullptr; STACK_OF(X509_NAME_ENTRY) *rnm = nullptr; if (!strcmp(cnf->name, "fullname")) { - // If |cnf| comes from |X509V3_parse_list|, which is possible for a v2i - // function, |cnf->value| may be NULL. + // If `cnf` comes from `X509V3_parse_list`, which is possible for a v2i + // function, `cnf->value` may be NULL. if (cnf->value == nullptr) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE); return -1; @@ -98,8 +98,8 @@ static int set_dist_point_name(DIST_POINT_NAME **pdp, const X509V3_CTX *ctx, goto err; } } else if (!strcmp(cnf->name, "relativename")) { - // If |cnf| comes from |X509V3_parse_list|, which is possible for a v2i - // function, |cnf->value| may be NULL. + // If `cnf` comes from `X509V3_parse_list`, which is possible for a v2i + // function, `cnf->value` may be NULL. if (cnf->value == nullptr) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_MISSING_VALUE); return -1; diff --git a/third_party/boringssl/src/crypto/x509/v3_lib.cc b/third_party/boringssl/src/crypto/x509/v3_lib.cc index 2289afd3..676e38c2 100644 --- a/third_party/boringssl/src/crypto/x509/v3_lib.cc +++ b/third_party/boringssl/src/crypto/x509/v3_lib.cc 
@@ -35,7 +35,7 @@ using namespace bssl; static bssl::Vector *ext_list = nullptr; int X509V3_EXT_add(X509V3_EXT_METHOD *ext) { - // We only support |ASN1_ITEM|-based extensions. + // We only support `ASN1_ITEM`-based extensions. assert(ext->it != nullptr); // TODO(crbug.com/42290461): This API is not locked and doesn't check for diff --git a/third_party/boringssl/src/crypto/x509/v3_ncons.cc b/third_party/boringssl/src/crypto/x509/v3_ncons.cc index 58c15960..2a7c2673 100644 --- a/third_party/boringssl/src/crypto/x509/v3_ncons.cc +++ b/third_party/boringssl/src/crypto/x509/v3_ncons.cc @@ -56,7 +56,7 @@ int equal_case(const CBS *a, const CBS *b) { if (CBS_len(a) != CBS_len(b)) { return 0; } - // Note we cannot use |OPENSSL_strncasecmp| because that would stop + // Note we cannot use `OPENSSL_strncasecmp` because that would stop // iterating at NUL. const uint8_t *a_data = CBS_data(a), *b_data = CBS_data(b); for (size_t i = 0; i < CBS_len(a); i++) { @@ -354,7 +354,7 @@ int nc_dns(const ASN1_IA5STRING *dns, const ASN1_IA5STRING *base, } } - // If |base_cbs| begins with a '.', do a simple suffix comparison. This is + // If `base_cbs` begins with a '.', do a simple suffix comparison. This is // not part of RFC5280, but is part of OpenSSL's original behavior. if (starts_with(&base_cbs, '.')) { if (has_suffix_case(&dns_cbs, &base_cbs)) { diff --git a/third_party/boringssl/src/crypto/x509/v3_purp.cc b/third_party/boringssl/src/crypto/x509/v3_purp.cc index 8d7a2915..ec5aa376 100644 --- a/third_party/boringssl/src/crypto/x509/v3_purp.cc +++ b/third_party/boringssl/src/crypto/x509/v3_purp.cc 
@@ -60,9 +60,9 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca); static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca); -// X509_TRUST_NONE is not a valid |X509_TRUST_*| constant. It is used by -// |X509_PURPOSE_ANY| to indicate that it has no corresponding trust type and -// cannot be used with |X509_STORE_CTX_set_purpose|. +// X509_TRUST_NONE is not a valid `X509_TRUST_*` constant. It is used by +// `X509_PURPOSE_ANY` to indicate that it has no corresponding trust type and +// cannot be used with `X509_STORE_CTX_set_purpose`. #define X509_TRUST_NONE (-1) static const X509_PURPOSE xstandard[] = { @@ -79,7 +79,7 @@ static const X509_PURPOSE xstandard[] = { {X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, check_purpose_crl_sign, "crlsign"}, {X509_PURPOSE_ANY, X509_TRUST_NONE, no_check, "any"}, - // |X509_PURPOSE_OCSP_HELPER| performs no actual checks. OpenSSL's OCSP + // `X509_PURPOSE_OCSP_HELPER` performs no actual checks. OpenSSL's OCSP // implementation relied on the caller performing EKU and KU checks. {X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, no_check, "ocsphelper"}, {X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, check_purpose_timestamp_sign, @@ -100,9 +100,9 @@ int X509_check_purpose(X509 *x, int id, int ca) { if (pt == nullptr) { return 0; } - // Historically, |check_purpose| implementations other than |X509_PURPOSE_ANY| - // called |check_ca|. This is redundant with the |X509_V_ERR_INVALID_CA| - // logic, but |X509_check_purpose| is public API, so we preserve this + // Historically, `check_purpose` implementations other than `X509_PURPOSE_ANY` + // called `check_ca`. This is redundant with the `X509_V_ERR_INVALID_CA` + // logic, but `X509_check_purpose` is public API, so we preserve this // behavior. if (ca && id != X509_PURPOSE_ANY && !check_ca(x)) { return 0; 
@@ -219,7 +219,7 @@ int bssl::x509v3_cache_extensions(X509 *x) { impl->ex_flags |= EXFLAG_INVALID; impl->ex_pathlen = 0; } else { - // TODO(davidben): |ASN1_INTEGER_get| returns -1 on overflow, + // TODO(davidben): `ASN1_INTEGER_get` returns -1 on overflow, // which currently acts as if the constraint isn't present. This // works (an overflowing path length constraint may as well be // infinity), but Chromium's verifier simply treats values above @@ -347,7 +347,7 @@ int bssl::x509v3_cache_extensions(X509 *x) { return (impl->ex_flags & EXFLAG_INVALID) == 0; } -// check_ca returns one if |x| should be considered a CA certificate and zero +// check_ca returns one if `x` should be considered a CA certificate and zero // otherwise. static int check_ca(const X509 *x) { // keyUsage if present should allow cert signing @@ -370,9 +370,9 @@ int X509_check_ca(const X509 *x) { return check_ca(x); } -// check_purpose returns one if |x| is a valid part of a certificate path for -// extended key usage |required_xku| and at least one of key usages in -// |required_kus|. |ca| indicates whether |x| is a CA or end-entity certificate. +// check_purpose returns one if `x` is a valid part of a certificate path for +// extended key usage `required_xku` and at least one of key usages in +// `required_kus`. `ca` indicates whether `x` is a CA or end-entity certificate. static int check_purpose(const X509 *x, int ca, int required_xku, int required_kus) { // Check extended key usage on the entire chain. @@ -528,8 +528,8 @@ int bssl::X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid) { } uint32_t X509_get_extension_flags(X509 *x) { - // Ignore the return value. On failure, |impl->ex_flags| will include - // |EXFLAG_INVALID|. + // Ignore the return value. On failure, `impl->ex_flags` will include + // `EXFLAG_INVALID`. x509v3_cache_extensions(x); const auto *impl = FromOpaque(x); return impl->ex_flags; 
@@ -544,7 +544,7 @@ uint32_t X509_get_key_usage(X509 *x) { return impl->ex_kusage; } // If there is no extension, key usage is unconstrained, so set all bits to - // one. Note that, although we use |UINT32_MAX|, |ex_kusage| only contains the + // one. Note that, although we use `UINT32_MAX`, `ex_kusage` only contains the // first 16 bits when the extension is present. return UINT32_MAX; } diff --git a/third_party/boringssl/src/crypto/x509/v3_utl.cc b/third_party/boringssl/src/crypto/x509/v3_utl.cc index 6605c5c0..5fbf0d53 100644 --- a/third_party/boringssl/src/crypto/x509/v3_utl.cc +++ b/third_party/boringssl/src/crypto/x509/v3_utl.cc @@ -61,7 +61,7 @@ static int x509V3_add_len_value(const char *name, const char *value, goto err; } if (!omit_value) { - // |CONF_VALUE| cannot represent strings with NULs. + // `CONF_VALUE` cannot represent strings with NULs. if (OPENSSL_memchr(value, 0, value_len)) { OPENSSL_PUT_ERROR(X509V3, X509V3_R_INVALID_VALUE); goto err; @@ -496,12 +496,12 @@ unsigned char *bssl::x509v3_hex_to_bytes(const char *str, size_t *len) { } int bssl::x509v3_conf_name_matches(const char *name, const char *cmp) { - // |name| must begin with |cmp|. + // `name` must begin with `cmp`. size_t len = strlen(cmp); if (strncmp(name, cmp, len) != 0) { return 0; } - // |name| must either be equal to |cmp| or begin with |cmp|, followed by '.'. + // `name` must either be equal to `cmp` or begin with `cmp`, followed by '.'. return name[len] == '\0' || name[len] == '.'; } @@ -575,7 +575,7 @@ static int append_ia5(UniquePtr *sk, if (email->data == nullptr || email->length == 0) { return 1; } - // |OPENSSL_STRING| cannot represent strings with embedded NULs. Do not + // `OPENSSL_STRING` cannot represent strings with embedded NULs. Do not // report them as outputs. if (OPENSSL_memchr(email->data, 0, email->length) != nullptr) { return 1; 
@@ -873,7 +873,7 @@ static int do_check_string(const ASN1_STRING *a, int cmp_type, equal_fn equal, return -1; } // We check the common name against DNS name constraints if it passes - // |x509v3_looks_like_dns_name|. Thus we must not consider common names + // `x509v3_looks_like_dns_name`. Thus we must not consider common names // for DNS fallbacks if they fail this check. if (check_type == GEN_DNS && !x509v3_looks_like_dns_name(astr, astrlen)) { rv = 0; @@ -1095,8 +1095,8 @@ int bssl::x509v3_a2i_ipadd(uint8_t ipout[16], const char *ipasc) { } // get_ipv4_component consumes one IPv4 component, terminated by either '.' or -// the end of the string, from |*str|. On success, it returns one, sets |*out| -// to the component, and advances |*str| to the first unconsumed character. On +// the end of the string, from `*str`. On success, it returns one, sets `*out` +// to the component, and advances `*str` to the first unconsumed character. On // invalid input, it returns zero. static int get_ipv4_component(uint8_t *out_byte, const char **str) { // Store a slightly larger intermediary so the overflow check is easier. @@ -1123,8 +1123,8 @@ static int get_ipv4_component(uint8_t *out_byte, const char **str) { } } -// get_ipv4_dot consumes a '.' from |*str| and advances it. It returns one on -// success and zero if |*str| does not point to a '.'. +// get_ipv4_dot consumes a '.' from `*str` and advances it. It returns one on +// success and zero if `*str` does not point to a '.'. static int get_ipv4_dot(const char **str) { if (**str != '.') { return 0; diff --git a/third_party/boringssl/src/crypto/x509/x509.cc b/third_party/boringssl/src/crypto/x509/x509.cc index 05bedc6b..6b134369 100644 --- a/third_party/boringssl/src/crypto/x509/x509.cc +++ b/third_party/boringssl/src/crypto/x509/x509.cc 
@@ -19,7 +19,7 @@ #include -// |X509_R_UNSUPPORTED_ALGORITHM| is no longer emitted, but continue to define +// `X509_R_UNSUPPORTED_ALGORITHM` is no longer emitted, but continue to define // it to avoid downstream churn. OPENSSL_DECLARE_ERROR_REASON(X509, UNSUPPORTED_ALGORITHM) diff --git a/third_party/boringssl/src/crypto/x509/x509_att.cc b/third_party/boringssl/src/crypto/x509/x509_att.cc index 654db948..2499364f 100644 --- a/third_party/boringssl/src/crypto/x509/x509_att.cc +++ b/third_party/boringssl/src/crypto/x509/x509_att.cc @@ -103,7 +103,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, if (attrtype == 0) { // Do nothing. This is used to create an empty value set in - // |X509_ATTRIBUTE_create_by_*|. This is invalid, but supported by OpenSSL. + // `X509_ATTRIBUTE_create_by_*`. This is invalid, but supported by OpenSSL. return 1; } @@ -114,9 +114,9 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, // This function is several functions in one. if (attrtype & MBSTRING_FLAG) { - // |data| is an encoded string. We must decode and re-encode it to |attr|'s - // preferred ASN.1 type. Note |len| may be -1, in which case - // |ASN1_STRING_set_by_NID| calls |strlen| automatically. + // `data` is an encoded string. We must decode and re-encode it to `attr`'s + // preferred ASN.1 type. Note `len` may be -1, in which case + // `ASN1_STRING_set_by_NID` calls `strlen` automatically. ASN1_STRING *str = ASN1_STRING_set_by_NID(nullptr, reinterpret_cast(data), len, attrtype, OBJ_obj2nid(attr->object)); 
@@ -126,8 +126,8 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, } asn1_type_set0_string(typ, str); } else if (len != -1) { - // |attrtype| must be a valid |ASN1_STRING| type. |data| and |len| is a - // value in the corresponding |ASN1_STRING| representation. + // `attrtype` must be a valid `ASN1_STRING` type. `data` and `len` is a + // value in the corresponding `ASN1_STRING` representation. ASN1_STRING *str = ASN1_STRING_type_new(attrtype); if (str == nullptr || !ASN1_STRING_set(str, data, len)) { ASN1_STRING_free(str); @@ -135,7 +135,7 @@ int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, } asn1_type_set0_string(typ, str); } else { - // |attrtype| must be a valid |ASN1_TYPE| type. |data| is a pointer to an + // `attrtype` must be a valid `ASN1_TYPE` type. `data` is a pointer to an // object of the corresponding type. if (!ASN1_TYPE_set1(typ, attrtype, data)) { goto err; diff --git a/third_party/boringssl/src/crypto/x509/x509_cmp.cc b/third_party/boringssl/src/crypto/x509/x509_cmp.cc index 1f66e660..d385a0e8 100644 --- a/third_party/boringssl/src/crypto/x509/x509_cmp.cc +++ b/third_party/boringssl/src/crypto/x509/x509_cmp.cc @@ -101,7 +101,7 @@ uint32_t X509_subject_name_hash_old(const X509 *x) { int X509_cmp(const X509 *a, const X509 *b) { const auto *a_impl = FromOpaque(a); const auto *b_impl = FromOpaque(b); - // Fill in the |cert_hash| fields. + // Fill in the `cert_hash` fields. // // TODO(davidben): This may fail, in which case the the hash will be all // zeros. This produces a consistent comparison (failures are sticky), but diff --git a/third_party/boringssl/src/crypto/x509/x509_lu.cc b/third_party/boringssl/src/crypto/x509/x509_lu.cc index 4adee727..126bf334 100644 --- a/third_party/boringssl/src/crypto/x509/x509_lu.cc +++ b/third_party/boringssl/src/crypto/x509/x509_lu.cc 
@@ -87,14 +87,14 @@ static int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, if (ctx->method == nullptr || ctx->method->get_by_subject == nullptr) { return 0; } - // Note |get_by_subject| leaves |ret| in an inconsistent state. It has - // pointers to an |X509| or |X509_CRL|, but has not bumped the refcount yet. + // Note `get_by_subject` leaves `ret` in an inconsistent state. It has + // pointers to an `X509` or `X509_CRL`, but has not bumped the refcount yet. // For now, the caller is expected to fix this, but ideally we'd fix the - // |X509_LOOKUP| convention itself. + // `X509_LOOKUP` convention itself. return ctx->method->get_by_subject(ctx, type, name, ret) > 0; } -// x509_object_cmp_name compares |a| against the specified type and name. This +// x509_object_cmp_name compares `a` against the specified type and name. This // avoids needing to construct a reference certificate or CRL. static int x509_object_cmp_name(const X509_OBJECT *a, int type, const X509_NAME *name) { @@ -197,7 +197,7 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, int type, } // TODO(crbug.com/boringssl/685): This should call - // |X509_OBJECT_free_contents|. + // `X509_OBJECT_free_contents`. ret->type = tmp->type; ret->data = tmp->data; X509_OBJECT_up_ref_count(ret); 
@@ -297,22 +297,22 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, const X509_NAME *name, int *out_num_match) { sk_X509_OBJECT_sort(h); - // Find the first matching object. |sk_X509_OBJECT_find| would require - // constructing an |X509| or |X509_CRL| object, so implement our own binary + // Find the first matching object. `sk_X509_OBJECT_find` would require + // constructing an `X509` or `X509_CRL` object, so implement our own binary // search. size_t start = 0, end = sk_X509_OBJECT_num(h); while (end - start > 1) { - // Bias |mid| towards |start|. The range has more than one element, so |mid| + // Bias `mid` towards `start`. The range has more than one element, so `mid` // is not the last element. size_t mid = start + (end - start - 1) / 2; assert(start <= mid && mid + 1 < end); int r = x509_object_cmp_name(sk_X509_OBJECT_value(h, mid), type, name); if (r < 0) { - start = mid + 1; // |mid| is too low. + start = mid + 1; // `mid` is too low. } else if (r > 0) { - end = mid; // |mid| is too high. + end = mid; // `mid` is too high. } else { - // |mid| matches, but we need to keep searching to find the first match. + // `mid` matches, but we need to keep searching to find the first match. end = mid + 1; } } @@ -332,7 +332,7 @@ static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, int type, } } - assert(start <= INT_MAX); // |STACK_OF(T)| never stores more than |INT_MAX|. + assert(start <= INT_MAX); // `STACK_OF(T)` never stores more than `INT_MAX`. return static_cast(start); } @@ -501,7 +501,7 @@ int X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx, X509_OBJECT_free_contents(&obj); // Else find index of first cert accepted by - // |x509_check_issued_with_callback|. + // `x509_check_issued_with_callback`. X509Store *store = FromOpaque(ctx->ctx); MutexWriteLock lock(&store->objs_lock); int idx = X509_OBJECT_idx_by_subject(store->objs.get(), X509_LU_X509, xn); 
@@ -512,7 +512,7 @@ int X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx, // See if we've run past the matches. // // This works because the objects are sorted by type, then subject - // name, using |x509_object_cmp|. + // name, using `x509_object_cmp`. if (pobj->type != X509_LU_X509) { return 0; } diff --git a/third_party/boringssl/src/crypto/x509/x509_req.cc b/third_party/boringssl/src/crypto/x509/x509_req.cc index ee7203b3..be68c4fe 100644 --- a/third_party/boringssl/src/crypto/x509/x509_req.cc +++ b/third_party/boringssl/src/crypto/x509/x509_req.cc @@ -86,7 +86,7 @@ STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(const X509_REQ *req) { } const X509_ATTRIBUTE *attr = X509_REQ_get_attr(req, idx); - // TODO(davidben): |X509_ATTRIBUTE_get0_type| is not const-correct. It should + // TODO(davidben): `X509_ATTRIBUTE_get0_type` is not const-correct. It should // take and return a const pointer. const ASN1_TYPE *ext = X509_ATTRIBUTE_get0_type((X509_ATTRIBUTE *)attr, 0); if (!ext || ext->type != V_ASN1_SEQUENCE) { diff --git a/third_party/boringssl/src/crypto/x509/x509_set.cc b/third_party/boringssl/src/crypto/x509/x509_set.cc index 1833804b..26abf2dc 100644 --- a/third_party/boringssl/src/crypto/x509/x509_set.cc +++ b/third_party/boringssl/src/crypto/x509/x509_set.cc @@ -73,7 +73,7 @@ int X509_set_subject_name(X509 *x, const X509_NAME *name) { } int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm) { - // TODO(crbug.com/42290309): Check that |tm->type| is correct. + // TODO(crbug.com/42290309): Check that `tm->type` is correct. auto *impl = FromOpaque(x); return ASN1_STRING_copy(&impl->notBefore, tm); } 
@@ -88,23 +88,23 @@ const ASN1_TIME *X509_get0_notBefore(const X509 *x) { } ASN1_TIME *X509_getm_notBefore(X509 *x) { - // Note this function takes a const |X509| pointer in OpenSSL. We require - // non-const as this allows mutating |x|. If it comes up for compatibility, + // Note this function takes a const `X509` pointer in OpenSSL. We require + // non-const as this allows mutating `x`. If it comes up for compatibility, // we can relax this. auto *impl = FromOpaque(x); return &impl->notBefore; } ASN1_TIME *X509_get_notBefore(const X509 *x509) { - // In OpenSSL, this function is an alias for |X509_getm_notBefore|, but our - // |X509_getm_notBefore| is const-correct. |X509_get_notBefore| was + // In OpenSSL, this function is an alias for `X509_getm_notBefore`, but our + // `X509_getm_notBefore` is const-correct. `X509_get_notBefore` was // originally a macro, so it needs to capture both get0 and getm use cases. const auto *impl = FromOpaque(x509); return const_cast(&impl->notBefore); } int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) { - // TODO(crbug.com/42290309): Check that |tm->type| is correct. + // TODO(crbug.com/42290309): Check that `tm->type` is correct. auto *impl = FromOpaque(x); return ASN1_STRING_copy(&impl->notAfter, tm); } 
@@ -119,16 +119,16 @@ const ASN1_TIME *X509_get0_notAfter(const X509 *x) { } ASN1_TIME *X509_getm_notAfter(X509 *x) { - // Note this function takes a const |X509| pointer in OpenSSL. We require - // non-const as this allows mutating |x|. If it comes up for compatibility, + // Note this function takes a const `X509` pointer in OpenSSL. We require + // non-const as this allows mutating `x`. If it comes up for compatibility, // we can relax this. auto *impl = FromOpaque(x); return &impl->notAfter; } ASN1_TIME *X509_get_notAfter(const X509 *x509) { - // In OpenSSL, this function is an alias for |X509_getm_notAfter|, but our - // |X509_getm_notAfter| is const-correct. |X509_get_notAfter| was + // In OpenSSL, this function is an alias for `X509_getm_notAfter`, but our + // `X509_getm_notAfter` is const-correct. `X509_get_notAfter` was // originally a macro, so it needs to capture both get0 and getm use cases. const auto *impl = FromOpaque(x509); return const_cast(&impl->notAfter); diff --git a/third_party/boringssl/src/crypto/x509/x509_vfy.cc b/third_party/boringssl/src/crypto/x509/x509_vfy.cc index a619d496..5405038f 100644 --- a/third_party/boringssl/src/crypto/x509/x509_vfy.cc +++ b/third_party/boringssl/src/crypto/x509/x509_vfy.cc @@ -84,8 +84,8 @@ static int internal_verify(X509_STORE_CTX *ctx); static int null_callback(int ok, X509_STORE_CTX *e) { return ok; } -// cert_self_signed checks if |x| is self-signed. If |x| is valid, it returns -// one and sets |*out_is_self_signed| to the result. If |x| is invalid, it +// cert_self_signed checks if `x` is self-signed. If `x` is valid, it returns +// one and sets `*out_is_self_signed` to the result. If `x` is invalid, it // returns zero. static int cert_self_signed(X509 *x, int *out_is_self_signed) { if (!x509v3_cache_extensions(x)) { 
@@ -102,7 +102,7 @@ static int call_verify_cb(int ok, X509_STORE_CTX *ctx) { // of success or failure. Insert that callers check correctly. // // TODO(davidben): Also use this wrapper to constrain which errors may be - // suppressed, and ensure all |verify_cb| calls remember to fill in an error. + // suppressed, and ensure all `verify_cb` calls remember to fill in an error. BSSL_CHECK(ok == 0 || ok == 1); return ok; } @@ -185,7 +185,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { int num = (int)sk_X509_num(ctx->chain); X509 *x = sk_X509_value(ctx->chain, num - 1); - // |param->depth| does not include the leaf certificate or the trust anchor, + // `param->depth` does not include the leaf certificate or the trust anchor, // so the maximum size is 2 more. int max_chain = param->depth >= INT_MAX - 2 ? INT_MAX : param->depth + 2; @@ -391,7 +391,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx) { !check_revocation(ctx) || // !internal_verify(ctx) || // !check_name_constraints(ctx) || - // TODO(davidben): Does |check_policy| still need to be conditioned on + // TODO(davidben): Does `check_policy` still need to be conditioned on // |!bad_chain|? DoS concerns have been resolved. (!bad_chain && !check_policy(ctx))) { goto end; @@ -535,7 +535,7 @@ static int reject_dns_name_in_common_name(X509 *x509) { return X509_V_ERR_OUT_OF_MEM; } // Only process attributes that look like host names. Note it is - // important that this check be mirrored in |X509_check_host|. + // important that this check be mirrored in `X509_check_host`. int looks_like_dns = x509v3_looks_like_dns_name(idval, (size_t)idlen); OPENSSL_free(idval); if (looks_like_dns) { 
@@ -583,7 +583,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) { } // Name constraints do not match against the common name, but - // |X509_check_host| still implements the legacy behavior where, on + // `X509_check_host` still implements the legacy behavior where, on // certificates lacking a SAN list, DNS-like names in the common name are // checked instead. // @@ -603,7 +603,7 @@ static int check_name_constraints(X509_STORE_CTX *ctx) { return 0; default: ctx->error = rv; - ctx->error_depth = i; + ctx->error_depth = 0; ctx->current_cert = leaf; if (!call_verify_cb(0, ctx)) { return 0; @@ -732,8 +732,8 @@ static int check_cert(X509_STORE_CTX *ctx) { ctx->current_crl_issuer = nullptr; ctx->current_crl_score = 0; - // Try to retrieve the relevant CRL. Note that |get_crl| sets - // |current_crl_issuer| and |current_crl_score|, which |check_crl| then reads. + // Try to retrieve the relevant CRL. Note that `get_crl` sets + // `current_crl_issuer` and `current_crl_score`, which `check_crl` then reads. // // TODO(davidben): The awkward internal calling convention is a historical // artifact of when these functions were user-overridable callbacks, even @@ -846,8 +846,8 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509 **pissuer, X509_CRL_get0_lastUpdate(crl)) == 0) { continue; } - // ASN1_TIME_diff never returns inconsistent signs for |day| - // and |sec|. + // ASN1_TIME_diff never returns inconsistent signs for `day` + // and `sec`. if (day <= 0 && sec <= 0) { continue; } 
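Review bot: The replacement of `ctx->error_depth = i;` with `ctx->error_depth = 0;` in the `default:` branch of check_name_constraints (hunk at -603) is a behavioural change to certificate verification sitting among comment-only edits, and it has no comment explaining it. The next line sets `ctx->current_cert = leaf`, so depth zero looks like the value that matches the certificate being reported, but any verify callback that filters or logs on `error_depth` for this error will now see a different number. I would add a comment above the assignment, for example `// The common-name check is against the leaf, so report the error at depth zero.`, so the pairing with `current_cert` stays intentional. The function begins and ends outside the hunk, so the value `i` held at this point cannot be confirmed from here.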
@@ -1270,7 +1270,7 @@ static int internal_verify(X509_STORE_CTX *ctx) { // First, don't allow the verify callback to suppress // X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, which will simplify the // signature check. Then replace jumping into the middle of the loop. It's - // trying to ensure that all certificates see |check_cert_time|, then checking + // trying to ensure that all certificates see `check_cert_time`, then checking // the root's self signature when requested, but not breaking partial chains // in the process. int n = (int)sk_X509_num(ctx->chain); @@ -1428,7 +1428,7 @@ X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx) { } X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx) { - // In OpenSSL, an |X509_STORE_CTX| sometimes has a parent context during CRL + // In OpenSSL, an `X509_STORE_CTX` sometimes has a parent context during CRL // path validation for indirect CRLs. We require the CRL to be issued // somewhere along the certificate path, so this is always NULL. return nullptr; @@ -1447,7 +1447,7 @@ void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { } int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { - // If |purpose| is zero, this function historically silently did nothing. + // If `purpose` is zero, this function historically silently did nothing. if (purpose == 0) { return 1; } @@ -1470,7 +1470,7 @@ int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { } int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { - // If |trust| is zero, this function historically silently did nothing. + // If `trust` is zero, this function historically silently did nothing. if (trust == 0) { return 1; } diff --git a/third_party/boringssl/src/crypto/x509/x509_vpm.cc b/third_party/boringssl/src/crypto/x509/x509_vpm.cc index 75079814..e5b99639 100644 --- a/third_party/boringssl/src/crypto/x509/x509_vpm.cc +++ b/third_party/boringssl/src/crypto/x509/x509_vpm.cc 
@@ -117,8 +117,8 @@ static void copy_int_param(T *dest, const T *src, T default_val, } } -// x509_verify_param_merge merges fields from |src| to |dest|. If both |src| and -// |dest| have some field set, |prefer_src| determines whether |src| or |dest|'s +// x509_verify_param_merge merges fields from `src` to `dest`. If both `src` and +// `dest` have some field set, `prefer_src` determines whether `src` or `dest`'s // version is used. static int x509_verify_param_merge(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src, @@ -136,12 +136,12 @@ static int x509_verify_param_merge(X509_VERIFY_PARAM *dest, copy_int_param(&dest->trust, &src->trust, /*default_val=*/0, prefer_src); copy_int_param(&dest->depth, &src->depth, /*default_val=*/-1, prefer_src); - // |check_time|, unlike all other parameters, does not honor |prefer_src|. - // This means |X509_VERIFY_PARAM_set1| will not overwrite it. This behavior + // `check_time`, unlike all other parameters, does not honor `prefer_src`. + // This means `X509_VERIFY_PARAM_set1` will not overwrite it. This behavior // comes from OpenSSL but may have been a bug. if (!(dest->flags & X509_V_FLAG_USE_CHECK_TIME)) { dest->check_time = src->check_time; - // The source |X509_V_FLAG_USE_CHECK_TIME| flag, if set, is copied below. + // The source `X509_V_FLAG_USE_CHECK_TIME` flag, if set, is copied below. } dest->flags |= src->flags; 
@@ -186,14 +186,14 @@ static int x509_verify_param_merge(X509_VERIFY_PARAM *dest, int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) { // Prefer the destination. That is, this function only changes unset - // parameters in |dest|. + // parameters in `dest`. return x509_verify_param_merge(dest, src, /*prefer_src=*/false); } int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) { - // Prefer the source. That is, values in |to| are only preserved if they were - // unset in |from|. + // Prefer the source. That is, values in `to` are only preserved if they were + // unset in `from`. return x509_verify_param_merge(to, from, /*prefer_src=*/true); } diff --git a/third_party/boringssl/src/crypto/x509/x509name.cc b/third_party/boringssl/src/crypto/x509/x509name.cc index 4225d10e..273d6b43 100644 --- a/third_party/boringssl/src/crypto/x509/x509name.cc +++ b/third_party/boringssl/src/crypto/x509/x509name.cc @@ -255,7 +255,7 @@ int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *entry, int loc, if (!sk_X509_NAME_ENTRY_insert(sk, new_entry.get(), loc)) { return 0; } - new_entry.release(); // |sk| took ownership. + new_entry.release(); // `sk` took ownership. if (inc) { n = (int)sk_X509_NAME_ENTRY_num(sk); for (int i = loc + 1; i < n; i++) { diff --git a/third_party/boringssl/src/crypto/x509/x_algor.cc b/third_party/boringssl/src/crypto/x509/x_algor.cc index b20c5092..35dd6da9 100644 --- a/third_party/boringssl/src/crypto/x509/x_algor.cc +++ b/third_party/boringssl/src/crypto/x509/x_algor.cc @@ -209,7 +209,7 @@ int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md) { nullptr); } -// X509_ALGOR_cmp returns 0 if |a| and |b| are equal and non-zero otherwise. +// X509_ALGOR_cmp returns 0 if `a` and `b` are equal and non-zero otherwise. int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) { int rv; rv = OBJ_cmp(a->algorithm, b->algorithm); 
diff --git a/third_party/boringssl/src/crypto/x509/x_all.cc b/third_party/boringssl/src/crypto/x509/x_all.cc index e9e59c43..118c7b0d 100644 --- a/third_party/boringssl/src/crypto/x509/x_all.cc +++ b/third_party/boringssl/src/crypto/x509/x_all.cc @@ -64,7 +64,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { } int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) { - // Historically, this function called |EVP_MD_CTX_cleanup| on return. Some + // Historically, this function called `EVP_MD_CTX_cleanup` on return. Some // callers rely on this to avoid memory leaks. Cleanup cleanup = [&] { EVP_MD_CTX_cleanup(ctx); }; diff --git a/third_party/boringssl/src/crypto/x509/x_crl.cc b/third_party/boringssl/src/crypto/x509/x_crl.cc index f2e0f797..5bb2522c 100644 --- a/third_party/boringssl/src/crypto/x509/x_crl.cc +++ b/third_party/boringssl/src/crypto/x509/x_crl.cc @@ -227,7 +227,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, // Convert IDP into a more convenient form // // TODO(davidben): Each of these flags are already booleans, so this is not -// really more convenient. We can probably remove |idp_flags|. +// really more convenient. We can probably remove `idp_flags`. static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { int idp_only = 0; // Set various flags according to IDP @@ -248,7 +248,7 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp) { // Per RFC 5280, section 5.2.5, at most one of onlyContainsUserCerts, // onlyContainsCACerts, and onlyContainsAttributeCerts may be true. // - // TODO(crbug.com/boringssl/443): Move this check to the |ISSUING_DIST_POINT| + // TODO(crbug.com/boringssl/443): Move this check to the `ISSUING_DIST_POINT` // parser. if (idp_only > 1) { crl->idp_flags |= IDP_INVALID; diff --git a/third_party/boringssl/src/crypto/x509/x_name.cc b/third_party/boringssl/src/crypto/x509/x_name.cc index 66ba94f0..9b2afc9a 100644 --- a/third_party/boringssl/src/crypto/x509/x_name.cc 
+++ b/third_party/boringssl/src/crypto/x509/x_name.cc @@ -37,7 +37,7 @@ using namespace bssl; -// X509_NAME_MAX is the length of the maximum encoded |X509_NAME| we accept. +// X509_NAME_MAX is the length of the maximum encoded `X509_NAME` we accept. #define X509_NAME_MAX (1024 * 1024) static int asn1_marshal_string_canon(CBB *cbb, const ASN1_STRING *in); @@ -239,7 +239,7 @@ const X509_NAME_CACHE *bssl::x509_name_get_cache(const X509_NAME *name) { X509_NAME_CACHE *expected = nullptr; if (impl->cache.compare_exchange_strong(expected, new_cache.get())) { - // We won the race. |impl| now owns |new_cache|. + // We won the race. `impl` now owns `new_cache`. return new_cache.release(); } @@ -268,7 +268,7 @@ int bssl::x509_name_copy(X509_NAME *dst, const X509_NAME *src) { return 0; } // Callers sometimes try to set a name back to itself. We check this after - // |x509_name_get_cache| because, if |src| was so broken that it could not be + // `x509_name_get_cache` because, if `src` was so broken that it could not be // serialized, we used to return an error. (It's not clear if this codepath is // even possible.) if (dst == src) { diff --git a/third_party/boringssl/src/crypto/x509/x_pubkey.cc b/third_party/boringssl/src/crypto/x509/x_pubkey.cc index 828dec03..8cf2846a 100644 --- a/third_party/boringssl/src/crypto/x509/x_pubkey.cc +++ b/third_party/boringssl/src/crypto/x509/x_pubkey.cc 
@@ -68,9 +68,9 @@ static void x509_pubkey_changed(X509_PUBKEY *pub, EVP_PKEY_free(pub->pkey); pub->pkey = nullptr; - // Re-encode the |X509_PUBKEY| to DER and parse it with EVP's APIs. If the - // operation fails, clear errors. An |X509_PUBKEY| whose key we cannot parse - // is still a valid SPKI. It just cannot be converted to an |EVP_PKEY|. + // Re-encode the `X509_PUBKEY` to DER and parse it with EVP's APIs. If the + // operation fails, clear errors. An `X509_PUBKEY` whose key we cannot parse + // is still a valid SPKI. It just cannot be converted to an `EVP_PKEY`. ScopedCBB cbb; if (!CBB_init(cbb.get(), 64) || !x509_marshal_public_key(cbb.get(), pub)) { ERR_clear_error(); @@ -130,7 +130,7 @@ int i2d_X509_PUBKEY(const X509_PUBKEY *key, uint8_t **outp) { BSSL_NAMESPACE_BEGIN -// TODO(crbug.com/42290417): Remove this when |X509| and |X509_REQ| no longer +// TODO(crbug.com/42290417): Remove this when `X509` and `X509_REQ` no longer // depend on the tables. IMPLEMENT_EXTERN_ASN1_SIMPLE(X509_PUBKEY, X509_PUBKEY_new, X509_PUBKEY_free, CBS_ASN1_SEQUENCE, x509_parse_public_key_default, @@ -147,9 +147,9 @@ int bssl::x509_pubkey_set1(X509_PUBKEY *key, EVP_PKEY *pkey) { CBS cbs; CBS_init(&cbs, CBB_data(cbb.get()), CBB_len(cbb.get())); - // TODO(crbug.com/42290364): Use an |EVP_PKEY_ALG| derived from |pkey|. - // |X509_PUBKEY_get0| does not currently work when setting, say, an - // |EVP_PKEY_RSA_PSS| key. + // TODO(crbug.com/42290364): Use an `EVP_PKEY_ALG` derived from `pkey`. + // `X509_PUBKEY_get0` does not currently work when setting, say, an + // `EVP_PKEY_RSA_PSS` key. return x509_parse_public_key(&cbs, key, GetDefaultEVPAlgorithms()); } diff --git a/third_party/boringssl/src/crypto/x509/x_x509.cc b/third_party/boringssl/src/crypto/x509/x_x509.cc index f47df483..a7b7e4c4 100644 --- a/third_party/boringssl/src/crypto/x509/x_x509.cc +++ b/third_party/boringssl/src/crypto/x509/x_x509.cc 
@@ -134,7 +134,7 @@ X509 *X509_parse_with_algorithms(CRYPTO_BUFFER *buf, return nullptr; } // The version must be one of v1(0), v2(1), or v3(2). - // TODO(https://crbug.com/42290225): Also reject |X509_VERSION_1|. v1 is + // TODO(https://crbug.com/42290225): Also reject `X509_VERSION_1`. v1 is // DEFAULT, so DER requires it be omitted. if (version != X509_VERSION_1 && version != X509_VERSION_2 && version != X509_VERSION_3) { @@ -227,8 +227,8 @@ static UniquePtr x509_parse(CBS *cbs) { int bssl::x509_marshal_tbs_cert(CBB *cbb, const X509 *x509) { auto *impl = FromOpaque(x509); if (impl->buf != nullptr) { - // Replay the saved TBSCertificate from the |CRYPTO_BUFFER|, to verify - // exactly what we parsed. The |CRYPTO_BUFFER| contains the full + // Replay the saved TBSCertificate from the `CRYPTO_BUFFER`, to verify + // exactly what we parsed. The `CRYPTO_BUFFER` contains the full // Certificate, so we need to find the TBSCertificate portion. CBS cbs, cert, tbs; CRYPTO_BUFFER_init_CBS(impl->buf, &cbs); diff --git a/third_party/boringssl/src/crypto/x509/x_x509a.cc b/third_party/boringssl/src/crypto/x509/x_x509a.cc index 3c5e841f..5e6030c2 100644 --- a/third_party/boringssl/src/crypto/x509/x_x509a.cc +++ b/third_party/boringssl/src/crypto/x509/x_x509a.cc @@ -58,7 +58,7 @@ int X509_alias_set1(X509 *x, const uint8_t *name, ossl_ssize_t len) { auto *impl = FromOpaque(x); X509_CERT_AUX *aux; // TODO(davidben): Empty aliases are not meaningful in PKCS#12, and the - // getters cannot quite represent them. Also erase the object if |len| is + // getters cannot quite represent them. Also erase the object if `len` is // zero. if (!name) { if (!impl || !impl->aux || !impl->aux->alias) { 
@@ -81,7 +81,7 @@ int X509_keyid_set1(X509 *x, const uint8_t *id, ossl_ssize_t len) { auto *impl = FromOpaque(x); X509_CERT_AUX *aux; // TODO(davidben): Empty key IDs are not meaningful in PKCS#12, and the - // getters cannot quite represent them. Also erase the object if |len| is + // getters cannot quite represent them. Also erase the object if `len` is // zero. if (!id) { if (!impl || !impl->aux || !impl->aux->keyid) { diff --git a/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_64_win_asm.inc b/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_64_win_asm.inc index e29d4bed..7ab85dfd 100644 --- a/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_64_win_asm.inc +++ b/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_64_win_asm.inc 
@@ -227,38 +227,14 @@ %define chacha20_poly1305_seal BORINGSSL_PREFIX %+ _chacha20_poly1305_seal %define chacha20_poly1305_seal_avx2 BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_avx2 %define chacha20_poly1305_seal_sse41 BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_sse41 -%define ecp_nistz256_div_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2 -%define ecp_nistz256_mul_by_2 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2 -%define ecp_nistz256_mul_by_3 BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3 %define ecp_nistz256_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont -%define ecp_nistz256_mul_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_adx -%define ecp_nistz256_mul_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_nohw -%define ecp_nistz256_neg BORINGSSL_PREFIX %+ _ecp_nistz256_neg %define ecp_nistz256_ord_mul_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont %define ecp_nistz256_ord_mul_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_adx %define ecp_nistz256_ord_mul_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_nohw %define ecp_nistz256_ord_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont %define ecp_nistz256_ord_sqr_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_adx %define ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_nohw -%define ecp_nistz256_point_add BORINGSSL_PREFIX %+ _ecp_nistz256_point_add -%define ecp_nistz256_point_add_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_adx -%define ecp_nistz256_point_add_affine BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine -%define ecp_nistz256_point_add_affine_adx BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_adx -%define ecp_nistz256_point_add_affine_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_nohw -%define ecp_nistz256_point_add_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_nohw -%define ecp_nistz256_point_double BORINGSSL_PREFIX %+ _ecp_nistz256_point_double -%define ecp_nistz256_point_double_adx BORINGSSL_PREFIX %+ 
_ecp_nistz256_point_double_adx -%define ecp_nistz256_point_double_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_nohw -%define ecp_nistz256_select_w5 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5 -%define ecp_nistz256_select_w5_avx2 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_avx2 -%define ecp_nistz256_select_w5_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_nohw -%define ecp_nistz256_select_w7 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7 -%define ecp_nistz256_select_w7_avx2 BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_avx2 -%define ecp_nistz256_select_w7_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_nohw %define ecp_nistz256_sqr_mont BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont -%define ecp_nistz256_sqr_mont_adx BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_adx -%define ecp_nistz256_sqr_mont_nohw BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_nohw -%define ecp_nistz256_sub BORINGSSL_PREFIX %+ _ecp_nistz256_sub %define fiat_curve25519_adx_mul BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul %define fiat_curve25519_adx_square BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square %define fiat_p256_adx_mul BORINGSSL_PREFIX %+ _fiat_p256_adx_mul diff --git a/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_win_asm.inc b/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_win_asm.inc index 060a50b5..24eb9000 100644 --- a/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_win_asm.inc +++ b/third_party/boringssl/src/gen/boringssl_prefix_symbols_internal_x86_win_asm.inc 
@@ -227,38 +227,14 @@ %define _chacha20_poly1305_seal _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal %define _chacha20_poly1305_seal_avx2 _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_avx2 %define _chacha20_poly1305_seal_sse41 _ %+ BORINGSSL_PREFIX %+ _chacha20_poly1305_seal_sse41 -%define _ecp_nistz256_div_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_div_by_2 -%define _ecp_nistz256_mul_by_2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_2 -%define _ecp_nistz256_mul_by_3 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_by_3 %define _ecp_nistz256_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont -%define _ecp_nistz256_mul_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_adx -%define _ecp_nistz256_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_mul_mont_nohw -%define _ecp_nistz256_neg _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_neg %define _ecp_nistz256_ord_mul_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont %define _ecp_nistz256_ord_mul_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_adx %define _ecp_nistz256_ord_mul_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_mul_mont_nohw %define _ecp_nistz256_ord_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont %define _ecp_nistz256_ord_sqr_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_adx %define _ecp_nistz256_ord_sqr_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_ord_sqr_mont_nohw -%define _ecp_nistz256_point_add _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add -%define _ecp_nistz256_point_add_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_adx -%define _ecp_nistz256_point_add_affine _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine -%define _ecp_nistz256_point_add_affine_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_adx -%define _ecp_nistz256_point_add_affine_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_affine_nohw -%define _ecp_nistz256_point_add_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_add_nohw -%define 
_ecp_nistz256_point_double _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double -%define _ecp_nistz256_point_double_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_adx -%define _ecp_nistz256_point_double_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_point_double_nohw -%define _ecp_nistz256_select_w5 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5 -%define _ecp_nistz256_select_w5_avx2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_avx2 -%define _ecp_nistz256_select_w5_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w5_nohw -%define _ecp_nistz256_select_w7 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7 -%define _ecp_nistz256_select_w7_avx2 _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_avx2 -%define _ecp_nistz256_select_w7_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_select_w7_nohw %define _ecp_nistz256_sqr_mont _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont -%define _ecp_nistz256_sqr_mont_adx _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_adx -%define _ecp_nistz256_sqr_mont_nohw _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sqr_mont_nohw -%define _ecp_nistz256_sub _ %+ BORINGSSL_PREFIX %+ _ecp_nistz256_sub %define _fiat_curve25519_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_mul %define _fiat_curve25519_adx_square _ %+ BORINGSSL_PREFIX %+ _fiat_curve25519_adx_square %define _fiat_p256_adx_mul _ %+ BORINGSSL_PREFIX %+ _fiat_p256_adx_mul diff --git a/third_party/boringssl/src/include/openssl/aead.h b/third_party/boringssl/src/include/openssl/aead.h index d23c16dc..82523f13 100644 --- a/third_party/boringssl/src/include/openssl/aead.h +++ b/third_party/boringssl/src/include/openssl/aead.h 
@@ -29,22 +29,22 @@ extern "C" { // message has a unique, per-message nonce and, optionally, additional data // which is authenticated but not included in the ciphertext. // -// The |EVP_AEAD_CTX_init| function initialises an |EVP_AEAD_CTX| structure and -// performs any precomputation needed to use |aead| with |key|. The length of -// the key, |key_len|, is given in bytes. +// The `EVP_AEAD_CTX_init` function initialises an `EVP_AEAD_CTX` structure and +// performs any precomputation needed to use `aead` with `key`. The length of +// the key, `key_len`, is given in bytes. // -// The |tag_len| argument contains the length of the tags, in bytes, and allows +// The `tag_len` argument contains the length of the tags, in bytes, and allows // for the processing of truncated authenticators. A zero value indicates that // the default tag length should be used and this is defined as -// |EVP_AEAD_DEFAULT_TAG_LENGTH| in order to make the code clear. Using +// `EVP_AEAD_DEFAULT_TAG_LENGTH` in order to make the code clear. Using // truncated tags increases an attacker's chance of creating a valid forgery. // Be aware that the attacker's chance may increase more than exponentially as // would naively be expected. // -// When no longer needed, the initialised |EVP_AEAD_CTX| structure must be -// passed to |EVP_AEAD_CTX_cleanup|, which will deallocate any memory used. +// When no longer needed, the initialised `EVP_AEAD_CTX` structure must be +// passed to `EVP_AEAD_CTX_cleanup`, which will deallocate any memory used. // -// With an |EVP_AEAD_CTX| in hand, one can seal and open messages. These +// With an `EVP_AEAD_CTX` in hand, one can seal and open messages. These // operations are intended to meet the standard notions of privacy and // authenticity for authenticated encryption. For formal definitions see // Bellare and Namprempre, "Authenticated encryption: relations among notions 
@@ -53,7 +53,7 @@ extern "C" { // http://www-cse.ucsd.edu/~mihir/papers/oem.html. // // When sealing messages, a nonce must be given. The length of the nonce is -// fixed by the AEAD in use and is returned by |EVP_AEAD_nonce_length|. *The +// fixed by the AEAD in use and is returned by `EVP_AEAD_nonce_length`. *The // nonce must be unique for all messages with the same key*. This is critically // important - nonce reuse may completely undermine the security of the AEAD. // Nonces may be predictable and public, so long as they are unique. Uniqueness @@ -77,12 +77,12 @@ extern "C" { // violated. // // The "seal" and "open" operations also permit additional data to be -// authenticated via the |ad| parameter. This data is not included in the +// authenticated via the `ad` parameter. This data is not included in the // ciphertext and must be identical for both the "seal" and "open" call. This // permits implicit context to be authenticated but may be empty if not needed. // -// The "seal" and "open" operations may work in-place if the |out| and |in| -// arguments are equal. Otherwise, if |out| and |in| alias, input data may be +// The "seal" and "open" operations may work in-place if the `out` and `in` +// arguments are equal. Otherwise, if `out` and `in` alias, input data may be // overwritten before it is read. This situation will cause an error. // // The "seal" and "open" operations return one on success and zero on error. @@ -135,7 +135,7 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_xchacha20_poly1305(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_ctr_hmac_sha256(void); // EVP_aead_aes_256_ctr_hmac_sha256 is AES-256 in CTR mode with HMAC-SHA256 for -// authentication. See |EVP_aead_aes_128_ctr_hmac_sha256| for details. +// authentication. See `EVP_aead_aes_128_ctr_hmac_sha256` for details. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_ctr_hmac_sha256(void); // EVP_aead_aes_128_gcm_siv is AES-128 in GCM-SIV mode. See RFC 8452. 
@@ -200,20 +200,20 @@ OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_eax(void); // Utility functions. // EVP_AEAD_key_length returns the length, in bytes, of the keys used by -// |aead|. +// `aead`. OPENSSL_EXPORT size_t EVP_AEAD_key_length(const EVP_AEAD *aead); // EVP_AEAD_nonce_length returns the length, in bytes, of the per-message nonce -// for |aead|. +// for `aead`. OPENSSL_EXPORT size_t EVP_AEAD_nonce_length(const EVP_AEAD *aead); // EVP_AEAD_max_overhead returns the maximum number of additional bytes added -// by the act of sealing data with |aead|. +// by the act of sealing data with `aead`. OPENSSL_EXPORT size_t EVP_AEAD_max_overhead(const EVP_AEAD *aead); -// EVP_AEAD_max_tag_len returns the maximum tag length when using |aead|. This -// is the largest value that can be passed as |tag_len| to -// |EVP_AEAD_CTX_init|. +// EVP_AEAD_max_tag_len returns the maximum tag length when using `aead`. This +// is the largest value that can be passed as `tag_len` to +// `EVP_AEAD_CTX_init`. OPENSSL_EXPORT size_t EVP_AEAD_max_tag_len(const EVP_AEAD *aead); @@ -224,7 +224,7 @@ union evp_aead_ctx_st_state { uint64_t alignment; }; -// An evp_aead_ctx_st (typedefed as |EVP_AEAD_CTX| in base.h) represents an AEAD +// An evp_aead_ctx_st (typedefed as `EVP_AEAD_CTX` in base.h) represents an AEAD // algorithm configured with a specific key and message-independent IV. struct evp_aead_ctx_st { const EVP_AEAD *aead; 
@@ -257,119 +257,119 @@ struct evp_aead_ctx_st { // be used. #define EVP_AEAD_DEFAULT_TAG_LENGTH 0 -// EVP_AEAD_CTX_zero sets an uninitialized |ctx| to the zero state. It must be -// initialized with |EVP_AEAD_CTX_init| before use. It is safe, but not -// necessary, to call |EVP_AEAD_CTX_cleanup| in this state. This may be used for -// more uniform cleanup of |EVP_AEAD_CTX|. +// EVP_AEAD_CTX_zero sets an uninitialized `ctx` to the zero state. It must be +// initialized with `EVP_AEAD_CTX_init` before use. It is safe, but not +// necessary, to call `EVP_AEAD_CTX_cleanup` in this state. This may be used for +// more uniform cleanup of `EVP_AEAD_CTX`. OPENSSL_EXPORT void EVP_AEAD_CTX_zero(EVP_AEAD_CTX *ctx); -// EVP_AEAD_CTX_new allocates an |EVP_AEAD_CTX|, calls |EVP_AEAD_CTX_init| and -// returns the |EVP_AEAD_CTX|, or NULL on error. +// EVP_AEAD_CTX_new allocates an `EVP_AEAD_CTX`, calls `EVP_AEAD_CTX_init` and +// returns the `EVP_AEAD_CTX`, or NULL on error. OPENSSL_EXPORT EVP_AEAD_CTX *EVP_AEAD_CTX_new(const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len); -// EVP_AEAD_CTX_free calls |EVP_AEAD_CTX_cleanup| and |OPENSSL_free| on -// |ctx|. +// EVP_AEAD_CTX_free calls `EVP_AEAD_CTX_cleanup` and `OPENSSL_free` on +// `ctx`. OPENSSL_EXPORT void EVP_AEAD_CTX_free(EVP_AEAD_CTX *ctx); -// EVP_AEAD_CTX_init initializes |ctx| for the given AEAD algorithm. The |impl| +// EVP_AEAD_CTX_init initializes `ctx` for the given AEAD algorithm. The `impl` // argument is ignored and should be NULL. Authentication tags may be truncated -// by passing a size as |tag_len|. A |tag_len| of zero indicates the default +// by passing a size as `tag_len`. A `tag_len` of zero indicates the default // tag length and this is defined as EVP_AEAD_DEFAULT_TAG_LENGTH for // readability. // // Returns 1 on success. Otherwise returns 0 and pushes to the error stack. 
In -// the error case, you do not need to call |EVP_AEAD_CTX_cleanup|, but it's +// the error case, you do not need to call `EVP_AEAD_CTX_cleanup`, but it's // harmless to do so. OPENSSL_EXPORT int EVP_AEAD_CTX_init(EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len, ENGINE *impl); -// EVP_AEAD_CTX_cleanup frees any data allocated by |ctx|. It is a no-op to -// call |EVP_AEAD_CTX_cleanup| on a |EVP_AEAD_CTX| that has been |memset| to +// EVP_AEAD_CTX_cleanup frees any data allocated by `ctx`. It is a no-op to +// call `EVP_AEAD_CTX_cleanup` on a `EVP_AEAD_CTX` that has been `memset` to // all zeros. OPENSSL_EXPORT void EVP_AEAD_CTX_cleanup(EVP_AEAD_CTX *ctx); -// EVP_AEAD_CTX_seal encrypts and authenticates |in_len| bytes from |in| and -// authenticates |ad_len| bytes from |ad| and writes the result to |out|. It +// EVP_AEAD_CTX_seal encrypts and authenticates `in_len` bytes from `in` and +// authenticates `ad_len` bytes from `ad` and writes the result to `out`. It // returns one on success and zero otherwise. // // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. +// function on the same `EVP_AEAD_CTX`. // -// At most |max_out_len| bytes are written to |out| and, in order to ensure -// success, |max_out_len| should be |in_len| plus the result of -// |EVP_AEAD_max_overhead|. On successful return, |*out_len| is set to the +// At most `max_out_len` bytes are written to `out` and, in order to ensure +// success, `max_out_len` should be `in_len` plus the result of +// `EVP_AEAD_max_overhead`. On successful return, `*out_len` is set to the // actual number of bytes written. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_seal| never results in a partial output. 
If |max_out_len| is -// insufficient, zero will be returned. If any error occurs, |out| will be -// filled with zero bytes and |*out_len| set to zero. +// `EVP_AEAD_CTX_seal` never results in a partial output. If `max_out_len` is +// insufficient, zero will be returned. If any error occurs, `out` will be +// filled with zero bytes and `*out_len` set to zero. // -// If |in| and |out| alias then |out| must be == |in|. +// If `in` and `out` alias then `out` must be == `in`. OPENSSL_EXPORT int EVP_AEAD_CTX_seal(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len); -// EVP_AEAD_CTX_open authenticates |in_len| bytes from |in| and |ad_len| bytes -// from |ad| and decrypts at most |in_len| bytes into |out|. It returns one on +// EVP_AEAD_CTX_open authenticates `in_len` bytes from `in` and `ad_len` bytes +// from `ad` and decrypts at most `in_len` bytes into `out`. It returns one on // success and zero otherwise. // // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. +// function on the same `EVP_AEAD_CTX`. // -// At most |in_len| bytes are written to |out|. In order to ensure success, -// |max_out_len| should be at least |in_len|. On successful return, |*out_len| +// At most `in_len` bytes are written to `out`. In order to ensure success, +// `max_out_len` should be at least `in_len`. On successful return, `*out_len` // is set to the the actual number of bytes written. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_open| never results in a partial output. If |max_out_len| is -// insufficient, zero will be returned. 
If any error occurs, |out| will be -// filled with zero bytes and |*out_len| set to zero. +// `EVP_AEAD_CTX_open` never results in a partial output. If `max_out_len` is +// insufficient, zero will be returned. If any error occurs, `out` will be +// filled with zero bytes and `*out_len` set to zero. // -// If |in| and |out| alias then |out| must be == |in|. +// If `in` and `out` alias then `out` must be == `in`. OPENSSL_EXPORT int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len); -// EVP_AEAD_CTX_seal_scatter encrypts and authenticates |in_len| bytes from |in| -// and authenticates |ad_len| bytes from |ad|. It writes |in_len| bytes of -// ciphertext to |out| and the authentication tag to |out_tag|. It returns one +// EVP_AEAD_CTX_seal_scatter encrypts and authenticates `in_len` bytes from `in` +// and authenticates `ad_len` bytes from `ad`. It writes `in_len` bytes of +// ciphertext to `out` and the authentication tag to `out_tag`. It returns one // on success and zero otherwise. // // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. +// function on the same `EVP_AEAD_CTX`. // -// Exactly |in_len| bytes are written to |out|, and up to -// |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful -// return, |*out_tag_len| is set to the actual number of bytes written to -// |out_tag|. +// Exactly `in_len` bytes are written to `out`, and up to +// `EVP_AEAD_max_overhead+extra_in_len` bytes to `out_tag`. On successful +// return, `*out_tag_len` is set to the actual number of bytes written to +// `out_tag`. // -// |extra_in| may point to an additional plaintext input buffer if the cipher -// supports it. 
If present, |extra_in_len| additional bytes of plaintext are +// `extra_in` may point to an additional plaintext input buffer if the cipher +// supports it. If present, `extra_in_len` additional bytes of plaintext are // encrypted and authenticated, and the ciphertext is written (before the tag) -// to |out_tag|. |max_out_tag_len| must be sized to allow for the additional -// |extra_in_len| bytes. +// to `out_tag`. `max_out_tag_len` must be sized to allow for the additional +// `extra_in_len` bytes. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_seal_scatter| never results in a partial output. If -// |max_out_tag_len| is insufficient, zero will be returned. If any error -// occurs, |out| and |out_tag| will be filled with zero bytes and |*out_tag_len| +// `EVP_AEAD_CTX_seal_scatter` never results in a partial output. If +// `max_out_tag_len` is insufficient, zero will be returned. If any error +// occurs, `out` and `out_tag` will be filled with zero bytes and `*out_tag_len` // set to zero. // -// If |in| and |out| alias then |out| must be == |in|. |out_tag| may not alias +// If `in` and `out` alias then `out` must be == `in`. `out_tag` may not alias // any other argument. OPENSSL_EXPORT int EVP_AEAD_CTX_seal_scatter( const EVP_AEAD_CTX *ctx, uint8_t *out, uint8_t *out_tag, 
@@ -377,81 +377,81 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_seal_scatter( size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *extra_in, size_t extra_in_len, const uint8_t *ad, size_t ad_len); -// EVP_AEAD_CTX_open_gather decrypts and authenticates |in_len| bytes from |in| -// and authenticates |ad_len| bytes from |ad| using |in_tag_len| bytes of -// authentication tag from |in_tag|. If successful, it writes |in_len| bytes of -// plaintext to |out|. It returns one on success and zero otherwise. +// EVP_AEAD_CTX_open_gather decrypts and authenticates `in_len` bytes from `in` +// and authenticates `ad_len` bytes from `ad` using `in_tag_len` bytes of +// authentication tag from `in_tag`. If successful, it writes `in_len` bytes of +// plaintext to `out`. It returns one on success and zero otherwise. // // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. +// function on the same `EVP_AEAD_CTX`. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_open_gather| never results in a partial output. If any error -// occurs, |out| will be filled with zero bytes. +// `EVP_AEAD_CTX_open_gather` never results in a partial output. If any error +// occurs, `out` will be filled with zero bytes. // -// If |in| and |out| alias then |out| must be == |in|. +// If `in` and `out` alias then `out` must be == `in`. OPENSSL_EXPORT int EVP_AEAD_CTX_open_gather( const EVP_AEAD_CTX *ctx, uint8_t *out, const uint8_t *nonce, size_t nonce_len, const uint8_t *in, size_t in_len, const uint8_t *in_tag, size_t in_tag_len, const uint8_t *ad, size_t ad_len); -// crypto_ivec_st (aka |CRYPTO_IVEC|) combines a pointer to input data with its +// crypto_ivec_st (aka `CRYPTO_IVEC`) combines a pointer to input data with its // length. 
It is usually passed as an array of length of at most -// |CRYPTO_IOVEC_MAX|. +// `CRYPTO_IOVEC_MAX`. struct crypto_ivec_st { const uint8_t *in; size_t len; }; -// crypto_iovec_st (aka |CRYPTO_IOVEC| combines a pointer to input data and a +// crypto_iovec_st (aka `CRYPTO_IOVEC` combines a pointer to input data and a // pointer to an output buffer with their common length. It is usually passed -// as an array of length of at most |CRYPTO_IOVEC_MAX|. +// as an array of length of at most `CRYPTO_IOVEC_MAX`. struct crypto_iovec_st { - // |out| and |in| must be disjoint or equal + // `out` and `in` must be disjoint or equal uint8_t *out; const uint8_t *in; size_t len; }; -// CRYPTO_IOVEC_MAX is the maximum number of entries in an |CRYPTO_IOVEC| or -// |CRYPTO_IVEC| parameter. +// CRYPTO_IOVEC_MAX is the maximum number of entries in an `CRYPTO_IOVEC` or +// `CRYPTO_IVEC` parameter. #define CRYPTO_IOVEC_MAX 16 -// EVP_AEAD_CTX_sealv encrypts and authenticates the |in| bytes from |iovec| -// and authenticates the |aadvec| bytes. It writes the same amount of -// ciphertext to the |out| pointers of |iovec| and the authentication tag to -// |out_tag|. It returns one on success and zero otherwise. +// EVP_AEAD_CTX_sealv encrypts and authenticates the `in` bytes from `iovec` +// and authenticates the `aadvec` bytes. It writes the same amount of +// ciphertext to the `out` pointers of `iovec` and the authentication tag to +// `out_tag`. It returns one on success and zero otherwise. // -// This function computes the same output as |EVP_AEAD_CTX_seal_scatter|, but +// This function computes the same output as `EVP_AEAD_CTX_seal_scatter`, but // without requiring the input or output to be a contiguous buffer. The // individual input and output pieces are logically concatenated for a single // operation; their boundaries are not semantically significant and will not // impact the output. 
// // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. +// function on the same `EVP_AEAD_CTX`. // -// Exactly |len| bytes are written to each |out| member of the |iovec|, and up -// to |EVP_AEAD_max_overhead+extra_in_len| bytes to |out_tag|. On successful -// return, |*out_tag_len| is set to the actual number of bytes written to -// |out_tag|. +// Exactly `len` bytes are written to each `out` member of the `iovec`, and up +// to `EVP_AEAD_max_overhead+extra_in_len` bytes to `out_tag`. On successful +// return, `*out_tag_len` is set to the actual number of bytes written to +// `out_tag`. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_sealv| never results in a partial output. If |max_out_tag_len| -// is insufficient, zero will be returned. If any error occurs, the |out| -// members of the |iovec| and |out_tag| will be filled with zero bytes and -// |*out_tag_len| set to zero. +// `EVP_AEAD_CTX_sealv` never results in a partial output. If `max_out_tag_len` +// is insufficient, zero will be returned. If any error occurs, the `out` +// members of the `iovec` and `out_tag` will be filled with zero bytes and +// `*out_tag_len` set to zero. // // No output pointer may alias any other pointer passed to this function either -// directly or via |iovec| and |aadvec|, with the one exception that it is -// permitted for the same |iovec| member's |in| and |out| members to be equal +// directly or via `iovec` and `aadvec`, with the one exception that it is +// permitted for the same `iovec` member's `in` and `out` members to be equal // (in-place operation). // -// |num_iovec| and |num_aadvec| must be <= |CRYPTO_IOVEC_MAX|. +// `num_iovec` and `num_aadvec` must be <= `CRYPTO_IOVEC_MAX`. 
OPENSSL_EXPORT int EVP_AEAD_CTX_sealv(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, size_t num_iovec, uint8_t *out_tag, size_t *out_tag_len, 
@@ -459,80 +459,80 @@ int EVP_AEAD_CTX_sealv(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, size_t nonce_len, const CRYPTO_IVEC *aadvec, size_t num_aadvec); -// EVP_AEAD_CTX_openv authenticates the |in| bytes from |iovec| and |aadvec|, -// and decrypts the |in| bytes to the |out| pointers of |iovec|. It returns one +// EVP_AEAD_CTX_openv authenticates the `in` bytes from `iovec` and `aadvec`, +// and decrypts the `in` bytes to the `out` pointers of `iovec`. It returns one // on success and zero otherwise. // -// This function computes the same output as |EVP_AEAD_CTX_open|, but without +// This function computes the same output as `EVP_AEAD_CTX_open`, but without // requiring the input or output to be a contiguous buffer. The individual // input and output pieces are logically concatenated for a single operation; // their boundaries are not semantically significant and will not impact the // output. // // This function may (and usually will) output less than the total length of -// |iovec|. In this case, it outputs to a prefix of |iovec|'s output space, +// `iovec`. In this case, it outputs to a prefix of `iovec`'s output space, // then returns the length of what was actually written. // // In AEADs with a fixed-length authentication tag, the tag is treated as if it // were appended to the ciphertext, and successful outputs will always be // exactly the tag length shorter. To open with a separate, detached tag, -// either provide it as a separate |CRYPTO_IOVEC|, or use -// |EVP_AEAD_CTX_openv_detached|. The latter may be more convenient, one does -// not need consider the possibility of output to the final |CRYPTO_IOVEC|. +// either provide it as a separate `CRYPTO_IOVEC`, or use +// `EVP_AEAD_CTX_openv_detached`. The latter may be more convenient, one does +// not need consider the possibility of output to the final `CRYPTO_IOVEC`. // // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. 
+// function on the same `EVP_AEAD_CTX`. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_openv| never results in a partial output. If any error occurs, -// |out| will be filled with zero bytes and |*out_len| set to zero. +// `EVP_AEAD_CTX_openv` never results in a partial output. If any error occurs, +// `out` will be filled with zero bytes and `*out_len` set to zero. // // No output pointer may alias any other pointer passed to this function either -// directly or via |iovec| and |aadvec|, with the one exception that it is -// permitted for the same |iovec| member's |in| and |out| members to be equal +// directly or via `iovec` and `aadvec`, with the one exception that it is +// permitted for the same `iovec` member's `in` and `out` members to be equal // (in-place operation). // -// |num_iovec| and |num_aadvec| must be <= |CRYPTO_IOVEC_MAX|. +// `num_iovec` and `num_aadvec` must be <= `CRYPTO_IOVEC_MAX`. OPENSSL_EXPORT int EVP_AEAD_CTX_openv(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, size_t num_iovec, size_t *out_total_bytes, const uint8_t *nonce, size_t nonce_len, const CRYPTO_IVEC *aadvec, size_t num_aadvec); -// EVP_AEAD_CTX_openv_detached authenticates the |in| bytes from |iovec| and -// |aadvec| using |in_tag_len| bytes of authentication tag from |in_tag|. If -// successful, it writes the plaintext of the |in| bytes to the |out| pointers -// of |iovec|. It returns one on success and zero otherwise. +// EVP_AEAD_CTX_openv_detached authenticates the `in` bytes from `iovec` and +// `aadvec` using `in_tag_len` bytes of authentication tag from `in_tag`. If +// successful, it writes the plaintext of the `in` bytes to the `out` pointers +// of `iovec`. It returns one on success and zero otherwise. 
// // This function is usable with AEADs whose output can be split into a // ciphertext portion, with the same length as the plaintext, and a // fixed-length authentication tag. If the AEAD has a variable-length overhead, // this function will return zero. Such AEADs can only be used with -// |EVP_AEAD_CTX_openv|. +// `EVP_AEAD_CTX_openv`. // -// This function computes the same output as |EVP_AEAD_CTX_open|, but with a +// This function computes the same output as `EVP_AEAD_CTX_open`, but with a // detached tag and without requiring the input or output to be a contiguous // buffer. The individual input and output pieces are logically concatenated // for a single operation; their boundaries are not semantically significant // and will not impact the output. // // This function may be called concurrently with itself or any other seal/open -// function on the same |EVP_AEAD_CTX|. +// function on the same `EVP_AEAD_CTX`. // -// The length of |nonce|, |nonce_len|, must be equal to the result of -// |EVP_AEAD_nonce_length| for this AEAD. +// The length of `nonce`, `nonce_len`, must be equal to the result of +// `EVP_AEAD_nonce_length` for this AEAD. // -// |EVP_AEAD_CTX_openv_detached| never results in a partial output. If any -// error occurs, |out| will be filled with zero bytes. +// `EVP_AEAD_CTX_openv_detached` never results in a partial output. If any +// error occurs, `out` will be filled with zero bytes. // // No output pointer may alias any other pointer passed to this function either -// directly or via |iovec| and |aadvec|, with the one exception that it is -// permitted for the same |iovec| member's |in| and |out| members to be equal +// directly or via `iovec` and `aadvec`, with the one exception that it is +// permitted for the same `iovec` member's `in` and `out` members to be equal // (in-place operation). // -// |num_iovec| and |num_aadvec| must be <= |CRYPTO_IOVEC_MAX|. +// `num_iovec` and `num_aadvec` must be <= `CRYPTO_IOVEC_MAX`. 
OPENSSL_EXPORT int EVP_AEAD_CTX_openv_detached(const EVP_AEAD_CTX *ctx, const CRYPTO_IOVEC *iovec, size_t num_iovec, 
@@ -540,45 +540,61 @@ int EVP_AEAD_CTX_openv_detached(const EVP_AEAD_CTX *ctx, const uint8_t *in_tag, size_t in_tag_len, const CRYPTO_IVEC *aadvec, size_t num_aadvec); -// EVP_AEAD_CTX_aead returns the underlying AEAD for |ctx|, or NULL if one has +// EVP_AEAD_CTX_aead returns the underlying AEAD for `ctx`, or NULL if one has // not been set. OPENSSL_EXPORT const EVP_AEAD *EVP_AEAD_CTX_aead(const EVP_AEAD_CTX *ctx); // TLS-specific AEAD algorithms. // -// These AEAD primitives do not meet the definition of generic AEADs. They are -// all specific to TLS and should not be used outside of that context. They must -// be initialized with |EVP_AEAD_CTX_init_with_direction|, are stateful, and may -// not be used concurrently. Any nonces are used as IVs, so they must be -// unpredictable. They only accept an |ad| parameter of length 11 (the standard -// TLS one with length omitted). +// WARNING: These `EVP_AEAD` objects primitives do not meet the definition of +// generic AEADs. They are all specific to TLS and should not be used outside of +// that context. They break the usual guarantees around `EVP_AEAD_CTX`, +// including statefulness, thread-safety, initialization conventions, and +// security requirements around the nonce parameter. +// The following functions implement legacy TLS CBC cipher suites. +// +// WARNING: These functions are effectively internal implementation details of +// libssl, not general-purpose constructions. They are not true AEADs and differ +// from a normal `EVP_AEAD` in many ways: +// +// * They must be initialized with `EVP_AEAD_CTX_init_with_direction`, not +// `EVP_AEAD_CTX_init`. +// +// * The resulting `EVP_AEAD_CTX`s are stateful. Neither `EVP_AEAD_CTX_open*` +// nor `EVP_AEAD_CTX_seal*` can be called concurrently. +// +// * The `ad` parameter must have length 11 (the standard TLS one with length +// omitted). +// +// * The `nonce` parameter is used as a CBC IV and must be unpredictable, not +// just unique. 
+// +// * The `*_implicit_iv` variants implicitly set the IV to the last block of the +// previous message. They are vulnerable the BEAST attack unless the caller +// applies record-splitting mitigations externally. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha1_tls_implicit_iv(void); - OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_cbc_sha256_tls(void); - OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_cbc_sha1_tls_implicit_iv(void); - OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls(void); OPENSSL_EXPORT const EVP_AEAD *EVP_aead_des_ede3_cbc_sha1_tls_implicit_iv(void); -// EVP_aead_aes_128_gcm_tls12 is AES-128 in Galois Counter Mode using the TLS -// 1.2 nonce construction. +// The following functions behave like `EVP_aead_aes_128_gcm` or +// `EVP_aead_aes_256_gcm`, except that seal operations fail if nonces do not +// match the TLS 1.2 or TLS 1.3 nonce construction. +// +// These functions are only applicable for callers that want an extra AEAD-level +// nonce check. `EVP_aead_aes_128_gcm` and `EVP_aead_aes_256_gcm` are otherwise +// suitable for implementing TLS and will produce the same output. +// +// WARNING: `EVP_AEAD_CTX` objects initialized with these `EVP_AEAD`s are +// stateful. `EVP_AEAD_CTX_seal*` cannot be called concurrently. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls12(void); - -// EVP_aead_aes_256_gcm_tls12 is AES-256 in Galois Counter Mode using the TLS -// 1.2 nonce construction. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls12(void); - -// EVP_aead_aes_128_gcm_tls13 is AES-128 in Galois Counter Mode using the TLS -// 1.3 nonce construction. OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_128_gcm_tls13(void); - -// EVP_aead_aes_256_gcm_tls13 is AES-256 in Galois Counter Mode using the TLS -// 1.3 nonce construction. 
OPENSSL_EXPORT const EVP_AEAD *EVP_aead_aes_256_gcm_tls13(void); @@ -590,15 +606,14 @@ enum evp_aead_direction_t { evp_aead_seal, }; -// EVP_AEAD_CTX_init_with_direction calls |EVP_AEAD_CTX_init| for normal -// AEADs. For TLS-specific and SSL3-specific AEADs, it initializes |ctx| for a -// given direction. +// EVP_AEAD_CTX_init_with_direction calls `EVP_AEAD_CTX_init` for normal +// AEADs. For TLS-specific AEADs, it initializes `ctx` for a given direction. OPENSSL_EXPORT int EVP_AEAD_CTX_init_with_direction( EVP_AEAD_CTX *ctx, const EVP_AEAD *aead, const uint8_t *key, size_t key_len, size_t tag_len, enum evp_aead_direction_t dir); -// EVP_AEAD_CTX_get_iv sets |*out_len| to the length of the IV for |ctx| and -// sets |*out_iv| to point to that many bytes of the current IV. This is only +// EVP_AEAD_CTX_get_iv sets `*out_len` to the length of the IV for `ctx` and +// sets `*out_iv` to point to that many bytes of the current IV. This is only // meaningful for AEADs with implicit IVs (i.e. CBC mode in TLS 1.0). // // It returns one on success or zero on error. 
@@ -606,17 +621,17 @@ OPENSSL_EXPORT int EVP_AEAD_CTX_get_iv(const EVP_AEAD_CTX *ctx, const uint8_t **out_iv, size_t *out_len); // EVP_AEAD_CTX_tag_len computes the exact byte length of the tag written by -// |EVP_AEAD_CTX_seal_scatter| and writes it to |*out_tag_len|. It returns one -// on success or zero on error. |in_len| and |extra_in_len| must equal the -// arguments of the same names passed to |EVP_AEAD_CTX_seal_scatter|. +// `EVP_AEAD_CTX_seal_scatter` and writes it to `*out_tag_len`. It returns one +// on success or zero on error. `in_len` and `extra_in_len` must equal the +// arguments of the same names passed to `EVP_AEAD_CTX_seal_scatter`. // // To compute the exact byte length of the output written by -// |EVP_AEAD_CTX_seal|, set |extra_in_len| to zero and add |in_len| to the +// `EVP_AEAD_CTX_seal`, set `extra_in_len` to zero and add `in_len` to the // result. // -// To compute the exact byte length of the tag written by |EVP_AEAD_CTX_sealv|, -// set |in_len| to the sum of |len| over the entire |iovec|, and set -// |extra_in_len| to zero. +// To compute the exact byte length of the tag written by `EVP_AEAD_CTX_sealv`, +// set `in_len` to the sum of `len` over the entire `iovec`, and set +// `extra_in_len` to zero. OPENSSL_EXPORT int EVP_AEAD_CTX_tag_len(const EVP_AEAD_CTX *ctx, size_t *out_tag_len, const size_t in_len, diff --git a/third_party/boringssl/src/include/openssl/aes.h b/third_party/boringssl/src/include/openssl/aes.h index eee88a51..5dd0cfdc 100644 --- a/third_party/boringssl/src/include/openssl/aes.h +++ b/third_party/boringssl/src/include/openssl/aes.h 
@@ -41,39 +41,39 @@ struct aes_key_st { }; typedef struct aes_key_st AES_KEY; -// AES_set_encrypt_key configures |aeskey| to encrypt with the |bits|-bit key, -// |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a -// negative number if |bits| is an invalid AES key size. +// AES_set_encrypt_key configures `aeskey` to encrypt with the `bits`-bit key, +// `key`. `key` must point to `bits`/8 bytes. It returns zero on success and a +// negative number if `bits` is an invalid AES key size. // // WARNING: this function breaks the usual return value convention. OPENSSL_EXPORT int AES_set_encrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey); -// AES_set_decrypt_key configures |aeskey| to decrypt with the |bits|-bit key, -// |key|. |key| must point to |bits|/8 bytes. It returns zero on success and a -// negative number if |bits| is an invalid AES key size. +// AES_set_decrypt_key configures `aeskey` to decrypt with the `bits`-bit key, +// `key`. `key` must point to `bits`/8 bytes. It returns zero on success and a +// negative number if `bits` is an invalid AES key size. // // WARNING: this function breaks the usual return value convention. OPENSSL_EXPORT int AES_set_decrypt_key(const uint8_t *key, unsigned bits, AES_KEY *aeskey); -// AES_encrypt encrypts a single block from |in| to |out| with |key|. The |in| -// and |out| pointers may overlap. +// AES_encrypt encrypts a single block from `in` to `out` with `key`. The `in` +// and `out` pointers may overlap. OPENSSL_EXPORT void AES_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); -// AES_decrypt decrypts a single block from |in| to |out| with |key|. The |in| -// and |out| pointers may overlap. +// AES_decrypt decrypts a single block from `in` to `out` with `key`. The `in` +// and `out` pointers may overlap. OPENSSL_EXPORT void AES_decrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key); // Block cipher modes. 
-// AES_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) |len| -// bytes from |in| to |out|. The |num| parameter must be set to zero on the -// first call and |ivec| will be incremented. This function may be called -// in-place with |in| equal to |out|, but otherwise the buffers may not +// AES_ctr128_encrypt encrypts (or decrypts, it's the same in CTR mode) `len` +// bytes from `in` to `out`. The `num` parameter must be set to zero on the +// first call and `ivec` will be incremented. This function may be called +// in-place with `in` equal to `out`, but otherwise the buffers may not // partially overlap. A partial overlap may overwrite input data before it is // read. OPENSSL_EXPORT void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out, 
@@ -82,34 +82,34 @@ OPENSSL_EXPORT void AES_ctr128_encrypt(const uint8_t *in, uint8_t *out,
 uint8_t ecount_buf[AES_BLOCK_SIZE], unsigned int *num);
-// AES_ecb_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) a single,
-// 16 byte block from |in| to |out|. This function may be called in-place with
-// |in| equal to |out|, but otherwise the buffers may not partially overlap. A
+// AES_ecb_encrypt encrypts (or decrypts, if `enc` == `AES_DECRYPT`) a single,
+// 16 byte block from `in` to `out`. This function may be called in-place with
+// `in` equal to `out`, but otherwise the buffers may not partially overlap. A
 // partial overlap may overwrite input data before it is read.
 OPENSSL_EXPORT void AES_ecb_encrypt(const uint8_t *in, uint8_t *out, const AES_KEY *key, const int enc);
-// AES_cbc_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|
-// bytes from |in| to |out|. The length must be a multiple of the block size.
-// This function may be called in-place with |in| equal to |out|, but otherwise
+// AES_cbc_encrypt encrypts (or decrypts, if `enc` == `AES_DECRYPT`) `len`
+// bytes from `in` to `out`. The length must be a multiple of the block size.
+// This function may be called in-place with `in` equal to `out`, but otherwise
 // the buffers may not partially overlap. A partial overlap may overwrite input
 // data before it is read.
 OPENSSL_EXPORT void AES_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t *ivec, const int enc);
-// AES_ofb128_encrypt encrypts (or decrypts, it's the same in OFB mode) |len|
-// bytes from |in| to |out|. The |num| parameter must be set to zero on the
-// first call. This function may be called in-place with |in| equal to |out|,
+// AES_ofb128_encrypt encrypts (or decrypts, it's the same in OFB mode) `len`
+// bytes from `in` to `out`. The `num` parameter must be set to zero on the
+// first call. This function may be called in-place with `in` equal to `out`,
 // but otherwise the buffers may not partially overlap. A partial overlap may
 // overwrite input data before it is read.
 OPENSSL_EXPORT void AES_ofb128_encrypt(const uint8_t *in, uint8_t *out, size_t len, const AES_KEY *key, uint8_t *ivec, int *num);
-// AES_cfb128_encrypt encrypts (or decrypts, if |enc| == |AES_DECRYPT|) |len|
-// bytes from |in| to |out|. The |num| parameter must be set to zero on the
-// first call. This function may be called in-place with |in| equal to |out|,
+// AES_cfb128_encrypt encrypts (or decrypts, if `enc` == `AES_DECRYPT`) `len`
+// bytes from `in` to `out`. The `num` parameter must be set to zero on the
+// first call. This function may be called in-place with `in` equal to `out`,
 // but otherwise the buffers may not partially overlap. A partial overlap may
 // overwrite input data before it is read.
 OPENSSL_EXPORT void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out,
@@ -123,18 +123,18 @@ OPENSSL_EXPORT void AES_cfb128_encrypt(const uint8_t *in, uint8_t *out,
 // should never be used except to interoperate with existing systems that use
 // this mode.
-// AES_wrap_key performs AES key wrap on |in| which must be a multiple of 8
-// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.
-// |key| must have been configured for encryption. On success, it writes
-// |in_len| + 8 bytes to |out| and returns |in_len| + 8. Otherwise, it returns
+// AES_wrap_key performs AES key wrap on `in` which must be a multiple of 8
+// bytes. `iv` must point to an 8 byte value or be NULL to use the default IV.
+// `key` must have been configured for encryption. On success, it writes
+// `in_len` + 8 bytes to `out` and returns `in_len` + 8. Otherwise, it returns
 // -1.
 OPENSSL_EXPORT int AES_wrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out, const uint8_t *in, size_t in_len);
-// AES_unwrap_key performs AES key unwrap on |in| which must be a multiple of 8
-// bytes. |iv| must point to an 8 byte value or be NULL to use the default IV.
-// |key| must have been configured for decryption. On success, it writes
-// |in_len| - 8 bytes to |out| and returns |in_len| - 8. Otherwise, it returns
+// AES_unwrap_key performs AES key unwrap on `in` which must be a multiple of 8
+// bytes. `iv` must point to an 8 byte value or be NULL to use the default IV.
+// `key` must have been configured for decryption. On success, it writes
+// `in_len` - 8 bytes to `out` and returns `in_len` - 8. Otherwise, it returns
 // -1.
 OPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv, uint8_t *out, const uint8_t *in,
@@ -147,20 +147,20 @@ OPENSSL_EXPORT int AES_unwrap_key(const AES_KEY *key, const uint8_t *iv,
 // 5649. They should never be used except to interoperate with existing systems
 // that use this mode.
-// AES_wrap_key_padded performs a padded AES key wrap on |in| which must be
-// between 1 and 2^32-1 bytes. |key| must have been configured for encryption.
-// On success it writes at most |max_out| bytes of ciphertext to |out|, sets
-// |*out_len| to the number of bytes written, and returns one. On failure it
-// returns zero. To ensure success, set |max_out| to at least |in_len| + 15.
+// AES_wrap_key_padded performs a padded AES key wrap on `in` which must be
+// between 1 and 2^32-1 bytes. `key` must have been configured for encryption.
+// On success it writes at most `max_out` bytes of ciphertext to `out`, sets
+// `*out_len` to the number of bytes written, and returns one. On failure it
+// returns zero. To ensure success, set `max_out` to at least `in_len` + 15.
 OPENSSL_EXPORT int AES_wrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len, size_t max_out, const uint8_t *in, size_t in_len);
-// AES_unwrap_key_padded performs a padded AES key unwrap on |in| which must be
-// a multiple of 8 bytes. |key| must have been configured for decryption. On
-// success it writes at most |max_out| bytes to |out|, sets |*out_len| to the
+// AES_unwrap_key_padded performs a padded AES key unwrap on `in` which must be
+// a multiple of 8 bytes. `key` must have been configured for decryption. On
+// success it writes at most `max_out` bytes to `out`, sets `*out_len` to the
 // number of bytes written, and returns one. On failure it returns zero. Setting
-// |max_out| to |in_len| is a sensible estimate.
+// `max_out` to `in_len` is a sensible estimate.
 OPENSSL_EXPORT int AES_unwrap_key_padded(const AES_KEY *key, uint8_t *out, size_t *out_len, size_t max_out, const uint8_t *in, size_t in_len);
diff --git a/third_party/boringssl/src/include/openssl/asm_base.h b/third_party/boringssl/src/include/openssl/asm_base.h
index 926eb6f3..ce190347 100644
--- a/third_party/boringssl/src/include/openssl/asm_base.h
+++ b/third_party/boringssl/src/include/openssl/asm_base.h
@@ -25,7 +25,7 @@
 // Every assembly file must include this header. Some linker features require
 // all object files to be tagged with some section metadata. This header file,
 // when included in assembly, adds that metadata. It also makes defines like
-// |OPENSSL_X86_64| available and includes the prefixing macros.
+// `OPENSSL_X86_64` available and includes the prefixing macros.
 //
 // Including this header in an assembly file imples:
 //
@@ -70,7 +70,7 @@
 #if defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)
-// We require the ARM assembler provide |__ARM_ARCH| from Arm C Language
+// We require the ARM assembler provide `__ARM_ARCH` from Arm C Language
 // Extensions (ACLE). This is supported in GCC 4.8+ and Clang 3.2+. MSVC does
 // not implement ACLE, but we require Clang's assembler on Windows.
 #if !defined(__ARM_ARCH)
@@ -92,12 +92,12 @@
 // features which require emitting a .note.gnu.property section with the
 // appropriate architecture-dependent feature bits set.
 //
-// |AARCH64_SIGN_LINK_REGISTER| and |AARCH64_VALIDATE_LINK_REGISTER| expand to
-// PACIxSP and AUTIxSP, respectively. |AARCH64_SIGN_LINK_REGISTER| should be
+// `AARCH64_SIGN_LINK_REGISTER` and `AARCH64_VALIDATE_LINK_REGISTER` expand to
+// PACIxSP and AUTIxSP, respectively. `AARCH64_SIGN_LINK_REGISTER` should be
 // used immediately before saving the LR register (x30) to the stack.
-// |AARCH64_VALIDATE_LINK_REGISTER| should be used immediately after restoring
-// it. Note |AARCH64_SIGN_LINK_REGISTER|'s modifications to LR must be undone
-// with |AARCH64_VALIDATE_LINK_REGISTER| before RET. The SP register must also
+// `AARCH64_VALIDATE_LINK_REGISTER` should be used immediately after restoring
+// it. Note `AARCH64_SIGN_LINK_REGISTER`'s modifications to LR must be undone
+// with `AARCH64_VALIDATE_LINK_REGISTER` before RET. The SP register must also
 // have the same value at the two points. For example:
 //
 // .global f
@@ -110,11 +110,11 @@
 // AARCH64_VALIDATE_LINK_REGISTER
 // ret
 //
-// |AARCH64_VALID_CALL_TARGET| expands to BTI 'c'. Either it, or
-// |AARCH64_SIGN_LINK_REGISTER|, must be used at every point that may be an
+// `AARCH64_VALID_CALL_TARGET` expands to BTI 'c'. Either it, or
+// `AARCH64_SIGN_LINK_REGISTER`, must be used at every point that may be an
 // indirect call target. In particular, all symbols exported from a file must
 // begin with one of these macros. For example, a leaf function that does not
-// save LR can instead use |AARCH64_VALID_CALL_TARGET|:
+// save LR can instead use `AARCH64_VALID_CALL_TARGET`:
 //
 // .globl return_zero
 // return_zero:
@@ -123,7 +123,7 @@
 // ret
 //
 // A non-leaf function which does not immediately save LR may need both macros
-// because |AARCH64_SIGN_LINK_REGISTER| appears late. For example, the function
+// because `AARCH64_SIGN_LINK_REGISTER` appears late. For example, the function
 // may jump to an alternate implementation before setting up the stack:
 //
 // .globl with_early_jump
@@ -145,7 +145,7 @@
 //
 // These annotations are only required with indirect calls. Private symbols that
 // are only the target of direct calls do not require annotations. Also note
-// that |AARCH64_VALID_CALL_TARGET| is only valid for indirect calls (BLR), not
+// that `AARCH64_VALID_CALL_TARGET` is only valid for indirect calls (BLR), not
 // indirect jumps (BR). Indirect jumps in assembly are currently not supported
 // and would require a macro for BTI 'j'.
 //
@@ -206,6 +206,14 @@
 #endif
 #endif // ARM || AARCH64
+#if defined(__APPLE__)
+// Require all Apple assembly to be compatible with `.subsections_via_symbols`.
+// Perlasm output will automatically no-op it by marking all non-initials with
+// `.alt_entry`. Other assembly must either do something similar or be
+// compatible with the optimization.
+.subsections_via_symbols
+#endif
+
 #endif // __ASSEMBLER__
 #endif // OPENSSL_HEADER_ASM_BASE_H
diff --git a/third_party/boringssl/src/include/openssl/asn1.h b/third_party/boringssl/src/include/openssl/asn1.h
index e8913822..e599b544 100644
--- a/third_party/boringssl/src/include/openssl/asn1.h
+++ b/third_party/boringssl/src/include/openssl/asn1.h
@@ -36,7 +36,7 @@ extern "C" {
 // particularly prone to behavior changes and API removals, as BoringSSL
 // iterates on these issues.
 //
-// Use the new |CBS| and |CBB| library in instead.
+// Use the new `CBS` and `CBB` library in instead.
 // Tag constants.
@@ -63,7 +63,7 @@ extern "C" {
 #define V_ASN1_PRIMITIVE_TAG 0x1f
 // V_ASN1_MAX_UNIVERSAL is the highest supported universal tag number. It is
-// necessary to avoid ambiguity with |V_ASN1_NEG| and |MBSTRING_FLAG|.
+// necessary to avoid ambiguity with `V_ASN1_NEG` and `MBSTRING_FLAG`.
 //
 // TODO(davidben): Make this private.
 #define V_ASN1_MAX_UNIVERSAL 0xff
@@ -71,7 +71,7 @@ extern "C" {
 // V_ASN1_UNDEF is used in some APIs to indicate an ASN.1 element is omitted.
 #define V_ASN1_UNDEF (-1)
-// V_ASN1_OTHER is used in |ASN1_TYPE| to indicate a non-universal ASN.1 type.
+// V_ASN1_OTHER is used in `ASN1_TYPE` to indicate a non-universal ASN.1 type.
 #define V_ASN1_OTHER (-3)
 // V_ASN1_ANY is used by the ASN.1 templates to indicate an ANY type.
@@ -107,8 +107,8 @@ extern "C" {
 #define V_ASN1_UNIVERSALSTRING 28
 #define V_ASN1_BMPSTRING 30
-// The following constants are used for |ASN1_STRING| values that represent
-// negative INTEGER and ENUMERATED values. See |ASN1_STRING| for more details.
+// The following constants are used for `ASN1_STRING` values that represent
+// negative INTEGER and ENUMERATED values. See `ASN1_STRING` for more details.
 #define V_ASN1_NEG 0x100
 #define V_ASN1_NEG_INTEGER (V_ASN1_INTEGER | V_ASN1_NEG)
 #define V_ASN1_NEG_ENUMERATED (V_ASN1_ENUMERATED | V_ASN1_NEG)
@@ -133,12 +133,12 @@ extern "C" {
 #define B_ASN1_GENERALIZEDTIME 0x8000
 #define B_ASN1_SEQUENCE 0x10000
-// ASN1_tag2bit converts |tag| from the tag number of a universal type to a
-// corresponding |B_ASN1_*| constant, or zero if |tag| has no bitmask.
+// ASN1_tag2bit converts `tag` from the tag number of a universal type to a
+// corresponding `B_ASN1_*` constant, or zero if `tag` has no bitmask.
 OPENSSL_EXPORT unsigned long ASN1_tag2bit(int tag);
-// ASN1_tag2str returns a string representation of |tag|, interpret as a tag
-// number for a universal type, or |V_ASN1_NEG_*|.
+// ASN1_tag2str returns a string representation of `tag`, interpret as a tag
+// number for a universal type, or `V_ASN1_NEG_*`.
 OPENSSL_EXPORT const char *ASN1_tag2str(int tag);
@@ -149,36 +149,36 @@ OPENSSL_EXPORT const char *ASN1_tag2str(int tag);
 #if 0 // Sample functions
-// d2i_SAMPLE parses a structure from up to |len| bytes at |*inp|. On success,
-// it advances |*inp| by the number of bytes read and returns a newly-allocated
-// |SAMPLE| object containing the parsed structure. If |out| is non-NULL, it
-// additionally frees the previous value at |*out| and updates |*out| to the
+// d2i_SAMPLE parses a structure from up to `len` bytes at `*inp`. On success,
+// it advances `*inp` by the number of bytes read and returns a newly-allocated
+// `SAMPLE` object containing the parsed structure. If `out` is non-NULL, it
+// additionally frees the previous value at `*out` and updates `*out` to the
 // result. If parsing or allocating the result fails, it returns NULL.
 //
 // This function does not reject trailing data in the input. This allows the
 // caller to parse a sequence of concatenated structures. Callers parsing only
-// one structure should check for trailing data by comparing the updated |*inp|
+// one structure should check for trailing data by comparing the updated `*inp`
 // with the end of the input.
 //
-// Note: If |out| and |*out| are both non-NULL, the object at |*out| is not
+// Note: If `out` and `*out` are both non-NULL, the object at `*out` is not
 // updated in-place. Instead, it is freed, and the pointer is updated to the
-// new object. This differs from OpenSSL. Callers are recommended to set |out|
+// new object. This differs from OpenSSL. Callers are recommended to set `out`
 // to NULL and instead use the return value.
 SAMPLE *d2i_SAMPLE(SAMPLE **out, const uint8_t **inp, long len);
-// i2d_SAMPLE marshals |in|. On error, it returns a negative value. On success,
-// it returns the length of the result and outputs it via |outp| as follows:
+// i2d_SAMPLE marshals `in`. On error, it returns a negative value. On success,
+// it returns the length of the result and outputs it via `outp` as follows:
 //
-// If |outp| is NULL, the function writes nothing. This mode can be used to size
+// If `outp` is NULL, the function writes nothing. This mode can be used to size
 // buffers.
 //
-// If |outp| is non-NULL but |*outp| is NULL, the function sets |*outp| to a
+// If `outp` is non-NULL but `*outp` is NULL, the function sets `*outp` to a
 // newly-allocated buffer containing the result. The caller is responsible for
-// releasing |*outp| with |OPENSSL_free|. This mode is recommended for most
+// releasing `*outp` with `OPENSSL_free`. This mode is recommended for most
 // callers.
 //
-// If |outp| and |*outp| are non-NULL, the function writes the result to
-// |*outp|, which must have enough space available, and advances |*outp| just
+// If `outp` and `*outp` are non-NULL, the function writes the result to
+// `*outp`, which must have enough space available, and advances `*outp` just
 // past the output.
 //
 // WARNING: In the third mode, the function does not internally check output
@@ -189,7 +189,7 @@ int i2d_SAMPLE(const SAMPLE *in, uint8_t **outp);
 #endif // Sample functions
 // The following typedefs are sometimes used for pointers to functions like
-// |d2i_SAMPLE| and |i2d_SAMPLE|. Note, however, that these act on |void*|.
+// `d2i_SAMPLE` and `i2d_SAMPLE`. Note, however, that these act on `void*`.
 // Calling a function with a different pointer type is undefined in C, so this
 // is only valid with a wrapper.
 typedef void *d2i_of_void(void **, const unsigned char **, long);
@@ -198,214 +198,214 @@ typedef int i2d_of_void(const void *, unsigned char **);
 // ASN.1 types.
 //
-// An |ASN1_ITEM| represents an ASN.1 type and allows working with ASN.1 types
+// An `ASN1_ITEM` represents an ASN.1 type and allows working with ASN.1 types
 // generically.
 //
-// |ASN1_ITEM|s use a different namespace from C types and are accessed via
-// |ASN1_ITEM_*| macros. So, for example, |ASN1_OCTET_STRING| is both a C type
-// and the name of an |ASN1_ITEM|, referenced as
-// |ASN1_ITEM_rptr(ASN1_OCTET_STRING)|.
+// `ASN1_ITEM`s use a different namespace from C types and are accessed via
+// `ASN1_ITEM_*` macros. So, for example, `ASN1_OCTET_STRING` is both a C type
+// and the name of an `ASN1_ITEM`, referenced as
+// `ASN1_ITEM_rptr(ASN1_OCTET_STRING)`.
 //
-// Each |ASN1_ITEM| has a corresponding C type, typically with the same name,
+// Each `ASN1_ITEM` has a corresponding C type, typically with the same name,
 // which represents values in the ASN.1 type. This type is either a pointer type
-// or |ASN1_BOOLEAN|. When it is a pointer, NULL pointers represent omitted
+// or `ASN1_BOOLEAN`. When it is a pointer, NULL pointers represent omitted
 // values. For example, an OCTET STRING value is declared with the C type
-// |ASN1_OCTET_STRING*| and uses the |ASN1_ITEM| named |ASN1_OCTET_STRING|. An
+// `ASN1_OCTET_STRING*` and uses the `ASN1_ITEM` named `ASN1_OCTET_STRING`. An
 // OPTIONAL OCTET STRING uses the same C type and represents an omitted value
-// with a NULL pointer. |ASN1_BOOLEAN| is described in a later section.
+// with a NULL pointer. `ASN1_BOOLEAN` is described in a later section.
-// DECLARE_ASN1_ITEM declares an |ASN1_ITEM| with name |name|. The |ASN1_ITEM|
-// may be referenced with |ASN1_ITEM_rptr|. Uses of this macro should document
+// DECLARE_ASN1_ITEM declares an `ASN1_ITEM` with name `name`. The `ASN1_ITEM`
+// may be referenced with `ASN1_ITEM_rptr`. Uses of this macro should document
 // the corresponding ASN.1 and C types.
 #define DECLARE_ASN1_ITEM(name) extern OPENSSL_EXPORT const ASN1_ITEM name##_it;
-// ASN1_ITEM_rptr returns the |const ASN1_ITEM *| named |name|.
+// ASN1_ITEM_rptr returns the `const ASN1_ITEM *` named `name`.
 #define ASN1_ITEM_rptr(name) (&(name##_it))
-// ASN1_ITEM_EXP is an abstraction for referencing an |ASN1_ITEM| in a
+// ASN1_ITEM_EXP is an abstraction for referencing an `ASN1_ITEM` in a
 // constant-initialized structure, such as a method table. It exists because, on
-// some OpenSSL platforms, |ASN1_ITEM| references are indirected through
-// functions. Structures reference the |ASN1_ITEM| by declaring a field like
-// |ASN1_ITEM_EXP *item| and initializing it with |ASN1_ITEM_ref|.
+// some OpenSSL platforms, `ASN1_ITEM` references are indirected through
+// functions. Structures reference the `ASN1_ITEM` by declaring a field like
+// `ASN1_ITEM_EXP *item` and initializing it with `ASN1_ITEM_ref`.
 typedef const ASN1_ITEM ASN1_ITEM_EXP;
-// ASN1_ITEM_ref returns an |ASN1_ITEM_EXP*| for the |ASN1_ITEM| named |name|.
+// ASN1_ITEM_ref returns an `ASN1_ITEM_EXP*` for the `ASN1_ITEM` named `name`.
 #define ASN1_ITEM_ref(name) (&(name##_it))
-// ASN1_ITEM_ptr converts |iptr|, which must be an |ASN1_ITEM_EXP*| to a
-// |const ASN1_ITEM*|.
+// ASN1_ITEM_ptr converts `iptr`, which must be an `ASN1_ITEM_EXP*` to a
+// `const ASN1_ITEM*`.
 #define ASN1_ITEM_ptr(iptr) (iptr)
-// ASN1_VALUE_st (aka |ASN1_VALUE|) is an opaque type used as a placeholder for
-// the C type corresponding to an |ASN1_ITEM|.
+// ASN1_VALUE_st (aka `ASN1_VALUE`) is an opaque type used as a placeholder for
+// the C type corresponding to an `ASN1_ITEM`.
 typedef struct ASN1_VALUE_st ASN1_VALUE;
-// ASN1_item_new allocates a new value of the C type corresponding to |it|, or
+// ASN1_item_new allocates a new value of the C type corresponding to `it`, or
 // NULL on error. On success, the caller must release the value with
-// |ASN1_item_free|, or the corresponding C type's free function, when done. The
+// `ASN1_item_free`, or the corresponding C type's free function, when done. The
 // new value will initialize fields of the value to some default state, such as
 // an empty string. Note, however, that this default state sometimes omits
 // required values, such as with CHOICE types.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Casting the result of this function to the wrong type is a
 // potentially exploitable memory error. Callers must ensure the value is used
-// consistently with |it|. Prefer using type-specific functions such as
-// |ASN1_OCTET_STRING_new|.
+// consistently with `it`. Prefer using type-specific functions such as
+// `ASN1_OCTET_STRING_new`.
 OPENSSL_EXPORT ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
-// ASN1_item_free releases memory associated with |val|, which must be an object
-// of the C type corresponding to |it|.
+// ASN1_item_free releases memory associated with `val`, which must be an object
+// of the C type corresponding to `it`.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Passing a pointer of the wrong type into this function is a
-// potentially exploitable memory error. Callers must ensure |val| is consistent
-// with |it|. Prefer using type-specific functions such as
-// |ASN1_OCTET_STRING_free|.
+// potentially exploitable memory error. Callers must ensure `val` is consistent
+// with `it`. Prefer using type-specific functions such as
+// `ASN1_OCTET_STRING_free`.
 OPENSSL_EXPORT void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);
-// ASN1_item_d2i parses the ASN.1 type |it| from up to |len| bytes at |*inp|.
-// It behaves like |d2i_SAMPLE|, except that |out| and the return value are cast
-// to |ASN1_VALUE| pointers.
+// ASN1_item_d2i parses the ASN.1 type `it` from up to `len` bytes at `*inp`.
+// It behaves like `d2i_SAMPLE`, except that `out` and the return value are cast
+// to `ASN1_VALUE` pointers.
 //
 // TODO(https://crbug.com/boringssl/444): C strict aliasing forbids type-punning
-// |T*| and |ASN1_VALUE*| the way this function signature does. When that bug is
-// resolved, we will need to pick which type |*out| is (probably |T*|). Do not
-// use a non-NULL |out| to avoid ending up on the wrong side of this question.
+// `T*` and `ASN1_VALUE*` the way this function signature does. When that bug is
+// resolved, we will need to pick which type `*out` is (probably `T*`). Do not
+// use a non-NULL `out` to avoid ending up on the wrong side of this question.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Casting the result of this function to the wrong type, or passing a
 // pointer of the wrong type into this function, are potentially exploitable
-// memory errors. Callers must ensure |out| is consistent with |it|. Prefer
-// using type-specific functions such as |d2i_ASN1_OCTET_STRING|.
+// memory errors. Callers must ensure `out` is consistent with `it`. Prefer
+// using type-specific functions such as `d2i_ASN1_OCTET_STRING`.
 OPENSSL_EXPORT ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **out, const unsigned char **inp, long len, const ASN1_ITEM *it);
-// ASN1_item_i2d marshals |val| as the ASN.1 type associated with |it|, as
-// described in |i2d_SAMPLE|.
+// ASN1_item_i2d marshals `val` as the ASN.1 type associated with `it`, as
+// described in `i2d_SAMPLE`.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Passing a pointer of the wrong type into this function is a
-// potentially exploitable memory error. Callers must ensure |val| is consistent
-// with |it|. Prefer using type-specific functions such as
-// |i2d_ASN1_OCTET_STRING|.
+// potentially exploitable memory error. Callers must ensure `val` is consistent
+// with `it`. Prefer using type-specific functions such as
+// `i2d_ASN1_OCTET_STRING`.
 OPENSSL_EXPORT int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **outp, const ASN1_ITEM *it);
-// ASN1_item_dup returns a newly-allocated copy of |x|, or NULL on error. |x|
-// must be an object of |it|'s C type.
+// ASN1_item_dup returns a newly-allocated copy of `x`, or NULL on error. `x`
+// must be an object of `it`'s C type.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Casting the result of this function to the wrong type, or passing a
 // pointer of the wrong type into this function, are potentially exploitable
 // memory errors. Prefer using type-specific functions such as
-// |ASN1_STRING_dup|.
+// `ASN1_STRING_dup`.
 OPENSSL_EXPORT void *ASN1_item_dup(const ASN1_ITEM *it, void *x);
-// The following functions behave like |ASN1_item_d2i| but read from |in|
-// instead. |out| is the same parameter as in |ASN1_item_d2i|, but written with
-// |void*| instead. The return values similarly match.
+// The following functions behave like `ASN1_item_d2i` but read from `in`
+// instead. `out` is the same parameter as in `ASN1_item_d2i`, but written with
+// `void*` instead. The return values similarly match.
 //
-// These functions may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// These functions may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
-// WARNING: These functions do not bound how much data is read from |in|.
+// WARNING: These functions do not bound how much data is read from `in`.
 // Parsing an untrusted input could consume unbounded memory.
 OPENSSL_EXPORT void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *out);
 OPENSSL_EXPORT void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *out);
-// The following functions behave like |ASN1_item_i2d| but write to |out|
-// instead. |in| is the same parameter as in |ASN1_item_i2d|, but written with
-// |void*| instead.
+// The following functions behave like `ASN1_item_i2d` but write to `out`
+// instead. `in` is the same parameter as in `ASN1_item_i2d`, but written with
+// `void*` instead.
 //
-// These functions may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// These functions may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 OPENSSL_EXPORT int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, const void *in);
 OPENSSL_EXPORT int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, const void *in);
-// ASN1_item_unpack parses |oct|'s contents as |it|'s ASN.1 type. It returns a
-// newly-allocated instance of |it|'s C type on success, or NULL on error.
+// ASN1_item_unpack parses `oct`'s contents as `it`'s ASN.1 type. It returns a
+// newly-allocated instance of `it`'s C type on success, or NULL on error.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Casting the result of this function to the wrong type is a
 // potentially exploitable memory error. Callers must ensure the value is used
-// consistently with |it|.
+// consistently with `it`.
 OPENSSL_EXPORT void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it);
-// ASN1_item_pack marshals |obj| as |it|'s ASN.1 type. If |out| is NULL, it
-// returns a newly-allocated |ASN1_STRING| with the result, or NULL on error.
-// If |out| is non-NULL, but |*out| is NULL, it does the same but additionally
-// sets |*out| to the result. If both |out| and |*out| are non-NULL, it writes
-// the result to |*out| and returns |*out| on success or NULL on error.
+// ASN1_item_pack marshals `obj` as `it`'s ASN.1 type. If `out` is NULL, it
+// returns a newly-allocated `ASN1_STRING` with the result, or NULL on error.
+// If `out` is non-NULL, but `*out` is NULL, it does the same but additionally
+// sets `*out` to the result. If both `out` and `*out` are non-NULL, it writes
+// the result to `*out` and returns `*out` on success or NULL on error.
 //
-// This function may not be used with |ASN1_ITEM|s whose C type is
-// |ASN1_BOOLEAN|.
+// This function may not be used with `ASN1_ITEM`s whose C type is
+// `ASN1_BOOLEAN`.
 //
 // WARNING: Passing a pointer of the wrong type into this function is a
-// potentially exploitable memory error. Callers must ensure |val| is consistent
-// with |it|.
+// potentially exploitable memory error. Callers must ensure `val` is consistent
+// with `it`.
 OPENSSL_EXPORT ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **out);
 // Booleans.
 //
-// This library represents ASN.1 BOOLEAN values with |ASN1_BOOLEAN|, which is an
+// This library represents ASN.1 BOOLEAN values with `ASN1_BOOLEAN`, which is an
 // integer type. FALSE is zero, TRUE is 0xff, and an omitted OPTIONAL BOOLEAN is
 // -1.
-// ASN1_BOOLEAN_FALSE is FALSE as an |ASN1_BOOLEAN|.
+// ASN1_BOOLEAN_FALSE is FALSE as an `ASN1_BOOLEAN`.
 #define ASN1_BOOLEAN_FALSE 0
-// ASN1_BOOLEAN_TRUE is TRUE as an |ASN1_BOOLEAN|. Some code incorrectly uses
-// 1, so prefer |b != ASN1_BOOLEAN_FALSE| over |b == ASN1_BOOLEAN_TRUE|.
+// ASN1_BOOLEAN_TRUE is TRUE as an `ASN1_BOOLEAN`. Some code incorrectly uses
+// 1, so prefer `b != ASN1_BOOLEAN_FALSE` over `b == ASN1_BOOLEAN_TRUE`.
#define ASN1_BOOLEAN_TRUE 0xff -// ASN1_BOOLEAN_NONE, in contexts where the |ASN1_BOOLEAN| represents an +// ASN1_BOOLEAN_NONE, in contexts where the `ASN1_BOOLEAN` represents an // OPTIONAL BOOLEAN, is an omitted value. Using this value in other contexts is // undefined and may be misinterpreted as TRUE. #define ASN1_BOOLEAN_NONE (-1) -// d2i_ASN1_BOOLEAN parses a DER-encoded ASN.1 BOOLEAN from up to |len| bytes at -// |*inp|. On success, it advances |*inp| by the number of bytes read and -// returns the result. If |out| is non-NULL, it additionally writes the result -// to |*out|. On error, it returns |ASN1_BOOLEAN_NONE|. +// d2i_ASN1_BOOLEAN parses a DER-encoded ASN.1 BOOLEAN from up to `len` bytes at +// `*inp`. On success, it advances `*inp` by the number of bytes read and +// returns the result. If `out` is non-NULL, it additionally writes the result +// to `*out`. On error, it returns `ASN1_BOOLEAN_NONE`. // // This function does not reject trailing data in the input. This allows the // caller to parse a sequence of concatenated structures. Callers parsing only -// one structure should check for trailing data by comparing the updated |*inp| +// one structure should check for trailing data by comparing the updated `*inp` // with the end of the input. // -// WARNING: This function's is slightly different from other |d2i_*| functions -// because |ASN1_BOOLEAN| is not a pointer type. +// WARNING: This function's is slightly different from other `d2i_*` functions +// because `ASN1_BOOLEAN` is not a pointer type. OPENSSL_EXPORT ASN1_BOOLEAN d2i_ASN1_BOOLEAN(ASN1_BOOLEAN *out, const unsigned char **inp, long len); -// i2d_ASN1_BOOLEAN marshals |a| as a DER-encoded ASN.1 BOOLEAN, as described in -// |i2d_SAMPLE|. +// i2d_ASN1_BOOLEAN marshals `a` as a DER-encoded ASN.1 BOOLEAN, as described in +// `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_BOOLEAN(ASN1_BOOLEAN a, unsigned char **outp); -// The following |ASN1_ITEM|s have ASN.1 type BOOLEAN and C type |ASN1_BOOLEAN|. 
-// |ASN1_TBOOLEAN| and |ASN1_FBOOLEAN| must be marked OPTIONAL. When omitted, +// The following `ASN1_ITEM`s have ASN.1 type BOOLEAN and C type `ASN1_BOOLEAN`. +// `ASN1_TBOOLEAN` and `ASN1_FBOOLEAN` must be marked OPTIONAL. When omitted, // they are parsed as TRUE and FALSE, respectively, rather than -// |ASN1_BOOLEAN_NONE|. +// `ASN1_BOOLEAN_NONE`. DECLARE_ASN1_ITEM(ASN1_BOOLEAN) DECLARE_ASN1_ITEM(ASN1_TBOOLEAN) DECLARE_ASN1_ITEM(ASN1_FBOOLEAN) 
@@ -415,71 +415,71 @@ DECLARE_ASN1_ITEM(ASN1_FBOOLEAN) // // ASN.1 contains a myriad of string types, as well as types that contain data // that may be encoded into a string. This library uses a single type, -// |ASN1_STRING|, to represent most values. +// `ASN1_STRING`, to represent most values. -// An asn1_string_st (aka |ASN1_STRING|) represents a value of a string-like -// ASN.1 type. It contains a |type| field, and a byte string |data| field with a +// An asn1_string_st (aka `ASN1_STRING`) represents a value of a string-like +// ASN.1 type. It contains a `type` field, and a byte string `data` field with a // type-specific representation. This type-specific representation does not // always correspond to the DER encoding of the type. // -// If |type| is one of |V_ASN1_OCTET_STRING|, |V_ASN1_UTF8STRING|, -// |V_ASN1_NUMERICSTRING|, |V_ASN1_PRINTABLESTRING|, |V_ASN1_T61STRING|, -// |V_ASN1_VIDEOTEXSTRING|, |V_ASN1_IA5STRING|, |V_ASN1_GRAPHICSTRING|, -// |V_ASN1_ISO64STRING|, |V_ASN1_VISIBLESTRING|, |V_ASN1_GENERALSTRING|, -// |V_ASN1_UNIVERSALSTRING|, or |V_ASN1_BMPSTRING|, the object represents an +// If `type` is one of `V_ASN1_OCTET_STRING`, `V_ASN1_UTF8STRING`, +// `V_ASN1_NUMERICSTRING`, `V_ASN1_PRINTABLESTRING`, `V_ASN1_T61STRING`, +// `V_ASN1_VIDEOTEXSTRING`, `V_ASN1_IA5STRING`, `V_ASN1_GRAPHICSTRING`, +// `V_ASN1_ISO64STRING`, `V_ASN1_VISIBLESTRING`, `V_ASN1_GENERALSTRING`, +// `V_ASN1_UNIVERSALSTRING`, or `V_ASN1_BMPSTRING`, the object represents an // ASN.1 string type. The data contains the byte representation of the // string. // -// If |type| is |V_ASN1_BIT_STRING|, the object represents a BIT STRING value. +// If `type` is `V_ASN1_BIT_STRING`, the object represents a BIT STRING value. // See bit string documentation below for the data and flags. 
// -// If |type| is one of |V_ASN1_INTEGER|, |V_ASN1_NEG_INTEGER|, -// |V_ASN1_ENUMERATED|, or |V_ASN1_NEG_ENUMERATED|, the object represents an +// If `type` is one of `V_ASN1_INTEGER`, `V_ASN1_NEG_INTEGER`, +// `V_ASN1_ENUMERATED`, or `V_ASN1_NEG_ENUMERATED`, the object represents an // INTEGER or ENUMERATED value. See integer documentation below for details. // -// If |type| is |V_ASN1_GENERALIZEDTIME| or |V_ASN1_UTCTIME|, the object +// If `type` is `V_ASN1_GENERALIZEDTIME` or `V_ASN1_UTCTIME`, the object // represents a GeneralizedTime or UTCTime value, respectively. The data // contains the DER encoding of the value. For example, the UNIX epoch would be // "19700101000000Z" for a GeneralizedTime and "700101000000Z" for a UTCTime. // -// If |type| is |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or |V_ASN1_OTHER|, the object +// If `type` is `V_ASN1_SEQUENCE`, `V_ASN1_SET`, or `V_ASN1_OTHER`, the object // represents a SEQUENCE, SET, or arbitrary ASN.1 value, respectively. Unlike // the above cases, the data contains the DER encoding of the entire structure, // including the header. If the value is explicitly or implicitly tagged, this // too will be reflected in the data field. As this case handles unknown types, // the contents are not checked when parsing or serializing. // -// Other values of |type| do not represent a valid ASN.1 value, though -// default-constructed objects may set |type| to -1. Such objects cannot be +// Other values of `type` do not represent a valid ASN.1 value, though +// default-constructed objects may set `type` to -1. Such objects cannot be // serialized. // -// |ASN1_STRING| additionally has the following typedefs: |ASN1_BIT_STRING|, -// |ASN1_BMPSTRING|, |ASN1_ENUMERATED|, |ASN1_GENERALIZEDTIME|, -// |ASN1_GENERALSTRING|, |ASN1_IA5STRING|, |ASN1_INTEGER|, |ASN1_OCTET_STRING|, -// |ASN1_PRINTABLESTRING|, |ASN1_T61STRING|, |ASN1_TIME|, -// |ASN1_UNIVERSALSTRING|, |ASN1_UTCTIME|, |ASN1_UTF8STRING|, and -// |ASN1_VISIBLESTRING|. 
Other than |ASN1_TIME|, these correspond to universal -// ASN.1 types. |ASN1_TIME| represents a CHOICE of UTCTime and GeneralizedTime, +// `ASN1_STRING` additionally has the following typedefs: `ASN1_BIT_STRING`, +// `ASN1_BMPSTRING`, `ASN1_ENUMERATED`, `ASN1_GENERALIZEDTIME`, +// `ASN1_GENERALSTRING`, `ASN1_IA5STRING`, `ASN1_INTEGER`, `ASN1_OCTET_STRING`, +// `ASN1_PRINTABLESTRING`, `ASN1_T61STRING`, `ASN1_TIME`, +// `ASN1_UNIVERSALSTRING`, `ASN1_UTCTIME`, `ASN1_UTF8STRING`, and +// `ASN1_VISIBLESTRING`. Other than `ASN1_TIME`, these correspond to universal +// ASN.1 types. `ASN1_TIME` represents a CHOICE of UTCTime and GeneralizedTime, // with a cutoff of 2049, as used in Section 4.1.2.5 of RFC 5280. // // For clarity, callers are encouraged to use the appropriate typedef when -// available. They are the same type as |ASN1_STRING|, so a caller may freely -// pass them into functions expecting |ASN1_STRING|, such as -// |ASN1_STRING_length|. -// -// If a function returns an |ASN1_STRING| where the typedef or ASN.1 structure -// implies constraints on |type|, callers may assume that |type| is correct. -// However, if a function takes an |ASN1_STRING| as input, callers must ensure -// |type| matches. These invariants are not captured by the C type system and +// available. They are the same type as `ASN1_STRING`, so a caller may freely +// pass them into functions expecting `ASN1_STRING`, such as +// `ASN1_STRING_length`. +// +// If a function returns an `ASN1_STRING` where the typedef or ASN.1 structure +// implies constraints on `type`, callers may assume that `type` is correct. +// However, if a function takes an `ASN1_STRING` as input, callers must ensure +// `type` matches. These invariants are not captured by the C type system and // may not be checked at runtime. For example, callers may assume the output of -// |X509_get0_serialNumber| has type |V_ASN1_INTEGER| or |V_ASN1_NEG_INTEGER|. 
-// Callers must not pass a string of type |V_ASN1_OCTET_STRING| to -// |X509_set_serialNumber|. Doing so may break invariants on the |X509| object -// and break the |X509_get0_serialNumber| invariant. +// `X509_get0_serialNumber` has type `V_ASN1_INTEGER` or `V_ASN1_NEG_INTEGER`. +// Callers must not pass a string of type `V_ASN1_OCTET_STRING` to +// `X509_set_serialNumber`. Doing so may break invariants on the `X509` object +// and break the `X509_get0_serialNumber` invariant. // // TODO(https://crbug.com/boringssl/445): This is very unfriendly. Getting the // type field wrong should not cause memory errors, but it may do strange -// things. We should add runtime checks to anything that consumes |ASN1_STRING|s +// things. We should add runtime checks to anything that consumes `ASN1_STRING`s // from the caller. struct asn1_string_st { int length; 
@@ -488,91 +488,91 @@ struct asn1_string_st { long flags; }; -// ASN1_STRING_type_new returns a newly-allocated empty |ASN1_STRING| object of -// type |type|, or NULL on error. +// ASN1_STRING_type_new returns a newly-allocated empty `ASN1_STRING` object of +// type `type`, or NULL on error. OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_type_new(int type); -// ASN1_STRING_new returns a newly-allocated empty |ASN1_STRING| object with an +// ASN1_STRING_new returns a newly-allocated empty `ASN1_STRING` object with an // arbitrary type. Prefer one of the type-specific constructors, such as -// |ASN1_OCTET_STRING_new|, or |ASN1_STRING_type_new|. +// `ASN1_OCTET_STRING_new`, or `ASN1_STRING_type_new`. OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_new(void); -// ASN1_STRING_free releases memory associated with |str|. +// ASN1_STRING_free releases memory associated with `str`. OPENSSL_EXPORT void ASN1_STRING_free(ASN1_STRING *str); -// ASN1_STRING_copy sets |dst| to a copy of |str|. It returns one on success and +// ASN1_STRING_copy sets `dst` to a copy of `str`. It returns one on success and // zero on error. OPENSSL_EXPORT int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str); -// ASN1_STRING_dup returns a newly-allocated copy of |str|, or NULL on error. +// ASN1_STRING_dup returns a newly-allocated copy of `str`, or NULL on error. OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *str); -// ASN1_STRING_type returns the type of |str|. This value will be one of the -// |V_ASN1_*| constants. +// ASN1_STRING_type returns the type of `str`. This value will be one of the +// `V_ASN1_*` constants. OPENSSL_EXPORT int ASN1_STRING_type(const ASN1_STRING *str); -// ASN1_STRING_get0_data returns a pointer to |str|'s contents. Callers should -// use |ASN1_STRING_length| to determine the length of the string. The string +// ASN1_STRING_get0_data returns a pointer to `str`'s contents. Callers should +// use `ASN1_STRING_length` to determine the length of the string. 
The string // may have embedded NUL bytes and may not be NUL-terminated. // -// The contents of an |ASN1_STRING| encode the value in some type-specific +// The contents of an `ASN1_STRING` encode the value in some type-specific // representation that does not always correspond to the DER encoding of the -// type. See the documentation for |ASN1_STRING| for details. +// type. See the documentation for `ASN1_STRING` for details. OPENSSL_EXPORT const unsigned char *ASN1_STRING_get0_data( const ASN1_STRING *str); -// ASN1_STRING_data returns a mutable pointer to |str|'s contents. Callers -// should use |ASN1_STRING_length| to determine the length of the string. The +// ASN1_STRING_data returns a mutable pointer to `str`'s contents. Callers +// should use `ASN1_STRING_length` to determine the length of the string. The // string may have embedded NUL bytes and may not be NUL-terminated. // -// The contents of an |ASN1_STRING| encode the value in some type-specific +// The contents of an `ASN1_STRING` encode the value in some type-specific // representation that does not always correspond to the DER encoding of the -// type. See the documentation for |ASN1_STRING| for details. +// type. See the documentation for `ASN1_STRING` for details. // -// Prefer |ASN1_STRING_get0_data|. +// Prefer `ASN1_STRING_get0_data`. OPENSSL_EXPORT unsigned char *ASN1_STRING_data(ASN1_STRING *str); -// ASN1_STRING_length returns the length of |str|, in bytes. +// ASN1_STRING_length returns the length of `str`, in bytes. // -// The contents of an |ASN1_STRING| encode the value in some type-specific +// The contents of an `ASN1_STRING` encode the value in some type-specific // representation that does not always correspond to the DER encoding of the -// type. See the documentation for |ASN1_STRING| for details. +// type. See the documentation for `ASN1_STRING` for details. OPENSSL_EXPORT int ASN1_STRING_length(const ASN1_STRING *str); -// ASN1_STRING_cmp compares |a| and |b|'s type and contents. 
It returns an -// integer equal to, less than, or greater than zero if |a| is equal to, less -// than, or greater than |b|, respectively. This function compares by length, -// then data, then type. Note the data compared is the |ASN1_STRING| internal +// ASN1_STRING_cmp compares `a` and `b`'s type and contents. It returns an +// integer equal to, less than, or greater than zero if `a` is equal to, less +// than, or greater than `b`, respectively. This function compares by length, +// then data, then type. Note the data compared is the `ASN1_STRING` internal // representation and the type order is arbitrary. While this comparison is -// suitable for sorting, callers should not rely on the exact order when |a| -// and |b| are different types. +// suitable for sorting, callers should not rely on the exact order when `a` +// and `b` are different types. // -// Note that, if |a| and |b| are INTEGERs, this comparison does not order the -// values numerically. For a numerical comparison, use |ASN1_INTEGER_cmp|. +// Note that, if `a` and `b` are INTEGERs, this comparison does not order the +// values numerically. For a numerical comparison, use `ASN1_INTEGER_cmp`. OPENSSL_EXPORT int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b); -// ASN1_STRING_set sets the contents of |str| to a copy of |len| bytes from -// |data|. It returns one on success and zero on error. If |data| is NULL, it +// ASN1_STRING_set sets the contents of `str` to a copy of `len` bytes from +// `data`. It returns one on success and zero on error. If `data` is NULL, it // updates the length and allocates the buffer as needed, but does not // initialize the contents. // -// If |str| is a BIT STRING, this function sets the number of unused bits to -// zero. |ASN1_BIT_STRING_set1| may be used to set a BIT STRING that is not a +// If `str` is a BIT STRING, this function sets the number of unused bits to +// zero. 
`ASN1_BIT_STRING_set1` may be used to set a BIT STRING that is not a // whole number of bytes. OPENSSL_EXPORT int ASN1_STRING_set(ASN1_STRING *str, const void *data, ossl_ssize_t len); -// ASN1_STRING_set0 sets the contents of |str| to |len| bytes from |data|. It -// takes ownership of |data|, which must have been allocated with -// |OPENSSL_malloc|. +// ASN1_STRING_set0 sets the contents of `str` to `len` bytes from `data`. It +// takes ownership of `data`, which must have been allocated with +// `OPENSSL_malloc`. // -// If |str| is a BIT STRING, this function sets the number of unused bits to -// zero. |ASN1_BIT_STRING_set1| may be used to set a BIT STRING that is not a +// If `str` is a BIT STRING, this function sets the number of unused bits to +// zero. `ASN1_BIT_STRING_set1` may be used to set a BIT STRING that is not a // whole number of bytes. OPENSSL_EXPORT void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len); -// The following functions call |ASN1_STRING_type_new| with the corresponding -// |V_ASN1_*| constant. +// The following functions call `ASN1_STRING_type_new` with the corresponding +// `V_ASN1_*` constant. OPENSSL_EXPORT ASN1_BMPSTRING *ASN1_BMPSTRING_new(void); OPENSSL_EXPORT ASN1_GENERALSTRING *ASN1_GENERALSTRING_new(void); OPENSSL_EXPORT ASN1_IA5STRING *ASN1_IA5STRING_new(void); @@ -583,7 +583,7 @@ OPENSSL_EXPORT ASN1_UNIVERSALSTRING *ASN1_UNIVERSALSTRING_new(void); OPENSSL_EXPORT ASN1_UTF8STRING *ASN1_UTF8STRING_new(void); OPENSSL_EXPORT ASN1_VISIBLESTRING *ASN1_VISIBLESTRING_new(void); -// The following functions call |ASN1_STRING_free|. +// The following functions call `ASN1_STRING_free`. OPENSSL_EXPORT void ASN1_BMPSTRING_free(ASN1_BMPSTRING *str); OPENSSL_EXPORT void ASN1_GENERALSTRING_free(ASN1_GENERALSTRING *str); OPENSSL_EXPORT void ASN1_IA5STRING_free(ASN1_IA5STRING *str); 
@@ -594,9 +594,9 @@ OPENSSL_EXPORT void ASN1_UNIVERSALSTRING_free(ASN1_UNIVERSALSTRING *str); OPENSSL_EXPORT void ASN1_UTF8STRING_free(ASN1_UTF8STRING *str); OPENSSL_EXPORT void ASN1_VISIBLESTRING_free(ASN1_VISIBLESTRING *str); -// The following functions parse up to |len| bytes from |*inp| as a +// The following functions parse up to `len` bytes from `*inp` as a // DER-encoded ASN.1 value of the corresponding type, as described in -// |d2i_SAMPLE|. +// `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_BMPSTRING *d2i_ASN1_BMPSTRING(ASN1_BMPSTRING **out, const uint8_t **inp, long len); @@ -621,8 +621,8 @@ OPENSSL_EXPORT ASN1_UTF8STRING *d2i_ASN1_UTF8STRING(ASN1_UTF8STRING **out, OPENSSL_EXPORT ASN1_VISIBLESTRING *d2i_ASN1_VISIBLESTRING( ASN1_VISIBLESTRING **out, const uint8_t **inp, long len); -// The following functions marshal |in| as a DER-encoded ASN.1 value of the -// corresponding type, as described in |i2d_SAMPLE|. +// The following functions marshal `in` as a DER-encoded ASN.1 value of the +// corresponding type, as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_BMPSTRING(const ASN1_BMPSTRING *in, uint8_t **outp); OPENSSL_EXPORT int i2d_ASN1_GENERALSTRING(const ASN1_GENERALSTRING *in, uint8_t **outp); @@ -639,8 +639,8 @@ OPENSSL_EXPORT int i2d_ASN1_UTF8STRING(const ASN1_UTF8STRING *in, OPENSSL_EXPORT int i2d_ASN1_VISIBLESTRING(const ASN1_VISIBLESTRING *in, uint8_t **outp); -// The following |ASN1_ITEM|s have the ASN.1 type referred to in their name and -// C type |ASN1_STRING*|. The C type may also be written as the corresponding +// The following `ASN1_ITEM`s have the ASN.1 type referred to in their name and +// C type `ASN1_STRING*`. The C type may also be written as the corresponding // typedef. DECLARE_ASN1_ITEM(ASN1_BMPSTRING) DECLARE_ASN1_ITEM(ASN1_GENERALSTRING) 
@@ -652,27 +652,27 @@ DECLARE_ASN1_ITEM(ASN1_UNIVERSALSTRING) DECLARE_ASN1_ITEM(ASN1_UTF8STRING) DECLARE_ASN1_ITEM(ASN1_VISIBLESTRING) -// ASN1_OCTET_STRING_dup calls |ASN1_STRING_dup|. +// ASN1_OCTET_STRING_dup calls `ASN1_STRING_dup`. OPENSSL_EXPORT ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup( const ASN1_OCTET_STRING *a); -// ASN1_OCTET_STRING_cmp calls |ASN1_STRING_cmp|. +// ASN1_OCTET_STRING_cmp calls `ASN1_STRING_cmp`. OPENSSL_EXPORT int ASN1_OCTET_STRING_cmp(const ASN1_OCTET_STRING *a, const ASN1_OCTET_STRING *b); -// ASN1_OCTET_STRING_set calls |ASN1_STRING_set|. +// ASN1_OCTET_STRING_set calls `ASN1_STRING_set`. OPENSSL_EXPORT int ASN1_OCTET_STRING_set(ASN1_OCTET_STRING *str, const unsigned char *data, int len); -// ASN1_STRING_to_UTF8 converts |in| to UTF-8. On success, sets |*out| to a +// ASN1_STRING_to_UTF8 converts `in` to UTF-8. On success, sets `*out` to a // newly-allocated buffer containing the resulting string and returns the length -// of the string. The caller must call |OPENSSL_free| to release |*out| when +// of the string. The caller must call `OPENSSL_free` to release `*out` when // done. On error, it returns a negative number. OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in); // The following formats define encodings for use with functions like -// |ASN1_mbstring_copy|. Note |MBSTRING_ASC| refers to Latin-1, not ASCII. +// `ASN1_mbstring_copy`. Note `MBSTRING_ASC` refers to Latin-1, not ASCII. #define MBSTRING_FLAG 0x1000 #define MBSTRING_UTF8 (MBSTRING_FLAG) #define MBSTRING_ASC (MBSTRING_FLAG | 1) 
@@ -687,80 +687,80 @@ OPENSSL_EXPORT int ASN1_STRING_to_UTF8(unsigned char **out, // PKCS9STRING_TYPE contains the valid string types in a PKCS9String. #define PKCS9STRING_TYPE (DIRSTRING_TYPE | B_ASN1_IA5STRING) -// ASN1_mbstring_copy converts |len| bytes from |in| to an ASN.1 string. If -// |len| is -1, |in| must be NUL-terminated and the length is determined by -// |strlen|. |in| is decoded according to |inform|, which must be one of -// |MBSTRING_*|. |mask| determines the set of valid output types and is a -// bitmask containing a subset of |B_ASN1_PRINTABLESTRING|, |B_ASN1_IA5STRING|, -// |B_ASN1_T61STRING|, |B_ASN1_BMPSTRING|, |B_ASN1_UNIVERSALSTRING|, and -// |B_ASN1_UTF8STRING|, in that preference order. This function chooses the -// first output type in |mask| which can represent |in|. It interprets T61String +// ASN1_mbstring_copy converts `len` bytes from `in` to an ASN.1 string. If +// `len` is -1, `in` must be NUL-terminated and the length is determined by +// `strlen`. `in` is decoded according to `inform`, which must be one of +// `MBSTRING_*`. `mask` determines the set of valid output types and is a +// bitmask containing a subset of `B_ASN1_PRINTABLESTRING`, `B_ASN1_IA5STRING`, +// `B_ASN1_T61STRING`, `B_ASN1_BMPSTRING`, `B_ASN1_UNIVERSALSTRING`, and +// `B_ASN1_UTF8STRING`, in that preference order. This function chooses the +// first output type in `mask` which can represent `in`. It interprets T61String // as Latin-1, rather than T.61. // -// If |mask| is zero, |DIRSTRING_TYPE| is used by default. +// If `mask` is zero, `DIRSTRING_TYPE` is used by default. // -// On success, this function returns the |V_ASN1_*| constant corresponding to -// the selected output type and, if |out| and |*out| are both non-NULL, updates -// the object at |*out| with the result. If |out| is non-NULL and |*out| is -// NULL, it instead sets |*out| to a newly-allocated |ASN1_STRING| containing -// the result. 
If |out| is NULL, it returns the selected output type without -// constructing an |ASN1_STRING|. On error, this function returns -1. +// On success, this function returns the `V_ASN1_*` constant corresponding to +// the selected output type and, if `out` and `*out` are both non-NULL, updates +// the object at `*out` with the result. If `out` is non-NULL and `*out` is +// NULL, it instead sets `*out` to a newly-allocated `ASN1_STRING` containing +// the result. If `out` is NULL, it returns the selected output type without +// constructing an `ASN1_STRING`. On error, this function returns -1. OPENSSL_EXPORT int ASN1_mbstring_copy(ASN1_STRING **out, const uint8_t *in, ossl_ssize_t len, int inform, unsigned long mask); -// ASN1_mbstring_ncopy behaves like |ASN1_mbstring_copy| but returns an error if -// the input is less than |minsize| or greater than |maxsize| codepoints long. A -// |maxsize| value of zero is ignored. Note the sizes are measured in +// ASN1_mbstring_ncopy behaves like `ASN1_mbstring_copy` but returns an error if +// the input is less than `minsize` or greater than `maxsize` codepoints long. A +// `maxsize` value of zero is ignored. Note the sizes are measured in // codepoints, not output bytes. OPENSSL_EXPORT int ASN1_mbstring_ncopy(ASN1_STRING **out, const uint8_t *in, ossl_ssize_t len, int inform, unsigned long mask, ossl_ssize_t minsize, ossl_ssize_t maxsize); -// ASN1_STRING_set_by_NID behaves like |ASN1_mbstring_ncopy|, but determines -// |mask|, |minsize|, and |maxsize| based on |nid|. When |nid| is a recognized +// ASN1_STRING_set_by_NID behaves like `ASN1_mbstring_ncopy`, but determines +// `mask`, `minsize`, and `maxsize` based on `nid`. When `nid` is a recognized // X.509 attribute type, it will pick a suitable ASN.1 string type and bounds. -// For most attribute types, it preferentially chooses UTF8String. If |nid| is +// For most attribute types, it preferentially chooses UTF8String. 
If `nid` is // unrecognized, it uses UTF8String by default. This function will also enforce // any known attribute-specific constraints on the sizes of the string and fail // if the size is invalid. In RFC 5280, these bounds are specified by // constraints like "SIZE (1..ub-common-name)" in ASN.1. // -// Slightly unlike |ASN1_mbstring_ncopy|, this function interprets |out| and -// returns its result as follows: If |out| is NULL, it returns a newly-allocated -// |ASN1_STRING| containing the result. If |out| is non-NULL and -// |*out| is NULL, it additionally sets |*out| to the result. If both |out| and -// |*out| are non-NULL, it instead updates the object at |*out| and returns -// |*out|. In all cases, it returns NULL on error. -// -// This function supports the following NIDs: |NID_countryName|, -// |NID_dnQualifier|, |NID_domainComponent|, |NID_friendlyName|, -// |NID_givenName|, |NID_initials|, |NID_localityName|, |NID_ms_csp_name|, -// |NID_name|, |NID_organizationalUnitName|, |NID_organizationName|, -// |NID_pkcs9_challengePassword|, |NID_pkcs9_emailAddress|, -// |NID_pkcs9_unstructuredAddress|, |NID_pkcs9_unstructuredName|, -// |NID_serialNumber|, |NID_stateOrProvinceName|, and |NID_surname|. Additional -// NIDs may be registered with |ASN1_STRING_set_by_NID|, but it is recommended -// to call |ASN1_mbstring_ncopy| directly instead. +// Slightly unlike `ASN1_mbstring_ncopy`, this function interprets `out` and +// returns its result as follows: If `out` is NULL, it returns a newly-allocated +// `ASN1_STRING` containing the result. If `out` is non-NULL and +// `*out` is NULL, it additionally sets `*out` to the result. If both `out` and +// `*out` are non-NULL, it instead updates the object at `*out` and returns +// `*out`. In all cases, it returns NULL on error. 
+// +// This function supports the following NIDs: `NID_countryName`, +// `NID_dnQualifier`, `NID_domainComponent`, `NID_friendlyName`, +// `NID_givenName`, `NID_initials`, `NID_localityName`, `NID_ms_csp_name`, +// `NID_name`, `NID_organizationalUnitName`, `NID_organizationName`, +// `NID_pkcs9_challengePassword`, `NID_pkcs9_emailAddress`, +// `NID_pkcs9_unstructuredAddress`, `NID_pkcs9_unstructuredName`, +// `NID_serialNumber`, `NID_stateOrProvinceName`, and `NID_surname`. Additional +// NIDs may be registered with `ASN1_STRING_set_by_NID`, but it is recommended +// to call `ASN1_mbstring_ncopy` directly instead. OPENSSL_EXPORT ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in, ossl_ssize_t len, int inform, int nid); -// STABLE_NO_MASK causes |ASN1_STRING_TABLE_add| to allow types other than +// STABLE_NO_MASK causes `ASN1_STRING_TABLE_add` to allow types other than // UTF8String. #define STABLE_NO_MASK 0x02 -// ASN1_STRING_TABLE_add registers the corresponding parameters with |nid|, for -// use with |ASN1_STRING_set_by_NID|. It returns one on success and zero on -// error. It is an error to call this function if |nid| is a built-in NID, or +// ASN1_STRING_TABLE_add registers the corresponding parameters with `nid`, for +// use with `ASN1_STRING_set_by_NID`. It returns one on success and zero on +// error. It is an error to call this function if `nid` is a built-in NID, or // was already registered by a previous call. // // WARNING: This function affects global state in the library. If two libraries // in the same address space register information for the same OID, one call // will fail. Prefer directly passing the desired parameters to -// |ASN1_mbstring_copy| or |ASN1_mbstring_ncopy| instead. +// `ASN1_mbstring_copy` or `ASN1_mbstring_ncopy` instead. OPENSSL_EXPORT int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, unsigned long mask, unsigned long flags); 
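Review bot: The rewritten comment for ASN1_STRING_set_by_NID still says that additional NIDs "may be registered with `ASN1_STRING_set_by_NID`", which names the function being documented rather than a registration function. The comment further down in this hunk describes ASN1_STRING_TABLE_add as the call that "registers the corresponding parameters with `nid`, for use with `ASN1_STRING_set_by_NID`", so the sentence presumably means that function. Since these lines are being rewritten anyway, I would change the sentence to read `// NIDs may be registered with ASN1_STRING_TABLE_add, but it is recommended` (with the identifier in the file's backtick markup). The cross-reference matters because the ASN1_STRING_TABLE_add comment carries the warning about process-global state, and a reader following the current text never reaches it.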
@@ -768,11 +768,11 @@ OPENSSL_EXPORT int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, // Multi-strings. // -// A multi-string, or "MSTRING", is an |ASN1_STRING| that represents a CHOICE of +// A multi-string, or "MSTRING", is an `ASN1_STRING` that represents a CHOICE of // several string or string-like types, such as X.509's DirectoryString. The -// |ASN1_STRING|'s type field determines which type is used. +// `ASN1_STRING`'s type field determines which type is used. // -// Multi-string types are associated with a bitmask, using the |B_ASN1_*| +// Multi-string types are associated with a bitmask, using the `B_ASN1_*` // constants, which defines which types are valid. // B_ASN1_DIRECTORYSTRING is a bitmask of types allowed in an X.509 @@ -781,16 +781,16 @@ OPENSSL_EXPORT int ASN1_STRING_TABLE_add(int nid, long minsize, long maxsize, (B_ASN1_PRINTABLESTRING | B_ASN1_TELETEXSTRING | B_ASN1_BMPSTRING | \ B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING) -// DIRECTORYSTRING_new returns a newly-allocated |ASN1_STRING| with type -1, or -// NULL on error. The resulting |ASN1_STRING| is not a valid X.509 +// DIRECTORYSTRING_new returns a newly-allocated `ASN1_STRING` with type -1, or +// NULL on error. The resulting `ASN1_STRING` is not a valid X.509 // DirectoryString until initialized with a value. OPENSSL_EXPORT ASN1_STRING *DIRECTORYSTRING_new(void); -// DIRECTORYSTRING_free calls |ASN1_STRING_free|. +// DIRECTORYSTRING_free calls `ASN1_STRING_free`. OPENSSL_EXPORT void DIRECTORYSTRING_free(ASN1_STRING *str); -// d2i_DIRECTORYSTRING parses up to |len| bytes from |*inp| as a DER-encoded -// X.509 DirectoryString (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_DIRECTORYSTRING parses up to `len` bytes from `*inp` as a DER-encoded +// X.509 DirectoryString (RFC 5280), as described in `d2i_SAMPLE`. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts // BER, but this will be removed in the future. 
@@ -800,8 +800,8 @@ OPENSSL_EXPORT void DIRECTORYSTRING_free(ASN1_STRING *str); OPENSSL_EXPORT ASN1_STRING *d2i_DIRECTORYSTRING(ASN1_STRING **out, const uint8_t **inp, long len); -// i2d_DIRECTORYSTRING marshals |in| as a DER-encoded X.509 DirectoryString (RFC -// 5280), as described in |i2d_SAMPLE|. +// i2d_DIRECTORYSTRING marshals `in` as a DER-encoded X.509 DirectoryString (RFC +// 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_DIRECTORYSTRING(const ASN1_STRING *in, uint8_t **outp); // B_ASN1_DISPLAYTEXT is a bitmask of types allowed in an X.509 DisplayText (RFC @@ -810,16 +810,16 @@ OPENSSL_EXPORT int i2d_DIRECTORYSTRING(const ASN1_STRING *in, uint8_t **outp); (B_ASN1_IA5STRING | B_ASN1_VISIBLESTRING | B_ASN1_BMPSTRING | \ B_ASN1_UTF8STRING) -// DISPLAYTEXT_new returns a newly-allocated |ASN1_STRING| with type -1, or NULL -// on error. The resulting |ASN1_STRING| is not a valid X.509 DisplayText until +// DISPLAYTEXT_new returns a newly-allocated `ASN1_STRING` with type -1, or NULL +// on error. The resulting `ASN1_STRING` is not a valid X.509 DisplayText until // initialized with a value. OPENSSL_EXPORT ASN1_STRING *DISPLAYTEXT_new(void); -// DISPLAYTEXT_free calls |ASN1_STRING_free|. +// DISPLAYTEXT_free calls `ASN1_STRING_free`. OPENSSL_EXPORT void DISPLAYTEXT_free(ASN1_STRING *str); -// d2i_DISPLAYTEXT parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// DisplayText (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_DISPLAYTEXT parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// DisplayText (RFC 5280), as described in `d2i_SAMPLE`. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts // BER, but this will be removed in the future. 
@@ -829,8 +829,8 @@ OPENSSL_EXPORT void DISPLAYTEXT_free(ASN1_STRING *str); OPENSSL_EXPORT ASN1_STRING *d2i_DISPLAYTEXT(ASN1_STRING **out, const uint8_t **inp, long len); -// i2d_DISPLAYTEXT marshals |in| as a DER-encoded X.509 DisplayText (RFC 5280), -// as described in |i2d_SAMPLE|. +// i2d_DISPLAYTEXT marshals `in` as a DER-encoded X.509 DisplayText (RFC 5280), +// as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_DISPLAYTEXT(const ASN1_STRING *in, uint8_t **outp); @@ -843,7 +843,7 @@ OPENSSL_EXPORT int i2d_DISPLAYTEXT(const ASN1_STRING *in, uint8_t **outp); // Some BIT STRINGs represent a bitmask of named bits, such as the X.509 key // usage extension in RFC 5280, section 4.2.1.3. For such bit strings, DER // imposes an additional restriction that trailing zero bits are removed. Some -// functions like |ASN1_BIT_STRING_set_bit| help in maintaining this. +// functions like `ASN1_BIT_STRING_set_bit` help in maintaining this. // // Other BIT STRINGs are arbitrary strings of bits used as identifiers and do // not have this constraint, such as the X.509 issuerUniqueID field. 
@@ -854,50 +854,51 @@ OPENSSL_EXPORT int i2d_DISPLAYTEXT(const ASN1_STRING *in, uint8_t **outp); // AlgorithmIdentifier. While some unknown algorithm could choose to store // arbitrary bit strings, all supported algorithms use a byte string, with bit // order matching the DER encoding. Callers interpreting a BIT STRING as a byte -// string should use |ASN1_BIT_STRING_num_bytes| instead of |ASN1_STRING_length| -// and reject bit strings that are not a whole number of bytes. +// string should reject bit strings that are not a whole number of bytes by +// requiring that `ASN1_BIT_STRING_unused_bits` returns zero; the byte length is +// returned by `ASN1_STRING_length`. // -// This library represents BIT STRINGs as |ASN1_STRING|s with type -// |V_ASN1_BIT_STRING|. The data contains the encoded form of the BIT STRING, +// This library represents BIT STRINGs as `ASN1_STRING`s with type +// `V_ASN1_BIT_STRING`. The data contains the encoded form of the BIT STRING, // including any padding bits added to round to a whole number of bytes, but // excluding the leading byte containing the number of padding bits. Instead, -// the bottom three bits of |flags| contain the number of padding bits. For +// the bottom three bits of `flags` contain the number of padding bits. For // example, DER encodes the BIT STRING {1, 0} as {0x06, 0x80 = 0b10_000000}. The -// |ASN1_STRING| representation has data of {0x80} and flags of 6. +// `ASN1_STRING` representation has data of {0x80} and flags of 6. -// ASN1_BIT_STRING_new calls |ASN1_STRING_type_new| with |V_ASN1_BIT_STRING|. +// ASN1_BIT_STRING_new calls `ASN1_STRING_type_new` with `V_ASN1_BIT_STRING`. OPENSSL_EXPORT ASN1_BIT_STRING *ASN1_BIT_STRING_new(void); -// ASN1_BIT_STRING_free calls |ASN1_STRING_free|. +// ASN1_BIT_STRING_free calls `ASN1_STRING_free`. 
OPENSSL_EXPORT void ASN1_BIT_STRING_free(ASN1_BIT_STRING *str); -// d2i_ASN1_BIT_STRING parses up to |len| bytes from |*inp| as a DER-encoded -// ASN.1 BIT STRING, as described in |d2i_SAMPLE|. +// d2i_ASN1_BIT_STRING parses up to `len` bytes from `*inp` as a DER-encoded +// ASN.1 BIT STRING, as described in `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out, const uint8_t **inp, long len); -// i2d_ASN1_BIT_STRING marshals |in| as a DER-encoded ASN.1 BIT STRING, as -// described in |i2d_SAMPLE|. +// i2d_ASN1_BIT_STRING marshals `in` as a DER-encoded ASN.1 BIT STRING, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_BIT_STRING(const ASN1_BIT_STRING *in, uint8_t **outp); -// c2i_ASN1_BIT_STRING decodes |len| bytes from |*inp| as the contents of a +// c2i_ASN1_BIT_STRING decodes `len` bytes from `*inp` as the contents of a // DER-encoded BIT STRING, excluding the tag and length. It behaves like -// |d2i_SAMPLE| except, on success, it always consumes all |len| bytes. +// `d2i_SAMPLE` except, on success, it always consumes all `len` bytes. OPENSSL_EXPORT ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out, const uint8_t **inp, long len); -// i2c_ASN1_BIT_STRING encodes |in| as the contents of a DER-encoded BIT STRING, -// excluding the tag and length. If |outp| is non-NULL, it writes the result to -// |*outp|, advances |*outp| just past the output, and returns the number of -// bytes written. |*outp| must have space available for the result. If |outp| is +// i2c_ASN1_BIT_STRING encodes `in` as the contents of a DER-encoded BIT STRING, +// excluding the tag and length. If `outp` is non-NULL, it writes the result to +// `*outp`, advances `*outp` just past the output, and returns the number of +// bytes written. `*outp` must have space available for the result. If `outp` is // NULL, it returns the number of bytes without writing anything. On error, it // returns a value <= 0. 
// -// Note this function differs slightly from |i2d_SAMPLE|. If |outp| is non-NULL -// and |*outp| is NULL, it does not allocate a new buffer. +// Note this function differs slightly from `i2d_SAMPLE`. If `outp` is non-NULL +// and `*outp` is NULL, it does not allocate a new buffer. // // TODO(davidben): This function currently returns zero on error instead of -1, // but it is also mostly infallible. I've currently documented <= 0 to suggest 
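Review bot: The rewritten BIT STRING paragraph above `ASN1_BIT_STRING_new` turns what used to be one recommended call into two separate steps, and the comment does not say that the length from `ASN1_STRING_length` is only a valid byte count once `ASN1_BIT_STRING_unused_bits` has returned zero. A caller migrated by swapping `ASN1_BIT_STRING_num_bytes` for `ASN1_STRING_length` alone would silently accept bit strings with a partial final byte where a byte string is expected. The comment could state the ordering directly, for example `// ASN1_STRING_length alone does not reject a partial final byte; check ASN1_BIT_STRING_unused_bits first.` Whether `ASN1_BIT_STRING_num_bytes` is still declared is not visible in this hunk, so any wrapper or binding in this repository that called it should be checked against the new two-step pattern.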
@@ -905,44 +906,44 @@ OPENSSL_EXPORT ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out, OPENSSL_EXPORT int i2c_ASN1_BIT_STRING(const ASN1_BIT_STRING *in, uint8_t **outp); -// ASN1_BIT_STRING is an |ASN1_ITEM| with ASN.1 type BIT STRING and C type -// |ASN1_BIT_STRING*|. +// ASN1_BIT_STRING is an `ASN1_ITEM` with ASN.1 type BIT STRING and C type +// `ASN1_BIT_STRING*`. DECLARE_ASN1_ITEM(ASN1_BIT_STRING) // ASN1_BIT_STRING_unused_bits returns the number of unused bits in the last -// byte of |str|. If |str| is empty (i.e. |ASN1_STRING_length| is zero), this +// byte of `str`. If `str` is empty (i.e. `ASN1_STRING_length` is zero), this // always returns zero. Otherwise it returns a number between 0 and 7. OPENSSL_EXPORT uint8_t ASN1_BIT_STRING_unused_bits(const ASN1_BIT_STRING *str); -// ASN1_BIT_STRING_set calls |ASN1_STRING_set|. +// ASN1_BIT_STRING_set calls `ASN1_STRING_set`. OPENSSL_EXPORT int ASN1_BIT_STRING_set(ASN1_BIT_STRING *str, const uint8_t *data, ossl_ssize_t length); -// ASN1_BIT_STRING_set1 sets |str| to a BIT STRING containing |length| bytes -// from |data|. It returns one on success and zero on error. The least -// significant |unused_bits| of the last byte of |data| are removed from the bit -// string. The removed bits must all be zero. |unused_bits| must be between 0 -// and 7, and must be 0 if |length| is zero. +// ASN1_BIT_STRING_set1 sets `str` to a BIT STRING containing `length` bytes +// from `data`. It returns one on success and zero on error. The least +// significant `unused_bits` of the last byte of `data` are removed from the bit +// string. The removed bits must all be zero. `unused_bits` must be between 0 +// and 7, and must be 0 if `length` is zero. OPENSSL_EXPORT int ASN1_BIT_STRING_set1(ASN1_BIT_STRING *str, const uint8_t *data, size_t length, int unused_bits); -// ASN1_BIT_STRING_set_bit sets bit |n| of |str| to one if |value| is non-zero -// and zero if |value| is zero, resizing |str| as needed. 
It then truncates -// trailing zeros in |str| to align with the DER representation for a bit string -// with named bits. It returns one on success and zero on error. |n| is indexed +// ASN1_BIT_STRING_set_bit sets bit `n` of `str` to one if `value` is non-zero +// and zero if `value` is zero, resizing `str` as needed. It then truncates +// trailing zeros in `str` to align with the DER representation for a bit string +// with named bits. It returns one on success and zero on error. `n` is indexed // beginning from zero. OPENSSL_EXPORT int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *str, int n, int value); -// ASN1_BIT_STRING_get_bit returns one if bit |n| of |a| is in bounds and set, -// and zero otherwise. |n| is indexed beginning from zero. +// ASN1_BIT_STRING_get_bit returns one if bit `n` of `a` is in bounds and set, +// and zero otherwise. `n` is indexed beginning from zero. OPENSSL_EXPORT int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *str, int n); -// ASN1_BIT_STRING_check returns one if |str| only contains bits that are set in -// the |flags_len| bytes pointed by |flags|. Otherwise it returns zero. Bits in -// |flags| are arranged according to the DER representation, so bit 0 -// corresponds to the MSB of |flags[0]|. +// ASN1_BIT_STRING_check returns one if `str` only contains bits that are set in +// the `flags_len` bytes pointed by `flags`. Otherwise it returns zero. Bits in +// `flags` are arranged according to the DER representation, so bit 0 +// corresponds to the MSB of `flags[0]`. OPENSSL_EXPORT int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *str, const unsigned char *flags, int flags_len); 
@@ -950,162 +951,162 @@ OPENSSL_EXPORT int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *str, // Integers and enumerated values. // -// INTEGER and ENUMERATED values are represented as |ASN1_STRING|s where the +// INTEGER and ENUMERATED values are represented as `ASN1_STRING`s where the // data contains the big-endian encoding of the absolute value of the integer. // The sign bit is encoded in the type: non-negative values have a type of -// |V_ASN1_INTEGER| or |V_ASN1_ENUMERATED|, while negative values have a type of -// |V_ASN1_NEG_INTEGER| or |V_ASN1_NEG_ENUMERATED|. Note this differs from DER's +// `V_ASN1_INTEGER` or `V_ASN1_ENUMERATED`, while negative values have a type of +// `V_ASN1_NEG_INTEGER` or `V_ASN1_NEG_ENUMERATED`. Note this differs from DER's // two's complement representation. // -// The data in the |ASN1_STRING| may not have leading zeros. Note this means +// The data in the `ASN1_STRING` may not have leading zeros. Note this means // zero is represented as the empty string. Parsing functions will never return // invalid representations. If an invalid input is constructed, the marshaling // functions will skip leading zeros, however other functions, such as -// |ASN1_INTEGER_cmp| or |ASN1_INTEGER_get|, may not return the correct result. +// `ASN1_INTEGER_cmp` or `ASN1_INTEGER_get`, may not return the correct result. DEFINE_STACK_OF(ASN1_INTEGER) -// ASN1_INTEGER_new calls |ASN1_STRING_type_new| with |V_ASN1_INTEGER|. The +// ASN1_INTEGER_new calls `ASN1_STRING_type_new` with `V_ASN1_INTEGER`. The // resulting object has value zero. OPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_new(void); -// ASN1_INTEGER_free calls |ASN1_STRING_free|. +// ASN1_INTEGER_free calls `ASN1_STRING_free`. OPENSSL_EXPORT void ASN1_INTEGER_free(ASN1_INTEGER *str); -// ASN1_INTEGER_dup calls |ASN1_STRING_dup|. +// ASN1_INTEGER_dup calls `ASN1_STRING_dup`. 
OPENSSL_EXPORT ASN1_INTEGER *ASN1_INTEGER_dup(const ASN1_INTEGER *x); -// d2i_ASN1_INTEGER parses up to |len| bytes from |*inp| as a DER-encoded -// ASN.1 INTEGER, as described in |d2i_SAMPLE|. +// d2i_ASN1_INTEGER parses up to `len` bytes from `*inp` as a DER-encoded +// ASN.1 INTEGER, as described in `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **out, const uint8_t **inp, long len); -// i2d_ASN1_INTEGER marshals |in| as a DER-encoded ASN.1 INTEGER, as -// described in |i2d_SAMPLE|. +// i2d_ASN1_INTEGER marshals `in` as a DER-encoded ASN.1 INTEGER, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp); -// c2i_ASN1_INTEGER decodes |len| bytes from |*inp| as the contents of a +// c2i_ASN1_INTEGER decodes `len` bytes from `*inp` as the contents of a // DER-encoded INTEGER, excluding the tag and length. It behaves like -// |d2i_SAMPLE| except, on success, it always consumes all |len| bytes. +// `d2i_SAMPLE` except, on success, it always consumes all `len` bytes. OPENSSL_EXPORT ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **in, const uint8_t **outp, long len); -// i2c_ASN1_INTEGER encodes |in| as the contents of a DER-encoded INTEGER, -// excluding the tag and length. If |outp| is non-NULL, it writes the result to -// |*outp|, advances |*outp| just past the output, and returns the number of -// bytes written. |*outp| must have space available for the result. If |outp| is +// i2c_ASN1_INTEGER encodes `in` as the contents of a DER-encoded INTEGER, +// excluding the tag and length. If `outp` is non-NULL, it writes the result to +// `*outp`, advances `*outp` just past the output, and returns the number of +// bytes written. `*outp` must have space available for the result. If `outp` is // NULL, it returns the number of bytes without writing anything. On error, it // returns a value <= 0. // -// Note this function differs slightly from |i2d_SAMPLE|. 
If |outp| is non-NULL -// and |*outp| is NULL, it does not allocate a new buffer. +// Note this function differs slightly from `i2d_SAMPLE`. If `outp` is non-NULL +// and `*outp` is NULL, it does not allocate a new buffer. // // TODO(davidben): This function currently returns zero on error instead of -1, // but it is also mostly infallible. I've currently documented <= 0 to suggest // callers work with both. OPENSSL_EXPORT int i2c_ASN1_INTEGER(const ASN1_INTEGER *in, uint8_t **outp); -// ASN1_INTEGER is an |ASN1_ITEM| with ASN.1 type INTEGER and C type -// |ASN1_INTEGER*|. +// ASN1_INTEGER is an `ASN1_ITEM` with ASN.1 type INTEGER and C type +// `ASN1_INTEGER*`. DECLARE_ASN1_ITEM(ASN1_INTEGER) -// ASN1_INTEGER_set_uint64 sets |a| to an INTEGER with value |v|. It returns one +// ASN1_INTEGER_set_uint64 sets `a` to an INTEGER with value `v`. It returns one // on success and zero on error. OPENSSL_EXPORT int ASN1_INTEGER_set_uint64(ASN1_INTEGER *out, uint64_t v); -// ASN1_INTEGER_set_int64 sets |a| to an INTEGER with value |v|. It returns one +// ASN1_INTEGER_set_int64 sets `a` to an INTEGER with value `v`. It returns one // on success and zero on error. OPENSSL_EXPORT int ASN1_INTEGER_set_int64(ASN1_INTEGER *out, int64_t v); -// ASN1_INTEGER_get_uint64 converts |a| to a |uint64_t|. On success, it returns -// one and sets |*out| to the result. If |a| did not fit or has the wrong type, +// ASN1_INTEGER_get_uint64 converts `a` to a `uint64_t`. On success, it returns +// one and sets `*out` to the result. If `a` did not fit or has the wrong type, // it returns zero. OPENSSL_EXPORT int ASN1_INTEGER_get_uint64(uint64_t *out, const ASN1_INTEGER *a); -// ASN1_INTEGER_get_int64 converts |a| to a |int64_t|. On success, it returns -// one and sets |*out| to the result. If |a| did not fit or has the wrong type, +// ASN1_INTEGER_get_int64 converts `a` to a `int64_t`. On success, it returns +// one and sets `*out` to the result. 
If `a` did not fit or has the wrong type, // it returns zero. OPENSSL_EXPORT int ASN1_INTEGER_get_int64(int64_t *out, const ASN1_INTEGER *a); -// BN_to_ASN1_INTEGER sets |ai| to an INTEGER with value |bn| and returns |ai| -// on success or NULL or error. If |ai| is NULL, it returns a newly-allocated -// |ASN1_INTEGER| on success instead, which the caller must release with -// |ASN1_INTEGER_free|. +// BN_to_ASN1_INTEGER sets `ai` to an INTEGER with value `bn` and returns `ai` +// on success or NULL or error. If `ai` is NULL, it returns a newly-allocated +// `ASN1_INTEGER` on success instead, which the caller must release with +// `ASN1_INTEGER_free`. OPENSSL_EXPORT ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); -// ASN1_INTEGER_to_BN sets |bn| to the value of |ai| and returns |bn| on success -// or NULL or error. If |bn| is NULL, it returns a newly-allocated |BIGNUM| on -// success instead, which the caller must release with |BN_free|. +// ASN1_INTEGER_to_BN sets `bn` to the value of `ai` and returns `bn` on success +// or NULL or error. If `bn` is NULL, it returns a newly-allocated `BIGNUM` on +// success instead, which the caller must release with `BN_free`. OPENSSL_EXPORT BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn); -// ASN1_INTEGER_cmp compares the values of |x| and |y|. It returns an integer -// equal to, less than, or greater than zero if |x| is equal to, less than, or -// greater than |y|, respectively. +// ASN1_INTEGER_cmp compares the values of `x` and `y`. It returns an integer +// equal to, less than, or greater than zero if `x` is equal to, less than, or +// greater than `y`, respectively. OPENSSL_EXPORT int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y); -// ASN1_ENUMERATED_new calls |ASN1_STRING_type_new| with |V_ASN1_ENUMERATED|. +// ASN1_ENUMERATED_new calls `ASN1_STRING_type_new` with `V_ASN1_ENUMERATED`. // The resulting object has value zero. 
OPENSSL_EXPORT ASN1_ENUMERATED *ASN1_ENUMERATED_new(void); -// ASN1_ENUMERATED_free calls |ASN1_STRING_free|. +// ASN1_ENUMERATED_free calls `ASN1_STRING_free`. OPENSSL_EXPORT void ASN1_ENUMERATED_free(ASN1_ENUMERATED *str); -// d2i_ASN1_ENUMERATED parses up to |len| bytes from |*inp| as a DER-encoded -// ASN.1 ENUMERATED, as described in |d2i_SAMPLE|. +// d2i_ASN1_ENUMERATED parses up to `len` bytes from `*inp` as a DER-encoded +// ASN.1 ENUMERATED, as described in `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **out, const uint8_t **inp, long len); -// i2d_ASN1_ENUMERATED marshals |in| as a DER-encoded ASN.1 ENUMERATED, as -// described in |i2d_SAMPLE|. +// i2d_ASN1_ENUMERATED marshals `in` as a DER-encoded ASN.1 ENUMERATED, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_ENUMERATED(const ASN1_ENUMERATED *in, uint8_t **outp); -// ASN1_ENUMERATED is an |ASN1_ITEM| with ASN.1 type ENUMERATED and C type -// |ASN1_ENUMERATED*|. +// ASN1_ENUMERATED is an `ASN1_ITEM` with ASN.1 type ENUMERATED and C type +// `ASN1_ENUMERATED*`. DECLARE_ASN1_ITEM(ASN1_ENUMERATED) -// ASN1_ENUMERATED_set_uint64 sets |a| to an ENUMERATED with value |v|. It +// ASN1_ENUMERATED_set_uint64 sets `a` to an ENUMERATED with value `v`. It // returns one on success and zero on error. OPENSSL_EXPORT int ASN1_ENUMERATED_set_uint64(ASN1_ENUMERATED *out, uint64_t v); -// ASN1_ENUMERATED_set_int64 sets |a| to an ENUMERATED with value |v|. It +// ASN1_ENUMERATED_set_int64 sets `a` to an ENUMERATED with value `v`. It // returns one on success and zero on error. OPENSSL_EXPORT int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *out, int64_t v); -// ASN1_ENUMERATED_get_uint64 converts |a| to a |uint64_t|. On success, it -// returns one and sets |*out| to the result. If |a| did not fit or has the +// ASN1_ENUMERATED_get_uint64 converts `a` to a `uint64_t`. On success, it +// returns one and sets `*out` to the result. 
If `a` did not fit or has the // wrong type, it returns zero. OPENSSL_EXPORT int ASN1_ENUMERATED_get_uint64(uint64_t *out, const ASN1_ENUMERATED *a); -// ASN1_ENUMERATED_get_int64 converts |a| to a |int64_t|. On success, it -// returns one and sets |*out| to the result. If |a| did not fit or has the +// ASN1_ENUMERATED_get_int64 converts `a` to a `int64_t`. On success, it +// returns one and sets `*out` to the result. If `a` did not fit or has the // wrong type, it returns zero. OPENSSL_EXPORT int ASN1_ENUMERATED_get_int64(int64_t *out, const ASN1_ENUMERATED *a); -// BN_to_ASN1_ENUMERATED sets |ai| to an ENUMERATED with value |bn| and returns -// |ai| on success or NULL or error. If |ai| is NULL, it returns a -// newly-allocated |ASN1_ENUMERATED| on success instead, which the caller must -// release with |ASN1_ENUMERATED_free|. +// BN_to_ASN1_ENUMERATED sets `ai` to an ENUMERATED with value `bn` and returns +// `ai` on success or NULL or error. If `ai` is NULL, it returns a +// newly-allocated `ASN1_ENUMERATED` on success instead, which the caller must +// release with `ASN1_ENUMERATED_free`. OPENSSL_EXPORT ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai); -// ASN1_ENUMERATED_to_BN sets |bn| to the value of |ai| and returns |bn| on -// success or NULL or error. If |bn| is NULL, it returns a newly-allocated -// |BIGNUM| on success instead, which the caller must release with |BN_free|. +// ASN1_ENUMERATED_to_BN sets `bn` to the value of `ai` and returns `bn` on +// success or NULL or error. If `bn` is NULL, it returns a newly-allocated +// `BIGNUM` on success instead, which the caller must release with `BN_free`. OPENSSL_EXPORT BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn); // Time. // -// GeneralizedTime and UTCTime values are represented as |ASN1_STRING|s. The -// type field is |V_ASN1_GENERALIZEDTIME| or |V_ASN1_UTCTIME|, respectively. The +// GeneralizedTime and UTCTime values are represented as `ASN1_STRING`s. 
The +// type field is `V_ASN1_GENERALIZEDTIME` or `V_ASN1_UTCTIME`, respectively. The // data field contains the DER encoding of the value. For example, the UNIX // epoch would be "19700101000000Z" for a GeneralizedTime and "700101000000Z" // for a UTCTime. 
@@ -1116,49 +1117,49 @@ OPENSSL_EXPORT BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, // BER, and the additional restrictions from RFC 5280, but future versions may. // Callers should not rely on fractional seconds and non-UTC time zones. // -// The |ASN1_TIME| typedef is a multi-string representing the X.509 Time type, +// The `ASN1_TIME` typedef is a multi-string representing the X.509 Time type, // which is a CHOICE of GeneralizedTime and UTCTime, using UTCTime when the // value is in range. -// ASN1_UTCTIME_new calls |ASN1_STRING_type_new| with |V_ASN1_UTCTIME|. The +// ASN1_UTCTIME_new calls `ASN1_STRING_type_new` with `V_ASN1_UTCTIME`. The // resulting object contains empty contents and must be initialized to be a // valid UTCTime. OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_new(void); -// ASN1_UTCTIME_free calls |ASN1_STRING_free|. +// ASN1_UTCTIME_free calls `ASN1_STRING_free`. OPENSSL_EXPORT void ASN1_UTCTIME_free(ASN1_UTCTIME *str); -// d2i_ASN1_UTCTIME parses up to |len| bytes from |*inp| as a DER-encoded -// ASN.1 UTCTime, as described in |d2i_SAMPLE|. +// d2i_ASN1_UTCTIME parses up to `len` bytes from `*inp` as a DER-encoded +// ASN.1 UTCTime, as described in `d2i_SAMPLE`. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts // BER, but this will be removed in the future. OPENSSL_EXPORT ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **out, const uint8_t **inp, long len); -// i2d_ASN1_UTCTIME marshals |in| as a DER-encoded ASN.1 UTCTime, as -// described in |i2d_SAMPLE|. +// i2d_ASN1_UTCTIME marshals `in` as a DER-encoded ASN.1 UTCTime, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_UTCTIME(const ASN1_UTCTIME *in, uint8_t **outp); -// ASN1_UTCTIME is an |ASN1_ITEM| with ASN.1 type UTCTime and C type -// |ASN1_UTCTIME*|. +// ASN1_UTCTIME is an `ASN1_ITEM` with ASN.1 type UTCTime and C type +// `ASN1_UTCTIME*`. 
DECLARE_ASN1_ITEM(ASN1_UTCTIME) -// ASN1_UTCTIME_check returns one if |a| is a valid UTCTime and zero otherwise. +// ASN1_UTCTIME_check returns one if `a` is a valid UTCTime and zero otherwise. OPENSSL_EXPORT int ASN1_UTCTIME_check(const ASN1_UTCTIME *a); -// ASN1_UTCTIME_set represents |posix_time| as a UTCTime and writes the result -// to |s|. It returns |s| on success and NULL on error. If |s| is NULL, it -// returns a newly-allocated |ASN1_UTCTIME| instead. +// ASN1_UTCTIME_set represents `posix_time` as a UTCTime and writes the result +// to `s`. It returns `s` on success and NULL on error. If `s` is NULL, it +// returns a newly-allocated `ASN1_UTCTIME` instead. // // Note this function may fail if the time is out of range for UTCTime. OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, int64_t posix_time); -// ASN1_UTCTIME_adj adds |offset_day| days and |offset_sec| seconds to -// |posix_time| and writes the result to |s| as a UTCTime. It returns |s| on -// success and NULL on error. If |s| is NULL, it returns a newly-allocated -// |ASN1_UTCTIME| instead. +// ASN1_UTCTIME_adj adds `offset_day` days and `offset_sec` seconds to +// `posix_time` and writes the result to `s` as a UTCTime. It returns `s` on +// success and NULL on error. If `s` is NULL, it returns a newly-allocated +// `ASN1_UTCTIME` instead. // // Note this function may fail if the time overflows or is out of range for // UTCTime. 
@@ -1166,51 +1167,51 @@ OPENSSL_EXPORT ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, int64_t posix_time, int offset_day, long offset_sec); -// ASN1_UTCTIME_set_string sets |s| to a UTCTime whose contents are a copy of -// |str|. It returns one on success and zero on error or if |str| is not a valid +// ASN1_UTCTIME_set_string sets `s` to a UTCTime whose contents are a copy of +// `str`. It returns one on success and zero on error or if `str` is not a valid // UTCTime. // -// If |s| is NULL, this function validates |str| without copying it. +// If `s` is NULL, this function validates `str` without copying it. OPENSSL_EXPORT int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); -// ASN1_GENERALIZEDTIME_new calls |ASN1_STRING_type_new| with -// |V_ASN1_GENERALIZEDTIME|. The resulting object contains empty contents and +// ASN1_GENERALIZEDTIME_new calls `ASN1_STRING_type_new` with +// `V_ASN1_GENERALIZEDTIME`. The resulting object contains empty contents and // must be initialized to be a valid GeneralizedTime. OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_new(void); -// ASN1_GENERALIZEDTIME_free calls |ASN1_STRING_free|. +// ASN1_GENERALIZEDTIME_free calls `ASN1_STRING_free`. OPENSSL_EXPORT void ASN1_GENERALIZEDTIME_free(ASN1_GENERALIZEDTIME *str); -// d2i_ASN1_GENERALIZEDTIME parses up to |len| bytes from |*inp| as a -// DER-encoded ASN.1 GeneralizedTime, as described in |d2i_SAMPLE|. +// d2i_ASN1_GENERALIZEDTIME parses up to `len` bytes from `*inp` as a +// DER-encoded ASN.1 GeneralizedTime, as described in `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME( ASN1_GENERALIZEDTIME **out, const uint8_t **inp, long len); -// i2d_ASN1_GENERALIZEDTIME marshals |in| as a DER-encoded ASN.1 -// GeneralizedTime, as described in |i2d_SAMPLE|. +// i2d_ASN1_GENERALIZEDTIME marshals `in` as a DER-encoded ASN.1 +// GeneralizedTime, as described in `i2d_SAMPLE`. 
OPENSSL_EXPORT int i2d_ASN1_GENERALIZEDTIME(const ASN1_GENERALIZEDTIME *in, uint8_t **outp); -// ASN1_GENERALIZEDTIME is an |ASN1_ITEM| with ASN.1 type GeneralizedTime and C -// type |ASN1_GENERALIZEDTIME*|. +// ASN1_GENERALIZEDTIME is an `ASN1_ITEM` with ASN.1 type GeneralizedTime and C +// type `ASN1_GENERALIZEDTIME*`. DECLARE_ASN1_ITEM(ASN1_GENERALIZEDTIME) -// ASN1_GENERALIZEDTIME_check returns one if |a| is a valid GeneralizedTime and +// ASN1_GENERALIZEDTIME_check returns one if `a` is a valid GeneralizedTime and // zero otherwise. OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a); -// ASN1_GENERALIZEDTIME_set represents |posix_time| as a GeneralizedTime and -// writes the result to |s|. It returns |s| on success and NULL on error. If |s| -// is NULL, it returns a newly-allocated |ASN1_GENERALIZEDTIME| instead. +// ASN1_GENERALIZEDTIME_set represents `posix_time` as a GeneralizedTime and +// writes the result to `s`. It returns `s` on success and NULL on error. If `s` +// is NULL, it returns a newly-allocated `ASN1_GENERALIZEDTIME` instead. // // Note this function may fail if the time is out of range for GeneralizedTime. OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set( ASN1_GENERALIZEDTIME *s, int64_t posix_time); -// ASN1_GENERALIZEDTIME_adj adds |offset_day| days and |offset_sec| seconds to -// |posix_time| and writes the result to |s| as a GeneralizedTime. It returns -// |s| on success and NULL on error. If |s| is NULL, it returns a -// newly-allocated |ASN1_GENERALIZEDTIME| instead. +// ASN1_GENERALIZEDTIME_adj adds `offset_day` days and `offset_sec` seconds to +// `posix_time` and writes the result to `s` as a GeneralizedTime. It returns +// `s` on success and NULL on error. If `s` is NULL, it returns a +// newly-allocated `ASN1_GENERALIZEDTIME` instead. // // Note this function may fail if the time overflows or is out of range for // GeneralizedTime. 
@@ -1218,110 +1219,110 @@ OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj( ASN1_GENERALIZEDTIME *s, int64_t posix_time, int offset_day, long offset_sec); -// ASN1_GENERALIZEDTIME_set_string sets |s| to a GeneralizedTime whose contents -// are a copy of |str|. It returns one on success and zero on error or if |str| +// ASN1_GENERALIZEDTIME_set_string sets `s` to a GeneralizedTime whose contents +// are a copy of `str`. It returns one on success and zero on error or if `str` // is not a valid GeneralizedTime. // -// If |s| is NULL, this function validates |str| without copying it. +// If `s` is NULL, this function validates `str` without copying it. OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str); // B_ASN1_TIME is a bitmask of types allowed in an X.509 Time. #define B_ASN1_TIME (B_ASN1_UTCTIME | B_ASN1_GENERALIZEDTIME) -// ASN1_TIME_new returns a newly-allocated |ASN1_TIME| with type -1, or NULL on -// error. The resulting |ASN1_TIME| is not a valid X.509 Time until initialized +// ASN1_TIME_new returns a newly-allocated `ASN1_TIME` with type -1, or NULL on +// error. The resulting `ASN1_TIME` is not a valid X.509 Time until initialized // with a value. OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_new(void); -// ASN1_TIME_free releases memory associated with |str|. +// ASN1_TIME_free releases memory associated with `str`. OPENSSL_EXPORT void ASN1_TIME_free(ASN1_TIME *str); -// d2i_ASN1_TIME parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// Time (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_ASN1_TIME parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// Time (RFC 5280), as described in `d2i_SAMPLE`. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts // BER, but this will be removed in the future. 
OPENSSL_EXPORT ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **out, const uint8_t **inp, long len); -// i2d_ASN1_TIME marshals |in| as a DER-encoded X.509 Time (RFC 5280), as -// described in |i2d_SAMPLE|. +// i2d_ASN1_TIME marshals `in` as a DER-encoded X.509 Time (RFC 5280), as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_TIME(const ASN1_TIME *in, uint8_t **outp); -// ASN1_TIME_diff computes |to| - |from|. On success, it sets |*out_days| to the -// difference in days, rounded towards zero, sets |*out_seconds| to the +// ASN1_TIME_diff computes `to` - `from`. On success, it sets `*out_days` to the +// difference in days, rounded towards zero, sets `*out_seconds` to the // remainder, and returns one. On error, it returns zero. // -// If |from| is before |to|, both outputs will be <= 0, with at least one -// negative. If |from| is after |to|, both will be >= 0, with at least one +// If `from` is before `to`, both outputs will be <= 0, with at least one +// negative. If `from` is after `to`, both will be >= 0, with at least one // positive. If they are equal, ignoring fractional seconds, both will be zero. // -// Note this function may fail on overflow, or if |from| or |to| cannot be +// Note this function may fail on overflow, or if `from` or `to` cannot be // decoded. OPENSSL_EXPORT int ASN1_TIME_diff(int *out_days, int *out_seconds, const ASN1_TIME *from, const ASN1_TIME *to); -// ASN1_TIME_set_posix represents |posix_time| as a GeneralizedTime or UTCTime -// and writes the result to |s|. As in RFC 5280, section 4.1.2.5, it uses -// UTCTime when the time fits and GeneralizedTime otherwise. It returns |s| on -// success and NULL on error. If |s| is NULL, it returns a newly-allocated -// |ASN1_TIME| instead. +// ASN1_TIME_set_posix represents `posix_time` as a GeneralizedTime or UTCTime +// and writes the result to `s`. As in RFC 5280, section 4.1.2.5, it uses +// UTCTime when the time fits and GeneralizedTime otherwise. 
It returns `s` on +// success and NULL on error. If `s` is NULL, it returns a newly-allocated +// `ASN1_TIME` instead. // // Note this function may fail if the time is out of range for GeneralizedTime. OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set_posix(ASN1_TIME *s, int64_t posix_time); -// ASN1_TIME_set is exactly the same as |ASN1_TIME_set_posix| but with a +// ASN1_TIME_set is exactly the same as `ASN1_TIME_set_posix` but with a // time_t as input for compatibility. OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t time); -// ASN1_TIME_adj adds |offset_day| days and |offset_sec| seconds to -// |posix_time| and writes the result to |s|. As in RFC 5280, section 4.1.2.5, +// ASN1_TIME_adj adds `offset_day` days and `offset_sec` seconds to +// `posix_time` and writes the result to `s`. As in RFC 5280, section 4.1.2.5, // it uses UTCTime when the time fits and GeneralizedTime otherwise. It returns -// |s| on success and NULL on error. If |s| is NULL, it returns a -// newly-allocated |ASN1_GENERALIZEDTIME| instead. +// `s` on success and NULL on error. If `s` is NULL, it returns a +// newly-allocated `ASN1_GENERALIZEDTIME` instead. // // Note this function may fail if the time overflows or is out of range for // GeneralizedTime. OPENSSL_EXPORT ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, int64_t posix_time, int offset_day, long offset_sec); -// ASN1_TIME_check returns one if |t| is a valid UTCTime or GeneralizedTime, and -// zero otherwise. |t|'s type determines which check is performed. This +// ASN1_TIME_check returns one if `t` is a valid UTCTime or GeneralizedTime, and +// zero otherwise. `t`'s type determines which check is performed. This // function does not enforce that UTCTime was used when possible. OPENSSL_EXPORT int ASN1_TIME_check(const ASN1_TIME *t); -// ASN1_TIME_to_generalizedtime converts |t| to a GeneralizedTime. If |out| is -// NULL, it returns a newly-allocated |ASN1_GENERALIZEDTIME| on success, or NULL -// on error. 
If |out| is non-NULL and |*out| is NULL, it additionally sets -// |*out| to the result. If |out| and |*out| are non-NULL, it instead updates -// the object pointed by |*out| and returns |*out| on success or NULL on error. +// ASN1_TIME_to_generalizedtime converts `t` to a GeneralizedTime. If `out` is +// NULL, it returns a newly-allocated `ASN1_GENERALIZEDTIME` on success, or NULL +// on error. If `out` is non-NULL and `*out` is NULL, it additionally sets +// `*out` to the result. If `out` and `*out` are non-NULL, it instead updates +// the object pointed by `*out` and returns `*out` on success or NULL on error. OPENSSL_EXPORT ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime( const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); -// ASN1_TIME_set_string behaves like |ASN1_UTCTIME_set_string| if |str| is a -// valid UTCTime, and |ASN1_GENERALIZEDTIME_set_string| if |str| is a valid -// GeneralizedTime. If |str| is neither, it returns zero. +// ASN1_TIME_set_string behaves like `ASN1_UTCTIME_set_string` if `str` is a +// valid UTCTime, and `ASN1_GENERALIZEDTIME_set_string` if `str` is a valid +// GeneralizedTime. If `str` is neither, it returns zero. OPENSSL_EXPORT int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); -// ASN1_TIME_set_string_X509 behaves like |ASN1_TIME_set_string| except it +// ASN1_TIME_set_string_X509 behaves like `ASN1_TIME_set_string` except it // additionally converts GeneralizedTime to UTCTime if it is in the range where // UTCTime is used. See RFC 5280, section 4.1.2.5. OPENSSL_EXPORT int ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str); -// ASN1_TIME_to_time_t converts |t| to a time_t value in |out|. On +// ASN1_TIME_to_time_t converts `t` to a time_t value in `out`. On // success, one is returned. On failure, zero is returned. This function // will fail if the time can not be represented in a time_t. 
OPENSSL_EXPORT int ASN1_TIME_to_time_t(const ASN1_TIME *t, time_t *out); -// ASN1_TIME_to_posix converts |t| to a POSIX time value in |out|. On +// ASN1_TIME_to_posix converts `t` to a POSIX time value in `out`. On // success, one is returned. On failure, zero is returned. OPENSSL_EXPORT int ASN1_TIME_to_posix(const ASN1_TIME *t, int64_t *out); -// ASN1_TIME_to_posix_nonstandard converts |t| to a POSIX time value in -// |out|. It is exactly the same as |ASN1_TIME_to_posix| but allows for +// ASN1_TIME_to_posix_nonstandard converts `t` to a POSIX time value in +// `out`. It is exactly the same as `ASN1_TIME_to_posix` but allows for // non-standard four-digit timezone offsets on UTC times. On success, one is -// returned. On failure, zero is returned. |ASN1_TIME_to_posix| should normally +// returned. On failure, zero is returned. `ASN1_TIME_to_posix` should normally // be used instead of this function. OPENSSL_EXPORT int ASN1_TIME_to_posix_nonstandard( const ASN1_TIME *t, int64_t *out); 
@@ -1332,120 +1333,120 @@ OPENSSL_EXPORT int ASN1_TIME_to_posix_nonstandard( // NULL values. // // This library represents the ASN.1 NULL value by a non-NULL pointer to the -// opaque type |ASN1_NULL|. An omitted OPTIONAL ASN.1 NULL value is a NULL -// pointer. Unlike other pointer types, it is not necessary to free |ASN1_NULL| +// opaque type `ASN1_NULL`. An omitted OPTIONAL ASN.1 NULL value is a NULL +// pointer. Unlike other pointer types, it is not necessary to free `ASN1_NULL` // pointers, but it is safe to do so. // ASN1_NULL_new returns an opaque, non-NULL pointer. It is safe to call -// |ASN1_NULL_free| on the result, but not necessary. +// `ASN1_NULL_free` on the result, but not necessary. OPENSSL_EXPORT ASN1_NULL *ASN1_NULL_new(void); // ASN1_NULL_free does nothing. OPENSSL_EXPORT void ASN1_NULL_free(ASN1_NULL *null); -// d2i_ASN1_NULL parses a DER-encoded ASN.1 NULL value from up to |len| bytes -// at |*inp|, as described in |d2i_SAMPLE|. +// d2i_ASN1_NULL parses a DER-encoded ASN.1 NULL value from up to `len` bytes +// at `*inp`, as described in `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_NULL *d2i_ASN1_NULL(ASN1_NULL **out, const uint8_t **inp, long len); -// i2d_ASN1_NULL marshals |in| as a DER-encoded ASN.1 NULL value, as described -// in |i2d_SAMPLE|. +// i2d_ASN1_NULL marshals `in` as a DER-encoded ASN.1 NULL value, as described +// in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_NULL(const ASN1_NULL *in, uint8_t **outp); -// ASN1_NULL is an |ASN1_ITEM| with ASN.1 type NULL and C type |ASN1_NULL*|. +// ASN1_NULL is an `ASN1_ITEM` with ASN.1 type NULL and C type `ASN1_NULL*`. DECLARE_ASN1_ITEM(ASN1_NULL) // Object identifiers. // -// An |ASN1_OBJECT| represents a ASN.1 OBJECT IDENTIFIER. See also obj.h for -// additional functions relating to |ASN1_OBJECT|. +// An `ASN1_OBJECT` represents a ASN.1 OBJECT IDENTIFIER. See also obj.h for +// additional functions relating to `ASN1_OBJECT`. // // TODO(davidben): What's the relationship between asn1.h and obj.h? 
Most of -// obj.h deals with the large NID table, but then functions like |OBJ_get0_data| -// or |OBJ_dup| are general |ASN1_OBJECT| functions. +// obj.h deals with the large NID table, but then functions like `OBJ_get0_data` +// or `OBJ_dup` are general `ASN1_OBJECT` functions. DEFINE_STACK_OF(ASN1_OBJECT) -// ASN1_OBJECT_create returns a newly-allocated |ASN1_OBJECT| with |len| bytes -// from |data| as the encoded OID, or NULL on error. |data| should contain the +// ASN1_OBJECT_create returns a newly-allocated `ASN1_OBJECT` with `len` bytes +// from `data` as the encoded OID, or NULL on error. `data` should contain the // DER-encoded identifier, excluding the tag and length. // -// |nid| should be |NID_undef|. Passing a NID value that does not match |data| -// will cause some functions to misbehave. |sn| and |ln| should be NULL. If +// `nid` should be `NID_undef`. Passing a NID value that does not match `data` +// will cause some functions to misbehave. `sn` and `ln` should be NULL. If // non-NULL, they are stored as short and long names, respectively, but these -// values have no effect for |ASN1_OBJECT|s created through this function. +// values have no effect for `ASN1_OBJECT`s created through this function. // // TODO(davidben): Should we just ignore all those parameters? NIDs and names -// are only relevant for |ASN1_OBJECT|s in the obj.h table. +// are only relevant for `ASN1_OBJECT`s in the obj.h table. OPENSSL_EXPORT ASN1_OBJECT *ASN1_OBJECT_create(int nid, const uint8_t *data, size_t len, const char *sn, const char *ln); -// ASN1_OBJECT_free releases memory associated with |a|. If |a| is a static -// |ASN1_OBJECT|, returned from |OBJ_nid2obj|, this function does nothing. +// ASN1_OBJECT_free releases memory associated with `a`. If `a` is a static +// `ASN1_OBJECT`, returned from `OBJ_nid2obj`, this function does nothing. 
OPENSSL_EXPORT void ASN1_OBJECT_free(ASN1_OBJECT *a); -// d2i_ASN1_OBJECT parses a DER-encoded ASN.1 OBJECT IDENTIFIER from up to |len| -// bytes at |*inp|, as described in |d2i_SAMPLE|. +// d2i_ASN1_OBJECT parses a DER-encoded ASN.1 OBJECT IDENTIFIER from up to `len` +// bytes at `*inp`, as described in `d2i_SAMPLE`. OPENSSL_EXPORT ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **out, const uint8_t **inp, long len); -// i2d_ASN1_OBJECT marshals |in| as a DER-encoded ASN.1 OBJECT IDENTIFIER, as -// described in |i2d_SAMPLE|. +// i2d_ASN1_OBJECT marshals `in` as a DER-encoded ASN.1 OBJECT IDENTIFIER, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_OBJECT(const ASN1_OBJECT *in, uint8_t **outp); -// c2i_ASN1_OBJECT decodes |len| bytes from |*inp| as the contents of a +// c2i_ASN1_OBJECT decodes `len` bytes from `*inp` as the contents of a // DER-encoded OBJECT IDENTIFIER, excluding the tag and length. It behaves like -// |d2i_SAMPLE| except, on success, it always consumes all |len| bytes. +// `d2i_SAMPLE` except, on success, it always consumes all `len` bytes. OPENSSL_EXPORT ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **out, const uint8_t **inp, long len); -// ASN1_OBJECT is an |ASN1_ITEM| with ASN.1 type OBJECT IDENTIFIER and C type -// |ASN1_OBJECT*|. +// ASN1_OBJECT is an `ASN1_ITEM` with ASN.1 type OBJECT IDENTIFIER and C type +// `ASN1_OBJECT*`. DECLARE_ASN1_ITEM(ASN1_OBJECT) // Arbitrary elements. -// An asn1_type_st (aka |ASN1_TYPE|) represents an arbitrary ASN.1 element, -// typically used for ANY types. It contains a |type| field and a |value| union -// dependent on |type|. +// An asn1_type_st (aka `ASN1_TYPE`) represents an arbitrary ASN.1 element, +// typically used for ANY types. It contains a `type` field and a `value` union +// dependent on `type`. // // WARNING: This struct has a complex representation. Callers must not construct -// |ASN1_TYPE| values manually. Use |ASN1_TYPE_set| and |ASN1_TYPE_set1| +// `ASN1_TYPE` values manually. 
Use `ASN1_TYPE_set` and `ASN1_TYPE_set1` // instead. Additionally, callers performing non-trivial operations on this type -// are encouraged to use |CBS| and |CBB| from , and -// convert to or from |ASN1_TYPE| with |d2i_ASN1_TYPE| or |i2d_ASN1_TYPE|. +// are encouraged to use `CBS` and `CBB` from , and +// convert to or from `ASN1_TYPE` with `d2i_ASN1_TYPE` or `i2d_ASN1_TYPE`. // -// The |type| field corresponds to the tag of the ASN.1 element being +// The `type` field corresponds to the tag of the ASN.1 element being // represented: // -// If |type| is a |V_ASN1_*| constant for an ASN.1 string-like type, as defined -// by |ASN1_STRING|, the tag matches the constant. |value| contains an -// |ASN1_STRING| pointer (equivalently, one of the more specific typedefs). See -// |ASN1_STRING| for details on the representation. Unlike |ASN1_STRING|, -// |ASN1_TYPE| does not use the |V_ASN1_NEG| flag for negative INTEGER and -// ENUMERATE values. For a negative value, the |ASN1_TYPE|'s |type| will be -// |V_ASN1_INTEGER| or |V_ASN1_ENUMERATED|, but |value| will an |ASN1_STRING| -// whose |type| is |V_ASN1_NEG_INTEGER| or |V_ASN1_NEG_ENUMERATED|. +// If `type` is a `V_ASN1_*` constant for an ASN.1 string-like type, as defined +// by `ASN1_STRING`, the tag matches the constant. `value` contains an +// `ASN1_STRING` pointer (equivalently, one of the more specific typedefs). See +// `ASN1_STRING` for details on the representation. Unlike `ASN1_STRING`, +// `ASN1_TYPE` does not use the `V_ASN1_NEG` flag for negative INTEGER and +// ENUMERATE values. For a negative value, the `ASN1_TYPE`'s `type` will be +// `V_ASN1_INTEGER` or `V_ASN1_ENUMERATED`, but `value` will an `ASN1_STRING` +// whose `type` is `V_ASN1_NEG_INTEGER` or `V_ASN1_NEG_ENUMERATED`. // -// If |type| is |V_ASN1_OBJECT|, the tag is OBJECT IDENTIFIER and |value| -// contains an |ASN1_OBJECT| pointer. +// If `type` is `V_ASN1_OBJECT`, the tag is OBJECT IDENTIFIER and `value` +// contains an `ASN1_OBJECT` pointer. 
// -// If |type| is |V_ASN1_NULL|, the tag is NULL. |value| contains a NULL pointer. +// If `type` is `V_ASN1_NULL`, the tag is NULL. `value` contains a NULL pointer. // -// If |type| is |V_ASN1_BOOLEAN|, the tag is BOOLEAN. |value| contains an -// |ASN1_BOOLEAN|. +// If `type` is `V_ASN1_BOOLEAN`, the tag is BOOLEAN. `value` contains an +// `ASN1_BOOLEAN`. // -// If |type| is |V_ASN1_SEQUENCE|, |V_ASN1_SET|, or |V_ASN1_OTHER|, the tag is -// SEQUENCE, SET, or some arbitrary tag, respectively. |value| uses the -// corresponding |ASN1_STRING| representation. Although any type may be -// represented in |V_ASN1_OTHER|, the parser will always return the more +// If `type` is `V_ASN1_SEQUENCE`, `V_ASN1_SET`, or `V_ASN1_OTHER`, the tag is +// SEQUENCE, SET, or some arbitrary tag, respectively. `value` uses the +// corresponding `ASN1_STRING` representation. Although any type may be +// represented in `V_ASN1_OTHER`, the parser will always return the more // specific encoding when available. // -// Other values of |type| do not represent a valid ASN.1 value, though -// default-constructed objects may set |type| to -1. Such objects cannot be +// Other values of `type` do not represent a valid ASN.1 value, though +// default-constructed objects may set `type` to -1. Such objects cannot be // serialized. struct asn1_type_st { int type; 
@@ -1477,18 +1478,18 @@ struct asn1_type_st { DEFINE_STACK_OF(ASN1_TYPE) -// ASN1_TYPE_new returns a newly-allocated |ASN1_TYPE|, or NULL on allocation +// ASN1_TYPE_new returns a newly-allocated `ASN1_TYPE`, or NULL on allocation // failure. The resulting object has type -1 and must be initialized to be // a valid ANY value. OPENSSL_EXPORT ASN1_TYPE *ASN1_TYPE_new(void); -// ASN1_TYPE_free releases memory associated with |a|. +// ASN1_TYPE_free releases memory associated with `a`. OPENSSL_EXPORT void ASN1_TYPE_free(ASN1_TYPE *a); -// d2i_ASN1_TYPE parses up to |len| bytes from |*inp| as an ASN.1 value of any -// type, as described in |d2i_SAMPLE|. Note this function only validates +// d2i_ASN1_TYPE parses up to `len` bytes from `*inp` as an ASN.1 value of any +// type, as described in `d2i_SAMPLE`. Note this function only validates // primitive, universal types supported by this library. Values of type -// |V_ASN1_SEQUENCE|, |V_ASN1_SET|, |V_ASN1_OTHER|, or an unsupported primitive +// `V_ASN1_SEQUENCE`, `V_ASN1_SET`, `V_ASN1_OTHER`, or an unsupported primitive // type must be validated by the caller when interpreting. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts 
@@ -1496,46 +1497,46 @@ OPENSSL_EXPORT void ASN1_TYPE_free(ASN1_TYPE *a); OPENSSL_EXPORT ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **out, const uint8_t **inp, long len); -// i2d_ASN1_TYPE marshals |in| as DER, as described in |i2d_SAMPLE|. +// i2d_ASN1_TYPE marshals `in` as DER, as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_TYPE(const ASN1_TYPE *in, uint8_t **outp); -// ASN1_ANY is an |ASN1_ITEM| with ASN.1 type ANY and C type |ASN1_TYPE*|. Note -// the |ASN1_ITEM| name and C type do not match. +// ASN1_ANY is an `ASN1_ITEM` with ASN.1 type ANY and C type `ASN1_TYPE*`. Note +// the `ASN1_ITEM` name and C type do not match. DECLARE_ASN1_ITEM(ASN1_ANY) -// ASN1_TYPE_get returns the type of |a|, which will be one of the |V_ASN1_*| -// constants, or zero if |a| is not fully initialized. +// ASN1_TYPE_get returns the type of `a`, which will be one of the `V_ASN1_*` +// constants, or zero if `a` is not fully initialized. OPENSSL_EXPORT int ASN1_TYPE_get(const ASN1_TYPE *a); -// ASN1_TYPE_set sets |a| to an |ASN1_TYPE| of type |type| and value |value|, -// releasing the previous contents of |a|. +// ASN1_TYPE_set sets `a` to an `ASN1_TYPE` of type `type` and value `value`, +// releasing the previous contents of `a`. // -// If |type| is |V_ASN1_BOOLEAN|, |a| is set to FALSE if |value| is NULL and -// TRUE otherwise. If setting |a| to TRUE, |value| may be an invalid pointer, +// If `type` is `V_ASN1_BOOLEAN`, `a` is set to FALSE if `value` is NULL and +// TRUE otherwise. If setting `a` to TRUE, `value` may be an invalid pointer, // such as (void*)1. // -// If |type| is |V_ASN1_NULL|, |value| must be NULL. +// If `type` is `V_ASN1_NULL`, `value` must be NULL. // -// For other values of |type|, this function takes ownership of |value|, which -// must point to an object of the corresponding type. See |ASN1_TYPE| for +// For other values of `type`, this function takes ownership of `value`, which +// must point to an object of the corresponding type. 
See `ASN1_TYPE` for // details. OPENSSL_EXPORT void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); -// ASN1_TYPE_set1 behaves like |ASN1_TYPE_set| except it does not take ownership -// of |value|. It returns one on success and zero on error. +// ASN1_TYPE_set1 behaves like `ASN1_TYPE_set` except it does not take ownership +// of `value`. It returns one on success and zero on error. OPENSSL_EXPORT int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); -// ASN1_TYPE_cmp returns zero if |a| and |b| are equal and some non-zero value +// ASN1_TYPE_cmp returns zero if `a` and `b` are equal and some non-zero value // otherwise. Note this function can only be used for equality checks, not an // ordering. OPENSSL_EXPORT int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY; -// d2i_ASN1_SEQUENCE_ANY parses up to |len| bytes from |*inp| as a DER-encoded -// ASN.1 SEQUENCE OF ANY structure, as described in |d2i_SAMPLE|. The resulting -// |ASN1_SEQUENCE_ANY| owns its contents and thus must be released with -// |sk_ASN1_TYPE_pop_free| and |ASN1_TYPE_free|, not |sk_ASN1_TYPE_free|. +// d2i_ASN1_SEQUENCE_ANY parses up to `len` bytes from `*inp` as a DER-encoded +// ASN.1 SEQUENCE OF ANY structure, as described in `d2i_SAMPLE`. The resulting +// `ASN1_SEQUENCE_ANY` owns its contents and thus must be released with +// `sk_ASN1_TYPE_pop_free` and `ASN1_TYPE_free`, not `sk_ASN1_TYPE_free`. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts // BER, but this will be removed in the future. 
@@ -1543,15 +1544,15 @@ OPENSSL_EXPORT ASN1_SEQUENCE_ANY *d2i_ASN1_SEQUENCE_ANY(ASN1_SEQUENCE_ANY **out, const uint8_t **inp, long len); -// i2d_ASN1_SEQUENCE_ANY marshals |in| as a DER-encoded SEQUENCE OF ANY -// structure, as described in |i2d_SAMPLE|. +// i2d_ASN1_SEQUENCE_ANY marshals `in` as a DER-encoded SEQUENCE OF ANY +// structure, as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_SEQUENCE_ANY(const ASN1_SEQUENCE_ANY *in, uint8_t **outp); -// d2i_ASN1_SET_ANY parses up to |len| bytes from |*inp| as a DER-encoded ASN.1 -// SET OF ANY structure, as described in |d2i_SAMPLE|. The resulting -// |ASN1_SEQUENCE_ANY| owns its contents and thus must be released with -// |sk_ASN1_TYPE_pop_free| and |ASN1_TYPE_free|, not |sk_ASN1_TYPE_free|. +// d2i_ASN1_SET_ANY parses up to `len` bytes from `*inp` as a DER-encoded ASN.1 +// SET OF ANY structure, as described in `d2i_SAMPLE`. The resulting +// `ASN1_SEQUENCE_ANY` owns its contents and thus must be released with +// `sk_ASN1_TYPE_pop_free` and `ASN1_TYPE_free`, not `sk_ASN1_TYPE_free`. // // TODO(https://crbug.com/boringssl/354): This function currently also accepts // BER, but this will be removed in the future. @@ -1559,8 +1560,8 @@ OPENSSL_EXPORT ASN1_SEQUENCE_ANY *d2i_ASN1_SET_ANY(ASN1_SEQUENCE_ANY **out, const uint8_t **inp, long len); -// i2d_ASN1_SET_ANY marshals |in| as a DER-encoded SET OF ANY structure, as -// described in |i2d_SAMPLE|. +// i2d_ASN1_SET_ANY marshals `in` as a DER-encoded SET OF ANY structure, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ASN1_SET_ANY(const ASN1_SEQUENCE_ANY *in, uint8_t **outp); 
@@ -1571,25 +1572,25 @@ OPENSSL_EXPORT int i2d_ASN1_SET_ANY(const ASN1_SEQUENCE_ANY *in, // functions may be used for debugging and logging. However, the output should // not be consumed programmatically. They may be ambiguous or lose information. -// ASN1_UTCTIME_print writes a human-readable representation of |a| to |out|. It +// ASN1_UTCTIME_print writes a human-readable representation of `a` to `out`. It // returns one on success and zero on error. OPENSSL_EXPORT int ASN1_UTCTIME_print(BIO *out, const ASN1_UTCTIME *a); -// ASN1_GENERALIZEDTIME_print writes a human-readable representation of |a| to -// |out|. It returns one on success and zero on error. +// ASN1_GENERALIZEDTIME_print writes a human-readable representation of `a` to +// `out`. It returns one on success and zero on error. OPENSSL_EXPORT int ASN1_GENERALIZEDTIME_print(BIO *out, const ASN1_GENERALIZEDTIME *a); -// ASN1_TIME_print writes a human-readable representation of |a| to |out|. It +// ASN1_TIME_print writes a human-readable representation of `a` to `out`. It // returns one on success and zero on error. OPENSSL_EXPORT int ASN1_TIME_print(BIO *out, const ASN1_TIME *a); -// ASN1_STRING_print writes a human-readable representation of |str| to |out|. +// ASN1_STRING_print writes a human-readable representation of `str` to `out`. // It returns one on success and zero on error. Unprintable characters are // replaced with '.'. OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); -// The following flags must not collide with |XN_FLAG_*|. +// The following flags must not collide with `XN_FLAG_*`. // ASN1_STRFLGS_ESC_2253 causes characters to be escaped as in RFC 2253, section // 2.4. 
@@ -1610,12 +1611,12 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); // byte in the UTF-8 encoding treated as an individual character for purposes of // escape sequences. If not set, each Unicode codepoint in the string is treated // as a character, with wide characters escaped as "\Uxxxx" or "\Wxxxxxxxx". -// Note this can be ambiguous if |ASN1_STRFLGS_ESC_*| are all unset. In that +// Note this can be ambiguous if `ASN1_STRFLGS_ESC_*` are all unset. In that // case, backslashes are not escaped, but wide characters are. #define ASN1_STRFLGS_UTF8_CONVERT 0x10ul // ASN1_STRFLGS_IGNORE_TYPE causes the string type to be ignored. The -// |ASN1_STRING| in-memory representation will be printed directly. +// `ASN1_STRING` in-memory representation will be printed directly. #define ASN1_STRFLGS_IGNORE_TYPE 0x20ul // ASN1_STRFLGS_SHOW_TYPE causes the string type to be included in the output. @@ -1625,15 +1626,15 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); // RFC 2253 hexstring notation, such as "#0123456789ABCDEF". #define ASN1_STRFLGS_DUMP_ALL 0x80ul -// ASN1_STRFLGS_DUMP_UNKNOWN behaves like |ASN1_STRFLGS_DUMP_ALL| but only +// ASN1_STRFLGS_DUMP_UNKNOWN behaves like `ASN1_STRFLGS_DUMP_ALL` but only // applies to values of unknown type. If unset, unknown values will print // their contents as single-byte characters with escape sequences. #define ASN1_STRFLGS_DUMP_UNKNOWN 0x100ul // ASN1_STRFLGS_DUMP_DER causes hexdumped strings (as determined by -// |ASN1_STRFLGS_DUMP_ALL| or |ASN1_STRFLGS_DUMP_UNKNOWN|) to print the entire +// `ASN1_STRFLGS_DUMP_ALL` or `ASN1_STRFLGS_DUMP_UNKNOWN`) to print the entire // DER element as in RFC 2253, rather than only the contents of the -// |ASN1_STRING|. +// `ASN1_STRING`. #define ASN1_STRFLGS_DUMP_DER 0x200ul // ASN1_STRFLGS_RFC2253 causes the string to be escaped as in RFC 2253, 
@@ -1643,103 +1644,103 @@ OPENSSL_EXPORT int ASN1_STRING_print(BIO *out, const ASN1_STRING *str); ASN1_STRFLGS_UTF8_CONVERT | ASN1_STRFLGS_DUMP_UNKNOWN | \ ASN1_STRFLGS_DUMP_DER) -// ASN1_STRING_print_ex writes a human-readable representation of |str| to -// |out|. It returns the number of bytes written on success and -1 on error. If -// |out| is NULL, it returns the number of bytes it would have written, without +// ASN1_STRING_print_ex writes a human-readable representation of `str` to +// `out`. It returns the number of bytes written on success and -1 on error. If +// `out` is NULL, it returns the number of bytes it would have written, without // writing anything. // -// The |flags| should be a combination of combination of |ASN1_STRFLGS_*| +// The `flags` should be a combination of combination of `ASN1_STRFLGS_*` // constants. See the documentation for each flag for how it controls the -// output. If unsure, use |ASN1_STRFLGS_RFC2253|. +// output. If unsure, use `ASN1_STRFLGS_RFC2253`. OPENSSL_EXPORT int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags); -// ASN1_STRING_print_ex_fp behaves like |ASN1_STRING_print_ex| but writes to a -// |FILE| rather than a |BIO|. +// ASN1_STRING_print_ex_fp behaves like `ASN1_STRING_print_ex` but writes to a +// `FILE` rather than a `BIO`. OPENSSL_EXPORT int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags); -// i2a_ASN1_INTEGER writes a human-readable representation of |a| to |bp|. It +// i2a_ASN1_INTEGER writes a human-readable representation of `a` to `bp`. It // returns the number of bytes written on success, or a negative number on -// error. On error, this function may have written a partial output to |bp|. +// error. On error, this function may have written a partial output to `bp`. OPENSSL_EXPORT int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a); -// i2a_ASN1_ENUMERATED writes a human-readable representation of |a| to |bp|. 
It +// i2a_ASN1_ENUMERATED writes a human-readable representation of `a` to `bp`. It // returns the number of bytes written on success, or a negative number on -// error. On error, this function may have written a partial output to |bp|. +// error. On error, this function may have written a partial output to `bp`. OPENSSL_EXPORT int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a); -// i2a_ASN1_OBJECT writes a human-readable representation of |a| to |bp|. It +// i2a_ASN1_OBJECT writes a human-readable representation of `a` to `bp`. It // returns the number of bytes written on success, or a negative number on -// error. On error, this function may have written a partial output to |bp|. +// error. On error, this function may have written a partial output to `bp`. OPENSSL_EXPORT int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a); -// i2a_ASN1_STRING writes a text representation of |a|'s contents to |bp|. It +// i2a_ASN1_STRING writes a text representation of `a`'s contents to `bp`. It // returns the number of bytes written on success, or a negative number on -// error. On error, this function may have written a partial output to |bp|. -// |type| is ignored. +// error. On error, this function may have written a partial output to `bp`. +// `type` is ignored. // -// This function does not decode |a| into a Unicode string. It only hex-encodes -// the internal representation of |a|. This is suitable for printing an OCTET +// This function does not decode `a` into a Unicode string. It only hex-encodes +// the internal representation of `a`. This is suitable for printing an OCTET // STRING, but may not be human-readable for any other string type. OPENSSL_EXPORT int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type); -// i2t_ASN1_OBJECT calls |OBJ_obj2txt| with |always_return_oid| set to zero. +// i2t_ASN1_OBJECT calls `OBJ_obj2txt` with `always_return_oid` set to zero. 
OPENSSL_EXPORT int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a); // Low-level encoding functions. -// ASN1_get_object parses a BER element from up to |max_len| bytes at |*inp|. It -// returns |V_ASN1_CONSTRUCTED| if it successfully parsed a constructed element, +// ASN1_get_object parses a BER element from up to `max_len` bytes at `*inp`. It +// returns `V_ASN1_CONSTRUCTED` if it successfully parsed a constructed element, // zero if it successfully parsed a primitive element, and 0x80 on error. On -// success, it additionally advances |*inp| to the element body, sets -// |*out_length|, |*out_tag|, and |*out_class| to the element's length, tag +// success, it additionally advances `*inp` to the element body, sets +// `*out_length`, `*out_tag`, and `*out_class` to the element's length, tag // number, and tag class, respectively, // // Unlike OpenSSL, this function only supports DER. Indefinite and non-minimal // lengths are rejected. // -// This function is difficult to use correctly. Use |CBS_get_asn1| and related +// This function is difficult to use correctly. Use `CBS_get_asn1` and related // functions from bytestring.h. OPENSSL_EXPORT int ASN1_get_object(const unsigned char **inp, long *out_length, int *out_tag, int *out_class, long max_len); -// ASN1_put_object writes the header for a DER or BER element to |*outp| and -// advances |*outp| by the number of bytes written. The caller is responsible -// for ensuring |*outp| has enough space for the output. The header describes an -// element with length |length|, tag number |tag|, and class |xclass|. |xclass| -// should be one of the |V_ASN1_*| tag class constants. The element is primitive -// if |constructed| is zero and constructed if it is one or two. If -// |constructed| is two, |length| is ignored and the element uses +// ASN1_put_object writes the header for a DER or BER element to `*outp` and +// advances `*outp` by the number of bytes written. 
The caller is responsible +// for ensuring `*outp` has enough space for the output. The header describes an +// element with length `length`, tag number `tag`, and class `xclass`. `xclass` +// should be one of the `V_ASN1_*` tag class constants. The element is primitive +// if `constructed` is zero and constructed if it is one or two. If +// `constructed` is two, `length` is ignored and the element uses // indefinite-length encoding. // -// Use |CBB_add_asn1| instead. +// Use `CBB_add_asn1` instead. OPENSSL_EXPORT void ASN1_put_object(unsigned char **outp, int constructed, int length, int tag, int xclass); -// ASN1_put_eoc writes two zero bytes to |*outp|, advances |*outp| to point past +// ASN1_put_eoc writes two zero bytes to `*outp`, advances `*outp` to point past // those bytes, and returns two. // // Use definite-length encoding instead. OPENSSL_EXPORT int ASN1_put_eoc(unsigned char **outp); // ASN1_object_size returns the number of bytes needed to encode a DER or BER -// value with length |length| and tag number |tag|, or -1 on error. |tag| should -// not include the constructed bit or tag class. If |constructed| is zero or +// value with length `length` and tag number `tag`, or -1 on error. `tag` should +// not include the constructed bit or tag class. If `constructed` is zero or // one, the result uses a definite-length encoding with minimally-encoded -// length, as in DER. If |constructed| is two, the result uses BER +// length, as in DER. If `constructed` is two, the result uses BER // indefinite-length encoding. // -// Use |CBB_add_asn1| instead. +// Use `CBB_add_asn1` instead. OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag); // Function declaration macros. // // The following macros declare functions for ASN.1 types. Prefer writing the -// prototypes directly. Particularly when |type|, |itname|, or |name| differ, +// prototypes directly. 
Particularly when `type`, `itname`, or `name` differ, // the macros can be difficult to understand. #define DECLARE_ASN1_FUNCTIONS(type) DECLARE_ASN1_FUNCTIONS_name(type, type) @@ -1782,21 +1783,21 @@ OPENSSL_EXPORT int ASN1_object_size(int constructed, int length, int tag); // lacked this flag, it enabled an implicit truncation behavior. This has since // been removed. // -// TODO(crbug.com/443769299): Remove this when |ASN1_STRING| is opaque. For now, -// we continue to set it in various codepaths, in case code is querying |flags| +// TODO(crbug.com/443769299): Remove this when `ASN1_STRING` is opaque. For now, +// we continue to set it in various codepaths, in case code is querying `flags` // manually, even though it does nothing. #define ASN1_STRING_FLAG_BITS_LEFT 0x08 -// ASN1_BIT_STRING_num_bytes computes the length of |str| in bytes. If |str|'s -// bit length is a multiple of 8, it sets |*out| to the byte length and returns +// ASN1_BIT_STRING_num_bytes computes the length of `str` in bytes. If `str`'s +// bit length is a multiple of 8, it sets `*out` to the byte length and returns // one. Otherwise, it returns zero. // -// This function may be used with |ASN1_STRING_get0_data| to interpret |str| as +// This function may be used with `ASN1_STRING_get0_data` to interpret `str` as // a byte string. // // This function is no longer necessary. The byte length is always equal to -// |ASN1_STRING_length| and callers can check for a whole number of bytes by -// checking if |ASN1_BIT_STRING_unused_bits| is zero. +// `ASN1_STRING_length` and callers can check for a whole number of bytes by +// checking if `ASN1_BIT_STRING_unused_bits` is zero. OPENSSL_EXPORT int ASN1_BIT_STRING_num_bytes(const ASN1_BIT_STRING *str, size_t *out); 
@@ -1806,13 +1807,13 @@ OPENSSL_EXPORT void ASN1_STRING_set_default_mask(unsigned long mask); // ASN1_STRING_set_default_mask_asc returns one. OPENSSL_EXPORT int ASN1_STRING_set_default_mask_asc(const char *p); -// ASN1_STRING_get_default_mask returns |B_ASN1_UTF8STRING|. +// ASN1_STRING_get_default_mask returns `B_ASN1_UTF8STRING`. OPENSSL_EXPORT unsigned long ASN1_STRING_get_default_mask(void); // ASN1_STRING_TABLE_cleanup does nothing. OPENSSL_EXPORT void ASN1_STRING_TABLE_cleanup(void); -// M_ASN1_* are legacy aliases for various |ASN1_STRING| functions. Use the +// M_ASN1_* are legacy aliases for various `ASN1_STRING` functions. Use the // functions themselves. #define M_ASN1_STRING_length(x) ASN1_STRING_length(x) #define M_ASN1_STRING_type(x) ASN1_STRING_type(x) 
@@ -1860,30 +1861,30 @@ OPENSSL_EXPORT void ASN1_STRING_TABLE_cleanup(void); #define M_ASN1_UTF8STRING_new() ASN1_UTF8STRING_new() #define M_ASN1_UTF8STRING_free(a) ASN1_UTF8STRING_free(a) -// ASN1_INTEGER_set sets |a| to an INTEGER with value |v|. It returns one on +// ASN1_INTEGER_set sets `a` to an INTEGER with value `v`. It returns one on // success and zero on error. // -// Use |ASN1_INTEGER_set_uint64| and |ASN1_INTEGER_set_int64| instead. +// Use `ASN1_INTEGER_set_uint64` and `ASN1_INTEGER_set_int64` instead. OPENSSL_EXPORT int ASN1_INTEGER_set(ASN1_INTEGER *a, long v); -// ASN1_ENUMERATED_set sets |a| to an ENUMERATED with value |v|. It returns one +// ASN1_ENUMERATED_set sets `a` to an ENUMERATED with value `v`. It returns one // on success and zero on error. // -// Use |ASN1_ENUMERATED_set_uint64| and |ASN1_ENUMERATED_set_int64| instead. +// Use `ASN1_ENUMERATED_set_uint64` and `ASN1_ENUMERATED_set_int64` instead. OPENSSL_EXPORT int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); -// ASN1_INTEGER_get returns the value of |a| as a |long|, or -1 if |a| is out of +// ASN1_INTEGER_get returns the value of `a` as a `long`, or -1 if `a` is out of // range or the wrong type. // // WARNING: This function's return value cannot distinguish errors from -1. -// Use |ASN1_INTEGER_get_uint64| and |ASN1_INTEGER_get_int64| instead. +// Use `ASN1_INTEGER_get_uint64` and `ASN1_INTEGER_get_int64` instead. OPENSSL_EXPORT long ASN1_INTEGER_get(const ASN1_INTEGER *a); -// ASN1_ENUMERATED_get returns the value of |a| as a |long|, or -1 if |a| is out +// ASN1_ENUMERATED_get returns the value of `a` as a `long`, or -1 if `a` is out // of range or the wrong type. // // WARNING: This function's return value cannot distinguish errors from -1. -// Use |ASN1_ENUMERATED_get_uint64| and |ASN1_ENUMERATED_get_int64| instead. +// Use `ASN1_ENUMERATED_get_uint64` and `ASN1_ENUMERATED_get_int64` instead. OPENSSL_EXPORT long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a); 
diff --git a/third_party/boringssl/src/include/openssl/asn1t.h b/third_party/boringssl/src/include/openssl/asn1t.h index 22b1688f..b89adb8b 100644 --- a/third_party/boringssl/src/include/openssl/asn1t.h +++ b/third_party/boringssl/src/include/openssl/asn1t.h @@ -26,8 +26,8 @@ extern "C" { /* Legacy ASN.1 library template definitions. * * This header is used to define new types in OpenSSL's ASN.1 implementation. It - * is deprecated and will be unexported from the library. Use the new |CBS| and - * |CBB| library in instead. */ + * is deprecated and will be unexported from the library. Use the new `CBS` and + * `CBB` library in instead. */ typedef struct ASN1_TEMPLATE_st ASN1_TEMPLATE; diff --git a/third_party/boringssl/src/include/openssl/base.h b/third_party/boringssl/src/include/openssl/base.h index 961e542a..82d5a847 100644 --- a/third_party/boringssl/src/include/openssl/base.h +++ b/third_party/boringssl/src/include/openssl/base.h @@ -51,7 +51,7 @@ extern "C" { #if defined(__APPLE__) -// Note |TARGET_OS_MAC| is set for all Apple OS variants. |TARGET_OS_OSX| +// Note `TARGET_OS_MAC` is set for all Apple OS variants. `TARGET_OS_OSX` // targets macOS specifically. #if defined(TARGET_OS_OSX) && TARGET_OS_OSX #define OPENSSL_MACOS @@ -73,7 +73,7 @@ extern "C" { // A consumer may use this symbol in the preprocessor to temporarily build // against multiple revisions of BoringSSL at the same time. It is not // recommended to do so for longer than is necessary. -#define BORINGSSL_API_VERSION 40 +#define BORINGSSL_API_VERSION 42 #if defined(BORINGSSL_SHARED_LIBRARY) @@ -182,7 +182,7 @@ extern "C" { #if defined(BORINGSSL_ALWAYS_USE_STATIC_INLINE) // Add OPENSSL_UNUSED so that, should an inline function be emitted via macro -// (e.g. a |STACK_OF(T)| implementation) in a source file without tripping +// (e.g. a `STACK_OF(T)` implementation) in a source file without tripping // clang's -Wunused-function. #define OPENSSL_INLINE static inline OPENSSL_UNUSED #else 
@@ -208,23 +208,23 @@ enum ssl_verify_result_t BORINGSSL_ENUM_INT; #endif // ossl_ssize_t is a signed type which is large enough to fit the size of any -// valid memory allocation. We prefer using |size_t|, but sometimes we need a +// valid memory allocation. We prefer using `size_t`, but sometimes we need a // signed type for OpenSSL API compatibility. This type can be used in such // cases to avoid overflow. // -// Not all |size_t| values fit in |ossl_ssize_t|, but all |size_t| values that +// Not all `size_t` values fit in `ossl_ssize_t`, but all `size_t` values that // are sizes of or indices into C objects, can be converted without overflow. typedef ptrdiff_t ossl_ssize_t; -// CBS_ASN1_TAG is the type used by |CBS| and |CBB| for ASN.1 tags. See that +// CBS_ASN1_TAG is the type used by `CBS` and `CBB` for ASN.1 tags. See that // header for details. This type is defined in base.h as a forward declaration. typedef uint32_t CBS_ASN1_TAG; // CRYPTO_THREADID is a dummy value. typedef int CRYPTO_THREADID; -// An |ASN1_NULL| is an opaque type. asn1.h represents the ASN.1 NULL value as -// an opaque, non-NULL |ASN1_NULL*| pointer. +// An `ASN1_NULL` is an opaque type. asn1.h represents the ASN.1 NULL value as +// an opaque, non-NULL `ASN1_NULL*` pointer. typedef struct asn1_null_st ASN1_NULL; // CRYPTO_MUST_BE_NULL is an opaque type that is never returned from BoringSSL. @@ -365,7 +365,7 @@ typedef struct x509_store_st X509_STORE; typedef void *OPENSSL_BLOCK; -// BSSL_CHECK aborts if |condition| is not true. +// BSSL_CHECK aborts if `condition` is not true. #define BSSL_CHECK(condition) \ do { \ if (!(condition)) { \ diff --git a/third_party/boringssl/src/include/openssl/base64.h b/third_party/boringssl/src/include/openssl/base64.h index ca265cd8..752cb93e 100644 --- a/third_party/boringssl/src/include/openssl/base64.h +++ b/third_party/boringssl/src/include/openssl/base64.h 
@@ -33,29 +33,29 @@ extern "C" { // Encoding -// EVP_EncodeBlock encodes |src_len| bytes from |src| and writes the -// result to |dst| with a trailing NUL. It returns the number of bytes +// EVP_EncodeBlock encodes `src_len` bytes from `src` and writes the +// result to `dst` with a trailing NUL. It returns the number of bytes // written, not including this trailing NUL. OPENSSL_EXPORT size_t EVP_EncodeBlock(uint8_t *dst, const uint8_t *src, size_t src_len); -// EVP_EncodedLength sets |*out_len| to the number of bytes that will be needed -// to call |EVP_EncodeBlock| on an input of length |len|. This includes the -// final NUL that |EVP_EncodeBlock| writes. It returns one on success or zero +// EVP_EncodedLength sets `*out_len` to the number of bytes that will be needed +// to call `EVP_EncodeBlock` on an input of length `len`. This includes the +// final NUL that `EVP_EncodeBlock` writes. It returns one on success or zero // on error. OPENSSL_EXPORT int EVP_EncodedLength(size_t *out_len, size_t len); // Decoding -// EVP_DecodedLength sets |*out_len| to the maximum number of bytes that will -// be needed to call |EVP_DecodeBase64| on an input of length |len|. It returns -// one on success or zero if |len| is not a valid length for a base64-encoded +// EVP_DecodedLength sets `*out_len` to the maximum number of bytes that will +// be needed to call `EVP_DecodeBase64` on an input of length `len`. It returns +// one on success or zero if `len` is not a valid length for a base64-encoded // string. OPENSSL_EXPORT int EVP_DecodedLength(size_t *out_len, size_t len); -// EVP_DecodeBase64 decodes |in_len| bytes from base64 and writes -// |*out_len| bytes to |out|. |max_out| is the size of the output +// EVP_DecodeBase64 decodes `in_len` bytes from base64 and writes +// `*out_len` bytes to `out`. `max_out` is the size of the output // buffer. If it is not enough for the maximum output size, the // operation fails. It returns one on success or zero on error. 
OPENSSL_EXPORT int EVP_DecodeBase64(uint8_t *out, size_t *out_len, @@ -69,15 +69,15 @@ OPENSSL_EXPORT int EVP_DecodeBase64(uint8_t *out, size_t *out_len, // very specific to PEM. It is also very lenient of invalid input. Use of any of // these functions is thus deprecated. -// EVP_ENCODE_CTX_new returns a newly-allocated |EVP_ENCODE_CTX| or NULL on -// error. The caller must release the result with |EVP_ENCODE_CTX_free| when +// EVP_ENCODE_CTX_new returns a newly-allocated `EVP_ENCODE_CTX` or NULL on +// error. The caller must release the result with `EVP_ENCODE_CTX_free` when // done. OPENSSL_EXPORT EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void); -// EVP_ENCODE_CTX_free releases memory associated with |ctx|. +// EVP_ENCODE_CTX_free releases memory associated with `ctx`. OPENSSL_EXPORT void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx); -// EVP_EncodeInit initialises |*ctx|, which is typically stack +// EVP_EncodeInit initialises `*ctx`, which is typically stack // allocated, for an encoding operation. // // NOTE: The encoding operation breaks its output with newlines every 
@@ -85,29 +85,29 @@ OPENSSL_EXPORT void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx); // EVP_EncodeBlock to encode raw base64. OPENSSL_EXPORT void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); -// EVP_EncodeUpdate encodes |in_len| bytes from |in| and writes an encoded -// version of them to |out| and sets |*out_len| to the number of bytes written. -// Some state may be contained in |ctx| so |EVP_EncodeFinal| must be used to +// EVP_EncodeUpdate encodes `in_len` bytes from `in` and writes an encoded +// version of them to `out` and sets `*out_len` to the number of bytes written. +// Some state may be contained in `ctx` so `EVP_EncodeFinal` must be used to // flush it before using the encoded data. OPENSSL_EXPORT void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, size_t in_len); -// EVP_EncodeFinal flushes any remaining output bytes from |ctx| to |out| and -// sets |*out_len| to the number of bytes written. +// EVP_EncodeFinal flushes any remaining output bytes from `ctx` to `out` and +// sets `*out_len` to the number of bytes written. OPENSSL_EXPORT void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len); -// EVP_DecodeInit initialises |*ctx|, which is typically stack allocated, for +// EVP_DecodeInit initialises `*ctx`, which is typically stack allocated, for // a decoding operation. // // TODO(davidben): This isn't a straight-up base64 decode either. Document // and/or fix exactly what's going on here; maximum line length and such. OPENSSL_EXPORT void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); -// EVP_DecodeUpdate decodes |in_len| bytes from |in| and writes the decoded -// data to |out| and sets |*out_len| to the number of bytes written. Some state -// may be contained in |ctx| so |EVP_DecodeFinal| must be used to flush it +// EVP_DecodeUpdate decodes `in_len` bytes from `in` and writes the decoded +// data to `out` and sets `*out_len` to the number of bytes written. 
Some state +// may be contained in `ctx` so `EVP_DecodeFinal` must be used to flush it // before using the encoded data. // // It returns -1 on error, one if a full line of input was processed and zero @@ -116,14 +116,14 @@ OPENSSL_EXPORT int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, size_t in_len); -// EVP_DecodeFinal flushes any remaining output bytes from |ctx| to |out| and -// sets |*out_len| to the number of bytes written. It returns one on success +// EVP_DecodeFinal flushes any remaining output bytes from `ctx` to `out` and +// sets `*out_len` to the number of bytes written. It returns one on success // and minus one on error. OPENSSL_EXPORT int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, uint8_t *out, int *out_len); -// EVP_DecodeBlock encodes |src_len| bytes from |src| and writes the result to -// |dst|. It returns the number of bytes written or -1 on error. +// EVP_DecodeBlock encodes `src_len` bytes from `src` and writes the result to +// `dst`. It returns the number of bytes written or -1 on error. // // WARNING: EVP_DecodeBlock's return value does not take padding into // account. It also strips leading whitespace and trailing @@ -133,9 +133,9 @@ OPENSSL_EXPORT int EVP_DecodeBlock(uint8_t *dst, const uint8_t *src, struct evp_encode_ctx_st { - // data_used indicates the number of bytes of |data| that are valid. When - // encoding, |data| will be filled and encoded as a lump. When decoding, only - // the first four bytes of |data| will be used. + // data_used indicates the number of bytes of `data` that are valid. When + // encoding, `data` will be filled and encoded as a lump. When decoding, only + // the first four bytes of `data` will be used. unsigned data_used; uint8_t data[48]; diff --git a/third_party/boringssl/src/include/openssl/bio.h b/third_party/boringssl/src/include/openssl/bio.h index 5c3dda0c..dc4bca2d 100644 --- a/third_party/boringssl/src/include/openssl/bio.h 
+++ b/third_party/boringssl/src/include/openssl/bio.h 
@@ -37,60 +37,66 @@ extern "C" { DEFINE_STACK_OF(BIO) // BIO_new creates a new BIO with the given method and a reference count of one. -// It returns the fresh |BIO|, or NULL on error. +// It returns the fresh `BIO`, or NULL on error. OPENSSL_EXPORT BIO *BIO_new(const BIO_METHOD *method); -// BIO_free decrements the reference count of |bio|. If the reference count +// BIO_free decrements the reference count of `bio`. If the reference count // drops to zero, it calls the destroy callback, if present, on the method and -// frees |bio| itself. If |bio| is part of a chain (see |BIO_push|), this will -// also free the next |BIO| in the chain, and so on. +// frees `bio` itself. If `bio` is part of a chain (see `BIO_push`), this will +// also free the next `BIO` in the chain, and so on. // -// It returns one if |bio| was NULL or freed. It returns zero if |bio| was +// It returns one if `bio` was NULL or freed. It returns zero if `bio` was // shared and some other owner still owns a reference count to it. // // WARNING: Do not use the return value. Returning zero is not a sign of an -// error, nor an indication to retry the operation. |BIO| is a reference-counted -// type. A given |BIO| object may be shared between multiple parts of an +// error, nor an indication to retry the operation. `BIO` is a reference-counted +// type. A given `BIO` object may be shared between multiple parts of an // application. To correctly track the reference count, without leaks or // use-after-free, each part of the application must release only the reference // counts it owns. OPENSSL_EXPORT int BIO_free(BIO *bio); -// BIO_vfree performs the same actions as |BIO_free|, but has a void return +// BIO_vfree performs the same actions as `BIO_free`, but has a void return // value. This is provided for API-compat. // // TODO(fork): remove. OPENSSL_EXPORT void BIO_vfree(BIO *bio); -// BIO_up_ref increments the reference count of |bio| and returns one. 
+// BIO_up_ref increments the reference count of `bio` and returns one. OPENSSL_EXPORT int BIO_up_ref(BIO *bio); // Basic I/O. -// BIO_read attempts to read |len| bytes into |data|. It returns the number of +// BIO_read attempts to read `len` bytes into `data`. It returns the number of // bytes read, zero on EOF, or a negative number on error. OPENSSL_EXPORT int BIO_read(BIO *bio, void *data, int len); -// BIO_gets reads a line from |bio| and writes at most |size| bytes into |buf|. +// BIO_gets reads a line from `bio` and writes at most `size` bytes into `buf`. // It returns the number of bytes read or a negative number on error. This // function's output always includes a trailing NUL byte, so it will read at -// most |size - 1| bytes. +// most `size - 1` bytes. // // If the function read a complete line, the output will include the newline -// character, '\n'. If no newline was found before |size - 1| bytes or EOF, it +// character, '\n'. If no newline was found before `size - 1` bytes or EOF, it // outputs the bytes which were available. OPENSSL_EXPORT int BIO_gets(BIO *bio, char *buf, int size); -// BIO_write writes |len| bytes from |data| to |bio|. It returns the number of +// BIO_write_ex writes `len` bytes from `data` to `bio`. On success, it returns +// one and sets `*out_written` to the number of bytes written. Otherwise, it +// returns zero. `out_written` may be NULL to ignore the value. +OPENSSL_EXPORT int BIO_write_ex(BIO *bio, const void *data, size_t len, + size_t *out_written); + +// BIO_write writes `len` bytes from `data` to `bio`. It returns the number of // bytes written or a negative number on error. OPENSSL_EXPORT int BIO_write(BIO *bio, const void *data, int len); -// BIO_write_all writes |len| bytes from |data| to |bio|, looping as necessary. +// BIO_write_all writes `len` bytes from `data` to `bio`, looping as necessary. // It returns one if all bytes were successfully written and zero on error. 
OPENSSL_EXPORT int BIO_write_all(BIO *bio, const void *data, size_t len); -// BIO_puts writes a NUL terminated string from |buf| to |bio|. It returns the +// BIO_puts writes a NUL terminated string from `buf` to `bio`. It returns the // number of bytes written or a negative number on error. OPENSSL_EXPORT int BIO_puts(BIO *bio, const char *buf); 
@@ -102,23 +108,23 @@ OPENSSL_EXPORT int BIO_flush(BIO *bio); // Low-level control functions. // // These are generic functions for sending control requests to a BIO. In -// general one should use the wrapper functions like |BIO_get_close|. +// general one should use the wrapper functions like `BIO_get_close`. -// BIO_ctrl sends the control request |cmd| to |bio|. The |cmd| argument should -// be one of the |BIO_C_*| values. +// BIO_ctrl sends the control request `cmd` to `bio`. The `cmd` argument should +// be one of the `BIO_C_*` values. OPENSSL_EXPORT long BIO_ctrl(BIO *bio, int cmd, long larg, void *parg); -// BIO_ptr_ctrl acts like |BIO_ctrl| but passes the address of a |void*| -// pointer as |parg| and returns the value that is written to it, or NULL if +// BIO_ptr_ctrl acts like `BIO_ctrl` but passes the address of a `void*` +// pointer as `parg` and returns the value that is written to it, or NULL if // the control request returns <= 0. OPENSSL_EXPORT char *BIO_ptr_ctrl(BIO *bp, int cmd, long larg); -// BIO_int_ctrl acts like |BIO_ctrl| but passes the address of a copy of |iarg| -// as |parg|. +// BIO_int_ctrl acts like `BIO_ctrl` but passes the address of a copy of `iarg` +// as `parg`. OPENSSL_EXPORT long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); -// BIO_reset resets |bio| to its initial state, the precise meaning of which -// depends on the concrete type of |bio|. It normally returns one on success and +// BIO_reset resets `bio` to its initial state, the precise meaning of which +// depends on the concrete type of `bio`. It normally returns one on success and // <= 0 otherwise. However, for file and fd BIOs, it returns zero on success and // a negative number on error. // 
@@ -126,29 +132,29 @@ OPENSSL_EXPORT long BIO_int_ctrl(BIO *bp, int cmd, long larg, int iarg); // in this library. OPENSSL_EXPORT int BIO_reset(BIO *bio); -// BIO_eof returns non-zero when |bio| has reached end-of-file. The precise -// meaning of which depends on the concrete type of |bio|. Note that in the +// BIO_eof returns non-zero when `bio` has reached end-of-file. The precise +// meaning of which depends on the concrete type of `bio`. Note that in the // case of BIO_pair this always returns non-zero. OPENSSL_EXPORT int BIO_eof(BIO *bio); -// BIO_set_flags ORs |flags| with |bio->flags|. Unless otherwise documented, -// flags are private to either BoringSSL or the custom |BIO_METHOD|. +// BIO_set_flags ORs `flags` with `bio->flags`. Unless otherwise documented, +// flags are private to either BoringSSL or the custom `BIO_METHOD`. OPENSSL_EXPORT void BIO_set_flags(BIO *bio, int flags); -// BIO_clear_flags ANDs |bio->flags| with the bitwise-complement of |flags|. +// BIO_clear_flags ANDs `bio->flags` with the bitwise-complement of `flags`. // Unless otherwise documented, flags are private to either BoringSSL or the -// custom |BIO_METHOD|. +// custom `BIO_METHOD`. OPENSSL_EXPORT void BIO_clear_flags(BIO *bio, int flags); -// BIO_test_flags returns |bio->flags| AND |flags|. +// BIO_test_flags returns `bio->flags` AND `flags`. OPENSSL_EXPORT int BIO_test_flags(const BIO *bio, int flags); -// BIO_should_read returns non-zero if |bio| encountered a temporary error +// BIO_should_read returns non-zero if `bio` encountered a temporary error // while reading (i.e. EAGAIN), indicating that the caller should retry the // read. OPENSSL_EXPORT int BIO_should_read(const BIO *bio); -// BIO_should_write returns non-zero if |bio| encountered a temporary error +// BIO_should_write returns non-zero if `bio` encountered a temporary error // while writing (i.e. EAGAIN), indicating that the caller should retry the // write. OPENSSL_EXPORT int BIO_should_write(const BIO *bio); 
@@ -158,10 +164,10 @@ OPENSSL_EXPORT int BIO_should_write(const BIO *bio); // it was a permanent error and it returns zero. OPENSSL_EXPORT int BIO_should_retry(const BIO *bio); -// BIO_should_io_special returns non-zero if |bio| encountered a temporary +// BIO_should_io_special returns non-zero if `bio` encountered a temporary // error while performing a special I/O operation, indicating that the caller // should retry. The operation that caused the error is returned by -// |BIO_get_retry_reason|. +// `BIO_get_retry_reason`. OPENSSL_EXPORT int BIO_should_io_special(const BIO *bio); // BIO_RR_CONNECT indicates that a connect would have blocked 
@@ -171,62 +177,62 @@ OPENSSL_EXPORT int BIO_should_io_special(const BIO *bio); #define BIO_RR_ACCEPT 0x03 // BIO_get_retry_reason returns the special I/O operation that needs to be -// retried. The return value is one of the |BIO_RR_*| values. +// retried. The return value is one of the `BIO_RR_*` values. OPENSSL_EXPORT int BIO_get_retry_reason(const BIO *bio); // BIO_set_retry_reason sets the special I/O operation that needs to be retried -// to |reason|, which should be one of the |BIO_RR_*| values. +// to `reason`, which should be one of the `BIO_RR_*` values. OPENSSL_EXPORT void BIO_set_retry_reason(BIO *bio, int reason); -// BIO_set_retry_read sets the |BIO_FLAGS_READ| and |BIO_FLAGS_SHOULD_RETRY| -// flags on |bio|. +// BIO_set_retry_read sets the `BIO_FLAGS_READ` and `BIO_FLAGS_SHOULD_RETRY` +// flags on `bio`. OPENSSL_EXPORT void BIO_set_retry_read(BIO *bio); -// BIO_set_retry_write sets the |BIO_FLAGS_WRITE| and |BIO_FLAGS_SHOULD_RETRY| -// flags on |bio|. +// BIO_set_retry_write sets the `BIO_FLAGS_WRITE` and `BIO_FLAGS_SHOULD_RETRY` +// flags on `bio`. OPENSSL_EXPORT void BIO_set_retry_write(BIO *bio); -// BIO_get_retry_flags gets the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|, -// |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|. +// BIO_get_retry_flags gets the `BIO_FLAGS_READ`, `BIO_FLAGS_WRITE`, +// `BIO_FLAGS_IO_SPECIAL` and `BIO_FLAGS_SHOULD_RETRY` flags from `bio`. OPENSSL_EXPORT int BIO_get_retry_flags(BIO *bio); -// BIO_clear_retry_flags clears the |BIO_FLAGS_READ|, |BIO_FLAGS_WRITE|, -// |BIO_FLAGS_IO_SPECIAL| and |BIO_FLAGS_SHOULD_RETRY| flags from |bio|. +// BIO_clear_retry_flags clears the `BIO_FLAGS_READ`, `BIO_FLAGS_WRITE`, +// `BIO_FLAGS_IO_SPECIAL` and `BIO_FLAGS_SHOULD_RETRY` flags from `bio`. OPENSSL_EXPORT void BIO_clear_retry_flags(BIO *bio); -// BIO_method_type returns the type of |bio|, which is one of the |BIO_TYPE_*| +// BIO_method_type returns the type of `bio`, which is one of the `BIO_TYPE_*` // values. 
OPENSSL_EXPORT int BIO_method_type(const BIO *bio); typedef int BIO_info_cb(BIO *, int, int); -// BIO_callback_ctrl allows the callback function to be manipulated. The |cmd| -// arg will generally be |BIO_CTRL_SET_CALLBACK| but arbitrary command values -// can be interpreted by the |BIO|. +// BIO_callback_ctrl allows the callback function to be manipulated. The `cmd` +// arg will generally be `BIO_CTRL_SET_CALLBACK` but arbitrary command values +// can be interpreted by the `BIO`. OPENSSL_EXPORT long BIO_callback_ctrl(BIO *bio, int cmd, BIO_info_cb *fp); // BIO_pending returns the number of bytes pending to be read. OPENSSL_EXPORT size_t BIO_pending(const BIO *bio); -// BIO_ctrl_pending calls |BIO_pending| and exists only for compatibility with +// BIO_ctrl_pending calls `BIO_pending` and exists only for compatibility with // OpenSSL. OPENSSL_EXPORT size_t BIO_ctrl_pending(const BIO *bio); // BIO_wpending returns the number of bytes pending to be written. OPENSSL_EXPORT size_t BIO_wpending(const BIO *bio); -// BIO_set_close sets the close flag for |bio|. The meaning of which depends on -// the type of |bio| but, for example, a memory BIO interprets the close flag +// BIO_set_close sets the close flag for `bio`. The meaning of which depends on +// the type of `bio` but, for example, a memory BIO interprets the close flag // as meaning that it owns its buffer. It returns one on success and zero // otherwise. OPENSSL_EXPORT int BIO_set_close(BIO *bio, int close_flag); // BIO_number_read returns the number of bytes that have been read from -// |bio|. +// `bio`. OPENSSL_EXPORT uint64_t BIO_number_read(const BIO *bio); // BIO_number_written returns the number of bytes that have been written to -// |bio|. +// `bio`. OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio); 
@@ -236,41 +242,41 @@ OPENSSL_EXPORT uint64_t BIO_number_written(const BIO *bio); // the next etc. The most common case is a buffering BIO, which accepts and // buffers writes until flushed into the next BIO in the chain. -// BIO_push adds |appended_bio| to the end of the chain with |bio| at the head. -// It returns |bio|. Note that |appended_bio| may be the head of a chain itself +// BIO_push adds `appended_bio` to the end of the chain with `bio` at the head. +// It returns `bio`. Note that `appended_bio` may be the head of a chain itself // and thus this function can be used to join two chains. // -// BIO_push takes ownership of the caller's reference to |appended_bio|. +// BIO_push takes ownership of the caller's reference to `appended_bio`. OPENSSL_EXPORT BIO *BIO_push(BIO *bio, BIO *appended_bio); -// BIO_pop removes |bio| from the head of a chain and returns the next BIO in +// BIO_pop removes `bio` from the head of a chain and returns the next BIO in // the chain, or NULL if there is no next BIO. // -// The caller takes ownership of the chain's reference to |bio|. +// The caller takes ownership of the chain's reference to `bio`. OPENSSL_EXPORT BIO *BIO_pop(BIO *bio); -// BIO_next returns the next BIO in the chain after |bio|, or NULL if there is +// BIO_next returns the next BIO in the chain after `bio`, or NULL if there is // no such BIO. OPENSSL_EXPORT BIO *BIO_next(BIO *bio); // BIO_find_type walks a chain of BIOs and returns the first that matches -// |type|, which is one of the |BIO_TYPE_*| values. +// `type`, which is one of the `BIO_TYPE_*` values. // -// If |type & 0xff| is non-zero, i.e. |type| is a complete type and contains an -// "index" component, the function looks for an exact match. If |type & 0xff| is -// zero, i.e. |type| just specifies |BIO_TYPE_DESCRIPTOR|, |BIO_TYPE_FILTER|, -// and |BIO_TYPE_SOURCE_SINK| bits, the function looks for any BIO whose type +// If `type & 0xff` is non-zero, i.e. 
`type` is a complete type and contains an +// "index" component, the function looks for an exact match. If `type & 0xff` is +// zero, i.e. `type` just specifies `BIO_TYPE_DESCRIPTOR`, `BIO_TYPE_FILTER`, +// and `BIO_TYPE_SOURCE_SINK` bits, the function looks for any BIO whose type // contains at least one of those bits. OPENSSL_EXPORT BIO *BIO_find_type(BIO *bio, int type); -// BIO_copy_next_retry sets the retry flags and |retry_reason| of |bio| from +// BIO_copy_next_retry sets the retry flags and `retry_reason` of `bio` from // the next BIO in the chain. OPENSSL_EXPORT void BIO_copy_next_retry(BIO *bio); // Printf functions. -// BIO_printf behaves like |printf| but outputs to |bio| rather than a |FILE|. +// BIO_printf behaves like `printf` but outputs to `bio` rather than a `FILE`. // It returns the number of bytes written or a negative number on error. OPENSSL_EXPORT int BIO_printf(BIO *bio, const char *format, ...) OPENSSL_PRINTF_FORMAT_FUNC(2, 3); 
@@ -278,98 +284,98 @@ OPENSSL_EXPORT int BIO_printf(BIO *bio, const char *format, ...) // Utility functions. -// BIO_indent prints min(|indent|, |max_indent|) spaces. It returns one on +// BIO_indent prints min(`indent`, `max_indent`) spaces. It returns one on // success and zero otherwise. OPENSSL_EXPORT int BIO_indent(BIO *bio, unsigned indent, unsigned max_indent); -// BIO_hexdump writes a hex dump of |data| to |bio|. Each line will be indented -// by |indent| spaces. It returns one on success and zero otherwise. +// BIO_hexdump writes a hex dump of `data` to `bio`. Each line will be indented +// by `indent` spaces. It returns one on success and zero otherwise. OPENSSL_EXPORT int BIO_hexdump(BIO *bio, const uint8_t *data, size_t len, unsigned indent); -// ERR_print_errors prints the current contents of the error stack to |bio| +// ERR_print_errors prints the current contents of the error stack to `bio` // using human readable strings where possible. OPENSSL_EXPORT void ERR_print_errors(BIO *bio); -// BIO_read_asn1 reads a single ASN.1 object from |bio|. If successful it sets -// |*out| to be an allocated buffer (that should be freed with |OPENSSL_free|), -// |*out_size| to the length, in bytes, of that buffer and returns one. +// BIO_read_asn1 reads a single ASN.1 object from `bio`. If successful it sets +// `*out` to be an allocated buffer (that should be freed with `OPENSSL_free`), +// `*out_size` to the length, in bytes, of that buffer and returns one. // Otherwise it returns zero. // -// If the length of the object is greater than |max_len| or 2^32 then the +// If the length of the object is greater than `max_len` or 2^32 then the // function will fail. Long-form tags are not supported. If the length of the -// object is indefinite the full contents of |bio| are read, unless it would be -// greater than |max_len|, in which case the function fails. 
+// object is indefinite the full contents of `bio` are read, unless it would be +// greater than `max_len`, in which case the function fails. // // If the function fails then some unknown amount of data may have been read -// from |bio|. +// from `bio`. OPENSSL_EXPORT int BIO_read_asn1(BIO *bio, uint8_t **out, size_t *out_len, size_t max_len); // Memory BIOs. // -// Memory BIOs can be used as a read-only source (with |BIO_new_mem_buf|) or a -// writable sink (with |BIO_new|, |BIO_s_mem| and |BIO_mem_contents|). Data +// Memory BIOs can be used as a read-only source (with `BIO_new_mem_buf`) or a +// writable sink (with `BIO_new`, `BIO_s_mem` and `BIO_mem_contents`). Data // written to a writable, memory BIO can be recalled by reading from it. // -// Calling |BIO_reset| on a read-only BIO resets it to the original contents. +// Calling `BIO_reset` on a read-only BIO resets it to the original contents. // On a writable BIO, it clears any data. // -// If the close flag is set to |BIO_NOCLOSE| (not the default) then the -// underlying |BUF_MEM| will not be freed when the |BIO| is freed. +// If the close flag is set to `BIO_NOCLOSE` (not the default) then the +// underlying `BUF_MEM` will not be freed when the `BIO` is freed. // -// Memory BIOs support |BIO_gets| and |BIO_puts|. +// Memory BIOs support `BIO_gets` and `BIO_puts`. // -// |BIO_ctrl_pending| returns the number of bytes currently stored. +// `BIO_ctrl_pending` returns the number of bytes currently stored. -// BIO_NOCLOSE and |BIO_CLOSE| can be used as symbolic arguments when a "close +// BIO_NOCLOSE and `BIO_CLOSE` can be used as symbolic arguments when a "close // flag" is passed to a BIO function. #define BIO_NOCLOSE 0 #define BIO_CLOSE 1 -// BIO_s_mem returns a |BIO_METHOD| that uses a in-memory buffer. +// BIO_s_mem returns a `BIO_METHOD` that uses a in-memory buffer. OPENSSL_EXPORT const BIO_METHOD *BIO_s_mem(void); -// BIO_new_mem_buf creates read-only BIO that reads from |len| bytes at |buf|. 
+// BIO_new_mem_buf creates read-only BIO that reads from `len` bytes at `buf`. // It returns the BIO or NULL on error. This function does not copy or take -// ownership of |buf|. The caller must ensure the memory pointed to by |buf| -// outlives the |BIO|. +// ownership of `buf`. The caller must ensure the memory pointed to by `buf` +// outlives the `BIO`. // -// If |len| is negative, then |buf| is treated as a NUL-terminated string, but +// If `len` is negative, then `buf` is treated as a NUL-terminated string, but // don't depend on this in new code. OPENSSL_EXPORT BIO *BIO_new_mem_buf(const void *buf, ossl_ssize_t len); -// BIO_mem_contents sets |*out_contents| to point to the current contents of -// |bio| and |*out_len| to contain the length of that data. It returns one on +// BIO_mem_contents sets `*out_contents` to point to the current contents of +// `bio` and `*out_len` to contain the length of that data. It returns one on // success and zero otherwise. OPENSSL_EXPORT int BIO_mem_contents(const BIO *bio, const uint8_t **out_contents, size_t *out_len); -// BIO_get_mem_data sets |*contents| to point to the current contents of |bio| +// BIO_get_mem_data sets `*contents` to point to the current contents of `bio` // and returns the length of the data. // -// WARNING: don't use this, use |BIO_mem_contents|. A return value of zero from +// WARNING: don't use this, use `BIO_mem_contents`. A return value of zero from // this function can mean either that it failed or that the memory buffer is // empty. OPENSSL_EXPORT long BIO_get_mem_data(BIO *bio, char **contents); -// BIO_get_mem_ptr sets |*out| to a BUF_MEM containing the current contents of -// |bio|. It returns one on success or zero on error. +// BIO_get_mem_ptr sets `*out` to a BUF_MEM containing the current contents of +// `bio`. It returns one on success or zero on error. OPENSSL_EXPORT int BIO_get_mem_ptr(BIO *bio, BUF_MEM **out); -// BIO_set_mem_buf sets |b| as the contents of |bio|. 
If |take_ownership| is -// non-zero, then |b| will be freed when |bio| is closed. Returns one on +// BIO_set_mem_buf sets `b` as the contents of `bio`. If `take_ownership` is +// non-zero, then `b` will be freed when `bio` is closed. Returns one on // success or zero otherwise. OPENSSL_EXPORT int BIO_set_mem_buf(BIO *bio, BUF_MEM *b, int take_ownership); // BIO_set_mem_eof_return sets the value that will be returned from reading -// |bio| when empty. If |eof_value| is zero then an empty memory BIO will -// return EOF (that is it will return zero and |BIO_should_retry| will be -// false). If |eof_value| is non zero then it will return |eof_value| when it -// is empty and it will set the read retry flag (that is |BIO_read_retry| is -// true). To avoid ambiguity with a normal positive return value, |eof_value| +// `bio` when empty. If `eof_value` is zero then an empty memory BIO will +// return EOF (that is it will return zero and `BIO_should_retry` will be +// false). If `eof_value` is non zero then it will return `eof_value` when it +// is empty and it will set the read retry flag (that is `BIO_read_retry` is +// true). To avoid ambiguity with a normal positive return value, `eof_value` // should be set to a negative value, typically -1. // // For a read-only BIO, the default is zero (EOF). For a writable BIO, the 
@@ -379,149 +385,149 @@ OPENSSL_EXPORT int BIO_set_mem_eof_return(BIO *bio, int eof_value); // File descriptor BIOs. // -// File descriptor BIOs are wrappers around the system's |read| and |write| -// functions. If the close flag is set then then |close| is called on the +// File descriptor BIOs are wrappers around the system's `read` and `write` +// functions. If the close flag is set then then `close` is called on the // underlying file descriptor when the BIO is freed. // -// |BIO_reset| attempts to seek the file pointer to the start of file using -// |lseek|. +// `BIO_reset` attempts to seek the file pointer to the start of file using +// `lseek`. #if !defined(OPENSSL_NO_POSIX_IO) -// BIO_s_fd returns a |BIO_METHOD| for file descriptor fds. +// BIO_s_fd returns a `BIO_METHOD` for file descriptor fds. OPENSSL_EXPORT const BIO_METHOD *BIO_s_fd(void); -// BIO_new_fd creates a new file descriptor BIO wrapping |fd|. If |close_flag| -// is non-zero, then |fd| will be closed when the BIO is. +// BIO_new_fd creates a new file descriptor BIO wrapping `fd`. If `close_flag` +// is non-zero, then `fd` will be closed when the BIO is. OPENSSL_EXPORT BIO *BIO_new_fd(int fd, int close_flag); #endif -// BIO_set_fd sets the file descriptor of |bio| to |fd|. If |close_flag| is -// non-zero then |fd| will be closed when |bio| is. It returns one on success +// BIO_set_fd sets the file descriptor of `bio` to `fd`. If `close_flag` is +// non-zero then `fd` will be closed when `bio` is. It returns one on success // or zero on error. // -// This function may also be used with socket BIOs (see |BIO_s_socket| and -// |BIO_new_socket|). +// This function may also be used with socket BIOs (see `BIO_s_socket` and +// `BIO_new_socket`). OPENSSL_EXPORT int BIO_set_fd(BIO *bio, int fd, int close_flag); -// BIO_get_fd returns the file descriptor currently in use by |bio| or -1 if -// |bio| does not wrap a file descriptor. 
If there is a file descriptor and -// |out_fd| is not NULL, it also sets |*out_fd| to the file descriptor. +// BIO_get_fd returns the file descriptor currently in use by `bio` or -1 if +// `bio` does not wrap a file descriptor. If there is a file descriptor and +// `out_fd` is not NULL, it also sets `*out_fd` to the file descriptor. // -// This function may also be used with socket BIOs (see |BIO_s_socket| and -// |BIO_new_socket|). +// This function may also be used with socket BIOs (see `BIO_s_socket` and +// `BIO_new_socket`). OPENSSL_EXPORT int BIO_get_fd(BIO *bio, int *out_fd); // File BIOs. // -// File BIOs are wrappers around a C |FILE| object. +// File BIOs are wrappers around a C `FILE` object. // -// |BIO_flush| on a file BIO calls |fflush| on the wrapped stream. +// `BIO_flush` on a file BIO calls `fflush` on the wrapped stream. // -// |BIO_reset| attempts to seek the file pointer to the start of file using -// |fseek|. +// `BIO_reset` attempts to seek the file pointer to the start of file using +// `fseek`. // -// Setting the close flag causes |fclose| to be called on the stream when the +// Setting the close flag causes `fclose` to be called on the stream when the // BIO is freed. -// BIO_s_file returns a BIO_METHOD that wraps a |FILE|. +// BIO_s_file returns a BIO_METHOD that wraps a `FILE`. OPENSSL_EXPORT const BIO_METHOD *BIO_s_file(void); -// BIO_new_file creates a file BIO by opening |filename| with the given mode. -// See the |fopen| manual page for details of the mode argument. On Windows, -// files may be opened in either binary or text mode so, as in |fopen|, callers -// must specify the desired option in |mode|. +// BIO_new_file creates a file BIO by opening `filename` with the given mode. +// See the `fopen` manual page for details of the mode argument. On Windows, +// files may be opened in either binary or text mode so, as in `fopen`, callers +// must specify the desired option in `mode`. 
OPENSSL_EXPORT BIO *BIO_new_file(const char *filename, const char *mode); -// BIO_FP_TEXT indicates the |FILE| should be switched to text mode on Windows. +// BIO_FP_TEXT indicates the `FILE` should be switched to text mode on Windows. // It has no effect on non-Windows platforms. #define BIO_FP_TEXT 0x10 -// BIO_new_fp creates a new file BIO that wraps |file|. If |flags| contains -// |BIO_CLOSE|, then |fclose| will be called on |file| when the BIO is closed. +// BIO_new_fp creates a new file BIO that wraps `file`. If `flags` contains +// `BIO_CLOSE`, then `fclose` will be called on `file` when the BIO is closed. // -// On Windows, if |flags| contains |BIO_FP_TEXT|, this function will -// additionally switch |file| to text mode. This is not recommended, but may be -// required for OpenSSL compatibility. If |file| was not already in text mode, -// mode changes can cause unflushed data in |file| to be written in unexpected -// ways. See |_setmode| in Windows documentation for details. +// On Windows, if `flags` contains `BIO_FP_TEXT`, this function will +// additionally switch `file` to text mode. This is not recommended, but may be +// required for OpenSSL compatibility. If `file` was not already in text mode, +// mode changes can cause unflushed data in `file` to be written in unexpected +// ways. See `_setmode` in Windows documentation for details. // -// Unlike OpenSSL, if |flags| does not contain |BIO_FP_TEXT|, the translation -// mode of |file| is left as-is. In OpenSSL, |file| will be set to binary, with +// Unlike OpenSSL, if `flags` does not contain `BIO_FP_TEXT`, the translation +// mode of `file` is left as-is. In OpenSSL, `file` will be set to binary, with // the same pitfalls as above. BoringSSL does not do this so that wrapping a -// |FILE| in a |BIO| will not inadvertently change its state. +// `FILE` in a `BIO` will not inadvertently change its state. 
// // To avoid these pitfalls, callers should set the desired translation mode when // opening the file. If targeting just BoringSSL, this is sufficient. If -// targeting both OpenSSL and BoringSSL, callers should set |BIO_FP_TEXT| to +// targeting both OpenSSL and BoringSSL, callers should set `BIO_FP_TEXT` to // match the desired state of the file. OPENSSL_EXPORT BIO *BIO_new_fp(FILE *file, int flags); -// BIO_get_fp sets |*out_file| to the current |FILE| for |bio|. It returns one +// BIO_get_fp sets `*out_file` to the current `FILE` for `bio`. It returns one // on success and zero otherwise. OPENSSL_EXPORT int BIO_get_fp(BIO *bio, FILE **out_file); -// BIO_set_fp sets the |FILE| for |bio|. If |flags| contains |BIO_CLOSE| then -// |fclose| will be called on |file| when |bio| is closed. It returns one on +// BIO_set_fp sets the `FILE` for `bio`. If `flags` contains `BIO_CLOSE` then +// `fclose` will be called on `file` when `bio` is closed. It returns one on // success and zero otherwise. // -// On Windows, if |flags| contains |BIO_FP_TEXT|, this function will -// additionally switch |file| to text mode. This is not recommended, but may be -// required for OpenSSL compatibility. If |file| was not already in text mode, -// mode changes can cause unflushed data in |file| to be written in unexpected -// ways. See |_setmode| in Windows documentation for details. +// On Windows, if `flags` contains `BIO_FP_TEXT`, this function will +// additionally switch `file` to text mode. This is not recommended, but may be +// required for OpenSSL compatibility. If `file` was not already in text mode, +// mode changes can cause unflushed data in `file` to be written in unexpected +// ways. See `_setmode` in Windows documentation for details. // -// Unlike OpenSSL, if |flags| does not contain |BIO_FP_TEXT|, the translation -// mode of |file| is left as-is. 
In OpenSSL, |file| will be set to binary, with +// Unlike OpenSSL, if `flags` does not contain `BIO_FP_TEXT`, the translation +// mode of `file` is left as-is. In OpenSSL, `file` will be set to binary, with // the same pitfalls as above. BoringSSL does not do this so that wrapping a -// |FILE| in a |BIO| will not inadvertently change its state. +// `FILE` in a `BIO` will not inadvertently change its state. // // To avoid these pitfalls, callers should set the desired translation mode when // opening the file. If targeting just BoringSSL, this is sufficient. If -// targeting both OpenSSL and BoringSSL, callers should set |BIO_FP_TEXT| to +// targeting both OpenSSL and BoringSSL, callers should set `BIO_FP_TEXT` to // match the desired state of the file. OPENSSL_EXPORT int BIO_set_fp(BIO *bio, FILE *file, int flags); -// BIO_read_filename opens |filename| for reading and sets the result as the -// |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE| -// will be closed when |bio| is freed. On Windows, the file is opened in binary +// BIO_read_filename opens `filename` for reading and sets the result as the +// `FILE` for `bio`. It returns one on success and zero otherwise. The `FILE` +// will be closed when `bio` is freed. On Windows, the file is opened in binary // mode. OPENSSL_EXPORT int BIO_read_filename(BIO *bio, const char *filename); -// BIO_write_filename opens |filename| for writing and sets the result as the -// |FILE| for |bio|. It returns one on success and zero otherwise. The |FILE| -// will be closed when |bio| is freed. On Windows, the file is opened in binary +// BIO_write_filename opens `filename` for writing and sets the result as the +// `FILE` for `bio`. It returns one on success and zero otherwise. The `FILE` +// will be closed when `bio` is freed. On Windows, the file is opened in binary // mode. 
OPENSSL_EXPORT int BIO_write_filename(BIO *bio, const char *filename); -// BIO_append_filename opens |filename| for appending and sets the result as -// the |FILE| for |bio|. It returns one on success and zero otherwise. The -// |FILE| will be closed when |bio| is freed. On Windows, the file is opened in +// BIO_append_filename opens `filename` for appending and sets the result as +// the `FILE` for `bio`. It returns one on success and zero otherwise. The +// `FILE` will be closed when `bio` is freed. On Windows, the file is opened in // binary mode. OPENSSL_EXPORT int BIO_append_filename(BIO *bio, const char *filename); -// BIO_rw_filename opens |filename| for reading and writing and sets the result -// as the |FILE| for |bio|. It returns one on success and zero otherwise. The -// |FILE| will be closed when |bio| is freed. On Windows, the file is opened in +// BIO_rw_filename opens `filename` for reading and writing and sets the result +// as the `FILE` for `bio`. It returns one on success and zero otherwise. The +// `FILE` will be closed when `bio` is freed. On Windows, the file is opened in // binary mode. OPENSSL_EXPORT int BIO_rw_filename(BIO *bio, const char *filename); -// BIO_tell returns the file offset of |bio|, or a negative number on error or -// if |bio| does not support the operation. +// BIO_tell returns the file offset of `bio`, or a negative number on error or +// if `bio` does not support the operation. // -// TODO(crbug.com/42290329): On platforms where |long| is 32-bit, this function +// TODO(crbug.com/42290329): On platforms where `long` is 32-bit, this function // cannot report 64-bit offsets. OPENSSL_EXPORT long BIO_tell(BIO *bio); -// BIO_seek sets the file offset of |bio| to |offset|. It returns a non-negative -// number on success and a negative number on error. If |bio| is a file -// descriptor |BIO|, it returns the resulting file offset on success. If |bio| -// is a file |BIO|, it returns zero on success. 
+// BIO_seek sets the file offset of `bio` to `offset`. It returns a non-negative +// number on success and a negative number on error. If `bio` is a file +// descriptor `BIO`, it returns the resulting file offset on success. If `bio` +// is a file `BIO`, it returns zero on success. // // WARNING: This function's return value conventions differs from most functions // in this library. // -// TODO(crbug.com/42290329): On platforms where |long| is 32-bit, this function +// TODO(crbug.com/42290329): On platforms where `long` is 32-bit, this function // cannot handle 64-bit offsets. OPENSSL_EXPORT long BIO_seek(BIO *bio, long offset); @@ -529,21 +535,21 @@ OPENSSL_EXPORT long BIO_seek(BIO *bio, long offset); // Socket BIOs. // // Socket BIOs behave like file descriptor BIOs but, on Windows systems, wrap -// the system's |recv| and |send| functions instead of |read| and |write|. On +// the system's `recv` and `send` functions instead of `read` and `write`. On // Windows, file descriptors are provided by C runtime and are not // interchangeable with sockets. // -// Socket BIOs may be used with |BIO_set_fd| and |BIO_get_fd|. +// Socket BIOs may be used with `BIO_set_fd` and `BIO_get_fd`. // -// TODO(davidben): Add separate APIs and fix the internals to use |SOCKET|s +// TODO(davidben): Add separate APIs and fix the internals to use `SOCKET`s // around rather than rely on int casts. #if !defined(OPENSSL_NO_SOCK) OPENSSL_EXPORT const BIO_METHOD *BIO_s_socket(void); // BIO_new_socket allocates and initialises a fresh BIO which will read and -// write to the socket |fd|. If |close_flag| is |BIO_CLOSE| then closing the -// BIO will close |fd|. It returns the fresh |BIO| or NULL on error. +// write to the socket `fd`. If `close_flag` is `BIO_CLOSE` then closing the +// BIO will close `fd`. It returns the fresh `BIO` or NULL on error. OPENSSL_EXPORT BIO *BIO_new_socket(int fd, int close_flag); #endif // !OPENSSL_NO_SOCK 
@@ -557,38 +563,38 @@ OPENSSL_EXPORT BIO *BIO_new_socket(int fd, int close_flag); OPENSSL_EXPORT const BIO_METHOD *BIO_s_connect(void); // BIO_new_connect returns a BIO that connects to the given hostname and port. -// The |host_and_optional_port| argument should be of the form +// The `host_and_optional_port` argument should be of the form // "www.example.com" or "www.example.com:443". If the port is omitted, it must -// be provided with |BIO_set_conn_port|. +// be provided with `BIO_set_conn_port`. // // It returns the new BIO on success, or NULL on error. OPENSSL_EXPORT BIO *BIO_new_connect(const char *host_and_optional_port); -// BIO_set_conn_hostname sets |host_and_optional_port| as the hostname and -// optional port that |bio| will connect to. If the port is omitted, it must be -// provided with |BIO_set_conn_port|. +// BIO_set_conn_hostname sets `host_and_optional_port` as the hostname and +// optional port that `bio` will connect to. If the port is omitted, it must be +// provided with `BIO_set_conn_port`. // // It returns one on success and zero otherwise. OPENSSL_EXPORT int BIO_set_conn_hostname(BIO *bio, const char *host_and_optional_port); -// BIO_set_conn_port sets |port_str| as the port or service name that |bio| +// BIO_set_conn_port sets `port_str` as the port or service name that `bio` // will connect to. It returns one on success and zero otherwise. OPENSSL_EXPORT int BIO_set_conn_port(BIO *bio, const char *port_str); -// BIO_set_conn_int_port sets |*port| as the port that |bio| will connect to. +// BIO_set_conn_int_port sets `*port` as the port that `bio` will connect to. // It returns one on success and zero otherwise. OPENSSL_EXPORT int BIO_set_conn_int_port(BIO *bio, const int *port); -// BIO_set_nbio sets whether |bio| will use non-blocking I/O operations. It +// BIO_set_nbio sets whether `bio` will use non-blocking I/O operations. It // returns one on success and zero otherwise. 
This only works for connect BIOs -// and must be called before |bio| is connected to take effect. +// and must be called before `bio` is connected to take effect. // // For socket and fd BIOs, callers must configure blocking vs. non-blocking I/O // using the underlying platform APIs. OPENSSL_EXPORT int BIO_set_nbio(BIO *bio, int on); -// BIO_do_connect connects |bio| if it has not been connected yet. It returns +// BIO_do_connect connects `bio` if it has not been connected yet. It returns // one on success and <= 0 otherwise. OPENSSL_EXPORT int BIO_do_connect(BIO *bio); #endif // !OPENSSL_NO_SOCK @@ -607,7 +613,7 @@ OPENSSL_EXPORT int BIO_do_connect(BIO *bio); the previous write operation. */ // BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT is unsupported as it is unused by consumers -// and depends on |timeval|, which is not 2038-clean on all platforms. +// and depends on `timeval`, which is not 2038-clean on all platforms. #define BIO_CTRL_DGRAM_GET_PEER 46 
@@ -619,154 +625,187 @@ OPENSSL_EXPORT int BIO_do_connect(BIO *bio); // BIO pairs provide a "loopback" like system: a pair of BIOs where data // written to one can be read from the other and vice versa. -// BIO_new_bio_pair sets |*out1| and |*out2| to two freshly created BIOs where +// BIO_new_bio_pair sets `*out1` and `*out2` to two freshly created BIOs where // data written to one can be read from the other and vice versa. The -// |writebuf1| argument gives the size of the buffer used in |*out1| and -// |writebuf2| for |*out2|. It returns one on success and zero on error. +// `writebuf1` argument gives the size of the buffer used in `*out1` and +// `writebuf2` for `*out2`. It returns one on success and zero on error. OPENSSL_EXPORT int BIO_new_bio_pair(BIO **out1, size_t writebuf1, BIO **out2, size_t writebuf2); // BIO_ctrl_get_read_request returns the number of bytes that the other side of -// |bio| tried (unsuccessfully) to read. +// `bio` tried (unsuccessfully) to read. OPENSSL_EXPORT size_t BIO_ctrl_get_read_request(BIO *bio); -// BIO_ctrl_get_write_guarantee returns the number of bytes that |bio| (which -// must have been returned by |BIO_new_bio_pair|) will accept on the next -// |BIO_write| call. +// BIO_ctrl_get_write_guarantee returns the number of bytes that `bio` (which +// must have been returned by `BIO_new_bio_pair`) will accept on the next +// `BIO_write` call. OPENSSL_EXPORT size_t BIO_ctrl_get_write_guarantee(BIO *bio); -// BIO_shutdown_wr marks |bio| as closed, from the point of view of the other -// side of the pair. Future |BIO_write| calls on |bio| will fail. It returns +// BIO_shutdown_wr marks `bio` as closed, from the point of view of the other +// side of the pair. Future `BIO_write` calls on `bio` will fail. It returns // one on success and zero otherwise. OPENSSL_EXPORT int BIO_shutdown_wr(BIO *bio); // Custom BIOs. 
// -// Consumers can create custom |BIO|s by filling in a |BIO_METHOD| and using +// Consumers can create custom `BIO`s by filling in a `BIO_METHOD` and using // low-level control functions to set state. -// BIO_get_new_index returns a new "type" value for a custom |BIO|, or -1 on +// BIO_get_new_index returns a new "type" value for a custom `BIO`, or -1 on // error. OPENSSL_EXPORT int BIO_get_new_index(void); -// BIO_meth_new returns a newly-allocated |BIO_METHOD| or NULL on allocation -// error. The |type| specifies the type that will be returned by -// |BIO_method_type|. If this is unnecessary, this value may be zero. The |name| +// BIO_meth_new returns a newly-allocated `BIO_METHOD` or NULL on allocation +// error. The `type` specifies the type that will be returned by +// `BIO_method_type`. If this is unnecessary, this value may be zero. The `name` // parameter is vestigial and may be NULL. // -// Use the |BIO_meth_set_*| functions below to initialize the |BIO_METHOD|. The -// function implementations may use |BIO_set_data| and |BIO_get_data| to add -// method-specific state to associated |BIO|s. Additionally, |BIO_set_init| must -// be called after an associated |BIO| is fully initialized. State set via -// |BIO_set_data| may be released by configuring a destructor with -// |BIO_meth_set_destroy|. +// Use the `BIO_meth_set_*` functions below to initialize the `BIO_METHOD`. The +// function implementations may use `BIO_set_data` and `BIO_get_data` to add +// method-specific state to associated `BIO`s. Additionally, `BIO_set_init` must +// be called after an associated `BIO` is fully initialized. State set via +// `BIO_set_data` may be released by configuring a destructor with +// `BIO_meth_set_destroy`. OPENSSL_EXPORT BIO_METHOD *BIO_meth_new(int type, const char *name); -// BIO_meth_free releases memory associated with |method|. +// BIO_meth_free releases memory associated with `method`. 
OPENSSL_EXPORT void BIO_meth_free(BIO_METHOD *method); -// BIO_meth_set_create sets a function to be called on |BIO_new| for |method| +// BIO_meth_set_create sets a function to be called on `BIO_new` for `method` // and returns one. The function should return one on success and zero on // error. OPENSSL_EXPORT int BIO_meth_set_create(BIO_METHOD *method, int (*create_func)(BIO *)); -// BIO_meth_set_destroy sets a function to release data associated with a |BIO| +// BIO_meth_set_destroy sets a function to release data associated with a `BIO` // and returns one. The function's return value is ignored. // -// As the |BIO| is about to be destroyed, it is not necessary for |destroy_func| -// to clear the BIO's state with |BIO_set_data| or |BIO_set_init|. There is no -// harm in clearing them, but the |BIO| will not be passed to |BIO| operations, -// unless |destroy_func| itself does so. +// As the `BIO` is about to be destroyed, it is not necessary for `destroy_func` +// to clear the BIO's state with `BIO_set_data` or `BIO_set_init`. There is no +// harm in clearing them, but the `BIO` will not be passed to `BIO` operations, +// unless `destroy_func` itself does so. OPENSSL_EXPORT int BIO_meth_set_destroy(BIO_METHOD *method, int (*destroy_func)(BIO *)); -// BIO_meth_set_write sets the implementation of |BIO_write| for |method| and -// returns one. |BIO_METHOD|s which implement |BIO_write| should also implement -// |BIO_CTRL_FLUSH|. (See |BIO_meth_set_ctrl|.) +// BIO_meth_set_write_ex sets the implementation of `BIO_write_ex` for `method` +// and returns one. `BIO_METHOD`s which implement `BIO_write_ex` should also +// implement `BIO_CTRL_FLUSH`. (See `BIO_meth_set_ctrl`.) +// +// `write_ex_func` can assume `BIO_get_init` returns one, the input size is +// greater than zero, and `out_written` is non-NULL. Those cases are handled +// before calling into the `BIO_METHOD`. 
+// +// If configured, `write_ex_func` will also be used to implement `BIO_write`, +// with the `BIO` framework converting the conventions. `BIO_meth_set_write_ex` +// and `BIO_meth_set_write` should not be configured on the same `BIO_METHOD`. +// Prefer `BIO_meth_set_write_ex` for a `size_t`-based API. +OPENSSL_EXPORT int BIO_meth_set_write_ex( + BIO_METHOD *method, + int (*write_ex_func)(BIO *, const char *, size_t, size_t *)); + +// BIO_meth_set_write sets the implementation of `BIO_write` for `method` and +// returns one. `BIO_METHOD`s which implement `BIO_write` should also implement +// `BIO_CTRL_FLUSH`. (See `BIO_meth_set_ctrl`.) +// +// `write_func` can assume `BIO_get_init` returns one and the input size is +// greater than zero. Those cases are handled before calling into the +// `BIO_METHOD`. +// +// If configured, `write_func` will also be used to implement `BIO_write_ex`, +// with the `BIO` framework converting the conventions. `BIO_meth_set_write_ex` +// and `BIO_meth_set_write` should not be configured on the same `BIO_METHOD`. +// Prefer `BIO_meth_set_write_ex` for a `size_t`-based API. OPENSSL_EXPORT int BIO_meth_set_write(BIO_METHOD *method, int (*write_func)(BIO *, const char *, int)); -// BIO_meth_set_read sets the implementation of |BIO_read| for |method| and +// BIO_meth_set_read sets the implementation of `BIO_read` for `method` and // returns one. +// +// `read_func` can assume `BIO_get_init` returns one and the output size is +// greater than zero. Those cases are handled before calling into the +// `BIO_METHOD`. OPENSSL_EXPORT int BIO_meth_set_read(BIO_METHOD *method, int (*read_func)(BIO *, char *, int)); -// BIO_meth_set_gets sets the implementation of |BIO_gets| for |method| and +// BIO_meth_set_gets sets the implementation of `BIO_gets` for `method` and // returns one. +// +// `gets_func` can assume `BIO_get_init` returns one and the output size is +// greater than zero. Those cases are handled before calling into the +// `BIO_METHOD`. 
OPENSSL_EXPORT int BIO_meth_set_gets(BIO_METHOD *method, int (*gets_func)(BIO *, char *, int)); -// BIO_meth_set_ctrl sets the implementation of |BIO_ctrl| for |method| and +// BIO_meth_set_ctrl sets the implementation of `BIO_ctrl` for `method` and // returns one. OPENSSL_EXPORT int BIO_meth_set_ctrl(BIO_METHOD *method, long (*ctrl_func)(BIO *, int, long, void *)); -// BIO_meth_set_callback_ctrl sets the implementation of |BIO_callback_ctrl| for -// |method| and returns one. +// BIO_meth_set_callback_ctrl sets the implementation of `BIO_callback_ctrl` for +// `method` and returns one. OPENSSL_EXPORT int BIO_meth_set_callback_ctrl( BIO_METHOD *method, long (*callback_ctrl_func)(BIO *, int, BIO_info_cb *)); -// BIO_set_data sets custom data on |bio|. It may be retried with -// |BIO_get_data|. +// BIO_set_data sets custom data on `bio`. It may be retried with +// `BIO_get_data`. // -// This function should only be called by the implementation of a custom |BIO|. -// In particular, the data pointer of a built-in |BIO| is private to the -// library. For other uses, see |BIO_set_ex_data| and |BIO_set_app_data|. +// This function should only be called by the implementation of a custom `BIO`. +// In particular, the data pointer of a built-in `BIO` is private to the +// library. For other uses, see `BIO_set_ex_data` and `BIO_set_app_data`. OPENSSL_EXPORT void BIO_set_data(BIO *bio, void *ptr); -// BIO_get_data returns custom data on |bio| set by |BIO_get_data|. +// BIO_get_data returns custom data on `bio` set by `BIO_get_data`. // -// This function should only be called by the implementation of a custom |BIO|. -// In particular, the data pointer of a built-in |BIO| is private to the -// library. For other uses, see |BIO_get_ex_data| and |BIO_get_app_data|. +// This function should only be called by the implementation of a custom `BIO`. +// In particular, the data pointer of a built-in `BIO` is private to the +// library. 
For other uses, see `BIO_get_ex_data` and `BIO_get_app_data`. OPENSSL_EXPORT void *BIO_get_data(BIO *bio); -// BIO_set_init sets whether |bio| has been fully initialized. Until fully -// initialized, |BIO_read| and |BIO_write| will fail. +// BIO_set_init sets whether `bio` has been fully initialized. Until fully +// initialized, `BIO_read` and `BIO_write` will fail. OPENSSL_EXPORT void BIO_set_init(BIO *bio, int init); -// BIO_get_init returns whether |bio| has been fully initialized. +// BIO_get_init returns whether `bio` has been fully initialized. OPENSSL_EXPORT int BIO_get_init(BIO *bio); -// These are values of the |cmd| argument to |BIO_ctrl|. +// These are values of the `cmd` argument to `BIO_ctrl`. -// BIO_CTRL_RESET implements |BIO_reset|. The arguments are unused. +// BIO_CTRL_RESET implements `BIO_reset`. The arguments are unused. #define BIO_CTRL_RESET 1 -// BIO_CTRL_EOF implements |BIO_eof|. The arguments are unused. +// BIO_CTRL_EOF implements `BIO_eof`. The arguments are unused. #define BIO_CTRL_EOF 2 // BIO_CTRL_INFO is a legacy command that returns information specific to the -// type of |BIO|. It is not safe to call generically and should not be -// implemented in new |BIO| types. +// type of `BIO`. It is not safe to call generically and should not be +// implemented in new `BIO` types. #define BIO_CTRL_INFO 3 -// BIO_CTRL_GET_CLOSE returns the close flag set by |BIO_CTRL_SET_CLOSE|. The +// BIO_CTRL_GET_CLOSE returns the close flag set by `BIO_CTRL_SET_CLOSE`. The // arguments are unused. #define BIO_CTRL_GET_CLOSE 8 -// BIO_CTRL_SET_CLOSE implements |BIO_set_close|. The |larg| argument is the +// BIO_CTRL_SET_CLOSE implements `BIO_set_close`. The `larg` argument is the // close flag. #define BIO_CTRL_SET_CLOSE 9 -// BIO_CTRL_PENDING implements |BIO_pending|. The arguments are unused. +// BIO_CTRL_PENDING implements `BIO_pending`. The arguments are unused. #define BIO_CTRL_PENDING 10 -// BIO_CTRL_FLUSH implements |BIO_flush|. 
The arguments are unused. +// BIO_CTRL_FLUSH implements `BIO_flush`. The arguments are unused. #define BIO_CTRL_FLUSH 11 -// BIO_CTRL_WPENDING implements |BIO_wpending|. The arguments are unused. +// BIO_CTRL_WPENDING implements `BIO_wpending`. The arguments are unused. #define BIO_CTRL_WPENDING 13 // BIO_CTRL_SET_CALLBACK sets an informational callback of type // int cb(BIO *bio, int state, int ret) #define BIO_CTRL_SET_CALLBACK 14 -// BIO_CTRL_GET_CALLBACK returns the callback set by |BIO_CTRL_SET_CALLBACK|. +// BIO_CTRL_GET_CALLBACK returns the callback set by `BIO_CTRL_SET_CALLBACK`. #define BIO_CTRL_GET_CALLBACK 15 // The following are never used, but are defined to aid porting existing code. @@ -780,7 +819,7 @@ OPENSSL_EXPORT int BIO_get_init(BIO *bio); // ex_data functions. // -// See |ex_data.h| for details. +// See `ex_data.h` for details. OPENSSL_EXPORT int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 
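Review bot: The comment added for `BIO_meth_set_write_ex` lists what `write_ex_func` may assume, but it never says what the callback must return or when it must store to `*out_written`, whereas the `BIO_meth_set_create` comment in the same hunk does spell out its hook's return convention. An implementer of a custom `BIO` who carries over the habits of the older `int`-based `write_func` could end up reporting a failed or short write as a success. I would add a line such as `// write_ex_func returns one on success and zero on error, setting *out_written to the number of bytes written.`, after confirming that convention against the implementation, which is not visible here. Separately, the `BIO_get_data` comment in this hunk still reads "set by `BIO_get_data`", which looks like it should name `BIO_set_data`. If this header is vendored from upstream, both points belong in an upstream report rather than a local edit.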
@@ -795,19 +834,19 @@ OPENSSL_EXPORT void *BIO_get_ex_data(const BIO *bio, int idx); // Deprecated functions. -// BIO_free_all calls |BIO_free|. Code that targets BoringSSL does not need to -// call a separate free function for |BIO|s that are part of a chain. +// BIO_free_all calls `BIO_free`. Code that targets BoringSSL does not need to +// call a separate free function for `BIO`s that are part of a chain. OPENSSL_EXPORT void BIO_free_all(BIO *bio); typedef BIO_info_cb bio_info_cb; -// BIO_f_base64 returns a filter |BIO| that base64-encodes data written into -// it, and decodes data read from it. |BIO_gets| is not supported. Call -// |BIO_flush| when done writing, to signal that no more data are to be -// encoded. The flag |BIO_FLAGS_BASE64_NO_NL| may be set to encode all the data +// BIO_f_base64 returns a filter `BIO` that base64-encodes data written into +// it, and decodes data read from it. `BIO_gets` is not supported. Call +// `BIO_flush` when done writing, to signal that no more data are to be +// encoded. The flag `BIO_FLAGS_BASE64_NO_NL` may be set to encode all the data // on one line. // -// Use |EVP_EncodeBlock| and |EVP_DecodeBase64| instead. +// Use `EVP_EncodeBlock` and `EVP_DecodeBase64` instead. OPENSSL_EXPORT const BIO_METHOD *BIO_f_base64(void); OPENSSL_EXPORT void BIO_set_retry_special(BIO *bio); 
@@ -815,41 +854,41 @@ OPENSSL_EXPORT void BIO_set_retry_special(BIO *bio); // BIO_set_write_buffer_size returns zero. OPENSSL_EXPORT int BIO_set_write_buffer_size(BIO *bio, int buffer_size); -// BIO_set_shutdown sets a method-specific "shutdown" bit on |bio|. +// BIO_set_shutdown sets a method-specific "shutdown" bit on `bio`. OPENSSL_EXPORT void BIO_set_shutdown(BIO *bio, int shutdown); // BIO_get_shutdown returns the method-specific "shutdown" bit. OPENSSL_EXPORT int BIO_get_shutdown(BIO *bio); -// BIO_meth_set_puts returns one. |BIO_puts| is implemented with |BIO_write| in +// BIO_meth_set_puts returns one. `BIO_puts` is implemented with `BIO_write` in // BoringSSL. OPENSSL_EXPORT int BIO_meth_set_puts(BIO_METHOD *method, int (*puts)(BIO *, const char *)); #if !defined(OPENSSL_NO_SOCK) // The following functions return function pointers, possibly NULL, which are -// compatible with the corresponding |BIO_meth_set_*| function. |method| must be -// |BIO_s_socket| or the program will abort. +// compatible with the corresponding `BIO_meth_set_*` function. `method` must be +// `BIO_s_socket` or the program will abort. // // Using these functions is inherently unsafe and fragile. It is not possible to // use them in a future-proof way. See // https://github.com/openssl/openssl/issues/26047 for details. BoringSSL // implements them solely for compatibility with Folly and older versions of // PostgreSQL. To work around the future-proofing problems, the return values -// may diverge from the true implementation of |BIO_s_socket|. +// may diverge from the true implementation of `BIO_s_socket`. // // Caller should not use these functions. They are not necessary to define -// custom |BIO_METHOD|s. Instead, callers should either: +// custom `BIO_METHOD`s. Instead, callers should either: // -// - Define a custom |BIO_METHOD| that owns a socket |BIO| somewhere in the -// custom data. See |BIO_set_data|. 
+// - Define a custom `BIO_METHOD` that owns a socket `BIO` somewhere in the +// custom data. See `BIO_set_data`. // -// - Define a custom |BIO_METHOD| that wraps a socket |BIO| as a filter. See -// |BIO_push| and |BIO_next|. +// - Define a custom `BIO_METHOD` that wraps a socket `BIO` as a filter. See +// `BIO_push` and `BIO_next`. // -// - Define a custom |BIO_METHOD| without |BIO_s_socket| at all. If not using -// the built-in read or write functions, |BIO_s_socket| only provides a no-op -// |BIO_CTRL_FLUSH| implementation. This can be implemented by the caller. +// - Define a custom `BIO_METHOD` without `BIO_s_socket` at all. If not using +// the built-in read or write functions, `BIO_s_socket` only provides a no-op +// `BIO_CTRL_FLUSH` implementation. This can be implemented by the caller. OPENSSL_EXPORT int (*BIO_meth_get_write(const BIO_METHOD *method))(BIO *, const char *, int); @@ -881,8 +920,8 @@ OPENSSL_EXPORT long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *method))( // or change the data in any way. #define BIO_FLAGS_MEM_RDONLY 0x200 -// BIO_TYPE_DESCRIPTOR denotes that the |BIO| responds to the |BIO_C_SET_FD| -// (|BIO_set_fd|) and |BIO_C_GET_FD| (|BIO_get_fd|) control hooks. +// BIO_TYPE_DESCRIPTOR denotes that the `BIO` responds to the `BIO_C_SET_FD` +// (`BIO_set_fd`) and `BIO_C_GET_FD` (`BIO_get_fd`) control hooks. #define BIO_TYPE_DESCRIPTOR 0x0100 // socket, fd, connect or accept #define BIO_TYPE_FILTER 0x0200 #define BIO_TYPE_SOURCE_SINK 0x0400 @@ -912,7 +951,7 @@ OPENSSL_EXPORT long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *method))( #define BIO_TYPE_ASN1 (22 | BIO_TYPE_FILTER) #define BIO_TYPE_COMP (23 | BIO_TYPE_FILTER) -// BIO_TYPE_START is the first user-allocated |BIO| type. No pre-defined type, +// BIO_TYPE_START is the first user-allocated `BIO` type. No pre-defined type, // flag bits aside, may exceed this value. #define BIO_TYPE_START 128 
diff --git a/third_party/boringssl/src/include/openssl/blake2.h b/third_party/boringssl/src/include/openssl/blake2.h index 2284591b..7511e090 100644 --- a/third_party/boringssl/src/include/openssl/blake2.h +++ b/third_party/boringssl/src/include/openssl/blake2.h @@ -36,22 +36,22 @@ struct blake2b_state_st { uint8_t block[BLAKE2B_CBLOCK]; }; -// BLAKE2B256_Init initialises |b2b| to perform a BLAKE2b-256 hash. There are no -// pointers inside |b2b| thus release of |b2b| is purely managed by the caller. +// BLAKE2B256_Init initialises `b2b` to perform a BLAKE2b-256 hash. There are no +// pointers inside `b2b` thus release of `b2b` is purely managed by the caller. OPENSSL_EXPORT void BLAKE2B256_Init(BLAKE2B_CTX *b2b); -// BLAKE2B256_Update appends |len| bytes from |data| to the digest being -// calculated by |b2b|. +// BLAKE2B256_Update appends `len` bytes from `data` to the digest being +// calculated by `b2b`. OPENSSL_EXPORT void BLAKE2B256_Update(BLAKE2B_CTX *b2b, const void *data, size_t len); -// BLAKE2B256_Final completes the digest calculated by |b2b| and writes -// |BLAKE2B256_DIGEST_LENGTH| bytes to |out|. +// BLAKE2B256_Final completes the digest calculated by `b2b` and writes +// `BLAKE2B256_DIGEST_LENGTH` bytes to `out`. OPENSSL_EXPORT void BLAKE2B256_Final(uint8_t out[BLAKE2B256_DIGEST_LENGTH], BLAKE2B_CTX *b2b); -// BLAKE2B256 writes the BLAKE2b-256 digset of |len| bytes from |data| to -// |out|. +// BLAKE2B256 writes the BLAKE2b-256 digset of `len` bytes from `data` to +// `out`. OPENSSL_EXPORT void BLAKE2B256(const uint8_t *data, size_t len, uint8_t out[BLAKE2B256_DIGEST_LENGTH]); diff --git a/third_party/boringssl/src/include/openssl/bn.h b/third_party/boringssl/src/include/openssl/bn.h index f0b53346..dbb83765 100644 --- a/third_party/boringssl/src/include/openssl/bn.h +++ b/third_party/boringssl/src/include/openssl/bn.h 
@@ -43,10 +43,10 @@ extern "C" {
 // BN_ULONG is the native word size when working with big integers.
 //
 // Note: on some platforms, inttypes.h does not define print format macros in
-// C++ unless |__STDC_FORMAT_MACROS| defined. This is due to text in C99 which
+// C++ unless `__STDC_FORMAT_MACROS` defined. This is due to text in C99 which
 // was never adopted in any C++ standard and explicitly overruled in C++11. As
-// this is a public header, bn.h does not define |__STDC_FORMAT_MACROS| itself.
-// Projects which use |BN_*_FMT*| with outdated C headers may need to define it
+// this is a public header, bn.h does not define `__STDC_FORMAT_MACROS` itself.
+// Projects which use `BN_*_FMT*` with outdated C headers may need to define it
 // externally.
 #if defined(OPENSSL_64_BIT)
 typedef uint64_t BN_ULONG;
@@ -70,26 +70,26 @@ typedef uint32_t BN_ULONG; // BN_new creates a new, allocated BIGNUM and initialises it. OPENSSL_EXPORT BIGNUM *BN_new(void); -// BN_init initialises a stack allocated |BIGNUM|. +// BN_init initialises a stack allocated `BIGNUM`. OPENSSL_EXPORT void BN_init(BIGNUM *bn); -// BN_free frees the data referenced by |bn| and, if |bn| was originally -// allocated on the heap, frees |bn| also. +// BN_free frees the data referenced by `bn` and, if `bn` was originally +// allocated on the heap, frees `bn` also. OPENSSL_EXPORT void BN_free(BIGNUM *bn); -// BN_clear_free erases and frees the data referenced by |bn| and, if |bn| was -// originally allocated on the heap, frees |bn| also. +// BN_clear_free erases and frees the data referenced by `bn` and, if `bn` was +// originally allocated on the heap, frees `bn` also. OPENSSL_EXPORT void BN_clear_free(BIGNUM *bn); -// BN_dup allocates a new BIGNUM and sets it equal to |src|. It returns the +// BN_dup allocates a new BIGNUM and sets it equal to `src`. It returns the // allocated BIGNUM on success or NULL otherwise. OPENSSL_EXPORT BIGNUM *BN_dup(const BIGNUM *src); -// BN_copy sets |dest| equal to |src| and returns |dest| or NULL on allocation +// BN_copy sets `dest` equal to `src` and returns `dest` or NULL on allocation // failure. OPENSSL_EXPORT BIGNUM *BN_copy(BIGNUM *dest, const BIGNUM *src); -// BN_clear sets |bn| to zero and erases the old data. +// BN_clear sets `bn` to zero and erases the old data. OPENSSL_EXPORT void BN_clear(BIGNUM *bn); // BN_value_one returns a static BIGNUM with value 1. 
@@ -99,140 +99,140 @@ OPENSSL_EXPORT const BIGNUM *BN_value_one(void); // Basic functions. // BN_num_bits returns the minimum number of bits needed to represent the -// absolute value of |bn|. +// absolute value of `bn`. OPENSSL_EXPORT unsigned BN_num_bits(const BIGNUM *bn); // BN_num_bytes returns the minimum number of bytes needed to represent the -// absolute value of |bn|. +// absolute value of `bn`. // -// While |size_t| is the preferred type for byte counts, callers can assume that -// |BIGNUM|s are bounded such that this value, and its corresponding bit count, -// will always fit in |int|. +// While `size_t` is the preferred type for byte counts, callers can assume that +// `BIGNUM`s are bounded such that this value, and its corresponding bit count, +// will always fit in `int`. OPENSSL_EXPORT unsigned BN_num_bytes(const BIGNUM *bn); -// BN_zero sets |bn| to zero. +// BN_zero sets `bn` to zero. OPENSSL_EXPORT void BN_zero(BIGNUM *bn); -// BN_one sets |bn| to one. It returns one on success or zero on allocation +// BN_one sets `bn` to one. It returns one on success or zero on allocation // failure. OPENSSL_EXPORT int BN_one(BIGNUM *bn); -// BN_set_word sets |bn| to |value|. It returns one on success or zero on +// BN_set_word sets `bn` to `value`. It returns one on success or zero on // allocation failure. OPENSSL_EXPORT int BN_set_word(BIGNUM *bn, BN_ULONG value); -// BN_set_u64 sets |bn| to |value|. It returns one on success or zero on +// BN_set_u64 sets `bn` to `value`. It returns one on success or zero on // allocation failure. OPENSSL_EXPORT int BN_set_u64(BIGNUM *bn, uint64_t value); -// BN_set_negative sets the sign of |bn|. +// BN_set_negative sets the sign of `bn`. OPENSSL_EXPORT void BN_set_negative(BIGNUM *bn, int sign); -// BN_is_negative returns one if |bn| is negative and zero otherwise. +// BN_is_negative returns one if `bn` is negative and zero otherwise. OPENSSL_EXPORT int BN_is_negative(const BIGNUM *bn); // Conversion functions. 
-// BN_bin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as -// a big-endian number, and returns |ret|. If |ret| is NULL then a fresh -// |BIGNUM| is allocated and returned. It returns NULL on allocation +// BN_bin2bn sets `*ret` to the value of `len` bytes from `in`, interpreted as +// a big-endian number, and returns `ret`. If `ret` is NULL then a fresh +// `BIGNUM` is allocated and returned. It returns NULL on allocation // failure. OPENSSL_EXPORT BIGNUM *BN_bin2bn(const uint8_t *in, size_t len, BIGNUM *ret); -// BN_bn2bin serialises the absolute value of |in| to |out| as a big-endian -// integer, which must have |BN_num_bytes| of space available. It returns the -// number of bytes written. Note this function leaks the magnitude of |in|. If -// |in| is secret, use |BN_bn2bin_padded| instead. +// BN_bn2bin serialises the absolute value of `in` to `out` as a big-endian +// integer, which must have `BN_num_bytes` of space available. It returns the +// number of bytes written. Note this function leaks the magnitude of `in`. If +// `in` is secret, use `BN_bn2bin_padded` instead. OPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out); -// BN_lebin2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as -// a little-endian number, and returns |ret|. If |ret| is NULL then a fresh -// |BIGNUM| is allocated and returned. It returns NULL on allocation +// BN_lebin2bn sets `*ret` to the value of `len` bytes from `in`, interpreted as +// a little-endian number, and returns `ret`. If `ret` is NULL then a fresh +// `BIGNUM` is allocated and returned. It returns NULL on allocation // failure. OPENSSL_EXPORT BIGNUM *BN_lebin2bn(const uint8_t *in, size_t len, BIGNUM *ret); -// BN_bn2le_padded serialises the absolute value of |in| to |out| as a -// little-endian integer, which must have |len| of space available, padding -// out the remainder of out with zeros. 
If |len| is smaller than |BN_num_bytes|, +// BN_bn2le_padded serialises the absolute value of `in` to `out` as a +// little-endian integer, which must have `len` of space available, padding +// out the remainder of out with zeros. If `len` is smaller than `BN_num_bytes`, // the function fails and returns 0. Otherwise, it returns 1. OPENSSL_EXPORT int BN_bn2le_padded(uint8_t *out, size_t len, const BIGNUM *in); -// BN_bn2bin_padded serialises the absolute value of |in| to |out| as a +// BN_bn2bin_padded serialises the absolute value of `in` to `out` as a // big-endian integer. The integer is padded with leading zeros up to size -// |len|. If |len| is smaller than |BN_num_bytes|, the function fails and +// `len`. If `len` is smaller than `BN_num_bytes`, the function fails and // returns 0. Otherwise, it returns 1. OPENSSL_EXPORT int BN_bn2bin_padded(uint8_t *out, size_t len, const BIGNUM *in); -// BN_bn2cbb_padded behaves like |BN_bn2bin_padded| but writes to a |CBB|. +// BN_bn2cbb_padded behaves like `BN_bn2bin_padded` but writes to a `CBB`. OPENSSL_EXPORT int BN_bn2cbb_padded(CBB *out, size_t len, const BIGNUM *in); // BN_bn2hex returns an allocated string that contains a NUL-terminated, hex -// representation of |bn|. If |bn| is negative, the first char in the resulting +// representation of `bn`. If `bn` is negative, the first char in the resulting // string will be '-'. Returns NULL on allocation failure. OPENSSL_EXPORT char *BN_bn2hex(const BIGNUM *bn); -// BN_hex2bn parses the leading hex number from |in|, which may be proceeded by +// BN_hex2bn parses the leading hex number from `in`, which may be proceeded by // a '-' to indicate a negative number and may contain trailing, non-hex data. -// If |outp| is not NULL, it constructs a BIGNUM equal to the hex number and -// stores it in |*outp|. If |*outp| is NULL then it allocates a new BIGNUM and -// updates |*outp|. 
It returns the number of bytes of |in| processed or zero on +// If `outp` is not NULL, it constructs a BIGNUM equal to the hex number and +// stores it in `*outp`. If `*outp` is NULL then it allocates a new BIGNUM and +// updates `*outp`. It returns the number of bytes of `in` processed or zero on // error. OPENSSL_EXPORT int BN_hex2bn(BIGNUM **outp, const char *in); // BN_bn2dec returns an allocated string that contains a NUL-terminated, -// decimal representation of |bn|. If |bn| is negative, the first char in the +// decimal representation of `bn`. If `bn` is negative, the first char in the // resulting string will be '-'. Returns NULL on allocation failure. // // Converting an arbitrarily large integer to decimal is quadratic in the bit -// length of |a|. This function assumes the caller has capped the input within +// length of `a`. This function assumes the caller has capped the input within // performance tolerances. OPENSSL_EXPORT char *BN_bn2dec(const BIGNUM *a); -// BN_dec2bn parses the leading decimal number from |in|, which may be +// BN_dec2bn parses the leading decimal number from `in`, which may be // proceeded by a '-' to indicate a negative number and may contain trailing, -// non-decimal data. If |outp| is not NULL, it constructs a BIGNUM equal to the -// decimal number and stores it in |*outp|. If |*outp| is NULL then it -// allocates a new BIGNUM and updates |*outp|. It returns the number of bytes -// of |in| processed or zero on error. +// non-decimal data. If `outp` is not NULL, it constructs a BIGNUM equal to the +// decimal number and stores it in `*outp`. If `*outp` is NULL then it +// allocates a new BIGNUM and updates `*outp`. It returns the number of bytes +// of `in` processed or zero on error. // // Converting an arbitrarily large integer to decimal is quadratic in the bit -// length of |a|. This function assumes the caller has capped the input within +// length of `a`. 
This function assumes the caller has capped the input within // performance tolerances. OPENSSL_EXPORT int BN_dec2bn(BIGNUM **outp, const char *in); -// BN_asc2bn acts like |BN_dec2bn| or |BN_hex2bn| depending on whether |in| +// BN_asc2bn acts like `BN_dec2bn` or `BN_hex2bn` depending on whether `in` // begins with "0X" or "0x" (indicating hex) or not (indicating decimal). A // leading '-' is still permitted and comes before the optional 0X/0x. It // returns one on success or zero on error. OPENSSL_EXPORT int BN_asc2bn(BIGNUM **outp, const char *in); -// BN_print writes a hex encoding of |a| to |bio|. It returns one on success +// BN_print writes a hex encoding of `a` to `bio`. It returns one on success // and zero on error. OPENSSL_EXPORT int BN_print(BIO *bio, const BIGNUM *a); -// BN_print_fp acts like |BIO_print|, but wraps |fp| in a |BIO| first. +// BN_print_fp acts like `BIO_print`, but wraps `fp` in a `BIO` first. OPENSSL_EXPORT int BN_print_fp(FILE *fp, const BIGNUM *a); -// BN_get_word returns the absolute value of |bn| as a single word. If |bn| is +// BN_get_word returns the absolute value of `bn` as a single word. If `bn` is // too large to be represented as a single word, the maximum possible value // will be returned. OPENSSL_EXPORT BN_ULONG BN_get_word(const BIGNUM *bn); -// BN_get_u64 sets |*out| to the absolute value of |bn| as a |uint64_t| and -// returns one. If |bn| is too large to be represented as a |uint64_t|, it +// BN_get_u64 sets `*out` to the absolute value of `bn` as a `uint64_t` and +// returns one. If `bn` is too large to be represented as a `uint64_t`, it // returns zero. OPENSSL_EXPORT int BN_get_u64(const BIGNUM *bn, uint64_t *out); // ASN.1 functions. -// BN_parse_asn1_unsigned parses a non-negative DER INTEGER from |cbs| writes -// the result to |ret|. It returns one on success and zero on failure. +// BN_parse_asn1_unsigned parses a non-negative DER INTEGER from `cbs` writes +// the result to `ret`. 
It returns one on success and zero on failure. OPENSSL_EXPORT int BN_parse_asn1_unsigned(CBS *cbs, BIGNUM *ret); -// BN_marshal_asn1 marshals |bn| as a non-negative DER INTEGER and appends the -// result to |cbb|. It returns one on success and zero on failure. +// BN_marshal_asn1 marshals `bn` as a non-negative DER INTEGER and appends the +// result to `cbb`. It returns one on success and zero on failure. OPENSSL_EXPORT int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn); 
@@ -240,100 +240,100 @@ OPENSSL_EXPORT int BN_marshal_asn1(CBB *cbb, const BIGNUM *bn); // // Certain BIGNUM operations need to use many temporary variables and // allocating and freeing them can be quite slow. Thus such operations typically -// take a |BN_CTX| parameter, which contains a pool of |BIGNUMs|. The |ctx| -// argument to a public function may be NULL, in which case a local |BN_CTX| +// take a `BN_CTX` parameter, which contains a pool of `BIGNUMs`. The `ctx` +// argument to a public function may be NULL, in which case a local `BN_CTX` // will be created just for the lifetime of that call. // -// A function must call |BN_CTX_start| first. Then, |BN_CTX_get| may be called -// repeatedly to obtain temporary |BIGNUM|s. All |BN_CTX_get| calls must be made -// before calling any other functions that use the |ctx| as an argument. +// A function must call `BN_CTX_start` first. Then, `BN_CTX_get` may be called +// repeatedly to obtain temporary `BIGNUM`s. All `BN_CTX_get` calls must be made +// before calling any other functions that use the `ctx` as an argument. // -// Finally, |BN_CTX_end| must be called before returning from the function. -// When |BN_CTX_end| is called, the |BIGNUM| pointers obtained from -// |BN_CTX_get| become invalid. +// Finally, `BN_CTX_end` must be called before returning from the function. +// When `BN_CTX_end` is called, the `BIGNUM` pointers obtained from +// `BN_CTX_get` become invalid. // BN_CTX_new returns a new, empty BN_CTX or NULL on allocation failure. OPENSSL_EXPORT BN_CTX *BN_CTX_new(void); -// BN_CTX_free frees all BIGNUMs contained in |ctx| and then frees |ctx| +// BN_CTX_free frees all BIGNUMs contained in `ctx` and then frees `ctx` // itself. OPENSSL_EXPORT void BN_CTX_free(BN_CTX *ctx); -// BN_CTX_start "pushes" a new entry onto the |ctx| stack and allows future -// calls to |BN_CTX_get|. +// BN_CTX_start "pushes" a new entry onto the `ctx` stack and allows future +// calls to `BN_CTX_get`. 
OPENSSL_EXPORT void BN_CTX_start(BN_CTX *ctx); -// BN_CTX_get returns a new |BIGNUM|, or NULL on allocation failure. Once -// |BN_CTX_get| has returned NULL, all future calls will also return NULL until -// |BN_CTX_end| is called. +// BN_CTX_get returns a new `BIGNUM`, or NULL on allocation failure. Once +// `BN_CTX_get` has returned NULL, all future calls will also return NULL until +// `BN_CTX_end` is called. OPENSSL_EXPORT BIGNUM *BN_CTX_get(BN_CTX *ctx); -// BN_CTX_end invalidates all |BIGNUM|s returned from |BN_CTX_get| since the -// matching |BN_CTX_start| call. +// BN_CTX_end invalidates all `BIGNUM`s returned from `BN_CTX_get` since the +// matching `BN_CTX_start` call. OPENSSL_EXPORT void BN_CTX_end(BN_CTX *ctx); // Simple arithmetic -// BN_add sets |r| = |a| + |b|, where |r| may be the same pointer as either |a| -// or |b|. It returns one on success and zero on allocation failure. +// BN_add sets `r` = `a` + `b`, where `r` may be the same pointer as either `a` +// or `b`. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// BN_uadd sets |r| = |a| + |b|, considering only the absolute values of |a| and -// |b|. |r| may be the same pointer as either |a| or |b|. It returns one on +// BN_uadd sets `r` = `a` + `b`, considering only the absolute values of `a` and +// `b`. `r` may be the same pointer as either `a` or `b`. It returns one on // success and zero on allocation failure. OPENSSL_EXPORT int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// BN_add_word adds |w| to |a|. It returns one on success and zero otherwise. +// BN_add_word adds `w` to `a`. It returns one on success and zero otherwise. OPENSSL_EXPORT int BN_add_word(BIGNUM *a, BN_ULONG w); -// BN_sub sets |r| = |a| - |b|, where |r| may be the same pointer as either |a| -// or |b|. It returns one on success and zero on allocation failure. 
+// BN_sub sets `r` = `a` - `b`, where `r` may be the same pointer as either `a` +// or `b`. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// BN_usub sets |r| = |a| - |b|, considering only the absolute values of |a| and -// |b|. The result must be non-negative, i.e. |b| <= |a|. |r| may be the same -// pointer as either |a| or |b|. It returns one on success and zero on error. +// BN_usub sets `r` = `a` - `b`, considering only the absolute values of `a` and +// `b`. The result must be non-negative, i.e. `b` <= `a`. `r` may be the same +// pointer as either `a` or `b`. It returns one on success and zero on error. OPENSSL_EXPORT int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); -// BN_sub_word subtracts |w| from |a|. It returns one on success and zero on +// BN_sub_word subtracts `w` from `a`. It returns one on success and zero on // allocation failure. OPENSSL_EXPORT int BN_sub_word(BIGNUM *a, BN_ULONG w); -// BN_mul sets |r| = |a| * |b|, where |r| may be the same pointer as |a| or -// |b|. Returns one on success and zero otherwise. +// BN_mul sets `r` = `a` * `b`, where `r` may be the same pointer as `a` or +// `b`. Returns one on success and zero otherwise. OPENSSL_EXPORT int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// BN_mul_word sets |bn| = |bn| * |w|. It returns one on success or zero on +// BN_mul_word sets `bn` = `bn` * `w`. It returns one on success or zero on // allocation failure. OPENSSL_EXPORT int BN_mul_word(BIGNUM *bn, BN_ULONG w); -// BN_sqr sets |r| = |a|^2 (i.e. squares), where |r| may be the same pointer as -// |a|. Returns one on success and zero otherwise. This is more efficient than +// BN_sqr sets `r` = `a`^2 (i.e. squares), where `r` may be the same pointer as +// `a`. Returns one on success and zero otherwise. This is more efficient than // BN_mul(r, a, a, ctx). 
OPENSSL_EXPORT int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); -// BN_div divides |numerator| by |divisor| and places the result in |quotient| -// and the remainder in |rem|. Either of |quotient| or |rem| may be NULL, in +// BN_div divides `numerator` by `divisor` and places the result in `quotient` +// and the remainder in `rem`. Either of `quotient` or `rem` may be NULL, in // which case the respective value is not returned. It returns one on success or -// zero on error. It is an error condition if |divisor| is zero. +// zero on error. It is an error condition if `divisor` is zero. // -// The outputs will be such that |quotient| * |divisor| + |rem| = |numerator|, -// with the quotient rounded towards zero. Thus, if |numerator| is negative, -// |rem| will be zero or negative. If |divisor| is negative, the sign of -// |quotient| will be flipped to compensate but otherwise rounding will be as if -// |divisor| were its absolute value. +// The outputs will be such that `quotient` * `divisor` + `rem` = `numerator`, +// with the quotient rounded towards zero. Thus, if `numerator` is negative, +// `rem` will be zero or negative. If `divisor` is negative, the sign of +// `quotient` will be flipped to compensate but otherwise rounding will be as if +// `divisor` were its absolute value. OPENSSL_EXPORT int BN_div(BIGNUM *quotient, BIGNUM *rem, const BIGNUM *numerator, const BIGNUM *divisor, BN_CTX *ctx); -// BN_div_word sets |numerator| = |numerator|/|divisor| and returns the +// BN_div_word sets `numerator` = `numerator`/`divisor` and returns the // remainder or (BN_ULONG)-1 on error. OPENSSL_EXPORT BN_ULONG BN_div_word(BIGNUM *numerator, BN_ULONG divisor); -// BN_sqrt sets |*out_sqrt| (which may be the same |BIGNUM| as |in|) to the -// square root of |in|, using |ctx|. It returns one on success or zero on +// BN_sqrt sets `*out_sqrt` (which may be the same `BIGNUM` as `in`) to the +// square root of `in`, using `ctx`. It returns one on success or zero on // error. 
Negative numbers and non-square numbers will result in an error with // appropriate errors on the error queue. OPENSSL_EXPORT int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx); 
@@ -341,213 +341,213 @@ OPENSSL_EXPORT int BN_sqrt(BIGNUM *out_sqrt, const BIGNUM *in, BN_CTX *ctx); // Comparison functions -// BN_cmp returns a value less than, equal to or greater than zero if |a| is -// less than, equal to or greater than |b|, respectively. +// BN_cmp returns a value less than, equal to or greater than zero if `a` is +// less than, equal to or greater than `b`, respectively. OPENSSL_EXPORT int BN_cmp(const BIGNUM *a, const BIGNUM *b); -// BN_cmp_word is like |BN_cmp| except it takes its second argument as a -// |BN_ULONG| instead of a |BIGNUM|. +// BN_cmp_word is like `BN_cmp` except it takes its second argument as a +// `BN_ULONG` instead of a `BIGNUM`. OPENSSL_EXPORT int BN_cmp_word(const BIGNUM *a, BN_ULONG b); // BN_ucmp returns a value less than, equal to or greater than zero if the -// absolute value of |a| is less than, equal to or greater than the absolute -// value of |b|, respectively. +// absolute value of `a` is less than, equal to or greater than the absolute +// value of `b`, respectively. OPENSSL_EXPORT int BN_ucmp(const BIGNUM *a, const BIGNUM *b); -// BN_equal_consttime returns one if |a| is equal to |b|, and zero otherwise. -// It takes an amount of time dependent on the sizes of |a| and |b|, but -// independent of the contents (including the signs) of |a| and |b|. +// BN_equal_consttime returns one if `a` is equal to `b`, and zero otherwise. +// It takes an amount of time dependent on the sizes of `a` and `b`, but +// independent of the contents (including the signs) of `a` and `b`. OPENSSL_EXPORT int BN_equal_consttime(const BIGNUM *a, const BIGNUM *b); -// BN_abs_is_word returns one if the absolute value of |bn| equals |w| and zero +// BN_abs_is_word returns one if the absolute value of `bn` equals `w` and zero // otherwise. OPENSSL_EXPORT int BN_abs_is_word(const BIGNUM *bn, BN_ULONG w); -// BN_is_zero returns one if |bn| is zero and zero otherwise. +// BN_is_zero returns one if `bn` is zero and zero otherwise. 
OPENSSL_EXPORT int BN_is_zero(const BIGNUM *bn); -// BN_is_one returns one if |bn| equals one and zero otherwise. +// BN_is_one returns one if `bn` equals one and zero otherwise. OPENSSL_EXPORT int BN_is_one(const BIGNUM *bn); -// BN_is_word returns one if |bn| is exactly |w| and zero otherwise. +// BN_is_word returns one if `bn` is exactly `w` and zero otherwise. OPENSSL_EXPORT int BN_is_word(const BIGNUM *bn, BN_ULONG w); -// BN_is_odd returns one if |bn| is odd and zero otherwise. +// BN_is_odd returns one if `bn` is odd and zero otherwise. OPENSSL_EXPORT int BN_is_odd(const BIGNUM *bn); -// BN_is_pow2 returns 1 if |a| is a power of two, and 0 otherwise. +// BN_is_pow2 returns 1 if `a` is a power of two, and 0 otherwise. OPENSSL_EXPORT int BN_is_pow2(const BIGNUM *a); // Bitwise operations. -// BN_lshift sets |r| equal to |a| << n. The |a| and |r| arguments may be the -// same |BIGNUM|. It returns one on success and zero on allocation failure. +// BN_lshift sets `r` equal to `a` << n. The `a` and `r` arguments may be the +// same `BIGNUM`. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_lshift(BIGNUM *r, const BIGNUM *a, int n); -// BN_lshift1 sets |r| equal to |a| << 1, where |r| and |a| may be the same +// BN_lshift1 sets `r` equal to `a` << 1, where `r` and `a` may be the same // pointer. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_lshift1(BIGNUM *r, const BIGNUM *a); -// BN_rshift sets |r| equal to |a| >> n, where |r| and |a| may be the same +// BN_rshift sets `r` equal to `a` >> n, where `r` and `a` may be the same // pointer. It returns one on success and zero on allocation failure. OPENSSL_EXPORT int BN_rshift(BIGNUM *r, const BIGNUM *a, int n); -// BN_rshift1 sets |r| equal to |a| >> 1, where |r| and |a| may be the same +// BN_rshift1 sets `r` equal to `a` >> 1, where `r` and `a` may be the same // pointer. It returns one on success and zero on allocation failure. 
OPENSSL_EXPORT int BN_rshift1(BIGNUM *r, const BIGNUM *a); -// BN_set_bit sets the |n|th, least-significant bit in |a|. For example, if |a| +// BN_set_bit sets the `n`th, least-significant bit in `a`. For example, if `a` // is 2 then setting bit zero will make it 3. It returns one on success or zero // on allocation failure. OPENSSL_EXPORT int BN_set_bit(BIGNUM *a, int n); -// BN_clear_bit clears the |n|th, least-significant bit in |a|. For example, if -// |a| is 3, clearing bit zero will make it two. It returns one on success or +// BN_clear_bit clears the `n`th, least-significant bit in `a`. For example, if +// `a` is 3, clearing bit zero will make it two. It returns one on success or // zero on allocation failure. OPENSSL_EXPORT int BN_clear_bit(BIGNUM *a, int n); -// BN_is_bit_set returns one if the |n|th least-significant bit in |a| exists +// BN_is_bit_set returns one if the `n`th least-significant bit in `a` exists // and is set. Otherwise, it returns zero. OPENSSL_EXPORT int BN_is_bit_set(const BIGNUM *a, int n); -// BN_mask_bits truncates |a| so that it is only |n| bits long. It returns one -// on success or zero if |n| is negative. +// BN_mask_bits truncates `a` so that it is only `n` bits long. It returns one +// on success or zero if `n` is negative. // -// This differs from OpenSSL which additionally returns zero if |a|'s word -// length is less than or equal to |n|, rounded down to a number of words. Note +// This differs from OpenSSL which additionally returns zero if `a`'s word +// length is less than or equal to `n`, rounded down to a number of words. Note // word size is platform-dependent, so this behavior is also difficult to rely // on in OpenSSL and not very useful. OPENSSL_EXPORT int BN_mask_bits(BIGNUM *a, int n); -// BN_count_low_zero_bits returns the number of low-order zero bits in |bn|, or -// the number of factors of two which divide it. 
It returns zero if |bn| is +// BN_count_low_zero_bits returns the number of low-order zero bits in `bn`, or +// the number of factors of two which divide it. It returns zero if `bn` is // zero. OPENSSL_EXPORT int BN_count_low_zero_bits(const BIGNUM *bn); // Modulo arithmetic. -// BN_mod_word returns |a| mod |w| or (BN_ULONG)-1 on error. +// BN_mod_word returns `a` mod `w` or (BN_ULONG)-1 on error. OPENSSL_EXPORT BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w); -// BN_mod_pow2 sets |r| = |a| mod 2^|e|. It returns 1 on success and +// BN_mod_pow2 sets `r` = `a` mod 2^`e`. It returns 1 on success and // 0 on error. OPENSSL_EXPORT int BN_mod_pow2(BIGNUM *r, const BIGNUM *a, size_t e); -// BN_nnmod_pow2 sets |r| = |a| mod 2^|e| where |r| is always positive. +// BN_nnmod_pow2 sets `r` = `a` mod 2^`e` where `r` is always positive. // It returns 1 on success and 0 on error. OPENSSL_EXPORT int BN_nnmod_pow2(BIGNUM *r, const BIGNUM *a, size_t e); -// BN_mod is a helper macro that calls |BN_div| and discards the quotient. +// BN_mod is a helper macro that calls `BN_div` and discards the quotient. #define BN_mod(rem, numerator, divisor, ctx) \ BN_div(NULL, (rem), (numerator), (divisor), (ctx)) -// BN_nnmod is a non-negative modulo function. It acts like |BN_mod|, but 0 <= -// |rem| < |divisor| is always true. It returns one on success and zero on +// BN_nnmod is a non-negative modulo function. It acts like `BN_mod`, but 0 <= +// `rem` < `divisor` is always true. It returns one on success and zero on // error. OPENSSL_EXPORT int BN_nnmod(BIGNUM *rem, const BIGNUM *numerator, const BIGNUM *divisor, BN_CTX *ctx); -// BN_mod_add sets |r| = |a| + |b| mod |m|. It returns one on success and zero +// BN_mod_add sets `r` = `a` + `b` mod `m`. It returns one on success and zero // on error. 
OPENSSL_EXPORT int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_add_quick acts like |BN_mod_add| but requires that |a| and |b| be -// non-negative and less than |m|. +// BN_mod_add_quick acts like `BN_mod_add` but requires that `a` and `b` be +// non-negative and less than `m`. OPENSSL_EXPORT int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); -// BN_mod_sub sets |r| = |a| - |b| mod |m|. It returns one on success and zero +// BN_mod_sub sets `r` = `a` - `b` mod `m`. It returns one on success and zero // on error. OPENSSL_EXPORT int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_sub_quick acts like |BN_mod_sub| but requires that |a| and |b| be -// non-negative and less than |m|. +// BN_mod_sub_quick acts like `BN_mod_sub` but requires that `a` and `b` be +// non-negative and less than `m`. OPENSSL_EXPORT int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m); -// BN_mod_mul sets |r| = |a|*|b| mod |m|. It returns one on success and zero +// BN_mod_mul sets `r` = `a`*`b` mod `m`. It returns one on success and zero // on error. OPENSSL_EXPORT int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_sqr sets |r| = |a|^2 mod |m|. It returns one on success and zero +// BN_mod_sqr sets `r` = `a`^2 mod `m`. It returns one on success and zero // on error. OPENSSL_EXPORT int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_lshift sets |r| = (|a| << n) mod |m|, where |r| and |a| may be the +// BN_mod_lshift sets `r` = (`a` << n) mod `m`, where `r` and `a` may be the // same pointer. It returns one on success and zero on error. OPENSSL_EXPORT int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_lshift_quick acts like |BN_mod_lshift| but requires that |a| be -// non-negative and less than |m|. 
+// BN_mod_lshift_quick acts like `BN_mod_lshift` but requires that `a` be +// non-negative and less than `m`. OPENSSL_EXPORT int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m); -// BN_mod_lshift1 sets |r| = (|a| << 1) mod |m|, where |r| and |a| may be the +// BN_mod_lshift1 sets `r` = (`a` << 1) mod `m`, where `r` and `a` may be the // same pointer. It returns one on success and zero on error. OPENSSL_EXPORT int BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_lshift1_quick acts like |BN_mod_lshift1| but requires that |a| be -// non-negative and less than |m|. +// BN_mod_lshift1_quick acts like `BN_mod_lshift1` but requires that `a` be +// non-negative and less than `m`. OPENSSL_EXPORT int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m); -// BN_mod_sqrt returns a newly-allocated |BIGNUM|, r, such that -// r^2 == a (mod p). It returns NULL on error or if |a| is not a square mod |p|. -// In the latter case, it will add |BN_R_NOT_A_SQUARE| to the error queue. -// If |a| is a square and |p| > 2, there are two possible square roots. This +// BN_mod_sqrt returns a newly-allocated `BIGNUM`, r, such that +// r^2 == a (mod p). It returns NULL on error or if `a` is not a square mod `p`. +// In the latter case, it will add `BN_R_NOT_A_SQUARE` to the error queue. +// If `a` is a square and `p` > 2, there are two possible square roots. This // function may return either and may even select one non-deterministically. // -// If |in| is non-NULL, the function, instead of allocating the result, stores -// the result in |in| and returns |in| on success or NULL on failure. +// If `in` is non-NULL, the function, instead of allocating the result, stores +// the result in `in` and returns `in` on success or NULL on failure. // -// This function only works if |p| is a prime. If |p| is composite, it may fail +// This function only works if `p` is a prime. 
If `p` is composite, it may fail // or return an arbitrary value. Callers should not pass attacker-controlled -// values of |p|. +// values of `p`. OPENSSL_EXPORT BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); // Random and prime number generation. -// The following are values for the |top| parameter of |BN_rand|. +// The following are values for the `top` parameter of `BN_rand`. #define BN_RAND_TOP_ANY (-1) #define BN_RAND_TOP_ONE 0 #define BN_RAND_TOP_TWO 1 -// The following are values for the |bottom| parameter of |BN_rand|. +// The following are values for the `bottom` parameter of `BN_rand`. #define BN_RAND_BOTTOM_ANY 0 #define BN_RAND_BOTTOM_ODD 1 -// BN_rand sets |rnd| to a random number of length |bits|. It returns one on +// BN_rand sets `rnd` to a random number of length `bits`. It returns one on // success and zero otherwise. // -// |top| must be one of the |BN_RAND_TOP_*| values. If |BN_RAND_TOP_ONE|, the -// most-significant bit, if any, will be set. If |BN_RAND_TOP_TWO|, the two -// most significant bits, if any, will be set. If |BN_RAND_TOP_ANY|, no extra -// action will be taken and |BN_num_bits(rnd)| may not equal |bits| if the most +// `top` must be one of the `BN_RAND_TOP_*` values. If `BN_RAND_TOP_ONE`, the +// most-significant bit, if any, will be set. If `BN_RAND_TOP_TWO`, the two +// most significant bits, if any, will be set. If `BN_RAND_TOP_ANY`, no extra +// action will be taken and `BN_num_bits(rnd)` may not equal `bits` if the most // significant bits randomly ended up as zeros. // -// |bottom| must be one of the |BN_RAND_BOTTOM_*| values. If -// |BN_RAND_BOTTOM_ODD|, the least-significant bit, if any, will be set. If -// |BN_RAND_BOTTOM_ANY|, no extra action will be taken. +// `bottom` must be one of the `BN_RAND_BOTTOM_*` values. If +// `BN_RAND_BOTTOM_ODD`, the least-significant bit, if any, will be set. If +// `BN_RAND_BOTTOM_ANY`, no extra action will be taken. 
OPENSSL_EXPORT int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); -// BN_pseudo_rand is an alias for |BN_rand|. +// BN_pseudo_rand is an alias for `BN_rand`. OPENSSL_EXPORT int BN_pseudo_rand(BIGNUM *rnd, int bits, int top, int bottom); -// BN_rand_range is equivalent to |BN_rand_range_ex| with |min_inclusive| set -// to zero and |max_exclusive| set to |range|. +// BN_rand_range is equivalent to `BN_rand_range_ex` with `min_inclusive` set +// to zero and `max_exclusive` set to `range`. OPENSSL_EXPORT int BN_rand_range(BIGNUM *rnd, const BIGNUM *range); -// BN_rand_range_ex sets |rnd| to a random value in +// BN_rand_range_ex sets `rnd` to a random value in // [min_inclusive..max_exclusive). It returns one on success and zero // otherwise. OPENSSL_EXPORT int BN_rand_range_ex(BIGNUM *r, BN_ULONG min_inclusive, @@ -559,12 +559,12 @@ OPENSSL_EXPORT int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); #define BN_GENCB_GENERATED 0 #define BN_GENCB_PRIME_TEST 1 -// bn_gencb_st, or |BN_GENCB|, holds a callback function that is used by +// bn_gencb_st, or `BN_GENCB`, holds a callback function that is used by // generation functions that can take a very long time to complete. Use -// |BN_GENCB_set| to initialise a |BN_GENCB| structure. +// `BN_GENCB_set` to initialise a `BN_GENCB` structure. // -// The callback receives the address of that |BN_GENCB| structure as its last -// argument and the user is free to put an arbitrary pointer in |arg|. The other +// The callback receives the address of that `BN_GENCB` structure as its last +// argument and the user is free to put an arbitrary pointer in `arg`. The other // arguments are set as follows: // - event=BN_GENCB_GENERATED, n=i: after generating the i'th possible prime // number. 
@@ -582,57 +582,57 @@ struct bn_gencb_st { int (*callback)(int event, int n, struct bn_gencb_st *); }; -// BN_GENCB_new returns a newly-allocated |BN_GENCB| object, or NULL on -// allocation failure. The result must be released with |BN_GENCB_free| when +// BN_GENCB_new returns a newly-allocated `BN_GENCB` object, or NULL on +// allocation failure. The result must be released with `BN_GENCB_free` when // done. OPENSSL_EXPORT BN_GENCB *BN_GENCB_new(void); -// BN_GENCB_free releases memory associated with |callback|. +// BN_GENCB_free releases memory associated with `callback`. OPENSSL_EXPORT void BN_GENCB_free(BN_GENCB *callback); -// BN_GENCB_set configures |callback| to call |f| and sets |callout->arg| to -// |arg|. +// BN_GENCB_set configures `callback` to call `f` and sets `callout->arg` to +// `arg`. OPENSSL_EXPORT void BN_GENCB_set(BN_GENCB *callback, int (*f)(int event, int n, BN_GENCB *), void *arg); -// BN_GENCB_call calls |callback|, if not NULL, and returns the return value of -// the callback, or 1 if |callback| is NULL. +// BN_GENCB_call calls `callback`, if not NULL, and returns the return value of +// the callback, or 1 if `callback` is NULL. OPENSSL_EXPORT int BN_GENCB_call(BN_GENCB *callback, int event, int n); -// BN_GENCB_get_arg returns |callback->arg|. +// BN_GENCB_get_arg returns `callback->arg`. OPENSSL_EXPORT void *BN_GENCB_get_arg(const BN_GENCB *callback); -// BN_generate_prime_ex sets |ret| to a prime number of |bits| length. If safe +// BN_generate_prime_ex sets `ret` to a prime number of `bits` length. If safe // is non-zero then the prime will be such that (ret-1)/2 is also a prime. // (This is needed for Diffie-Hellman groups to ensure that the only subgroups // are of size 2 and (p-1)/2.). // -// If |add| is not NULL, the prime will fulfill the condition |ret| % |add| == -// |rem| in order to suit a given generator. (If |rem| is NULL then |ret| % -// |add| == 1.) 
+// If `add` is not NULL, the prime will fulfill the condition `ret` % `add` == +// `rem` in order to suit a given generator. (If `rem` is NULL then `ret` % +// `add` == 1.) // -// If |cb| is not NULL, it will be called during processing to give an -// indication of progress. See the comments for |BN_GENCB|. It returns one on +// If `cb` is not NULL, it will be called during processing to give an +// indication of progress. See the comments for `BN_GENCB`. It returns one on // success and zero otherwise. OPENSSL_EXPORT int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb); -// BN_prime_checks_for_validation can be used as the |checks| argument to the +// BN_prime_checks_for_validation can be used as the `checks` argument to the // primarily testing functions when validating an externally-supplied candidate // prime. It gives a false positive rate of at most 2^{-128}. (The worst case // false positive rate for a single iteration is 1/4 per // https://eprint.iacr.org/2018/749. (1/4)^64 = 2^{-128}.) #define BN_prime_checks_for_validation 64 -// BN_prime_checks_for_generation can be used as the |checks| argument to the +// BN_prime_checks_for_generation can be used as the `checks` argument to the // primality testing functions when generating random primes. It gives a false // positive rate at most the security level of the corresponding RSA key size. // // Note this value only performs enough checks if the candidate prime was // selected randomly. If validating an externally-supplied candidate, especially -// one that may be selected adversarially, use |BN_prime_checks_for_validation| +// one that may be selected adversarially, use `BN_prime_checks_for_validation` // instead. #define BN_prime_checks_for_generation 0 
@@ -643,34 +643,34 @@ enum bn_primality_result_t { bn_non_prime_power_composite, }; -// BN_enhanced_miller_rabin_primality_test tests whether |w| is probably a prime +// BN_enhanced_miller_rabin_primality_test tests whether `w` is probably a prime // number using the Enhanced Miller-Rabin Test (FIPS 186-5 B.3.2) with -// |checks| iterations and returns the result in |out_result|. Enhanced +// `checks` iterations and returns the result in `out_result`. Enhanced // Miller-Rabin tests primality for odd integers greater than 3, returning -// |bn_probably_prime| if the number is probably prime, -// |bn_non_prime_power_composite| if the number is a composite that is not the -// power of a single prime, and |bn_composite| otherwise. It returns one on -// success and zero on failure. If |cb| is not NULL, then it is called during +// `bn_probably_prime` if the number is probably prime, +// `bn_non_prime_power_composite` if the number is a composite that is not the +// power of a single prime, and `bn_composite` otherwise. It returns one on +// success and zero on failure. If `cb` is not NULL, then it is called during // each iteration of the primality test. // -// See |BN_prime_checks_for_validation| and |BN_prime_checks_for_generation| for -// recommended values of |checks|. +// See `BN_prime_checks_for_validation` and `BN_prime_checks_for_generation` for +// recommended values of `checks`. OPENSSL_EXPORT int BN_enhanced_miller_rabin_primality_test( enum bn_primality_result_t *out_result, const BIGNUM *w, int checks, BN_CTX *ctx, BN_GENCB *cb); -// BN_primality_test sets |*is_probably_prime| to one if |candidate| is +// BN_primality_test sets `*is_probably_prime` to one if `candidate` is // probably a prime number by the Miller-Rabin test or zero if it's certainly // not. 
// -// If |do_trial_division| is non-zero then |candidate| will be tested against a +// If `do_trial_division` is non-zero then `candidate` will be tested against a // list of small primes before Miller-Rabin tests. The probability of this // function returning a false positive is at most 2^{2*checks}. See -// |BN_prime_checks_for_validation| and |BN_prime_checks_for_generation| for -// recommended values of |checks|. +// `BN_prime_checks_for_validation` and `BN_prime_checks_for_generation` for +// recommended values of `checks`. // -// If |cb| is not NULL then it is called during the checking process. See the -// comment above |BN_GENCB|. +// If `cb` is not NULL then it is called during the checking process. See the +// comment above `BN_GENCB`. // // The function returns one on success and zero on error. OPENSSL_EXPORT int BN_primality_test(int *is_probably_prime, 
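Review bot: The comment on BN_primality_test in this hunk gives the false-positive bound as `2^{2*checks}`, which grows with the number of iterations; the exponent is missing its minus sign. The comment on BN_prime_checks_for_validation earlier on the page gives 1/4 per iteration and (1/4)^64 = 2^{-128}, so the line should read `// function returning a false positive is at most 2^{-2*checks}. See`. The same wording sits on the rewritten `+` line for BN_is_prime_fasttest_ex in the next hunk, which should become `is composite is at most 2^{-2*checks}.`. The BN_primality_test declaration itself continues outside this hunk. If this header is copied from an upstream tree, the correction is better sent there so a later sync does not bring the old text back.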
@@ -678,72 +678,72 @@ OPENSSL_EXPORT int BN_primality_test(int *is_probably_prime, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); -// BN_is_prime_fasttest_ex returns one if |candidate| is probably a prime +// BN_is_prime_fasttest_ex returns one if `candidate` is probably a prime // number by the Miller-Rabin test, zero if it's certainly not and -1 on error. // -// If |do_trial_division| is non-zero then |candidate| will be tested against a +// If `do_trial_division` is non-zero then `candidate` will be tested against a // list of small primes before Miller-Rabin tests. The probability of this -// function returning one when |candidate| is composite is at most 2^{2*checks}. -// See |BN_prime_checks_for_validation| and |BN_prime_checks_for_generation| for -// recommended values of |checks|. +// function returning one when `candidate` is composite is at most 2^{2*checks}. +// See `BN_prime_checks_for_validation` and `BN_prime_checks_for_generation` for +// recommended values of `checks`. // -// If |cb| is not NULL then it is called during the checking process. See the -// comment above |BN_GENCB|. +// If `cb` is not NULL then it is called during the checking process. See the +// comment above `BN_GENCB`. // -// WARNING: deprecated. Use |BN_primality_test|. +// WARNING: deprecated. Use `BN_primality_test`. OPENSSL_EXPORT int BN_is_prime_fasttest_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); -// BN_is_prime_ex acts the same as |BN_is_prime_fasttest_ex| with -// |do_trial_division| set to zero. +// BN_is_prime_ex acts the same as `BN_is_prime_fasttest_ex` with +// `do_trial_division` set to zero. // -// WARNING: deprecated: Use |BN_primality_test|. +// WARNING: deprecated: Use `BN_primality_test`. OPENSSL_EXPORT int BN_is_prime_ex(const BIGNUM *candidate, int checks, BN_CTX *ctx, BN_GENCB *cb); // Number theory functions -// BN_gcd sets |r| = gcd(|a|, |b|). 
It returns one on success and zero +// BN_gcd sets `r` = gcd(`a`, `b`). It returns one on success and zero // otherwise. OPENSSL_EXPORT int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// BN_mod_inverse sets |out| equal to |a|^-1, mod |n|. If |out| is NULL, a +// BN_mod_inverse sets `out` equal to `a`^-1, mod `n`. If `out` is NULL, a // fresh BIGNUM is allocated. It returns the result or NULL on error. // -// If |n| is even then the operation is performed using an algorithm that avoids +// If `n` is even then the operation is performed using an algorithm that avoids // some branches but which isn't constant-time. This function shouldn't be used -// for secret values; use |BN_mod_inverse_blinded| instead. Or, if |n| is +// for secret values; use `BN_mod_inverse_blinded` instead. Or, if `n` is // guaranteed to be prime, use -// |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking +// `BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)`, taking // advantage of Fermat's Little Theorem. OPENSSL_EXPORT BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); -// BN_mod_inverse_blinded sets |out| equal to |a|^-1, mod |n|, where |n| is the -// Montgomery modulus for |mont|. |a| must be non-negative and must be less -// than |n|. |n| must be greater than 1. |a| is blinded (masked by a random +// BN_mod_inverse_blinded sets `out` equal to `a`^-1, mod `n`, where `n` is the +// Montgomery modulus for `mont`. `a` must be non-negative and must be less +// than `n`. `n` must be greater than 1. `a` is blinded (masked by a random // value) to protect it against side-channel attacks. On failure, if the failure -// was caused by |a| having no inverse mod |n| then |*out_no_inverse| will be +// was caused by `a` having no inverse mod `n` then `*out_no_inverse` will be // set to one; otherwise it will be set to zero. 
// -// Note this function may incorrectly report |a| has no inverse if the random -// blinding value has no inverse. It should only be used when |n| has few +// Note this function may incorrectly report `a` has no inverse if the random +// blinding value has no inverse. It should only be used when `n` has few // non-invertible elements, such as an RSA modulus. OPENSSL_EXPORT int BN_mod_inverse_blinded(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx); -// BN_mod_inverse_odd sets |out| equal to |a|^-1, mod |n|. |a| must be -// non-negative and must be less than |n|. |n| must be odd. This function -// shouldn't be used for secret values; use |BN_mod_inverse_blinded| instead. -// Or, if |n| is guaranteed to be prime, use -// |BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)|, taking +// BN_mod_inverse_odd sets `out` equal to `a`^-1, mod `n`. `a` must be +// non-negative and must be less than `n`. `n` must be odd. This function +// shouldn't be used for secret values; use `BN_mod_inverse_blinded` instead. +// Or, if `n` is guaranteed to be prime, use +// `BN_mod_exp_mont_consttime(out, a, m_minus_2, m, ctx, m_mont)`, taking // advantage of Fermat's Little Theorem. It returns one on success or zero on -// failure. On failure, if the failure was caused by |a| having no inverse mod -// |n| then |*out_no_inverse| will be set to one; otherwise it will be set to +// failure. On failure, if the failure was caused by `a` having no inverse mod +// `n` then `*out_no_inverse` will be set to one; otherwise it will be set to // zero. int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); 
@@ -754,41 +754,41 @@ int BN_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a, // BN_MONT_CTX contains the precomputed values needed to work in a specific // Montgomery domain. -// BN_MONT_CTX_new_for_modulus returns a fresh |BN_MONT_CTX| given the modulus, -// |mod| or NULL on error. Note this function assumes |mod| is public. +// BN_MONT_CTX_new_for_modulus returns a fresh `BN_MONT_CTX` given the modulus, +// `mod` or NULL on error. Note this function assumes `mod` is public. OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new_for_modulus(const BIGNUM *mod, BN_CTX *ctx); -// BN_MONT_CTX_new_consttime behaves like |BN_MONT_CTX_new_for_modulus| but -// treats |mod| as secret. +// BN_MONT_CTX_new_consttime behaves like `BN_MONT_CTX_new_for_modulus` but +// treats `mod` as secret. OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new_consttime(const BIGNUM *mod, BN_CTX *ctx); -// BN_MONT_CTX_free frees memory associated with |mont|. +// BN_MONT_CTX_free frees memory associated with `mont`. OPENSSL_EXPORT void BN_MONT_CTX_free(BN_MONT_CTX *mont); -// BN_MONT_CTX_copy sets |to| equal to |from|. It returns |to| on success or +// BN_MONT_CTX_copy sets `to` equal to `from`. It returns `to` on success or // NULL on error. OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to, const BN_MONT_CTX *from); -// BN_to_montgomery sets |ret| equal to |a| in the Montgomery domain. |a| is -// assumed to be in the range [0, n), where |n| is the Montgomery modulus. It +// BN_to_montgomery sets `ret` equal to `a` in the Montgomery domain. `a` is +// assumed to be in the range [0, n), where `n` is the Montgomery modulus. It // returns one on success or zero on error. OPENSSL_EXPORT int BN_to_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx); -// BN_from_montgomery sets |ret| equal to |a| * R^-1, i.e. translates values out -// of the Montgomery domain. |a| is assumed to be in the range [0, n*R), where -// |n| is the Montgomery modulus. 
Note n < R, so inputs in the range [0, n*n) +// BN_from_montgomery sets `ret` equal to `a` * R^-1, i.e. translates values out +// of the Montgomery domain. `a` is assumed to be in the range [0, n*R), where +// `n` is the Montgomery modulus. Note n < R, so inputs in the range [0, n*n) // are valid. This function returns one on success or zero on error. OPENSSL_EXPORT int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, const BN_MONT_CTX *mont, BN_CTX *ctx); -// BN_mod_mul_montgomery set |r| equal to |a| * |b|, in the Montgomery domain. -// Both |a| and |b| must already be in the Montgomery domain (by -// |BN_to_montgomery|). In particular, |a| and |b| are assumed to be in the -// range [0, n), where |n| is the Montgomery modulus. It returns one on success +// BN_mod_mul_montgomery set `r` equal to `a` * `b`, in the Montgomery domain. +// Both `a` and `b` must already be in the Montgomery domain (by +// `BN_to_montgomery`). In particular, `a` and `b` are assumed to be in the +// range [0, n), where `n` is the Montgomery modulus. It returns one on success // or zero on error. OPENSSL_EXPORT int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, 
@@ -797,27 +797,27 @@ OPENSSL_EXPORT int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, // Exponentiation. -// BN_exp sets |r| equal to |a|^{|p|}. It does so with a square-and-multiply +// BN_exp sets `r` equal to `a`^{`p`}. It does so with a square-and-multiply // algorithm that leaks side-channel information. It returns one on success or // zero otherwise. OPENSSL_EXPORT int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -// BN_mod_exp sets |r| equal to |a|^{|p|} mod |m|. It does so with the best +// BN_mod_exp sets `r` equal to `a`^{`p`} mod `m`. It does so with the best // algorithm for the values provided. It returns one on success or zero -// otherwise. The |BN_mod_exp_mont_consttime| variant must be used if the +// otherwise. The `BN_mod_exp_mont_consttime` variant must be used if the // exponent is secret. OPENSSL_EXPORT int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx); -// BN_mod_exp_mont behaves like |BN_mod_exp| but treats |a| as secret and -// requires 0 <= |a| < |m|. +// BN_mod_exp_mont behaves like `BN_mod_exp` but treats `a` as secret and +// requires 0 <= `a` < `m`. OPENSSL_EXPORT int BN_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, const BN_MONT_CTX *mont); -// BN_mod_exp_mont_consttime behaves like |BN_mod_exp| but treats |a|, |p|, and -// |m| as secret and requires 0 <= |a| < |m|. +// BN_mod_exp_mont_consttime behaves like `BN_mod_exp` but treats `a`, `p`, and +// `m` as secret and requires 0 <= `a` < `m`. OPENSSL_EXPORT int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, 
@@ -826,24 +826,24 @@ OPENSSL_EXPORT int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, // Deprecated functions -// BN_bn2mpi serialises the value of |in| to |out|, using a format that consists +// BN_bn2mpi serialises the value of `in` to `out`, using a format that consists // of the number's length in bytes represented as a 4-byte big-endian number, // and the number itself in big-endian format, where the most significant bit // signals a negative number. (The representation of numbers with the MSB set is -// prefixed with null byte). |out| must have sufficient space available; to -// find the needed amount of space, call the function with |out| set to NULL. +// prefixed with null byte). `out` must have sufficient space available; to +// find the needed amount of space, call the function with `out` set to NULL. OPENSSL_EXPORT size_t BN_bn2mpi(const BIGNUM *in, uint8_t *out); -// BN_mpi2bn parses |len| bytes from |in| and returns the resulting value. The -// bytes at |in| are expected to be in the format emitted by |BN_bn2mpi|. +// BN_mpi2bn parses `len` bytes from `in` and returns the resulting value. The +// bytes at `in` are expected to be in the format emitted by `BN_bn2mpi`. // -// If |out| is NULL then a fresh |BIGNUM| is allocated and returned, otherwise -// |out| is reused and returned. On error, NULL is returned and the error queue +// If `out` is NULL then a fresh `BIGNUM` is allocated and returned, otherwise +// `out` is reused and returned. On error, NULL is returned and the error queue // is updated. OPENSSL_EXPORT BIGNUM *BN_mpi2bn(const uint8_t *in, size_t len, BIGNUM *out); -// BN_mod_exp_mont_word is like |BN_mod_exp_mont| except that the base |a| is -// given as a |BN_ULONG| instead of a |BIGNUM *|. It returns one on success +// BN_mod_exp_mont_word is like `BN_mod_exp_mont` except that the base `a` is +// given as a `BN_ULONG` instead of a `BIGNUM *`. It returns one on success // or zero otherwise. 
OPENSSL_EXPORT int BN_mod_exp_mont_word(BIGNUM *r, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, 
@@ -856,67 +856,67 @@ OPENSSL_EXPORT int BN_mod_exp2_mont(BIGNUM *r, const BIGNUM *a1, const BIGNUM *p2, const BIGNUM *m, BN_CTX *ctx, const BN_MONT_CTX *mont); -// BN_MONT_CTX_new returns a fresh |BN_MONT_CTX| or NULL on allocation failure. -// Use |BN_MONT_CTX_new_for_modulus| instead. +// BN_MONT_CTX_new returns a fresh `BN_MONT_CTX` or NULL on allocation failure. +// Use `BN_MONT_CTX_new_for_modulus` instead. OPENSSL_EXPORT BN_MONT_CTX *BN_MONT_CTX_new(void); -// BN_MONT_CTX_set sets up a Montgomery context given the modulus, |mod|. It -// returns one on success and zero on error. Use |BN_MONT_CTX_new_for_modulus| +// BN_MONT_CTX_set sets up a Montgomery context given the modulus, `mod`. It +// returns one on success and zero on error. Use `BN_MONT_CTX_new_for_modulus` // instead. OPENSSL_EXPORT int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx); -// BN_bn2binpad behaves like |BN_bn2bin_padded|, but it returns |len| on success +// BN_bn2binpad behaves like `BN_bn2bin_padded`, but it returns `len` on success // and -1 on error. // -// Use |BN_bn2bin_padded| instead. It is |size_t|-clean. +// Use `BN_bn2bin_padded` instead. It is `size_t`-clean. OPENSSL_EXPORT int BN_bn2binpad(const BIGNUM *in, uint8_t *out, int len); -// BN_bn2lebinpad behaves like |BN_bn2le_padded|, but it returns |len| on +// BN_bn2lebinpad behaves like `BN_bn2le_padded`, but it returns `len` on // success and -1 on error. // -// Use |BN_bn2le_padded| instead. It is |size_t|-clean. +// Use `BN_bn2le_padded` instead. It is `size_t`-clean. OPENSSL_EXPORT int BN_bn2lebinpad(const BIGNUM *in, uint8_t *out, int len); -// BN_prime_checks is a deprecated alias for |BN_prime_checks_for_validation|. -// Use |BN_prime_checks_for_generation| or |BN_prime_checks_for_validation| -// instead. (This defaults to the |_for_validation| value in order to be +// BN_prime_checks is a deprecated alias for `BN_prime_checks_for_validation`. 
+// Use `BN_prime_checks_for_generation` or `BN_prime_checks_for_validation` +// instead. (This defaults to the `_for_validation` value in order to be // conservative.) #define BN_prime_checks BN_prime_checks_for_validation -// BN_secure_new calls |BN_new|. +// BN_secure_new calls `BN_new`. OPENSSL_EXPORT BIGNUM *BN_secure_new(void); -// BN_le2bn calls |BN_lebin2bn|. +// BN_le2bn calls `BN_lebin2bn`. OPENSSL_EXPORT BIGNUM *BN_le2bn(const uint8_t *in, size_t len, BIGNUM *ret); // Private functions struct bignum_st { - // d is a pointer to an array of |width| |BN_BITS2|-bit chunks in + // d is a pointer to an array of `width` `BN_BITS2`-bit chunks in // little-endian order. This stores the absolute value of the number. BN_ULONG *d; - // width is the number of elements of |d| which are valid. This value is not - // necessarily minimal; the most-significant words of |d| may be zero. - // |width| determines a potentially loose upper-bound on the absolute value - // of the |BIGNUM|. + // width is the number of elements of `d` which are valid. This value is not + // necessarily minimal; the most-significant words of `d` may be zero. + // `width` determines a potentially loose upper-bound on the absolute value + // of the `BIGNUM`. // - // Functions taking |BIGNUM| inputs must compute the same answer for all - // possible widths. |bn_minimal_width|, |bn_set_minimal_width|, and other + // Functions taking `BIGNUM` inputs must compute the same answer for all + // possible widths. `bn_minimal_width`, `bn_set_minimal_width`, and other // helpers may be used to recover the minimal width, provided it is not // secret. If it is secret, use a different algorithm. Functions may output - // minimal or non-minimal |BIGNUM|s depending on secrecy requirements, but + // minimal or non-minimal `BIGNUM`s depending on secrecy requirements, but // those which cause widths to unboundedly grow beyond the minimal value // should be documented such. 
// - // Note this is different from historical |BIGNUM| semantics. + // Note this is different from historical `BIGNUM` semantics. int width; - // dmax is number of elements of |d| which are allocated. + // dmax is number of elements of `d` which are allocated. int dmax; // neg is one if the number if negative and zero otherwise. int neg; - // flags is a bitmask of |BN_FLG_*| values + // flags is a bitmask of `BN_FLG_*` values int flags; }; @@ -924,7 +924,7 @@ OPENSSL_EXPORT unsigned BN_num_bits_word(BN_ULONG l); #define BN_FLG_MALLOCED 0x01 #define BN_FLG_STATIC_DATA 0x02 -// |BN_FLG_CONSTTIME| has been removed and intentionally omitted so code relying +// `BN_FLG_CONSTTIME` has been removed and intentionally omitted so code relying // on it will not compile. Consumers outside BoringSSL should use the // higher-level cryptographic algorithms exposed by other modules. Consumers // within the library should call the appropriate timing-sensitive algorithm diff --git a/third_party/boringssl/src/include/openssl/buf.h b/third_party/boringssl/src/include/openssl/buf.h index 18ae3a10..338beefe 100644 --- a/third_party/boringssl/src/include/openssl/buf.h +++ b/third_party/boringssl/src/include/openssl/buf.h @@ -25,7 +25,7 @@ extern "C" { // Memory and string functions, see also mem.h. -// buf_mem_st (aka |BUF_MEM|) is a generic buffer object used by OpenSSL. +// buf_mem_st (aka `BUF_MEM`) is a generic buffer object used by OpenSSL. struct buf_mem_st { size_t length; // current number of bytes char *data; 
@@ -35,45 +35,45 @@ struct buf_mem_st { // BUF_MEM_new creates a new BUF_MEM which has no allocated data buffer. OPENSSL_EXPORT BUF_MEM *BUF_MEM_new(void); -// BUF_MEM_free frees |buf->data| if needed and then frees |buf| itself. +// BUF_MEM_free frees `buf->data` if needed and then frees `buf` itself. OPENSSL_EXPORT void BUF_MEM_free(BUF_MEM *buf); -// BUF_MEM_reserve ensures |buf| has capacity |cap| and allocates memory if +// BUF_MEM_reserve ensures `buf` has capacity `cap` and allocates memory if // needed. It returns one on success and zero on error. OPENSSL_EXPORT int BUF_MEM_reserve(BUF_MEM *buf, size_t cap); -// BUF_MEM_grow ensures that |buf| has length |len| and allocates memory if -// needed. If the length of |buf| increased, the new bytes are filled with -// zeros. It returns the length of |buf|, or zero if there's an error. +// BUF_MEM_grow ensures that `buf` has length `len` and allocates memory if +// needed. If the length of `buf` increased, the new bytes are filled with +// zeros. It returns the length of `buf`, or zero if there's an error. OPENSSL_EXPORT size_t BUF_MEM_grow(BUF_MEM *buf, size_t len); -// BUF_MEM_grow_clean calls |BUF_MEM_grow|. BoringSSL always zeros memory +// BUF_MEM_grow_clean calls `BUF_MEM_grow`. BoringSSL always zeros memory // allocated memory on free. OPENSSL_EXPORT size_t BUF_MEM_grow_clean(BUF_MEM *buf, size_t len); -// BUF_MEM_append appends |in| to |buf|. It returns one on success and zero on +// BUF_MEM_append appends `in` to `buf`. It returns one on success and zero on // error. OPENSSL_EXPORT int BUF_MEM_append(BUF_MEM *buf, const void *in, size_t len); // Deprecated functions. -// BUF_strdup calls |OPENSSL_strdup|. +// BUF_strdup calls `OPENSSL_strdup`. OPENSSL_EXPORT char *BUF_strdup(const char *str); -// BUF_strnlen calls |OPENSSL_strnlen|. +// BUF_strnlen calls `OPENSSL_strnlen`. OPENSSL_EXPORT size_t BUF_strnlen(const char *str, size_t max_len); -// BUF_strndup calls |OPENSSL_strndup|. 
+// BUF_strndup calls `OPENSSL_strndup`. OPENSSL_EXPORT char *BUF_strndup(const char *str, size_t size); -// BUF_memdup calls |OPENSSL_memdup|. +// BUF_memdup calls `OPENSSL_memdup`. OPENSSL_EXPORT void *BUF_memdup(const void *data, size_t size); -// BUF_strlcpy calls |OPENSSL_strlcpy|. +// BUF_strlcpy calls `OPENSSL_strlcpy`. OPENSSL_EXPORT size_t BUF_strlcpy(char *dst, const char *src, size_t dst_size); -// BUF_strlcat calls |OPENSSL_strlcat|. +// BUF_strlcat calls `OPENSSL_strlcat`. OPENSSL_EXPORT size_t BUF_strlcat(char *dst, const char *src, size_t dst_size); diff --git a/third_party/boringssl/src/include/openssl/bytestring.h b/third_party/boringssl/src/include/openssl/bytestring.h index 3e1cfe5d..0cdfaf62 100644 --- a/third_party/boringssl/src/include/openssl/bytestring.h +++ b/third_party/boringssl/src/include/openssl/bytestring.h 
@@ -54,144 +54,148 @@ struct cbs_st { #endif }; -// CBS_init sets |cbs| to point to |data|. It does not take ownership of -// |data|. +// CBS_init sets `cbs` to point to `data`. It does not take ownership of +// `data`. OPENSSL_INLINE void CBS_init(CBS *cbs, const uint8_t *data, size_t len) { cbs->data = data; cbs->len = len; } -// CBS_skip advances |cbs| by |len| bytes. It returns one on success and zero +// CBS_skip advances `cbs` by `len` bytes. It returns one on success and zero // otherwise. OPENSSL_EXPORT int CBS_skip(CBS *cbs, size_t len); -// CBS_data returns a pointer to the contents of |cbs|. +// CBS_data returns a pointer to the contents of `cbs`. OPENSSL_INLINE const uint8_t *CBS_data(const CBS *cbs) { return cbs->data; } -// CBS_len returns the number of bytes remaining in |cbs|. +// CBS_len returns the number of bytes remaining in `cbs`. OPENSSL_INLINE size_t CBS_len(const CBS *cbs) { return cbs->len; } -// CBS_stow copies the current contents of |cbs| into |*out_ptr| and -// |*out_len|. If |*out_ptr| is not NULL, the contents are freed with +// CBS_stow copies the current contents of `cbs` into `*out_ptr` and +// `*out_len`. If `*out_ptr` is not NULL, the contents are freed with // OPENSSL_free. It returns one on success and zero on allocation failure. On -// success, |*out_ptr| should be freed with OPENSSL_free. If |cbs| is empty, -// |*out_ptr| will be NULL. +// success, `*out_ptr` should be freed with OPENSSL_free. If `cbs` is empty, +// `*out_ptr` will be NULL. OPENSSL_EXPORT int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len); -// CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a -// NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed +// CBS_strdup copies the current contents of `cbs` into `*out_ptr` as a +// NUL-terminated C string. If `*out_ptr` is not NULL, the contents are freed // with OPENSSL_free. It returns one on success and zero on allocation -// failure. 
On success, |*out_ptr| should be freed with OPENSSL_free. +// failure. On success, `*out_ptr` should be freed with OPENSSL_free. // -// NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call -// |CBS_contains_zero_byte(cbs)| to check for NUL bytes. +// NOTE: If `cbs` contains NUL bytes, the string will be truncated. Call +// `CBS_contains_zero_byte(cbs)` to check for NUL bytes. OPENSSL_EXPORT int CBS_strdup(const CBS *cbs, char **out_ptr); -// CBS_contains_zero_byte returns one if the current contents of |cbs| contains +// CBS_contains_zero_byte returns one if the current contents of `cbs` contains // a NUL byte and zero otherwise. OPENSSL_EXPORT int CBS_contains_zero_byte(const CBS *cbs); -// CBS_mem_equal compares the current contents of |cbs| with the |len| bytes -// starting at |data|. If they're equal, it returns one, otherwise zero. If the +// CBS_mem_equal compares the current contents of `cbs` with the `len` bytes +// starting at `data`. If they're equal, it returns one, otherwise zero. If the // lengths match, it uses a constant-time comparison. OPENSSL_EXPORT int CBS_mem_equal(const CBS *cbs, const uint8_t *data, size_t len); -// CBS_get_u8 sets |*out| to the next uint8_t from |cbs| and advances |cbs|. It +// CBS_get_u8 sets `*out` to the next uint8_t from `cbs` and advances `cbs`. It // returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u8(CBS *cbs, uint8_t *out); -// CBS_get_u16 sets |*out| to the next, big-endian uint16_t from |cbs| and -// advances |cbs|. It returns one on success and zero on error. +// CBS_get_u16 sets `*out` to the next, big-endian uint16_t from `cbs` and +// advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u16(CBS *cbs, uint16_t *out); -// CBS_get_u16le sets |*out| to the next, little-endian uint16_t from |cbs| and -// advances |cbs|. It returns one on success and zero on error. 
+// CBS_get_u16le sets `*out` to the next, little-endian uint16_t from `cbs` and +// advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u16le(CBS *cbs, uint16_t *out); -// CBS_get_u24 sets |*out| to the next, big-endian 24-bit value from |cbs| and -// advances |cbs|. It returns one on success and zero on error. +// CBS_get_u24 sets `*out` to the next, big-endian 24-bit value from `cbs` and +// advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u24(CBS *cbs, uint32_t *out); -// CBS_get_u32 sets |*out| to the next, big-endian uint32_t value from |cbs| -// and advances |cbs|. It returns one on success and zero on error. +// CBS_get_u32 sets `*out` to the next, big-endian uint32_t value from `cbs` +// and advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u32(CBS *cbs, uint32_t *out); -// CBS_get_u32le sets |*out| to the next, little-endian uint32_t value from -// |cbs| and advances |cbs|. It returns one on success and zero on error. +// CBS_get_u32le sets `*out` to the next, little-endian uint32_t value from +// `cbs` and advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u32le(CBS *cbs, uint32_t *out); -// CBS_get_u64 sets |*out| to the next, big-endian uint64_t value from |cbs| -// and advances |cbs|. It returns one on success and zero on error. +// CBS_get_u48 sets `*out` to the next, big-endian 48-bit value from `cbs` and +// advances `cbs`. It returns one on success and zero on error. +OPENSSL_EXPORT int CBS_get_u48(CBS *cbs, uint64_t *out); + +// CBS_get_u64 sets `*out` to the next, big-endian uint64_t value from `cbs` +// and advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u64(CBS *cbs, uint64_t *out); -// CBS_get_u64le sets |*out| to the next, little-endian uint64_t value from -// |cbs| and advances |cbs|. It returns one on success and zero on error. 
+// CBS_get_u64le sets `*out` to the next, little-endian uint64_t value from +// `cbs` and advances `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u64le(CBS *cbs, uint64_t *out); -// CBS_get_last_u8 sets |*out| to the last uint8_t from |cbs| and shortens -// |cbs|. It returns one on success and zero on error. +// CBS_get_last_u8 sets `*out` to the last uint8_t from `cbs` and shortens +// `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_last_u8(CBS *cbs, uint8_t *out); -// CBS_get_bytes sets |*out| to the next |len| bytes from |cbs| and advances -// |cbs|. It returns one on success and zero on error. +// CBS_get_bytes sets `*out` to the next `len` bytes from `cbs` and advances +// `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_bytes(CBS *cbs, CBS *out, size_t len); -// CBS_copy_bytes copies the next |len| bytes from |cbs| to |out| and advances -// |cbs|. It returns one on success and zero on error. +// CBS_copy_bytes copies the next `len` bytes from `cbs` to `out` and advances +// `cbs`. It returns one on success and zero on error. OPENSSL_EXPORT int CBS_copy_bytes(CBS *cbs, uint8_t *out, size_t len); -// CBS_get_u8_length_prefixed sets |*out| to the contents of an 8-bit, -// length-prefixed value from |cbs| and advances |cbs| over it. It returns one +// CBS_get_u8_length_prefixed sets `*out` to the contents of an 8-bit, +// length-prefixed value from `cbs` and advances `cbs` over it. It returns one // on success and zero on error. OPENSSL_EXPORT int CBS_get_u8_length_prefixed(CBS *cbs, CBS *out); -// CBS_get_u16_length_prefixed sets |*out| to the contents of a 16-bit, -// big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It +// CBS_get_u16_length_prefixed sets `*out` to the contents of a 16-bit, +// big-endian, length-prefixed value from `cbs` and advances `cbs` over it. It // returns one on success and zero on error. 
OPENSSL_EXPORT int CBS_get_u16_length_prefixed(CBS *cbs, CBS *out); -// CBS_get_u24_length_prefixed sets |*out| to the contents of a 24-bit, -// big-endian, length-prefixed value from |cbs| and advances |cbs| over it. It +// CBS_get_u24_length_prefixed sets `*out` to the contents of a 24-bit, +// big-endian, length-prefixed value from `cbs` and advances `cbs` over it. It // returns one on success and zero on error. OPENSSL_EXPORT int CBS_get_u24_length_prefixed(CBS *cbs, CBS *out); -// CBS_get_until_first finds the first instance of |c| in |cbs|. If found, it -// sets |*out| to the text before the match, advances |cbs| over it, and returns -// one. Otherwise, it returns zero and leaves |cbs| unmodified. +// CBS_get_until_first finds the first instance of `c` in `cbs`. If found, it +// sets `*out` to the text before the match, advances `cbs` over it, and returns +// one. Otherwise, it returns zero and leaves `cbs` unmodified. OPENSSL_EXPORT int CBS_get_until_first(CBS *cbs, CBS *out, uint8_t c); -// CBS_get_until_first_of finds the first byte in |cbs| matching one of the -// characters in |chars|, which is a NUL-terminated C string. If found, it sets -// |*out| to the text before the match, advances |cbs| over it, and returns one. -// Otherwise, it returns zero and leaves |cbs| unmodified. +// CBS_get_until_first_of finds the first byte in `cbs` matching one of the +// characters in `chars`, which is a NUL-terminated C string. If found, it sets +// `*out` to the text before the match, advances `cbs` over it, and returns one. +// Otherwise, it returns zero and leaves `cbs` unmodified. OPENSSL_EXPORT int CBS_get_until_first_of(CBS *cbs, CBS *out, const char *chars); -// CBS_get_until_first_not_of finds the first byte in |cbs| that does not match -// any of the characters in |chars|, which is a NUL-terminated C string. If -// found, it sets |*out| to the text before the match, advances |cbs| over it, -// and returns one. 
Otherwise, it returns zero and leaves |cbs| unmodified. +// CBS_get_until_first_not_of finds the first byte in `cbs` that does not match +// any of the characters in `chars`, which is a NUL-terminated C string. If +// found, it sets `*out` to the text before the match, advances `cbs` over it, +// and returns one. Otherwise, it returns zero and leaves `cbs` unmodified. OPENSSL_EXPORT int CBS_get_until_first_not_of(CBS *cbs, CBS *out, const char *chars); -// CBS_get_u64_decimal reads a decimal integer from |cbs| and writes it to -// |*out|. It stops reading at the end of the string, or the first non-digit +// CBS_get_u64_decimal reads a decimal integer from `cbs` and writes it to +// `*out`. It stops reading at the end of the string, or the first non-digit // character. It returns one on success and zero on error. This function behaves -// analogously to |strtoul| except it does not accept empty inputs, leading +// analogously to `strtoul` except it does not accept empty inputs, leading // zeros, or negative values. OPENSSL_EXPORT int CBS_get_u64_decimal(CBS *cbs, uint64_t *out); // Parsing ASN.1 // -// |CBS| may be used to parse DER structures. Rather than using a schema +// `CBS` may be used to parse DER structures. Rather than using a schema // compiler, the following functions act on tag-length-value elements in the // serialization itself. Thus the caller is responsible for looping over a // SEQUENCE, branching on CHOICEs or OPTIONAL fields, checking for trailing // data, and handling explicit vs. implicit tagging. // -// Tags are represented as |CBS_ASN1_TAG| values in memory. The upper few bits +// Tags are represented as `CBS_ASN1_TAG` values in memory. The upper few bits // store the class and constructed bit, and the remaining bits store the tag // number. Note this differs from the DER serialization, to support tag numbers // beyond 31. Consumers must use the constants defined below to decompose or 
@@ -249,46 +253,46 @@ OPENSSL_EXPORT int CBS_get_u64_decimal(CBS *cbs, uint64_t *out); #define CBS_ASN1_UNIVERSALSTRING 0x1cu #define CBS_ASN1_BMPSTRING 0x1eu -// CBS_get_asn1 sets |*out| to the contents of DER-encoded, ASN.1 element (not -// including tag and length bytes) and advances |cbs| over it. The ASN.1 -// element must match |tag_value|. It returns one on success and zero +// CBS_get_asn1 sets `*out` to the contents of DER-encoded, ASN.1 element (not +// including tag and length bytes) and advances `cbs` over it. The ASN.1 +// element must match `tag_value`. It returns one on success and zero // on error. OPENSSL_EXPORT int CBS_get_asn1(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value); -// CBS_get_asn1_element acts like |CBS_get_asn1| but |out| will include the +// CBS_get_asn1_element acts like `CBS_get_asn1` but `out` will include the // ASN.1 header bytes too. OPENSSL_EXPORT int CBS_get_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG tag_value); // CBS_peek_asn1_tag looks ahead at the next ASN.1 tag and returns one -// if the next ASN.1 element on |cbs| would have tag |tag_value|. If -// |cbs| is empty or the tag does not match, it returns zero. Note: if +// if the next ASN.1 element on `cbs` would have tag `tag_value`. If +// `cbs` is empty or the tag does not match, it returns zero. Note: if // it returns one, CBS_get_asn1 may still fail if the rest of the // element is malformed. OPENSSL_EXPORT int CBS_peek_asn1_tag(const CBS *cbs, CBS_ASN1_TAG tag_value); -// CBS_get_any_asn1 sets |*out| to contain the next ASN.1 element from |*cbs| -// (not including tag and length bytes), sets |*out_tag| to the tag number, and -// advances |*cbs|. It returns one on success and zero on error. Either of |out| -// and |out_tag| may be NULL to ignore the value. +// CBS_get_any_asn1 sets `*out` to contain the next ASN.1 element from `*cbs` +// (not including tag and length bytes), sets `*out_tag` to the tag number, and +// advances `*cbs`. 
It returns one on success and zero on error. Either of `out` +// and `out_tag` may be NULL to ignore the value. OPENSSL_EXPORT int CBS_get_any_asn1(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag); -// CBS_get_any_asn1_element sets |*out| to contain the next ASN.1 element from -// |*cbs| (including header bytes) and advances |*cbs|. It sets |*out_tag| to -// the tag number and |*out_header_len| to the length of the ASN.1 header. Each -// of |out|, |out_tag|, and |out_header_len| may be NULL to ignore the value. +// CBS_get_any_asn1_element sets `*out` to contain the next ASN.1 element from +// `*cbs` (including header bytes) and advances `*cbs`. It sets `*out_tag` to +// the tag number and `*out_header_len` to the length of the ASN.1 header. Each +// of `out`, `out_tag`, and `out_header_len` may be NULL to ignore the value. OPENSSL_EXPORT int CBS_get_any_asn1_element(CBS *cbs, CBS *out, CBS_ASN1_TAG *out_tag, size_t *out_header_len); -// CBS_get_any_ber_asn1_element acts the same as |CBS_get_any_asn1_element| but +// CBS_get_any_ber_asn1_element acts the same as `CBS_get_any_asn1_element` but // also allows indefinite-length elements to be returned and does not enforce -// that lengths are minimal. It sets |*out_indefinite| to one if the length was -// indefinite and zero otherwise. If indefinite, |*out_header_len| and -// |CBS_len(out)| will be equal as only the header is returned (although this is -// also true for empty elements so |*out_indefinite| should be checked). If -// |out_ber_found| is not NULL then it is set to one if any case of invalid DER +// that lengths are minimal. It sets `*out_indefinite` to one if the length was +// indefinite and zero otherwise. If indefinite, `*out_header_len` and +// `CBS_len(out)` will be equal as only the header is returned (although this is +// also true for empty elements so `*out_indefinite` should be checked). 
If +// `out_ber_found` is not NULL then it is set to one if any case of invalid DER // but valid BER is found, and to zero otherwise. // // This function will not successfully parse an end-of-contents (EOC) as an @@ -300,14 +304,14 @@ OPENSSL_EXPORT int CBS_get_any_ber_asn1_element(CBS *cbs, CBS *out, int *out_ber_found, int *out_indefinite); -// CBS_get_asn1_uint64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1| -// and sets |*out| to its value. It returns one on success and zero on error, +// CBS_get_asn1_uint64 gets an ASN.1 INTEGER from `cbs` using `CBS_get_asn1` +// and sets `*out` to its value. It returns one on success and zero on error, // where error includes the integer being negative, or too large to represent // in 64 bits. OPENSSL_EXPORT int CBS_get_asn1_uint64(CBS *cbs, uint64_t *out); -// CBS_get_asn1_uint64_with_tag gets an ASN.1 INTEGER from |cbs| using -// |CBS_get_asn1| and sets |*out| to its value. |tag| is used to handle to +// CBS_get_asn1_uint64_with_tag gets an ASN.1 INTEGER from `cbs` using +// `CBS_get_asn1` and sets `*out` to its value. `tag` is used to handle to // handle implicitly tagged INTEGER fields. It returns one on success and zero // on error, where error includes the integer being negative, or too large to // represent in 64 bits. 
@@ -315,35 +319,35 @@ OPENSSL_EXPORT int CBS_get_asn1_uint64_with_tag(CBS *cbs, uint64_t *out, CBS_ASN1_TAG tag); -// CBS_get_asn1_int64 gets an ASN.1 INTEGER from |cbs| using |CBS_get_asn1| -// and sets |*out| to its value. It returns one on success and zero on error, +// CBS_get_asn1_int64 gets an ASN.1 INTEGER from `cbs` using `CBS_get_asn1` +// and sets `*out` to its value. It returns one on success and zero on error, // where error includes the integer being too large to represent in 64 bits. OPENSSL_EXPORT int CBS_get_asn1_int64(CBS *cbs, int64_t *out); -// CBS_get_asn1_int64_with_tag gets an ASN.1 INTEGER from |cbs| using -// |CBS_get_asn1| and sets |*out| to its value. |tag| is used to handle to +// CBS_get_asn1_int64_with_tag gets an ASN.1 INTEGER from `cbs` using +// `CBS_get_asn1` and sets `*out` to its value. `tag` is used to handle to // handle implicitly tagged INTEGER fields. It returns one on success and zero // on error, where error includes the integer being too large to represent in 64 // bits. OPENSSL_EXPORT int CBS_get_asn1_int64_with_tag(CBS *cbs, int64_t *out, CBS_ASN1_TAG tag); -// CBS_get_asn1_bool gets an ASN.1 BOOLEAN from |cbs| and sets |*out| to zero +// CBS_get_asn1_bool gets an ASN.1 BOOLEAN from `cbs` and sets `*out` to zero // or one based on its value. It returns one on success or zero on error. OPENSSL_EXPORT int CBS_get_asn1_bool(CBS *cbs, int *out); -// CBS_get_optional_asn1 gets an optional explicitly-tagged element from |cbs| -// tagged with |tag| and sets |*out| to its contents, or ignores it if |out| is -// NULL. If present and if |out_present| is not NULL, it sets |*out_present| to +// CBS_get_optional_asn1 gets an optional explicitly-tagged element from `cbs` +// tagged with `tag` and sets `*out` to its contents, or ignores it if `out` is +// NULL. If present and if `out_present` is not NULL, it sets `*out_present` to // one, otherwise zero. 
It returns one on success, whether or not the element // was present, and zero on decode failure. OPENSSL_EXPORT int CBS_get_optional_asn1(CBS *cbs, CBS *out, int *out_present, CBS_ASN1_TAG tag); // CBS_get_optional_asn1_octet_string gets an optional -// explicitly-tagged OCTET STRING from |cbs|. If present, it sets -// |*out| to the string and |*out_present| to one. Otherwise, it sets -// |*out| to empty and |*out_present| to zero. |out_present| may be +// explicitly-tagged OCTET STRING from `cbs`. If present, it sets +// `*out` to the string and `*out_present` to one. Otherwise, it sets +// `*out` to empty and `*out_present` to zero. `out_present` may be // NULL. It returns one on success, whether or not the element was // present, and zero on decode failure. OPENSSL_EXPORT int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, @@ -351,8 +355,8 @@ OPENSSL_EXPORT int CBS_get_optional_asn1_octet_string(CBS *cbs, CBS *out, CBS_ASN1_TAG tag); // CBS_get_optional_asn1_uint64 gets an optional explicitly-tagged -// INTEGER from |cbs|. If present, it sets |*out| to the -// value. Otherwise, it sets |*out| to |default_value|. It returns one +// INTEGER from `cbs`. If present, it sets `*out` to the +// value. Otherwise, it sets `*out` to `default_value`. It returns one // on success, whether or not the element was present, and zero on // decode failure. OPENSSL_EXPORT int CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out, 
@@ -360,108 +364,108 @@ OPENSSL_EXPORT int CBS_get_optional_asn1_uint64(CBS *cbs, uint64_t *out, uint64_t default_value); // CBS_get_optional_asn1_bool gets an optional, explicitly-tagged BOOLEAN from -// |cbs|. If present, it sets |*out| to either zero or one, based on the -// boolean. Otherwise, it sets |*out| to |default_value|. It returns one on +// `cbs`. If present, it sets `*out` to either zero or one, based on the +// boolean. Otherwise, it sets `*out` to `default_value`. It returns one on // success, whether or not the element was present, and zero on decode // failure. OPENSSL_EXPORT int CBS_get_optional_asn1_bool(CBS *cbs, int *out, CBS_ASN1_TAG tag, int default_value); -// CBS_is_valid_asn1_bitstring returns one if |cbs| is a valid ASN.1 BIT STRING +// CBS_is_valid_asn1_bitstring returns one if `cbs` is a valid ASN.1 BIT STRING // body and zero otherwise. OPENSSL_EXPORT int CBS_is_valid_asn1_bitstring(const CBS *cbs); -// CBS_asn1_bitstring_has_bit returns one if |cbs| is a valid ASN.1 BIT STRING +// CBS_asn1_bitstring_has_bit returns one if `cbs` is a valid ASN.1 BIT STRING // body and the specified bit is present and set. Otherwise, it returns zero. -// |bit| is indexed starting from zero. +// `bit` is indexed starting from zero. OPENSSL_EXPORT int CBS_asn1_bitstring_has_bit(const CBS *cbs, unsigned bit); -// CBS_is_valid_asn1_integer returns one if |cbs| is a valid ASN.1 INTEGER, -// body and zero otherwise. On success, if |out_is_negative| is non-NULL, -// |*out_is_negative| will be set to one if |cbs| is negative and zero +// CBS_is_valid_asn1_integer returns one if `cbs` is a valid ASN.1 INTEGER, +// body and zero otherwise. On success, if `out_is_negative` is non-NULL, +// `*out_is_negative` will be set to one if `cbs` is negative and zero // otherwise. 
OPENSSL_EXPORT int CBS_is_valid_asn1_integer(const CBS *cbs, int *out_is_negative); -// CBS_is_unsigned_asn1_integer returns one if |cbs| is a valid non-negative +// CBS_is_unsigned_asn1_integer returns one if `cbs` is a valid non-negative // ASN.1 INTEGER body and zero otherwise. OPENSSL_EXPORT int CBS_is_unsigned_asn1_integer(const CBS *cbs); -// CBS_is_valid_asn1_oid returns one if |cbs| is a valid DER-encoded ASN.1 +// CBS_is_valid_asn1_oid returns one if `cbs` is a valid DER-encoded ASN.1 // OBJECT IDENTIFIER contents (not including the element framing) and zero // otherwise. This function tolerates arbitrarily large OID components. OPENSSL_EXPORT int CBS_is_valid_asn1_oid(const CBS *cbs); -// CBS_asn1_oid_to_text interprets |cbs| as DER-encoded ASN.1 OBJECT IDENTIFIER +// CBS_asn1_oid_to_text interprets `cbs` as DER-encoded ASN.1 OBJECT IDENTIFIER // contents (not including the element framing) and returns the ASCII // representation (e.g., "1.2.840.113554.4.1.72585") in a newly-allocated // string, or NULL on failure. The caller must release the result with -// |OPENSSL_free|. +// `OPENSSL_free`. // -// This function may fail if |cbs| is an invalid OBJECT IDENTIFIER, or if any +// This function may fail if `cbs` is an invalid OBJECT IDENTIFIER, or if any // OID components are too large. OPENSSL_EXPORT char *CBS_asn1_oid_to_text(const CBS *cbs); -// CBS_is_valid_asn1_relative_oid returns one if |cbs| is a valid DER-encoded +// CBS_is_valid_asn1_relative_oid returns one if `cbs` is a valid DER-encoded // ASN.1 RELATIVE-OID contents (not including the element framing) and zero // otherwise. This function tolerates arbitrarily large OID components. // -// (This is actually the same as |CBS_is_valid_asn1_oid|, but is also exposed +// (This is actually the same as `CBS_is_valid_asn1_oid`, but is also exposed // under the relative_oid name for API symmetry.) 
OPENSSL_EXPORT int CBS_is_valid_asn1_relative_oid(const CBS *cbs); -// CBS_asn1_relative_oid_to_text interprets |cbs| as DER-encoded ASN.1 +// CBS_asn1_relative_oid_to_text interprets `cbs` as DER-encoded ASN.1 // RELATIVE-OID contents (not including the element framing) and returns the // ASCII representation (e.g., "32473.1") in a newly-allocated string, or NULL -// on failure. The caller must release the result with |OPENSSL_free|. +// on failure. The caller must release the result with `OPENSSL_free`. // -// This function may fail if |cbs| is an invalid RELATIVE-OID, or if any +// This function may fail if `cbs` is an invalid RELATIVE-OID, or if any // OID components are too large. OPENSSL_EXPORT char *CBS_asn1_relative_oid_to_text(const CBS *cbs); -// CBS_parse_generalized_time returns one if |cbs| is a valid DER-encoded, ASN.1 +// CBS_parse_generalized_time returns one if `cbs` is a valid DER-encoded, ASN.1 // GeneralizedTime body within the limitations imposed by RFC 5280, or zero -// otherwise. If |allow_timezone_offset| is non-zero, four-digit timezone +// otherwise. If `allow_timezone_offset` is non-zero, four-digit timezone // offsets, which would not be allowed by DER, are permitted. On success, if -// |out_tm| is non-NULL, |*out_tm| will be zeroed, and then set to the -// corresponding time in UTC. This function does not compute |out_tm->tm_wday| -// or |out_tm->tm_yday|. +// `out_tm` is non-NULL, `*out_tm` will be zeroed, and then set to the +// corresponding time in UTC. This function does not compute `out_tm->tm_wday` +// or `out_tm->tm_yday`. OPENSSL_EXPORT int CBS_parse_generalized_time(const CBS *cbs, struct tm *out_tm, int allow_timezone_offset); -// CBS_parse_utc_time returns one if |cbs| is a valid DER-encoded, ASN.1 +// CBS_parse_utc_time returns one if `cbs` is a valid DER-encoded, ASN.1 // UTCTime body within the limitations imposed by RFC 5280, or zero otherwise. 
-// If |allow_timezone_offset| is non-zero, four-digit timezone offsets, which -// would not be allowed by DER, are permitted. On success, if |out_tm| is -// non-NULL, |*out_tm| will be zeroed, and then set to the corresponding time -// in UTC. This function does not compute |out_tm->tm_wday| or -// |out_tm->tm_yday|. +// If `allow_timezone_offset` is non-zero, four-digit timezone offsets, which +// would not be allowed by DER, are permitted. On success, if `out_tm` is +// non-NULL, `*out_tm` will be zeroed, and then set to the corresponding time +// in UTC. This function does not compute `out_tm->tm_wday` or +// `out_tm->tm_yday`. OPENSSL_EXPORT int CBS_parse_utc_time(const CBS *cbs, struct tm *out_tm, int allow_timezone_offset); // CRYPTO ByteBuilder. // -// |CBB| objects allow one to build length-prefixed serialisations. A |CBB| +// `CBB` objects allow one to build length-prefixed serialisations. A `CBB` // object is associated with a buffer and new buffers are created with -// |CBB_init|. Several |CBB| objects can point at the same buffer when a -// length-prefix is pending, however only a single |CBB| can be 'current' at -// any one time. For example, if one calls |CBB_add_u8_length_prefixed| then -// the new |CBB| points at the same buffer as the original. But if the original -// |CBB| is used then the length prefix is written out and the new |CBB| must +// `CBB_init`. Several `CBB` objects can point at the same buffer when a +// length-prefix is pending, however only a single `CBB` can be 'current' at +// any one time. For example, if one calls `CBB_add_u8_length_prefixed` then +// the new `CBB` points at the same buffer as the original. But if the original +// `CBB` is used then the length prefix is written out and the new `CBB` must // not be used again. // -// If one needs to force a length prefix to be written out because a |CBB| is -// going out of scope, use |CBB_flush|. 
If an operation on a |CBB| fails, it is -// in an undefined state and must not be used except to call |CBB_cleanup|. +// If one needs to force a length prefix to be written out because a `CBB` is +// going out of scope, use `CBB_flush`. If an operation on a `CBB` fails, it is +// in an undefined state and must not be used except to call `CBB_cleanup`. struct cbb_buffer_st { uint8_t *buf; - // len is the number of valid bytes in |buf|. + // len is the number of valid bytes in `buf`. size_t len; - // cap is the size of |buf|. + // cap is the size of `buf`. size_t cap; - // can_resize is one iff |buf| is owned by this object. If not then |buf| + // can_resize is one iff `buf` is owned by this object. If not then `buf` // cannot be resized. unsigned can_resize : 1; // error is one if there was an error writing to this CBB. All future @@ -470,12 +474,12 @@ struct cbb_buffer_st { }; struct cbb_child_st { - // base is a pointer to the buffer this |CBB| writes to. + // base is a pointer to the buffer this `CBB` writes to. struct cbb_buffer_st *base; - // offset is the number of bytes from the start of |base->buf| to this |CBB|'s + // offset is the number of bytes from the start of `base->buf` to this `CBB`'s // pending length prefix. size_t offset; - // pending_len_len contains the number of bytes in this |CBB|'s pending + // pending_len_len contains the number of bytes in this `CBB`'s pending // length-prefix, or zero if no length-prefix is pending. uint8_t pending_len_len; unsigned pending_is_asn1 : 1; @@ -484,8 +488,8 @@ struct cbb_child_st { struct cbb_st { // child points to a child CBB if a length-prefix is pending. CBB *child; - // is_child is one if this is a child |CBB| and zero if it is a top-level - // |CBB|. This determines which arm of the union is valid. + // is_child is one if this is a child `CBB` and zero if it is a top-level + // `CBB`. This determines which arm of the union is valid. char is_child; union { struct cbb_buffer_st base; 
@@ -493,213 +497,213 @@ struct cbb_st { } u; }; -// CBB_zero sets an uninitialised |cbb| to the zero state. It must be -// initialised with |CBB_init| or |CBB_init_fixed| before use, but it is safe to -// call |CBB_cleanup| without a successful |CBB_init|. This may be used for more -// uniform cleanup of a |CBB|. +// CBB_zero sets an uninitialised `cbb` to the zero state. It must be +// initialised with `CBB_init` or `CBB_init_fixed` before use, but it is safe to +// call `CBB_cleanup` without a successful `CBB_init`. This may be used for more +// uniform cleanup of a `CBB`. OPENSSL_EXPORT void CBB_zero(CBB *cbb); -// CBB_init initialises |cbb| with |initial_capacity|. Since a |CBB| grows as -// needed, the |initial_capacity| is just a hint. It returns one on success or +// CBB_init initialises `cbb` with `initial_capacity`. Since a `CBB` grows as +// needed, the `initial_capacity` is just a hint. It returns one on success or // zero on allocation failure. OPENSSL_EXPORT int CBB_init(CBB *cbb, size_t initial_capacity); -// CBB_init_fixed initialises |cbb| to write to |len| bytes at |buf|. Since -// |buf| cannot grow, trying to write more than |len| bytes will cause CBB +// CBB_init_fixed initialises `cbb` to write to `len` bytes at `buf`. Since +// `buf` cannot grow, trying to write more than `len` bytes will cause CBB // functions to fail. This function is infallible and always returns one. It is -// safe, but not necessary, to call |CBB_cleanup| on |cbb|. +// safe, but not necessary, to call `CBB_cleanup` on `cbb`. OPENSSL_EXPORT int CBB_init_fixed(CBB *cbb, uint8_t *buf, size_t len); -// CBB_cleanup frees all resources owned by |cbb| and other |CBB| objects +// CBB_cleanup frees all resources owned by `cbb` and other `CBB` objects // writing to the same buffer. This should be used in an error case where a // serialisation is abandoned. // -// This function can only be called on a "top level" |CBB|, i.e. 
one initialised -// with |CBB_init| or |CBB_init_fixed|, or a |CBB| set to the zero state with -// |CBB_zero|. +// This function can only be called on a "top level" `CBB`, i.e. one initialised +// with `CBB_init` or `CBB_init_fixed`, or a `CBB` set to the zero state with +// `CBB_zero`. OPENSSL_EXPORT void CBB_cleanup(CBB *cbb); -// CBB_finish completes any pending length prefix and sets |*out_data| to a -// malloced buffer and |*out_len| to the length of that buffer. The caller +// CBB_finish completes any pending length prefix and sets `*out_data` to a +// malloced buffer and `*out_len` to the length of that buffer. The caller // takes ownership of the buffer and, unless the buffer was fixed with -// |CBB_init_fixed|, must call |OPENSSL_free| when done. +// `CBB_init_fixed`, must call `OPENSSL_free` when done. // -// It can only be called on a "top level" |CBB|, i.e. one initialised with -// |CBB_init| or |CBB_init_fixed|. It returns one on success and zero on +// It can only be called on a "top level" `CBB`, i.e. one initialised with +// `CBB_init` or `CBB_init_fixed`. It returns one on success and zero on // error. OPENSSL_EXPORT int CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len); // CBB_flush causes any pending length prefixes to be written out and any child -// |CBB| objects of |cbb| to be invalidated. This allows |cbb| to continue to be -// used after the children go out of scope, e.g. when local |CBB| objects are -// added as children to a |CBB| that persists after a function returns. This +// `CBB` objects of `cbb` to be invalidated. This allows `cbb` to continue to be +// used after the children go out of scope, e.g. when local `CBB` objects are +// added as children to a `CBB` that persists after a function returns. This // function returns one on success or zero on error. OPENSSL_EXPORT int CBB_flush(CBB *cbb); -// CBB_data returns a pointer to the bytes written to |cbb|. It does not flush -// |cbb|. 
The pointer is valid until the next operation to |cbb|. +// CBB_data returns a pointer to the bytes written to `cbb`. It does not flush +// `cbb`. The pointer is valid until the next operation to `cbb`. // // To avoid unfinalized length prefixes, it is a fatal error to call this on a // CBB with any active children. OPENSSL_EXPORT uint8_t *CBB_data(const CBB *cbb); -// CBB_len returns the number of bytes written to |cbb|. It does not flush -// |cbb|. +// CBB_len returns the number of bytes written to `cbb`. It does not flush +// `cbb`. // // To avoid unfinalized length prefixes, it is a fatal error to call this on a // CBB with any active children. OPENSSL_EXPORT size_t CBB_len(const CBB *cbb); -// CBB_add_u8_length_prefixed sets |*out_contents| to a new child of |cbb|. The -// data written to |*out_contents| will be prefixed in |cbb| with an 8-bit +// CBB_add_u8_length_prefixed sets `*out_contents` to a new child of `cbb`. The +// data written to `*out_contents` will be prefixed in `cbb` with an 8-bit // length. It returns one on success or zero on error. OPENSSL_EXPORT int CBB_add_u8_length_prefixed(CBB *cbb, CBB *out_contents); -// CBB_add_u16_length_prefixed sets |*out_contents| to a new child of |cbb|. -// The data written to |*out_contents| will be prefixed in |cbb| with a 16-bit, +// CBB_add_u16_length_prefixed sets `*out_contents` to a new child of `cbb`. +// The data written to `*out_contents` will be prefixed in `cbb` with a 16-bit, // big-endian length. It returns one on success or zero on error. OPENSSL_EXPORT int CBB_add_u16_length_prefixed(CBB *cbb, CBB *out_contents); -// CBB_add_u24_length_prefixed sets |*out_contents| to a new child of |cbb|. -// The data written to |*out_contents| will be prefixed in |cbb| with a 24-bit, +// CBB_add_u24_length_prefixed sets `*out_contents` to a new child of `cbb`. +// The data written to `*out_contents` will be prefixed in `cbb` with a 24-bit, // big-endian length. It returns one on success or zero on error. 
OPENSSL_EXPORT int CBB_add_u24_length_prefixed(CBB *cbb, CBB *out_contents); -// CBB_add_asn1 sets |*out_contents| to a |CBB| into which the contents of an -// ASN.1 object can be written. The |tag| argument will be used as the tag for +// CBB_add_asn1 sets `*out_contents` to a `CBB` into which the contents of an +// ASN.1 object can be written. The `tag` argument will be used as the tag for // the object. It returns one on success or zero on error. OPENSSL_EXPORT int CBB_add_asn1(CBB *cbb, CBB *out_contents, CBS_ASN1_TAG tag); -// CBB_add_bytes appends |len| bytes from |data| to |cbb|. It returns one on +// CBB_add_bytes appends `len` bytes from `data` to `cbb`. It returns one on // success and zero otherwise. OPENSSL_EXPORT int CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len); -// CBB_add_zeros append |len| bytes with value zero to |cbb|. It returns one on +// CBB_add_zeros append `len` bytes with value zero to `cbb`. It returns one on // success and zero otherwise. OPENSSL_EXPORT int CBB_add_zeros(CBB *cbb, size_t len); -// CBB_add_space appends |len| bytes to |cbb| and sets |*out_data| to point to -// the beginning of that space. The caller must then write |len| bytes of -// actual contents to |*out_data|. It returns one on success and zero +// CBB_add_space appends `len` bytes to `cbb` and sets `*out_data` to point to +// the beginning of that space. The caller must then write `len` bytes of +// actual contents to `*out_data`. It returns one on success and zero // otherwise. OPENSSL_EXPORT int CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len); -// CBB_reserve ensures |cbb| has room for |len| additional bytes and sets -// |*out_data| to point to the beginning of that space. It returns one on -// success and zero otherwise. The caller may write up to |len| bytes to -// |*out_data| and call |CBB_did_write| to complete the write. |*out_data| is -// valid until the next operation on |cbb| or an ancestor |CBB|. 
+// CBB_reserve ensures `cbb` has room for `len` additional bytes and sets +// `*out_data` to point to the beginning of that space. It returns one on +// success and zero otherwise. The caller may write up to `len` bytes to +// `*out_data` and call `CBB_did_write` to complete the write. `*out_data` is +// valid until the next operation on `cbb` or an ancestor `CBB`. OPENSSL_EXPORT int CBB_reserve(CBB *cbb, uint8_t **out_data, size_t len); -// CBB_did_write advances |cbb| by |len| bytes, assuming the space has been +// CBB_did_write advances `cbb` by `len` bytes, assuming the space has been // written to by the caller. It returns one on success and zero on error. OPENSSL_EXPORT int CBB_did_write(CBB *cbb, size_t len); -// CBB_add_u8 appends an 8-bit number from |value| to |cbb|. It returns one on +// CBB_add_u8 appends an 8-bit number from `value` to `cbb`. It returns one on // success and zero otherwise. OPENSSL_EXPORT int CBB_add_u8(CBB *cbb, uint8_t value); -// CBB_add_u16 appends a 16-bit, big-endian number from |value| to |cbb|. It +// CBB_add_u16 appends a 16-bit, big-endian number from `value` to `cbb`. It // returns one on success and zero otherwise. OPENSSL_EXPORT int CBB_add_u16(CBB *cbb, uint16_t value); -// CBB_add_u16le appends a 16-bit, little-endian number from |value| to |cbb|. +// CBB_add_u16le appends a 16-bit, little-endian number from `value` to `cbb`. // It returns one on success and zero otherwise. OPENSSL_EXPORT int CBB_add_u16le(CBB *cbb, uint16_t value); -// CBB_add_u24 appends a 24-bit, big-endian number from |value| to |cbb|. It +// CBB_add_u24 appends a 24-bit, big-endian number from `value` to `cbb`. It // returns one on success and zero otherwise. OPENSSL_EXPORT int CBB_add_u24(CBB *cbb, uint32_t value); -// CBB_add_u32 appends a 32-bit, big-endian number from |value| to |cbb|. It +// CBB_add_u32 appends a 32-bit, big-endian number from `value` to `cbb`. It // returns one on success and zero otherwise. 
OPENSSL_EXPORT int CBB_add_u32(CBB *cbb, uint32_t value); -// CBB_add_u32le appends a 32-bit, little-endian number from |value| to |cbb|. +// CBB_add_u32le appends a 32-bit, little-endian number from `value` to `cbb`. // It returns one on success and zero otherwise. OPENSSL_EXPORT int CBB_add_u32le(CBB *cbb, uint32_t value); -// CBB_add_u64 appends a 64-bit, big-endian number from |value| to |cbb|. It +// CBB_add_u64 appends a 64-bit, big-endian number from `value` to `cbb`. It // returns one on success and zero otherwise. OPENSSL_EXPORT int CBB_add_u64(CBB *cbb, uint64_t value); -// CBB_add_u64le appends a 64-bit, little-endian number from |value| to |cbb|. +// CBB_add_u64le appends a 64-bit, little-endian number from `value` to `cbb`. // It returns one on success and zero otherwise. OPENSSL_EXPORT int CBB_add_u64le(CBB *cbb, uint64_t value); -// CBB_discard discards the last |len| bytes written to |cbb|. The process will -// abort if |cbb| has an unflushed child, or its length is smaller than |len|. +// CBB_discard discards the last `len` bytes written to `cbb`. The process will +// abort if `cbb` has an unflushed child, or its length is smaller than `len`. OPENSSL_EXPORT void CBB_discard(CBB *cbb, size_t len); -// CBB_discard_child discards the current unflushed child of |cbb|. Neither the +// CBB_discard_child discards the current unflushed child of `cbb`. Neither the // child's contents nor the length prefix will be included in the output. OPENSSL_EXPORT void CBB_discard_child(CBB *cbb); // CBB_add_asn1_element adds an ASN.1 element with the specified tag and // contents. It returns one on success and zero on error. This is a convenience -// function over |CBB_add_asn1| when the data is already available. +// function over `CBB_add_asn1` when the data is already available. 
OPENSSL_EXPORT int CBB_add_asn1_element(CBB *cbb, CBS_ASN1_TAG tag, const uint8_t *data, size_t data_len); -// CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1| -// and writes |value| in its contents. It returns one on success and zero on +// CBB_add_asn1_uint64 writes an ASN.1 INTEGER into `cbb` using `CBB_add_asn1` +// and writes `value` in its contents. It returns one on success and zero on // error. OPENSSL_EXPORT int CBB_add_asn1_uint64(CBB *cbb, uint64_t value); -// CBB_add_asn1_uint64_with_tag behaves like |CBB_add_asn1_uint64| but uses -// |tag| as the tag instead of INTEGER. This is useful if the INTEGER type uses +// CBB_add_asn1_uint64_with_tag behaves like `CBB_add_asn1_uint64` but uses +// `tag` as the tag instead of INTEGER. This is useful if the INTEGER type uses // implicit tagging. OPENSSL_EXPORT int CBB_add_asn1_uint64_with_tag(CBB *cbb, uint64_t value, CBS_ASN1_TAG tag); -// CBB_add_asn1_int64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1| -// and writes |value| in its contents. It returns one on success and zero on +// CBB_add_asn1_int64 writes an ASN.1 INTEGER into `cbb` using `CBB_add_asn1` +// and writes `value` in its contents. It returns one on success and zero on // error. OPENSSL_EXPORT int CBB_add_asn1_int64(CBB *cbb, int64_t value); -// CBB_add_asn1_int64_with_tag behaves like |CBB_add_asn1_int64| but uses |tag| +// CBB_add_asn1_int64_with_tag behaves like `CBB_add_asn1_int64` but uses `tag` // as the tag instead of INTEGER. This is useful if the INTEGER type uses // implicit tagging. OPENSSL_EXPORT int CBB_add_asn1_int64_with_tag(CBB *cbb, int64_t value, CBS_ASN1_TAG tag); -// CBB_add_asn1_octet_string writes an ASN.1 OCTET STRING into |cbb| with the +// CBB_add_asn1_octet_string writes an ASN.1 OCTET STRING into `cbb` with the // given contents. It returns one on success and zero on error. 
OPENSSL_EXPORT int CBB_add_asn1_octet_string(CBB *cbb, const uint8_t *data, size_t data_len); -// CBB_add_asn1_bool writes an ASN.1 BOOLEAN into |cbb| which is true iff -// |value| is non-zero. It returns one on success and zero on error. +// CBB_add_asn1_bool writes an ASN.1 BOOLEAN into `cbb` which is true iff +// `value` is non-zero. It returns one on success and zero on error. OPENSSL_EXPORT int CBB_add_asn1_bool(CBB *cbb, int value); -// CBB_add_asn1_oid_from_text decodes |len| bytes from |text| as an ASCII OID +// CBB_add_asn1_oid_from_text decodes `len` bytes from `text` as an ASCII OID // representation, e.g. "1.2.840.113554.4.1.72585", and writes the DER-encoded -// contents to |cbb|. It returns one on success and zero on malloc failure or if -// |text| was invalid. It does not include the OBJECT IDENTIFIER framing, only +// contents to `cbb`. It returns one on success and zero on malloc failure or if +// `text` was invalid. It does not include the OBJECT IDENTIFIER framing, only // the element's contents. // // This function considers OID strings with components which do not fit in a -// |uint64_t| to be invalid. +// `uint64_t` to be invalid. OPENSSL_EXPORT int CBB_add_asn1_oid_from_text(CBB *cbb, const char *text, size_t len); -// CBB_add_asn1_relative_oid_from_text decodes |len| bytes from |text| as an +// CBB_add_asn1_relative_oid_from_text decodes `len` bytes from `text` as an // ASCII RELATIVE-OID representation, e.g. "32473.1", and writes the -// DER-encoded contents to |cbb|. It returns one on success and zero on malloc -// failure or if |text| was invalid. It does not include any framing, only the +// DER-encoded contents to `cbb`. It returns one on success and zero on malloc +// failure or if `text` was invalid. It does not include any framing, only the // element's contents. // // This function considers OID strings with components which do not fit in a -// |uint64_t| to be invalid. +// `uint64_t` to be invalid. 
OPENSSL_EXPORT int CBB_add_asn1_relative_oid_from_text(CBB *cbb, const char *text, size_t len); -// CBB_add_asn1_oid_component appends a single OID component to |cbb|. +// CBB_add_asn1_oid_component appends a single OID component to `cbb`. // It returns one on success and zero on error. OPENSSL_EXPORT int CBB_add_asn1_oid_component(CBB *cbb, uint64_t value); -// CBB_flush_asn1_set_of calls |CBB_flush| on |cbb| and then reorders the +// CBB_flush_asn1_set_of calls `CBB_flush` on `cbb` and then reorders the // contents for a DER-encoded ASN.1 SET OF type. It returns one on success and // zero on failure. DER canonicalizes SET OF contents by sorting // lexicographically by encoding. Call this function when encoding a SET OF 
@@ -714,21 +718,21 @@ OPENSSL_EXPORT int CBB_flush_asn1_set_of(CBB *cbb); // These functions consider noncharacters (see section 23.7 from Unicode 15.0.0) // to be invalid code points and will treat them as an error condition. -// The following functions read one Unicode code point from |cbs| with the -// corresponding encoding and store it in |*out|. They return one on success and +// The following functions read one Unicode code point from `cbs` with the +// corresponding encoding and store it in `*out`. They return one on success and // zero on error. OPENSSL_EXPORT int CBS_get_utf8(CBS *cbs, uint32_t *out); OPENSSL_EXPORT int CBS_get_latin1(CBS *cbs, uint32_t *out); OPENSSL_EXPORT int CBS_get_ucs2_be(CBS *cbs, uint32_t *out); OPENSSL_EXPORT int CBS_get_utf32_be(CBS *cbs, uint32_t *out); -// CBB_get_utf8_len returns the number of bytes needed to represent |u| in +// CBB_get_utf8_len returns the number of bytes needed to represent `u` in // UTF-8. OPENSSL_EXPORT size_t CBB_get_utf8_len(uint32_t u); -// The following functions encode |u| to |cbb| with the corresponding +// The following functions encode `u` to `cbb` with the corresponding // encoding. They return one on success and zero on error. Error conditions -// include |u| being an invalid code point, or |u| being unencodable in the +// include `u` being an invalid code point, or `u` being unencodable in the // specified encoding. OPENSSL_EXPORT int CBB_add_utf8(CBB *cbb, uint32_t u); OPENSSL_EXPORT int CBB_add_latin1(CBB *cbb, uint32_t u); diff --git a/third_party/boringssl/src/include/openssl/cast.h b/third_party/boringssl/src/include/openssl/cast.h index 0c19ead6..36bad3bb 100644 --- a/third_party/boringssl/src/include/openssl/cast.h +++ b/third_party/boringssl/src/include/openssl/cast.h 
@@ -43,41 +43,41 @@ typedef struct cast_key_st { int short_key; // Use reduced rounds for short key } CAST_KEY; -// CAST_set_key initializes |key| from |len| bytes of key material starting from -// |data|. CAST-128 keys are between 5 and 16 bytes long. If |len| is greater -// than 16, |data| is truncated and only the first 16 bytes are processed. If -// |len| is less than 5, it is internally zero-padded. +// CAST_set_key initializes `key` from `len` bytes of key material starting from +// `data`. CAST-128 keys are between 5 and 16 bytes long. If `len` is greater +// than 16, `data` is truncated and only the first 16 bytes are processed. If +// `len` is less than 5, it is internally zero-padded. OPENSSL_EXPORT void CAST_set_key(CAST_KEY *key, size_t len, const uint8_t *data); -// CAST_ecb_encrypt encrypts (or decrypts, if |enc| is |CAST_DECRYPT|) a single -// 8-byte block from |in| to |out|, using |key|. +// CAST_ecb_encrypt encrypts (or decrypts, if `enc` is `CAST_DECRYPT`) a single +// 8-byte block from `in` to `out`, using `key`. OPENSSL_EXPORT void CAST_ecb_encrypt(const uint8_t in[CAST_BLOCK], uint8_t out[CAST_BLOCK], const CAST_KEY *key, int enc); -// CAST_encrypt encrypts an 8-byte block from |data| in-place with |key|. An +// CAST_encrypt encrypts an 8-byte block from `data` in-place with `key`. An // 8-byte block is represented in this function as two 32-bit integers, // containing the first and second four bytes in big-endian order. OPENSSL_EXPORT void CAST_encrypt(uint32_t data[2], const CAST_KEY *key); -// CAST_decrypt decrypts an 8-byte block from |data| in-place with |key|. An +// CAST_decrypt decrypts an 8-byte block from `data` in-place with `key`. An // 8-byte block is represented in this function as two 32-bit integers, // containing the first and second four bytes in big-endian order. 
OPENSSL_EXPORT void CAST_decrypt(uint32_t data[2], const CAST_KEY *key); -// CAST_cbc_encrypt encrypts (or decrypts, if |enc| is |CAST_DECRYPT|) |length| -// bytes from |in| to |out| with CAST-128 in CBC mode. |length| must be a -// multiple of 8. The IV is taken from |iv|. When the function completes, the IV -// for the next block is written to |iv|. +// CAST_cbc_encrypt encrypts (or decrypts, if `enc` is `CAST_DECRYPT`) `length` +// bytes from `in` to `out` with CAST-128 in CBC mode. `length` must be a +// multiple of 8. The IV is taken from `iv`. When the function completes, the IV +// for the next block is written to `iv`. OPENSSL_EXPORT void CAST_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t length, const CAST_KEY *ks, uint8_t iv[8], int enc); -// CAST_cfb64_encrypt encrypts (or decrypts, if |enc| is |CAST_DECRYPT|) -// |length| bytes from |in| to |out| with CAST-128 in CFB-64 mode. |length| must -// be a multiple of 8. On the first call, |*num| should be zero and |ivec| the -// IV. On exit, this function will write state to |ivec| and |*num| to resume an +// CAST_cfb64_encrypt encrypts (or decrypts, if `enc` is `CAST_DECRYPT`) +// `length` bytes from `in` to `out` with CAST-128 in CFB-64 mode. `length` must +// be a multiple of 8. On the first call, `*num` should be zero and `ivec` the +// IV. On exit, this function will write state to `ivec` and `*num` to resume an // encryption or decryption operation if the buffers are not contiguous. OPENSSL_EXPORT void CAST_cfb64_encrypt(const uint8_t *in, uint8_t *out, size_t length, const CAST_KEY *schedule, diff --git a/third_party/boringssl/src/include/openssl/chacha.h b/third_party/boringssl/src/include/openssl/chacha.h index ff9f55e0..857bda61 100644 --- a/third_party/boringssl/src/include/openssl/chacha.h +++ b/third_party/boringssl/src/include/openssl/chacha.h 
@@ -26,9 +26,9 @@ extern "C" { // ChaCha20 is a stream cipher. See https://tools.ietf.org/html/rfc8439. -// CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and -// nonce and writes the result to |out|. If |in| and |out| alias, they must be -// equal. The initial block counter is specified by |counter|. +// CRYPTO_chacha_20 encrypts `in_len` bytes from `in` with the given key and +// nonce and writes the result to `out`. If `in` and `out` alias, they must be +// equal. The initial block counter is specified by `counter`. // // This function implements a 32-bit block counter as in RFC 8439. On overflow, // the counter wraps. Reusing a key, nonce, and block counter combination is not diff --git a/third_party/boringssl/src/include/openssl/cipher.h b/third_party/boringssl/src/include/openssl/cipher.h index ed2eeab5..0b27aa88 100644 --- a/third_party/boringssl/src/include/openssl/cipher.h +++ b/third_party/boringssl/src/include/openssl/cipher.h @@ -27,7 +27,7 @@ extern "C" { // Cipher primitives. // -// The following functions return |EVP_CIPHER| objects that implement the named +// The following functions return `EVP_CIPHER` objects that implement the named // cipher algorithm. OPENSSL_EXPORT const EVP_CIPHER *EVP_rc4(void); 
@@ -73,54 +73,95 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbynid(int nid); // Cipher context allocation. // -// An |EVP_CIPHER_CTX| represents the state of an encryption or decryption in +// An `EVP_CIPHER_CTX` represents the state of an encryption or decryption in // progress. -// EVP_CIPHER_CTX_init initialises an, already allocated, |EVP_CIPHER_CTX|. +// EVP_CIPHER_CTX_init sets an uninitialized `EVP_CIPHER_CTX` to the zero state. +// This is the same as setting the structure to zero. +// +// This function is used for initializing uninitialized memory in an +// `EVP_CIPHER_CTX`, e.g. if it is declared as a local variable on the stack. +// This function should not be used on objects that have already been +// initialized. OPENSSL_EXPORT void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_new allocates a fresh |EVP_CIPHER_CTX|, calls -// |EVP_CIPHER_CTX_init| and returns it, or NULL on allocation failure. +// EVP_CIPHER_CTX_new returns a newly-allocated `EVP_CIPHER_CTX` in the zero +// state, or NULL on allocation failure. The caller must use +// `EVP_CIPHER_CTX_free` to release the resulting object. OPENSSL_EXPORT EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void); -// EVP_CIPHER_CTX_cleanup frees any memory referenced by |ctx|. It returns +// EVP_CIPHER_CTX_cleanup frees any memory referenced by `ctx`. It returns // one. OPENSSL_EXPORT int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_free calls |EVP_CIPHER_CTX_cleanup| on |ctx| and then frees -// |ctx| itself. +// EVP_CIPHER_CTX_free calls `EVP_CIPHER_CTX_cleanup` on `ctx` and then frees +// `ctx` itself. OPENSSL_EXPORT void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_copy sets |out| to be a duplicate of the current state of -// |in|. The |out| argument must have been previously initialised. +// EVP_CIPHER_CTX_copy sets `out` to be a duplicate of the current state of +// `in`. The `out` argument must have been previously initialised, e.g. 
with +// `EVP_CIPHER_CTX_init` or `EVP_CIPHER_CTX_new`. OPENSSL_EXPORT int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in); -// EVP_CIPHER_CTX_reset calls |EVP_CIPHER_CTX_cleanup| followed by -// |EVP_CIPHER_CTX_init| and returns one. +// EVP_CIPHER_CTX_reset calls `EVP_CIPHER_CTX_cleanup` followed by +// `EVP_CIPHER_CTX_init` and returns one. OPENSSL_EXPORT int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx); // Cipher context configuration. -// EVP_CipherInit_ex configures |ctx| for a fresh encryption (or decryption, if -// |enc| is zero) operation using |cipher|. If |ctx| has been previously -// configured with a cipher then |cipher|, |key| and |iv| may be |NULL| and -// |enc| may be -1 to reuse the previous values. The operation will use |key| -// as the key and |iv| as the IV (if any). These should have the correct -// lengths given by |EVP_CIPHER_key_length| and |EVP_CIPHER_iv_length|. It -// returns one on success and zero on error. +// EVP_CipherInit_ex configures `ctx` for a fresh encryption (or decryption, if +// `enc` is zero) operation using `cipher`. The memory in `ctx` must already +// have been initialized, e.g. with `EVP_CIPHER_CTX_init` or +// `EVP_CIPHER_CTX_new`. If non-NULL, `key` and `iv` will be used as the key and +// IV, respectively. These must point to `EVP_CIPHER_key_length` and +// `EVP_CIPHER_iv_length` bytes, respectively. It returns one on success and +// zero on error. +// +// This function may be called multiple times on a single `EVP_CIPHER_CTX`, +// either to reset an existing object, or to configure a single operation in +// multiple steps. In such cases: +// +// - `cipher` may be NULL to reuse the previous cipher state. A non-NULL +// `cipher` will reset all cipher state, including the key and IV, even if +// configuring the same `EVP_CIPHER` as before. +// +// - `key` and `iv` may be NULL to either reuse the previous value, or leave +// them unconfigured. +// +// - `enc` may be -1 to reuse the previous value. 
In ciphers that use a +// different key schedule between encryption and decryption (e.g. CBC and ECB +// modes), callers must configure `key` and `enc` together. +// +// Some example multi-step configuration patterns: +// +// - If setting a variable-length key with `EVP_CIPHER_CTX_set_key_length`, +// first configure only `cipher`, then use `EVP_CIPHER_CTX_set_key_length`, +// and finally configure `key`, leaving `cipher` NULL. +// +// - If setting a variable-length IV with `EVP_CTRL_AEAD_SET_IVLEN`, first +// configure `cipher` and `key`, then use `EVP_CTRL_AEAD_SET_IVLEN`, and +// finally configure `iv`, leaving other parameters NULL. +// +// - If retaining a long-lived context to reuse the key schedule across +// operations, first configure only `cipher` and `key` on the long-lived +// context, then copy the key schedule to a per-operation context with +// `EVP_CIPHER_CTX_copy`, and finally configure only `iv` on the per-operation +// context. +// +// WARNING: This API is difficult to use correctly. Use `EVP_AEAD` for AEADs. OPENSSL_EXPORT int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine, const uint8_t *key, const uint8_t *iv, int enc); -// EVP_EncryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to one. +// EVP_EncryptInit_ex calls `EVP_CipherInit_ex` with `enc` equal to one. OPENSSL_EXPORT int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const uint8_t *key, const uint8_t *iv); -// EVP_DecryptInit_ex calls |EVP_CipherInit_ex| with |enc| equal to zero. +// EVP_DecryptInit_ex calls `EVP_CipherInit_ex` with `enc` equal to zero. OPENSSL_EXPORT int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, const uint8_t *key, const uint8_t *iv); 
@@ -128,71 +169,75 @@ OPENSSL_EXPORT int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, // Cipher operations. -// EVP_EncryptUpdate_ex encrypts |in_len| bytes from |in| and writes up to -// |max_out| bytes of ciphertext to |out|. On success, it sets |*out_len| to +// EVP_EncryptUpdate_ex encrypts `in_len` bytes from `in` and writes up to +// `max_out_len` bytes of ciphertext to `out`. On success, it sets `*out_len` to // the number of output bytes and returns one. Otherwise, it returns zero. // -// If |max_out| is not large enough for the output, the function will return +// If `max_out_len` is not large enough for the output, the function will return // zero. The size of output buffer needed depends on the cipher and the number -// of bytes encrypted by |ctx| thus far. +// of bytes encrypted by `ctx` thus far. `EVP_CIPHER_CTX_max_next_update` will +// return the maximum output for this call. // // In ciphers whose block size is not 1, such as CBC, individual calls to -// |EVP_EncryptUpdate_ex| may output more or less than |in_len| bytes: a single -// call to |EVP_EncryptUpdate_ex| may output at most |in_len + block_size - 1| -// bytes. Additionally, the total output across all |EVP_EncryptUpdate_ex| and -// |EVP_EncryptFinal_ex2| calls will be at most the total input plus one byte, +// `EVP_EncryptUpdate_ex` may output more or less than `in_len` bytes: a single +// call to `EVP_EncryptUpdate_ex` may output at most `in_len + block_size - 1` +// bytes. Additionally, the total output across all `EVP_EncryptUpdate_ex` and +// `EVP_EncryptFinal_ex2` calls will be at most the total input plus one byte, // rounded up to a multiple of the block size. OPENSSL_EXPORT int EVP_EncryptUpdate_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *in, size_t in_len); // EVP_EncryptFinal_ex2 finishes an encryption operation and writes up to -// |max_out| bytes of output to out. 
On success, it sets |*out_len| to the +// `max_out_len` bytes of output to out. On success, it sets `*out_len` to the // number of bytes written and returns one. Otherwise, it returns zero. // -// If |max_out| is not large enough for the output, the function will return +// If `max_out_len` is not large enough for the output, the function will return // zero. The size of output buffer needed depends on the cipher and the number -// of bytes encrypted. +// of bytes encrypted. `EVP_CIPHER_CTX_max_final` will return the maximum output +// for this call. // // If the block size is 1, there will be no final output at all; otherwise, at // most one block of ciphertext will be written to the output. // // If padding is enabled (the default) and the block size is not 1, then // standard padding is applied to create the final block. If padding is -// disabled (with |EVP_CIPHER_CTX_set_padding|) then any partial block +// disabled (with `EVP_CIPHER_CTX_set_padding`) then any partial block // remaining will cause an error. The function returns one on success and zero // otherwise. OPENSSL_EXPORT int EVP_EncryptFinal_ex2(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len); -// EVP_DecryptUpdate_ex decrypts |in_len| bytes from |in| and writes up to -// |max_out| bytes of plaintext to |out|. On success, it sets |*out_len| to +// EVP_DecryptUpdate_ex decrypts `in_len` bytes from `in` and writes up to +// `max_out_len` bytes of plaintext to `out`. On success, it sets `*out_len` to // the number of output bytes and returns one. Otherwise, it returns zero. // -// If |max_out| is not large enough for the output, the function will return +// If `max_out_len` is not large enough for the output, the function will return // zero. The size of output buffer needed depends on the cipher and the number -// of bytes decrypted by |ctx| thus far. +// of bytes decrypted by `ctx` thus far. `EVP_CIPHER_CTX_max_next_update` will +// return the maximum output for this call. 
// // In ciphers whose block size is not 1, such as CBC, individual calls to -// |EVP_DecryptUpdate_ex| may output more or less than |in_len| bytes: a single -// call to |EVP_DecryptUpdate_ex| may output at most |in_len + block_size - 1| -// bytes. Additionally, the total output across all |EVP_DecryptUpdate_ex| and -// |EVP_DecryptFinal_ex2| calls will be at most the total input. +// `EVP_DecryptUpdate_ex` may output more or less than `in_len` bytes: a single +// call to `EVP_DecryptUpdate_ex` may output at most `in_len + block_size - 1` +// bytes. Additionally, the total output across all `EVP_DecryptUpdate_ex` and +// `EVP_DecryptFinal_ex2` calls will be at most the total input. // // WARNING: if the cipher is an AEAD cipher, decrypted data should not be // parsed or otherwise processed until success has been returned by -// |EVP_EncryptFinal_ex2|. +// `EVP_EncryptFinal_ex2`. OPENSSL_EXPORT int EVP_DecryptUpdate_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *in, size_t in_len); // EVP_DecryptFinal_ex2 finishes a decryption operation and writes up to -// |max_out| bytes of output to out. On success, it sets |*out_len| to the +// `max_out_len` bytes of output to out. On success, it sets `*out_len` to the // number of bytes written and returns one. Otherwise, it returns zero. // -// If |max_out| is not large enough for the output, the function will return +// If `max_out_len` is not large enough for the output, the function will return // zero. The size of output buffer needed depends on the cipher and the number -// of bytes decrypted. +// of bytes decrypted. `EVP_CIPHER_CTX_max_final` will return the maximum output +// for this call. // // If the block size is 1, there will be no final output at all; otherwise, at // most one block of ciphertext will be written to the output. 
@@ -206,111 +251,129 @@ OPENSSL_EXPORT int EVP_DecryptUpdate_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, OPENSSL_EXPORT int EVP_DecryptFinal_ex2(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len); -// EVP_CipherUpdate_ex calls either |EVP_EncryptUpdate_ex| or -// |EVP_DecryptUpdate_ex| depending on how |ctx| has been setup. +// EVP_CipherUpdate_ex calls either `EVP_EncryptUpdate_ex` or +// `EVP_DecryptUpdate_ex` depending on how `ctx` has been setup. OPENSSL_EXPORT int EVP_CipherUpdate_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *in, size_t in_len); -// EVP_CipherUpdateAAD adds |in_len| bytes from |in| to the AAD. The AAD must +// EVP_CipherUpdateAAD adds `in_len` bytes from `in` to the AAD. The AAD must // be fully specified in this way before any plaintext or ciphertext is -// supplied to the other functions. Please consider moving to the |EVP_AEAD| +// supplied to the other functions. Please consider moving to the `EVP_AEAD` // APIs instead. OPENSSL_EXPORT int EVP_CipherUpdateAAD(EVP_CIPHER_CTX *ctx, const uint8_t *in, size_t in_len); -// EVP_CipherFinal_ex2 calls either |EVP_EncryptFinal_ex2| or -// |EVP_DecryptFinal_ex2| depending on how |ctx| has been setup. +// EVP_CipherFinal_ex2 calls either `EVP_EncryptFinal_ex2` or +// `EVP_DecryptFinal_ex2` depending on how `ctx` has been setup. OPENSSL_EXPORT int EVP_CipherFinal_ex2(EVP_CIPHER_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len); +// EVP_CIPHER_CTX_max_next_update returns the maximum number of bytes that may +// be output from `ctx` by a call to `EVP_CipherUpdate_ex` with `in_len` bytes +// of input. This takes the current state of `ctx` into account, so the output +// will change as bytes are passed in and out. 
+OPENSSL_EXPORT size_t EVP_CIPHER_CTX_max_next_update(const EVP_CIPHER_CTX *ctx, + size_t in_len); + +// EVP_CIPHER_CTX_max_final returns the maximum number of bytes that may +// be output from `ctx` by a call to `EVP_CipherFinal_ex2`. This takes the +// current state of `ctx` into account, so the output will change as bytes are +// passed in and out. +OPENSSL_EXPORT size_t EVP_CIPHER_CTX_max_final(const EVP_CIPHER_CTX *ctx); + // Cipher context accessors. -// EVP_CIPHER_CTX_cipher returns the |EVP_CIPHER| underlying |ctx|, or NULL if +// EVP_CIPHER_CTX_cipher returns the `EVP_CIPHER` underlying `ctx`, or NULL if // none has been set. OPENSSL_EXPORT const EVP_CIPHER *EVP_CIPHER_CTX_cipher( const EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_nid returns a NID identifying the |EVP_CIPHER| underlying -// |ctx| (e.g. |NID_aes_128_gcm|). It will crash if no cipher has been +// EVP_CIPHER_CTX_nid returns a NID identifying the `EVP_CIPHER` underlying +// `ctx` (e.g. `NID_aes_128_gcm`). It will crash if no cipher has been // configured. OPENSSL_EXPORT int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_encrypting returns one if |ctx| is configured for encryption +// EVP_CIPHER_CTX_encrypting returns one if `ctx` is configured for encryption // and zero otherwise. OPENSSL_EXPORT int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx); // EVP_CIPHER_CTX_block_size returns the block size, in bytes, of the cipher -// underlying |ctx|, or one if the cipher is a stream cipher. It will crash if +// underlying `ctx`, or one if the cipher is a stream cipher. It will crash if // no cipher has been configured. OPENSSL_EXPORT unsigned EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); // EVP_CIPHER_CTX_key_length returns the key size, in bytes, of the cipher -// underlying |ctx| or zero if no cipher has been configured. +// underlying `ctx` or zero if no cipher has been configured. 
OPENSSL_EXPORT unsigned EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); // EVP_CIPHER_CTX_iv_length returns the IV size, in bytes, of the cipher -// underlying |ctx|. It will crash if no cipher has been configured. +// underlying `ctx`. It will crash if no cipher has been configured. OPENSSL_EXPORT unsigned EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); // EVP_CIPHER_CTX_get_app_data returns the opaque, application data pointer for -// |ctx|, or NULL if none has been set. +// `ctx`, or NULL if none has been set. OPENSSL_EXPORT void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); // EVP_CIPHER_CTX_set_app_data sets the opaque, application data pointer for -// |ctx| to |data|. +// `ctx` to `data`. OPENSSL_EXPORT void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); // EVP_CIPHER_CTX_flags returns a value which is the OR of zero or more -// |EVP_CIPH_*| flags. It will crash if no cipher has been configured. +// `EVP_CIPH_*` flags. It will crash if no cipher has been configured. OPENSSL_EXPORT uint32_t EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_mode returns one of the |EVP_CIPH_*| cipher mode values +// EVP_CIPHER_CTX_mode returns one of the `EVP_CIPH_*` cipher mode values // enumerated below. It will crash if no cipher has been configured. OPENSSL_EXPORT uint32_t EVP_CIPHER_CTX_mode(const EVP_CIPHER_CTX *ctx); -// EVP_CIPHER_CTX_ctrl is an |ioctl| like function. The |command| argument -// should be one of the |EVP_CTRL_*| values. The |arg| and |ptr| arguments are +// EVP_CIPHER_CTX_ctrl is an `ioctl` like function. The `command` argument +// should be one of the `EVP_CTRL_*` values. The `arg` and `ptr` arguments are // specific to the command in question. OPENSSL_EXPORT int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int command, int arg, void *ptr); -// EVP_CIPHER_CTX_set_padding sets whether padding is enabled for |ctx| and -// returns one. 
Pass a non-zero |pad| to enable padding (the default) or zero +// EVP_CIPHER_CTX_set_padding sets whether padding is enabled for `ctx` and +// returns one. Pass a non-zero `pad` to enable padding (the default) or zero // to disable. OPENSSL_EXPORT int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad); -// EVP_CIPHER_CTX_set_key_length sets the key length for |ctx|. This is only +// EVP_CIPHER_CTX_set_key_length sets the key length for `ctx`. This is only // valid for ciphers that can take a variable length key. It returns one on // success and zero on error. +// +// In order to use this function, |ctx| must have been configured with an +// |EVP_CIPHER| with |EVP_CipherInit_ex|. Callers should first configure only +// the cipher, leaving |key| NULL, call |EVP_CIPHER_CTX_set_key_length|, and +// finally call |EVP_CipherInit_ex| with a NULL |cipher| and non-NULL |key|. OPENSSL_EXPORT int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *ctx, unsigned key_len); // Cipher accessors. -// EVP_CIPHER_nid returns a NID identifying |cipher|. (For example, -// |NID_aes_128_gcm|.) +// EVP_CIPHER_nid returns a NID identifying `cipher`. (For example, +// `NID_aes_128_gcm`.) OPENSSL_EXPORT int EVP_CIPHER_nid(const EVP_CIPHER *cipher); -// EVP_CIPHER_block_size returns the block size, in bytes, for |cipher|, or one -// if |cipher| is a stream cipher. +// EVP_CIPHER_block_size returns the block size, in bytes, for `cipher`, or one +// if `cipher` is a stream cipher. OPENSSL_EXPORT unsigned EVP_CIPHER_block_size(const EVP_CIPHER *cipher); -// EVP_CIPHER_key_length returns the key size, in bytes, for |cipher|. If -// |cipher| can take a variable key length then this function returns the -// default key length and |EVP_CIPHER_flags| will return a value with -// |EVP_CIPH_VARIABLE_LENGTH| set. +// EVP_CIPHER_key_length returns the key size, in bytes, for `cipher`. 
If +// `cipher` can take a variable key length then this function returns the +// default key length and `EVP_CIPHER_flags` will return a value with +// `EVP_CIPH_VARIABLE_LENGTH` set. OPENSSL_EXPORT unsigned EVP_CIPHER_key_length(const EVP_CIPHER *cipher); -// EVP_CIPHER_iv_length returns the IV size, in bytes, of |cipher|, or zero if -// |cipher| doesn't take an IV. +// EVP_CIPHER_iv_length returns the IV size, in bytes, of `cipher`, or zero if +// `cipher` doesn't take an IV. OPENSSL_EXPORT unsigned EVP_CIPHER_iv_length(const EVP_CIPHER *cipher); // EVP_CIPHER_flags returns a value which is the OR of zero or more -// |EVP_CIPH_*| flags. +// `EVP_CIPH_*` flags. OPENSSL_EXPORT uint32_t EVP_CIPHER_flags(const EVP_CIPHER *cipher); // EVP_CIPHER_mode returns one of the cipher mode values enumerated below. 
@@ -319,31 +382,31 @@ OPENSSL_EXPORT uint32_t EVP_CIPHER_mode(const EVP_CIPHER *cipher);
 // Key derivation.
-// EVP_BytesToKey generates a key and IV for the cipher |type| by iterating
-// |md| |count| times using |data| and an optional |salt|, writing the result to
-// |key| and |iv|. If not NULL, the |key| and |iv| buffers must have enough
-// space to hold a key and IV for |type|, as returned by |EVP_CIPHER_key_length|
-// and |EVP_CIPHER_iv_length|. This function returns the length of the key
+// EVP_BytesToKey generates a key and IV for the cipher `type` by iterating
+// `md` `count` times using `data` and an optional `salt`, writing the result to
+// `key` and `iv`. If not NULL, the `key` and `iv` buffers must have enough
+// space to hold a key and IV for `type`, as returned by `EVP_CIPHER_key_length`
+// and `EVP_CIPHER_iv_length`. This function returns the length of the key
 // (without the IV) on success or zero on error.
 //
-// If |salt| is NULL, the empty string is used as the salt. Salt lengths other
-// than 0 and 8 are not supported by this function. Either of |key| or |iv| may
+// If `salt` is NULL, the empty string is used as the salt. Salt lengths other
+// than 0 and 8 are not supported by this function. Either of `key` or `iv` may
 // be NULL to skip that output.
 //
-// When the total data derived is less than the size of |md|, this function
+// When the total data derived is less than the size of `md`, this function
 // implements PBKDF1 from RFC 8018. Otherwise, it generalizes PBKDF1 by
-// computing prepending the previous output to |data| and re-running PBKDF1 for
+// computing prepending the previous output to `data` and re-running PBKDF1 for
 // further output.
 //
 // This function is provided for compatibility with legacy uses of PBKDF1. New
-// applications should use a more modern algorithm, such as |EVP_PBE_scrypt|.
+// applications should use a more modern algorithm, such as `EVP_PBE_scrypt`.
OPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, const uint8_t salt[8], const uint8_t *data, size_t data_len, unsigned count, uint8_t *key, uint8_t *iv); -// Cipher modes (for |EVP_CIPHER_mode|). +// Cipher modes (for `EVP_CIPHER_mode`). #define EVP_CIPH_STREAM_CIPHER 0x0 #define EVP_CIPH_ECB_MODE 0x1 @@ -354,30 +417,30 @@ OPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, #define EVP_CIPH_GCM_MODE 0x6 #define EVP_CIPH_XTS_MODE 0x7 -// The following values are never returned from |EVP_CIPHER_mode| and are +// The following values are never returned from `EVP_CIPHER_mode` and are // included only to make it easier to compile code with BoringSSL. #define EVP_CIPH_CCM_MODE 0x8 #define EVP_CIPH_OCB_MODE 0x9 #define EVP_CIPH_WRAP_MODE 0xa -// Cipher flags (for |EVP_CIPHER_flags|). +// Cipher flags (for `EVP_CIPHER_flags`). // EVP_CIPH_VARIABLE_LENGTH indicates that the cipher takes a variable length // key. #define EVP_CIPH_VARIABLE_LENGTH 0x40 -// EVP_CIPH_ALWAYS_CALL_INIT indicates that the |init| function for the cipher +// EVP_CIPH_ALWAYS_CALL_INIT indicates that the `init` function for the cipher // should always be called when initialising a new operation, even if the key // is NULL to indicate that the same key is being used. #define EVP_CIPH_ALWAYS_CALL_INIT 0x80 // EVP_CIPH_CUSTOM_IV indicates that the cipher manages the IV itself rather -// than keeping it in the |iv| member of |EVP_CIPHER_CTX|. +// than keeping it in the `iv` member of `EVP_CIPHER_CTX`. #define EVP_CIPH_CUSTOM_IV 0x100 // EVP_CIPH_CTRL_INIT indicates that EVP_CTRL_INIT should be used when -// initialising an |EVP_CIPHER_CTX|. +// initialising an `EVP_CIPHER_CTX`. #define EVP_CIPH_CTRL_INIT 0x200 // EVP_CIPH_FLAG_CUSTOM_CIPHER indicates that the cipher manages blocking 
@@ -389,8 +452,8 @@ OPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 // one.
 #define EVP_CIPH_FLAG_AEAD_CIPHER 0x800
-// EVP_CIPH_CUSTOM_COPY indicates that the |ctrl| callback should be called
-// with |EVP_CTRL_COPY| at the end of normal |EVP_CIPHER_CTX_copy|
+// EVP_CIPH_CUSTOM_COPY indicates that the `ctrl` callback should be called
+// with `EVP_CTRL_COPY` at the end of normal `EVP_CIPHER_CTX_copy`
 // processing.
 #define EVP_CIPH_CUSTOM_COPY 0x1000
@@ -403,114 +466,129 @@ OPENSSL_EXPORT int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md, // Deprecated functions -// EVP_CipherInit acts like EVP_CipherInit_ex except that |EVP_CIPHER_CTX_init| -// is called on |cipher| first, if |cipher| is not NULL. +// EVP_CipherInit acts like `EVP_CipherInit_ex` except that +// `EVP_CIPHER_CTX_init` is called on `cipher` first, if `cipher` is not NULL. +// +// `EVP_CIPHER_CTX_init` is used for initializing uninitialized memory in an +// `EVP_CIPHER_CTX`, e.g. if it is declared as a local variable on the stack. +// Thus this function should not be used on objects that have already been +// initialized. +// +// WARNING: This differs from OpenSSL 1.1.x, where `EVP_CipherInit` and +// `EVP_CipherInit_ex` are largely equivalent. This difference is because +// BoringSSL, like OpenSSL 1.0.x, still supports stack-allocating +// `EVP_CIPHER_CTX`. Implementing the OpenSSL 1.1.x semantics would introduce +// uninitialized reads in those callers. OPENSSL_EXPORT int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const uint8_t *key, const uint8_t *iv, int enc); -// EVP_EncryptInit calls |EVP_CipherInit| with |enc| equal to one. +// EVP_EncryptInit calls `EVP_CipherInit` with `enc` equal to one. +// +// WARNING: See discussion in `EVP_CipherInit`. OPENSSL_EXPORT int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const uint8_t *key, const uint8_t *iv); -// EVP_DecryptInit calls |EVP_CipherInit| with |enc| equal to zero. +// EVP_DecryptInit calls `EVP_CipherInit` with `enc` equal to zero. +// +// WARNING: See discussion in `EVP_CipherInit`. OPENSSL_EXPORT int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const uint8_t *key, const uint8_t *iv); -// EVP_CipherUpdate does the same as |EVP_CipherUpdate_ex|, except that no +// EVP_CipherUpdate does the same as `EVP_CipherUpdate_ex`, except that no // output size is given and thus no bounds checking is performed. 
// -// Additionally, if |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| -// is NULL, this function instead behaves like |EVP_CipherUpdateAAD|. +// Additionally, if `ctx` is an AEAD cipher, e.g. `EVP_aes_128_gcm`, and `out` +// is NULL, this function instead behaves like `EVP_CipherUpdateAAD`. // -// WARNING: This function does not check bounds on |out|, and correctly sizing -// the output buffer is difficult. Use |EVP_CipherUpdate_ex| or -// |EVP_CipherUpdateAAD| instead. +// WARNING: This function does not check bounds on `out`, and correctly sizing +// the output buffer is difficult. Use `EVP_CipherUpdate_ex` or +// `EVP_CipherUpdateAAD` instead. OPENSSL_EXPORT int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, int in_len); -// EVP_EncryptUpdate does the same as |EVP_EncryptUpdate_ex|, except that no +// EVP_EncryptUpdate does the same as `EVP_EncryptUpdate_ex`, except that no // output size is given and thus no bounds checking is performed. // -// Additionally, if |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| -// is NULL, this function instead behaves like |EVP_CipherUpdateAAD|. +// Additionally, if `ctx` is an AEAD cipher, e.g. `EVP_aes_128_gcm`, and `out` +// is NULL, this function instead behaves like `EVP_CipherUpdateAAD`. // -// WARNING: This function does not check bounds on |out|, and correctly sizing -// the output buffer is difficult. Use |EVP_EncryptUpdate_ex| or -// |EVP_CipherUpdateAAD| instead. +// WARNING: This function does not check bounds on `out`, and correctly sizing +// the output buffer is difficult. Use `EVP_EncryptUpdate_ex` or +// `EVP_CipherUpdateAAD` instead. 
OPENSSL_EXPORT int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, int in_len); -// EVP_DecryptUpdate does the same as |EVP_DecryptUpdate_ex|, except that no +// EVP_DecryptUpdate does the same as `EVP_DecryptUpdate_ex`, except that no // output size is given and thus no bounds checking is performed. // -// Additionally, if |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| -// is NULL, this function instead behaves like |EVP_CipherUpdateAAD|. +// Additionally, if `ctx` is an AEAD cipher, e.g. `EVP_aes_128_gcm`, and `out` +// is NULL, this function instead behaves like `EVP_CipherUpdateAAD`. // // WARNING: This function does not check bounds on out, and correctly sizing -// the output buffer is difficult. Use |EVP_DecryptUpdate_ex| or -// |EVP_CipherUpdateAAD| instead. +// the output buffer is difficult. Use `EVP_DecryptUpdate_ex` or +// `EVP_CipherUpdateAAD` instead. OPENSSL_EXPORT int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len, const uint8_t *in, int in_len); -// EVP_CipherFinal calls |EVP_CipherFinal_ex|. +// EVP_CipherFinal calls `EVP_CipherFinal_ex`. OPENSSL_EXPORT int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); -// EVP_CipherFinal_ex does the same as |EVP_CipherFinal_ex2|, except that no +// EVP_CipherFinal_ex does the same as `EVP_CipherFinal_ex2`, except that no // output size is given and thus no bounds checking is performed. // // WARNING: This function does not check bounds on out, and correctly sizing -// the output buffer is difficult. Use |EVP_CipherFinal_ex2| instead. +// the output buffer is difficult. Use `EVP_CipherFinal_ex2` instead. OPENSSL_EXPORT int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); -// EVP_EncryptFinal calls |EVP_EncryptFinal_ex|. +// EVP_EncryptFinal calls `EVP_EncryptFinal_ex`. 
OPENSSL_EXPORT int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); -// EVP_EncryptFinal_ex does the same as |EVP_EncryptFinal_ex2|, except that no +// EVP_EncryptFinal_ex does the same as `EVP_EncryptFinal_ex2`, except that no // output size is given and thus no bounds checking is performed. // // WARNING: This function does not check bounds on out, and correctly sizing -// the output buffer is difficult. Use |EVP_EncryptFinal_ex2| instead. +// the output buffer is difficult. Use `EVP_EncryptFinal_ex2` instead. OPENSSL_EXPORT int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); -// EVP_DecryptFinal calls |EVP_DecryptFinal_ex|. +// EVP_DecryptFinal calls `EVP_DecryptFinal_ex`. OPENSSL_EXPORT int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); -// EVP_DecryptFinal_ex does the same as |EVP_DecryptFinal_ex2|, except that no +// EVP_DecryptFinal_ex does the same as `EVP_DecryptFinal_ex2`, except that no // output size is given and thus no bounds checking is performed. // // WARNING: This function does not check bounds on out, and correctly sizing -// the output buffer is difficult. Use |EVP_DecryptFinal_ex2| instead. +// the output buffer is difficult. Use `EVP_DecryptFinal_ex2` instead. OPENSSL_EXPORT int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out, int *out_len); -// EVP_Cipher historically exposed an internal implementation detail of |ctx| -// and should not be used. Use |EVP_CipherUpdate| and |EVP_CipherFinal_ex| +// EVP_Cipher historically exposed an internal implementation detail of `ctx` +// and should not be used. Use `EVP_CipherUpdate` and `EVP_CipherFinal_ex` // instead. // -// If |ctx|'s cipher does not have the |EVP_CIPH_FLAG_CUSTOM_CIPHER| flag, it -// encrypts or decrypts |in_len| bytes from |in| and writes the resulting -// |in_len| bytes to |out|. It returns one on success and zero on error. 
-// |in_len| must be a multiple of the cipher's block size, or the behavior is
+// If `ctx`'s cipher does not have the `EVP_CIPH_FLAG_CUSTOM_CIPHER` flag, it
+// encrypts or decrypts `in_len` bytes from `in` and writes the resulting
+// `in_len` bytes to `out`. It returns one on success and zero on error.
+// `in_len` must be a multiple of the cipher's block size, or the behavior is
 // undefined.
 //
 // TODO(davidben): Rather than being undefined (it'll often round the length up
 // and likely read past the buffer), just fail the operation.
 //
-// If |ctx|'s cipher has the |EVP_CIPH_FLAG_CUSTOM_CIPHER| flag, it runs in one
-// of two modes: If |in| is non-NULL, it behaves like |EVP_CipherUpdate|. If
-// |in| is NULL, it behaves like |EVP_CipherFinal_ex|. In both cases, it returns
-// |*out_len| on success and -1 on error.
+// If `ctx`'s cipher has the `EVP_CIPH_FLAG_CUSTOM_CIPHER` flag, it runs in one
+// of two modes: If `in` is non-NULL, it behaves like `EVP_CipherUpdate`. If
+// `in` is NULL, it behaves like `EVP_CipherFinal_ex`. In both cases, it returns
+// `*out_len` on success and -1 on error.
 //
 // WARNING: The two possible calling conventions of this function signal errors
 // incompatibly. In the first, zero indicates an error. In the second, zero
@@ -521,20 +599,20 @@ OPENSSL_EXPORT int EVP_Cipher(EVP_CIPHER_CTX *ctx, uint8_t *out, // EVP_add_cipher_alias does nothing and returns one. OPENSSL_EXPORT int EVP_add_cipher_alias(const char *a, const char *b); -// EVP_get_cipherbyname returns an |EVP_CIPHER| given a human readable name in -// |name|, or NULL if the name is unknown. Note using this function links almost +// EVP_get_cipherbyname returns an `EVP_CIPHER` given a human readable name in +// `name`, or NULL if the name is unknown. Note using this function links almost // every cipher implemented by BoringSSL into the binary, not just the ones the // caller requests. Size-conscious callers, such as client software, should not // use this function. OPENSSL_EXPORT const EVP_CIPHER *EVP_get_cipherbyname(const char *name); // These AEADs are deprecated AES-GCM implementations that set -// |EVP_CIPH_FLAG_CUSTOM_CIPHER|. Use |EVP_aead_aes_128_gcm| and -// |EVP_aead_aes_256_gcm| instead. +// `EVP_CIPH_FLAG_CUSTOM_CIPHER`. Use `EVP_aead_aes_128_gcm` and +// `EVP_aead_aes_256_gcm` instead. // // WARNING: Although these APIs allow streaming an individual AES-GCM operation, -// this is not secure. Until calling |EVP_DecryptFinal_ex|, the tag has not yet -// been checked and output released by |EVP_DecryptUpdate| is unauthenticated +// this is not secure. Until calling `EVP_DecryptFinal_ex`, the tag has not yet +// been checked and output released by `EVP_DecryptUpdate` is unauthenticated // and easily manipulated by attackers. Callers must buffer the output and may // not act on it until the entire operation is complete. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_gcm(void); 
@@ -547,27 +625,27 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ctr(void); OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_gcm(void); OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_ofb(void); -// EVP_des_ede3_ecb is an alias for |EVP_des_ede3|. Use the former instead. +// EVP_des_ede3_ecb is an alias for `EVP_des_ede3`. Use the former instead. OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void); // EVP_aes_128_cfb128 is only available in decrepit. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void); -// EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in +// EVP_aes_128_cfb is an alias for `EVP_aes_128_cfb128` and is only available in // decrepit. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb(void); // EVP_aes_192_cfb128 is only available in decrepit. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cfb128(void); -// EVP_aes_192_cfb is an alias for |EVP_aes_192_cfb128| and is only available in +// EVP_aes_192_cfb is an alias for `EVP_aes_192_cfb128` and is only available in // decrepit. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_192_cfb(void); // EVP_aes_256_cfb128 is only available in decrepit. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void); -// EVP_aes_256_cfb is an alias for |EVP_aes_256_cfb128| and is only available in +// EVP_aes_256_cfb is an alias for `EVP_aes_256_cfb128` and is only available in // decrepit. OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb(void); @@ -600,7 +678,7 @@ OPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, // EVP_CIPH_NO_PADDING disables padding in block ciphers. #define EVP_CIPH_NO_PADDING 0x800 -// The following are |EVP_CIPHER_CTX_ctrl| commands. +// The following are `EVP_CIPHER_CTX_ctrl` commands. #define EVP_CTRL_INIT 0x0 #define EVP_CTRL_SET_KEY_LENGTH 0x1 #define EVP_CTRL_GET_RC2_KEY_BITS 0x2 
@@ -625,7 +703,7 @@ OPENSSL_EXPORT void EVP_CIPHER_CTX_set_flags(const EVP_CIPHER_CTX *ctx, #define EVP_GCM_TLS_EXPLICIT_IV_LEN 8 #define EVP_GCM_TLS_TAG_LEN 16 -// The following are legacy aliases for AEAD |EVP_CIPHER_CTX_ctrl| values. +// The following are legacy aliases for AEAD `EVP_CIPHER_CTX_ctrl` values. #define EVP_CTRL_GCM_SET_IVLEN EVP_CTRL_AEAD_SET_IVLEN #define EVP_CTRL_GCM_GET_TAG EVP_CTRL_AEAD_GET_TAG #define EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG @@ -642,17 +720,17 @@ struct evp_cipher_ctx_st { // app_data is a pointer to opaque, user data. void *app_data; // application stuff - // cipher_data points to the |cipher| specific state. + // cipher_data points to the `cipher` specific state. void *cipher_data; // key_len contains the length of the key, which may differ from - // |cipher->key_len| if the cipher can take a variable key length. + // `cipher->key_len` if the cipher can take a variable key length. unsigned key_len; // encrypt is one if encrypting and zero if decrypting. int encrypt; - // flags contains the OR of zero or more |EVP_CIPH_*| flags, above. + // flags contains the OR of zero or more `EVP_CIPH_*` flags, above. uint32_t flags; // oiv contains the original IV value. @@ -666,14 +744,14 @@ struct evp_cipher_ctx_st { uint8_t buf[EVP_MAX_BLOCK_LENGTH]; // buf_len contains the number of bytes of a partial block contained in - // |buf|. + // `buf`. int buf_len; - // num contains the number of bytes of |iv| which are valid for modes that + // num contains the number of bytes of `iv` which are valid for modes that // manage partial blocks themselves. unsigned num; - // final_used is non-zero if the |final| buffer contains plaintext. + // final_used is non-zero if the `final` buffer contains plaintext. int final_used; uint8_t final[EVP_MAX_BLOCK_LENGTH]; // possible final block diff --git a/third_party/boringssl/src/include/openssl/cmac.h b/third_party/boringssl/src/include/openssl/cmac.h index 3e5a2d65..33bbf580 100644 
--- a/third_party/boringssl/src/include/openssl/cmac.h +++ b/third_party/boringssl/src/include/openssl/cmac.h @@ -30,8 +30,8 @@ extern "C" { // One-shot functions. -// AES_CMAC calculates the 16-byte, CMAC authenticator of |in_len| bytes of -// |in| and writes it to |out|. The |key_len| may be 16 or 32 bytes to select +// AES_CMAC calculates the 16-byte, CMAC authenticator of `in_len` bytes of +// `in` and writes it to `out`. The `key_len` may be 16 or 32 bytes to select // between AES-128 and AES-256. It returns one on success or zero on error. OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len, const uint8_t *in, size_t in_len); 
@@ -39,36 +39,36 @@ OPENSSL_EXPORT int AES_CMAC(uint8_t out[16], const uint8_t *key, size_t key_len, // Incremental interface. -// CMAC_CTX_new allocates a fresh |CMAC_CTX| and returns it, or NULL on +// CMAC_CTX_new allocates a fresh `CMAC_CTX` and returns it, or NULL on // error. OPENSSL_EXPORT CMAC_CTX *CMAC_CTX_new(void); -// CMAC_CTX_free frees a |CMAC_CTX|. +// CMAC_CTX_free frees a `CMAC_CTX`. OPENSSL_EXPORT void CMAC_CTX_free(CMAC_CTX *ctx); -// CMAC_CTX_copy sets |out| to be a duplicate of the current state |in|. It +// CMAC_CTX_copy sets `out` to be a duplicate of the current state `in`. It // returns one on success and zero on error. OPENSSL_EXPORT int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in); -// CMAC_Init configures |ctx| to use the given |key| and |cipher|. The CMAC RFC -// only specifies the use of AES-128 thus |key_len| should be 16 and |cipher| -// should be |EVP_aes_128_cbc()|. However, this implementation also supports -// AES-256 by setting |key_len| to 32 and |cipher| to |EVP_aes_256_cbc()|. The -// |engine| argument is ignored. +// CMAC_Init configures `ctx` to use the given `key` and `cipher`. The CMAC RFC +// only specifies the use of AES-128 thus `key_len` should be 16 and `cipher` +// should be `EVP_aes_128_cbc()`. However, this implementation also supports +// AES-256 by setting `key_len` to 32 and `cipher` to `EVP_aes_256_cbc()`. The +// `engine` argument is ignored. // // It returns one on success or zero on error. OPENSSL_EXPORT int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t key_len, const EVP_CIPHER *cipher, ENGINE *engine); -// CMAC_Reset resets |ctx| so that a fresh message can be authenticated. +// CMAC_Reset resets `ctx` so that a fresh message can be authenticated. OPENSSL_EXPORT int CMAC_Reset(CMAC_CTX *ctx); -// CMAC_Update processes |in_len| bytes of message from |in|. It returns one on +// CMAC_Update processes `in_len` bytes of message from `in`. It returns one on // success or zero on error. 
OPENSSL_EXPORT int CMAC_Update(CMAC_CTX *ctx, const uint8_t *in, size_t in_len); -// CMAC_Final sets |*out_len| to 16 and, if |out| is not NULL, writes 16 bytes +// CMAC_Final sets `*out_len` to 16 and, if `out` is not NULL, writes 16 bytes // of authenticator to it. It returns one on success or zero on error. OPENSSL_EXPORT int CMAC_Final(CMAC_CTX *ctx, uint8_t *out, size_t *out_len); diff --git a/third_party/boringssl/src/include/openssl/cms.h b/third_party/boringssl/src/include/openssl/cms.h index fdb8e9ee..d365a462 100644 --- a/third_party/boringssl/src/include/openssl/cms.h +++ b/third_party/boringssl/src/include/openssl/cms.h @@ -31,10 +31,10 @@ extern "C" { // for S/MIME, is out of scope for BoringSSL. // // As this library is intentionally not a general CMS implementation, BoringSSL -// continues to define |OPENSSL_NO_CMS|, so that most callers turn off their +// continues to define `OPENSSL_NO_CMS`, so that most callers turn off their // general-purpose CMS code. In callers that are compatible with this subset, -// the |BORINGSSL_NO_NO_CMS| build option can be used to suppress -// |OPENSSL_NO_CMS|. +// the `BORINGSSL_NO_NO_CMS` build option can be used to suppress +// `OPENSSL_NO_CMS`. DECLARE_STACK_OF(X509) 
@@ -51,79 +51,79 @@ DECLARE_STACK_OF(X509) #define CMS_USE_KEYID 0x10000 #define CMS_NO_SIGNING_TIME 0x400000 -// CMS_sign returns a newly-allocated |CMS_ContentInfo| structure for building a +// CMS_sign returns a newly-allocated `CMS_ContentInfo` structure for building a // SignedData (RFC 5652), or NULL on error. // -// |certs| must be NULL or zero length. BoringSSL does not support embedding +// `certs` must be NULL or zero length. BoringSSL does not support embedding // certificates in SignedData. // -// |flags| must contain |CMS_DETACHED|, which indicates an external signature. +// `flags` must contain `CMS_DETACHED`, which indicates an external signature. // BoringSSL only supports generating external signatures and does not support // embedding encapsulated content directly in a SignedData. // -// If |pkey| is non-NULL, |CMS_add1_signer| is automatically called with -// |signcert|, |pkey|, a default hash of SHA-256, and |flags|. |flags| will then -// additionally be interpreted as in |CMS_add1_signer|. +// If `pkey` is non-NULL, `CMS_add1_signer` is automatically called with +// `signcert`, `pkey`, a default hash of SHA-256, and `flags`. `flags` will then +// additionally be interpreted as in `CMS_add1_signer`. // -// If |CMS_PARTIAL| or |CMS_STREAM| is set in |flags|, the object will be left -// incomplete. |data| will then be ignored and should be NULL. The caller can -// then continue configuring it and finalizing it with |CMS_final|. Otherwise, -// the object will be finalized with |data| and |flags| passed to |CMS_final|. +// If `CMS_PARTIAL` or `CMS_STREAM` is set in `flags`, the object will be left +// incomplete. `data` will then be ignored and should be NULL. The caller can +// then continue configuring it and finalizing it with `CMS_final`. Otherwise, +// the object will be finalized with `data` and `flags` passed to `CMS_final`. 
OPENSSL_EXPORT CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, uint32_t flags); -// CMS_ContentInfo_free releases memory associated with |cms|. +// CMS_ContentInfo_free releases memory associated with `cms`. OPENSSL_EXPORT void CMS_ContentInfo_free(CMS_ContentInfo *cms); -// CMS_add1_signer adds a signer to |cms|, which must be a SignedData created by -// |CMS_sign|, with the |CMS_PARTIAL| flag set. The signer will use |signcert|, -// |pkey|, and |md| for the signing certificate, private key, and digest +// CMS_add1_signer adds a signer to `cms`, which must be a SignedData created by +// `CMS_sign`, with the `CMS_PARTIAL` flag set. The signer will use `signcert`, +// `pkey`, and `md` for the signing certificate, private key, and digest // algorithm, respectively. It returns a non-NULL pointer to the signer on -// success, and NULL on error. The signer is owned by |cms| and should not be +// success, and NULL on error. The signer is owned by `cms` and should not be // released by the caller. // -// |flags| is interpreted as follows: +// `flags` is interpreted as follows: // -// - |CMS_PARTIAL| must not be set. BoringSSL does not support configuring a +// - `CMS_PARTIAL` must not be set. BoringSSL does not support configuring a // signer in multiple steps. // -// - |CMS_NOCERTS| must be set. BoringSSL does not support embedding +// - `CMS_NOCERTS` must be set. BoringSSL does not support embedding // certificates in SignedData. // -// - |CMS_NOATTR| must be set. BoringSSL does not support attributes in +// - `CMS_NOATTR` must be set. BoringSSL does not support attributes in // SignedData. // -// - If |CMS_USE_KEYID| is set, SignerInfos will be identified by subject key -// identifier instead of issuer and serial number. |signcert| must then have +// - If `CMS_USE_KEYID` is set, SignerInfos will be identified by subject key +// identifier instead of issuer and serial number. 
`signcert` must then have // the subject key identifier extension. // -// BoringSSL currently only supports one signer per |CMS_ContentInfo|. +// BoringSSL currently only supports one signer per `CMS_ContentInfo`. // Subsequent calls will fail. Additionally, only RSA keys are currently -// supported for |pkey|. +// supported for `pkey`. OPENSSL_EXPORT CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signcert, EVP_PKEY *pkey, const EVP_MD *md, uint32_t flags); -// CMS_final finalizes constructing |cms|, which must have been initialized with -// the |CMS_PARTIAL| flag. |data| is read, until EOF, as the data to be +// CMS_final finalizes constructing `cms`, which must have been initialized with +// the `CMS_PARTIAL` flag. `data` is read, until EOF, as the data to be // processed by CMS. It returns one on success and zero on error. // -// |CMS_BINARY| must be set in |flags|. BoringSSL does not support translating +// `CMS_BINARY` must be set in `flags`. BoringSSL does not support translating // inputs according to S/MIME. // -// |dcont| must be NULL. What a non-NULL |dcont| does is not clearly documented +// `dcont` must be NULL. What a non-NULL `dcont` does is not clearly documented // by OpenSSL, and there are no tests to demonstrate its behavior. OPENSSL_EXPORT int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, uint32_t flags); -// i2d_CMS_bio encodes |cms| as a DER-encoded ContentInfo structure (RFC 5652). +// i2d_CMS_bio encodes `cms` as a DER-encoded ContentInfo structure (RFC 5652). // It returns one on success and zero on failure. OPENSSL_EXPORT int i2d_CMS_bio(BIO *out, CMS_ContentInfo *cms); -// i2d_CMS_bio_stream calls |i2d_CMS_bio|. |in| must be NULL and |flags| must -// not contain |CMS_STREAM|. BoringSSL does not support any streaming modes for +// i2d_CMS_bio_stream calls `i2d_CMS_bio`. `in` must be NULL and `flags` must +// not contain `CMS_STREAM`. BoringSSL does not support any streaming modes for // CMS. 
OPENSSL_EXPORT int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags); diff --git a/third_party/boringssl/src/include/openssl/conf.h b/third_party/boringssl/src/include/openssl/conf.h index 875124ec..94765775 100644 --- a/third_party/boringssl/src/include/openssl/conf.h +++ b/third_party/boringssl/src/include/openssl/conf.h @@ -36,7 +36,7 @@ extern "C" { // [section_name] // key2=value2 // -// Config files are represented by a |CONF|. Use of this module is strongly +// Config files are represented by a `CONF`. Use of this module is strongly // discouraged. It is a remnant of the OpenSSL command-line tool. Parsing an // untrusted input as a config file risks string injection and denial of service // vulnerabilities. 
@@ -51,32 +51,32 @@ struct conf_value_st { DEFINE_STACK_OF(CONF_VALUE) -// NCONF_new returns a fresh, empty |CONF|, or NULL on error. The |method| +// NCONF_new returns a fresh, empty `CONF`, or NULL on error. The `method` // argument must be NULL. OPENSSL_EXPORT CONF *NCONF_new(void *method); -// NCONF_free frees all the data owned by |conf| and then |conf| itself. +// NCONF_free frees all the data owned by `conf` and then `conf` itself. OPENSSL_EXPORT void NCONF_free(CONF *conf); -// NCONF_load parses the file named |filename| and adds the values found to -// |conf|. It returns one on success and zero on error. In the event of an -// error, if |out_error_line| is not NULL, |*out_error_line| is set to the +// NCONF_load parses the file named `filename` and adds the values found to +// `conf`. It returns one on success and zero on error. In the event of an +// error, if `out_error_line` is not NULL, `*out_error_line` is set to the // number of the line that contained the error. OPENSSL_EXPORT int NCONF_load(CONF *conf, const char *filename, long *out_error_line); -// NCONF_load_bio acts like |NCONF_load| but reads from |bio| rather than from +// NCONF_load_bio acts like `NCONF_load` but reads from `bio` rather than from // a named file. OPENSSL_EXPORT int NCONF_load_bio(CONF *conf, BIO *bio, long *out_error_line); -// NCONF_get_section returns a stack of values for a given section in |conf|. -// If |section| is NULL, the default section is returned. It returns NULL on +// NCONF_get_section returns a stack of values for a given section in `conf`. +// If `section` is NULL, the default section is returned. It returns NULL on // error. OPENSSL_EXPORT const STACK_OF(CONF_VALUE) *NCONF_get_section( const CONF *conf, const char *section); -// NCONF_get_string returns the value of the key |name|, in section |section|. -// The |section| argument may be NULL to indicate the default section. It +// NCONF_get_string returns the value of the key `name`, in section `section`. 
+// The `section` argument may be NULL to indicate the default section. It // returns the value or NULL on error. OPENSSL_EXPORT const char *NCONF_get_string(const CONF *conf, const char *section, @@ -91,7 +91,7 @@ OPENSSL_EXPORT const char *NCONF_get_string(const CONF *conf, #define CONF_MFLAGS_IGNORE_MISSING_FILE 0 // CONF_modules_load_file returns one. BoringSSL is defined to have no config -// file options, thus loading from |filename| always succeeds by doing nothing. +// file options, thus loading from `filename` always succeeds by doing nothing. OPENSSL_EXPORT int CONF_modules_load_file(const char *filename, const char *appname, unsigned long flags); diff --git a/third_party/boringssl/src/include/openssl/crypto.h b/third_party/boringssl/src/include/openssl/crypto.h index a22bfa23..8f6af1f0 100644 --- a/third_party/boringssl/src/include/openssl/crypto.h +++ b/third_party/boringssl/src/include/openssl/crypto.h @@ -18,11 +18,11 @@ #include // IWYU pragma: export #include -// Upstream OpenSSL defines |OPENSSL_malloc|, etc., in crypto.h rather than +// Upstream OpenSSL defines `OPENSSL_malloc`, etc., in crypto.h rather than // mem.h. #include -// Upstream OpenSSL defines |CRYPTO_LOCK|, etc., in crypto.h rather than +// Upstream OpenSSL defines `CRYPTO_LOCK`, etc., in crypto.h rather than // thread.h. #include @@ -111,7 +111,7 @@ enum fips_counter_t { }; // FIPS_read_counter returns a counter of the number of times the specific -// function denoted by |counter| has been used. This always returns zero unless +// function denoted by `counter` has been used. This always returns zero unless // BoringSSL was built with BORINGSSL_FIPS_COUNTERS defined. OPENSSL_EXPORT size_t FIPS_read_counter(enum fips_counter_t counter); 
@@ -129,7 +129,7 @@ OPENSSL_EXPORT size_t FIPS_read_counter(enum fips_counter_t counter); #define OPENSSL_DIR 4 // OpenSSL_version is a compatibility function that returns the string -// "BoringSSL" if |which| is |OPENSSL_VERSION| and placeholder strings +// "BoringSSL" if `which` is `OPENSSL_VERSION` and placeholder strings // otherwise. OPENSSL_EXPORT const char *OpenSSL_version(int which); @@ -139,7 +139,7 @@ OPENSSL_EXPORT const char *OpenSSL_version(int which); #define SSLEAY_PLATFORM OPENSSL_PLATFORM #define SSLEAY_DIR OPENSSL_DIR -// SSLeay_version calls |OpenSSL_version|. +// SSLeay_version calls `OpenSSL_version`. OPENSSL_EXPORT const char *SSLeay_version(int which); // SSLeay is a compatibility function that returns OPENSSL_VERSION_NUMBER from @@ -196,8 +196,8 @@ OPENSSL_EXPORT int OPENSSL_init_crypto(uint64_t opts, // OPENSSL_cleanup does nothing. OPENSSL_EXPORT void OPENSSL_cleanup(void); -// FIPS_mode_set returns one if |on| matches whether BoringSSL was built with -// |BORINGSSL_FIPS| and zero otherwise. +// FIPS_mode_set returns one if `on` matches whether BoringSSL was built with +// `BORINGSSL_FIPS` and zero otherwise. OPENSSL_EXPORT int FIPS_mode_set(int on); // FIPS_module_name returns the name of the FIPS module. @@ -210,10 +210,10 @@ OPENSSL_EXPORT const uint8_t *FIPS_module_hash(void); // isn't exactly at a verified version. The version, expressed in base 10, will // be a date in the form yyyymmdd. // -// (This format exceeds a |uint32_t| in the year 4294.) +// (This format exceeds a `uint32_t` in the year 4294.) OPENSSL_EXPORT uint32_t FIPS_version(void); -// FIPS_query_algorithm_status returns one if |algorithm| is FIPS validated in +// FIPS_query_algorithm_status returns one if `algorithm` is FIPS validated in // the current BoringSSL and zero otherwise. OPENSSL_EXPORT int FIPS_query_algorithm_status(const char *algorithm); 
diff --git a/third_party/boringssl/src/include/openssl/ctrdrbg.h b/third_party/boringssl/src/include/openssl/ctrdrbg.h index 849fc82b..678b08b6 100644 --- a/third_party/boringssl/src/include/openssl/ctrdrbg.h +++ b/third_party/boringssl/src/include/openssl/ctrdrbg.h @@ -53,17 +53,17 @@ extern "C" { #define CTR_DRBG_NONCE_LEN 16 // CTR_DRBG_MAX_GENERATE_LENGTH is the maximum number of bytes that can be -// generated in a single call to |CTR_DRBG_generate|. +// generated in a single call to `CTR_DRBG_generate`. #define CTR_DRBG_MAX_GENERATE_LENGTH 65536 -// CTR_DRBG_new returns an initialized |CTR_DRBG_STATE|, or NULL if either -// allocation failed or if |personalization_len| is invalid. This DRBG will not +// CTR_DRBG_new returns an initialized `CTR_DRBG_STATE`, or NULL if either +// allocation failed or if `personalization_len` is invalid. This DRBG will not // use a derivation function. OPENSSL_EXPORT CTR_DRBG_STATE *CTR_DRBG_new( const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], const uint8_t *personalization, size_t personalization_len); -// CTR_DRBG_new_df returns an initialized |CTR_DRBG_STATE|, or NULL if either +// CTR_DRBG_new_df returns an initialized `CTR_DRBG_STATE`, or NULL if either // allocation failed or if an argument is invalid. This DRBG will use a // derivation function. OPENSSL_EXPORT CTR_DRBG_STATE *CTR_DRBG_new_df( 
@@ -71,11 +71,11 @@ OPENSSL_EXPORT CTR_DRBG_STATE *CTR_DRBG_new_df( const uint8_t nonce[CTR_DRBG_NONCE_LEN], const uint8_t *personalization, size_t personalization_len); -// CTR_DRBG_free frees |state| if non-NULL, or else does nothing. +// CTR_DRBG_free frees `state` if non-NULL, or else does nothing. OPENSSL_EXPORT void CTR_DRBG_free(CTR_DRBG_STATE *state); -// CTR_DRBG_reseed reseeds |drbg| given |CTR_DRBG_ENTROPY_LEN| bytes of entropy -// in |entropy| and, optionally, up to |CTR_DRBG_SEED_LEN| bytes of +// CTR_DRBG_reseed reseeds `drbg` given `CTR_DRBG_ENTROPY_LEN` bytes of entropy +// in `entropy` and, optionally, up to `CTR_DRBG_SEED_LEN` bytes of // additional data. It returns one on success or zero on error. OPENSSL_EXPORT int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg, const uint8_t entropy[CTR_DRBG_ENTROPY_LEN], 
@@ -83,23 +83,23 @@ OPENSSL_EXPORT int CTR_DRBG_reseed(CTR_DRBG_STATE *drbg, size_t additional_data_len); // CTR_DRBG_reseed_ex acts like `CTR_DRBG_reseed` but with variable-length -// entropy input, up to |CTR_DRBG_MAX_ENTROPY_LEN|. +// entropy input, up to `CTR_DRBG_MAX_ENTROPY_LEN`. OPENSSL_EXPORT int CTR_DRBG_reseed_ex(CTR_DRBG_STATE *drbg, const uint8_t *entropy, size_t entropy_len, const uint8_t *additional_data, size_t additional_data_len); -// CTR_DRBG_generate processes to up |CTR_DRBG_ENTROPY_LEN| bytes of additional -// data (if any) and then writes |out_len| random bytes to |out|, where -// |out_len| <= |CTR_DRBG_MAX_GENERATE_LENGTH|. It returns one on success or +// CTR_DRBG_generate processes to up `CTR_DRBG_ENTROPY_LEN` bytes of additional +// data (if any) and then writes `out_len` random bytes to `out`, where +// `out_len` <= `CTR_DRBG_MAX_GENERATE_LENGTH`. It returns one on success or // zero on error. OPENSSL_EXPORT int CTR_DRBG_generate(CTR_DRBG_STATE *drbg, uint8_t *out, size_t out_len, const uint8_t *additional_data, size_t additional_data_len); -// CTR_DRBG_clear zeroises the state of |drbg|. +// CTR_DRBG_clear zeroises the state of `drbg`. OPENSSL_EXPORT void CTR_DRBG_clear(CTR_DRBG_STATE *drbg); diff --git a/third_party/boringssl/src/include/openssl/curve25519.h b/third_party/boringssl/src/include/openssl/curve25519.h index 85a08b80..83d7d97e 100644 --- a/third_party/boringssl/src/include/openssl/curve25519.h +++ b/third_party/boringssl/src/include/openssl/curve25519.h 
@@ -37,12 +37,12 @@ extern "C" { #define X25519_PUBLIC_VALUE_LEN 32 #define X25519_SHARED_KEY_LEN 32 -// X25519_keypair sets |out_public_value| and |out_private_key| to a freshly +// X25519_keypair sets `out_public_value` and `out_private_key` to a freshly // generated, public–private key pair. OPENSSL_EXPORT void X25519_keypair(uint8_t out_public_value[32], uint8_t out_private_key[32]); -// X25519 writes a shared key to |out_shared_key| that is calculated from the +// X25519 writes a shared key to `out_shared_key` that is calculated from the // given private key and the peer's public value. It returns one on success and // zero on error. // @@ -53,7 +53,7 @@ OPENSSL_EXPORT int X25519(uint8_t out_shared_key[32], const uint8_t peer_public_value[32]); // X25519_public_from_private calculates a Diffie-Hellman public value from the -// given private key and writes it to |out_public_value|. +// given private key and writes it to `out_public_value`. OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32], const uint8_t private_key[32]); 
@@ -72,20 +72,20 @@ OPENSSL_EXPORT void X25519_public_from_private(uint8_t out_public_value[32], #define ED25519_PUBLIC_KEY_LEN 32 #define ED25519_SIGNATURE_LEN 64 -// ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly +// ED25519_keypair sets `out_public_key` and `out_private_key` to a freshly // generated, public–private key pair. OPENSSL_EXPORT void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]); -// ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from -// |message| using |private_key|. It returns one on success or zero on +// ED25519_sign sets `out_sig` to be a signature of `message_len` bytes from +// `message` using `private_key`. It returns one on success or zero on // allocation failure. OPENSSL_EXPORT int ED25519_sign(uint8_t out_sig[64], const uint8_t *message, size_t message_len, const uint8_t private_key[64]); -// ED25519_verify returns one iff |signature| is a valid signature, by -// |public_key| of |message_len| bytes from |message|. It returns zero +// ED25519_verify returns one iff `signature` is a valid signature, by +// `public_key` of `message_len` bytes from `message`. It returns zero // otherwise. OPENSSL_EXPORT int ED25519_verify(const uint8_t *message, size_t message_len, const uint8_t signature[64], 
@@ -118,12 +118,12 @@ enum spake2_role_t { spake2_role_bob, }; -// SPAKE2_CTX_new creates a new |SPAKE2_CTX| (which can only be used for a +// SPAKE2_CTX_new creates a new `SPAKE2_CTX` (which can only be used for a // single execution of the protocol). SPAKE2 requires the symmetry of the two -// parties to be broken which is indicated via |my_role| – each party must pass +// parties to be broken which is indicated via `my_role` – each party must pass // a different value for this argument. // -// The |my_name| and |their_name| arguments allow optional, opaque names to be +// The `my_name` and `their_name` arguments allow optional, opaque names to be // bound into the protocol. For example MAC addresses, hostnames, usernames // etc. These values are not exposed and can avoid context-confusion attacks // when a password is shared between several devices. 
@@ -132,19 +132,19 @@ OPENSSL_EXPORT SPAKE2_CTX *SPAKE2_CTX_new( const uint8_t *my_name, size_t my_name_len, const uint8_t *their_name, size_t their_name_len); -// SPAKE2_CTX_free frees |ctx| and all the resources that it has allocated. +// SPAKE2_CTX_free frees `ctx` and all the resources that it has allocated. OPENSSL_EXPORT void SPAKE2_CTX_free(SPAKE2_CTX *ctx); // SPAKE2_MAX_MSG_SIZE is the maximum size of a SPAKE2 message. #define SPAKE2_MAX_MSG_SIZE 32 -// SPAKE2_generate_msg generates a SPAKE2 message given |password|, writes -// it to |out| and sets |*out_len| to the number of bytes written. +// SPAKE2_generate_msg generates a SPAKE2 message given `password`, writes +// it to `out` and sets `*out_len` to the number of bytes written. // -// At most |max_out_len| bytes are written to |out| and, in order to ensure -// success, |max_out_len| should be at least |SPAKE2_MAX_MSG_SIZE| bytes. +// At most `max_out_len` bytes are written to `out` and, in order to ensure +// success, `max_out_len` should be at least `SPAKE2_MAX_MSG_SIZE` bytes. // -// This function can only be called once for a given |SPAKE2_CTX|. +// This function can only be called once for a given `SPAKE2_CTX`. // // It returns one on success and zero on error. OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, @@ -157,8 +157,8 @@ OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, #define SPAKE2_MAX_KEY_SIZE 64 // SPAKE2_process_msg completes the SPAKE2 exchange given the peer's message in -// |their_msg|, writes at most |max_out_key_len| bytes to |out_key| and sets -// |*out_key_len| to the number of bytes written. +// `their_msg`, writes at most `max_out_key_len` bytes to `out_key` and sets +// `*out_key_len` to the number of bytes written. // // The resulting keying material is suitable for: // - Using directly in a key-confirmation step: i.e. each side could 
@@ -167,13 +167,13 @@ OPENSSL_EXPORT int SPAKE2_generate_msg(SPAKE2_CTX *ctx, uint8_t *out, // - Using as input keying material to HKDF to generate a variety of subkeys // for encryption etc. // -// If |max_out_key_key| is smaller than the amount of key material generated +// If `max_out_key_key` is smaller than the amount of key material generated // then the key is silently truncated. If you want to ensure that no truncation -// occurs then |max_out_key| should be at least |SPAKE2_MAX_KEY_SIZE|. +// occurs then `max_out_key` should be at least `SPAKE2_MAX_KEY_SIZE`. // -// You must call |SPAKE2_generate_msg| on a given |SPAKE2_CTX| before calling -// this function. On successful return, |ctx| is complete and calling -// |SPAKE2_CTX_free| is the only acceptable operation on it. +// You must call `SPAKE2_generate_msg` on a given `SPAKE2_CTX` before calling +// this function. On successful return, `ctx` is complete and calling +// `SPAKE2_CTX_free` is the only acceptable operation on it. // // Returns one on success or zero on error. OPENSSL_EXPORT int SPAKE2_process_msg(SPAKE2_CTX *ctx, uint8_t *out_key, diff --git a/third_party/boringssl/src/include/openssl/des.h b/third_party/boringssl/src/include/openssl/des.h index c6013910..ce4571ff 100644 --- a/third_party/boringssl/src/include/openssl/des.h +++ b/third_party/boringssl/src/include/openssl/des.h 
@@ -49,32 +49,32 @@ typedef struct DES_ks { #define DES_CBC_MODE 0 #define DES_PCBC_MODE 1 -// DES_set_key performs a key schedule and initialises |schedule| with |key|. +// DES_set_key performs a key schedule and initialises `schedule` with `key`. OPENSSL_EXPORT void DES_set_key(const DES_cblock *key, DES_key_schedule *schedule); // DES_set_odd_parity sets the parity bits (the least-significant bits in each -// byte) of |key| given the other bits in each byte. +// byte) of `key` given the other bits in each byte. OPENSSL_EXPORT void DES_set_odd_parity(DES_cblock *key); -// DES_ecb_encrypt encrypts (or decrypts, if |is_encrypt| is |DES_DECRYPT|) a -// single DES block (8 bytes) from |in| to |out|, using the key configured in -// |schedule|. +// DES_ecb_encrypt encrypts (or decrypts, if `is_encrypt` is `DES_DECRYPT`) a +// single DES block (8 bytes) from `in` to `out`, using the key configured in +// `schedule`. OPENSSL_EXPORT void DES_ecb_encrypt(const DES_cblock *in, DES_cblock *out, const DES_key_schedule *schedule, int is_encrypt); -// DES_ncbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len| -// bytes from |in| to |out| with DES in CBC mode. |len| must be a multiple of 8. -// The IV is taken from |ivec|. When the function completes, the IV for the next -// block is written to |ivec|. +// DES_ncbc_encrypt encrypts (or decrypts, if `enc` is `DES_DECRYPT`) `len` +// bytes from `in` to `out` with DES in CBC mode. `len` must be a multiple of 8. +// The IV is taken from `ivec`. When the function completes, the IV for the next +// block is written to `ivec`. OPENSSL_EXPORT void DES_ncbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *schedule, DES_cblock *ivec, int enc); -// DES_ecb3_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) a single -// block (8 bytes) of data from |input| to |output| using 3DES. 
+// DES_ecb3_encrypt encrypts (or decrypts, if `enc` is `DES_DECRYPT`) a single +// block (8 bytes) of data from `input` to `output` using 3DES. OPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input, DES_cblock *output, const DES_key_schedule *ks1, @@ -82,11 +82,11 @@ OPENSSL_EXPORT void DES_ecb3_encrypt(const DES_cblock *input, const DES_key_schedule *ks3, int enc); -// DES_ede3_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len| -// bytes from |in| to |out| with 3DES in CBC mode. 3DES uses three keys, thus -// the function takes three different |DES_key_schedule|s. |len| must be a -// multiple of 8. The IV is taken from |ivec|. When the function completes, the -// IV for the next block is written to |ivec|. +// DES_ede3_cbc_encrypt encrypts (or decrypts, if `enc` is `DES_DECRYPT`) `len` +// bytes from `in` to `out` with 3DES in CBC mode. 3DES uses three keys, thus +// the function takes three different `DES_key_schedule`s. `len` must be a +// multiple of 8. The IV is taken from `ivec`. When the function completes, the +// IV for the next block is written to `ivec`. OPENSSL_EXPORT void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *ks1, 
@@ -94,12 +94,12 @@ OPENSSL_EXPORT void DES_ede3_cbc_encrypt(const uint8_t *in, uint8_t *out, const DES_key_schedule *ks3, DES_cblock *ivec, int enc); -// DES_ede2_cbc_encrypt encrypts (or decrypts, if |enc| is |DES_DECRYPT|) |len| -// bytes from |in| to |out| with 3DES in CBC mode. With this keying option, the +// DES_ede2_cbc_encrypt encrypts (or decrypts, if `enc` is `DES_DECRYPT`) `len` +// bytes from `in` to `out` with 3DES in CBC mode. With this keying option, the // first and third 3DES keys are identical. Thus, this function takes only two -// different |DES_key_schedule|s. |len| must be a multiple of 8. The IV is taken -// from |ivec|. When the function completes, the IV for the next block is -// written to |ivec|. +// different `DES_key_schedule`s. `len` must be a multiple of 8. The IV is taken +// from `ivec`. When the function completes, the IV for the next block is +// written to `ivec`. OPENSSL_EXPORT void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, size_t len, const DES_key_schedule *ks1, @@ -109,7 +109,7 @@ OPENSSL_EXPORT void DES_ede2_cbc_encrypt(const uint8_t *in, uint8_t *out, // Deprecated functions. -// DES_set_key_unchecked calls |DES_set_key|. +// DES_set_key_unchecked calls `DES_set_key`. OPENSSL_EXPORT void DES_set_key_unchecked(const DES_cblock *key, DES_key_schedule *schedule); diff --git a/third_party/boringssl/src/include/openssl/dh.h b/third_party/boringssl/src/include/openssl/dh.h index acba59f3..59e8c9c7 100644 --- a/third_party/boringssl/src/include/openssl/dh.h +++ b/third_party/boringssl/src/include/openssl/dh.h 
@@ -32,21 +32,21 @@ extern "C" { // Allocation and destruction. // -// A |DH| object represents a Diffie-Hellman key or group parameters. A given +// A `DH` object represents a Diffie-Hellman key or group parameters. A given // object may be used concurrently on multiple threads by non-mutating // functions, provided no other thread is concurrently calling a mutating -// function. Unless otherwise documented, functions which take a |const| pointer -// are non-mutating and functions which take a non-|const| pointer are mutating. +// function. Unless otherwise documented, functions which take a `const` pointer +// are non-mutating and functions which take a non-`const` pointer are mutating. // DH_new returns a new, empty DH object or NULL on error. OPENSSL_EXPORT DH *DH_new(void); -// DH_free decrements the reference count of |dh| and frees it if the reference +// DH_free decrements the reference count of `dh` and frees it if the reference // count drops to zero. OPENSSL_EXPORT void DH_free(DH *dh); -// DH_up_ref increments the reference count of |dh| and returns one. It does not -// mutate |dh| for thread-safety purposes and may be used concurrently. +// DH_up_ref increments the reference count of `dh` and returns one. It does not +// mutate `dh` for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int DH_up_ref(DH *dh); 
@@ -56,52 +56,52 @@ OPENSSL_EXPORT int DH_up_ref(DH *dh); // modulus, in bits. #define OPENSSL_DH_MAX_MODULUS_BITS 8192 -// DH_bits returns the size of |dh|'s group modulus, in bits. +// DH_bits returns the size of `dh`'s group modulus, in bits. OPENSSL_EXPORT unsigned DH_bits(const DH *dh); // DH_size returns the number of bytes in the DH group's prime. OPENSSL_EXPORT int DH_size(const DH *dh); -// DH_get0_pub_key returns |dh|'s public key. +// DH_get0_pub_key returns `dh`'s public key. OPENSSL_EXPORT const BIGNUM *DH_get0_pub_key(const DH *dh); -// DH_get0_priv_key returns |dh|'s private key, or NULL if |dh| is a public key. +// DH_get0_priv_key returns `dh`'s private key, or NULL if `dh` is a public key. OPENSSL_EXPORT const BIGNUM *DH_get0_priv_key(const DH *dh); -// DH_get0_p returns |dh|'s group modulus. +// DH_get0_p returns `dh`'s group modulus. OPENSSL_EXPORT const BIGNUM *DH_get0_p(const DH *dh); -// DH_get0_q returns the size of |dh|'s subgroup, or NULL if it is unset. +// DH_get0_q returns the size of `dh`'s subgroup, or NULL if it is unset. OPENSSL_EXPORT const BIGNUM *DH_get0_q(const DH *dh); -// DH_get0_g returns |dh|'s group generator. +// DH_get0_g returns `dh`'s group generator. OPENSSL_EXPORT const BIGNUM *DH_get0_g(const DH *dh); -// DH_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dh|'s -// public and private key, respectively. If |dh| is a public key, the private +// DH_get0_key sets `*out_pub_key` and `*out_priv_key`, if non-NULL, to `dh`'s +// public and private key, respectively. If `dh` is a public key, the private // key will be set to NULL. OPENSSL_EXPORT void DH_get0_key(const DH *dh, const BIGNUM **out_pub_key, const BIGNUM **out_priv_key); -// DH_set0_key sets |dh|'s public and private key to the specified values. If +// DH_set0_key sets `dh`'s public and private key to the specified values. If // NULL, the field is left unchanged. On success, it takes ownership of each // argument and returns one. 
Otherwise, it returns zero. OPENSSL_EXPORT int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); -// DH_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dh|'s p, +// DH_get0_pqg sets `*out_p`, `*out_q`, and `*out_g`, if non-NULL, to `dh`'s p, // q, and g parameters, respectively. OPENSSL_EXPORT void DH_get0_pqg(const DH *dh, const BIGNUM **out_p, const BIGNUM **out_q, const BIGNUM **out_g); -// DH_set0_pqg sets |dh|'s p, q, and g parameters to the specified values. If +// DH_set0_pqg sets `dh`'s p, q, and g parameters to the specified values. If // NULL, the field is left unchanged. On success, it takes ownership of each -// argument and returns one. Otherwise, it returns zero. |q| may be NULL, but -// |p| and |g| must either be specified or already configured on |dh|. +// argument and returns one. Otherwise, it returns zero. `q` may be NULL, but +// `p` and `g` must either be specified or already configured on `dh`. OPENSSL_EXPORT int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); // DH_set_length sets the number of bits to use for the secret exponent when -// calling |DH_generate_key| on |dh| and returns one. If unset, -// |DH_generate_key| will use the bit length of p. +// calling `DH_generate_key` on `dh` and returns one. If unset, +// `DH_generate_key` will use the bit length of p. OPENSSL_EXPORT int DH_set_length(DH *dh, unsigned priv_length); 
@@ -112,38 +112,38 @@ OPENSSL_EXPORT int DH_set_length(DH *dh, unsigned priv_length); // of memory. OPENSSL_EXPORT DH *DH_get_rfc7919_2048(void); -// BN_get_rfc3526_prime_1536 sets |*ret| to the 1536-bit MODP group from RFC -// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated +// BN_get_rfc3526_prime_1536 sets `*ret` to the 1536-bit MODP group from RFC +// 3526 and returns `ret`. If `ret` is NULL then a fresh `BIGNUM` is allocated // and returned. It returns NULL on allocation failure. The generator for this // group is 2. OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *ret); -// BN_get_rfc3526_prime_2048 sets |*ret| to the 2048-bit MODP group from RFC -// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated +// BN_get_rfc3526_prime_2048 sets `*ret` to the 2048-bit MODP group from RFC +// 3526 and returns `ret`. If `ret` is NULL then a fresh `BIGNUM` is allocated // and returned. It returns NULL on allocation failure. The generator for this // group is 2. OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *ret); -// BN_get_rfc3526_prime_3072 sets |*ret| to the 3072-bit MODP group from RFC -// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated +// BN_get_rfc3526_prime_3072 sets `*ret` to the 3072-bit MODP group from RFC +// 3526 and returns `ret`. If `ret` is NULL then a fresh `BIGNUM` is allocated // and returned. It returns NULL on allocation failure. The generator for this // group is 2. OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *ret); -// BN_get_rfc3526_prime_4096 sets |*ret| to the 4096-bit MODP group from RFC -// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated +// BN_get_rfc3526_prime_4096 sets `*ret` to the 4096-bit MODP group from RFC +// 3526 and returns `ret`. If `ret` is NULL then a fresh `BIGNUM` is allocated // and returned. It returns NULL on allocation failure. The generator for this // group is 2. 
OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *ret); -// BN_get_rfc3526_prime_6144 sets |*ret| to the 6144-bit MODP group from RFC -// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated +// BN_get_rfc3526_prime_6144 sets `*ret` to the 6144-bit MODP group from RFC +// 3526 and returns `ret`. If `ret` is NULL then a fresh `BIGNUM` is allocated // and returned. It returns NULL on allocation failure. The generator for this // group is 2. OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *ret); -// BN_get_rfc3526_prime_8192 sets |*ret| to the 8192-bit MODP group from RFC -// 3526 and returns |ret|. If |ret| is NULL then a fresh |BIGNUM| is allocated +// BN_get_rfc3526_prime_8192 sets `*ret` to the 8192-bit MODP group from RFC +// 3526 and returns `ret`. If `ret` is NULL then a fresh `BIGNUM` is allocated // and returned. It returns NULL on allocation failure. The generator for this // group is 2. OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *ret); 
@@ -155,12 +155,12 @@ OPENSSL_EXPORT BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *ret); #define DH_GENERATOR_5 5 // DH_generate_parameters_ex generates a suitable Diffie-Hellman group with a -// prime that is |prime_bits| long and stores it in |dh|. The generator of the -// group will be |generator|, which should be |DH_GENERATOR_2| unless there's a -// good reason to use a different value. The |cb| argument contains a callback +// prime that is `prime_bits` long and stores it in `dh`. The generator of the +// group will be `generator`, which should be `DH_GENERATOR_2` unless there's a +// good reason to use a different value. The `cb` argument contains a callback // function that will be called during the generation. See the documentation in -// |bn.h| about this. In addition to the callback invocations from |BN|, |cb| -// will also be called with |event| equal to three when the generation is +// `bn.h` about this. In addition to the callback invocations from `BN`, `cb` +// will also be called with `event` equal to three when the generation is // complete. OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits, int generator, BN_GENCB *cb); 
@@ -169,43 +169,43 @@ OPENSSL_EXPORT int DH_generate_parameters_ex(DH *dh, int prime_bits, // Diffie-Hellman operations. // DH_generate_key generates a new, random, private key and stores it in -// |dh|, if |dh| does not already have a private key. Otherwise, it updates -// |dh|'s public key to match the private key. It returns one on success and +// `dh`, if `dh` does not already have a private key. Otherwise, it updates +// `dh`'s public key to match the private key. It returns one on success and // zero on error. OPENSSL_EXPORT int DH_generate_key(DH *dh); -// DH_compute_key_padded calculates the shared key between |dh| and |peers_key| -// and writes it as a big-endian integer into |out|, padded up to |DH_size| -// bytes. It returns the number of bytes written, which is always |DH_size|, or -// a negative number on error. |out| must have |DH_size| bytes of space. +// DH_compute_key_padded calculates the shared key between `dh` and `peers_key` +// and writes it as a big-endian integer into `out`, padded up to `DH_size` +// bytes. It returns the number of bytes written, which is always `DH_size`, or +// a negative number on error. `out` must have `DH_size` bytes of space. // // WARNING: this differs from the usual BoringSSL return-value convention. // -// Note this function differs from |DH_compute_key| in that it preserves leading +// Note this function differs from `DH_compute_key` in that it preserves leading // zeros in the secret. This function is the preferred variant. It matches PKCS // #3 and avoids some side channel attacks. However, the two functions are not // drop-in replacements for each other. Using a different variant than the // application expects will result in sporadic key mismatches. // // Callers that expect a fixed-width secret should use this function over -// |DH_compute_key|. Callers that use either function should migrate to a modern +// `DH_compute_key`. 
Callers that use either function should migrate to a modern // primitive such as X25519 or ECDH with P-256 instead. // -// This function does not mutate |dh| for thread-safety purposes and may be used +// This function does not mutate `dh` for thread-safety purposes and may be used // concurrently. OPENSSL_EXPORT int DH_compute_key_padded(uint8_t *out, const BIGNUM *peers_key, DH *dh); -// DH_compute_key_hashed calculates the shared key between |dh| and |peers_key| -// and hashes it with the given |digest|. If the hash output is less than -// |max_out_len| bytes then it writes the hash output to |out| and sets -// |*out_len| to the number of bytes written. Otherwise it signals an error. It +// DH_compute_key_hashed calculates the shared key between `dh` and `peers_key` +// and hashes it with the given `digest`. If the hash output is less than +// `max_out_len` bytes then it writes the hash output to `out` and sets +// `*out_len` to the number of bytes written. Otherwise it signals an error. It // returns one on success or zero on error. // // NOTE: this follows the usual BoringSSL return-value convention, but that's -// different from |DH_compute_key| and |DH_compute_key_padded|. +// different from `DH_compute_key` and `DH_compute_key_padded`. // -// This function does not mutate |dh| for thread-safety purposes and may be used +// This function does not mutate `dh` for thread-safety purposes and may be used // concurrently. OPENSSL_EXPORT int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, size_t max_out_len, 
@@ -226,9 +226,9 @@ OPENSSL_EXPORT int DH_compute_key_hashed(DH *dh, uint8_t *out, size_t *out_len, #define DH_NOT_SUITABLE_GENERATOR DH_CHECK_NOT_SUITABLE_GENERATOR #define DH_UNABLE_TO_CHECK_GENERATOR DH_CHECK_UNABLE_TO_CHECK_GENERATOR -// DH_check checks the suitability of |dh| as a Diffie-Hellman group. and sets -// |DH_CHECK_*| flags in |*out_flags| if it finds any errors. It returns one if -// |*out_flags| was successfully set and zero on error. +// DH_check checks the suitability of `dh` as a Diffie-Hellman group. and sets +// `DH_CHECK_*` flags in `*out_flags` if it finds any errors. It returns one if +// `*out_flags` was successfully set and zero on error. // // Note: these checks may be quite computationally expensive. OPENSSL_EXPORT int DH_check(const DH *dh, int *out_flags); 
@@ -237,73 +237,73 @@ OPENSSL_EXPORT int DH_check(const DH *dh, int *out_flags); #define DH_CHECK_PUBKEY_TOO_LARGE 0x2 #define DH_CHECK_PUBKEY_INVALID 0x4 -// DH_check_pub_key checks the suitability of |pub_key| as a public key for the -// DH group in |dh| and sets |DH_CHECK_PUBKEY_*| flags in |*out_flags| if it -// finds any errors. It returns one if |*out_flags| was successfully set and +// DH_check_pub_key checks the suitability of `pub_key` as a public key for the +// DH group in `dh` and sets `DH_CHECK_PUBKEY_*` flags in `*out_flags` if it +// finds any errors. It returns one if `*out_flags` was successfully set and // zero on error. OPENSSL_EXPORT int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *out_flags); -// DHparams_dup allocates a fresh |DH| and copies the parameters from |dh| into -// it. It returns the new |DH| or NULL on error. +// DHparams_dup allocates a fresh `DH` and copies the parameters from `dh` into +// it. It returns the new `DH` or NULL on error. OPENSSL_EXPORT DH *DHparams_dup(const DH *dh); // ASN.1 functions. // DH_parse_parameters decodes a DER-encoded DHParameter structure (PKCS #3) -// from |cbs| and advances |cbs|. It returns a newly-allocated |DH| or NULL on +// from `cbs` and advances `cbs`. It returns a newly-allocated `DH` or NULL on // error. OPENSSL_EXPORT DH *DH_parse_parameters(CBS *cbs); -// DH_marshal_parameters marshals |dh| as a DER-encoded DHParameter structure -// (PKCS #3) and appends the result to |cbb|. It returns one on success and zero +// DH_marshal_parameters marshals `dh` as a DER-encoded DHParameter structure +// (PKCS #3) and appends the result to `cbb`. It returns one on success and zero // on error. OPENSSL_EXPORT int DH_marshal_parameters(CBB *cbb, const DH *dh); // Deprecated functions. -// DH_generate_parameters behaves like |DH_generate_parameters_ex|, which is +// DH_generate_parameters behaves like `DH_generate_parameters_ex`, which is // what you should use instead. 
It returns NULL on error, or a newly-allocated -// |DH| on success. This function is provided for compatibility only. +// `DH` on success. This function is provided for compatibility only. OPENSSL_EXPORT DH *DH_generate_parameters(int prime_len, int generator, void (*callback)(int, int, void *), void *cb_arg); -// d2i_DHparams parses a DER-encoded DHParameter structure (PKCS #3) from |len| -// bytes at |*inp|, as in |d2i_SAMPLE|. +// d2i_DHparams parses a DER-encoded DHParameter structure (PKCS #3) from `len` +// bytes at `*inp`, as in `d2i_SAMPLE`. // -// Use |DH_parse_parameters| instead. +// Use `DH_parse_parameters` instead. OPENSSL_EXPORT DH *d2i_DHparams(DH **ret, const unsigned char **inp, long len); -// i2d_DHparams marshals |in| to a DER-encoded DHParameter structure (PKCS #3), -// as described in |i2d_SAMPLE|. +// i2d_DHparams marshals `in` to a DER-encoded DHParameter structure (PKCS #3), +// as described in `i2d_SAMPLE`. // -// Use |DH_marshal_parameters| instead. +// Use `DH_marshal_parameters` instead. OPENSSL_EXPORT int i2d_DHparams(const DH *in, unsigned char **outp); -// DH_compute_key behaves like |DH_compute_key_padded| but, contrary to PKCS #3, +// DH_compute_key behaves like `DH_compute_key_padded` but, contrary to PKCS #3, // returns a variable-length shared key with leading zeros. It returns the -// number of bytes written, or a negative number on error. |out| must have -// |DH_size| bytes of space. +// number of bytes written, or a negative number on error. `out` must have +// `DH_size` bytes of space. // // WARNING: this differs from the usual BoringSSL return-value convention. // // Note this function's running time and memory access pattern leaks information -// about the shared secret. Particularly if |dh| is reused, this may result in +// about the shared secret. Particularly if `dh` is reused, this may result in // side channel attacks such as https://raccoon-attack.com/. 
// -// |DH_compute_key_padded| is the preferred variant and avoids the above +// `DH_compute_key_padded` is the preferred variant and avoids the above // attacks. However, the two functions are not drop-in replacements for each // other. Using a different variant than the application expects will result in // sporadic key mismatches. // -// Callers that expect a fixed-width secret should use |DH_compute_key_padded| +// Callers that expect a fixed-width secret should use `DH_compute_key_padded` // instead. Callers that use either function should migrate to a modern // primitive such as X25519 or ECDH with P-256 instead. // -// This function does not mutate |dh| for thread-safety purposes and may be used +// This function does not mutate `dh` for thread-safety purposes and may be used // concurrently. OPENSSL_EXPORT int DH_compute_key(uint8_t *out, const BIGNUM *peers_key, DH *dh); diff --git a/third_party/boringssl/src/include/openssl/digest.h b/third_party/boringssl/src/include/openssl/digest.h index 62ad5736..a81c2a41 100644 --- a/third_party/boringssl/src/include/openssl/digest.h +++ b/third_party/boringssl/src/include/openssl/digest.h @@ -31,7 +31,7 @@ extern "C" { // Hash algorithms. // -// The following functions return |EVP_MD| objects that implement the named hash +// The following functions return `EVP_MD` objects that implement the named hash // function. OPENSSL_EXPORT const EVP_MD *EVP_md4(void); 
@@ -44,15 +44,15 @@ OPENSSL_EXPORT const EVP_MD *EVP_sha512(void); OPENSSL_EXPORT const EVP_MD *EVP_sha512_256(void); OPENSSL_EXPORT const EVP_MD *EVP_blake2b256(void); -// EVP_md5_sha1 is a TLS-specific |EVP_MD| which computes the concatenation of +// EVP_md5_sha1 is a TLS-specific `EVP_MD` which computes the concatenation of // MD5 and SHA-1, as used in TLS 1.1 and below. OPENSSL_EXPORT const EVP_MD *EVP_md5_sha1(void); -// EVP_get_digestbynid returns an |EVP_MD| for the given NID, or NULL if no +// EVP_get_digestbynid returns an `EVP_MD` for the given NID, or NULL if no // such digest is known. OPENSSL_EXPORT const EVP_MD *EVP_get_digestbynid(int nid); -// EVP_get_digestbyobj returns an |EVP_MD| for the given |ASN1_OBJECT|, or NULL +// EVP_get_digestbyobj returns an `EVP_MD` for the given `ASN1_OBJECT`, or NULL // if no such digest is known. OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj); 
@@ -62,56 +62,61 @@ OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *obj); // An EVP_MD_CTX represents the state of a specific digest operation in // progress. -// EVP_MD_CTX_init initialises an, already allocated, |EVP_MD_CTX|. This is the -// same as setting the structure to zero. +// EVP_MD_CTX_init sets an uninitialized `EVP_MD_CTX` to the zero state. This +// is the same as setting the structure to zero. +// +// This function is used for initializing uninitialized memory in an +// `EVP_MD_CTX`, e.g. if it is declared as a local variable on the stack. This +// function should not be used on objects that have already been initialized. OPENSSL_EXPORT void EVP_MD_CTX_init(EVP_MD_CTX *ctx); -// EVP_MD_CTX_new allocates and initialises a fresh |EVP_MD_CTX| and returns -// it, or NULL on allocation failure. The caller must use |EVP_MD_CTX_free| to -// release the resulting object. +// EVP_MD_CTX_new returns a newly-allocated `EVP_MD_CTX` in the zero state, or +// NULL on allocation failure. The caller must use `EVP_MD_CTX_free` to release +// the resulting object. OPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_new(void); -// EVP_MD_CTX_cleanup frees any resources owned by |ctx| and resets it to a -// freshly initialised state. It does not free |ctx| itself. It returns one. +// EVP_MD_CTX_cleanup frees any resources owned by `ctx` and resets it to the +// zero state. It does not free `ctx` itself. It returns one. OPENSSL_EXPORT int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx); -// EVP_MD_CTX_cleanse zeros the digest state in |ctx| and then performs the -// actions of |EVP_MD_CTX_cleanup|. Note that some |EVP_MD_CTX| objects contain -// more than just a digest (e.g. those resulting from |EVP_DigestSignInit|) but +// EVP_MD_CTX_cleanse zeros the digest state in `ctx` and then performs the +// actions of `EVP_MD_CTX_cleanup`. Note that some `EVP_MD_CTX` objects contain +// more than just a digest (e.g. 
those resulting from `EVP_DigestSignInit`) but // this function does not zero out more than just the digest state even in that // case. OPENSSL_EXPORT void EVP_MD_CTX_cleanse(EVP_MD_CTX *ctx); -// EVP_MD_CTX_free calls |EVP_MD_CTX_cleanup| and then frees |ctx| itself. +// EVP_MD_CTX_free calls `EVP_MD_CTX_cleanup` and then frees `ctx` itself. OPENSSL_EXPORT void EVP_MD_CTX_free(EVP_MD_CTX *ctx); -// EVP_MD_CTX_copy_ex sets |out|, which must already be initialised, to be a -// copy of |in|. It returns one on success and zero on allocation failure. +// EVP_MD_CTX_copy_ex sets `out` to be a copy of `in`. It returns one on success +// and zero on allocation failure. `out` must have been previously initialized, +// e.g. with `EVP_MD_CTX_init` or `EVP_MD_CTX_new`. OPENSSL_EXPORT int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); -// EVP_MD_CTX_move sets |out|, which must already be initialised, to the hash -// state in |in|. |in| is mutated and left in an empty state. +// EVP_MD_CTX_move sets `out`, which must already be initialised, to the hash +// state in `in`. `in` is mutated and left in an empty state. OPENSSL_EXPORT void EVP_MD_CTX_move(EVP_MD_CTX *out, EVP_MD_CTX *in); -// EVP_MD_CTX_reset calls |EVP_MD_CTX_cleanup| followed by |EVP_MD_CTX_init|. It +// EVP_MD_CTX_reset calls `EVP_MD_CTX_cleanup` followed by `EVP_MD_CTX_init`. It // returns one. OPENSSL_EXPORT int EVP_MD_CTX_reset(EVP_MD_CTX *ctx); // Digest operations. -// EVP_DigestInit_ex configures |ctx|, which must already have been -// initialised, for a fresh hashing operation using |type|. It returns one on -// success and zero on allocation failure. +// EVP_DigestInit_ex configures `ctx`, whose memory must already have been +// initialised (e.g. with `EVP_MD_CTX_init` or `EVP_MD_CTX_new`), for a fresh +// hashing operation using `type`. It returns one on success and zero on +// allocation failure. 
+// +// This function may be used to reconfigure an `EVP_MD_CTX` that was previously +// used for another operation. OPENSSL_EXPORT int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *engine); -// EVP_DigestInit acts like |EVP_DigestInit_ex| except that |ctx| is -// initialised before use. -OPENSSL_EXPORT int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); - -// EVP_DigestUpdate hashes |len| bytes from |data| into the hashing operation -// in |ctx|. It returns one. +// EVP_DigestUpdate hashes `len` bytes from `data` into the hashing operation +// in `ctx`. It returns one. OPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); 
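Review bot: The `EVP_DigestInit` declaration is removed from the "Digest operations" section in this hunk, and nothing visible here shows whether it is declared again further down the header (presumably upstream moved it rather than deleted it, but that is outside the hunk). Because this is vendored BoringSSL the header should stay as upstream ships it, so the check belongs on the consuming side: confirm that the project's own C sources and the symbol list behind the generated Dart bindings do not still rely on `EVP_DigestInit` being declared here. The rewritten comments also tighten the contract for callers: `EVP_DigestInit_ex` now explicitly requires memory that was already initialised, and `EVP_MD_CTX_init` must not be applied to an object that is already initialised. Any local caller with a stack-allocated context should therefore follow the pattern `EVP_MD_CTX_init(&ctx);` then `EVP_DigestInit_ex(&ctx, md, NULL);`, and release it with `EVP_MD_CTX_cleanup(&ctx);` rather than calling `EVP_MD_CTX_init` a second time.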
@@ -124,24 +129,24 @@ OPENSSL_EXPORT int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, // bytes. #define EVP_MAX_MD_BLOCK_SIZE 128 // SHA-512 is the longest so far. -// EVP_DigestFinal_ex finishes the digest in |ctx| and writes the output to -// |md_out|. |EVP_MD_CTX_size| bytes are written, which is at most -// |EVP_MAX_MD_SIZE|. If |out_size| is not NULL then |*out_size| is set to the +// EVP_DigestFinal_ex finishes the digest in `ctx` and writes the output to +// `md_out`. `EVP_MD_CTX_size` bytes are written, which is at most +// `EVP_MAX_MD_SIZE`. If `out_size` is not NULL then `*out_size` is set to the // number of bytes written. It returns one. After this call, the hash cannot be -// updated or finished again until |EVP_DigestInit_ex| is called to start +// updated or finished again until `EVP_DigestInit_ex` is called to start // another hashing operation. OPENSSL_EXPORT int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, uint8_t *md_out, unsigned int *out_size); -// EVP_DigestFinal acts like |EVP_DigestFinal_ex| except that -// |EVP_MD_CTX_cleanup| is called on |ctx| before returning. +// EVP_DigestFinal acts like `EVP_DigestFinal_ex` except that +// `EVP_MD_CTX_cleanup` is called on `ctx` before returning. OPENSSL_EXPORT int EVP_DigestFinal(EVP_MD_CTX *ctx, uint8_t *md_out, unsigned int *out_size); -// EVP_Digest performs a complete hashing operation in one call. It hashes |len| -// bytes from |data| and writes the digest to |md_out|. |EVP_MD_CTX_size| bytes -// are written, which is at most |EVP_MAX_MD_SIZE|. If |out_size| is not NULL -// then |*out_size| is set to the number of bytes written. It returns one on +// EVP_Digest performs a complete hashing operation in one call. It hashes `len` +// bytes from `data` and writes the digest to `md_out`. `EVP_MD_CTX_size` bytes +// are written, which is at most `EVP_MAX_MD_SIZE`. If `out_size` is not NULL +// then `*out_size` is set to the number of bytes written. It returns one on // success and zero otherwise. 
OPENSSL_EXPORT int EVP_Digest(const void *data, size_t len, uint8_t *md_out, unsigned int *md_out_size, const EVP_MD *type, @@ -153,17 +158,17 @@ OPENSSL_EXPORT int EVP_Digest(const void *data, size_t len, uint8_t *md_out, // These functions allow code to learn details about an abstract hash // function. -// EVP_MD_type returns a NID identifying |md|. (For example, |NID_sha256|.) +// EVP_MD_type returns a NID identifying `md`. (For example, `NID_sha256`.) OPENSSL_EXPORT int EVP_MD_type(const EVP_MD *md); -// EVP_MD_flags returns the flags for |md|, which is a set of |EVP_MD_FLAG_*| +// EVP_MD_flags returns the flags for `md`, which is a set of `EVP_MD_FLAG_*` // values, ORed together. OPENSSL_EXPORT uint32_t EVP_MD_flags(const EVP_MD *md); -// EVP_MD_size returns the digest size of |md|, in bytes. +// EVP_MD_size returns the digest size of `md`, in bytes. OPENSSL_EXPORT size_t EVP_MD_size(const EVP_MD *md); -// EVP_MD_block_size returns the native block-size of |md|, in bytes. +// EVP_MD_block_size returns the native block-size of `md`, in bytes. OPENSSL_EXPORT size_t EVP_MD_block_size(const EVP_MD *md); // EVP_MD_FLAG_DIGALGID_ABSENT indicates that the parameter type in an X.509 @@ -173,7 +178,7 @@ OPENSSL_EXPORT size_t EVP_MD_block_size(const EVP_MD *md); // EVP_MD_FLAG_XOF indicates that the digest is an extensible-output function // (XOF). This flag is defined for compatibility and will never be set in any -// |EVP_MD| in BoringSSL. +// `EVP_MD` in BoringSSL. #define EVP_MD_FLAG_XOF 4 
@@ -184,26 +189,26 @@ OPENSSL_EXPORT size_t EVP_MD_block_size(const EVP_MD *md); OPENSSL_EXPORT const EVP_MD *EVP_MD_CTX_get0_md(const EVP_MD_CTX *ctx); // EVP_MD_CTX_md returns the underlying digest function, or NULL if one has not -// been set. (This is the same as |EVP_MD_CTX_get0_md| but OpenSSL has +// been set. (This is the same as `EVP_MD_CTX_get0_md` but OpenSSL has // deprecated this spelling.) OPENSSL_EXPORT const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); -// EVP_MD_CTX_size returns the digest size of |ctx|, in bytes. It -// will crash if a digest hasn't been set on |ctx|. +// EVP_MD_CTX_size returns the digest size of `ctx`, in bytes. It +// will crash if a digest hasn't been set on `ctx`. OPENSSL_EXPORT size_t EVP_MD_CTX_size(const EVP_MD_CTX *ctx); // EVP_MD_CTX_block_size returns the block size of the digest function used by -// |ctx|, in bytes. It will crash if a digest hasn't been set on |ctx|. +// `ctx`, in bytes. It will crash if a digest hasn't been set on `ctx`. OPENSSL_EXPORT size_t EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx); -// EVP_MD_CTX_type returns a NID describing the digest function used by |ctx|. -// (For example, |NID_sha256|.) It will crash if a digest hasn't been set on -// |ctx|. +// EVP_MD_CTX_type returns a NID describing the digest function used by `ctx`. +// (For example, `NID_sha256`.) It will crash if a digest hasn't been set on +// `ctx`. OPENSSL_EXPORT int EVP_MD_CTX_type(const EVP_MD_CTX *ctx); -// EVP_MD_CTX_pkey_ctx returns the |EVP_PKEY_CTX| used to configure additional -// parameters on |ctx| if |ctx| is used for a sign or verify operation with -// |EVP_DigestSignInit| or |EVP_DigestVerifyInit|. It returns NULL otherwise. +// EVP_MD_CTX_pkey_ctx returns the `EVP_PKEY_CTX` used to configure additional +// parameters on `ctx` if `ctx` is used for a sign or verify operation with +// `EVP_DigestSignInit` or `EVP_DigestVerifyInit`. It returns NULL otherwise. 
OPENSSL_EXPORT EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); @@ -214,19 +219,19 @@ OPENSSL_EXPORT EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); // EVP_parse_digest_algorithm parses an AlgorithmIdentifier structure containing // a hash function OID (for example, 2.16.840.1.101.3.4.2.1 is SHA-256) and -// advances |cbs|. The parameters field may either be omitted or a NULL. It +// advances `cbs`. The parameters field may either be omitted or a NULL. It // returns the digest function or NULL on error. OPENSSL_EXPORT const EVP_MD *EVP_parse_digest_algorithm(CBS *cbs); -// EVP_parse_digest_algorithm_nid behaves like |EVP_parse_digest_algorithm| -// except it returns |NID_undef| on error and some other value on success. This +// EVP_parse_digest_algorithm_nid behaves like `EVP_parse_digest_algorithm` +// except it returns `NID_undef` on error and some other value on success. This // may be used to avoid depending on every digest algorithm in the library. OPENSSL_EXPORT int EVP_parse_digest_algorithm_nid(CBS *cbs); -// EVP_marshal_digest_algorithm marshals |md| as an AlgorithmIdentifier -// structure and appends the result to |cbb|. It returns one on success and zero +// EVP_marshal_digest_algorithm marshals `md` as an AlgorithmIdentifier +// structure and appends the result to `cbb`. It returns one on success and zero // on error. It sets the parameters field to NULL. Use -// |EVP_marshal_digest_algorithm_no_params| to omit the parameters instead. +// `EVP_marshal_digest_algorithm_no_params` to omit the parameters instead. // // In general, the parameters should be omitted for digest algorithms, but the // following specifications require a NULL parameter instead. 
@@ -241,23 +246,47 @@ OPENSSL_EXPORT int EVP_parse_digest_algorithm_nid(CBS *cbs); OPENSSL_EXPORT int EVP_marshal_digest_algorithm(CBB *cbb, const EVP_MD *md); // EVP_marshal_digest_algorithm_no_params behaves like -// |EVP_marshal_digest_algorithm| but omits the parameters field. +// `EVP_marshal_digest_algorithm` but omits the parameters field. OPENSSL_EXPORT int EVP_marshal_digest_algorithm_no_params(CBB *cbb, const EVP_MD *md); // Deprecated functions. -// EVP_MD_CTX_copy sets |out|, which must /not/ be initialised, to be a copy of -// |in|. It returns one on success and zero on error. +// EVP_DigestInit calls `EVP_MD_CTX_init`, followed by `EVP_DigestInit_ex`. +// +// `EVP_MD_CTX_init` is used for initializing uninitialized memory in an +// `EVP_MD_CTX`, e.g. if it is declared as a local variable on the stack. Thus +// this function should not be used on objects that have already been +// initialized. +// +// WARNING: This differs from OpenSSL 1.1.x, where `EVP_DigestInit` and +// `EVP_DigestInit_ex` are largely equivalent. This difference is because +// BoringSSL, like OpenSSL 1.0.x, still supports stack-allocating `EVP_MD_CTX`. +// Implementing the OpenSSL 1.1.x semantics would introduce uninitialized reads +// in those callers. +OPENSSL_EXPORT int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); + +// EVP_MD_CTX_copy calls `EVP_MD_CTX_init`, followed by `EVP_MD_CTX_copy_ex`. +// +// `EVP_MD_CTX_init` is used for initializing uninitialized memory in an +// `EVP_MD_CTX`, e.g. if it is declared as a local variable on the stack. Thus +// this function should not be used on objects that have already been +// initialized. +// +// WARNING: This differs from OpenSSL 1.1.x, where `EVP_MD_CTX_copy` and +// |EVP_MD_CTX_copy_ex| are largely equivalent. This difference is because +// BoringSSL, like OpenSSL 1.0.x, still supports stack-allocating `EVP_MD_CTX`. +// Implementing the OpenSSL 1.1.x semantics would introduce uninitialized reads +// in those callers. 
OPENSSL_EXPORT int EVP_MD_CTX_copy(EVP_MD_CTX *out, const EVP_MD_CTX *in); // EVP_add_digest does nothing and returns one. It exists only for // compatibility with OpenSSL. OPENSSL_EXPORT int EVP_add_digest(const EVP_MD *digest); -// EVP_get_digestbyname returns an |EVP_MD| given a human readable name in -// |name|, or NULL if the name is unknown. +// EVP_get_digestbyname returns an `EVP_MD` given a human readable name in +// `name`, or NULL if the name is unknown. OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyname(const char *name); // EVP_dss1 returns the value of EVP_sha1(). This was provided by OpenSSL to @@ -266,10 +295,10 @@ OPENSSL_EXPORT const EVP_MD *EVP_get_digestbyname(const char *name); // interface will always fail. OPENSSL_EXPORT const EVP_MD *EVP_dss1(void); -// EVP_MD_CTX_create calls |EVP_MD_CTX_new|. +// EVP_MD_CTX_create calls `EVP_MD_CTX_new`. OPENSSL_EXPORT EVP_MD_CTX *EVP_MD_CTX_create(void); -// EVP_MD_CTX_destroy calls |EVP_MD_CTX_free|. +// EVP_MD_CTX_destroy calls `EVP_MD_CTX_free`. OPENSSL_EXPORT void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); // EVP_DigestFinalXOF returns zero and adds an error to the error queue. @@ -277,7 +306,7 @@ OPENSSL_EXPORT void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx); OPENSSL_EXPORT int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, uint8_t *out, size_t len); -// EVP_MD_meth_get_flags calls |EVP_MD_flags|. +// EVP_MD_meth_get_flags calls `EVP_MD_flags`. OPENSSL_EXPORT uint32_t EVP_MD_meth_get_flags(const EVP_MD *md); // EVP_MD_CTX_set_flags does nothing. 
@@ -289,23 +318,23 @@ OPENSSL_EXPORT void EVP_MD_CTX_set_flags(EVP_MD_CTX *ctx, int flags); // their needs). Thus this exists only to allow code to compile. #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW 0 -// EVP_MD_nid calls |EVP_MD_type|. +// EVP_MD_nid calls `EVP_MD_type`. OPENSSL_EXPORT int EVP_MD_nid(const EVP_MD *md); -// EVP_MD_fetch behaves like |EVP_get_digestbyname|. |libctx| and |propq| are -// ignored. Although it returns a non-const pointer, |EVP_MD|s in BoringSSL are +// EVP_MD_fetch behaves like `EVP_get_digestbyname`. `libctx` and `propq` are +// ignored. Although it returns a non-const pointer, `EVP_MD`s in BoringSSL are // static and do not need to be freed. OPENSSL_EXPORT EVP_MD *EVP_MD_fetch(OSSL_LIB_CTX *libctx, const char *name, const char *propq); -// EVP_MD_up_ref returns one. |EVP_MD|s in BoringSSL are static. +// EVP_MD_up_ref returns one. `EVP_MD`s in BoringSSL are static. OPENSSL_EXPORT int EVP_MD_up_ref(EVP_MD *md); -// EVP_MD_free does nothing. |EVP_MD|s in BoringSSL are static. +// EVP_MD_free does nothing. `EVP_MD`s in BoringSSL are static. OPENSSL_EXPORT void EVP_MD_free(EVP_MD *md); -// EVP_Q_digest behaves like |EVP_Digest| but specifies the digest by a string -// |name|. |libctx| and |propq| are ignored. +// EVP_Q_digest behaves like `EVP_Digest` but specifies the digest by a string +// `name`. `libctx` and `propq` are ignored. OPENSSL_EXPORT int EVP_Q_digest(OSSL_LIB_CTX *libctx, const char *name, const char *propq, const void *in, size_t in_len, uint8_t *out, size_t *out_len); @@ -337,7 +366,7 @@ struct env_md_ctx_st { EVP_PKEY_CTX *pctx; // pctx_ops, if not NULL, points to a vtable that contains functions to - // manipulate |pctx|. + // manipulate `pctx`. const struct evp_md_pctx_ops *pctx_ops; } /* EVP_MD_CTX */; diff --git a/third_party/boringssl/src/include/openssl/dsa.h b/third_party/boringssl/src/include/openssl/dsa.h index 9b502861..fff5b768 100644 --- a/third_party/boringssl/src/include/openssl/dsa.h 
+++ b/third_party/boringssl/src/include/openssl/dsa.h @@ -34,21 +34,21 @@ extern "C" { // Allocation and destruction. // -// A |DSA| object represents a DSA key or group parameters. A given object may +// A `DSA` object represents a DSA key or group parameters. A given object may // be used concurrently on multiple threads by non-mutating functions, provided // no other thread is concurrently calling a mutating function. Unless otherwise -// documented, functions which take a |const| pointer are non-mutating and -// functions which take a non-|const| pointer are mutating. +// documented, functions which take a `const` pointer are non-mutating and +// functions which take a non-`const` pointer are mutating. // DSA_new returns a new, empty DSA object or NULL on error. OPENSSL_EXPORT DSA *DSA_new(void); -// DSA_free decrements the reference count of |dsa| and frees it if the +// DSA_free decrements the reference count of `dsa` and frees it if the // reference count drops to zero. OPENSSL_EXPORT void DSA_free(DSA *dsa); -// DSA_up_ref increments the reference count of |dsa| and returns one. It does -// not mutate |dsa| for thread-safety purposes and may be used concurrently. +// DSA_up_ref increments the reference count of `dsa` and returns one. It does +// not mutate `dsa` for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int DSA_up_ref(DSA *dsa); 
@@ -58,49 +58,49 @@ OPENSSL_EXPORT int DSA_up_ref(DSA *dsa); // bits. #define OPENSSL_DSA_MAX_MODULUS_BITS 8192 -// DSA_bits returns the size of |dsa|'s group modulus, in bits. +// DSA_bits returns the size of `dsa`'s group modulus, in bits. OPENSSL_EXPORT unsigned DSA_bits(const DSA *dsa); -// DSA_get0_pub_key returns |dsa|'s public key. +// DSA_get0_pub_key returns `dsa`'s public key. OPENSSL_EXPORT const BIGNUM *DSA_get0_pub_key(const DSA *dsa); -// DSA_get0_priv_key returns |dsa|'s private key, or NULL if |dsa| is a public +// DSA_get0_priv_key returns `dsa`'s private key, or NULL if `dsa` is a public // key. OPENSSL_EXPORT const BIGNUM *DSA_get0_priv_key(const DSA *dsa); -// DSA_get0_p returns |dsa|'s group modulus. +// DSA_get0_p returns `dsa`'s group modulus. OPENSSL_EXPORT const BIGNUM *DSA_get0_p(const DSA *dsa); -// DSA_get0_q returns the size of |dsa|'s subgroup. +// DSA_get0_q returns the size of `dsa`'s subgroup. OPENSSL_EXPORT const BIGNUM *DSA_get0_q(const DSA *dsa); -// DSA_get0_g returns |dsa|'s group generator. +// DSA_get0_g returns `dsa`'s group generator. OPENSSL_EXPORT const BIGNUM *DSA_get0_g(const DSA *dsa); -// DSA_get0_key sets |*out_pub_key| and |*out_priv_key|, if non-NULL, to |dsa|'s -// public and private key, respectively. If |dsa| is a public key, the private +// DSA_get0_key sets `*out_pub_key` and `*out_priv_key`, if non-NULL, to `dsa`'s +// public and private key, respectively. If `dsa` is a public key, the private // key will be set to NULL. OPENSSL_EXPORT void DSA_get0_key(const DSA *dsa, const BIGNUM **out_pub_key, const BIGNUM **out_priv_key); -// DSA_get0_pqg sets |*out_p|, |*out_q|, and |*out_g|, if non-NULL, to |dsa|'s +// DSA_get0_pqg sets `*out_p`, `*out_q`, and `*out_g`, if non-NULL, to `dsa`'s // p, q, and g parameters, respectively. 
OPENSSL_EXPORT void DSA_get0_pqg(const DSA *dsa, const BIGNUM **out_p, const BIGNUM **out_q, const BIGNUM **out_g); -// DSA_set0_key sets |dsa|'s public and private key to |pub_key| and |priv_key|, +// DSA_set0_key sets `dsa`'s public and private key to `pub_key` and `priv_key`, // respectively, if non-NULL. On success, it takes ownership of each argument // and returns one. Otherwise, it returns zero. // -// |priv_key| may be NULL, but |pub_key| must either be non-NULL or already -// configured on |dsa|. +// `priv_key` may be NULL, but `pub_key` must either be non-NULL or already +// configured on `dsa`. OPENSSL_EXPORT int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key); -// DSA_set0_pqg sets |dsa|'s parameters to |p|, |q|, and |g|, if non-NULL, and +// DSA_set0_pqg sets `dsa`'s parameters to `p`, `q`, and `g`, if non-NULL, and // takes ownership of them. On success, it takes ownership of each argument and // returns one. Otherwise, it returns zero. // -// Each argument must either be non-NULL or already configured on |dsa|. +// Each argument must either be non-NULL or already configured on `dsa`. OPENSSL_EXPORT int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g); 
@@ -110,17 +110,17 @@ OPENSSL_EXPORT int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g); // the procedure given in FIPS 186-4, appendix A. // (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf) // -// The larger prime will have a length of |bits| (e.g. 2048). The |seed| value +// The larger prime will have a length of `bits` (e.g. 2048). The `seed` value // allows others to generate and verify the same parameters and should be -// random input which is kept for reference. If |out_counter| or |out_h| are +// random input which is kept for reference. If `out_counter` or `out_h` are // not NULL then the counter and h value used in the generation are written to // them. // -// The |cb| argument is passed to |BN_generate_prime_ex| and is thus called +// The `cb` argument is passed to `BN_generate_prime_ex` and is thus called // during the generation process in order to indicate progress. See the // comments for that function for details. In addition to the calls made by -// |BN_generate_prime_ex|, |DSA_generate_parameters_ex| will call it with -// |event| equal to 2 and 3 at different stages of the process. +// `BN_generate_prime_ex`, `DSA_generate_parameters_ex` will call it with +// `event` equal to 2 and 3 at different stages of the process. // // It returns one on success and zero otherwise. OPENSSL_EXPORT int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, 
@@ -129,14 +129,14 @@ OPENSSL_EXPORT int DSA_generate_parameters_ex(DSA *dsa, unsigned bits, unsigned long *out_h, BN_GENCB *cb); -// DSAparams_dup returns a freshly allocated |DSA| that contains a copy of the -// parameters from |dsa|. It returns NULL on error. +// DSAparams_dup returns a freshly allocated `DSA` that contains a copy of the +// parameters from `dsa`. It returns NULL on error. OPENSSL_EXPORT DSA *DSAparams_dup(const DSA *dsa); // Key generation. -// DSA_generate_key generates a public/private key pair in |dsa|, which must +// DSA_generate_key generates a public/private key pair in `dsa`, which must // already have parameters setup. It returns one on success and zero on // error. OPENSSL_EXPORT int DSA_generate_key(DSA *dsa); 
@@ -144,49 +144,49 @@ OPENSSL_EXPORT int DSA_generate_key(DSA *dsa); // Signatures. -// DSA_SIG_st (aka |DSA_SIG|) contains a DSA signature as a pair of integers. +// DSA_SIG_st (aka `DSA_SIG`) contains a DSA signature as a pair of integers. struct DSA_SIG_st { BIGNUM *r, *s; }; // DSA_SIG_new returns a freshly allocated, DIG_SIG structure or NULL on error. -// Both |r| and |s| in the signature will be NULL. +// Both `r` and `s` in the signature will be NULL. OPENSSL_EXPORT DSA_SIG *DSA_SIG_new(void); -// DSA_SIG_free frees the contents of |sig| and then frees |sig| itself. +// DSA_SIG_free frees the contents of `sig` and then frees `sig` itself. OPENSSL_EXPORT void DSA_SIG_free(DSA_SIG *sig); -// DSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two components -// of |sig|. +// DSA_SIG_get0 sets `*out_r` and `*out_s`, if non-NULL, to the two components +// of `sig`. OPENSSL_EXPORT void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **out_r, const BIGNUM **out_s); -// DSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may be +// DSA_SIG_set0 sets `sig`'s components to `r` and `s`, neither of which may be // NULL. On success, it takes ownership of each argument and returns one. // Otherwise, it returns zero. OPENSSL_EXPORT int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); -// DSA_do_sign returns a signature of the hash in |digest| by the key in |dsa| +// DSA_do_sign returns a signature of the hash in `digest` by the key in `dsa` // and returns an allocated, DSA_SIG structure, or NULL on error. OPENSSL_EXPORT DSA_SIG *DSA_do_sign(const uint8_t *digest, size_t digest_len, const DSA *dsa); -// DSA_do_verify verifies that |sig| is a valid signature, by the public key in -// |dsa|, of the hash in |digest|. It returns one if so, zero if invalid and -1 +// DSA_do_verify verifies that `sig` is a valid signature, by the public key in +// `dsa`, of the hash in `digest`. It returns one if so, zero if invalid and -1 // on error. 
// // WARNING: do not use. This function returns -1 for error, 0 for invalid and 1 // for valid. However, this is dangerously different to the usual OpenSSL -// convention and could be a disaster if a user did |if (DSA_do_verify(...))|. -// Because of this, |DSA_check_signature| is a safer version of this. +// convention and could be a disaster if a user did `if (DSA_do_verify(...))`. +// Because of this, `DSA_check_signature` is a safer version of this. // // TODO(fork): deprecate. OPENSSL_EXPORT int DSA_do_verify(const uint8_t *digest, size_t digest_len, const DSA_SIG *sig, const DSA *dsa); -// DSA_do_check_signature sets |*out_valid| to zero. Then it verifies that |sig| -// is a valid signature, by the public key in |dsa| of the hash in |digest| -// and, if so, it sets |*out_valid| to one. +// DSA_do_check_signature sets `*out_valid` to zero. Then it verifies that `sig` +// is a valid signature, by the public key in `dsa` of the hash in `digest` +// and, if so, it sets `*out_valid` to one. // // It returns one if it was able to verify the signature as valid or invalid, // and zero on error. 
@@ -198,38 +198,38 @@ OPENSSL_EXPORT int DSA_do_check_signature(int *out_valid, const uint8_t *digest, // ASN.1 signatures. // // These functions also perform DSA signature operations, but deal with ASN.1 -// encoded signatures as opposed to raw |BIGNUM|s. If you don't know what +// encoded signatures as opposed to raw `BIGNUM`s. If you don't know what // encoding a DSA signature is in, it's probably ASN.1. -// DSA_sign signs |digest| with the key in |dsa| and writes the resulting -// signature, in ASN.1 form, to |out_sig| and the length of the signature to -// |*out_siglen|. There must be, at least, |DSA_size(dsa)| bytes of space in -// |out_sig|. It returns one on success and zero otherwise. +// DSA_sign signs `digest` with the key in `dsa` and writes the resulting +// signature, in ASN.1 form, to `out_sig` and the length of the signature to +// `*out_siglen`. There must be, at least, `DSA_size(dsa)` bytes of space in +// `out_sig`. It returns one on success and zero otherwise. // -// (The |type| argument is ignored.) +// (The `type` argument is ignored.) OPENSSL_EXPORT int DSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *out_sig, unsigned int *out_siglen, const DSA *dsa); -// DSA_verify verifies that |sig| is a valid, ASN.1 signature, by the public -// key in |dsa|, of the hash in |digest|. It returns one if so, zero if invalid +// DSA_verify verifies that `sig` is a valid, ASN.1 signature, by the public +// key in `dsa`, of the hash in `digest`. It returns one if so, zero if invalid // and -1 on error. // -// (The |type| argument is ignored.) +// (The `type` argument is ignored.) // // WARNING: do not use. This function returns -1 for error, 0 for invalid and 1 // for valid. However, this is dangerously different to the usual OpenSSL -// convention and could be a disaster if a user did |if (DSA_do_verify(...))|. -// Because of this, |DSA_check_signature| is a safer version of this. 
+// convention and could be a disaster if a user did `if (DSA_do_verify(...))`. +// Because of this, `DSA_check_signature` is a safer version of this. // // TODO(fork): deprecate. OPENSSL_EXPORT int DSA_verify(int type, const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, const DSA *dsa); -// DSA_check_signature sets |*out_valid| to zero. Then it verifies that |sig| -// is a valid, ASN.1 signature, by the public key in |dsa|, of the hash in -// |digest|. If so, it sets |*out_valid| to one. +// DSA_check_signature sets `*out_valid` to zero. Then it verifies that `sig` +// is a valid, ASN.1 signature, by the public key in `dsa`, of the hash in +// `digest`. If so, it sets `*out_valid` to one. // // It returns one if it was able to verify the signature as valid or invalid, // and zero on error. 
@@ -238,60 +238,60 @@ OPENSSL_EXPORT int DSA_check_signature(int *out_valid, const uint8_t *digest, size_t sig_len, const DSA *dsa); // DSA_size returns the size, in bytes, of an ASN.1 encoded, DSA signature -// generated by |dsa|. Parameters must already have been setup in |dsa|. +// generated by `dsa`. Parameters must already have been setup in `dsa`. OPENSSL_EXPORT int DSA_size(const DSA *dsa); // ASN.1 encoding. -// DSA_SIG_parse parses a DER-encoded DSA-Sig-Value structure from |cbs| and -// advances |cbs|. It returns a newly-allocated |DSA_SIG| or NULL on error. +// DSA_SIG_parse parses a DER-encoded DSA-Sig-Value structure from `cbs` and +// advances `cbs`. It returns a newly-allocated `DSA_SIG` or NULL on error. OPENSSL_EXPORT DSA_SIG *DSA_SIG_parse(CBS *cbs); -// DSA_SIG_marshal marshals |sig| as a DER-encoded DSA-Sig-Value and appends the -// result to |cbb|. It returns one on success and zero on error. +// DSA_SIG_marshal marshals `sig` as a DER-encoded DSA-Sig-Value and appends the +// result to `cbb`. It returns one on success and zero on error. OPENSSL_EXPORT int DSA_SIG_marshal(CBB *cbb, const DSA_SIG *sig); -// DSA_parse_public_key parses a DER-encoded DSA public key from |cbs| and -// advances |cbs|. It returns a newly-allocated |DSA| or NULL on error. +// DSA_parse_public_key parses a DER-encoded DSA public key from `cbs` and +// advances `cbs`. It returns a newly-allocated `DSA` or NULL on error. OPENSSL_EXPORT DSA *DSA_parse_public_key(CBS *cbs); -// DSA_marshal_public_key marshals |dsa| as a DER-encoded DSA public key and -// appends the result to |cbb|. It returns one on success and zero on +// DSA_marshal_public_key marshals `dsa` as a DER-encoded DSA public key and +// appends the result to `cbb`. It returns one on success and zero on // failure. OPENSSL_EXPORT int DSA_marshal_public_key(CBB *cbb, const DSA *dsa); -// DSA_parse_private_key parses a DER-encoded DSA private key from |cbs| and -// advances |cbs|. 
It returns a newly-allocated |DSA| or NULL on error. +// DSA_parse_private_key parses a DER-encoded DSA private key from `cbs` and +// advances `cbs`. It returns a newly-allocated `DSA` or NULL on error. OPENSSL_EXPORT DSA *DSA_parse_private_key(CBS *cbs); -// DSA_marshal_private_key marshals |dsa| as a DER-encoded DSA private key and -// appends the result to |cbb|. It returns one on success and zero on +// DSA_marshal_private_key marshals `dsa` as a DER-encoded DSA private key and +// appends the result to `cbb`. It returns one on success and zero on // failure. OPENSSL_EXPORT int DSA_marshal_private_key(CBB *cbb, const DSA *dsa); // DSA_parse_parameters parses a DER-encoded Dss-Parms structure (RFC 3279) -// from |cbs| and advances |cbs|. It returns a newly-allocated |DSA| or NULL on +// from `cbs` and advances `cbs`. It returns a newly-allocated `DSA` or NULL on // error. OPENSSL_EXPORT DSA *DSA_parse_parameters(CBS *cbs); -// DSA_marshal_parameters marshals |dsa| as a DER-encoded Dss-Parms structure -// (RFC 3279) and appends the result to |cbb|. It returns one on success and +// DSA_marshal_parameters marshals `dsa` as a DER-encoded Dss-Parms structure +// (RFC 3279) and appends the result to `cbb`. It returns one on success and // zero on failure. OPENSSL_EXPORT int DSA_marshal_parameters(CBB *cbb, const DSA *dsa); // Conversion. -// DSA_dup_DH returns a |DH| constructed from the parameters of |dsa|. This is +// DSA_dup_DH returns a `DH` constructed from the parameters of `dsa`. This is // sometimes needed when Diffie-Hellman parameters are stored in the form of -// DSA parameters. It returns an allocated |DH| on success or NULL on error. +// DSA parameters. It returns an allocated `DH` on success or NULL on error. OPENSSL_EXPORT DH *DSA_dup_DH(const DSA *dsa); // ex_data functions. // -// See |ex_data.h| for details. +// See `ex_data.h` for details. OPENSSL_EXPORT int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 
@@ -303,57 +303,57 @@ OPENSSL_EXPORT void *DSA_get_ex_data(const DSA *dsa, int idx); // Deprecated functions. -// d2i_DSA_SIG parses a DER-encoded DSA-Sig-Value structure from |len| bytes at -// |*inp|, as described in |d2i_SAMPLE|. +// d2i_DSA_SIG parses a DER-encoded DSA-Sig-Value structure from `len` bytes at +// `*inp`, as described in `d2i_SAMPLE`. // -// Use |DSA_SIG_parse| instead. +// Use `DSA_SIG_parse` instead. OPENSSL_EXPORT DSA_SIG *d2i_DSA_SIG(DSA_SIG **out_sig, const uint8_t **inp, long len); -// i2d_DSA_SIG marshals |in| to a DER-encoded DSA-Sig-Value structure, as -// described in |i2d_SAMPLE|. +// i2d_DSA_SIG marshals `in` to a DER-encoded DSA-Sig-Value structure, as +// described in `i2d_SAMPLE`. // -// Use |DSA_SIG_marshal| instead. +// Use `DSA_SIG_marshal` instead. OPENSSL_EXPORT int i2d_DSA_SIG(const DSA_SIG *in, uint8_t **outp); -// d2i_DSAPublicKey parses a DER-encoded DSA public key from |len| bytes at -// |*inp|, as described in |d2i_SAMPLE|. +// d2i_DSAPublicKey parses a DER-encoded DSA public key from `len` bytes at +// `*inp`, as described in `d2i_SAMPLE`. // -// Use |DSA_parse_public_key| instead. +// Use `DSA_parse_public_key` instead. OPENSSL_EXPORT DSA *d2i_DSAPublicKey(DSA **out, const uint8_t **inp, long len); -// i2d_DSAPublicKey marshals |in| as a DER-encoded DSA public key, as described -// in |i2d_SAMPLE|. +// i2d_DSAPublicKey marshals `in` as a DER-encoded DSA public key, as described +// in `i2d_SAMPLE`. // -// Use |DSA_marshal_public_key| instead. +// Use `DSA_marshal_public_key` instead. OPENSSL_EXPORT int i2d_DSAPublicKey(const DSA *in, uint8_t **outp); -// d2i_DSAPrivateKey parses a DER-encoded DSA private key from |len| bytes at -// |*inp|, as described in |d2i_SAMPLE|. +// d2i_DSAPrivateKey parses a DER-encoded DSA private key from `len` bytes at +// `*inp`, as described in `d2i_SAMPLE`. // -// Use |DSA_parse_private_key| instead. +// Use `DSA_parse_private_key` instead. 
OPENSSL_EXPORT DSA *d2i_DSAPrivateKey(DSA **out, const uint8_t **inp, long len); -// i2d_DSAPrivateKey marshals |in| as a DER-encoded DSA private key, as -// described in |i2d_SAMPLE|. +// i2d_DSAPrivateKey marshals `in` as a DER-encoded DSA private key, as +// described in `i2d_SAMPLE`. // -// Use |DSA_marshal_private_key| instead. +// Use `DSA_marshal_private_key` instead. OPENSSL_EXPORT int i2d_DSAPrivateKey(const DSA *in, uint8_t **outp); -// d2i_DSAparams parses a DER-encoded Dss-Parms structure (RFC 3279) from |len| -// bytes at |*inp|, as described in |d2i_SAMPLE|. +// d2i_DSAparams parses a DER-encoded Dss-Parms structure (RFC 3279) from `len` +// bytes at `*inp`, as described in `d2i_SAMPLE`. // -// Use |DSA_parse_parameters| instead. +// Use `DSA_parse_parameters` instead. OPENSSL_EXPORT DSA *d2i_DSAparams(DSA **out, const uint8_t **inp, long len); -// i2d_DSAparams marshals |in|'s parameters as a DER-encoded Dss-Parms structure -// (RFC 3279), as described in |i2d_SAMPLE|. +// i2d_DSAparams marshals `in`'s parameters as a DER-encoded Dss-Parms structure +// (RFC 3279), as described in `i2d_SAMPLE`. // -// Use |DSA_marshal_parameters| instead. +// Use `DSA_marshal_parameters` instead. OPENSSL_EXPORT int i2d_DSAparams(const DSA *in, uint8_t **outp); // DSA_generate_parameters is a deprecated version of -// |DSA_generate_parameters_ex| that creates and returns a |DSA*|. Don't use +// `DSA_generate_parameters_ex` that creates and returns a `DSA*`. Don't use // it. OPENSSL_EXPORT DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len, int *counter_ret, diff --git a/third_party/boringssl/src/include/openssl/ec.h b/third_party/boringssl/src/include/openssl/ec.h index 24792286..e9ed9714 100644 --- a/third_party/boringssl/src/include/openssl/ec.h +++ b/third_party/boringssl/src/include/openssl/ec.h 
@@ -49,143 +49,143 @@ typedef enum { // Elliptic curve groups. // -// Elliptic curve groups are represented by |EC_GROUP| objects. Unlike OpenSSL, -// if limited to the APIs in this section, callers may treat |EC_GROUP|s as +// Elliptic curve groups are represented by `EC_GROUP` objects. Unlike OpenSSL, +// if limited to the APIs in this section, callers may treat `EC_GROUP`s as // static, immutable objects which do not need to be copied or released. In -// BoringSSL, only custom |EC_GROUP|s created by |EC_GROUP_new_curve_GFp| +// BoringSSL, only custom `EC_GROUP`s created by `EC_GROUP_new_curve_GFp` // (deprecated) are dynamic. // -// Callers may cast away |const| and use |EC_GROUP_dup| and |EC_GROUP_free| with +// Callers may cast away `const` and use `EC_GROUP_dup` and `EC_GROUP_free` with // static groups, for compatibility with OpenSSL or dynamic groups, but it is // otherwise unnecessary. -// EC_group_p224 returns an |EC_GROUP| for P-224, also known as secp224r1. +// EC_group_p224 returns an `EC_GROUP` for P-224, also known as secp224r1. OPENSSL_EXPORT const EC_GROUP *EC_group_p224(void); -// EC_group_p256 returns an |EC_GROUP| for P-256, also known as secp256r1 or +// EC_group_p256 returns an `EC_GROUP` for P-256, also known as secp256r1 or // prime256v1. OPENSSL_EXPORT const EC_GROUP *EC_group_p256(void); -// EC_group_p384 returns an |EC_GROUP| for P-384, also known as secp384r1. +// EC_group_p384 returns an `EC_GROUP` for P-384, also known as secp384r1. OPENSSL_EXPORT const EC_GROUP *EC_group_p384(void); -// EC_group_p521 returns an |EC_GROUP| for P-521, also known as secp521r1. +// EC_group_p521 returns an `EC_GROUP` for P-521, also known as secp521r1. OPENSSL_EXPORT const EC_GROUP *EC_group_p521(void); -// EC_GROUP_new_by_curve_name returns the |EC_GROUP| object for the elliptic -// curve specified by |nid|, or NULL on unsupported NID. 
For OpenSSL +// EC_GROUP_new_by_curve_name returns the `EC_GROUP` object for the elliptic +// curve specified by `nid`, or NULL on unsupported NID. For OpenSSL // compatibility, this function returns a non-const pointer which may be passed -// to |EC_GROUP_free|. However, the resulting object is actually static and -// calling |EC_GROUP_free| is optional. +// to `EC_GROUP_free`. However, the resulting object is actually static and +// calling `EC_GROUP_free` is optional. // // The supported NIDs are: -// - |NID_secp224r1| (P-224) -// - |NID_X9_62_prime256v1| (P-256) -// - |NID_secp384r1| (P-384) -// - |NID_secp521r1| (P-521) +// - `NID_secp224r1` (P-224) +// - `NID_X9_62_prime256v1` (P-256) +// - `NID_secp384r1` (P-384) +// - `NID_secp521r1` (P-521) // // Calling this function causes all four curves to be linked into the binary. -// Prefer calling |EC_group_*| to allow the static linker to drop unused curves. +// Prefer calling `EC_group_*` to allow the static linker to drop unused curves. // -// If in doubt, use |NID_X9_62_prime256v1|, or see the curve25519.h header for +// If in doubt, use `NID_X9_62_prime256v1`, or see the curve25519.h header for // more modern primitives. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_by_curve_name(int nid); -// EC_GROUP_cmp returns zero if |a| and |b| are the same group and non-zero +// EC_GROUP_cmp returns zero if `a` and `b` are the same group and non-zero // otherwise. OPENSSL_EXPORT int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ignored); -// EC_GROUP_get0_generator returns a pointer to the internal |EC_POINT| object -// in |group| that specifies the generator for the group. +// EC_GROUP_get0_generator returns a pointer to the internal `EC_POINT` object +// in `group` that specifies the generator for the group. OPENSSL_EXPORT const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group); -// EC_GROUP_get0_order returns a pointer to the internal |BIGNUM| object in -// |group| that specifies the order of the group. 
+// EC_GROUP_get0_order returns a pointer to the internal `BIGNUM` object in +// `group` that specifies the order of the group. OPENSSL_EXPORT const BIGNUM *EC_GROUP_get0_order(const EC_GROUP *group); -// EC_GROUP_order_bits returns the number of bits of the order of |group|. +// EC_GROUP_order_bits returns the number of bits of the order of `group`. OPENSSL_EXPORT int EC_GROUP_order_bits(const EC_GROUP *group); -// EC_GROUP_get_cofactor sets |*cofactor| to the cofactor of |group|. It returns -// one on success and zero otherwise. |ctx| is ignored and may be NULL. +// EC_GROUP_get_cofactor sets `*cofactor` to the cofactor of `group`. It returns +// one on success and zero otherwise. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx); // EC_GROUP_get_curve_GFp gets various parameters about a group. It sets -// |*out_p| to the order of the coordinate field and |*out_a| and |*out_b| to +// `*out_p` to the order of the coordinate field and `*out_a` and `*out_b` to // the parameters of the curve when expressed as y² = x³ + ax + b. Any of the // output parameters can be NULL. It returns one on success and zero on -// error. |ctx| is ignored and may be NULL. +// error. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *out_p, BIGNUM *out_a, BIGNUM *out_b, BN_CTX *ctx); -// EC_GROUP_get_curve_name returns a NID that identifies |group|. +// EC_GROUP_get_curve_name returns a NID that identifies `group`. OPENSSL_EXPORT int EC_GROUP_get_curve_name(const EC_GROUP *group); // EC_GROUP_get_degree returns the number of bits needed to represent an -// element of the field underlying |group|. +// element of the field underlying `group`. OPENSSL_EXPORT unsigned EC_GROUP_get_degree(const EC_GROUP *group); // EC_curve_nid2nist returns the NIST name of the elliptic curve specified by -// |nid|, or NULL if |nid| is not a NIST curve. 
For example, it returns "P-256" -// for |NID_X9_62_prime256v1|. +// `nid`, or NULL if `nid` is not a NIST curve. For example, it returns "P-256" +// for `NID_X9_62_prime256v1`. OPENSSL_EXPORT const char *EC_curve_nid2nist(int nid); // EC_curve_nist2nid returns the NID of the elliptic curve specified by the NIST -// name |name|, or |NID_undef| if |name| is not a recognized name. For example, -// it returns |NID_X9_62_prime256v1| for "P-256". +// name `name`, or `NID_undef` if `name` is not a recognized name. For example, +// it returns `NID_X9_62_prime256v1` for "P-256". OPENSSL_EXPORT int EC_curve_nist2nid(const char *name); // Points on elliptic curves. -// EC_POINT_new returns a fresh |EC_POINT| object in the given group, or NULL +// EC_POINT_new returns a fresh `EC_POINT` object in the given group, or NULL // on error. OPENSSL_EXPORT EC_POINT *EC_POINT_new(const EC_GROUP *group); -// EC_POINT_free frees |point| and the data that it points to. +// EC_POINT_free frees `point` and the data that it points to. OPENSSL_EXPORT void EC_POINT_free(EC_POINT *point); -// EC_POINT_copy sets |*dest| equal to |*src|. It returns one on success and +// EC_POINT_copy sets `*dest` equal to `*src`. It returns one on success and // zero otherwise. OPENSSL_EXPORT int EC_POINT_copy(EC_POINT *dest, const EC_POINT *src); -// EC_POINT_dup returns a fresh |EC_POINT| that contains the same values as -// |src|, or NULL on error. +// EC_POINT_dup returns a fresh `EC_POINT` that contains the same values as +// `src`, or NULL on error. OPENSSL_EXPORT EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group); -// EC_POINT_set_to_infinity sets |point| to be the "point at infinity" for the +// EC_POINT_set_to_infinity sets `point` to be the "point at infinity" for the // given group. 
OPENSSL_EXPORT int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point); -// EC_POINT_is_at_infinity returns one iff |point| is the point at infinity and +// EC_POINT_is_at_infinity returns one iff `point` is the point at infinity and // zero otherwise. OPENSSL_EXPORT int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point); -// EC_POINT_is_on_curve returns one if |point| is an element of |group| and +// EC_POINT_is_on_curve returns one if `point` is an element of `group` and // and zero otherwise or when an error occurs. This is different from OpenSSL, -// which returns -1 on error. |ctx| is ignored and may be NULL. +// which returns -1 on error. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx); -// EC_POINT_cmp returns zero if |a| is equal to |b|, greater than zero if -// not equal and -1 on error. |ctx| is ignored and may be NULL. +// EC_POINT_cmp returns zero if `a` is equal to `b`, greater than zero if +// not equal and -1 on error. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); // Point conversion. -// EC_POINT_get_affine_coordinates_GFp sets |x| and |y| to the affine value of -// |point|. It returns one on success and zero otherwise. |ctx| is ignored and +// EC_POINT_get_affine_coordinates_GFp sets `x` and `y` to the affine value of +// `point`. It returns one on success and zero otherwise. `ctx` is ignored and // may be NULL. // -// Either |x| or |y| may be NULL to skip computing that coordinate. This is +// Either `x` or `y` may be NULL to skip computing that coordinate. This is // slightly faster in the common case where only the x-coordinate is needed. OPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point, 
@@ -193,21 +193,21 @@ OPENSSL_EXPORT int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, BN_CTX *ctx); // EC_POINT_get_affine_coordinates is an alias of -// |EC_POINT_get_affine_coordinates_GFp|. +// `EC_POINT_get_affine_coordinates_GFp`. OPENSSL_EXPORT int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -// EC_POINT_set_affine_coordinates_GFp sets the value of |point| to be -// (|x|, |y|). |ctx| is ignored and may be NULL. It returns one on success or +// EC_POINT_set_affine_coordinates_GFp sets the value of `point` to be +// (`x`, `y`). `ctx` is ignored and may be NULL. It returns one on success or // zero on error. It's considered an error if the point is not on the curve. // // Note that the corresponding function in OpenSSL versions prior to 1.0.2s does // not check if the point is on the curve. This is a security-critical check, so // code additionally supporting OpenSSL should repeat the check with -// |EC_POINT_is_on_curve| or check for older OpenSSL versions with -// |OPENSSL_VERSION_NUMBER|. +// `EC_POINT_is_on_curve` or check for older OpenSSL versions with +// `OPENSSL_VERSION_NUMBER`. OPENSSL_EXPORT int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, 
@@ -215,51 +215,51 @@ OPENSSL_EXPORT int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, BN_CTX *ctx); // EC_POINT_set_affine_coordinates is an alias of -// |EC_POINT_set_affine_coordinates_GFp|. +// `EC_POINT_set_affine_coordinates_GFp`. OPENSSL_EXPORT int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); -// EC_POINT_point2oct serialises |point| into the X9.62 form given by |form| -// into, at most, |max_out| bytes at |buf|. It returns the number of bytes -// written or zero on error if |buf| is non-NULL, else the number of bytes -// needed. |ctx| is ignored and may be NULL. +// EC_POINT_point2oct serialises `point` into the X9.62 form given by `form` +// into, at most, `max_out` bytes at `buf`. It returns the number of bytes +// written or zero on error if `buf` is non-NULL, else the number of bytes +// needed. `ctx` is ignored and may be NULL. OPENSSL_EXPORT size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, uint8_t *buf, size_t max_out, BN_CTX *ctx); -// EC_POINT_point2buf serialises |point| into the X9.62 form given by |form| to -// a newly-allocated buffer and sets |*out_buf| to point to it. It returns the +// EC_POINT_point2buf serialises `point` into the X9.62 form given by `form` to +// a newly-allocated buffer and sets `*out_buf` to point to it. It returns the // length of the result on success or zero on error. The caller must release -// |*out_buf| with |OPENSSL_free| when done. |ctx| is ignored and may be NULL. +// `*out_buf` with `OPENSSL_free` when done. `ctx` is ignored and may be NULL. OPENSSL_EXPORT size_t EC_POINT_point2buf(const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, uint8_t **out_buf, BN_CTX *ctx); -// EC_POINT_point2cbb behaves like |EC_POINT_point2oct| but appends the -// serialised point to |cbb|. It returns one on success and zero on error. 
|ctx| +// EC_POINT_point2cbb behaves like `EC_POINT_point2oct` but appends the +// serialised point to `cbb`. It returns one on success and zero on error. `ctx` // is ignored and may be NULL. OPENSSL_EXPORT int EC_POINT_point2cbb(CBB *out, const EC_GROUP *group, const EC_POINT *point, point_conversion_form_t form, BN_CTX *ctx); -// EC_POINT_oct2point sets |point| from |len| bytes of X9.62 format -// serialisation in |buf|. It returns one on success and zero on error. |ctx| -// may be NULL. It's considered an error if |buf| does not represent a point on +// EC_POINT_oct2point sets `point` from `len` bytes of X9.62 format +// serialisation in `buf`. It returns one on success and zero on error. `ctx` +// may be NULL. It's considered an error if `buf` does not represent a point on // the curve. OPENSSL_EXPORT int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, const uint8_t *buf, size_t len, BN_CTX *ctx); -// EC_POINT_set_compressed_coordinates_GFp sets |point| to equal the point with -// the given |x| coordinate and the y coordinate specified by |y_bit| (see -// X9.62). It returns one on success and zero otherwise. |ctx| may be NULL. +// EC_POINT_set_compressed_coordinates_GFp sets `point` to equal the point with +// the given `x` coordinate and the y coordinate specified by `y_bit` (see +// X9.62). It returns one on success and zero otherwise. `ctx` may be NULL. OPENSSL_EXPORT int EC_POINT_set_compressed_coordinates_GFp( const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, int y_bit, BN_CTX *ctx); 
@@ -267,24 +267,24 @@ OPENSSL_EXPORT int EC_POINT_set_compressed_coordinates_GFp( // Group operations. -// EC_POINT_add sets |r| equal to |a| plus |b|. It returns one on success and -// zero otherwise. |ctx| is ignored and may be NULL. +// EC_POINT_add sets `r` equal to `a` plus `b`. It returns one on success and +// zero otherwise. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); -// EC_POINT_dbl sets |r| equal to |a| plus |a|. It returns one on success and -// zero otherwise. |ctx| is ignored and may be NULL. +// EC_POINT_dbl sets `r` equal to `a` plus `a`. It returns one on success and +// zero otherwise. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx); -// EC_POINT_invert sets |a| equal to minus |a|. It returns one on success and -// zero otherwise. |ctx| is ignored and may be NULL. +// EC_POINT_invert sets `a` equal to minus `a`. It returns one on success and +// zero otherwise. `ctx` is ignored and may be NULL. OPENSSL_EXPORT int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx); // EC_POINT_mul sets r = generator*n + q*m. It returns one on success and zero -// otherwise. |ctx| may be NULL. +// otherwise. `ctx` may be NULL. OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); 
@@ -292,44 +292,44 @@ OPENSSL_EXPORT int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, // Hash-to-curve. // -// The following functions implement primitives from RFC 9380. The |dst| +// The following functions implement primitives from RFC 9380. The `dst` // parameter in each function is the domain separation tag and must be unique -// for each protocol and between the |hash_to_curve| and |hash_to_scalar| +// for each protocol and between the `hash_to_curve` and `hash_to_scalar` // variants. See section 3.1 of the spec for additional guidance on this // parameter. -// EC_hash_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| and -// writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_RO_ suite +// EC_hash_to_curve_p256_xmd_sha256_sswu hashes `msg` to a point on `group` and +// writes the result to `out`, implementing the P256_XMD:SHA-256_SSWU_RO_ suite // from RFC 9380. It returns one on success and zero on error. OPENSSL_EXPORT int EC_hash_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); -// EC_hash_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| and -// writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_RO_ suite +// EC_hash_to_curve_p384_xmd_sha384_sswu hashes `msg` to a point on `group` and +// writes the result to `out`, implementing the P384_XMD:SHA-384_SSWU_RO_ suite // from RFC 9380. It returns one on success and zero on error. 
OPENSSL_EXPORT int EC_hash_to_curve_p384_xmd_sha384_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); -// EC_encode_to_curve_p256_xmd_sha256_sswu hashes |msg| to a point on |group| -// and writes the result to |out|, implementing the P256_XMD:SHA-256_SSWU_NU_ +// EC_encode_to_curve_p256_xmd_sha256_sswu hashes `msg` to a point on `group` +// and writes the result to `out`, implementing the P256_XMD:SHA-256_SSWU_NU_ // suite from RFC 9380. It returns one on success and zero on error. // -// This is a nonuniform encoding from byte strings to points in |group|. That -// is, the set of possible outputs is only a fraction of the points in |group|, +// This is a nonuniform encoding from byte strings to points in `group`. That +// is, the set of possible outputs is only a fraction of the points in `group`, // and some points in this set are more likely to be output than others. See // also RFC 9380, section 10.4 OPENSSL_EXPORT int EC_encode_to_curve_p256_xmd_sha256_sswu( const EC_GROUP *group, EC_POINT *out, const uint8_t *dst, size_t dst_len, const uint8_t *msg, size_t msg_len); -// EC_encode_to_curve_p384_xmd_sha384_sswu hashes |msg| to a point on |group| -// and writes the result to |out|, implementing the P384_XMD:SHA-384_SSWU_NU_ +// EC_encode_to_curve_p384_xmd_sha384_sswu hashes `msg` to a point on `group` +// and writes the result to `out`, implementing the P384_XMD:SHA-384_SSWU_NU_ // suite from RFC 9380. It returns one on success and zero on error. // -// This is a nonuniform encoding from byte strings to points in |group|. That -// is, the set of possible outputs is only a fraction of the points in |group|, +// This is a nonuniform encoding from byte strings to points in `group`. That +// is, the set of possible outputs is only a fraction of the points in `group`, // and some points in this set are more likely to be output than others. 
See // also RFC 9380, section 10.4 OPENSSL_EXPORT int EC_encode_to_curve_p384_xmd_sha384_sswu( 
@@ -339,61 +339,61 @@ OPENSSL_EXPORT int EC_encode_to_curve_p384_xmd_sha384_sswu( // Deprecated functions. -// EC_GROUP_free releases a reference to |group|, if |group| was created by -// |EC_GROUP_new_curve_GFp|. If |group| is static, it does nothing. +// EC_GROUP_free releases a reference to `group`, if `group` was created by +// `EC_GROUP_new_curve_GFp`. If `group` is static, it does nothing. // // This function exists for OpenSSL compatibility, and to manage dynamic -// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need +// `EC_GROUP`s constructed by `EC_GROUP_new_curve_GFp`. Callers that do not need // either may ignore this function. OPENSSL_EXPORT void EC_GROUP_free(EC_GROUP *group); -// EC_GROUP_dup increments |group|'s reference count and returns it, if |group| -// was created by |EC_GROUP_new_curve_GFp|. If |group| is static, it simply -// returns |group|. +// EC_GROUP_dup increments `group`'s reference count and returns it, if `group` +// was created by `EC_GROUP_new_curve_GFp`. If `group` is static, it simply +// returns `group`. // // This function exists for OpenSSL compatibility, and to manage dynamic -// |EC_GROUP|s constructed by |EC_GROUP_new_curve_GFp|. Callers that do not need +// `EC_GROUP`s constructed by `EC_GROUP_new_curve_GFp`. Callers that do not need // either may ignore this function. OPENSSL_EXPORT EC_GROUP *EC_GROUP_dup(const EC_GROUP *group); // EC_GROUP_new_curve_GFp creates a new, arbitrary elliptic curve group based // on the equation y² = x³ + a·x + b. It returns the new group or NULL on // error. The lifetime of the resulting object must be managed with -// |EC_GROUP_dup| and |EC_GROUP_free|. +// `EC_GROUP_dup` and `EC_GROUP_free`. // // This new group has no generator. It is an error to use a generator-less group -// with any functions except for |EC_GROUP_free|, |EC_POINT_new|, -// |EC_POINT_set_affine_coordinates_GFp|, and |EC_GROUP_set_generator|. 
+// with any functions except for `EC_GROUP_free`, `EC_POINT_new`, +// `EC_POINT_set_affine_coordinates_GFp`, and `EC_GROUP_set_generator`. // -// |EC_GROUP|s returned by this function will always compare as unequal via -// |EC_GROUP_cmp| (even to themselves). |EC_GROUP_get_curve_name| will always -// return |NID_undef|. +// `EC_GROUP`s returned by this function will always compare as unequal via +// `EC_GROUP_cmp` (even to themselves). `EC_GROUP_get_curve_name` will always +// return `NID_undef`. // // This function is provided for compatibility with some legacy applications -// only. Avoid using arbitrary curves and use |EC_GROUP_new_by_curve_name| +// only. Avoid using arbitrary curves and use `EC_GROUP_new_by_curve_name` // instead. This ensures the result meets preconditions necessary for // elliptic curve algorithms to function correctly and securely. // // Given invalid parameters, this function may fail or it may return an -// |EC_GROUP| which breaks these preconditions. Subsequent operations may then +// `EC_GROUP` which breaks these preconditions. Subsequent operations may then // return arbitrary, incorrect values. Callers should not pass // attacker-controlled values to this function. OPENSSL_EXPORT EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -// EC_GROUP_set_generator sets the generator for |group| to |generator|, which -// must have the given order and cofactor. It may only be used with |EC_GROUP| -// objects returned by |EC_GROUP_new_curve_GFp| and may only be used once on -// each group. |generator| must have been created using |group|. +// EC_GROUP_set_generator sets the generator for `group` to `generator`, which +// must have the given order and cofactor. It may only be used with `EC_GROUP` +// objects returned by `EC_GROUP_new_curve_GFp` and may only be used once on +// each group. `generator` must have been created using `group`. 
OPENSSL_EXPORT int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor); -// EC_GROUP_get_order sets |*order| to the order of |group|, if it's not -// NULL. It returns one on success and zero otherwise. |ctx| is ignored and may -// be NULL. Use |EC_GROUP_get0_order| instead. +// EC_GROUP_get_order sets `*order` to the order of `group`, if it's not +// NULL. It returns one on success and zero otherwise. `ctx` is ignored and may +// be NULL. Use `EC_GROUP_get0_order` instead. OPENSSL_EXPORT int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); @@ -403,7 +403,7 @@ OPENSSL_EXPORT int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, // EC_GROUP_set_asn1_flag does nothing. OPENSSL_EXPORT void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); -// EC_GROUP_get_asn1_flag returns |OPENSSL_EC_NAMED_CURVE|. +// EC_GROUP_get_asn1_flag returns `OPENSSL_EC_NAMED_CURVE`. OPENSSL_EXPORT int EC_GROUP_get_asn1_flag(const EC_GROUP *group); typedef struct ec_method_st EC_METHOD; @@ -414,8 +414,8 @@ OPENSSL_EXPORT const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group); // EC_METHOD_get_field_type returns NID_X9_62_prime_field. OPENSSL_EXPORT int EC_METHOD_get_field_type(const EC_METHOD *meth); -// EC_GROUP_set_point_conversion_form aborts the process if |form| is not -// |POINT_CONVERSION_UNCOMPRESSED| and otherwise does nothing. +// EC_GROUP_set_point_conversion_form aborts the process if `form` is not +// `POINT_CONVERSION_UNCOMPRESSED` and otherwise does nothing. OPENSSL_EXPORT void EC_GROUP_set_point_conversion_form( EC_GROUP *group, point_conversion_form_t form); 
@@ -425,15 +425,15 @@ typedef struct { const char *comment; } EC_builtin_curve; -// EC_get_builtin_curves writes at most |max_num_curves| elements to -// |out_curves| and returns the total number that it would have written, had -// |max_num_curves| been large enough. +// EC_get_builtin_curves writes at most `max_num_curves` elements to +// `out_curves` and returns the total number that it would have written, had +// `max_num_curves` been large enough. // -// The |EC_builtin_curve| items describe the supported elliptic curves. +// The `EC_builtin_curve` items describe the supported elliptic curves. OPENSSL_EXPORT size_t EC_get_builtin_curves(EC_builtin_curve *out_curves, size_t max_num_curves); -// EC_POINT_clear_free calls |EC_POINT_free|. +// EC_POINT_clear_free calls `EC_POINT_free`. OPENSSL_EXPORT void EC_POINT_clear_free(EC_POINT *point); diff --git a/third_party/boringssl/src/include/openssl/ec_key.h b/third_party/boringssl/src/include/openssl/ec_key.h index 47d50636..2ab696cf 100644 --- a/third_party/boringssl/src/include/openssl/ec_key.h +++ b/third_party/boringssl/src/include/openssl/ec_key.h 
@@ -33,83 +33,83 @@ extern "C" { // EC key objects. // -// An |EC_KEY| object represents a public or private EC key. A given object may +// An `EC_KEY` object represents a public or private EC key. A given object may // be used concurrently on multiple threads by non-mutating functions, provided // no other thread is concurrently calling a mutating function. Unless otherwise -// documented, functions which take a |const| pointer are non-mutating and -// functions which take a non-|const| pointer are mutating. +// documented, functions which take a `const` pointer are non-mutating and +// functions which take a non-`const` pointer are mutating. -// EC_KEY_new returns a fresh |EC_KEY| object or NULL on error. +// EC_KEY_new returns a fresh `EC_KEY` object or NULL on error. OPENSSL_EXPORT EC_KEY *EC_KEY_new(void); -// EC_KEY_new_method acts the same as |EC_KEY_new|, but takes an explicit -// |ENGINE|. +// EC_KEY_new_method acts the same as `EC_KEY_new`, but takes an explicit +// `ENGINE`. OPENSSL_EXPORT EC_KEY *EC_KEY_new_method(const ENGINE *engine); -// EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by |nid| +// EC_KEY_new_by_curve_name returns a fresh EC_KEY for group specified by `nid` // or NULL on error. OPENSSL_EXPORT EC_KEY *EC_KEY_new_by_curve_name(int nid); -// EC_KEY_free frees all the data owned by |key| and |key| itself. +// EC_KEY_free frees all the data owned by `key` and `key` itself. OPENSSL_EXPORT void EC_KEY_free(EC_KEY *key); -// EC_KEY_dup returns a fresh copy of |src| or NULL on error. +// EC_KEY_dup returns a fresh copy of `src` or NULL on error. OPENSSL_EXPORT EC_KEY *EC_KEY_dup(const EC_KEY *src); -// EC_KEY_up_ref increases the reference count of |key| and returns one. It does -// not mutate |key| for thread-safety purposes and may be used concurrently. +// EC_KEY_up_ref increases the reference count of `key` and returns one. It does +// not mutate `key` for thread-safety purposes and may be used concurrently. 
OPENSSL_EXPORT int EC_KEY_up_ref(EC_KEY *key); -// EC_KEY_is_opaque returns one if |key| is opaque and doesn't expose its key +// EC_KEY_is_opaque returns one if `key` is opaque and doesn't expose its key // material. Otherwise it return zero. OPENSSL_EXPORT int EC_KEY_is_opaque(const EC_KEY *key); -// EC_KEY_get0_group returns a pointer to the |EC_GROUP| object inside |key|. +// EC_KEY_get0_group returns a pointer to the `EC_GROUP` object inside `key`. OPENSSL_EXPORT const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); -// EC_KEY_set_group sets the |EC_GROUP| object that |key| will use to |group|. -// It returns one on success and zero if |key| is already configured with a +// EC_KEY_set_group sets the `EC_GROUP` object that `key` will use to `group`. +// It returns one on success and zero if `key` is already configured with a // different group. OPENSSL_EXPORT int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group); -// EC_KEY_get0_private_key returns a pointer to the private key inside |key|. +// EC_KEY_get0_private_key returns a pointer to the private key inside `key`. OPENSSL_EXPORT const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key); -// EC_KEY_set_private_key sets the private key of |key| to |priv|. It returns -// one on success and zero otherwise. |key| must already have had a group -// configured (see |EC_KEY_set_group| and |EC_KEY_new_by_curve_name|). +// EC_KEY_set_private_key sets the private key of `key` to `priv`. It returns +// one on success and zero otherwise. `key` must already have had a group +// configured (see `EC_KEY_set_group` and `EC_KEY_new_by_curve_name`). OPENSSL_EXPORT int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv); // EC_KEY_get0_public_key returns a pointer to the public key point inside -// |key|. +// `key`. OPENSSL_EXPORT const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); -// EC_KEY_set_public_key sets the public key of |key| to |pub|, by copying it. -// It returns one on success and zero otherwise. 
|key| must already have had a -// group configured (see |EC_KEY_set_group| and |EC_KEY_new_by_curve_name|), and -// |pub| must also belong to that group, and must not be the point at infinity. +// EC_KEY_set_public_key sets the public key of `key` to `pub`, by copying it. +// It returns one on success and zero otherwise. `key` must already have had a +// group configured (see `EC_KEY_set_group` and `EC_KEY_new_by_curve_name`), and +// `pub` must also belong to that group, and must not be the point at infinity. OPENSSL_EXPORT int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); #define EC_PKEY_NO_PARAMETERS 0x001 #define EC_PKEY_NO_PUBKEY 0x002 -// EC_KEY_get_enc_flags returns the encoding flags for |key|, which is a -// bitwise-OR of |EC_PKEY_*| values. +// EC_KEY_get_enc_flags returns the encoding flags for `key`, which is a +// bitwise-OR of `EC_PKEY_*` values. OPENSSL_EXPORT unsigned EC_KEY_get_enc_flags(const EC_KEY *key); -// EC_KEY_set_enc_flags sets the encoding flags for |key|, which is a -// bitwise-OR of |EC_PKEY_*| values. +// EC_KEY_set_enc_flags sets the encoding flags for `key`, which is a +// bitwise-OR of `EC_PKEY_*` values. OPENSSL_EXPORT void EC_KEY_set_enc_flags(EC_KEY *key, unsigned flags); // EC_KEY_get_conv_form returns the conversation form that will be used by -// |key|. +// `key`. OPENSSL_EXPORT point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); -// EC_KEY_set_conv_form sets the conversion form to be used by |key|. +// EC_KEY_set_conv_form sets the conversion form to be used by `key`. OPENSSL_EXPORT void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform); -// EC_KEY_check_key performs several checks on |key| (possibly including an +// EC_KEY_check_key performs several checks on `key` (possibly including an // expensive check that the public key is in the primary subgroup). It returns // one if all checks pass and zero otherwise. 
If it returns zero then detail // about the problem can be found on the error stack. 
@@ -120,70 +120,70 @@ OPENSSL_EXPORT int EC_KEY_check_key(const EC_KEY *key); // 5.6.2.1.4. It returns one if it passes and zero otherwise. OPENSSL_EXPORT int EC_KEY_check_fips(const EC_KEY *key); -// EC_KEY_set_public_key_affine_coordinates sets the public key in |key| to -// (|x|, |y|). It returns one on success and zero on error. It's considered an -// error if |x| and |y| do not represent a point on |key|'s curve. +// EC_KEY_set_public_key_affine_coordinates sets the public key in `key` to +// (`x`, `y`). It returns one on success and zero on error. It's considered an +// error if `x` and `y` do not represent a point on `key`'s curve. OPENSSL_EXPORT int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, const BIGNUM *x, const BIGNUM *y); -// EC_KEY_oct2key decodes |len| bytes from |in| as an EC public key in X9.62 -// form. |key| must already have a group configured. On success, it sets the -// public key in |key| to the result and returns one. Otherwise, it returns -// zero. |ctx| may be NULL. +// EC_KEY_oct2key decodes `len` bytes from `in` as an EC public key in X9.62 +// form. `key` must already have a group configured. On success, it sets the +// public key in `key` to the result and returns one. Otherwise, it returns +// zero. `ctx` may be NULL. OPENSSL_EXPORT int EC_KEY_oct2key(EC_KEY *key, const uint8_t *in, size_t len, BN_CTX *ctx); -// EC_KEY_key2buf behaves like |EC_POINT_point2buf|, except it encodes the -// public key in |key|. |ctx| is ignored and may be NULL. +// EC_KEY_key2buf behaves like `EC_POINT_point2buf`, except it encodes the +// public key in `key`. `ctx` is ignored and may be NULL. OPENSSL_EXPORT size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form, uint8_t **out_buf, BN_CTX *ctx); -// EC_KEY_oct2priv decodes a big-endian, zero-padded integer from |len| bytes -// from |in| and sets |key|'s private key to the result. It returns one on -// success and zero on error. 
The input must be padded to the size of |key|'s +// EC_KEY_oct2priv decodes a big-endian, zero-padded integer from `len` bytes +// from `in` and sets `key`'s private key to the result. It returns one on +// success and zero on error. The input must be padded to the size of `key`'s // group order. OPENSSL_EXPORT int EC_KEY_oct2priv(EC_KEY *key, const uint8_t *in, size_t len); -// EC_KEY_priv2oct serializes |key|'s private key as a big-endian integer, -// zero-padded to the size of |key|'s group order and writes the result to at -// most |max_out| bytes of |out|. It returns the number of bytes written on -// success and zero on error. If |out| is NULL, it returns the number of bytes +// EC_KEY_priv2oct serializes `key`'s private key as a big-endian integer, +// zero-padded to the size of `key`'s group order and writes the result to at +// most `max_out` bytes of `out`. It returns the number of bytes written on +// success and zero on error. If `out` is NULL, it returns the number of bytes // needed without writing anything. OPENSSL_EXPORT size_t EC_KEY_priv2oct(const EC_KEY *key, uint8_t *out, size_t max_out); -// EC_KEY_priv2buf behaves like |EC_KEY_priv2oct| but sets |*out_buf| to a +// EC_KEY_priv2buf behaves like `EC_KEY_priv2oct` but sets `*out_buf` to a // newly-allocated buffer containing the result. It returns the size of the -// result on success and zero on error. The caller must release |*out_buf| with -// |OPENSSL_free| when done. +// result on success and zero on error. The caller must release `*out_buf` with +// `OPENSSL_free` when done. OPENSSL_EXPORT size_t EC_KEY_priv2buf(const EC_KEY *key, uint8_t **out_buf); // Key generation. // EC_KEY_generate_key generates a random, private key, calculates the -// corresponding public key and stores both in |key|. It returns one on success +// corresponding public key and stores both in `key`. It returns one on success // or zero otherwise. 
OPENSSL_EXPORT int EC_KEY_generate_key(EC_KEY *key); -// EC_KEY_generate_key_fips behaves like |EC_KEY_generate_key| but performs +// EC_KEY_generate_key_fips behaves like `EC_KEY_generate_key` but performs // additional checks for FIPS compliance. This function is applicable when // generating keys for either signing/verification or key agreement because // both types of consistency check (PCT) are performed. OPENSSL_EXPORT int EC_KEY_generate_key_fips(EC_KEY *key); -// EC_KEY_derive_from_secret deterministically derives a private key for |group| -// from an input secret using HKDF-SHA256. It returns a newly-allocated |EC_KEY| -// on success or NULL on error. |secret| must not be used in any other +// EC_KEY_derive_from_secret deterministically derives a private key for `group` +// from an input secret using HKDF-SHA256. It returns a newly-allocated `EC_KEY` +// on success or NULL on error. `secret` must not be used in any other // algorithm. If using a base secret for multiple operations, derive separate // values with a KDF such as HKDF first. // // Note this function implements an arbitrary derivation scheme, rather than any // particular standard one. New protocols are recommended to use X25519 and // Ed25519, which have standard byte import functions. See -// |X25519_public_from_private| and |ED25519_keypair_from_seed|. +// `X25519_public_from_private` and `ED25519_keypair_from_seed`. OPENSSL_EXPORT EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, const uint8_t *secret, size_t secret_len); 
@@ -192,45 +192,45 @@ OPENSSL_EXPORT EC_KEY *EC_KEY_derive_from_secret(const EC_GROUP *group, // Serialisation. // EC_KEY_parse_private_key parses a DER-encoded ECPrivateKey structure (RFC -// 5915) from |cbs| and advances |cbs|. It returns a newly-allocated |EC_KEY| or -// NULL on error. If |group| is non-null, the parameters field of the -// ECPrivateKey may be omitted (but must match |group| if present). Otherwise, +// 5915) from `cbs` and advances `cbs`. It returns a newly-allocated `EC_KEY` or +// NULL on error. If `group` is non-null, the parameters field of the +// ECPrivateKey may be omitted (but must match `group` if present). Otherwise, // the parameters field is required. OPENSSL_EXPORT EC_KEY *EC_KEY_parse_private_key(CBS *cbs, const EC_GROUP *group); -// EC_KEY_marshal_private_key marshals |key| as a DER-encoded ECPrivateKey -// structure (RFC 5915) and appends the result to |cbb|. It returns one on -// success and zero on failure. |enc_flags| is a combination of |EC_PKEY_*| +// EC_KEY_marshal_private_key marshals `key` as a DER-encoded ECPrivateKey +// structure (RFC 5915) and appends the result to `cbb`. It returns one on +// success and zero on failure. `enc_flags` is a combination of `EC_PKEY_*` // values and controls whether corresponding fields are omitted. OPENSSL_EXPORT int EC_KEY_marshal_private_key(CBB *cbb, const EC_KEY *key, unsigned enc_flags); // EC_KEY_parse_curve_name parses a DER-encoded OBJECT IDENTIFIER as a curve -// name from |cbs| and advances |cbs|. It returns the decoded |EC_GROUP| or NULL +// name from `cbs` and advances `cbs`. It returns the decoded `EC_GROUP` or NULL // on error. // // This function returns a non-const pointer which may be passed to -// |EC_GROUP_free|. However, the resulting object is actually static and calling -// |EC_GROUP_free| is optional. +// `EC_GROUP_free`. However, the resulting object is actually static and calling +// `EC_GROUP_free` is optional. 
// // TODO(davidben): Make this return a const pointer, if it does not break too // many callers. OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_curve_name(CBS *cbs); -// EC_KEY_marshal_curve_name marshals |group| as a DER-encoded OBJECT IDENTIFIER -// and appends the result to |cbb|. It returns one on success and zero on +// EC_KEY_marshal_curve_name marshals `group` as a DER-encoded OBJECT IDENTIFIER +// and appends the result to `cbb`. It returns one on success and zero on // failure. OPENSSL_EXPORT int EC_KEY_marshal_curve_name(CBB *cbb, const EC_GROUP *group); // EC_KEY_parse_parameters parses a DER-encoded ECParameters structure (RFC -// 5480) from |cbs| and advances |cbs|. It returns the resulting |EC_GROUP| or +// 5480) from `cbs` and advances `cbs`. It returns the resulting `EC_GROUP` or // NULL on error. It supports the namedCurve and specifiedCurve options, but use -// of specifiedCurve is deprecated. Use |EC_KEY_parse_curve_name| instead. +// of specifiedCurve is deprecated. Use `EC_KEY_parse_curve_name` instead. // // This function returns a non-const pointer which may be passed to -// |EC_GROUP_free|. However, the resulting object is actually static and calling -// |EC_GROUP_free| is optional. +// `EC_GROUP_free`. However, the resulting object is actually static and calling +// `EC_GROUP_free` is optional. // // TODO(davidben): Make this return a const pointer, if it does not break too // many callers. @@ -239,7 +239,7 @@ OPENSSL_EXPORT EC_GROUP *EC_KEY_parse_parameters(CBS *cbs); // ex_data functions. // -// These functions are wrappers. See |ex_data.h| for details. +// These functions are wrappers. See `ex_data.h` for details. OPENSSL_EXPORT int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 
@@ -266,7 +266,7 @@ struct ecdsa_method_st { int (*init)(EC_KEY *key); int (*finish)(EC_KEY *key); - // sign matches the arguments and behaviour of |ECDSA_sign|. + // sign matches the arguments and behaviour of `ECDSA_sign`. int (*sign)(const uint8_t *digest, size_t digest_len, uint8_t *sig, unsigned int *sig_len, EC_KEY *eckey); 
@@ -280,62 +280,62 @@ struct ecdsa_method_st { OPENSSL_EXPORT void EC_KEY_set_asn1_flag(EC_KEY *key, int flag); // d2i_ECPrivateKey parses a DER-encoded ECPrivateKey structure (RFC 5915) from -// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. On input, if |*out_key| +// `len` bytes at `*inp`, as described in `d2i_SAMPLE`. On input, if `*out_key` // is non-NULL and has a group configured, the parameters field may be omitted // but must match that group if present. // -// Use |EC_KEY_parse_private_key| instead. +// Use `EC_KEY_parse_private_key` instead. OPENSSL_EXPORT EC_KEY *d2i_ECPrivateKey(EC_KEY **out_key, const uint8_t **inp, long len); -// i2d_ECPrivateKey marshals |key| as a DER-encoded ECPrivateKey structure (RFC -// 5915), as described in |i2d_SAMPLE|. +// i2d_ECPrivateKey marshals `key` as a DER-encoded ECPrivateKey structure (RFC +// 5915), as described in `i2d_SAMPLE`. // -// Use |EC_KEY_marshal_private_key| instead. +// Use `EC_KEY_marshal_private_key` instead. OPENSSL_EXPORT int i2d_ECPrivateKey(const EC_KEY *key, uint8_t **outp); // d2i_ECPKParameters parses a DER-encoded ECParameters structure (RFC 5480) -// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. For legacy reasons, +// from `len` bytes at `*inp`, as described in `d2i_SAMPLE`. For legacy reasons, // it recognizes the specifiedCurve form, but only for curves that are already // supported as named curves. // -// Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead. +// Use `EC_KEY_parse_parameters` or `EC_KEY_parse_curve_name` instead. OPENSSL_EXPORT EC_GROUP *d2i_ECPKParameters(EC_GROUP **out, const uint8_t **inp, long len); -// i2d_ECPKParameters marshals |group| as a DER-encoded ECParameters structure -// (RFC 5480), as described in |i2d_SAMPLE|. +// i2d_ECPKParameters marshals `group` as a DER-encoded ECParameters structure +// (RFC 5480), as described in `i2d_SAMPLE`. // -// Use |EC_KEY_marshal_curve_name| instead. +// Use `EC_KEY_marshal_curve_name` instead. 
OPENSSL_EXPORT int i2d_ECPKParameters(const EC_GROUP *group, uint8_t **outp); // d2i_ECParameters parses a DER-encoded ECParameters structure (RFC 5480) from -// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. It returns the result as -// an |EC_KEY| with parameters, but no key, configured. +// `len` bytes at `*inp`, as described in `d2i_SAMPLE`. It returns the result as +// an `EC_KEY` with parameters, but no key, configured. // -// Use |EC_KEY_parse_parameters| or |EC_KEY_parse_curve_name| instead. +// Use `EC_KEY_parse_parameters` or `EC_KEY_parse_curve_name` instead. OPENSSL_EXPORT EC_KEY *d2i_ECParameters(EC_KEY **out_key, const uint8_t **inp, long len); -// i2d_ECParameters marshals |key|'s parameters as a DER-encoded OBJECT -// IDENTIFIER, as described in |i2d_SAMPLE|. +// i2d_ECParameters marshals `key`'s parameters as a DER-encoded OBJECT +// IDENTIFIER, as described in `i2d_SAMPLE`. // -// Use |EC_KEY_marshal_curve_name| instead. +// Use `EC_KEY_marshal_curve_name` instead. OPENSSL_EXPORT int i2d_ECParameters(const EC_KEY *key, uint8_t **outp); -// o2i_ECPublicKey parses an EC point from |len| bytes at |*inp| into -// |*out_key|. Note that this differs from the d2i format in that |*out_key| -// must be non-NULL with a group set. On successful exit, |*inp| is advanced by -// |len| bytes. It returns |*out_key| or NULL on error. +// o2i_ECPublicKey parses an EC point from `len` bytes at `*inp` into +// `*out_key`. Note that this differs from the d2i format in that `*out_key` +// must be non-NULL with a group set. On successful exit, `*inp` is advanced by +// `len` bytes. It returns `*out_key` or NULL on error. // -// Use |EC_POINT_oct2point| instead. +// Use `EC_POINT_oct2point` instead. OPENSSL_EXPORT EC_KEY *o2i_ECPublicKey(EC_KEY **out_key, const uint8_t **inp, long len); -// i2o_ECPublicKey marshals an EC point from |key|, as described in -// |i2d_SAMPLE|, except it returns zero on error instead of a negative value. 
+// i2o_ECPublicKey marshals an EC point from `key`, as described in +// `i2d_SAMPLE`, except it returns zero on error instead of a negative value. // -// Use |EC_POINT_point2cbb| instead. +// Use `EC_POINT_point2cbb` instead. OPENSSL_EXPORT int i2o_ECPublicKey(const EC_KEY *key, unsigned char **outp); diff --git a/third_party/boringssl/src/include/openssl/ecdh.h b/third_party/boringssl/src/include/openssl/ecdh.h index 35a99e63..a1dff7b4 100644 --- a/third_party/boringssl/src/include/openssl/ecdh.h +++ b/third_party/boringssl/src/include/openssl/ecdh.h 
@@ -28,22 +28,22 @@ extern "C" { // Elliptic curve Diffie-Hellman. -// ECDH_compute_key calculates the shared key between |pub_key| and |priv_key|. -// If |kdf| is not NULL, then it is called with the bytes of the shared key and -// the parameter |out|. When |kdf| returns, the value of |*outlen| becomes the +// ECDH_compute_key calculates the shared key between `pub_key` and `priv_key`. +// If `kdf` is not NULL, then it is called with the bytes of the shared key and +// the parameter `out`. When `kdf` returns, the value of `*outlen` becomes the // return value. Otherwise, as many bytes of the shared key as will fit are -// copied directly to, at most, |outlen| bytes at |out|. It returns the number -// of bytes written to |out|, or -1 on error. +// copied directly to, at most, `outlen` bytes at `out`. It returns the number +// of bytes written to `out`, or -1 on error. OPENSSL_EXPORT int ECDH_compute_key( void *out, size_t outlen, const EC_POINT *pub_key, const EC_KEY *priv_key, void *(*kdf)(const void *in, size_t inlen, void *out, size_t *outlen)); -// ECDH_compute_key_fips calculates the shared key between |pub_key| and -// |priv_key| and hashes it with the appropriate SHA function for |out_len|. The -// only value values for |out_len| are thus 24 (SHA-224), 32 (SHA-256), 48 +// ECDH_compute_key_fips calculates the shared key between `pub_key` and +// `priv_key` and hashes it with the appropriate SHA function for `out_len`. The +// only value values for `out_len` are thus 24 (SHA-224), 32 (SHA-256), 48 // (SHA-384), and 64 (SHA-512). It returns one on success and zero on error. // -// Note that the return value is different to |ECDH_compute_key|: it returns an +// Note that the return value is different to `ECDH_compute_key`: it returns an // error flag (as is common for BoringSSL) rather than the number of bytes // written. // 
diff --git a/third_party/boringssl/src/include/openssl/ecdsa.h b/third_party/boringssl/src/include/openssl/ecdsa.h index 3eee16fc..5eee8090 100644 --- a/third_party/boringssl/src/include/openssl/ecdsa.h +++ b/third_party/boringssl/src/include/openssl/ecdsa.h 
@@ -36,24 +36,24 @@ extern "C" { // format is variable-length. Callers must be prepared to receive signatures // that are slightly shorter than the maximum for the ECDSA curve. -// ECDSA_sign signs |digest_len| bytes from |digest| with |key| and writes the -// resulting ASN.1-based signature to |sig|, which must have |ECDSA_size(key)| -// bytes of space. On successful exit, |*sig_len| is set to the actual number of -// bytes written. The |type| argument should be zero. It returns one on success +// ECDSA_sign signs `digest_len` bytes from `digest` with `key` and writes the +// resulting ASN.1-based signature to `sig`, which must have `ECDSA_size(key)` +// bytes of space. On successful exit, `*sig_len` is set to the actual number of +// bytes written. The `type` argument should be zero. It returns one on success // and zero otherwise. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // signed. Passing unhashed inputs will not result in a secure signature scheme. OPENSSL_EXPORT int ECDSA_sign(int type, const uint8_t *digest, size_t digest_len, uint8_t *sig, unsigned int *sig_len, const EC_KEY *key); -// ECDSA_verify verifies that |sig_len| bytes from |sig| constitute a valid -// ASN.1-based signature by |key| of |digest|. (The |type| argument should be +// ECDSA_verify verifies that `sig_len` bytes from `sig` constitute a valid +// ASN.1-based signature by `key` of `digest`. (The `type` argument should be // zero.) It returns one on success or zero if the signature is invalid or an // error occurred. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // verified. Passing unhashed inputs will not result in a secure signature // scheme. OPENSSL_EXPORT int ECDSA_verify(int type, const uint8_t *digest, 
@@ -61,13 +61,13 @@ OPENSSL_EXPORT int ECDSA_verify(int type, const uint8_t *digest, size_t sig_len, const EC_KEY *key); // ECDSA_size returns the maximum size of an ASN.1-based ECDSA signature using -// |key|. It returns zero if |key| is NULL or if it doesn't have a group set. +// `key`. It returns zero if `key` is NULL or if it doesn't have a group set. OPENSSL_EXPORT size_t ECDSA_size(const EC_KEY *key); // Low-level signing and verification. // -// Low-level functions handle signatures as |ECDSA_SIG| structures which allow +// Low-level functions handle signatures as `ECDSA_SIG` structures which allow // the two values in an ECDSA signature to be handled separately. struct ecdsa_sig_st { 
@@ -75,41 +75,41 @@ struct ecdsa_sig_st { BIGNUM *s; }; -// ECDSA_SIG_new returns a fresh |ECDSA_SIG| structure or NULL on error. +// ECDSA_SIG_new returns a fresh `ECDSA_SIG` structure or NULL on error. OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_new(void); -// ECDSA_SIG_free frees |sig| its member |BIGNUM|s. +// ECDSA_SIG_free frees `sig` its member `BIGNUM`s. OPENSSL_EXPORT void ECDSA_SIG_free(ECDSA_SIG *sig); -// ECDSA_SIG_get0_r returns the r component of |sig|. +// ECDSA_SIG_get0_r returns the r component of `sig`. OPENSSL_EXPORT const BIGNUM *ECDSA_SIG_get0_r(const ECDSA_SIG *sig); -// ECDSA_SIG_get0_s returns the s component of |sig|. +// ECDSA_SIG_get0_s returns the s component of `sig`. OPENSSL_EXPORT const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig); -// ECDSA_SIG_get0 sets |*out_r| and |*out_s|, if non-NULL, to the two -// components of |sig|. +// ECDSA_SIG_get0 sets `*out_r` and `*out_s`, if non-NULL, to the two +// components of `sig`. OPENSSL_EXPORT void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **out_r, const BIGNUM **out_s); -// ECDSA_SIG_set0 sets |sig|'s components to |r| and |s|, neither of which may +// ECDSA_SIG_set0 sets `sig`'s components to `r` and `s`, neither of which may // be NULL. On success, it takes ownership of each argument and returns one. // Otherwise, it returns zero. OPENSSL_EXPORT int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -// ECDSA_do_sign signs |digest_len| bytes from |digest| with |key| and returns +// ECDSA_do_sign signs `digest_len` bytes from `digest` with `key` and returns // the resulting signature structure, or NULL on error. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // signed. Passing unhashed inputs will not result in a secure signature scheme. 
OPENSSL_EXPORT ECDSA_SIG *ECDSA_do_sign(const uint8_t *digest, size_t digest_len, const EC_KEY *key); -// ECDSA_do_verify verifies that |sig| constitutes a valid signature by |key| -// of |digest|. It returns one on success or zero if the signature is invalid +// ECDSA_do_verify verifies that `sig` constitutes a valid signature by `key` +// of `digest`. It returns one on success or zero if the signature is invalid // or on error. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // verified. Passing unhashed inputs will not result in a secure signature // scheme. OPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, 
@@ -118,28 +118,28 @@ OPENSSL_EXPORT int ECDSA_do_verify(const uint8_t *digest, size_t digest_len, // ASN.1 functions. -// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from |cbs| and -// advances |cbs|. It returns a newly-allocated |ECDSA_SIG| or NULL on error. +// ECDSA_SIG_parse parses a DER-encoded ECDSA-Sig-Value structure from `cbs` and +// advances `cbs`. It returns a newly-allocated `ECDSA_SIG` or NULL on error. OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_parse(CBS *cbs); -// ECDSA_SIG_from_bytes parses |in| as a DER-encoded ECDSA-Sig-Value structure. -// It returns a newly-allocated |ECDSA_SIG| structure or NULL on error. +// ECDSA_SIG_from_bytes parses `in` as a DER-encoded ECDSA-Sig-Value structure. +// It returns a newly-allocated `ECDSA_SIG` structure or NULL on error. OPENSSL_EXPORT ECDSA_SIG *ECDSA_SIG_from_bytes(const uint8_t *in, size_t in_len); -// ECDSA_SIG_marshal marshals |sig| as a DER-encoded ECDSA-Sig-Value and appends -// the result to |cbb|. It returns one on success and zero on error. +// ECDSA_SIG_marshal marshals `sig` as a DER-encoded ECDSA-Sig-Value and appends +// the result to `cbb`. It returns one on success and zero on error. OPENSSL_EXPORT int ECDSA_SIG_marshal(CBB *cbb, const ECDSA_SIG *sig); -// ECDSA_SIG_to_bytes marshals |sig| as a DER-encoded ECDSA-Sig-Value and, on -// success, sets |*out_bytes| to a newly allocated buffer containing the result +// ECDSA_SIG_to_bytes marshals `sig` as a DER-encoded ECDSA-Sig-Value and, on +// success, sets `*out_bytes` to a newly allocated buffer containing the result // and returns one. Otherwise, it returns zero. The result should be freed with -// |OPENSSL_free|. +// `OPENSSL_free`. 
OPENSSL_EXPORT int ECDSA_SIG_to_bytes(uint8_t **out_bytes, size_t *out_len, const ECDSA_SIG *sig); // ECDSA_SIG_max_len returns the maximum length of a DER-encoded ECDSA-Sig-Value -// structure for a group whose order is represented in |order_len| bytes, or +// structure for a group whose order is represented in `order_len` bytes, or // zero on overflow. OPENSSL_EXPORT size_t ECDSA_SIG_max_len(size_t order_len); 
@@ -153,23 +153,23 @@ OPENSSL_EXPORT size_t ECDSA_SIG_max_len(size_t order_len); // the width of the group order. This format is fixed-width, so a given ECDSA // curve's signatures will always have the same size. -// ECDSA_sign_p1363 signs |digest_len| bytes from |digest| with |key| and writes -// the resulting P1363-based signature to |sig|, which must have -// |ECDSA_size_p1363(key)| bytes of space. On successful exit, |*out_sig_len| is +// ECDSA_sign_p1363 signs `digest_len` bytes from `digest` with `key` and writes +// the resulting P1363-based signature to `sig`, which must have +// `ECDSA_size_p1363(key)` bytes of space. On successful exit, `*out_sig_len` is // set to the actual number of bytes written, which will always match -// |ECDSA_size_p1363(key)|. It returns one on success and zero otherwise. +// `ECDSA_size_p1363(key)`. It returns one on success and zero otherwise. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // signed. Passing unhashed inputs will not result in a secure signature scheme. OPENSSL_EXPORT int ECDSA_sign_p1363(const uint8_t *digest, size_t digest_len, uint8_t *sig, size_t *out_sig_len, size_t max_sig_len, const EC_KEY *key); -// ECDSA_verify_p1363 verifies that |sig_len| bytes from |sig| constitute a -// valid P1363-based signature by |key| of |digest|. It returns one on success +// ECDSA_verify_p1363 verifies that `sig_len` bytes from `sig` constitute a +// valid P1363-based signature by `key` of `digest`. It returns one on success // or zero if the signature is invalid or an error occurred. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // verified. Passing unhashed inputs will not result in a secure signature // scheme. OPENSSL_EXPORT int ECDSA_verify_p1363(const uint8_t *digest, size_t digest_len, 
@@ -177,16 +177,16 @@ OPENSSL_EXPORT int ECDSA_verify_p1363(const uint8_t *digest, size_t digest_len, const EC_KEY *key); // ECDSA_size_p1363 returns the size of a P1363-based ECDSA signature using -// |key|. It returns zero if |key| is NULL or if it doesn't have a group set. +// `key`. It returns zero if `key` is NULL or if it doesn't have a group set. OPENSSL_EXPORT size_t ECDSA_size_p1363(const EC_KEY *key); // Testing-only functions. // ECDSA_sign_with_nonce_and_leak_private_key_for_testing behaves like -// |ECDSA_do_sign| but uses |nonce| for the ECDSA nonce 'k', instead of a random -// value. |nonce| is interpreted as a big-endian integer. It must be reduced -// modulo the group order and padded with zeros up to |BN_num_bytes(order)| +// `ECDSA_do_sign` but uses `nonce` for the ECDSA nonce 'k', instead of a random +// value. `nonce` is interpreted as a big-endian integer. It must be reduced +// modulo the group order and padded with zeros up to `BN_num_bytes(order)` // bytes. // // WARNING: This function is only exported for testing purposes, when using test @@ -202,17 +202,17 @@ ECDSA_sign_with_nonce_and_leak_private_key_for_testing(const uint8_t *digest, // Deprecated functions. -// d2i_ECDSA_SIG parses aa DER-encoded ECDSA-Sig-Value structure from |len| -// bytes at |*inp|, as described in |d2i_SAMPLE|. +// d2i_ECDSA_SIG parses aa DER-encoded ECDSA-Sig-Value structure from `len` +// bytes at `*inp`, as described in `d2i_SAMPLE`. // -// Use |ECDSA_SIG_parse| instead. +// Use `ECDSA_SIG_parse` instead. OPENSSL_EXPORT ECDSA_SIG *d2i_ECDSA_SIG(ECDSA_SIG **out, const uint8_t **inp, long len); -// i2d_ECDSA_SIG marshals |sig| as a DER-encoded ECDSA-Sig-Value, as described -// in |i2d_SAMPLE|. +// i2d_ECDSA_SIG marshals `sig` as a DER-encoded ECDSA-Sig-Value, as described +// in `i2d_SAMPLE`. // -// Use |ECDSA_SIG_marshal| instead. +// Use `ECDSA_SIG_marshal` instead. OPENSSL_EXPORT int i2d_ECDSA_SIG(const ECDSA_SIG *sig, uint8_t **outp); 
diff --git a/third_party/boringssl/src/include/openssl/engine.h b/third_party/boringssl/src/include/openssl/engine.h index 6765c28b..3c2dd5ec 100644 --- a/third_party/boringssl/src/include/openssl/engine.h +++ b/third_party/boringssl/src/include/openssl/engine.h @@ -27,9 +27,9 @@ extern "C" { // be overridden via a callback. This can be used, for example, to implement an // RSA* that forwards operations to a hardware module. // -// Methods are reference counted but |ENGINE|s are not. When creating a method, +// Methods are reference counted but `ENGINE`s are not. When creating a method, // you should zero the whole structure and fill in the function pointers that -// you wish before setting it on an |ENGINE|. Any functions pointers that +// you wish before setting it on an `ENGINE`. Any functions pointers that // are NULL indicate that the default behaviour should be used. @@ -40,7 +40,7 @@ extern "C" { OPENSSL_EXPORT ENGINE *ENGINE_new(void); // ENGINE_free decrements the reference counts for all methods linked from -// |engine| and frees |engine| itself. It returns one. +// `engine` and frees `engine` itself. It returns one. OPENSSL_EXPORT int ENGINE_free(ENGINE *engine); @@ -69,11 +69,11 @@ OPENSSL_EXPORT ECDSA_METHOD *ENGINE_get_ECDSA_method(const ENGINE *engine); // These functions take a void* type but actually operate on all method // structures. -// METHOD_ref increments the reference count of |method|. This is a no-op for +// METHOD_ref increments the reference count of `method`. This is a no-op for // now because all methods are currently static. void METHOD_ref(void *method); -// METHOD_unref decrements the reference count of |method| and frees it if the +// METHOD_unref decrements the reference count of `method` and frees it if the // reference count drops to zero. This is a no-op for now because all methods // are currently static. void METHOD_unref(void *method); 
diff --git a/third_party/boringssl/src/include/openssl/err.h b/third_party/boringssl/src/include/openssl/err.h index c7923fe7..7b94af4c 100644 --- a/third_party/boringssl/src/include/openssl/err.h +++ b/third_party/boringssl/src/include/openssl/err.h @@ -48,20 +48,20 @@ extern "C" { // Reading and formatting errors. // ERR_GET_LIB returns the library code for the error. This is one of -// the |ERR_LIB_*| values. +// the `ERR_LIB_*` values. OPENSSL_INLINE int ERR_GET_LIB(uint32_t packed_error) { return (int)((packed_error >> 24) & 0xff); } // ERR_GET_REASON returns the reason code for the error. This is one of -// library-specific |LIB_R_*| values where |LIB| is the library (see -// |ERR_GET_LIB|). Note that reason codes are specific to the library. +// library-specific `LIB_R_*` values where `LIB` is the library (see +// `ERR_GET_LIB`). Note that reason codes are specific to the library. OPENSSL_INLINE int ERR_GET_REASON(uint32_t packed_error) { return (int)(packed_error & 0xfff); } -// ERR_equals returns one if |packed_error|'s library and reason code are |lib| -// and |reason|, respectively, and zero otherwise. +// ERR_equals returns one if `packed_error`'s library and reason code are `lib` +// and `reason`, respectively, and zero otherwise. OPENSSL_INLINE int ERR_equals(uint32_t packed_error, int lib, int reason) { return ERR_GET_LIB(packed_error) == lib && ERR_GET_REASON(packed_error) == reason; 
@@ -72,33 +72,33 @@ OPENSSL_INLINE int ERR_equals(uint32_t packed_error, int lib, int reason) { // it returns zero. OPENSSL_EXPORT uint32_t ERR_get_error(void); -// ERR_get_error_line acts like |ERR_get_error|, except that the file and line +// ERR_get_error_line acts like `ERR_get_error`, except that the file and line // number of the call that added the error are also returned. OPENSSL_EXPORT uint32_t ERR_get_error_line(const char **file, int *line); -// ERR_FLAG_STRING means that the |data| member is a NUL-terminated string that -// can be printed. This is always set if |data| is non-NULL. +// ERR_FLAG_STRING means that the `data` member is a NUL-terminated string that +// can be printed. This is always set if `data` is non-NULL. #define ERR_FLAG_STRING 1 -// ERR_FLAG_MALLOCED is passed into |ERR_set_error_data| to indicate that |data| -// was allocated with |OPENSSL_malloc|. +// ERR_FLAG_MALLOCED is passed into `ERR_set_error_data` to indicate that `data` +// was allocated with `OPENSSL_malloc`. // -// It is, separately, returned in |*flags| from |ERR_get_error_line_data| to -// indicate that |*data| has a non-static lifetime, but this lifetime is still -// managed by the library. The caller must not call |OPENSSL_free| or |free| on -// |data|. +// It is, separately, returned in `*flags` from `ERR_get_error_line_data` to +// indicate that `*data` has a non-static lifetime, but this lifetime is still +// managed by the library. The caller must not call `OPENSSL_free` or `free` on +// `data`. #define ERR_FLAG_MALLOCED 2 -// ERR_get_error_line_data acts like |ERR_get_error_line|, but also returns the +// ERR_get_error_line_data acts like `ERR_get_error_line`, but also returns the // error-specific data pointer and flags. The flags are a bitwise-OR of -// |ERR_FLAG_*| values. The error-specific data is owned by the error queue +// `ERR_FLAG_*` values. 
The error-specific data is owned by the error queue // and the pointer becomes invalid after the next call that affects the same -// thread's error queue. If |*flags| contains |ERR_FLAG_STRING| then |*data| is +// thread's error queue. If `*flags` contains `ERR_FLAG_STRING` then `*data` is // human-readable. OPENSSL_EXPORT uint32_t ERR_get_error_line_data(const char **file, int *line, const char **data, int *flags); -// The "peek" functions act like the |ERR_get_error| functions, above, but they +// The "peek" functions act like the `ERR_get_error` functions, above, but they // do not remove the error from the queue. OPENSSL_EXPORT uint32_t ERR_peek_error(void); OPENSSL_EXPORT uint32_t ERR_peek_error_line(const char **file, int *line); @@ -115,9 +115,9 @@ OPENSSL_EXPORT uint32_t ERR_peek_last_error_line_data(const char **file, int *flags); // ERR_error_string_n generates a human-readable string representing -// |packed_error|, places it at |buf|, and returns |buf|. It writes at most -// |len| bytes (including the terminating NUL) and truncates the string if -// necessary. If |len| is greater than zero then |buf| is always NUL terminated. +// `packed_error`, places it at `buf`, and returns `buf`. It writes at most +// `len` bytes (including the terminating NUL) and truncates the string if +// necessary. If `len` is greater than zero then `buf` is always NUL terminated. // // The string will have the following format: // 
@@ -129,31 +129,31 @@ OPENSSL_EXPORT char *ERR_error_string_n(uint32_t packed_error, char *buf, size_t len); // ERR_lib_error_string returns a string representation of the library that -// generated |packed_error|, or a placeholder string is the library is +// generated `packed_error`, or a placeholder string is the library is // unrecognized. OPENSSL_EXPORT const char *ERR_lib_error_string(uint32_t packed_error); // ERR_reason_error_string returns a string representation of the reason for -// |packed_error|, or a placeholder string if the reason is unrecognized. +// `packed_error`, or a placeholder string if the reason is unrecognized. OPENSSL_EXPORT const char *ERR_reason_error_string(uint32_t packed_error); // ERR_lib_symbol_name returns the symbol name of library that generated -// |packed_error|, or NULL if unrecognized. For example, an error from -// |ERR_LIB_EVP| would return "EVP". +// `packed_error`, or NULL if unrecognized. For example, an error from +// `ERR_LIB_EVP` would return "EVP". OPENSSL_EXPORT const char *ERR_lib_symbol_name(uint32_t packed_error); // ERR_reason_symbol_name returns the symbol name of the reason for -// |packed_error|, or NULL if unrecognized. For example, |ERR_R_INTERNAL_ERROR| +// `packed_error`, or NULL if unrecognized. For example, `ERR_R_INTERNAL_ERROR` // would return "INTERNAL_ERROR". // -// Errors from the |ERR_LIB_SYS| library are typically |errno| values and will +// Errors from the `ERR_LIB_SYS` library are typically `errno` values and will // return NULL. User-defined errors will also return NULL. OPENSSL_EXPORT const char *ERR_reason_symbol_name(uint32_t packed_error); // ERR_print_errors_callback_t is the type of a function used by -// |ERR_print_errors_cb|. It takes a pointer to a human readable string (and -// its length) that describes an entry in the error queue. The |ctx| argument -// is an opaque pointer given to |ERR_print_errors_cb|. +// `ERR_print_errors_cb`. 
It takes a pointer to a human readable string (and +// its length) that describes an entry in the error queue. The `ctx` argument +// is an opaque pointer given to `ERR_print_errors_cb`. // // It should return one on success or zero on error, which will stop the // iteration over the error queue. @@ -161,22 +161,22 @@ typedef int (*ERR_print_errors_callback_t)(const char *str, size_t len, void *ctx); // ERR_print_errors_cb clears the current thread's error queue, calling -// |callback| with a string representation of each error, from the least recent +// `callback` with a string representation of each error, from the least recent // to the most recent error. // // The string will have the following format (which differs from -// |ERR_error_string|): +// `ERR_error_string`): // // [thread id]:error:[error code]:[library name]:OPENSSL_internal:[reason string]:[file]:[line number]:[optional string data] // // The callback can return one to continue the iteration or zero to stop it. -// The |ctx| argument is an opaque value that is passed through to the +// The `ctx` argument is an opaque value that is passed through to the // callback. OPENSSL_EXPORT void ERR_print_errors_cb(ERR_print_errors_callback_t callback, void *ctx); // ERR_print_errors_fp clears the current thread's error queue, printing each -// error to |file|. See |ERR_print_errors_cb| for the format. +// error to `file`. See `ERR_print_errors_cb` for the format. OPENSSL_EXPORT void ERR_print_errors_fp(FILE *file); 
@@ -185,21 +185,21 @@ OPENSSL_EXPORT void ERR_print_errors_fp(FILE *file); // ERR_clear_error clears the error queue for the current thread. OPENSSL_EXPORT void ERR_clear_error(void); -// ERR_set_mark "marks" the most recent error for use with |ERR_pop_to_mark|. +// ERR_set_mark "marks" the most recent error for use with `ERR_pop_to_mark`. // It returns one if an error was marked and zero if there are no errors. OPENSSL_EXPORT int ERR_set_mark(void); // ERR_pop_to_mark removes errors from the most recent to the least recent // until (and not including) a "marked" error. It returns zero if no marked // error was found (and thus all errors were removed) and one otherwise. Errors -// are marked using |ERR_set_mark|. +// are marked using `ERR_set_mark`. OPENSSL_EXPORT int ERR_pop_to_mark(void); // Custom errors. // ERR_get_next_error_library returns a value suitable for passing as the -// |library| argument to |ERR_put_error|. This is intended for code that wishes +// `library` argument to `ERR_put_error`. This is intended for code that wishes // to push its own, non-standard errors to the error queue. OPENSSL_EXPORT int ERR_get_next_error_library(void); 
@@ -312,29 +312,29 @@ OPENSSL_EXPORT void ERR_load_RAND_strings(void); // ERR_free_strings does nothing. OPENSSL_EXPORT void ERR_free_strings(void); -// ERR_remove_state calls |ERR_clear_error|. +// ERR_remove_state calls `ERR_clear_error`. OPENSSL_EXPORT void ERR_remove_state(unsigned long pid); // ERR_remove_thread_state clears the error queue for the current thread if -// |tid| is NULL. Otherwise it calls |assert(0)|, because it's no longer +// `tid` is NULL. Otherwise it calls `assert(0)`, because it's no longer // possible to delete the error queue for other threads. // -// Use |ERR_clear_error| instead. Note error queues are deleted automatically on +// Use `ERR_clear_error` instead. Note error queues are deleted automatically on // thread exit. You do not need to call this function to release memory. OPENSSL_EXPORT void ERR_remove_thread_state(const CRYPTO_THREADID *tid); // ERR_func_error_string returns the string "OPENSSL_internal". OPENSSL_EXPORT const char *ERR_func_error_string(uint32_t packed_error); -// ERR_error_string behaves like |ERR_error_string_n| but |len| is implicitly -// |ERR_ERROR_STRING_BUF_LEN|. +// ERR_error_string behaves like `ERR_error_string_n` but `len` is implicitly +// `ERR_ERROR_STRING_BUF_LEN`. // -// Additionally, if |buf| is NULL, the error string is placed in a static buffer +// Additionally, if `buf` is NULL, the error string is placed in a static buffer // which is returned. This is not thread-safe and only exists for backwards // compatibility with legacy callers. The static buffer will be overridden by // calls in other threads. // -// Use |ERR_error_string_n| instead. +// Use `ERR_error_string_n` instead. // // TODO(fork): remove this function. OPENSSL_EXPORT char *ERR_error_string(uint32_t packed_error, char *buf); 
@@ -373,7 +373,7 @@ OPENSSL_EXPORT void ERR_clear_system_error(void); OPENSSL_EXPORT void ERR_put_error(int library, int unused, int reason, const char *file, unsigned line); -// ERR_add_error_data takes a variable number (|count|) of const char* +// ERR_add_error_data takes a variable number (`count`) of const char* // pointers, concatenates them and sets the result as the data on the most // recent error. OPENSSL_EXPORT void ERR_add_error_data(unsigned count, ...); @@ -383,13 +383,13 @@ OPENSSL_EXPORT void ERR_add_error_data(unsigned count, ...); OPENSSL_EXPORT void ERR_add_error_dataf(const char *format, ...) OPENSSL_PRINTF_FORMAT_FUNC(1, 2); -// ERR_set_error_data sets the data on the most recent error to |data|, which -// must be a NUL-terminated string. |flags| must contain |ERR_FLAG_STRING|. If -// |flags| contains |ERR_FLAG_MALLOCED|, this function takes ownership of -// |data|, which must have been allocated with |OPENSSL_malloc|. Otherwise, it -// saves a copy of |data|. +// ERR_set_error_data sets the data on the most recent error to `data`, which +// must be a NUL-terminated string. `flags` must contain `ERR_FLAG_STRING`. If +// `flags` contains `ERR_FLAG_MALLOCED`, this function takes ownership of +// `data`, which must have been allocated with `OPENSSL_malloc`. Otherwise, it +// saves a copy of `data`. // -// Note this differs from OpenSSL which, when |ERR_FLAG_MALLOCED| is unset, +// Note this differs from OpenSSL which, when `ERR_FLAG_MALLOCED` is unset, // saves the pointer as-is and requires it remain valid for the lifetime of the // address space. OPENSSL_EXPORT void ERR_set_error_data(char *data, int flags); 
@@ -404,7 +404,7 @@ OPENSSL_EXPORT void ERR_set_error_data(char *data, int flags); // OPENSSL_DECLARE_ERROR_REASON is used by util/make_errors.h (which generates // the error defines) to recognise that an additional reason value is needed. // This is needed when the reason value is used outside of an -// |OPENSSL_PUT_ERROR| macro. The resulting define will be +// `OPENSSL_PUT_ERROR` macro. The resulting define will be // ${lib}_R_${reason}. #define OPENSSL_DECLARE_ERROR_REASON(lib, reason) diff --git a/third_party/boringssl/src/include/openssl/evp.h b/third_party/boringssl/src/include/openssl/evp.h index bb168db4..45fef4a8 100644 --- a/third_party/boringssl/src/include/openssl/evp.h +++ b/third_party/boringssl/src/include/openssl/evp.h 
@@ -37,80 +37,80 @@ extern "C" { // Public/private key objects. // -// An |EVP_PKEY| object represents a public or private key. A given object may +// An `EVP_PKEY` object represents a public or private key. A given object may // be used concurrently on multiple threads by non-mutating functions, provided // no other thread is concurrently calling a mutating function. Unless otherwise -// documented, functions which take a |const| pointer are non-mutating and -// functions which take a non-|const| pointer are mutating. +// documented, functions which take a `const` pointer are non-mutating and +// functions which take a non-`const` pointer are mutating. // EVP_PKEY_new creates a new, empty public-key object and returns it or NULL // on allocation failure. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new(void); -// EVP_PKEY_free decrements the reference count of |pkey| and frees it if the +// EVP_PKEY_free decrements the reference count of `pkey` and frees it if the // reference count drops to zero. OPENSSL_EXPORT void EVP_PKEY_free(EVP_PKEY *pkey); -// EVP_PKEY_up_ref increments the reference count of |pkey| and returns one. It -// does not mutate |pkey| for thread-safety purposes and may be used +// EVP_PKEY_up_ref increments the reference count of `pkey` and returns one. It +// does not mutate `pkey` for thread-safety purposes and may be used // concurrently. OPENSSL_EXPORT int EVP_PKEY_up_ref(EVP_PKEY *pkey); -// EVP_PKEY_dup_ref increments the reference count of |pkey| and returns |pkey|. -// The caller must call |EVP_PKEY_free| on the result to release the reference. +// EVP_PKEY_dup_ref increments the reference count of `pkey` and returns `pkey`. +// The caller must call `EVP_PKEY_free` on the result to release the reference. // -// WARNING: Although the result is non-const for use with |EVP_PKEY_free|, it is +// WARNING: Although the result is non-const for use with `EVP_PKEY_free`, it is // still shared with other parts of the application that share the same object. 
-// Avoid mutating shared |EVP_PKEY|s. +// Avoid mutating shared `EVP_PKEY`s. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_dup_ref(const EVP_PKEY *pkey); -// EVP_PKEY_is_opaque returns one if |pkey| is opaque. Opaque keys are backed by +// EVP_PKEY_is_opaque returns one if `pkey` is opaque. Opaque keys are backed by // custom implementations which do not expose key material and parameters. It is // an error to attempt to duplicate, export, or compare an opaque key. OPENSSL_EXPORT int EVP_PKEY_is_opaque(const EVP_PKEY *pkey); -// EVP_PKEY_eq compares |a| and |b| and returns one if their public keys are +// EVP_PKEY_eq compares `a` and `b` and returns one if their public keys are // equal and zero otherwise. OPENSSL_EXPORT int EVP_PKEY_eq(const EVP_PKEY *a, const EVP_PKEY *b); -// EVP_PKEY_copy_parameters sets the parameters of |to| to equal the parameters -// of |from|. It returns one on success and zero on error. +// EVP_PKEY_copy_parameters sets the parameters of `to` to equal the parameters +// of `from`. It returns one on success and zero on error. OPENSSL_EXPORT int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from); -// EVP_PKEY_missing_parameters returns one if |pkey| is missing needed +// EVP_PKEY_missing_parameters returns one if `pkey` is missing needed // parameters or zero if not, or if the algorithm doesn't take parameters. OPENSSL_EXPORT int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey); -// EVP_PKEY_parameters_eq compares the parameters of |a| and |b|. It returns one +// EVP_PKEY_parameters_eq compares the parameters of `a` and `b`. It returns one // if they match and zero otherwise. In algorithms that do not use parameters, // this function returns one; null parameters are vacuously equal. OPENSSL_EXPORT int EVP_PKEY_parameters_eq(const EVP_PKEY *a, const EVP_PKEY *b); // EVP_PKEY_size returns the maximum size, in bytes, of a signature signed by -// |pkey|. For an RSA key, this returns the number of bytes needed to represent +// `pkey`. 
For an RSA key, this returns the number of bytes needed to represent // the modulus. For an EC key, this returns the maximum size of a DER-encoded // ECDSA signature. OPENSSL_EXPORT int EVP_PKEY_size(const EVP_PKEY *pkey); -// EVP_PKEY_bits returns the "size", in bits, of |pkey|. For an RSA key, this +// EVP_PKEY_bits returns the "size", in bits, of `pkey`. For an RSA key, this // returns the bit length of the modulus. For an EC key, this returns the bit // length of the group order. OPENSSL_EXPORT int EVP_PKEY_bits(const EVP_PKEY *pkey); -// EVP_PKEY_has_public returns one if |pkey| has a public key, or zero +// EVP_PKEY_has_public returns one if `pkey` has a public key, or zero // otherwise. OPENSSL_EXPORT int EVP_PKEY_has_public(const EVP_PKEY *pkey); -// EVP_PKEY_has_private returns one if |pkey| has a private key, or zero +// EVP_PKEY_has_private returns one if `pkey` has a private key, or zero // otherwise. OPENSSL_EXPORT int EVP_PKEY_has_private(const EVP_PKEY *pkey); -// EVP_PKEY_copy_public returns a newly-allocated |EVP_PKEY| that contains only -// the public key of |pkey|, or NULL on error. Parameters, if relevant for the +// EVP_PKEY_copy_public returns a newly-allocated `EVP_PKEY` that contains only +// the public key of `pkey`, or NULL on error. Parameters, if relevant for the // key type, are also copied. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_copy_public(const EVP_PKEY *pkey); -// The following constants are returned by |EVP_PKEY_id| and specify the type of +// The following constants are returned by `EVP_PKEY_id` and specify the type of // key. #define EVP_PKEY_NONE NID_undef #define EVP_PKEY_RSA NID_rsaEncryption 
@@ -128,81 +128,80 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_copy_public(const EVP_PKEY *pkey); #define EVP_PKEY_ML_KEM_1024 NID_ML_KEM_1024 #define EVP_PKEY_XWING NID_X_Wing -// EVP_PKEY_id returns the type of |pkey|, which is one of the |EVP_PKEY_*| +// EVP_PKEY_id returns the type of `pkey`, which is one of the `EVP_PKEY_*` // values above. These type values generally correspond to the algorithm OID, // but not the parameters, of a SubjectPublicKeyInfo (RFC 5280) or // PrivateKeyInfo (RFC 5208) AlgorithmIdentifier. Algorithm parameters can be // inspected with algorithm-specific accessors, e.g. -// |EVP_PKEY_get_ec_curve_nid|. +// `EVP_PKEY_get_ec_curve_nid`. OPENSSL_EXPORT int EVP_PKEY_id(const EVP_PKEY *pkey); // Algorithms. // -// An |EVP_PKEY| may carry a key from one of several algorithms, represented by -// |EVP_PKEY_ALG|. |EVP_PKEY_ALG|s are used by functions that construct -// |EVP_PKEY|s, such as parsing, so that callers can specify the algorithm(s) to +// An `EVP_PKEY` may carry a key from one of several algorithms, represented by +// `EVP_PKEY_ALG`. `EVP_PKEY_ALG`s are used by functions that construct +// `EVP_PKEY`s, such as parsing, so that callers can specify the algorithm(s) to // use. // -// Each |EVP_PKEY_ALG| generally corresponds to the AlgorithmIdentifier of a +// Each `EVP_PKEY_ALG` generally corresponds to the AlgorithmIdentifier of a // SubjectPublicKeyInfo (RFC 5280) or PrivateKeyInfo (RFC 5208), but some may // support multiple sets of AlgorithmIdentifier parameters, while others may be // specific to one parameter. // EVP_pkey_rsa implements RSA keys (RFC 8017), encoded as rsaEncryption (RFC // 3279, Section 2.3.1). The rsaEncryption encoding is confusingly named: these -// keys are used for all RSA operations, including signing. The |EVP_PKEY_id| -// value is |EVP_PKEY_RSA|. +// keys are used for all RSA operations, including signing. The `EVP_PKEY_id` +// value is `EVP_PKEY_RSA`. 
// -// WARNING: This |EVP_PKEY_ALG| accepts all RSA key sizes supported by +// WARNING: This `EVP_PKEY_ALG` accepts all RSA key sizes supported by // BoringSSL. When parsing RSA keys, callers should check the size is within -// their desired bounds with |EVP_PKEY_bits|. RSA public key operations scale +// their desired bounds with `EVP_PKEY_bits`. RSA public key operations scale // quadratically and RSA private key operations scale cubicly, so key sizes may // be a DoS vector. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_rsa(void); // EVP_pkey_ec_* implement EC keys, encoded as id-ecPublicKey (RFC 5480, // Section 2.1.1). The id-ecPublicKey encoding is confusingly named: it is also -// used for private keys (RFC 5915). The |EVP_PKEY_id| value is |EVP_PKEY_EC|. +// used for private keys (RFC 5915). The `EVP_PKEY_id` value is `EVP_PKEY_EC`. // // Each function only supports the specified curve, but curves are not reflected -// in |EVP_PKEY_id|. The curve can be inspected with -// |EVP_PKEY_get_ec_curve_nid|. +// in `EVP_PKEY_id`. The curve can be inspected with +// `EVP_PKEY_get_ec_curve_nid`. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ec_p224(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ec_p256(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ec_p384(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ec_p521(void); // EVP_pkey_x25519 implements X25519 keys (RFC 7748), encoded as in RFC 8410. -// The |EVP_PKEY_id| value is |EVP_PKEY_X25519|. +// The `EVP_PKEY_id` value is `EVP_PKEY_X25519`. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_x25519(void); // EVP_pkey_ed25519 implements Ed25519 keys (RFC 8032), encoded as in RFC 8410. -// The |EVP_PKEY_id| value is |EVP_PKEY_ED25519|. +// The `EVP_PKEY_id` value is `EVP_PKEY_ED25519`. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ed25519(void); -// EVP_pkey_ml_dsa_* implement ML-DSA keys, encoded as in -// draft-ietf-lamps-dilithium-certificates. The |EVP_PKEY_id| values are -// |EVP_PKEY_ML_DSA_*|. 
In the private key representation, only the "seed" form -// is serialized or parsed. +// EVP_pkey_ml_dsa_* implement ML-DSA keys, encoded as in RFC 9881. The +// `EVP_PKEY_id` values are `EVP_PKEY_ML_DSA_*`. In the private key +// representation, only the "seed" form is serialized or parsed. // // To configure OpenSSL to output the standard "seed" form, configure the // "ml-dsa.output_formats" provider parameter so that "seed-only" is first. This // can be done programmatically with OpenSSL's -// |OSSL_PROVIDER_add_conf_parameter| function, or by passing "-provparam" to +// `OSSL_PROVIDER_add_conf_parameter` function, or by passing "-provparam" to // the command-line tool. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ml_dsa_44(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ml_dsa_65(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ml_dsa_87(void); // EVP_pkey_ml_kem_* implement ML-KEM keys, encoded as in RFC 9935. The -// |EVP_PKEY_id| values are |EVP_PKEY_ML_KEM_*|. In the private key +// `EVP_PKEY_id` values are `EVP_PKEY_ML_KEM_*`. In the private key // representation, only the "seed" form is serialized or parsed. // // To configure OpenSSL to output the standard "seed" form, configure the // "ml-kem.output_formats" provider parameter so that "seed-only" is first. This // can be done programmatically with OpenSSL's -// |OSSL_PROVIDER_add_conf_parameter| function, or by passing "-provparam" to +// `OSSL_PROVIDER_add_conf_parameter` function, or by passing "-provparam" to // the command-line tool. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ml_kem_768(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ml_kem_1024(void); 
@@ -214,22 +213,22 @@ OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_ml_kem_1024(void); OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_xwing(void); // EVP_pkey_dsa implements DSA keys, encoded as in RFC 3279, Section 2.3.2. The -// |EVP_PKEY_id| value is |EVP_PKEY_DSA|. This |EVP_PKEY_ALG| accepts all DSA +// `EVP_PKEY_id` value is `EVP_PKEY_DSA`. This `EVP_PKEY_ALG` accepts all DSA // parameters supported by BoringSSL. // // Keys of this type are not usable with any operations, though the underlying -// |DSA| object can be extracted with |EVP_PKEY_get0_DSA|. This key type is +// `DSA` object can be extracted with `EVP_PKEY_get0_DSA`. This key type is // deprecated and only implemented for compatibility with legacy applications. // -// TODO(crbug.com/42290364): We didn't wire up |EVP_PKEY_sign| and -// |EVP_PKEY_verify| just so it was auditable which callers used DSA. Once DSA +// TODO(crbug.com/42290364): We didn't wire up `EVP_PKEY_sign` and +// `EVP_PKEY_verify` just so it was auditable which callers used DSA. Once DSA // is removed from the default SPKI and PKCS#8 parser and DSA users explicitly -// request |EVP_pkey_dsa|, we could change that. +// request `EVP_pkey_dsa`, we could change that. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_dsa(void); // EVP_pkey_rsa_pss_* implements RSASSA-PSS keys, encoded as id-RSASSA-PSS -// (RFC 4055, Section 3.1). The |EVP_PKEY_id| value is |EVP_PKEY_RSA_PSS|. Each -// |EVP_PKEY_ALG| only accepts keys whose parameters specify: +// (RFC 4055, Section 3.1). The `EVP_PKEY_id` value is `EVP_PKEY_RSA_PSS`. Each +// `EVP_PKEY_ALG` only accepts keys whose parameters specify: // // - A hashAlgorithm of the specified hash // - A maskGenAlgorithm of MGF1 with the specified hash 
@@ -248,18 +247,18 @@ OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_dsa(void); // parameters chosen. // // Note the id-RSASSA-PSS key type is distinct from the RSASSA-PSS signature -// algorithm. The widely implemented id-rsaEncryption key type (|EVP_pkey_rsa| -// and |EVP_PKEY_RSA|) also supports RSASSA-PSS signatures. +// algorithm. The widely implemented id-rsaEncryption key type (`EVP_pkey_rsa` +// and `EVP_PKEY_RSA`) also supports RSASSA-PSS signatures. // -// WARNING: Any |EVP_PKEY|s produced by this algorithm will return a non-NULL -// |RSA| object through |EVP_PKEY_get1_RSA| and |EVP_PKEY_get0_RSA|. This is +// WARNING: Any `EVP_PKEY`s produced by this algorithm will return a non-NULL +// `RSA` object through `EVP_PKEY_get1_RSA` and `EVP_PKEY_get0_RSA`. This is // dangerous as existing code may assume a non-NULL return implies the more // common id-rsaEncryption key. Additionally, the operations on the underlying -// |RSA| object will not capture the RSA-PSS constraints, so callers risk +// `RSA` object will not capture the RSA-PSS constraints, so callers risk // misusing the key by calling these functions. Callers using this algorithm -// must use |EVP_PKEY_id| to distinguish |EVP_PKEY_RSA| and |EVP_PKEY_RSA_PSS|. +// must use `EVP_PKEY_id` to distinguish `EVP_PKEY_RSA` and `EVP_PKEY_RSA_PSS`. // -// WARNING: BoringSSL does not currently implement |RSA_get0_pss_params| with +// WARNING: BoringSSL does not currently implement `RSA_get0_pss_params` with // these keys. Callers that require this functionality should contact the // BoringSSL team. OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_rsa_pss_sha256(void); 
@@ -270,29 +269,29 @@ OPENSSL_EXPORT const EVP_PKEY_ALG *EVP_pkey_rsa_pss_sha512(void); // Getting and setting concrete key types. // // The following functions get and set the underlying key representation in an -// |EVP_PKEY| object. The |set1| functions take an additional reference to the -// underlying key and return one on success or zero if |key| is NULL. The -// |assign| functions adopt the caller's reference and return one on success or -// zero if |key| is NULL. The |get1| functions return a fresh reference to the -// underlying object or NULL if |pkey| is not of the correct type. The |get0| +// `EVP_PKEY` object. The `set1` functions take an additional reference to the +// underlying key and return one on success or zero if `key` is NULL. The +// `assign` functions adopt the caller's reference and return one on success or +// zero if `key` is NULL. The `get1` functions return a fresh reference to the +// underlying object or NULL if `pkey` is not of the correct type. The `get0` // functions behave the same but return a non-owning pointer. // -// The |get0| and |get1| functions take |const| pointers and are thus +// The `get0` and `get1` functions take `const` pointers and are thus // non-mutating for thread-safety purposes, but mutating functions on the -// returned lower-level objects are considered to also mutate the |EVP_PKEY| and -// may not be called concurrently with other operations on the |EVP_PKEY|. +// returned lower-level objects are considered to also mutate the `EVP_PKEY` and +// may not be called concurrently with other operations on the `EVP_PKEY`. // // WARNING: Matching OpenSSL, the RSA functions behave non-uniformly. -// |EVP_PKEY_set1_RSA| and |EVP_PKEY_assign_RSA| construct an |EVP_PKEY_RSA| -// key, while the |EVP_PKEY_get0_RSA| and |EVP_PKEY_get1_RSA| will return -// non-NULL for both |EVP_PKEY_RSA| and |EVP_PKEY_RSA_PSS|. 
+// `EVP_PKEY_set1_RSA` and `EVP_PKEY_assign_RSA` construct an `EVP_PKEY_RSA` +// key, while the `EVP_PKEY_get0_RSA` and `EVP_PKEY_get1_RSA` will return +// non-NULL for both `EVP_PKEY_RSA` and `EVP_PKEY_RSA_PSS`. // // This means callers risk misusing a key if they assume a non-NULL return from -// |EVP_PKEY_get0_RSA| or |EVP_PKEY_get1_RSA| implies |EVP_PKEY_RSA|. Prefer -// |EVP_PKEY_id| to check the type of a key. To reduce this risk, BoringSSL does -// not make |EVP_PKEY_RSA_PSS| available by default, only when callers opt in -// via |EVP_pkey_rsa_pss_sha256|. This differs from upstream OpenSSL, where -// callers are exposed to |EVP_PKEY_RSA_PSS| by default. +// `EVP_PKEY_get0_RSA` or `EVP_PKEY_get1_RSA` implies `EVP_PKEY_RSA`. Prefer +// `EVP_PKEY_id` to check the type of a key. To reduce this risk, BoringSSL does +// not make `EVP_PKEY_RSA_PSS` available by default, only when callers opt in +// via `EVP_pkey_rsa_pss_sha256`. This differs from upstream OpenSSL, where +// callers are exposed to `EVP_PKEY_RSA_PSS` by default. OPENSSL_EXPORT int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key); OPENSSL_EXPORT int EVP_PKEY_assign_RSA(EVP_PKEY *pkey, RSA *key); 
@@ -318,21 +317,21 @@ OPENSSL_EXPORT DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey); // ASN.1 functions // EVP_PKEY_from_subject_public_key_info decodes a DER-encoded -// SubjectPublicKeyInfo structure (RFC 5280) from |in|. It returns a -// newly-allocated |EVP_PKEY| or NULL on error. Only the |num_algs| algorithms -// in |algs| will be considered when parsing. +// SubjectPublicKeyInfo structure (RFC 5280) from `in`. It returns a +// newly-allocated `EVP_PKEY` or NULL on error. Only the `num_algs` algorithms +// in `algs` will be considered when parsing. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_subject_public_key_info( const uint8_t *in, size_t len, const EVP_PKEY_ALG *const *algs, size_t num_algs); // EVP_parse_public_key decodes a DER-encoded SubjectPublicKeyInfo structure -// (RFC 5280) from |cbs| and advances |cbs|. It returns a newly-allocated -// |EVP_PKEY| or NULL on error. +// (RFC 5280) from `cbs` and advances `cbs`. It returns a newly-allocated +// `EVP_PKEY` or NULL on error. // -// Prefer |EVP_PKEY_from_subject_public_key_info| instead. This function has +// Prefer `EVP_PKEY_from_subject_public_key_info` instead. This function has // several pitfalls: // -// Callers are expected to handle trailing data returned from |cbs|, making more +// Callers are expected to handle trailing data returned from `cbs`, making more // common cases error-prone. // // There is also no way to pass in supported algorithms. This function instead 
@@ -346,14 +345,14 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_subject_public_key_info( // size or EC curve. OPENSSL_EXPORT EVP_PKEY *EVP_parse_public_key(CBS *cbs); -// EVP_marshal_public_key marshals |key| as a DER-encoded SubjectPublicKeyInfo -// structure (RFC 5280) and appends the result to |cbb|. It returns one on +// EVP_marshal_public_key marshals `key` as a DER-encoded SubjectPublicKeyInfo +// structure (RFC 5280) and appends the result to `cbb`. It returns one on // success and zero on error. OPENSSL_EXPORT int EVP_marshal_public_key(CBB *cbb, const EVP_PKEY *key); // EVP_PKEY_from_private_key_info decodes a DER-encoded PrivateKeyInfo structure -// (RFC 5208) from |in|. It returns a newly-allocated |EVP_PKEY| or NULL on -// error. Only the |num_algs| algorithms in |algs| will be considered when +// (RFC 5208) from `in`. It returns a newly-allocated `EVP_PKEY` or NULL on +// error. Only the `num_algs` algorithms in `algs` will be considered when // parsing. // // A PrivateKeyInfo ends with an optional set of attributes. These are silently @@ -363,13 +362,13 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_private_key_info( size_t num_algs); // EVP_parse_private_key decodes a DER-encoded PrivateKeyInfo structure (RFC -// 5208) from |cbs| and advances |cbs|. It returns a newly-allocated |EVP_PKEY| +// 5208) from `cbs` and advances `cbs`. It returns a newly-allocated `EVP_PKEY` // or NULL on error. // -// Prefer |EVP_PKEY_from_private_key_info| instead. This function has +// Prefer `EVP_PKEY_from_private_key_info` instead. This function has // several pitfalls: // -// Callers are expected to handle trailing data returned from |cbs|, making more +// Callers are expected to handle trailing data returned from `cbs`, making more // common cases error-prone. // // There is also no way to pass in supported algorithms. This function instead 
@@ -382,14 +381,14 @@ OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_private_key_info( // it is suitable and validate other desired key properties such as RSA modulus // size or EC curve. In particular, RSA private key operations scale cubicly, so // applications accepting RSA private keys from external sources may need to -// bound key sizes (use |EVP_PKEY_bits| or |RSA_bits|) to avoid a DoS vector. +// bound key sizes (use `EVP_PKEY_bits` or `RSA_bits`) to avoid a DoS vector. // // A PrivateKeyInfo ends with an optional set of attributes. These are silently // ignored. OPENSSL_EXPORT EVP_PKEY *EVP_parse_private_key(CBS *cbs); -// EVP_marshal_private_key marshals |key| as a DER-encoded PrivateKeyInfo -// structure (RFC 5208) and appends the result to |cbb|. It returns one on +// EVP_marshal_private_key marshals `key` as a DER-encoded PrivateKeyInfo +// structure (RFC 5208) and appends the result to `cbb`. It returns one on // success and zero on error. OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key); 
@@ -402,14 +401,14 @@ OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key); // - X25519, using the formats in RFC 7748. // // - Ed25519, using the formats in RFC 8032. Note the RFC 8032 private key -// format is the 32-byte prefix of |ED25519_sign|'s 64-byte private key. +// format is the 32-byte prefix of `ED25519_sign`'s 64-byte private key. // // - ML-DSA, using the formats in FIPS 204. The private key representation // supported by BoringSSL is the 32-byte "seed", defined in FIPS 204 as 𝜉, not // the larger expanded form. For OpenSSL compatibility, it is not used with -// the |EVP_PKEY_from_raw_private_key| and |EVP_PKEY_get_raw_private_key| -// APIs, but instead the |EVP_PKEY_from_private_seed| and -// |EVP_PKEY_get_private_seed| APIs. +// the `EVP_PKEY_from_raw_private_key` and `EVP_PKEY_get_raw_private_key` +// APIs, but instead the `EVP_PKEY_from_private_seed` and +// `EVP_PKEY_get_private_seed` APIs. // // - ML-KEM, using the formats in FIPS 203. The private key representation // supported by BoringSSL is the 64-byte "seed" resulting from the 
@@ -418,50 +417,50 @@ OPENSSL_EXPORT int EVP_marshal_private_key(CBB *cbb, const EVP_PKEY *key); // These formats are suitable if serializing a key in a context where the // algorithm is already known and there is no need to encode it. -// EVP_PKEY_from_raw_private_key interprets |in| as a raw private key of type -// |alg| and returns a newly-allocated |EVP_PKEY|, or nullptr on error. +// EVP_PKEY_from_raw_private_key interprets `in` as a raw private key of type +// `alg` and returns a newly-allocated `EVP_PKEY`, or nullptr on error. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_raw_private_key(const EVP_PKEY_ALG *alg, const uint8_t *in, size_t len); -// EVP_PKEY_from_private_seed interprets |in| as a private seed of type |alg| -// and returns a newly-allocated |EVP_PKEY|, or nullptr on error. +// EVP_PKEY_from_private_seed interprets `in` as a private seed of type `alg` +// and returns a newly-allocated `EVP_PKEY`, or nullptr on error. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_private_seed(const EVP_PKEY_ALG *alg, const uint8_t *in, size_t len); -// EVP_PKEY_from_raw_public_key interprets |in| as a raw public key of type -// |alg| and returns a newly-allocated |EVP_PKEY|, or nullptr on error. +// EVP_PKEY_from_raw_public_key interprets `in` as a raw public key of type +// `alg` and returns a newly-allocated `EVP_PKEY`, or nullptr on error. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_from_raw_public_key(const EVP_PKEY_ALG *alg, const uint8_t *in, size_t len); -// EVP_PKEY_get_raw_private_key outputs the private key for |pkey| in raw form. -// If |out| is NULL, it sets |*out_len| to the size of the raw private key. -// Otherwise, it writes at most |*out_len| bytes to |out| and sets |*out_len| to +// EVP_PKEY_get_raw_private_key outputs the private key for `pkey` in raw form. +// If `out` is NULL, it sets `*out_len` to the size of the raw private key. +// Otherwise, it writes at most `*out_len` bytes to `out` and sets `*out_len` to // the number of bytes written. 
// -// It returns one on success and zero if |pkey| has no private key, the key +// It returns one on success and zero if `pkey` has no private key, the key // type does not support this format, or the buffer is too small. OPENSSL_EXPORT int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); -// EVP_PKEY_get_private_seed outputs the private key for |pkey| as a private -// seed. If |out| is NULL, it sets |*out_len| to the size of the seed. -// Otherwise, it writes at most |*out_len| bytes to |out| and sets -// |*out_len| to the number of bytes written. +// EVP_PKEY_get_private_seed outputs the private key for `pkey` as a private +// seed. If `out` is NULL, it sets `*out_len` to the size of the seed. +// Otherwise, it writes at most `*out_len` bytes to `out` and sets +// `*out_len` to the number of bytes written. // -// It returns one on success and zero if |pkey| has no private key, the key +// It returns one on success and zero if `pkey` has no private key, the key // type does not support this format, or the buffer is too small. OPENSSL_EXPORT int EVP_PKEY_get_private_seed(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); -// EVP_PKEY_get_raw_public_key outputs the public key for |pkey| in raw form. -// If |out| is NULL, it sets |*out_len| to the size of the raw public key. -// Otherwise, it writes at most |*out_len| bytes to |out| and sets |*out_len| to +// EVP_PKEY_get_raw_public_key outputs the public key for `pkey` in raw form. +// If `out` is NULL, it sets `*out_len` to the size of the raw public key. +// Otherwise, it writes at most `*out_len` bytes to `out` and sets `*out_len` to // the number of bytes written. // -// It returns one on success and zero if |pkey| has no public key, the key +// It returns one on success and zero if `pkey` has no public key, the key // type does not support this format, or the buffer is too small. 
OPENSSL_EXPORT int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, uint8_t *out, size_t *out_len); 
@@ -469,64 +468,64 @@ OPENSSL_EXPORT int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, // Key generation -// EVP_PKEY_generate_from_alg generates a new key of type |alg|. It returns a -// newly-allocated |EVP_PKEY| or nullptr on error. +// EVP_PKEY_generate_from_alg generates a new key of type `alg`. It returns a +// newly-allocated `EVP_PKEY` or nullptr on error. // -// When passed |EVP_pkey_rsa|, this function generates an RSA-2048 key with the -// recommended public exponent of 65537, or |RSA_F4|. Use |EVP_RSA_gen| or -// |EVP_PKEY_keygen| instead to customize these parameters. +// When passed `EVP_pkey_rsa`, this function generates an RSA-2048 key with the +// recommended public exponent of 65537, or `RSA_F4`. Use `EVP_RSA_gen` or +// `EVP_PKEY_keygen` instead to customize these parameters. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_generate_from_alg(const EVP_PKEY_ALG *alg); // Signing -// EVP_DigestSignInit sets up |ctx| for a signing operation with |type| and -// |pkey|. The |ctx| argument must have been initialised with -// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing -// operation will be written to |*pctx|; this can be used to set alternative +// EVP_DigestSignInit sets up `ctx` for a signing operation with `type` and +// `pkey`. The `ctx` argument must have been initialised with +// `EVP_MD_CTX_init`. If `pctx` is not NULL, the `EVP_PKEY_CTX` of the signing +// operation will be written to `*pctx`; this can be used to set alternative // signing options. // // For single-shot signing algorithms which do not use a pre-hash, such as -// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is -// present so the API is uniform. See |EVP_DigestSign|. +// Ed25519, `type` should be NULL. The `EVP_MD_CTX` itself is unused but is +// present so the API is uniform. See `EVP_DigestSign`. 
// -// This function does not mutate |pkey| for thread-safety purposes and may be -// used concurrently with other non-mutating functions on |pkey|. +// This function does not mutate `pkey` for thread-safety purposes and may be +// used concurrently with other non-mutating functions on `pkey`. // // It returns one on success, or zero on error. OPENSSL_EXPORT int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); -// EVP_DigestSignUpdate appends |len| bytes from |data| to the data which will -// be signed in |EVP_DigestSignFinal|. It returns one. +// EVP_DigestSignUpdate appends `len` bytes from `data` to the data which will +// be signed in `EVP_DigestSignFinal`. It returns one. // // This function performs a streaming signing operation and will fail for -// signature algorithms which do not support this. Use |EVP_DigestSign| for a +// signature algorithms which do not support this. Use `EVP_DigestSign` for a // single-shot operation. OPENSSL_EXPORT int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); // EVP_DigestSignFinal signs the data that has been included by one or more -// calls to |EVP_DigestSignUpdate|. If |out_sig| is NULL then |*out_sig_len| is +// calls to `EVP_DigestSignUpdate`. If `out_sig` is NULL then `*out_sig_len` is // set to the maximum number of output bytes. Otherwise, on entry, -// |*out_sig_len| must contain the length of the |out_sig| buffer. If the call -// is successful, the signature is written to |out_sig| and |*out_sig_len| is +// `*out_sig_len` must contain the length of the `out_sig` buffer. If the call +// is successful, the signature is written to `out_sig` and `*out_sig_len` is // set to its length. // // This function performs a streaming signing operation and will fail for -// signature algorithms which do not support this. Use |EVP_DigestSign| for a +// signature algorithms which do not support this. Use `EVP_DigestSign` for a // single-shot operation. 
// // It returns one on success, or zero on error. OPENSSL_EXPORT int EVP_DigestSignFinal(EVP_MD_CTX *ctx, uint8_t *out_sig, size_t *out_sig_len); -// EVP_DigestSign signs |data_len| bytes from |data| using |ctx|. If |out_sig| -// is NULL then |*out_sig_len| is set to the maximum number of output -// bytes. Otherwise, on entry, |*out_sig_len| must contain the length of the -// |out_sig| buffer. If the call is successful, the signature is written to -// |out_sig| and |*out_sig_len| is set to its length. +// EVP_DigestSign signs `data_len` bytes from `data` using `ctx`. If `out_sig` +// is NULL then `*out_sig_len` is set to the maximum number of output +// bytes. Otherwise, on entry, `*out_sig_len` must contain the length of the +// `out_sig` buffer. If the call is successful, the signature is written to +// `out_sig` and `*out_sig_len` is set to its length. // // It returns one on success and zero on error. OPENSSL_EXPORT int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, 
@@ -536,45 +535,45 @@ OPENSSL_EXPORT int EVP_DigestSign(EVP_MD_CTX *ctx, uint8_t *out_sig, // Verifying -// EVP_DigestVerifyInit sets up |ctx| for a signature verification operation -// with |type| and |pkey|. The |ctx| argument must have been initialised with -// |EVP_MD_CTX_init|. If |pctx| is not NULL, the |EVP_PKEY_CTX| of the signing -// operation will be written to |*pctx|; this can be used to set alternative +// EVP_DigestVerifyInit sets up `ctx` for a signature verification operation +// with `type` and `pkey`. The `ctx` argument must have been initialised with +// `EVP_MD_CTX_init`. If `pctx` is not NULL, the `EVP_PKEY_CTX` of the signing +// operation will be written to `*pctx`; this can be used to set alternative // signing options. // // For single-shot signing algorithms which do not use a pre-hash, such as -// Ed25519, |type| should be NULL. The |EVP_MD_CTX| itself is unused but is -// present so the API is uniform. See |EVP_DigestVerify|. +// Ed25519, `type` should be NULL. The `EVP_MD_CTX` itself is unused but is +// present so the API is uniform. See `EVP_DigestVerify`. // -// This function does not mutate |pkey| for thread-safety purposes and may be -// used concurrently with other non-mutating functions on |pkey|. +// This function does not mutate `pkey` for thread-safety purposes and may be +// used concurrently with other non-mutating functions on `pkey`. // // It returns one on success, or zero on error. OPENSSL_EXPORT int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); -// EVP_DigestVerifyUpdate appends |len| bytes from |data| to the data which -// will be verified by |EVP_DigestVerifyFinal|. It returns one. +// EVP_DigestVerifyUpdate appends `len` bytes from `data` to the data which +// will be verified by `EVP_DigestVerifyFinal`. It returns one. // // This function performs streaming signature verification and will fail for -// signature algorithms which do not support this. 
Use |EVP_DigestVerify| for a +// signature algorithms which do not support this. Use `EVP_DigestVerify` for a // single-shot verification. OPENSSL_EXPORT int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); -// EVP_DigestVerifyFinal verifies that |sig_len| bytes of |sig| are a valid +// EVP_DigestVerifyFinal verifies that `sig_len` bytes of `sig` are a valid // signature for the data that has been included by one or more calls to -// |EVP_DigestVerifyUpdate|. It returns one on success and zero otherwise. +// `EVP_DigestVerifyUpdate`. It returns one on success and zero otherwise. // // This function performs streaming signature verification and will fail for -// signature algorithms which do not support this. Use |EVP_DigestVerify| for a +// signature algorithms which do not support this. Use `EVP_DigestVerify` for a // single-shot verification. OPENSSL_EXPORT int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len); -// EVP_DigestVerify verifies that |sig_len| bytes from |sig| are a valid -// signature for |data|. It returns one on success or zero on error. +// EVP_DigestVerify verifies that `sig_len` bytes from `sig` are a valid +// signature for `data`. It returns one on success or zero on error. OPENSSL_EXPORT int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len, const uint8_t *data, size_t len); 
@@ -582,71 +581,71 @@ OPENSSL_EXPORT int EVP_DigestVerify(EVP_MD_CTX *ctx, const uint8_t *sig, // Signing (old functions) -// EVP_SignInit_ex configures |ctx|, which must already have been initialised, -// for a fresh signing operation using the hash function |type|. It returns one +// EVP_SignInit_ex configures `ctx`, which must already have been initialised, +// for a fresh signing operation using the hash function `type`. It returns one // on success and zero otherwise. // -// (In order to initialise |ctx|, either obtain it initialised with -// |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.) +// (In order to initialise `ctx`, either obtain it initialised with +// `EVP_MD_CTX_create`, or use `EVP_MD_CTX_init`.) OPENSSL_EXPORT int EVP_SignInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); -// EVP_SignInit is a deprecated version of |EVP_SignInit_ex|. +// EVP_SignInit is a deprecated version of `EVP_SignInit_ex`. // // TODO(fork): remove. OPENSSL_EXPORT int EVP_SignInit(EVP_MD_CTX *ctx, const EVP_MD *type); -// EVP_SignUpdate appends |len| bytes from |data| to the data which will be -// signed in |EVP_SignFinal|. +// EVP_SignUpdate appends `len` bytes from `data` to the data which will be +// signed in `EVP_SignFinal`. OPENSSL_EXPORT int EVP_SignUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); // EVP_SignFinal signs the data that has been included by one or more calls to -// |EVP_SignUpdate|, using the key |pkey|, and writes it to |sig|. On entry, -// |sig| must point to at least |EVP_PKEY_size(pkey)| bytes of space. The -// actual size of the signature is written to |*out_sig_len|. +// `EVP_SignUpdate`, using the key `pkey`, and writes it to `sig`. On entry, +// `sig` must point to at least `EVP_PKEY_size(pkey)` bytes of space. The +// actual size of the signature is written to `*out_sig_len`. // // It returns one on success and zero otherwise. 
// -// It does not modify |ctx|, thus it's possible to continue to use |ctx| in -// order to sign a longer message. It also does not mutate |pkey| for +// It does not modify `ctx`, thus it's possible to continue to use `ctx` in +// order to sign a longer message. It also does not mutate `pkey` for // thread-safety purposes and may be used concurrently with other non-mutating -// functions on |pkey|. +// functions on `pkey`. OPENSSL_EXPORT int EVP_SignFinal(const EVP_MD_CTX *ctx, uint8_t *sig, unsigned int *out_sig_len, EVP_PKEY *pkey); // Verifying (old functions) -// EVP_VerifyInit_ex configures |ctx|, which must already have been +// EVP_VerifyInit_ex configures `ctx`, which must already have been // initialised, for a fresh signature verification operation using the hash -// function |type|. It returns one on success and zero otherwise. +// function `type`. It returns one on success and zero otherwise. // -// (In order to initialise |ctx|, either obtain it initialised with -// |EVP_MD_CTX_create|, or use |EVP_MD_CTX_init|.) +// (In order to initialise `ctx`, either obtain it initialised with +// `EVP_MD_CTX_create`, or use `EVP_MD_CTX_init`.) OPENSSL_EXPORT int EVP_VerifyInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); -// EVP_VerifyInit is a deprecated version of |EVP_VerifyInit_ex|. +// EVP_VerifyInit is a deprecated version of `EVP_VerifyInit_ex`. // // TODO(fork): remove. OPENSSL_EXPORT int EVP_VerifyInit(EVP_MD_CTX *ctx, const EVP_MD *type); -// EVP_VerifyUpdate appends |len| bytes from |data| to the data which will be -// signed in |EVP_VerifyFinal|. +// EVP_VerifyUpdate appends `len` bytes from `data` to the data which will be +// signed in `EVP_VerifyFinal`. OPENSSL_EXPORT int EVP_VerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t len); -// EVP_VerifyFinal verifies that |sig_len| bytes of |sig| are a valid -// signature, by |pkey|, for the data that has been included by one or more -// calls to |EVP_VerifyUpdate|. 
+// EVP_VerifyFinal verifies that `sig_len` bytes of `sig` are a valid +// signature, by `pkey`, for the data that has been included by one or more +// calls to `EVP_VerifyUpdate`. // // It returns one on success and zero otherwise. // -// It does not modify |ctx|, thus it's possible to continue to use |ctx| in -// order to verify a longer message. It also does not mutate |pkey| for +// It does not modify `ctx`, thus it's possible to continue to use `ctx` in +// order to verify a longer message. It also does not mutate `pkey` for // thread-safety purposes and may be used concurrently with other non-mutating -// functions on |pkey|. +// functions on `pkey`. OPENSSL_EXPORT int EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, size_t sig_len, EVP_PKEY *pkey); @@ -654,17 +653,17 @@ OPENSSL_EXPORT int EVP_VerifyFinal(EVP_MD_CTX *ctx, const uint8_t *sig, // Printing // EVP_PKEY_print_public prints a textual representation of the public key in -// |pkey| to |out|. Returns one on success or zero otherwise. +// `pkey` to `out`. Returns one on success or zero otherwise. OPENSSL_EXPORT int EVP_PKEY_print_public(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx); // EVP_PKEY_print_private prints a textual representation of the private key in -// |pkey| to |out|. Returns one on success or zero otherwise. +// `pkey` to `out`. Returns one on success or zero otherwise. OPENSSL_EXPORT int EVP_PKEY_print_private(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx); // EVP_PKEY_print_params prints a textual representation of the parameters in -// |pkey| to |out|. Returns one on success or zero otherwise. +// `pkey` to `out`. Returns one on success or zero otherwise. OPENSSL_EXPORT int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx); 
@@ -675,38 +674,38 @@ OPENSSL_EXPORT int EVP_PKEY_print_params(BIO *out, const EVP_PKEY *pkey, // function that results in a key suitable for use in symmetric // cryptography. -// PKCS5_PBKDF2_HMAC computes |iterations| iterations of PBKDF2 of |password| -// and |salt|, using |digest|, and outputs |key_len| bytes to |out_key|. It +// PKCS5_PBKDF2_HMAC computes `iterations` iterations of PBKDF2 of `password` +// and `salt`, using `digest`, and outputs `key_len` bytes to `out_key`. It // returns one on success and zero on allocation failure or if iterations is 0. OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, uint32_t iterations, const EVP_MD *digest, size_t key_len, uint8_t *out_key); -// PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with |digest| -// fixed to |EVP_sha1|. +// PKCS5_PBKDF2_HMAC_SHA1 is the same as PKCS5_PBKDF2_HMAC, but with `digest` +// fixed to `EVP_sha1`. OPENSSL_EXPORT int PKCS5_PBKDF2_HMAC_SHA1(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, uint32_t iterations, size_t key_len, uint8_t *out_key); -// EVP_PBE_scrypt expands |password| into a secret key of length |key_len| using -// scrypt, as described in RFC 7914, and writes the result to |out_key|. It +// EVP_PBE_scrypt expands `password` into a secret key of length `key_len` using +// scrypt, as described in RFC 7914, and writes the result to `out_key`. It // returns one on success and zero on allocation failure, if the memory required -// for the operation exceeds |max_mem|, or if any of the parameters are invalid +// for the operation exceeds `max_mem`, or if any of the parameters are invalid // as described below. // -// |N|, |r|, and |p| are as described in RFC 7914 section 6. They determine the -// cost of the operation. If |max_mem| is zero, a default limit of 65MiB will be +// `N`, `r`, and `p` are as described in RFC 7914 section 6. 
They determine the +// cost of the operation. If `max_mem` is zero, a default limit of 65MiB will be // used. // // The parameters are considered invalid under any of the following conditions: -// - |r| or |p| are zero -// - |p| > (2^30 - 1) / |r| -// - |N| is not a power of two -// - |N| > 2^32 -// - |N| > 2^(128 * |r| / 8) +// - `r` or `p` are zero +// - `p` > (2^30 - 1) / `r` +// - `N` is not a power of two +// - `N` > 2^32 +// - `N` > 2^(128 * `r` / 8) OPENSSL_EXPORT int EVP_PBE_scrypt(const char *password, size_t password_len, const uint8_t *salt, size_t salt_len, uint64_t N, uint64_t r, uint64_t p, 
@@ -716,72 +715,72 @@ OPENSSL_EXPORT int EVP_PBE_scrypt(const char *password, size_t password_len, // Operations. // -// |EVP_PKEY_CTX| objects hold the context for an operation (e.g. signing or -// encrypting) that uses an |EVP_PKEY|. They are used to configure +// `EVP_PKEY_CTX` objects hold the context for an operation (e.g. signing or +// encrypting) that uses an `EVP_PKEY`. They are used to configure // algorithm-specific parameters for the operation before performing the // operation. The general pattern for performing an operation in EVP is: // -// 1. Construct an |EVP_PKEY_CTX|, either with |EVP_PKEY_CTX_new| (operations -// using a key, like signing) or |EVP_PKEY_CTX_new_id| (operations not using +// 1. Construct an `EVP_PKEY_CTX`, either with `EVP_PKEY_CTX_new` (operations +// using a key, like signing) or `EVP_PKEY_CTX_new_id` (operations not using // an existing key, like key generation). // -// 2. Initialize it for an operation. For example, |EVP_PKEY_sign_init| -// initializes an |EVP_PKEY_CTX| for signing. +// 2. Initialize it for an operation. For example, `EVP_PKEY_sign_init` +// initializes an `EVP_PKEY_CTX` for signing. // // 3. Configure algorithm-specific parameters for the operation by calling -// control functions on the |EVP_PKEY_CTX|. Some functions are generic, such -// as |EVP_PKEY_CTX_set_signature_md|, and some are specific to an algorithm, -// such as |EVP_PKEY_CTX_set_rsa_padding|. +// control functions on the `EVP_PKEY_CTX`. Some functions are generic, such +// as `EVP_PKEY_CTX_set_signature_md`, and some are specific to an algorithm, +// such as `EVP_PKEY_CTX_set_rsa_padding`. // -// 4. Perform the operation. For example, |EVP_PKEY_sign| signs with the +// 4. Perform the operation. For example, `EVP_PKEY_sign` signs with the // corresponding parameters. // -// 5. Release the |EVP_PKEY_CTX| with |EVP_PKEY_CTX_free|. +// 5. Release the `EVP_PKEY_CTX` with `EVP_PKEY_CTX_free`. 
// -// Each |EVP_PKEY| algorithm interprets operations and parameters differently. +// Each `EVP_PKEY` algorithm interprets operations and parameters differently. // Not all algorithms support all operations. Functions will fail if the // algorithm does not support the parameter or operation. -// EVP_PKEY_CTX_new allocates a fresh |EVP_PKEY_CTX| for use with |pkey|. It +// EVP_PKEY_CTX_new allocates a fresh `EVP_PKEY_CTX` for use with `pkey`. It // returns the context or NULL on error. OPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_new(EVP_PKEY *pkey, ENGINE *e); -// EVP_PKEY_CTX_new_id allocates a fresh |EVP_PKEY_CTX| for a key of type |id| -// (e.g. |EVP_PKEY_HMAC|). This can be used for key generation where -// |EVP_PKEY_CTX_new| can't be used because there isn't an |EVP_PKEY| to pass +// EVP_PKEY_CTX_new_id allocates a fresh `EVP_PKEY_CTX` for a key of type `id` +// (e.g. `EVP_PKEY_HMAC`). This can be used for key generation where +// `EVP_PKEY_CTX_new` can't be used because there isn't an `EVP_PKEY` to pass // it. It returns the context or NULL on error. // -// For key generation, prefer to use |EVP_PKEY_generate_from_alg|. +// For key generation, prefer to use `EVP_PKEY_generate_from_alg`. OPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_new_id(int id, ENGINE *e); -// EVP_PKEY_CTX_free frees |ctx| and the data it owns. +// EVP_PKEY_CTX_free frees `ctx` and the data it owns. OPENSSL_EXPORT void EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx); -// EVP_PKEY_CTX_dup allocates a fresh |EVP_PKEY_CTX| and sets it equal to the -// state of |ctx|. It returns the fresh |EVP_PKEY_CTX| or NULL on error. +// EVP_PKEY_CTX_dup allocates a fresh `EVP_PKEY_CTX` and sets it equal to the +// state of `ctx`. It returns the fresh `EVP_PKEY_CTX` or NULL on error. OPENSSL_EXPORT EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *ctx); -// EVP_PKEY_CTX_get0_pkey returns the |EVP_PKEY| associated with |ctx|. +// EVP_PKEY_CTX_get0_pkey returns the `EVP_PKEY` associated with `ctx`. 
OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx); -// EVP_PKEY_sign_init initialises an |EVP_PKEY_CTX| for a signing operation. It -// should be called before |EVP_PKEY_sign|. +// EVP_PKEY_sign_init initialises an `EVP_PKEY_CTX` for a signing operation. It +// should be called before `EVP_PKEY_sign`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx); -// EVP_PKEY_sign signs |digest_len| bytes from |digest| using |ctx|. If |sig| is -// NULL, the maximum size of the signature is written to |out_sig_len|. -// Otherwise, |*sig_len| must contain the number of bytes of space available at -// |sig|. If sufficient, the signature will be written to |sig| and |*sig_len| +// EVP_PKEY_sign signs `digest_len` bytes from `digest` using `ctx`. If `sig` is +// NULL, the maximum size of the signature is written to `out_sig_len`. +// Otherwise, `*sig_len` must contain the number of bytes of space available at +// `sig`. If sufficient, the signature will be written to `sig` and `*sig_len` // updated with the true length. This function will fail for signature // algorithms like Ed25519 that do not support signing pre-hashed inputs. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // signed. Passing unhashed inputs will not result in a secure signature scheme. -// Use |EVP_DigestSignInit| to sign an unhashed input. +// Use `EVP_DigestSignInit` to sign an unhashed input. // -// WARNING: Setting |sig| to NULL only gives the maximum size of the +// WARNING: Setting `sig` to NULL only gives the maximum size of the // signature. The actual signature may be smaller. // // It returns one on success or zero on error. (Note: this differs from 
@@ -790,19 +789,19 @@ OPENSSL_EXPORT int EVP_PKEY_sign(EVP_PKEY_CTX *ctx, uint8_t *sig, size_t *sig_len, const uint8_t *digest, size_t digest_len); -// EVP_PKEY_verify_init initialises an |EVP_PKEY_CTX| for a signature -// verification operation. It should be called before |EVP_PKEY_verify|. +// EVP_PKEY_verify_init initialises an `EVP_PKEY_CTX` for a signature +// verification operation. It should be called before `EVP_PKEY_verify`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_verify_init(EVP_PKEY_CTX *ctx); -// EVP_PKEY_verify verifies that |sig_len| bytes from |sig| are a valid -// signature for |digest|. This function will fail for signature +// EVP_PKEY_verify verifies that `sig_len` bytes from `sig` are a valid +// signature for `digest`. This function will fail for signature // algorithms like Ed25519 that do not support signing pre-hashed inputs. // -// WARNING: |digest| must be the output of some hash function on the data to be +// WARNING: `digest` must be the output of some hash function on the data to be // verified. Passing unhashed inputs will not result in a secure signature -// scheme. Use |EVP_DigestVerifyInit| to verify a signature given the unhashed +// scheme. Use `EVP_DigestVerifyInit` to verify a signature given the unhashed // input. // // It returns one on success or zero on error. 
@@ -810,19 +809,19 @@ OPENSSL_EXPORT int EVP_PKEY_verify(EVP_PKEY_CTX *ctx, const uint8_t *sig, size_t sig_len, const uint8_t *digest, size_t digest_len); -// EVP_PKEY_encrypt_init initialises an |EVP_PKEY_CTX| for an encryption -// operation. It should be called before |EVP_PKEY_encrypt|. +// EVP_PKEY_encrypt_init initialises an `EVP_PKEY_CTX` for an encryption +// operation. It should be called before `EVP_PKEY_encrypt`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_encrypt_init(EVP_PKEY_CTX *ctx); -// EVP_PKEY_encrypt encrypts |in_len| bytes from |in|. If |out| is NULL, the -// maximum size of the ciphertext is written to |out_len|. Otherwise, |*out_len| -// must contain the number of bytes of space available at |out|. If sufficient, -// the ciphertext will be written to |out| and |*out_len| updated with the true +// EVP_PKEY_encrypt encrypts `in_len` bytes from `in`. If `out` is NULL, the +// maximum size of the ciphertext is written to `out_len`. Otherwise, `*out_len` +// must contain the number of bytes of space available at `out`. If sufficient, +// the ciphertext will be written to `out` and `*out_len` updated with the true // length. // -// WARNING: Setting |out| to NULL only gives the maximum size of the +// WARNING: Setting `out` to NULL only gives the maximum size of the // ciphertext. The actual ciphertext may be smaller. // // It returns one on success or zero on error. 
@@ -830,19 +829,19 @@ OPENSSL_EXPORT int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, const uint8_t *in, size_t in_len); -// EVP_PKEY_decrypt_init initialises an |EVP_PKEY_CTX| for a decryption -// operation. It should be called before |EVP_PKEY_decrypt|. +// EVP_PKEY_decrypt_init initialises an `EVP_PKEY_CTX` for a decryption +// operation. It should be called before `EVP_PKEY_decrypt`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_decrypt_init(EVP_PKEY_CTX *ctx); -// EVP_PKEY_decrypt decrypts |in_len| bytes from |in|. If |out| is NULL, the -// maximum size of the plaintext is written to |out_len|. Otherwise, |*out_len| -// must contain the number of bytes of space available at |out|. If sufficient, -// the ciphertext will be written to |out| and |*out_len| updated with the true +// EVP_PKEY_decrypt decrypts `in_len` bytes from `in`. If `out` is NULL, the +// maximum size of the plaintext is written to `out_len`. Otherwise, `*out_len` +// must contain the number of bytes of space available at `out`. If sufficient, +// the ciphertext will be written to `out` and `*out_len` updated with the true // length. // -// WARNING: Setting |out| to NULL only gives the maximum size of the +// WARNING: Setting `out` to NULL only gives the maximum size of the // plaintext. The actual plaintext may be smaller. // // It returns one on success or zero on error. 
@@ -850,8 +849,8 @@ OPENSSL_EXPORT int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, const uint8_t *in, size_t in_len); -// EVP_PKEY_verify_recover_init initialises an |EVP_PKEY_CTX| for a public-key -// decryption operation. It should be called before |EVP_PKEY_verify_recover|. +// EVP_PKEY_verify_recover_init initialises an `EVP_PKEY_CTX` for a public-key +// decryption operation. It should be called before `EVP_PKEY_verify_recover`. // // Public-key decryption is a very obscure operation that is only implemented // by RSA keys. It is effectively a signature verification operation that @@ -861,16 +860,16 @@ OPENSSL_EXPORT int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx, uint8_t *out, // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx); -// EVP_PKEY_verify_recover decrypts |sig_len| bytes from |sig|. If |out| is -// NULL, the maximum size of the plaintext is written to |out_len|. Otherwise, -// |*out_len| must contain the number of bytes of space available at |out|. If -// sufficient, the ciphertext will be written to |out| and |*out_len| updated +// EVP_PKEY_verify_recover decrypts `sig_len` bytes from `sig`. If `out` is +// NULL, the maximum size of the plaintext is written to `out_len`. Otherwise, +// `*out_len` must contain the number of bytes of space available at `out`. If +// sufficient, the ciphertext will be written to `out` and `*out_len` updated // with the true length. // -// WARNING: Setting |out| to NULL only gives the maximum size of the +// WARNING: Setting `out` to NULL only gives the maximum size of the // plaintext. The actual plaintext may be smaller. // -// See the warning about this operation in |EVP_PKEY_verify_recover_init|. It +// See the warning about this operation in `EVP_PKEY_verify_recover_init`. It // is probably not what you want. // // It returns one on success or zero on error. 
@@ -878,81 +877,81 @@ OPENSSL_EXPORT int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, uint8_t *out, size_t *out_len, const uint8_t *sig, size_t siglen); -// EVP_PKEY_derive_init initialises an |EVP_PKEY_CTX| for a key derivation -// operation. It should be called before |EVP_PKEY_derive_set_peer| and -// |EVP_PKEY_derive|. +// EVP_PKEY_derive_init initialises an `EVP_PKEY_CTX` for a key derivation +// operation. It should be called before `EVP_PKEY_derive_set_peer` and +// `EVP_PKEY_derive`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_derive_init(EVP_PKEY_CTX *ctx); // EVP_PKEY_derive_set_peer sets the peer's key to be used for key derivation -// by |ctx| to |peer|. It should be called after |EVP_PKEY_derive_init|. (For +// by `ctx` to `peer`. It should be called after `EVP_PKEY_derive_init`. (For // example, this is used to set the peer's key in (EC)DH.) It returns one on // success and zero on error. OPENSSL_EXPORT int EVP_PKEY_derive_set_peer(EVP_PKEY_CTX *ctx, EVP_PKEY *peer); -// EVP_PKEY_derive derives a shared key from |ctx|. If |key| is non-NULL then, -// on entry, |out_key_len| must contain the amount of space at |key|. If -// sufficient then the shared key will be written to |key| and |*out_key_len| -// will be set to the length. If |key| is NULL then |out_key_len| will be set to +// EVP_PKEY_derive derives a shared key from `ctx`. If `key` is non-NULL then, +// on entry, `out_key_len` must contain the amount of space at `key`. If +// sufficient then the shared key will be written to `key` and `*out_key_len` +// will be set to the length. If `key` is NULL then `out_key_len` will be set to // the maximum length. // -// WARNING: Setting |out| to NULL only gives the maximum size of the key. The +// WARNING: Setting `out` to NULL only gives the maximum size of the key. The // actual key may be smaller. // // It returns one on success and zero on error. 
OPENSSL_EXPORT int EVP_PKEY_derive(EVP_PKEY_CTX *ctx, uint8_t *key, size_t *out_key_len); -// EVP_PKEY_keygen_init initialises an |EVP_PKEY_CTX| for a key generation -// operation. It should be called before |EVP_PKEY_keygen|. +// EVP_PKEY_keygen_init initialises an `EVP_PKEY_CTX` for a key generation +// operation. It should be called before `EVP_PKEY_keygen`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_keygen_init(EVP_PKEY_CTX *ctx); // EVP_PKEY_keygen performs a key generation operation using the values from -// |ctx|. If |*out_pkey| is non-NULL, it overwrites |*out_pkey| with the -// resulting key. Otherwise, it sets |*out_pkey| to a newly-allocated |EVP_PKEY| +// `ctx`. If `*out_pkey` is non-NULL, it overwrites `*out_pkey` with the +// resulting key. Otherwise, it sets `*out_pkey` to a newly-allocated `EVP_PKEY` // containing the result. It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey); -// EVP_PKEY_paramgen_init initialises an |EVP_PKEY_CTX| for a parameter -// generation operation. It should be called before |EVP_PKEY_paramgen|. +// EVP_PKEY_paramgen_init initialises an `EVP_PKEY_CTX` for a parameter +// generation operation. It should be called before `EVP_PKEY_paramgen`. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx); // EVP_PKEY_paramgen performs a parameter generation using the values from -// |ctx|. If |*out_pkey| is non-NULL, it overwrites |*out_pkey| with the -// resulting parameters, but no key. Otherwise, it sets |*out_pkey| to a -// newly-allocated |EVP_PKEY| containing the result. It returns one on success +// `ctx`. If `*out_pkey` is non-NULL, it overwrites `*out_pkey` with the +// resulting parameters, but no key. Otherwise, it sets `*out_pkey` to a +// newly-allocated `EVP_PKEY` containing the result. It returns one on success // or zero on error. 
OPENSSL_EXPORT int EVP_PKEY_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY **out_pkey); -// EVP_PKEY_encapsulate_init initialises an |EVP_PKEY_CTX| for an encapsulate -// operation. It should be called before |EVP_PKEY_encapsulate|. |params| is +// EVP_PKEY_encapsulate_init initialises an `EVP_PKEY_CTX` for an encapsulate +// operation. It should be called before `EVP_PKEY_encapsulate`. `params` is // included for OpenSSL compatibility, but this parameter should be NULL or have -// |OSSL_PARAM_END| as its first element. +// `OSSL_PARAM_END` as its first element. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params); -// EVP_PKEY_encapsulate implements public key encapsulation using |ctx|. It +// EVP_PKEY_encapsulate implements public key encapsulation using `ctx`. It // either performs the operation or returns the maximum output sizes, depending -// on whether |out_ciphertext| is NULL: +// on whether `out_ciphertext` is NULL: // -// If |out_ciphertext| is NULL, it writes the maximum ciphertext length to -// |*out_ciphertext_len| and the maximum shared secret length to -// |*out_secret_len|. Either of |out_ciphertext_len| or |out_secret_len| may be +// If `out_ciphertext` is NULL, it writes the maximum ciphertext length to +// `*out_ciphertext_len` and the maximum shared secret length to +// `*out_secret_len`. Either of `out_ciphertext_len` or `out_secret_len` may be // NULL to ignore the corresponding output. // -// If |out_ciphertext| is non-NULL, it performs the operation and, on success, -// writes the ciphertext to |out_ciphertext|, the ciphertext size to -// |out_ciphertext_len|, the shared secret to |out_secret|, and the shared -// secret length to |out_secret_len|. On input, |*out_ciphertext_len| and -// |*out_secret_len| must contain the amount of space available in -// |out_ciphertext| and |out_secret|, respectively. 
If there is insufficient +// If `out_ciphertext` is non-NULL, it performs the operation and, on success, +// writes the ciphertext to `out_ciphertext`, the ciphertext size to +// `out_ciphertext_len`, the shared secret to `out_secret`, and the shared +// secret length to `out_secret_len`. On input, `*out_ciphertext_len` and +// `*out_secret_len` must contain the amount of space available in +// `out_ciphertext` and `out_secret`, respectively. If there is insufficient // space to write the output, the operation will fail. // // In both modes, this function returns one on success or zero on error. 
@@ -962,26 +961,26 @@ OPENSSL_EXPORT int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx, uint8_t *out_secret, size_t *out_secret_len); -// EVP_PKEY_decapsulate_init initialises an |EVP_PKEY_CTX| for a decapsulate -// operation. It should be called before |EVP_PKEY_decapsulate|. |params| is +// EVP_PKEY_decapsulate_init initialises an `EVP_PKEY_CTX` for a decapsulate +// operation. It should be called before `EVP_PKEY_decapsulate`. `params` is // included for OpenSSL compatibility, but this parameter should be NULL or have -// |OSSL_PARAM_END| as its first element. +// `OSSL_PARAM_END` as its first element. // // It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM *params); -// EVP_PKEY_decapsulate implements private key decapsulation using |ctx|. -// |ciphertext| and |ciphertext_len| specify the ciphertext to be decapsulated. -// If |out_secret| is NULL, it writes the maximum size of the shared secret -// output to |*out_secret_len| and returns one. Otherwise, |*out_secret_len| -// must contain the number of bytes of space available at |out_secret|. If the +// EVP_PKEY_decapsulate implements private key decapsulation using `ctx`. +// `ciphertext` and `ciphertext_len` specify the ciphertext to be decapsulated. +// If `out_secret` is NULL, it writes the maximum size of the shared secret +// output to `*out_secret_len` and returns one. Otherwise, `*out_secret_len` +// must contain the number of bytes of space available at `out_secret`. If the // space is insufficient, this function returns zero. If the space is -// sufficient, the decapsulated shared secret will be written to |out_secret| -// and the size of the output to |out_secret_len|, and this function will return -// one. 
If |ciphertext| has been corrupted, the function may fail or it may +// sufficient, the decapsulated shared secret will be written to `out_secret` +// and the size of the output to `out_secret_len`, and this function will return +// one. If `ciphertext` has been corrupted, the function may fail or it may // output a shared secret that appears to be random. Any subsequent symmetric -// encryption using |out_secret| must use an authenticated encryption scheme to +// encryption using `out_secret` must use an authenticated encryption scheme to // discover the decapsulation failure. OPENSSL_EXPORT int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *out_secret, size_t *out_secret_len, @@ -991,18 +990,18 @@ OPENSSL_EXPORT int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx, uint8_t *out_secret, // Generic control functions. -// EVP_PKEY_CTX_set_signature_md sets |md| as the digest to be used in a +// EVP_PKEY_CTX_set_signature_md sets `md` as the digest to be used in a // signature operation. It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_set_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -// EVP_PKEY_CTX_get_signature_md sets |*out_md| to the digest to be used in a +// EVP_PKEY_CTX_get_signature_md sets `*out_md` to the digest to be used in a // signature operation. It returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_get_signature_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md); // EVP_PKEY_CTX_set1_signature_context_string sets the context string for a -// signature or verification operation to |context|. It returns one success and +// signature or verification operation to `context`. It returns one success and // zero on error. The context string is an additional input to some signature // algorithms, such as ML-DSA, to separate different uses of the same key. This // is known as domain separation. Section 8.3 of RFC 8032 provides some 
@@ -1019,41 +1018,41 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set1_signature_context_string( // RSA specific control functions. // EVP_RSA_gen generates a new RSA key with the specified number of bits. It -// returns a newly-allocated |EVP_PKEY| or nullptr on error. +// returns a newly-allocated `EVP_PKEY` or nullptr on error. // // This function sets the public exponent to the recommended value of 65537, or -// |RSA_F4|. To use a less common value, instead use -// |EVP_PKEY_CTX_set_rsa_keygen_pubexp| and |EVP_PKEY_keygen|. +// `RSA_F4`. To use a less common value, instead use +// `EVP_PKEY_CTX_set_rsa_keygen_pubexp` and `EVP_PKEY_keygen`. OPENSSL_EXPORT EVP_PKEY *EVP_RSA_gen(unsigned bits); // EVP_PKEY_CTX_set_rsa_padding sets the padding type to use. It should be one -// of the |RSA_*_PADDING| values. Returns one on success or zero on error. By -// default, the padding is |RSA_PKCS1_PADDING|. +// of the `RSA_*_PADDING` values. Returns one on success or zero on error. By +// default, the padding is `RSA_PKCS1_PADDING`. OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_padding(EVP_PKEY_CTX *ctx, int padding); -// EVP_PKEY_CTX_get_rsa_padding sets |*out_padding| to the current padding -// value, which is one of the |RSA_*_PADDING| values. Returns one on success or +// EVP_PKEY_CTX_get_rsa_padding sets `*out_padding` to the current padding +// value, which is one of the `RSA_*_PADDING` values. Returns one on success or // zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_padding(EVP_PKEY_CTX *ctx, int *out_padding); // EVP_PKEY_CTX_set_rsa_pss_saltlen sets the length of the salt in a PSS-padded -// signature. A value of |RSA_PSS_SALTLEN_DIGEST| causes the salt to be the same -// length as the digest in the signature. A value of |RSA_PSS_SALTLEN_AUTO| +// signature. A value of `RSA_PSS_SALTLEN_DIGEST` causes the salt to be the same +// length as the digest in the signature. 
A value of `RSA_PSS_SALTLEN_AUTO` // causes the salt to be the maximum length that will fit when signing and // recovered from the signature when verifying. Otherwise the value gives the // size of the salt in bytes. // -// If unsure, use |RSA_PSS_SALTLEN_DIGEST|, which is the default. Note this -// differs from OpenSSL, which defaults to |RSA_PSS_SALTLEN_AUTO|. +// If unsure, use `RSA_PSS_SALTLEN_DIGEST`, which is the default. Note this +// differs from OpenSSL, which defaults to `RSA_PSS_SALTLEN_AUTO`. // // Returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int salt_len); -// EVP_PKEY_CTX_get_rsa_pss_saltlen sets |*out_salt_len| to the salt length of +// EVP_PKEY_CTX_get_rsa_pss_saltlen sets `*out_salt_len` to the salt length of // a PSS-padded signature. See the documentation for -// |EVP_PKEY_CTX_set_rsa_pss_saltlen| for details of the special values that it +// `EVP_PKEY_CTX_set_rsa_pss_saltlen` for details of the special values that it // can take. // // Returns one on success or zero on error. 
@@ -1066,14 +1065,14 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits); -// EVP_PKEY_CTX_set_rsa_keygen_pubexp sets |e| as the public exponent for key -// generation. Returns one on success or zero on error. On success, |ctx| takes -// ownership of |e|. The library will then call |BN_free| on |e| when |ctx| is +// EVP_PKEY_CTX_set_rsa_keygen_pubexp sets `e` as the public exponent for key +// generation. Returns one on success or zero on error. On success, `ctx` takes +// ownership of `e`. The library will then call `BN_free` on `e` when `ctx` is // destroyed. OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *e); -// EVP_PKEY_CTX_set_rsa_oaep_md sets |md| as the digest used in OAEP padding. +// EVP_PKEY_CTX_set_rsa_oaep_md sets `md` as the digest used in OAEP padding. // Returns one on success or zero on error. If unset, the default is SHA-1. // Callers are recommended to overwrite this default. // 
@@ -1081,35 +1080,35 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -// EVP_PKEY_CTX_get_rsa_oaep_md sets |*out_md| to the digest function used in +// EVP_PKEY_CTX_get_rsa_oaep_md sets `*out_md` to the digest function used in // OAEP padding. Returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md); -// EVP_PKEY_CTX_set_rsa_mgf1_md sets |md| as the digest used in MGF1. Returns +// EVP_PKEY_CTX_set_rsa_mgf1_md sets `md` as the digest used in MGF1. Returns // one on success or zero on error. // -// If unset, the default is the signing hash for |RSA_PKCS1_PSS_PADDING| and the -// OAEP hash for |RSA_PKCS1_OAEP_PADDING|. Callers are recommended to use this +// If unset, the default is the signing hash for `RSA_PKCS1_PSS_PADDING` and the +// OAEP hash for `RSA_PKCS1_OAEP_PADDING`. Callers are recommended to use this // default and not call this function. OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -// EVP_PKEY_CTX_get_rsa_mgf1_md sets |*out_md| to the digest function used in +// EVP_PKEY_CTX_get_rsa_mgf1_md sets `*out_md` to the digest function used in // MGF1. Returns one on success or zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **out_md); -// EVP_PKEY_CTX_set0_rsa_oaep_label sets |label_len| bytes from |label| as the -// label used in OAEP. DANGER: On success, this call takes ownership of |label| -// and will call |OPENSSL_free| on it when |ctx| is destroyed. +// EVP_PKEY_CTX_set0_rsa_oaep_label sets `label_len` bytes from `label` as the +// label used in OAEP. DANGER: On success, this call takes ownership of `label` +// and will call `OPENSSL_free` on it when `ctx` is destroyed. // // Returns one on success or zero on error. 
OPENSSL_EXPORT int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, uint8_t *label, size_t label_len); -// EVP_PKEY_CTX_get0_rsa_oaep_label sets |*out_label| to point to the internal +// EVP_PKEY_CTX_get0_rsa_oaep_label sets `*out_label` to point to the internal // buffer containing the OAEP label (which may be NULL) and returns the length // of the label or a negative value on error. // @@ -1120,16 +1119,16 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, // EC specific control functions. -// EVP_PKEY_get_ec_curve_nid returns |pkey|'s curve as a NID constant, such as -// |NID_X9_62_prime256v1|, or |NID_undef| if |pkey| is not an EC key. +// EVP_PKEY_get_ec_curve_nid returns `pkey`'s curve as a NID constant, such as +// `NID_X9_62_prime256v1`, or `NID_undef` if `pkey` is not an EC key. OPENSSL_EXPORT int EVP_PKEY_get_ec_curve_nid(const EVP_PKEY *pkey); -// EVP_PKEY_get_ec_point_conv_form returns |pkey|'s point conversion form as a -// |POINT_CONVERSION_*| constant, or zero if |pkey| is not an EC key. +// EVP_PKEY_get_ec_point_conv_form returns `pkey`'s point conversion form as a +// `POINT_CONVERSION_*` constant, or zero if `pkey` is not an EC key. OPENSSL_EXPORT int EVP_PKEY_get_ec_point_conv_form(const EVP_PKEY *pkey); // EVP_PKEY_CTX_set_ec_paramgen_curve_nid sets the curve used for -// |EVP_PKEY_keygen| or |EVP_PKEY_paramgen| operations to |nid|. It returns one +// `EVP_PKEY_keygen` or `EVP_PKEY_paramgen` operations to `nid`. It returns one // on success and zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid); 
@@ -1137,14 +1136,14 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, // Diffie-Hellman-specific control functions. -// EVP_PKEY_CTX_set_dh_pad configures configures whether |ctx|, which must be an -// |EVP_PKEY_derive| operation, configures the handling of leading zeros in the -// Diffie-Hellman shared secret. If |pad| is zero, leading zeros are removed -// from the secret. If |pad| is non-zero, the fixed-width shared secret is used +// EVP_PKEY_CTX_set_dh_pad configures configures whether `ctx`, which must be an +// `EVP_PKEY_derive` operation, configures the handling of leading zeros in the +// Diffie-Hellman shared secret. If `pad` is zero, leading zeros are removed +// from the secret. If `pad` is non-zero, the fixed-width shared secret is used // unmodified, as in PKCS #3. If this function is not called, the default is to // remove leading zeros. // -// WARNING: The behavior when |pad| is zero leaks information about the shared +// WARNING: The behavior when `pad` is zero leaks information about the shared // secret. This may result in side channel attacks such as // https://raccoon-attack.com/, particularly when the same private key is used // for multiple operations. 
@@ -1156,15 +1155,15 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_dh_pad(EVP_PKEY_CTX *ctx, int pad); // Two APIs for working with key encapsulation mechanism (KEM) algorithms are // provided: // -// 1. Create an |EVP_PKEY_CTX|, initialize it for the appropriate KEM operation -// (see |EVP_PKEY_encapsulate_init| and |EVP_PKEY_decapsulate_init|), then +// 1. Create an `EVP_PKEY_CTX`, initialize it for the appropriate KEM operation +// (see `EVP_PKEY_encapsulate_init` and `EVP_PKEY_decapsulate_init`), then // run the operation. This matches the OpenSSL API. // -// 2. Pass an appropriate |EVP_KEM| object to the functions below to use it -// for encapsulation and decapsulation operations with compatible |EVP_PKEY| +// 2. Pass an appropriate `EVP_KEM` object to the functions below to use it +// for encapsulation and decapsulation operations with compatible `EVP_PKEY` // objects. This API requires fewer steps. // -// The |EVP_KEM| API is only compatible with KEMs that use fixed-length +// The `EVP_KEM` API is only compatible with KEMs that use fixed-length // ciphertexts and secrets. // EVP_kem_ml_kem_* implement ML-KEM, defined in FIPS 203. 
@@ -1178,32 +1177,32 @@ OPENSSL_EXPORT const EVP_KEM *EVP_kem_xwing(void); // TODO(crbug.com/449751916): Add more supported KEMs. // EVP_KEM_ciphertext_len returns the fixed length, in bytes, of a ciphertext -// produced and consumed by |kem|. +// produced and consumed by `kem`. OPENSSL_EXPORT size_t EVP_KEM_ciphertext_len(const EVP_KEM *kem); // EVP_KEM_secret_len returns the fixed length, in bytes, of the shared -// secret produced and consumed by |kem|. +// secret produced and consumed by `kem`. OPENSSL_EXPORT size_t EVP_KEM_secret_len(const EVP_KEM *kem); -// EVP_KEM_encap uses |kem| to encapsulate a |peer_key|. It outputs a -// ciphertext of length |ciphertext_len| into |*out_ciphertext| and outputs a -// shared secret of length |secret_len| into |*out_secret|. |peer_key| must be -// a public key of the type expected by |kem|. |ciphertext_len| and -// |secret_len| must match the output of |EVP_KEM_ciphertext_len| and -// |EVP_KEM_secret_len|, respectively, when called with |kem|. This function +// EVP_KEM_encap uses `kem` to encapsulate a `peer_key`. It outputs a +// ciphertext of length `ciphertext_len` into `*out_ciphertext` and outputs a +// shared secret of length `secret_len` into `*out_secret`. `peer_key` must be +// a public key of the type expected by `kem`. `ciphertext_len` and +// `secret_len` must match the output of `EVP_KEM_ciphertext_len` and +// `EVP_KEM_secret_len`, respectively, when called with `kem`. This function // returns one on success or zero on failure. OPENSSL_EXPORT int EVP_KEM_encap(const EVP_KEM *kem, uint8_t *out_ciphertext, size_t ciphertext_len, uint8_t *out_secret, size_t secret_len, const EVP_PKEY *peer_key); -// EVP_KEM_decap uses |kem| to decapsulate a |ciphertext| of length -// |ciphertext_len|, using |key| as a decapsulation key. It outputs a shared -// secret of length |secret_len| into |*out_secret|. |key| must be a private key -// of the type expected by |kem|. 
|secret_len| must match the output of -// |EVP_KEM_secret_len| when called with |kem|. This function returns one on -// success or zero on failure. If |ciphertext| has been corrupted, the function +// EVP_KEM_decap uses `kem` to decapsulate a `ciphertext` of length +// `ciphertext_len`, using `key` as a decapsulation key. It outputs a shared +// secret of length `secret_len` into `*out_secret`. `key` must be a private key +// of the type expected by `kem`. `secret_len` must match the output of +// `EVP_KEM_secret_len` when called with `kem`. This function returns one on +// success or zero on failure. If `ciphertext` has been corrupted, the function // may fail or it may output a shared secret that appears to be random. Any -// subsequent symmetric encryption using |*out_secret| must use an authenticated +// subsequent symmetric encryption using `*out_secret` must use an authenticated // encryption scheme in order to discover the decapsulation failure. OPENSSL_EXPORT int EVP_KEM_decap(const EVP_KEM *kem, uint8_t *out_secret, size_t secret_len, const uint8_t *ciphertext, @@ -1225,7 +1224,7 @@ OPENSSL_EXPORT int EVP_KEM_decap(const EVP_KEM *kem, uint8_t *out_secret, #define EVP_PKEY_ED448 NID_ED448 // EVP_PKEY_get0 returns NULL. This function is provided for compatibility with -// OpenSSL but does not return anything. Use the typed |EVP_PKEY_get0_*| +// OpenSSL but does not return anything. Use the typed `EVP_PKEY_get0_*` // functions instead. OPENSSL_EXPORT void *EVP_PKEY_get0(const EVP_PKEY *pkey); @@ -1244,7 +1243,7 @@ OPENSSL_EXPORT void OpenSSL_add_all_digests(void); // EVP_cleanup does nothing. OPENSSL_EXPORT void EVP_cleanup(void); -// EVP_default_properties_is_fips_enabled calls |FIPS_mode|. +// EVP_default_properties_is_fips_enabled calls `FIPS_mode`. OPENSSL_EXPORT int EVP_default_properties_is_fips_enabled(OSSL_LIB_CTX *libctx); OPENSSL_EXPORT void EVP_CIPHER_do_all_sorted( 
@@ -1267,82 +1266,82 @@ OPENSSL_EXPORT void EVP_MD_do_all(void (*callback)(const EVP_MD *md, OPENSSL_EXPORT void EVP_MD_do_all_provided( OSSL_LIB_CTX *libctx, void (*callback)(EVP_MD *md, void *arg), void *arg); -// i2d_PrivateKey marshals a private key from |key| to type-specific format, as -// described in |i2d_SAMPLE|. +// i2d_PrivateKey marshals a private key from `key` to type-specific format, as +// described in `i2d_SAMPLE`. // // RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure. // EC keys are serialized as a DER-encoded ECPrivateKey (RFC 5915) structure. // -// Use |RSA_marshal_private_key| or |EC_KEY_marshal_private_key| instead. +// Use `RSA_marshal_private_key` or `EC_KEY_marshal_private_key` instead. OPENSSL_EXPORT int i2d_PrivateKey(const EVP_PKEY *key, uint8_t **outp); -// i2d_PublicKey marshals a public key from |key| to a type-specific format, as -// described in |i2d_SAMPLE|. +// i2d_PublicKey marshals a public key from `key` to a type-specific format, as +// described in `i2d_SAMPLE`. // // RSA keys are serialized as a DER-encoded RSAPublicKey (RFC 8017) structure. // EC keys are serialized as an EC point per SEC 1. // -// Use |RSA_marshal_public_key| or |EC_POINT_point2cbb| instead. +// Use `RSA_marshal_public_key` or `EC_POINT_point2cbb` instead. OPENSSL_EXPORT int i2d_PublicKey(const EVP_PKEY *key, uint8_t **outp); -// d2i_PrivateKey parses a DER-encoded private key from |len| bytes at |*inp|, -// as described in |d2i_SAMPLE|. The private key must have type |type|, +// d2i_PrivateKey parses a DER-encoded private key from `len` bytes at `*inp`, +// as described in `d2i_SAMPLE`. The private key must have type `type`, // otherwise it will be rejected. // // This function tries to detect one of several formats. Instead, use -// |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an -// RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey. 
+// `EVP_parse_private_key` for a PrivateKeyInfo, `RSA_parse_private_key` for an +// RSAPrivateKey, and `EC_parse_private_key` for an ECPrivateKey. OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **out, const uint8_t **inp, long len); -// d2i_AutoPrivateKey acts the same as |d2i_PrivateKey|, but detects the type +// d2i_AutoPrivateKey acts the same as `d2i_PrivateKey`, but detects the type // of the private key. // // This function tries to detect one of several formats. Instead, use -// |EVP_parse_private_key| for a PrivateKeyInfo, |RSA_parse_private_key| for an -// RSAPrivateKey, and |EC_parse_private_key| for an ECPrivateKey. +// `EVP_parse_private_key` for a PrivateKeyInfo, `RSA_parse_private_key` for an +// RSAPrivateKey, and `EC_parse_private_key` for an ECPrivateKey. OPENSSL_EXPORT EVP_PKEY *d2i_AutoPrivateKey(EVP_PKEY **out, const uint8_t **inp, long len); -// d2i_PublicKey parses a public key from |len| bytes at |*inp| in a type- -// specific format specified by |type|, as described in |d2i_SAMPLE|. +// d2i_PublicKey parses a public key from `len` bytes at `*inp` in a type- +// specific format specified by `type`, as described in `d2i_SAMPLE`. // -// The only supported value for |type| is |EVP_PKEY_RSA|, which parses a +// The only supported value for `type` is `EVP_PKEY_RSA`, which parses a // DER-encoded RSAPublicKey (RFC 8017) structure. Parsing EC keys is not // supported by this function. // -// Use |RSA_parse_public_key| instead. +// Use `RSA_parse_public_key` instead. OPENSSL_EXPORT EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **out, const uint8_t **inp, long len); -// EVP_PKEY_CTX_set_ec_param_enc returns one if |encoding| is -// |OPENSSL_EC_NAMED_CURVE| or zero with an error otherwise. +// EVP_PKEY_CTX_set_ec_param_enc returns one if `encoding` is +// `OPENSSL_EC_NAMED_CURVE` or zero with an error otherwise. 
OPENSSL_EXPORT int EVP_PKEY_CTX_set_ec_param_enc(EVP_PKEY_CTX *ctx, int encoding); -// EVP_PKEY_set_type sets the type of |pkey| to |type|. It returns one if -// successful or zero if the |type| argument is not one of the |EVP_PKEY_*| -// values supported for use with this function. If |pkey| is NULL, it simply +// EVP_PKEY_set_type sets the type of `pkey` to `type`. It returns one if +// successful or zero if the `type` argument is not one of the `EVP_PKEY_*` +// values supported for use with this function. If `pkey` is NULL, it simply // reports whether the type is known. // -// There are very few cases where this function is useful. Changing |pkey|'s +// There are very few cases where this function is useful. Changing `pkey`'s // type clears any previously stored keys, so there is no benefit to loading a -// key and then changing its type. Although |pkey| is left with a type +// key and then changing its type. Although `pkey` is left with a type // configured, it has no key, and functions which set a key, such as -// |EVP_PKEY_set1_RSA|, will configure a type anyway. If writing unit tests that +// `EVP_PKEY_set1_RSA`, will configure a type anyway. If writing unit tests that // are only sensitive to the type of a key, it is preferable to construct a real // key, so that tests are more representative of production code. // // The only API pattern which requires this function is -// |EVP_PKEY_set1_tls_encodedpoint| with X25519, which requires a half-empty -// |EVP_PKEY| that was first configured with |EVP_PKEY_X25519|. Currently, all -// other values of |type| will result in an error. +// `EVP_PKEY_set1_tls_encodedpoint` with X25519, which requires a half-empty +// `EVP_PKEY` that was first configured with `EVP_PKEY_X25519`. Currently, all +// other values of `type` will result in an error. OPENSSL_EXPORT int EVP_PKEY_set_type(EVP_PKEY *pkey, int type); -// EVP_PKEY_set1_tls_encodedpoint replaces |pkey| with a public key encoded by -// |in|. 
It returns one on success and zero on error. +// EVP_PKEY_set1_tls_encodedpoint replaces `pkey` with a public key encoded by +// `in`. It returns one on success and zero on error. // -// If |pkey| is an EC key, the format is an X9.62 point and |pkey| must already +// If `pkey` is an EC key, the format is an X9.62 point and `pkey` must already // have an EC group configured. If it is an X25519 key, it is the 32-byte X25519 // public key representation. This function is not supported for other key types // and will fail. @@ -1350,19 +1349,19 @@ OPENSSL_EXPORT int EVP_PKEY_set1_tls_encodedpoint(EVP_PKEY *pkey, const uint8_t *in, size_t len); -// EVP_PKEY_get1_tls_encodedpoint sets |*out_ptr| to a newly-allocated buffer -// containing the raw encoded public key for |pkey|. The caller must call -// |OPENSSL_free| to release this buffer. The function returns the length of the +// EVP_PKEY_get1_tls_encodedpoint sets `*out_ptr` to a newly-allocated buffer +// containing the raw encoded public key for `pkey`. The caller must call +// `OPENSSL_free` to release this buffer. The function returns the length of the // buffer on success and zero on error. // -// If |pkey| is an EC key, the format is an X9.62 point with uncompressed +// If `pkey` is an EC key, the format is an X9.62 point with uncompressed // coordinates. If it is an X25519 key, it is the 32-byte X25519 public key // representation. This function is not supported for other key types and will // fail. OPENSSL_EXPORT size_t EVP_PKEY_get1_tls_encodedpoint(const EVP_PKEY *pkey, uint8_t **out_ptr); -// EVP_PKEY_base_id calls |EVP_PKEY_id|. +// EVP_PKEY_base_id calls `EVP_PKEY_id`. OPENSSL_EXPORT int EVP_PKEY_base_id(const EVP_PKEY *pkey); // EVP_PKEY_CTX_set_rsa_pss_keygen_md returns 0. 
@@ -1377,56 +1376,56 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, OPENSSL_EXPORT int EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -// i2d_PUBKEY marshals |pkey| as a DER-encoded SubjectPublicKeyInfo, as -// described in |i2d_SAMPLE|. +// i2d_PUBKEY marshals `pkey` as a DER-encoded SubjectPublicKeyInfo, as +// described in `i2d_SAMPLE`. // -// Use |EVP_marshal_public_key| instead. +// Use `EVP_marshal_public_key` instead. OPENSSL_EXPORT int i2d_PUBKEY(const EVP_PKEY *pkey, uint8_t **outp); -// d2i_PUBKEY parses a DER-encoded SubjectPublicKeyInfo from |len| bytes at -// |*inp|, as described in |d2i_SAMPLE|. +// d2i_PUBKEY parses a DER-encoded SubjectPublicKeyInfo from `len` bytes at +// `*inp`, as described in `d2i_SAMPLE`. // -// Use |EVP_parse_public_key| instead. +// Use `EVP_parse_public_key` instead. OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY(EVP_PKEY **out, const uint8_t **inp, long len); -// i2d_RSA_PUBKEY marshals |rsa| as a DER-encoded SubjectPublicKeyInfo -// structure, as described in |i2d_SAMPLE|. +// i2d_RSA_PUBKEY marshals `rsa` as a DER-encoded SubjectPublicKeyInfo +// structure, as described in `i2d_SAMPLE`. // -// Use |EVP_marshal_public_key| instead. +// Use `EVP_marshal_public_key` instead. OPENSSL_EXPORT int i2d_RSA_PUBKEY(const RSA *rsa, uint8_t **outp); // d2i_RSA_PUBKEY parses an RSA public key as a DER-encoded SubjectPublicKeyInfo -// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// from `len` bytes at `*inp`, as described in `d2i_SAMPLE`. // SubjectPublicKeyInfo structures containing other key types are rejected. // -// Use |EVP_parse_public_key| instead. +// Use `EVP_parse_public_key` instead. OPENSSL_EXPORT RSA *d2i_RSA_PUBKEY(RSA **out, const uint8_t **inp, long len); -// i2d_DSA_PUBKEY marshals |dsa| as a DER-encoded SubjectPublicKeyInfo, as -// described in |i2d_SAMPLE|. 
+// i2d_DSA_PUBKEY marshals `dsa` as a DER-encoded SubjectPublicKeyInfo, as +// described in `i2d_SAMPLE`. // -// Use |EVP_marshal_public_key| instead. +// Use `EVP_marshal_public_key` instead. OPENSSL_EXPORT int i2d_DSA_PUBKEY(const DSA *dsa, uint8_t **outp); // d2i_DSA_PUBKEY parses a DSA public key as a DER-encoded SubjectPublicKeyInfo -// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// from `len` bytes at `*inp`, as described in `d2i_SAMPLE`. // SubjectPublicKeyInfo structures containing other key types are rejected. // -// Use |EVP_parse_public_key| instead. +// Use `EVP_parse_public_key` instead. OPENSSL_EXPORT DSA *d2i_DSA_PUBKEY(DSA **out, const uint8_t **inp, long len); -// i2d_EC_PUBKEY marshals |ec_key| as a DER-encoded SubjectPublicKeyInfo, as -// described in |i2d_SAMPLE|. +// i2d_EC_PUBKEY marshals `ec_key` as a DER-encoded SubjectPublicKeyInfo, as +// described in `i2d_SAMPLE`. // -// Use |EVP_marshal_public_key| instead. +// Use `EVP_marshal_public_key` instead. OPENSSL_EXPORT int i2d_EC_PUBKEY(const EC_KEY *ec_key, uint8_t **outp); // d2i_EC_PUBKEY parses an EC public key as a DER-encoded SubjectPublicKeyInfo -// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// from `len` bytes at `*inp`, as described in `d2i_SAMPLE`. // SubjectPublicKeyInfo structures containing other key types are rejected. // -// Use |EVP_parse_public_key| instead. +// Use `EVP_parse_public_key` instead. OPENSSL_EXPORT EC_KEY *d2i_EC_PUBKEY(EC_KEY **out, const uint8_t **inp, long len); 
@@ -1438,45 +1437,45 @@ OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, OPENSSL_EXPORT int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits); -// EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of -// the given type. If successful, it returns one. If the |type| argument -// is not one of |EVP_PKEY_RSA|, |EVP_PKEY_DSA|, or |EVP_PKEY_EC| values or if -// |key| is NULL, it returns zero. This function may not be used with other -// |EVP_PKEY_*| types. +// EVP_PKEY_assign sets the underlying key of `pkey` to `key`, which must be of +// the given type. If successful, it returns one. If the `type` argument +// is not one of `EVP_PKEY_RSA`, `EVP_PKEY_DSA`, or `EVP_PKEY_EC` values or if +// `key` is NULL, it returns zero. This function may not be used with other +// `EVP_PKEY_*` types. // -// Use the |EVP_PKEY_assign_*| functions instead. +// Use the `EVP_PKEY_assign_*` functions instead. OPENSSL_EXPORT int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); -// EVP_PKEY_type returns |nid|. +// EVP_PKEY_type returns `nid`. OPENSSL_EXPORT int EVP_PKEY_type(int nid); -// EVP_PKEY_new_raw_private_key interprets |in| as a raw private key of type -// |type|, which must be an |EVP_PKEY_*| constant, such as |EVP_PKEY_X25519|, -// and returns a newly-allocated |EVP_PKEY|, or nullptr on error. +// EVP_PKEY_new_raw_private_key interprets `in` as a raw private key of type +// `type`, which must be an `EVP_PKEY_*` constant, such as `EVP_PKEY_X25519`, +// and returns a newly-allocated `EVP_PKEY`, or nullptr on error. // -// Prefer |EVP_PKEY_from_raw_private_key|, which allows dead code elimination to +// Prefer `EVP_PKEY_from_raw_private_key`, which allows dead code elimination to // discard algorithms that aren't reachable from the caller. 
OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *unused, const uint8_t *in, size_t len); -// EVP_PKEY_new_raw_public_key interprets |in| as a raw public key of type -// |type|, which must be an |EVP_PKEY_*| constant, such as |EVP_PKEY_X25519|, -// and returns a newly-allocated |EVP_PKEY|, or nullptr on error. +// EVP_PKEY_new_raw_public_key interprets `in` as a raw public key of type +// `type`, which must be an `EVP_PKEY_*` constant, such as `EVP_PKEY_X25519`, +// and returns a newly-allocated `EVP_PKEY`, or nullptr on error. // -// Prefer |EVP_PKEY_from_raw_private_key|, which allows dead code elimination to +// Prefer `EVP_PKEY_from_raw_private_key`, which allows dead code elimination to // discard algorithms that aren't reachable from the caller. OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *unused, const uint8_t *in, size_t len); -// EVP_PKEY_cmp calls |EVP_PKEY_eq|. It returns one if public keys are equal and +// EVP_PKEY_cmp calls `EVP_PKEY_eq`. It returns one if public keys are equal and // zero otherwise. // // WARNING: This differs from the traditional return value of a "cmp" function. OPENSSL_EXPORT int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b); -// EVP_PKEY_cmp_parameters calls |EVP_PKEY_parameters_eq|. It returns one if +// EVP_PKEY_cmp_parameters calls `EVP_PKEY_parameters_eq`. It returns one if // parameters are equal and zero otherwise. // // WARNING: This differs from the traditional return value of a "cmp" function. 
@@ -1490,7 +1489,7 @@ OPENSSL_EXPORT int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, // constants to 'ctrl' functions. To avoid breaking #ifdefs in consumers, this // section defines a number of legacy macros. -// |BORINGSSL_PREFIX| already makes some of these symbols into macros, so there +// `BORINGSSL_PREFIX` already makes some of these symbols into macros, so there // is no need to define conflicting macros; however it is compiler specific // which ones become macros. #if !defined(EVP_PKEY_CTX_set_rsa_oaep_md) diff --git a/third_party/boringssl/src/include/openssl/ex_data.h b/third_party/boringssl/src/include/openssl/ex_data.h index 6bb18747..1e567fe0 100644 --- a/third_party/boringssl/src/include/openssl/ex_data.h +++ b/third_party/boringssl/src/include/openssl/ex_data.h @@ -35,9 +35,9 @@ extern "C" { // Each type that supports ex_data provides three functions: -// TYPE_get_ex_new_index allocates a new index for |TYPE|. An optional -// |free_func| argument may be provided which is called when the owning object -// is destroyed. See |CRYPTO_EX_free| for details. The |argl| and |argp| +// TYPE_get_ex_new_index allocates a new index for `TYPE`. An optional +// `free_func` argument may be provided which is called when the owning object +// is destroyed. See `CRYPTO_EX_free` for details. The `argl` and `argp` // arguments are opaque values that are passed to the callback. It returns the // new index or a negative number on error. OPENSSL_EXPORT int TYPE_get_ex_new_index(long argl, void *argp, 
@@ -45,24 +45,24 @@ OPENSSL_EXPORT int TYPE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_dup *dup_unused, CRYPTO_EX_free *free_func); -// TYPE_set_ex_data sets an extra data pointer on |t|. The |index| argument -// must have been returned from a previous call to |TYPE_get_ex_new_index|. +// TYPE_set_ex_data sets an extra data pointer on `t`. The `index` argument +// must have been returned from a previous call to `TYPE_get_ex_new_index`. OPENSSL_EXPORT int TYPE_set_ex_data(TYPE *t, int index, void *arg); -// TYPE_get_ex_data returns an extra data pointer for |t|, or NULL if no such -// pointer exists. The |index| argument should have been returned from a -// previous call to |TYPE_get_ex_new_index|. +// TYPE_get_ex_data returns an extra data pointer for `t`, or NULL if no such +// pointer exists. The `index` argument should have been returned from a +// previous call to `TYPE_get_ex_new_index`. OPENSSL_EXPORT void *TYPE_get_ex_data(const TYPE *t, int index); // Some types additionally preallocate index zero, with all callbacks set to // NULL. Applications that do not need the general ex_data machinery may use // this instead. -// TYPE_set_app_data sets |t|'s application data pointer to |arg|. It returns +// TYPE_set_app_data sets `t`'s application data pointer to `arg`. It returns // one on success and zero on error. OPENSSL_EXPORT int TYPE_set_app_data(TYPE *t, void *arg); -// TYPE_get_app_data returns the application data pointer for |t|, or NULL if no +// TYPE_get_app_data returns the application data pointer for `t`, or NULL if no // such pointer exists. OPENSSL_EXPORT void *TYPE_get_app_data(const TYPE *t); 
@@ -77,19 +77,19 @@ typedef struct crypto_ex_data_st CRYPTO_EX_DATA; // CRYPTO_EX_free is a callback function that is called when an object of the // class with extra data pointers is being destroyed. For example, if this -// callback has been passed to |SSL_get_ex_new_index| then it may be called each -// time an |SSL*| is destroyed. +// callback has been passed to `SSL_get_ex_new_index` then it may be called each +// time an `SSL*` is destroyed. // -// |parent| and |ad| will be NULL. Historically, the parent object was passed in -// |parent|, but accessing the pointer was not safe because |parent| was in the +// `parent` and `ad` will be NULL. Historically, the parent object was passed in +// `parent`, but accessing the pointer was not safe because `parent` was in the // process of being destroyed. If the callback has access to some other pointer // to the parent object, it must not pass the pointer to any BoringSSL APIs. // Mid-destruction, invariants on the parent object no longer hold. // -// The arguments |argl| and |argp| contain opaque values that were given to -// |CRYPTO_get_ex_new_index_ex|. +// The arguments `argl` and `argp` contain opaque values that were given to +// `CRYPTO_get_ex_new_index_ex`. // -// This callback may be called with a NULL value for |ptr| if the object has no +// This callback may be called with a NULL value for `ptr` if the object has no // value set for this index. However, the callbacks may also be skipped entirely // if no extra data pointers are set on the object at all. typedef void CRYPTO_EX_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, diff --git a/third_party/boringssl/src/include/openssl/hkdf.h b/third_party/boringssl/src/include/openssl/hkdf.h index 19663db1..2e249e25 100644 --- a/third_party/boringssl/src/include/openssl/hkdf.h +++ b/third_party/boringssl/src/include/openssl/hkdf.h 
@@ -26,8 +26,8 @@ extern "C" { // HKDF computes HKDF (as specified by RFC 5869) of initial keying material -// |secret| with |salt| and |info| using |digest|, and outputs |out_len| bytes -// to |out_key|. It returns one on success and zero on error. +// `secret` with `salt` and `info` using `digest`, and outputs `out_len` bytes +// to `out_key`. It returns one on success and zero on error. // // HKDF is an Extract-and-Expand algorithm. It does not do any key stretching, // and as such, is not suited to be used alone to generate a key from a @@ -38,8 +38,8 @@ OPENSSL_EXPORT int HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *info, size_t info_len); // HKDF_extract computes a HKDF PRK (as specified by RFC 5869) from initial -// keying material |secret| and salt |salt| using |digest|, and outputs -// |out_len| bytes to |out_key|. The maximum output size is |EVP_MAX_MD_SIZE|. +// keying material `secret` and salt `salt` using `digest`, and outputs +// `out_len` bytes to `out_key`. The maximum output size is `EVP_MAX_MD_SIZE`. // It returns one on success and zero on error. // // WARNING: This function orders the inputs differently from RFC 5869 @@ -51,8 +51,8 @@ OPENSSL_EXPORT int HKDF_extract(uint8_t *out_key, size_t *out_len, size_t salt_len); // HKDF_expand computes a HKDF OKM (as specified by RFC 5869) of length -// |out_len| from the PRK |prk| and info |info| using |digest|, and outputs -// the result to |out_key|. It returns one on success and zero on error. +// `out_len` from the PRK `prk` and info `info` using `digest`, and outputs +// the result to `out_key`. It returns one on success and zero on error. OPENSSL_EXPORT int HKDF_expand(uint8_t *out_key, size_t out_len, const EVP_MD *digest, const uint8_t *prk, size_t prk_len, const uint8_t *info, diff --git a/third_party/boringssl/src/include/openssl/hmac.h b/third_party/boringssl/src/include/openssl/hmac.h index 2266f99f..18e9c024 100644 
--- a/third_party/boringssl/src/include/openssl/hmac.h +++ b/third_party/boringssl/src/include/openssl/hmac.h @@ -30,11 +30,11 @@ extern "C" { // One-shot operation. -// HMAC calculates the HMAC of |data_len| bytes of |data|, using the given key -// and hash function, and writes the result to |out|. On entry, |out| must -// contain at least |EVP_MD_size| bytes of space. The actual length of the -// result is written to |*out_len|. An output size of |EVP_MAX_MD_SIZE| will -// always be large enough. It returns |out| or NULL on error. +// HMAC calculates the HMAC of `data_len` bytes of `data`, using the given key +// and hash function, and writes the result to `out`. On entry, `out` must +// contain at least `EVP_MD_size` bytes of space. The actual length of the +// result is written to `*out_len`. An output size of `EVP_MAX_MD_SIZE` will +// always be large enough. It returns `out` or NULL on error. OPENSSL_EXPORT uint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len, const uint8_t *data, size_t data_len, uint8_t *out, 
@@ -43,47 +43,47 @@ OPENSSL_EXPORT uint8_t *HMAC(const EVP_MD *evp_md, const void *key, // Incremental operation. -// HMAC_CTX_init initialises |ctx| for use in an HMAC operation. It's assumed +// HMAC_CTX_init initialises `ctx` for use in an HMAC operation. It's assumed // that HMAC_CTX objects will be allocated on the stack thus no allocation // function is provided. OPENSSL_EXPORT void HMAC_CTX_init(HMAC_CTX *ctx); -// HMAC_CTX_new allocates and initialises a new |HMAC_CTX| and returns it, or -// NULL on allocation failure. The caller must use |HMAC_CTX_free| to release +// HMAC_CTX_new allocates and initialises a new `HMAC_CTX` and returns it, or +// NULL on allocation failure. The caller must use `HMAC_CTX_free` to release // the resulting object. OPENSSL_EXPORT HMAC_CTX *HMAC_CTX_new(void); -// HMAC_CTX_cleanup frees data owned by |ctx|. It does not free |ctx| itself. +// HMAC_CTX_cleanup frees data owned by `ctx`. It does not free `ctx` itself. OPENSSL_EXPORT void HMAC_CTX_cleanup(HMAC_CTX *ctx); -// HMAC_CTX_cleanse zeros the digest state from |ctx| and then performs the -// actions of |HMAC_CTX_cleanup|. +// HMAC_CTX_cleanse zeros the digest state from `ctx` and then performs the +// actions of `HMAC_CTX_cleanup`. OPENSSL_EXPORT void HMAC_CTX_cleanse(HMAC_CTX *ctx); -// HMAC_CTX_free calls |HMAC_CTX_cleanup| and then frees |ctx| itself. +// HMAC_CTX_free calls `HMAC_CTX_cleanup` and then frees `ctx` itself. OPENSSL_EXPORT void HMAC_CTX_free(HMAC_CTX *ctx); -// HMAC_Init_ex sets up an initialised |HMAC_CTX| to use |md| as the hash -// function and |key| as the key. For a non-initial call, |md| may be NULL, in +// HMAC_Init_ex sets up an initialised `HMAC_CTX` to use `md` as the hash +// function and `key` as the key. For a non-initial call, `md` may be NULL, in // which case the previous hash function will be used. If the hash function has -// not changed and |key| is NULL, |ctx| reuses the previous key. 
It returns one +// not changed and `key` is NULL, `ctx` reuses the previous key. It returns one // on success or zero on allocation failure. // // WARNING: NULL and empty keys are ambiguous on non-initial calls. Passing NULL -// |key| but repeating the previous |md| reuses the previous key rather than the +// `key` but repeating the previous `md` reuses the previous key rather than the // empty key. OPENSSL_EXPORT int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len, const EVP_MD *md, ENGINE *impl); -// HMAC_Update hashes |data_len| bytes from |data| into the current HMAC -// operation in |ctx|. It returns one. +// HMAC_Update hashes `data_len` bytes from `data` into the current HMAC +// operation in `ctx`. It returns one. OPENSSL_EXPORT int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len); -// HMAC_Final completes the HMAC operation in |ctx| and writes the result to -// |out|. If |out_len| is not |NULL| then it writes the length of the result to -// |*out_len|. On entry, |out| must contain at least |HMAC_size| bytes of -// space. An output size of |EVP_MAX_MD_SIZE| will always be large enough. It +// HMAC_Final completes the HMAC operation in `ctx` and writes the result to +// `out`. If `out_len` is not `NULL` then it writes the length of the result to +// `*out_len`. On entry, `out` must contain at least `HMAC_size` bytes of +// space. An output size of `EVP_MAX_MD_SIZE` will always be large enough. It // returns one on success or zero on allocation failure. OPENSSL_EXPORT int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len); 
@@ -92,18 +92,18 @@ OPENSSL_EXPORT int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, // Utility functions. // HMAC_size returns the size, in bytes, of the HMAC that will be produced by -// |ctx|. On entry, |ctx| must have been setup with |HMAC_Init_ex|. +// `ctx`. On entry, `ctx` must have been setup with `HMAC_Init_ex`. OPENSSL_EXPORT size_t HMAC_size(const HMAC_CTX *ctx); -// HMAC_CTX_get_md returns |ctx|'s hash function. +// HMAC_CTX_get_md returns `ctx`'s hash function. OPENSSL_EXPORT const EVP_MD *HMAC_CTX_get_md(const HMAC_CTX *ctx); -// HMAC_CTX_copy_ex sets |dest| equal to |src|. On entry, |dest| must have been -// initialised by calling |HMAC_CTX_init|. It returns one on success and zero +// HMAC_CTX_copy_ex sets `dest` equal to `src`. On entry, `dest` must have been +// initialised by calling `HMAC_CTX_init`. It returns one on success and zero // on error. OPENSSL_EXPORT int HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src); -// HMAC_CTX_reset calls |HMAC_CTX_cleanup| followed by |HMAC_CTX_init|. +// HMAC_CTX_reset calls `HMAC_CTX_cleanup` followed by `HMAC_CTX_init`. OPENSSL_EXPORT void HMAC_CTX_reset(HMAC_CTX *ctx); @@ -112,9 +112,9 @@ OPENSSL_EXPORT void HMAC_CTX_reset(HMAC_CTX *ctx); OPENSSL_EXPORT int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md); -// HMAC_CTX_copy calls |HMAC_CTX_init| on |dest| and then sets it equal to -// |src|. On entry, |dest| must /not/ be initialised for an operation with -// |HMAC_Init_ex|. It returns one on success and zero on error. +// HMAC_CTX_copy calls `HMAC_CTX_init` on `dest` and then sets it equal to +// `src`. On entry, `dest` must /not/ be initialised for an operation with +// `HMAC_Init_ex`. It returns one on success and zero on error. OPENSSL_EXPORT int HMAC_CTX_copy(HMAC_CTX *dest, const HMAC_CTX *src); diff --git a/third_party/boringssl/src/include/openssl/hpke.h b/third_party/boringssl/src/include/openssl/hpke.h index deacbc95..ae2d619e 100644 
--- a/third_party/boringssl/src/include/openssl/hpke.h +++ b/third_party/boringssl/src/include/openssl/hpke.h @@ -36,7 +36,7 @@ extern "C" { // Parameters. // // An HPKE context is parameterized by KEM, KDF, and AEAD algorithms, -// represented by |EVP_HPKE_KEM|, |EVP_HPKE_KDF|, and |EVP_HPKE_AEAD| types, +// represented by `EVP_HPKE_KEM`, `EVP_HPKE_KDF`, and `EVP_HPKE_AEAD` types, // respectively. // The following constants are KEM identifiers. 
@@ -48,31 +48,31 @@ extern "C" { // The following functions are KEM algorithms which may be used with HPKE. Note // that, while some HPKE KEMs use KDFs internally, this is separate from the -// |EVP_HPKE_KDF| selection. +// `EVP_HPKE_KDF` selection. OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_x25519_hkdf_sha256(void); OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_p256_hkdf_sha256(void); OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_xwing(void); OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_mlkem768(void); OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_hpke_mlkem1024(void); -// EVP_HPKE_KEM_id returns the HPKE KEM identifier for |kem|, which -// will be one of the |EVP_HPKE_KEM_*| constants. +// EVP_HPKE_KEM_id returns the HPKE KEM identifier for `kem`, which +// will be one of the `EVP_HPKE_KEM_*` constants. OPENSSL_EXPORT uint16_t EVP_HPKE_KEM_id(const EVP_HPKE_KEM *kem); // EVP_HPKE_MAX_PUBLIC_KEY_LENGTH is the maximum length of an encoded public key // for all KEMs currently supported by this library. #define EVP_HPKE_MAX_PUBLIC_KEY_LENGTH 1568 -// EVP_HPKE_KEM_public_key_len returns the length of a public key for |kem|. -// This value will be at most |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH|. +// EVP_HPKE_KEM_public_key_len returns the length of a public key for `kem`. +// This value will be at most `EVP_HPKE_MAX_PUBLIC_KEY_LENGTH`. OPENSSL_EXPORT size_t EVP_HPKE_KEM_public_key_len(const EVP_HPKE_KEM *kem); // EVP_HPKE_MAX_PRIVATE_KEY_LENGTH is the maximum length of an encoded private // key for all KEMs currently supported by this library. #define EVP_HPKE_MAX_PRIVATE_KEY_LENGTH 64 -// EVP_HPKE_KEM_private_key_len returns the length of a private key for |kem|. -// This value will be at most |EVP_HPKE_MAX_PRIVATE_KEY_LENGTH|. +// EVP_HPKE_KEM_private_key_len returns the length of a private key for `kem`. +// This value will be at most `EVP_HPKE_MAX_PRIVATE_KEY_LENGTH`. 
OPENSSL_EXPORT size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem); // EVP_HPKE_MAX_ENC_LENGTH is the maximum length of "enc", the encapsulated @@ -80,7 +80,7 @@ OPENSSL_EXPORT size_t EVP_HPKE_KEM_private_key_len(const EVP_HPKE_KEM *kem); #define EVP_HPKE_MAX_ENC_LENGTH 1568 // EVP_HPKE_KEM_enc_len returns the length of the "enc", the encapsulated shared -// secret, for |kem|. This value will be at most |EVP_HPKE_MAX_ENC_LENGTH|. +// secret, for `kem`. This value will be at most `EVP_HPKE_MAX_ENC_LENGTH`. OPENSSL_EXPORT size_t EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM *kem); // The following constants are KDF identifiers. @@ -88,15 +88,15 @@ OPENSSL_EXPORT size_t EVP_HPKE_KEM_enc_len(const EVP_HPKE_KEM *kem); #define EVP_HPKE_HKDF_SHA384 0x0002 // The following functions are KDF algorithms which may be used with HPKE. If -// unsure, use |EVP_hpke_hkdf_sha256|. +// unsure, use `EVP_hpke_hkdf_sha256`. OPENSSL_EXPORT const EVP_HPKE_KDF *EVP_hpke_hkdf_sha256(void); OPENSSL_EXPORT const EVP_HPKE_KDF *EVP_hpke_hkdf_sha384(void); -// EVP_HPKE_KDF_id returns the HPKE KDF identifier for |kdf|. +// EVP_HPKE_KDF_id returns the HPKE KDF identifier for `kdf`. OPENSSL_EXPORT uint16_t EVP_HPKE_KDF_id(const EVP_HPKE_KDF *kdf); -// EVP_HPKE_KDF_hkdf_md returns the HKDF hash function corresponding to |kdf|, -// or NULL if |kdf| is not an HKDF-based KDF. All currently supported KDFs are +// EVP_HPKE_KDF_hkdf_md returns the HKDF hash function corresponding to `kdf`, +// or NULL if `kdf` is not an HKDF-based KDF. All currently supported KDFs are // HKDF-based. OPENSSL_EXPORT const EVP_MD *EVP_HPKE_KDF_hkdf_md(const EVP_HPKE_KDF *kdf); 
@@ -110,90 +110,90 @@ OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_aes_128_gcm(void); OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_aes_256_gcm(void); OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_hpke_chacha20_poly1305(void); -// EVP_HPKE_AEAD_id returns the HPKE AEAD identifier for |aead|. +// EVP_HPKE_AEAD_id returns the HPKE AEAD identifier for `aead`. OPENSSL_EXPORT uint16_t EVP_HPKE_AEAD_id(const EVP_HPKE_AEAD *aead); -// EVP_HPKE_AEAD_aead returns the |EVP_AEAD| corresponding to |aead|. +// EVP_HPKE_AEAD_aead returns the `EVP_AEAD` corresponding to `aead`. OPENSSL_EXPORT const EVP_AEAD *EVP_HPKE_AEAD_aead(const EVP_HPKE_AEAD *aead); // Recipient keys. // // An HPKE recipient maintains a long-term KEM key. This library represents keys -// with the |EVP_HPKE_KEY| type. +// with the `EVP_HPKE_KEY` type. -// EVP_HPKE_KEY_zero sets an uninitialized |EVP_HPKE_KEY| to the zero state. The -// caller should then use |EVP_HPKE_KEY_init|, |EVP_HPKE_KEY_copy|, or -// |EVP_HPKE_KEY_generate| to finish initializing |key|. +// EVP_HPKE_KEY_zero sets an uninitialized `EVP_HPKE_KEY` to the zero state. The +// caller should then use `EVP_HPKE_KEY_init`, `EVP_HPKE_KEY_copy`, or +// `EVP_HPKE_KEY_generate` to finish initializing `key`. // -// It is safe, but not necessary to call |EVP_HPKE_KEY_cleanup| in this state. -// This may be used for more uniform cleanup of |EVP_HPKE_KEY|. +// It is safe, but not necessary to call `EVP_HPKE_KEY_cleanup` in this state. +// This may be used for more uniform cleanup of `EVP_HPKE_KEY`. OPENSSL_EXPORT void EVP_HPKE_KEY_zero(EVP_HPKE_KEY *key); -// EVP_HPKE_KEY_cleanup releases memory referenced by |key|. +// EVP_HPKE_KEY_cleanup releases memory referenced by `key`. OPENSSL_EXPORT void EVP_HPKE_KEY_cleanup(EVP_HPKE_KEY *key); -// EVP_HPKE_KEY_new returns a newly-allocated |EVP_HPKE_KEY|, or NULL on error. -// The caller must call |EVP_HPKE_KEY_free| on the result to release it. 
+// EVP_HPKE_KEY_new returns a newly-allocated `EVP_HPKE_KEY`, or NULL on error. +// The caller must call `EVP_HPKE_KEY_free` on the result to release it. // // This is a convenience function for callers that need a heap-allocated -// |EVP_HPKE_KEY|. +// `EVP_HPKE_KEY`. OPENSSL_EXPORT EVP_HPKE_KEY *EVP_HPKE_KEY_new(void); -// EVP_HPKE_KEY_free releases memory associated with |key|, which must have been -// created with |EVP_HPKE_KEY_new|. +// EVP_HPKE_KEY_free releases memory associated with `key`, which must have been +// created with `EVP_HPKE_KEY_new`. OPENSSL_EXPORT void EVP_HPKE_KEY_free(EVP_HPKE_KEY *key); -// EVP_HPKE_KEY_copy sets |dst| to a copy of |src|. It returns one on success -// and zero on error. On success, the caller must call |EVP_HPKE_KEY_cleanup| to -// release |dst|. On failure, calling |EVP_HPKE_KEY_cleanup| is safe, but not +// EVP_HPKE_KEY_copy sets `dst` to a copy of `src`. It returns one on success +// and zero on error. On success, the caller must call `EVP_HPKE_KEY_cleanup` to +// release `dst`. On failure, calling `EVP_HPKE_KEY_cleanup` is safe, but not // necessary. OPENSSL_EXPORT int EVP_HPKE_KEY_copy(EVP_HPKE_KEY *dst, const EVP_HPKE_KEY *src); -// EVP_HPKE_KEY_move sets |out|, which must be initialized or in the zero state, -// to the key in |in|. |in| is mutated and left in the zero state. +// EVP_HPKE_KEY_move sets `out`, which must be initialized or in the zero state, +// to the key in `in`. `in` is mutated and left in the zero state. OPENSSL_EXPORT void EVP_HPKE_KEY_move(EVP_HPKE_KEY *out, EVP_HPKE_KEY *in); -// EVP_HPKE_KEY_init decodes |priv_key| as a private key for |kem| and -// initializes |key| with the result. It returns one on success and zero if -// |priv_key| was invalid. On success, the caller must call -// |EVP_HPKE_KEY_cleanup| to release the key. On failure, calling -// |EVP_HPKE_KEY_cleanup| is safe, but not necessary. 
+// EVP_HPKE_KEY_init decodes `priv_key` as a private key for `kem` and +// initializes `key` with the result. It returns one on success and zero if +// `priv_key` was invalid. On success, the caller must call +// `EVP_HPKE_KEY_cleanup` to release the key. On failure, calling +// `EVP_HPKE_KEY_cleanup` is safe, but not necessary. OPENSSL_EXPORT int EVP_HPKE_KEY_init(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem, const uint8_t *priv_key, size_t priv_key_len); -// EVP_HPKE_KEY_generate sets |key| to a newly-generated key using |kem|. +// EVP_HPKE_KEY_generate sets `key` to a newly-generated key using `kem`. OPENSSL_EXPORT int EVP_HPKE_KEY_generate(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem); -// EVP_HPKE_KEY_derive deterministically derives a key from |ikm| for use with -// |kem| and initializes |key| with the result. It returns one on success and +// EVP_HPKE_KEY_derive deterministically derives a key from `ikm` for use with +// `kem` and initializes `key` with the result. It returns one on success and // zero on error. This corresponds to the DeriveKeyPair operation in RFC 9180. OPENSSL_EXPORT int EVP_HPKE_KEY_derive(EVP_HPKE_KEY *key, const EVP_HPKE_KEM *kem, const uint8_t *ikm, size_t ikm_len); -// EVP_HPKE_KEY_kem returns the HPKE KEM used by |key|. +// EVP_HPKE_KEY_kem returns the HPKE KEM used by `key`. OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_HPKE_KEY_kem(const EVP_HPKE_KEY *key); -// EVP_HPKE_KEY_public_key writes |key|'s public key to |out| and sets -// |*out_len| to the number of bytes written. On success, it returns one and -// writes at most |max_out| bytes. If |max_out| is too small, it returns zero. -// Setting |max_out| to |EVP_HPKE_MAX_PUBLIC_KEY_LENGTH| will ensure the public +// EVP_HPKE_KEY_public_key writes `key`'s public key to `out` and sets +// `*out_len` to the number of bytes written. On success, it returns one and +// writes at most `max_out` bytes. If `max_out` is too small, it returns zero. 
+// Setting `max_out` to `EVP_HPKE_MAX_PUBLIC_KEY_LENGTH` will ensure the public // key fits. An exact size can also be determined by -// |EVP_HPKE_KEM_public_key_len|. +// `EVP_HPKE_KEM_public_key_len`. OPENSSL_EXPORT int EVP_HPKE_KEY_public_key(const EVP_HPKE_KEY *key, uint8_t *out, size_t *out_len, size_t max_out); -// EVP_HPKE_KEY_private_key writes |key|'s private key to |out| and sets -// |*out_len| to the number of bytes written. On success, it returns one and -// writes at most |max_out| bytes. If |max_out| is too small, it returns zero. -// Setting |max_out| to |EVP_HPKE_MAX_PRIVATE_KEY_LENGTH| will ensure the +// EVP_HPKE_KEY_private_key writes `key`'s private key to `out` and sets +// `*out_len` to the number of bytes written. On success, it returns one and +// writes at most `max_out` bytes. If `max_out` is too small, it returns zero. +// Setting `max_out` to `EVP_HPKE_MAX_PRIVATE_KEY_LENGTH` will ensure the // private key fits. An exact size can also be determined by -// |EVP_HPKE_KEM_private_key_len|. +// `EVP_HPKE_KEM_private_key_len`. OPENSSL_EXPORT int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, uint8_t *out, size_t *out_len, size_t max_out); 
@@ -201,47 +201,47 @@ OPENSSL_EXPORT int EVP_HPKE_KEY_private_key(const EVP_HPKE_KEY *key, // Encryption contexts. // -// An HPKE encryption context is represented by the |EVP_HPKE_CTX| type. +// An HPKE encryption context is represented by the `EVP_HPKE_CTX` type. -// EVP_HPKE_CTX_zero sets an uninitialized |EVP_HPKE_CTX| to the zero state. The -// caller should then use one of the |EVP_HPKE_CTX_setup_*| functions to finish -// setting up |ctx|. +// EVP_HPKE_CTX_zero sets an uninitialized `EVP_HPKE_CTX` to the zero state. The +// caller should then use one of the `EVP_HPKE_CTX_setup_*` functions to finish +// setting up `ctx`. // -// It is safe, but not necessary to call |EVP_HPKE_CTX_cleanup| in this state. -// This may be used for more uniform cleanup of |EVP_HPKE_CTX|. +// It is safe, but not necessary to call `EVP_HPKE_CTX_cleanup` in this state. +// This may be used for more uniform cleanup of `EVP_HPKE_CTX`. OPENSSL_EXPORT void EVP_HPKE_CTX_zero(EVP_HPKE_CTX *ctx); -// EVP_HPKE_CTX_cleanup releases memory referenced by |ctx|. |ctx| must have -// been initialized with |EVP_HPKE_CTX_zero| or one of the -// |EVP_HPKE_CTX_setup_*| functions. +// EVP_HPKE_CTX_cleanup releases memory referenced by `ctx`. `ctx` must have +// been initialized with `EVP_HPKE_CTX_zero` or one of the +// `EVP_HPKE_CTX_setup_*` functions. OPENSSL_EXPORT void EVP_HPKE_CTX_cleanup(EVP_HPKE_CTX *ctx); -// EVP_HPKE_CTX_new returns a newly-allocated |EVP_HPKE_CTX|, or NULL on error. -// The caller must call |EVP_HPKE_CTX_free| on the result to release it. +// EVP_HPKE_CTX_new returns a newly-allocated `EVP_HPKE_CTX`, or NULL on error. +// The caller must call `EVP_HPKE_CTX_free` on the result to release it. // // This is a convenience function for callers that need a heap-allocated -// |EVP_HPKE_CTX|. +// `EVP_HPKE_CTX`. OPENSSL_EXPORT EVP_HPKE_CTX *EVP_HPKE_CTX_new(void); -// EVP_HPKE_CTX_free releases memory associated with |ctx|, which must have been -// created with |EVP_HPKE_CTX_new|. 
+// EVP_HPKE_CTX_free releases memory associated with `ctx`, which must have been +// created with `EVP_HPKE_CTX_new`. OPENSSL_EXPORT void EVP_HPKE_CTX_free(EVP_HPKE_CTX *ctx); // EVP_HPKE_CTX_setup_sender implements the SetupBaseS HPKE operation. It -// encapsulates a shared secret for |peer_public_key| and sets up |ctx| as a -// sender context. It writes the encapsulated shared secret to |out_enc| and -// sets |*out_enc_len| to the number of bytes written. It writes at most -// |max_enc| bytes and fails if the buffer is too small. Setting |max_enc| to at -// least |EVP_HPKE_MAX_ENC_LENGTH| will ensure the buffer is large enough. An -// exact size may also be determined by |EVP_PKEY_KEM_enc_len|. +// encapsulates a shared secret for `peer_public_key` and sets up `ctx` as a +// sender context. It writes the encapsulated shared secret to `out_enc` and +// sets `*out_enc_len` to the number of bytes written. It writes at most +// `max_enc` bytes and fails if the buffer is too small. Setting `max_enc` to at +// least `EVP_HPKE_MAX_ENC_LENGTH` will ensure the buffer is large enough. An +// exact size may also be determined by `EVP_PKEY_KEM_enc_len`. // // This function returns one on success and zero on error. Note that -// |peer_public_key| may be invalid, in which case this function will return an +// `peer_public_key` may be invalid, in which case this function will return an // error. // -// On success, callers may call |EVP_HPKE_CTX_seal| to encrypt messages for the -// recipient. Callers must then call |EVP_HPKE_CTX_cleanup| when done. On -// failure, calling |EVP_HPKE_CTX_cleanup| is safe, but not required. +// On success, callers may call `EVP_HPKE_CTX_seal` to encrypt messages for the +// recipient. Callers must then call `EVP_HPKE_CTX_cleanup` when done. On +// failure, calling `EVP_HPKE_CTX_cleanup` is safe, but not required. 
OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender( EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, const EVP_HPKE_KEM *kem, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, @@ -249,8 +249,8 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender( const uint8_t *info, size_t info_len); // EVP_HPKE_CTX_setup_sender_with_seed_for_testing behaves like -// |EVP_HPKE_CTX_setup_sender|, but takes a seed to behave deterministically. -// The seed's format depends on |kem|. For X25519, it is the sender's +// `EVP_HPKE_CTX_setup_sender`, but takes a seed to behave deterministically. +// The seed's format depends on `kem`. For X25519, it is the sender's // ephemeral private key. For P256, it's an HKDF input. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender_with_seed_for_testing( EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, 
@@ -259,21 +259,21 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_sender_with_seed_for_testing( const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len); // EVP_HPKE_CTX_setup_recipient implements the SetupBaseR HPKE operation. It -// decapsulates the shared secret in |enc| with |key| and sets up |ctx| as a +// decapsulates the shared secret in `enc` with `key` and sets up `ctx` as a // recipient context. It returns one on success and zero on failure. Note that -// |enc| may be invalid, in which case this function will return an error. +// `enc` may be invalid, in which case this function will return an error. // -// On success, callers may call |EVP_HPKE_CTX_open| to decrypt messages from the -// sender. Callers must then call |EVP_HPKE_CTX_cleanup| when done. On failure, -// calling |EVP_HPKE_CTX_cleanup| is safe, but not required. +// On success, callers may call `EVP_HPKE_CTX_open` to decrypt messages from the +// sender. Callers must then call `EVP_HPKE_CTX_cleanup` when done. On failure, +// calling `EVP_HPKE_CTX_cleanup` is safe, but not required. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_recipient( EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len, const uint8_t *info, size_t info_len); // EVP_HPKE_CTX_setup_auth_sender implements the SetupAuthS HPKE operation. It -// behaves like |EVP_HPKE_CTX_setup_sender| but authenticates the resulting -// context with |key|. +// behaves like `EVP_HPKE_CTX_setup_sender` but authenticates the resulting +// context with `key`. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender( EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, 
@@ -281,8 +281,8 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender( const uint8_t *info, size_t info_len); // EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing behaves like -// |EVP_HPKE_CTX_setup_auth_sender|, but takes a seed to behave -// deterministically. The seed's format depends on |kem|. For X25519, it is the +// `EVP_HPKE_CTX_setup_auth_sender`, but takes a seed to behave +// deterministically. The seed's format depends on `kem`. For X25519, it is the // sender's ephemeral private key. For P256, it's an HKDF input. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing( EVP_HPKE_CTX *ctx, uint8_t *out_enc, size_t *out_enc_len, size_t max_enc, @@ -291,8 +291,8 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_sender_with_seed_for_testing( const uint8_t *info, size_t info_len, const uint8_t *seed, size_t seed_len); // EVP_HPKE_CTX_setup_auth_recipient implements the SetupAuthR HPKE operation. -// It behaves like |EVP_HPKE_CTX_setup_recipient| but checks the resulting -// context was authenticated with |peer_public_key|. +// It behaves like `EVP_HPKE_CTX_setup_recipient` but checks the resulting +// context was authenticated with `peer_public_key`. OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_recipient( EVP_HPKE_CTX *ctx, const EVP_HPKE_KEY *key, const EVP_HPKE_KDF *kdf, const EVP_HPKE_AEAD *aead, const uint8_t *enc, size_t enc_len, 
@@ -302,50 +302,50 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_setup_auth_recipient( // Using an HPKE context. // -// Once set up, callers may encrypt or decrypt with an |EVP_HPKE_CTX| using the +// Once set up, callers may encrypt or decrypt with an `EVP_HPKE_CTX` using the // following functions. -// EVP_HPKE_CTX_open uses the HPKE context |ctx| to authenticate |in_len| bytes -// from |in| and |ad_len| bytes from |ad| and to decrypt at most |in_len| bytes -// into |out|. It returns one on success, and zero otherwise. +// EVP_HPKE_CTX_open uses the HPKE context `ctx` to authenticate `in_len` bytes +// from `in` and `ad_len` bytes from `ad` and to decrypt at most `in_len` bytes +// into `out`. It returns one on success, and zero otherwise. // -// This operation will fail if the |ctx| context is not set up as a receiver. +// This operation will fail if the `ctx` context is not set up as a receiver. // // Note that HPKE encryption is stateful and ordered. The sender's first call to -// |EVP_HPKE_CTX_seal| must correspond to the recipient's first call to -// |EVP_HPKE_CTX_open|, etc. +// `EVP_HPKE_CTX_seal` must correspond to the recipient's first call to +// `EVP_HPKE_CTX_open`, etc. // -// At most |in_len| bytes are written to |out|. In order to ensure success, -// |max_out_len| should be at least |in_len|. On successful return, |*out_len| +// At most `in_len` bytes are written to `out`. In order to ensure success, +// `max_out_len` should be at least `in_len`. On successful return, `*out_len` // is set to the actual number of bytes written. OPENSSL_EXPORT int EVP_HPKE_CTX_open(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len); -// EVP_HPKE_CTX_seal uses the HPKE context |ctx| to encrypt and authenticate -// |in_len| bytes of ciphertext |in| and authenticate |ad_len| bytes from |ad|, -// writing the result to |out|. It returns one on success and zero otherwise. 
+// EVP_HPKE_CTX_seal uses the HPKE context `ctx` to encrypt and authenticate +// `in_len` bytes of ciphertext `in` and authenticate `ad_len` bytes from `ad`, +// writing the result to `out`. It returns one on success and zero otherwise. // -// This operation will fail if the |ctx| context is not set up as a sender. +// This operation will fail if the `ctx` context is not set up as a sender. // // Note that HPKE encryption is stateful and ordered. The sender's first call to -// |EVP_HPKE_CTX_seal| must correspond to the recipient's first call to -// |EVP_HPKE_CTX_open|, etc. +// `EVP_HPKE_CTX_seal` must correspond to the recipient's first call to +// `EVP_HPKE_CTX_open`, etc. // -// At most, |max_out_len| encrypted bytes are written to |out|. On successful -// return, |*out_len| is set to the actual number of bytes written. +// At most, `max_out_len` encrypted bytes are written to `out`. On successful +// return, `*out_len` is set to the actual number of bytes written. // -// To ensure success, |max_out_len| should be |in_len| plus the result of -// |EVP_HPKE_CTX_max_overhead| or |EVP_HPKE_MAX_OVERHEAD|. +// To ensure success, `max_out_len` should be `in_len` plus the result of +// `EVP_HPKE_CTX_max_overhead` or `EVP_HPKE_MAX_OVERHEAD`. OPENSSL_EXPORT int EVP_HPKE_CTX_seal(EVP_HPKE_CTX *ctx, uint8_t *out, size_t *out_len, size_t max_out_len, const uint8_t *in, size_t in_len, const uint8_t *ad, size_t ad_len); -// EVP_HPKE_CTX_export uses the HPKE context |ctx| to export a secret of -// |secret_len| bytes into |out|. This function uses |context_len| bytes from -// |context| as a context string for the secret. This is necessary to separate +// EVP_HPKE_CTX_export uses the HPKE context `ctx` to export a secret of +// `secret_len` bytes into `out`. This function uses `context_len` bytes from +// `context` as a context string for the secret. This is necessary to separate // different uses of exported secrets and bind relevant caller-specific context // into the output. 
It returns one on success and zero otherwise. OPENSSL_EXPORT int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out, @@ -354,23 +354,23 @@ OPENSSL_EXPORT int EVP_HPKE_CTX_export(const EVP_HPKE_CTX *ctx, uint8_t *out, size_t context_len); // EVP_HPKE_MAX_OVERHEAD contains the largest value that -// |EVP_HPKE_CTX_max_overhead| would ever return for any context. +// `EVP_HPKE_CTX_max_overhead` would ever return for any context. #define EVP_HPKE_MAX_OVERHEAD EVP_AEAD_MAX_OVERHEAD // EVP_HPKE_CTX_max_overhead returns the maximum number of additional bytes -// added by sealing data with |EVP_HPKE_CTX_seal|. The |ctx| context must be set +// added by sealing data with `EVP_HPKE_CTX_seal`. The `ctx` context must be set // up as a sender. OPENSSL_EXPORT size_t EVP_HPKE_CTX_max_overhead(const EVP_HPKE_CTX *ctx); -// EVP_HPKE_CTX_kem returns |ctx|'s configured KEM, or NULL if the context has +// EVP_HPKE_CTX_kem returns `ctx`'s configured KEM, or NULL if the context has // not been set up. OPENSSL_EXPORT const EVP_HPKE_KEM *EVP_HPKE_CTX_kem(const EVP_HPKE_CTX *ctx); -// EVP_HPKE_CTX_aead returns |ctx|'s configured AEAD, or NULL if the context has +// EVP_HPKE_CTX_aead returns `ctx`'s configured AEAD, or NULL if the context has // not been set up. OPENSSL_EXPORT const EVP_HPKE_AEAD *EVP_HPKE_CTX_aead(const EVP_HPKE_CTX *ctx); -// EVP_HPKE_CTX_kdf returns |ctx|'s configured KDF, or NULL if the context has +// EVP_HPKE_CTX_kdf returns `ctx`'s configured KDF, or NULL if the context has // not been set up. OPENSSL_EXPORT const EVP_HPKE_KDF *EVP_HPKE_CTX_kdf(const EVP_HPKE_CTX *ctx); diff --git a/third_party/boringssl/src/include/openssl/hrss.h b/third_party/boringssl/src/include/openssl/hrss.h index 53fdade1..348ad497 100644 --- a/third_party/boringssl/src/include/openssl/hrss.h +++ b/third_party/boringssl/src/include/openssl/hrss.h 
@@ -72,18 +72,18 @@ OPENSSL_EXPORT int HRSS_generate_key( const uint8_t input[HRSS_GENERATE_KEY_BYTES]); // HRSS_encap is a deterministic function the generates and encrypts a random -// session key from the given entropy, writing those values to |out_shared_key| -// and |out_ciphertext|, respectively. It returns one on success or zero on +// session key from the given entropy, writing those values to `out_shared_key` +// and `out_ciphertext`, respectively. It returns one on success or zero on // malloc failure. OPENSSL_EXPORT int HRSS_encap(uint8_t out_ciphertext[HRSS_CIPHERTEXT_BYTES], uint8_t out_shared_key[HRSS_KEY_BYTES], const struct HRSS_public_key *in_pub, const uint8_t in[HRSS_ENCAP_BYTES]); -// HRSS_decap decrypts a session key from |ciphertext_len| bytes of -// |ciphertext|. If the ciphertext is valid, the decrypted key is written to -// |out_shared_key|. Otherwise the HMAC of |ciphertext| under a secret key (kept -// in |in_priv|) is written. If the ciphertext is the wrong length then it will +// HRSS_decap decrypts a session key from `ciphertext_len` bytes of +// `ciphertext`. If the ciphertext is valid, the decrypted key is written to +// `out_shared_key`. Otherwise the HMAC of `ciphertext` under a secret key (kept +// in `in_priv`) is written. If the ciphertext is the wrong length then it will // leak which was done via side-channels. Otherwise it should perform either // action in constant-time. It returns one on success (whether the ciphertext // was valid or not) and zero on malloc failure. 
@@ -91,11 +91,11 @@ OPENSSL_EXPORT int HRSS_decap(uint8_t out_shared_key[HRSS_KEY_BYTES], const struct HRSS_private_key *in_priv, const uint8_t *ciphertext, size_t ciphertext_len); -// HRSS_marshal_public_key serialises |in_pub| to |out|. +// HRSS_marshal_public_key serialises `in_pub` to `out`. OPENSSL_EXPORT void HRSS_marshal_public_key( uint8_t out[HRSS_PUBLIC_KEY_BYTES], const struct HRSS_public_key *in_pub); -// HRSS_parse_public_key sets |*out| to the public-key encoded in |in|. It +// HRSS_parse_public_key sets `*out` to the public-key encoded in `in`. It // returns true on success and zero on error. OPENSSL_EXPORT int HRSS_parse_public_key( struct HRSS_public_key *out, const uint8_t in[HRSS_PUBLIC_KEY_BYTES]); diff --git a/third_party/boringssl/src/include/openssl/kdf.h b/third_party/boringssl/src/include/openssl/kdf.h index b434e2d8..c619af1a 100644 --- a/third_party/boringssl/src/include/openssl/kdf.h +++ b/third_party/boringssl/src/include/openssl/kdf.h @@ -28,11 +28,11 @@ extern "C" { // HKDF-specific functions. // // The following functions are provided for OpenSSL compatibility. Prefer the -// HKDF functions in . In each, |ctx| must be created with -// |EVP_PKEY_CTX_new_id| with |EVP_PKEY_HKDF| and then initialized with -// |EVP_PKEY_derive_init|. +// HKDF functions in . In each, `ctx` must be created with +// `EVP_PKEY_CTX_new_id` with `EVP_PKEY_HKDF` and then initialized with +// `EVP_PKEY_derive_init`. -// EVP_PKEY_HKDEF_MODE_* define "modes" for use with |EVP_PKEY_CTX_hkdf_mode|. +// EVP_PKEY_HKDEF_MODE_* define "modes" for use with `EVP_PKEY_CTX_hkdf_mode`. // The misspelling of "HKDF" as "HKDEF" is intentional for OpenSSL // compatibility. #define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0 
@@ -40,12 +40,12 @@ extern "C" { #define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 2 // EVP_PKEY_CTX_hkdf_mode configures which HKDF operation to run. It returns one -// on success and zero on error. |mode| must be one of |EVP_PKEY_HKDEF_MODE_*|. -// By default, the mode is |EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND|. +// on success and zero on error. `mode` must be one of `EVP_PKEY_HKDEF_MODE_*`. +// By default, the mode is `EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND`. // -// If |mode| is |EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND| or -// |EVP_PKEY_HKDEF_MODE_EXPAND_ONLY|, the output is variable-length. -// |EVP_PKEY_derive| uses the size of the output buffer as the output length for +// If `mode` is `EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND` or +// `EVP_PKEY_HKDEF_MODE_EXPAND_ONLY`, the output is variable-length. +// `EVP_PKEY_derive` uses the size of the output buffer as the output length for // HKDF-Expand. // // WARNING: Although this API calls it a "mode", HKDF-Extract and HKDF-Expand 
@@ -53,31 +53,31 @@ extern "C" { // Callers should not pass input secrets for one operation into the other. OPENSSL_EXPORT int EVP_PKEY_CTX_hkdf_mode(EVP_PKEY_CTX *ctx, int mode); -// EVP_PKEY_CTX_set_hkdf_md sets |md| as the digest to use with HKDF. It returns +// EVP_PKEY_CTX_set_hkdf_md sets `md` as the digest to use with HKDF. It returns // one on success and zero on error. OPENSSL_EXPORT int EVP_PKEY_CTX_set_hkdf_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); -// EVP_PKEY_CTX_set1_hkdf_key configures HKDF to use |key_len| bytes from |key| +// EVP_PKEY_CTX_set1_hkdf_key configures HKDF to use `key_len` bytes from `key` // as the "key", described below. It returns one on success and zero on error. // -// Which input is the key depends on the "mode" (see |EVP_PKEY_CTX_hkdf_mode|). -// If |EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND| or -// |EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY|, this function specifies the input keying -// material (IKM) for HKDF-Extract. If |EVP_PKEY_HKDEF_MODE_EXPAND_ONLY|, it +// Which input is the key depends on the "mode" (see `EVP_PKEY_CTX_hkdf_mode`). +// If `EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND` or +// `EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY`, this function specifies the input keying +// material (IKM) for HKDF-Extract. If `EVP_PKEY_HKDEF_MODE_EXPAND_ONLY`, it // instead specifies the pseudorandom key (PRK) for HKDF-Expand. OPENSSL_EXPORT int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx, const uint8_t *key, size_t key_len); -// EVP_PKEY_CTX_set1_hkdf_salt configures HKDF to use |salt_len| bytes from -// |salt| as the salt parameter to HKDF-Extract. It returns one on success and +// EVP_PKEY_CTX_set1_hkdf_salt configures HKDF to use `salt_len` bytes from +// `salt` as the salt parameter to HKDF-Extract. It returns one on success and // zero on error. If performing HKDF-Expand only, this parameter is ignored. 
OPENSSL_EXPORT int EVP_PKEY_CTX_set1_hkdf_salt(EVP_PKEY_CTX *ctx, const uint8_t *salt, size_t salt_len); -// EVP_PKEY_CTX_add1_hkdf_info appends |info_len| bytes from |info| to the info +// EVP_PKEY_CTX_add1_hkdf_info appends `info_len` bytes from `info` to the info // parameter used with HKDF-Expand. It returns one on success and zero on error. // If performing HKDF-Extract only, this parameter is ignored. OPENSSL_EXPORT int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx, diff --git a/third_party/boringssl/src/include/openssl/md4.h b/third_party/boringssl/src/include/openssl/md4.h index 6703d72d..a43c2d8b 100644 --- a/third_party/boringssl/src/include/openssl/md4.h +++ b/third_party/boringssl/src/include/openssl/md4.h 
@@ -37,24 +37,24 @@ extern "C" { // MD4_DIGEST_LENGTH is the length of an MD4 digest. #define MD4_DIGEST_LENGTH 16 -// MD4_Init initialises |md4| and returns one. +// MD4_Init initialises `md4` and returns one. OPENSSL_EXPORT int MD4_Init(MD4_CTX *md4); -// MD4_Update adds |len| bytes from |data| to |md4| and returns one. +// MD4_Update adds `len` bytes from `data` to `md4` and returns one. OPENSSL_EXPORT int MD4_Update(MD4_CTX *md4, const void *data, size_t len); -// MD4_Final adds the final padding to |md4| and writes the resulting digest to -// |out|, which must have at least |MD4_DIGEST_LENGTH| bytes of space. It +// MD4_Final adds the final padding to `md4` and writes the resulting digest to +// `out`, which must have at least `MD4_DIGEST_LENGTH` bytes of space. It // returns one. OPENSSL_EXPORT int MD4_Final(uint8_t out[MD4_DIGEST_LENGTH], MD4_CTX *md4); -// MD4 writes the digest of |len| bytes from |data| to |out| and returns |out|. -// There must be at least |MD4_DIGEST_LENGTH| bytes of space in |out|. +// MD4 writes the digest of `len` bytes from `data` to `out` and returns `out`. +// There must be at least `MD4_DIGEST_LENGTH` bytes of space in `out`. OPENSSL_EXPORT uint8_t *MD4(const uint8_t *data, size_t len, uint8_t out[MD4_DIGEST_LENGTH]); // MD4_Transform is a low-level function that performs a single, MD4 block -// transformation using the state from |md4| and 64 bytes from |block|. +// transformation using the state from `md4` and 64 bytes from `block`. OPENSSL_EXPORT void MD4_Transform(MD4_CTX *md4, const uint8_t block[MD4_CBLOCK]); diff --git a/third_party/boringssl/src/include/openssl/md5.h b/third_party/boringssl/src/include/openssl/md5.h index 1e7d5190..373533d9 100644 --- a/third_party/boringssl/src/include/openssl/md5.h +++ b/third_party/boringssl/src/include/openssl/md5.h 
@@ -31,24 +31,24 @@ extern "C" { // MD5_DIGEST_LENGTH is the length of an MD5 digest. #define MD5_DIGEST_LENGTH 16 -// MD5_Init initialises |md5| and returns one. +// MD5_Init initialises `md5` and returns one. OPENSSL_EXPORT int MD5_Init(MD5_CTX *md5); -// MD5_Update adds |len| bytes from |data| to |md5| and returns one. +// MD5_Update adds `len` bytes from `data` to `md5` and returns one. OPENSSL_EXPORT int MD5_Update(MD5_CTX *md5, const void *data, size_t len); -// MD5_Final adds the final padding to |md5| and writes the resulting digest to -// |out|, which must have at least |MD5_DIGEST_LENGTH| bytes of space. It +// MD5_Final adds the final padding to `md5` and writes the resulting digest to +// `out`, which must have at least `MD5_DIGEST_LENGTH` bytes of space. It // returns one. OPENSSL_EXPORT int MD5_Final(uint8_t out[MD5_DIGEST_LENGTH], MD5_CTX *md5); -// MD5 writes the digest of |len| bytes from |data| to |out| and returns |out|. -// There must be at least |MD5_DIGEST_LENGTH| bytes of space in |out|. +// MD5 writes the digest of `len` bytes from `data` to `out` and returns `out`. +// There must be at least `MD5_DIGEST_LENGTH` bytes of space in `out`. OPENSSL_EXPORT uint8_t *MD5(const uint8_t *data, size_t len, uint8_t out[MD5_DIGEST_LENGTH]); // MD5_Transform is a low-level function that performs a single, MD5 block -// transformation using the state from |md5| and 64 bytes from |block|. +// transformation using the state from `md5` and 64 bytes from `block`. OPENSSL_EXPORT void MD5_Transform(MD5_CTX *md5, const uint8_t block[MD5_CBLOCK]); diff --git a/third_party/boringssl/src/include/openssl/mem.h b/third_party/boringssl/src/include/openssl/mem.h index e0ac688b..2b580c0a 100644 --- a/third_party/boringssl/src/include/openssl/mem.h +++ b/third_party/boringssl/src/include/openssl/mem.h 
@@ -29,45 +29,45 @@ extern "C" { // // BoringSSL has its own set of allocation functions, which keep track of // allocation lengths and zero them out before freeing. All memory returned by -// BoringSSL API calls must therefore generally be freed using |OPENSSL_free| +// BoringSSL API calls must therefore generally be freed using `OPENSSL_free` // unless stated otherwise. #ifndef _BORINGSSL_PROHIBIT_OPENSSL_MALLOC -// OPENSSL_malloc is similar to a regular |malloc|, but allocates additional -// private data. The resulting pointer must be freed with |OPENSSL_free|. In -// the case of a malloc failure, prior to returning NULL |OPENSSL_malloc| will -// push |ERR_R_MALLOC_FAILURE| onto the openssl error stack. +// OPENSSL_malloc is similar to a regular `malloc`, but allocates additional +// private data. The resulting pointer must be freed with `OPENSSL_free`. In +// the case of a malloc failure, prior to returning NULL `OPENSSL_malloc` will +// push `ERR_R_MALLOC_FAILURE` onto the openssl error stack. OPENSSL_EXPORT void *OPENSSL_malloc(size_t size); -// OPENSSL_zalloc behaves like |OPENSSL_malloc| except it also initializes the +// OPENSSL_zalloc behaves like `OPENSSL_malloc` except it also initializes the // resulting memory to zero. OPENSSL_EXPORT void *OPENSSL_zalloc(size_t size); -// OPENSSL_calloc is similar to a regular |calloc|, but allocates data with -// |OPENSSL_malloc|. On overflow, it will push |ERR_R_OVERFLOW| onto the error +// OPENSSL_calloc is similar to a regular `calloc`, but allocates data with +// `OPENSSL_malloc`. On overflow, it will push `ERR_R_OVERFLOW` onto the error // queue. OPENSSL_EXPORT void *OPENSSL_calloc(size_t num, size_t size); -// OPENSSL_realloc returns a pointer to a buffer of |new_size| bytes that -// contains the contents of |ptr|. Unlike |realloc|, a new buffer is always -// allocated and the data at |ptr| is always wiped and freed. Memory is -// allocated with |OPENSSL_malloc| and must be freed with |OPENSSL_free|. 
+// OPENSSL_realloc returns a pointer to a buffer of `new_size` bytes that +// contains the contents of `ptr`. Unlike `realloc`, a new buffer is always +// allocated and the data at `ptr` is always wiped and freed. Memory is +// allocated with `OPENSSL_malloc` and must be freed with `OPENSSL_free`. OPENSSL_EXPORT void *OPENSSL_realloc(void *ptr, size_t new_size); #endif // !_BORINGSSL_PROHIBIT_OPENSSL_MALLOC -// OPENSSL_free does nothing if |ptr| is NULL. Otherwise it zeros out the -// memory allocated at |ptr| and frees it along with the private data. -// It must only be used on on |ptr| values obtained from |OPENSSL_malloc| +// OPENSSL_free does nothing if `ptr` is NULL. Otherwise it zeros out the +// memory allocated at `ptr` and frees it along with the private data. +// It must only be used on on `ptr` values obtained from `OPENSSL_malloc` OPENSSL_EXPORT void OPENSSL_free(void *ptr); -// OPENSSL_cleanse zeros out |len| bytes of memory at |ptr|. This is similar to -// |memset_s| from C11. +// OPENSSL_cleanse zeros out `len` bytes of memory at `ptr`. This is similar to +// `memset_s` from C11. OPENSSL_EXPORT void OPENSSL_cleanse(void *ptr, size_t len); -// CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It -// takes an amount of time dependent on |len|, but independent of the contents -// of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a +// CRYPTO_memcmp returns zero iff the `len` bytes at `a` and `b` are equal. It +// takes an amount of time dependent on `len`, but independent of the contents +// of `a` and `b`. Unlike memcmp, it cannot be used to put elements into a // defined order as the return value when a != b is undefined, other than to be // non-zero. OPENSSL_EXPORT int CRYPTO_memcmp(const void *a, const void *b, size_t len); 
@@ -75,7 +75,7 @@ OPENSSL_EXPORT int CRYPTO_memcmp(const void *a, const void *b, size_t len); // OPENSSL_hash32 implements the 32 bit, FNV-1a hash. OPENSSL_EXPORT uint32_t OPENSSL_hash32(const void *ptr, size_t len); -// OPENSSL_strhash calls |OPENSSL_hash32| on the NUL-terminated string |s|. +// OPENSSL_strhash calls `OPENSSL_hash32` on the NUL-terminated string `s`. OPENSSL_EXPORT uint32_t OPENSSL_strhash(const char *s); // OPENSSL_strdup has the same behaviour as strdup(3). @@ -97,13 +97,13 @@ OPENSSL_EXPORT int OPENSSL_isdigit(int c); // digits. OPENSSL_EXPORT int OPENSSL_isxdigit(int c); -// OPENSSL_fromxdigit returns one if |c| is a hexadecimal digit as recognized -// by OPENSSL_isxdigit, and sets |out| to the corresponding value. Otherwise +// OPENSSL_fromxdigit returns one if `c` is a hexadecimal digit as recognized +// by OPENSSL_isxdigit, and sets `out` to the corresponding value. Otherwise // zero is returned. OPENSSL_EXPORT int OPENSSL_fromxdigit(uint8_t *out, int c); // OPENSSL_isalnum is a locale-independent, ASCII-only version of isalnum(3), It -// only recognizes what |OPENSSL_isalpha| and |OPENSSL_isdigit| recognize. +// only recognizes what `OPENSSL_isalpha` and `OPENSSL_isdigit` recognize. OPENSSL_EXPORT int OPENSSL_isalnum(int c); // OPENSSL_tolower is a locale-independent, ASCII-only version of tolower(3). It 
@@ -135,24 +135,24 @@ OPENSSL_EXPORT int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) OPENSSL_PRINTF_FORMAT_FUNC(3, 0); // OPENSSL_vasprintf has the same behavior as vasprintf(3), except that -// memory allocated in a returned string must be freed with |OPENSSL_free|. +// memory allocated in a returned string must be freed with `OPENSSL_free`. OPENSSL_EXPORT int OPENSSL_vasprintf(char **str, const char *format, va_list args) OPENSSL_PRINTF_FORMAT_FUNC(2, 0); // OPENSSL_asprintf has the same behavior as asprintf(3), except that -// memory allocated in a returned string must be freed with |OPENSSL_free|. +// memory allocated in a returned string must be freed with `OPENSSL_free`. OPENSSL_EXPORT int OPENSSL_asprintf(char **str, const char *format, ...) OPENSSL_PRINTF_FORMAT_FUNC(2, 3); -// OPENSSL_strndup returns an allocated, duplicate of |str|, which is, at most, -// |size| bytes. The result is always NUL terminated. The memory allocated -// must be freed with |OPENSSL_free|. +// OPENSSL_strndup returns an allocated, duplicate of `str`, which is, at most, +// `size` bytes. The result is always NUL terminated. The memory allocated +// must be freed with `OPENSSL_free`. OPENSSL_EXPORT char *OPENSSL_strndup(const char *str, size_t size); -// OPENSSL_memdup returns an allocated, duplicate of |size| bytes from |data| or +// OPENSSL_memdup returns an allocated, duplicate of `size` bytes from `data` or // NULL on allocation failure. The memory allocated must be freed with -// |OPENSSL_free|. +// `OPENSSL_free`. OPENSSL_EXPORT void *OPENSSL_memdup(const void *data, size_t size); // OPENSSL_strlcpy acts like strlcpy(3). 
@@ -166,18 +166,18 @@ OPENSSL_EXPORT size_t OPENSSL_strlcat(char *dst, const char *src, // Deprecated functions. -// CRYPTO_malloc calls |OPENSSL_malloc|. |file| and |line| are ignored. +// CRYPTO_malloc calls `OPENSSL_malloc`. `file` and `line` are ignored. OPENSSL_EXPORT void *CRYPTO_malloc(size_t size, const char *file, int line); -// CRYPTO_realloc calls |OPENSSL_realloc|. |file| and |line| are ignored. +// CRYPTO_realloc calls `OPENSSL_realloc`. `file` and `line` are ignored. OPENSSL_EXPORT void *CRYPTO_realloc(void *ptr, size_t new_size, const char *file, int line); -// CRYPTO_free calls |OPENSSL_free|. |file| and |line| are ignored. +// CRYPTO_free calls `OPENSSL_free`. `file` and `line` are ignored. OPENSSL_EXPORT void CRYPTO_free(void *ptr, const char *file, int line); -// OPENSSL_clear_free calls |OPENSSL_free|. BoringSSL automatically clears all -// allocations on free, but we define |OPENSSL_clear_free| for compatibility. +// OPENSSL_clear_free calls `OPENSSL_free`. BoringSSL automatically clears all +// allocations on free, but we define `OPENSSL_clear_free` for compatibility. OPENSSL_EXPORT void OPENSSL_clear_free(void *ptr, size_t len); // CRYPTO_secure_malloc_init returns zero. @@ -189,10 +189,10 @@ OPENSSL_EXPORT int CRYPTO_secure_malloc_initialized(void); // CRYPTO_secure_used returns zero. OPENSSL_EXPORT size_t CRYPTO_secure_used(void); -// OPENSSL_secure_malloc calls |OPENSSL_malloc|. +// OPENSSL_secure_malloc calls `OPENSSL_malloc`. OPENSSL_EXPORT void *OPENSSL_secure_malloc(size_t size); -// OPENSSL_secure_clear_free calls |OPENSSL_clear_free|. +// OPENSSL_secure_clear_free calls `OPENSSL_clear_free`. OPENSSL_EXPORT void OPENSSL_secure_clear_free(void *ptr, size_t len); diff --git a/third_party/boringssl/src/include/openssl/mldsa.h b/third_party/boringssl/src/include/openssl/mldsa.h index 3d6b04c7..6651f75b 100644 --- a/third_party/boringssl/src/include/openssl/mldsa.h +++ b/third_party/boringssl/src/include/openssl/mldsa.h 
@@ -74,8 +74,8 @@ struct MLDSA65_prehash { #define MLDSA65_SIGNATURE_BYTES 3309 // MLDSA65_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key|, writes the seed to -// |out_seed|, and sets |out_private_key| to the private key. Returns 1 on +// encoded public key to `out_encoded_public_key`, writes the seed to +// `out_seed`, and sets `out_private_key` to the private key. Returns 1 on // success and 0 on allocation failure. OPENSSL_EXPORT int MLDSA65_generate_key( uint8_t out_encoded_public_key[MLDSA65_PUBLIC_KEY_BYTES], 
@@ -83,34 +83,34 @@ OPENSSL_EXPORT int MLDSA65_generate_key( struct MLDSA65_private_key *out_private_key); // MLDSA65_private_key_from_seed regenerates a private key from a seed value -// that was generated by |MLDSA65_generate_key|. Returns 1 on success and 0 on -// allocation failure or if |seed_len| is incorrect. +// that was generated by `MLDSA65_generate_key`. Returns 1 on success and 0 on +// allocation failure or if `seed_len` is incorrect. OPENSSL_EXPORT int MLDSA65_private_key_from_seed( struct MLDSA65_private_key *out_private_key, const uint8_t *seed, size_t seed_len); -// MLDSA65_public_from_private sets |*out_public_key| to the public key that -// corresponds to |private_key|. Returns 1 on success and 0 on failure. +// MLDSA65_public_from_private sets `*out_public_key` to the public key that +// corresponds to `private_key`. Returns 1 on success and 0 on failure. OPENSSL_EXPORT int MLDSA65_public_from_private( struct MLDSA65_public_key *out_public_key, const struct MLDSA65_private_key *private_key); -// MLDSA65_sign generates a signature for the message |msg| of length -// |msg_len| using |private_key| (following the randomized algorithm), and -// writes the encoded signature to |out_encoded_signature|. The |context| +// MLDSA65_sign generates a signature for the message `msg` of length +// `msg_len` using `private_key` (following the randomized algorithm), and +// writes the encoded signature to `out_encoded_signature`. The `context` // argument is also signed over and can be used to include implicit contextual -// information that isn't included in |msg|. The same value of |context| must be -// presented to |MLDSA65_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// information that isn't included in `msg`. The same value of `context` must be +// presented to `MLDSA65_verify` in order for the generated signature to be +// considered valid. 
`context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). Returns 1 on success and 0 on failure. OPENSSL_EXPORT int MLDSA65_sign( uint8_t out_encoded_signature[MLDSA65_SIGNATURE_BYTES], const struct MLDSA65_private_key *private_key, const uint8_t *msg, size_t msg_len, const uint8_t *context, size_t context_len); -// MLDSA65_verify verifies that |signature| constitutes a valid -// signature for the message |msg| of length |msg_len| using |public_key|. The -// value of |context| must equal the value that was passed to |MLDSA65_sign| +// MLDSA65_verify verifies that `signature` constitutes a valid +// signature for the message `msg` of length `msg_len` using `public_key`. The +// value of `context` must equal the value that was passed to `MLDSA65_sign` // when the signature was generated. Returns 1 on success or 0 on error. OPENSSL_EXPORT int MLDSA65_verify(const struct MLDSA65_public_key *public_key, const uint8_t *signature, 
@@ -118,11 +118,11 @@ OPENSSL_EXPORT int MLDSA65_verify(const struct MLDSA65_public_key *public_key, size_t msg_len, const uint8_t *context, size_t context_len); -// MLDSA65_prehash_init initializes a pre-hashing state using |public_key|. The -// |context| argument can be used to include implicit contextual information -// that isn't included in the message. The same value of |context| must be -// presented to |MLDSA65_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// MLDSA65_prehash_init initializes a pre-hashing state using `public_key`. The +// `context` argument can be used to include implicit contextual information +// that isn't included in the message. The same value of `context` must be +// presented to `MLDSA65_verify` in order for the generated signature to be +// considered valid. `context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). Returns 1 on success and 0 on failure (if the // context is too long). OPENSSL_EXPORT int MLDSA65_prehash_init( 
@@ -130,26 +130,26 @@ OPENSSL_EXPORT int MLDSA65_prehash_init( const struct MLDSA65_public_key *public_key, const uint8_t *context, size_t context_len); -// MLDSA65_prehash_update incorporates the given |msg| of length |msg_len| into +// MLDSA65_prehash_update incorporates the given `msg` of length `msg_len` into // the pre-hashing state. This can be called multiple times on successive chunks -// of the message. This should be called after |MLDSA65_prehash_init| and before -// |MLDSA65_prehash_finalize|. +// of the message. This should be called after `MLDSA65_prehash_init` and before +// `MLDSA65_prehash_finalize`. OPENSSL_EXPORT void MLDSA65_prehash_update(struct MLDSA65_prehash *inout_state, const uint8_t *msg, size_t msg_len); // MLDSA65_prehash_finalize extracts a pre-hashed message representative from // the given pre-hashing state. This should be called after -// |MLDSA65_prehash_init| and |MLDSA65_prehash_update|. The resulting -// |out_msg_rep| should then be passed to |MLDSA65_sign_message_representative| +// `MLDSA65_prehash_init` and `MLDSA65_prehash_update`. The resulting +// `out_msg_rep` should then be passed to `MLDSA65_sign_message_representative` // to obtain a signature. OPENSSL_EXPORT void MLDSA65_prehash_finalize( uint8_t out_msg_rep[MLDSA_MU_BYTES], struct MLDSA65_prehash *inout_state); // MLDSA65_sign_message_representative generates a signature for the pre-hashed -// message |msg_rep| using |private_key| (following the randomized algorithm), -// and writes the encoded signature to |out_encoded_signature|. The |msg_rep| -// should be obtained via calls to |MLDSA65_prehash_init|, -// |MLDSA65_prehash_update| and |MLDSA65_prehash_finalize| using the public key +// message `msg_rep` using `private_key` (following the randomized algorithm), +// and writes the encoded signature to `out_encoded_signature`. 
The `msg_rep` +// should be obtained via calls to `MLDSA65_prehash_init`, +// `MLDSA65_prehash_update` and `MLDSA65_prehash_finalize` using the public key // from the same key pair, otherwise the signature will not verify. Returns 1 on // success and 0 on failure. OPENSSL_EXPORT int MLDSA65_sign_message_representative( @@ -157,10 +157,10 @@ OPENSSL_EXPORT int MLDSA65_sign_message_representative( const struct MLDSA65_private_key *private_key, const uint8_t msg_rep[MLDSA_MU_BYTES]); -// MLDSA65_verify_message_representative verifies that |signature| constitutes a -// valid signature for the pre-hashed message |msg_rep| using |public_key|. The -// |msg_rep| should be obtained via calls to |MLDSA65_prehash_init|, -// |MLDSA65_prehash_update| and |MLDSA65_prehash_finalize| using |public key| +// MLDSA65_verify_message_representative verifies that `signature` constitutes a +// valid signature for the pre-hashed message `msg_rep` using `public_key`. The +// `msg_rep` should be obtained via calls to `MLDSA65_prehash_init`, +// `MLDSA65_prehash_update` and `MLDSA65_prehash_finalize` using `public_key` // and the same context as when the signature was generated. Returns 1 on // success or 0 on error. OPENSSL_EXPORT int MLDSA65_verify_message_representative( 
@@ -168,16 +168,16 @@ OPENSSL_EXPORT int MLDSA65_verify_message_representative( const uint8_t *signature, size_t signature_len, const uint8_t msg_rep[MLDSA_MU_BYTES]); -// MLDSA65_marshal_public_key serializes |public_key| to |out| in the standard +// MLDSA65_marshal_public_key serializes `public_key` to `out` in the standard // format for ML-DSA-65 public keys. It returns 1 on success or 0 on // allocation error. OPENSSL_EXPORT int MLDSA65_marshal_public_key( CBB *out, const struct MLDSA65_public_key *public_key); // MLDSA65_parse_public_key parses a public key, in the format generated by -// |MLDSA65_marshal_public_key|, from |in| and writes the result to -// |out_public_key|. It returns 1 on success or 0 on parse error or if -// there are trailing bytes in |in|. +// `MLDSA65_marshal_public_key`, from `in` and writes the result to +// `out_public_key`. It returns 1 on success or 0 on parse error or if +// there are trailing bytes in `in`. OPENSSL_EXPORT int MLDSA65_parse_public_key( struct MLDSA65_public_key *public_key, CBS *in); @@ -224,8 +224,8 @@ struct MLDSA87_prehash { #define MLDSA87_SIGNATURE_BYTES 4627 // MLDSA87_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key|, writes the seed to -// |out_seed|, and sets |out_private_key| to the private key. Returns 1 on +// encoded public key to `out_encoded_public_key`, writes the seed to +// `out_seed`, and sets `out_private_key` to the private key. Returns 1 on // success and 0 on allocation failure. OPENSSL_EXPORT int MLDSA87_generate_key( uint8_t out_encoded_public_key[MLDSA87_PUBLIC_KEY_BYTES], 
@@ -233,34 +233,34 @@ OPENSSL_EXPORT int MLDSA87_generate_key( struct MLDSA87_private_key *out_private_key); // MLDSA87_private_key_from_seed regenerates a private key from a seed value -// that was generated by |MLDSA87_generate_key|. Returns 1 on success and 0 on -// allocation failure or if |seed_len| is incorrect. +// that was generated by `MLDSA87_generate_key`. Returns 1 on success and 0 on +// allocation failure or if `seed_len` is incorrect. OPENSSL_EXPORT int MLDSA87_private_key_from_seed( struct MLDSA87_private_key *out_private_key, const uint8_t *seed, size_t seed_len); -// MLDSA87_public_from_private sets |*out_public_key| to the public key that -// corresponds to |private_key|. Returns 1 on success and 0 on failure. +// MLDSA87_public_from_private sets `*out_public_key` to the public key that +// corresponds to `private_key`. Returns 1 on success and 0 on failure. OPENSSL_EXPORT int MLDSA87_public_from_private( struct MLDSA87_public_key *out_public_key, const struct MLDSA87_private_key *private_key); -// MLDSA87_sign generates a signature for the message |msg| of length -// |msg_len| using |private_key| (following the randomized algorithm), and -// writes the encoded signature to |out_encoded_signature|. The |context| +// MLDSA87_sign generates a signature for the message `msg` of length +// `msg_len` using `private_key` (following the randomized algorithm), and +// writes the encoded signature to `out_encoded_signature`. The `context` // argument is also signed over and can be used to include implicit contextual -// information that isn't included in |msg|. The same value of |context| must be -// presented to |MLDSA87_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// information that isn't included in `msg`. The same value of `context` must be +// presented to `MLDSA87_verify` in order for the generated signature to be +// considered valid. 
`context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). Returns 1 on success and 0 on failure. OPENSSL_EXPORT int MLDSA87_sign( uint8_t out_encoded_signature[MLDSA87_SIGNATURE_BYTES], const struct MLDSA87_private_key *private_key, const uint8_t *msg, size_t msg_len, const uint8_t *context, size_t context_len); -// MLDSA87_verify verifies that |signature| constitutes a valid -// signature for the message |msg| of length |msg_len| using |public_key|. The -// value of |context| must equal the value that was passed to |MLDSA87_sign| +// MLDSA87_verify verifies that `signature` constitutes a valid +// signature for the message `msg` of length `msg_len` using `public_key`. The +// value of `context` must equal the value that was passed to `MLDSA87_sign` // when the signature was generated. Returns 1 on success or 0 on error. OPENSSL_EXPORT int MLDSA87_verify(const struct MLDSA87_public_key *public_key, const uint8_t *signature, 
@@ -268,11 +268,11 @@ OPENSSL_EXPORT int MLDSA87_verify(const struct MLDSA87_public_key *public_key, size_t msg_len, const uint8_t *context, size_t context_len); -// MLDSA87_prehash_init initializes a pre-hashing state using |public_key|. The -// |context| argument can be used to include implicit contextual information -// that isn't included in the message. The same value of |context| must be -// presented to |MLDSA87_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// MLDSA87_prehash_init initializes a pre-hashing state using `public_key`. The +// `context` argument can be used to include implicit contextual information +// that isn't included in the message. The same value of `context` must be +// presented to `MLDSA87_verify` in order for the generated signature to be +// considered valid. `context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). Returns 1 on success and 0 on failure (if the // context is too long). OPENSSL_EXPORT int MLDSA87_prehash_init( 
@@ -280,26 +280,26 @@ OPENSSL_EXPORT int MLDSA87_prehash_init( const struct MLDSA87_public_key *public_key, const uint8_t *context, size_t context_len); -// MLDSA87_prehash_update incorporates the given |msg| of length |msg_len| into +// MLDSA87_prehash_update incorporates the given `msg` of length `msg_len` into // the pre-hashing state. This can be called multiple times on successive chunks -// of the message. This should be called after |MLDSA87_prehash_init| and before -// |MLDSA87_prehash_finalize|. +// of the message. This should be called after `MLDSA87_prehash_init` and before +// `MLDSA87_prehash_finalize`. OPENSSL_EXPORT void MLDSA87_prehash_update(struct MLDSA87_prehash *inout_state, const uint8_t *msg, size_t msg_len); // MLDSA87_prehash_finalize extracts a pre-hashed message representative from // the given pre-hashing state. This should be called after -// |MLDSA87_prehash_init| and |MLDSA87_prehash_update|. The resulting -// |out_msg_rep| should then be passed to |MLDSA87_sign_message_representative| +// `MLDSA87_prehash_init` and `MLDSA87_prehash_update`. The resulting +// `out_msg_rep` should then be passed to `MLDSA87_sign_message_representative` // to obtain a signature. OPENSSL_EXPORT void MLDSA87_prehash_finalize( uint8_t out_msg_rep[MLDSA_MU_BYTES], struct MLDSA87_prehash *inout_state); // MLDSA87_sign_message_representative generates a signature for the pre-hashed -// message |msg_rep| using |private_key| (following the randomized algorithm), -// and writes the encoded signature to |out_encoded_signature|. The |msg_rep| -// should be obtained via calls to |MLDSA87_prehash_init|, -// |MLDSA87_prehash_update| and |MLDSA87_prehash_finalize| using the public key +// message `msg_rep` using `private_key` (following the randomized algorithm), +// and writes the encoded signature to `out_encoded_signature`. 
The `msg_rep` +// should be obtained via calls to `MLDSA87_prehash_init`, +// `MLDSA87_prehash_update` and `MLDSA87_prehash_finalize` using the public key // from the same key pair, otherwise the signature will not verify. Returns 1 on // success and 0 on failure. OPENSSL_EXPORT int MLDSA87_sign_message_representative( @@ -307,10 +307,10 @@ OPENSSL_EXPORT int MLDSA87_sign_message_representative( const struct MLDSA87_private_key *private_key, const uint8_t msg_rep[MLDSA_MU_BYTES]); -// MLDSA87_verify_message_representative verifies that |signature| constitutes a -// valid signature for the pre-hashed message |msg_rep| using |public_key|. The -// |msg_rep| should be obtained via calls to |MLDSA87_prehash_init|, -// |MLDSA87_prehash_update| and |MLDSA87_prehash_finalize| using |public key| +// MLDSA87_verify_message_representative verifies that `signature` constitutes a +// valid signature for the pre-hashed message `msg_rep` using `public_key`. The +// `msg_rep` should be obtained via calls to `MLDSA87_prehash_init`, +// `MLDSA87_prehash_update` and `MLDSA87_prehash_finalize` using `public_key` // and the same context as when the signature was generated. Returns 1 on // success or 0 on error. OPENSSL_EXPORT int MLDSA87_verify_message_representative( 
@@ -318,16 +318,16 @@ OPENSSL_EXPORT int MLDSA87_verify_message_representative( const uint8_t *signature, size_t signature_len, const uint8_t msg_rep[MLDSA_MU_BYTES]); -// MLDSA87_marshal_public_key serializes |public_key| to |out| in the standard +// MLDSA87_marshal_public_key serializes `public_key` to `out` in the standard // format for ML-DSA-87 public keys. It returns 1 on success or 0 on // allocation error. OPENSSL_EXPORT int MLDSA87_marshal_public_key( CBB *out, const struct MLDSA87_public_key *public_key); // MLDSA87_parse_public_key parses a public key, in the format generated by -// |MLDSA87_marshal_public_key|, from |in| and writes the result to -// |out_public_key|. It returns 1 on success or 0 on parse error or if -// there are trailing bytes in |in|. +// `MLDSA87_marshal_public_key`, from `in` and writes the result to +// `out_public_key`. It returns 1 on success or 0 on parse error or if +// there are trailing bytes in `in`. OPENSSL_EXPORT int MLDSA87_parse_public_key( struct MLDSA87_public_key *public_key, CBS *in); @@ -371,8 +371,8 @@ struct MLDSA44_prehash { #define MLDSA44_SIGNATURE_BYTES 2420 // MLDSA44_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key|, writes the seed to -// |out_seed|, and sets |out_private_key| to the private key. Returns 1 on +// encoded public key to `out_encoded_public_key`, writes the seed to +// `out_seed`, and sets `out_private_key` to the private key. Returns 1 on // success and 0 on allocation failure. OPENSSL_EXPORT int MLDSA44_generate_key( uint8_t out_encoded_public_key[MLDSA44_PUBLIC_KEY_BYTES], 
@@ -380,34 +380,34 @@ OPENSSL_EXPORT int MLDSA44_generate_key( struct MLDSA44_private_key *out_private_key); // MLDSA44_private_key_from_seed regenerates a private key from a seed value -// that was generated by |MLDSA44_generate_key|. Returns 1 on success and 0 on -// allocation failure or if |seed_len| is incorrect. +// that was generated by `MLDSA44_generate_key`. Returns 1 on success and 0 on +// allocation failure or if `seed_len` is incorrect. OPENSSL_EXPORT int MLDSA44_private_key_from_seed( struct MLDSA44_private_key *out_private_key, const uint8_t *seed, size_t seed_len); -// MLDSA44_public_from_private sets |*out_public_key| to the public key that -// corresponds to |private_key|. Returns 1 on success and 0 on failure. +// MLDSA44_public_from_private sets `*out_public_key` to the public key that +// corresponds to `private_key`. Returns 1 on success and 0 on failure. OPENSSL_EXPORT int MLDSA44_public_from_private( struct MLDSA44_public_key *out_public_key, const struct MLDSA44_private_key *private_key); -// MLDSA44_sign generates a signature for the message |msg| of length -// |msg_len| using |private_key| (following the randomized algorithm), and -// writes the encoded signature to |out_encoded_signature|. The |context| +// MLDSA44_sign generates a signature for the message `msg` of length +// `msg_len` using `private_key` (following the randomized algorithm), and +// writes the encoded signature to `out_encoded_signature`. The `context` // argument is also signed over and can be used to include implicit contextual -// information that isn't included in |msg|. The same value of |context| must be -// presented to |MLDSA44_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// information that isn't included in `msg`. The same value of `context` must be +// presented to `MLDSA44_verify` in order for the generated signature to be +// considered valid. 
`context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). Returns 1 on success and 0 on failure. OPENSSL_EXPORT int MLDSA44_sign( uint8_t out_encoded_signature[MLDSA44_SIGNATURE_BYTES], const struct MLDSA44_private_key *private_key, const uint8_t *msg, size_t msg_len, const uint8_t *context, size_t context_len); -// MLDSA44_verify verifies that |signature| constitutes a valid -// signature for the message |msg| of length |msg_len| using |public_key|. The -// value of |context| must equal the value that was passed to |MLDSA44_sign| +// MLDSA44_verify verifies that `signature` constitutes a valid +// signature for the message `msg` of length `msg_len` using `public_key`. The +// value of `context` must equal the value that was passed to `MLDSA44_sign` // when the signature was generated. Returns 1 on success or 0 on error. OPENSSL_EXPORT int MLDSA44_verify(const struct MLDSA44_public_key *public_key, const uint8_t *signature, 
@@ -415,11 +415,11 @@ OPENSSL_EXPORT int MLDSA44_verify(const struct MLDSA44_public_key *public_key, size_t msg_len, const uint8_t *context, size_t context_len); -// MLDSA44_prehash_init initializes a pre-hashing state using |public_key|. The -// |context| argument can be used to include implicit contextual information -// that isn't included in the message. The same value of |context| must be -// presented to |MLDSA44_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// MLDSA44_prehash_init initializes a pre-hashing state using `public_key`. The +// `context` argument can be used to include implicit contextual information +// that isn't included in the message. The same value of `context` must be +// presented to `MLDSA44_verify` in order for the generated signature to be +// considered valid. `context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). Returns 1 on success and 0 on failure (if the // context is too long). OPENSSL_EXPORT int MLDSA44_prehash_init( 
@@ -427,26 +427,26 @@ OPENSSL_EXPORT int MLDSA44_prehash_init( const struct MLDSA44_public_key *public_key, const uint8_t *context, size_t context_len); -// MLDSA44_prehash_update incorporates the given |msg| of length |msg_len| into +// MLDSA44_prehash_update incorporates the given `msg` of length `msg_len` into // the pre-hashing state. This can be called multiple times on successive chunks -// of the message. This should be called after |MLDSA44_prehash_init| and before -// |MLDSA44_prehash_finalize|. +// of the message. This should be called after `MLDSA44_prehash_init` and before +// `MLDSA44_prehash_finalize`. OPENSSL_EXPORT void MLDSA44_prehash_update(struct MLDSA44_prehash *inout_state, const uint8_t *msg, size_t msg_len); // MLDSA44_prehash_finalize extracts a pre-hashed message representative from // the given pre-hashing state. This should be called after -// |MLDSA44_prehash_init| and |MLDSA44_prehash_update|. The resulting -// |out_msg_rep| should then be passed to |MLDSA44_sign_message_representative| +// `MLDSA44_prehash_init` and `MLDSA44_prehash_update`. The resulting +// `out_msg_rep` should then be passed to `MLDSA44_sign_message_representative` // to obtain a signature. OPENSSL_EXPORT void MLDSA44_prehash_finalize( uint8_t out_msg_rep[MLDSA_MU_BYTES], struct MLDSA44_prehash *inout_state); // MLDSA44_sign_message_representative generates a signature for the pre-hashed -// message |msg_rep| using |private_key| (following the randomized algorithm), -// and writes the encoded signature to |out_encoded_signature|. The |msg_rep| -// should be obtained via calls to |MLDSA44_prehash_init|, -// |MLDSA44_prehash_update| and |MLDSA44_prehash_finalize| using the public key +// message `msg_rep` using `private_key` (following the randomized algorithm), +// and writes the encoded signature to `out_encoded_signature`. 
The `msg_rep` +// should be obtained via calls to `MLDSA44_prehash_init`, +// `MLDSA44_prehash_update` and `MLDSA44_prehash_finalize` using the public key // from the same key pair, otherwise the signature will not verify. Returns 1 on // success and 0 on failure. OPENSSL_EXPORT int MLDSA44_sign_message_representative( @@ -454,10 +454,10 @@ OPENSSL_EXPORT int MLDSA44_sign_message_representative( const struct MLDSA44_private_key *private_key, const uint8_t msg_rep[MLDSA_MU_BYTES]); -// MLDSA44_verify_message_representative verifies that |signature| constitutes a -// valid signature for the pre-hashed message |msg_rep| using |public_key|. The -// |msg_rep| should be obtained via calls to |MLDSA44_prehash_init|, -// |MLDSA44_prehash_update| and |MLDSA44_prehash_finalize| using |public key| +// MLDSA44_verify_message_representative verifies that `signature` constitutes a +// valid signature for the pre-hashed message `msg_rep` using `public_key`. The +// `msg_rep` should be obtained via calls to `MLDSA44_prehash_init`, +// `MLDSA44_prehash_update` and `MLDSA44_prehash_finalize` using `public_key` // and the same context as when the signature was generated. Returns 1 on // success or 0 on error. OPENSSL_EXPORT int MLDSA44_verify_message_representative( 
@@ -465,16 +465,16 @@ OPENSSL_EXPORT int MLDSA44_verify_message_representative( const uint8_t *signature, size_t signature_len, const uint8_t msg_rep[MLDSA_MU_BYTES]); -// MLDSA44_marshal_public_key serializes |public_key| to |out| in the standard +// MLDSA44_marshal_public_key serializes `public_key` to `out` in the standard // format for ML-DSA-44 public keys. It returns 1 on success or 0 on // allocation error. OPENSSL_EXPORT int MLDSA44_marshal_public_key( CBB *out, const struct MLDSA44_public_key *public_key); // MLDSA44_parse_public_key parses a public key, in the format generated by -// |MLDSA44_marshal_public_key|, from |in| and writes the result to -// |out_public_key|. It returns 1 on success or 0 on parse error or if -// there are trailing bytes in |in|. +// `MLDSA44_marshal_public_key`, from `in` and writes the result to +// `out_public_key`. It returns 1 on success or 0 on parse error or if +// there are trailing bytes in `in`. OPENSSL_EXPORT int MLDSA44_parse_public_key( struct MLDSA44_public_key *public_key, CBS *in); diff --git a/third_party/boringssl/src/include/openssl/mlkem.h b/third_party/boringssl/src/include/openssl/mlkem.h index 65b4e90f..89c22475 100644 --- a/third_party/boringssl/src/include/openssl/mlkem.h +++ b/third_party/boringssl/src/include/openssl/mlkem.h @@ -54,8 +54,8 @@ struct MLKEM768_private_key { #define MLKEM_SEED_BYTES 64 // MLKEM768_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key| and sets |out_private_key| to -// the private key. If |optional_out_seed| is not NULL then the seed used to +// encoded public key to `out_encoded_public_key` and sets `out_private_key` to +// the private key. If `optional_out_seed` is not NULL then the seed used to // generate the private key is written to it. OPENSSL_EXPORT void MLKEM768_generate_key( uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES], 
@@ -63,15 +63,15 @@ OPENSSL_EXPORT void MLKEM768_generate_key( struct MLKEM768_private_key *out_private_key); // MLKEM768_private_key_from_seed derives a private key from a seed that was -// generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is -// incorrect, otherwise it writes |*out_private_key| and returns 1. +// generated by `MLKEM768_generate_key`. It fails and returns 0 if `seed_len` is +// incorrect, otherwise it writes `*out_private_key` and returns 1. OPENSSL_EXPORT int MLKEM768_private_key_from_seed( struct MLKEM768_private_key *out_private_key, const uint8_t *seed, size_t seed_len); -// MLKEM768_public_from_private sets |*out_public_key| to the public key that -// corresponds to |private_key|. (This is faster than parsing the output of -// |MLKEM768_generate_key| if, for some reason, you need to encapsulate to a key +// MLKEM768_public_from_private sets `*out_public_key` to the public key that +// corresponds to `private_key`. (This is faster than parsing the output of +// `MLKEM768_generate_key` if, for some reason, you need to encapsulate to a key // that was just generated.) OPENSSL_EXPORT void MLKEM768_public_from_private( struct MLKEM768_public_key *out_public_key, 
@@ -83,21 +83,21 @@ OPENSSL_EXPORT void MLKEM768_public_from_private( // MLKEM_SHARED_SECRET_BYTES is the number of bytes in an ML-KEM shared secret. #define MLKEM_SHARED_SECRET_BYTES 32 -// MLKEM768_encap encrypts a random shared secret for |public_key|, writes the -// ciphertext to |out_ciphertext|, and writes the random shared secret to -// |out_shared_secret|. +// MLKEM768_encap encrypts a random shared secret for `public_key`, writes the +// ciphertext to `out_ciphertext`, and writes the random shared secret to +// `out_shared_secret`. OPENSSL_EXPORT void MLKEM768_encap( uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES], uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const struct MLKEM768_public_key *public_key); -// MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key| -// and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it -// returns 0, otherwise it returns 1. If |ciphertext| is invalid (but of the -// correct length), |out_shared_secret| is filled with a key that will always be -// the same for the same |ciphertext| and |private_key|, but which appears to be -// random unless one has access to |private_key|. These alternatives occur in -// constant time. Any subsequent symmetric encryption using |out_shared_secret| +// MLKEM768_decap decrypts a shared secret from `ciphertext` using `private_key` +// and writes it to `out_shared_secret`. If `ciphertext_len` is incorrect it +// returns 0, otherwise it returns 1. If `ciphertext` is invalid (but of the +// correct length), `out_shared_secret` is filled with a key that will always be +// the same for the same `ciphertext` and `private_key`, but which appears to be +// random unless one has access to `private_key`. These alternatives occur in +// constant time. Any subsequent symmetric encryption using `out_shared_secret` // must use an authenticated encryption scheme in order to discover the // decapsulation failure. OPENSSL_EXPORT int MLKEM768_decap( 
@@ -108,16 +108,16 @@ OPENSSL_EXPORT int MLKEM768_decap( // Serialisation of keys. -// MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard +// MLKEM768_marshal_public_key serializes `public_key` to `out` in the standard // format for ML-KEM-768 public keys. It returns one on success or zero on // allocation error. OPENSSL_EXPORT int MLKEM768_marshal_public_key( CBB *out, const struct MLKEM768_public_key *public_key); // MLKEM768_parse_public_key parses a public key, in the format generated by -// |MLKEM768_marshal_public_key|, from |in| and writes the result to -// |out_public_key|. It returns one on success or zero on parse error or if -// there are trailing bytes in |in|. +// `MLKEM768_marshal_public_key`, from `in` and writes the result to +// `out_public_key`. It returns one on success or zero on parse error or if +// there are trailing bytes in `in`. OPENSSL_EXPORT int MLKEM768_parse_public_key( struct MLKEM768_public_key *out_public_key, CBS *in); @@ -150,8 +150,8 @@ struct MLKEM1024_private_key { #define MLKEM1024_PUBLIC_KEY_BYTES 1568 // MLKEM1024_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key| and sets |out_private_key| to -// the private key. If |optional_out_seed| is not NULL then the seed used to +// encoded public key to `out_encoded_public_key` and sets `out_private_key` to +// the private key. If `optional_out_seed` is not NULL then the seed used to // generate the private key is written to it. OPENSSL_EXPORT void MLKEM1024_generate_key( uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES], 
@@ -159,15 +159,15 @@ OPENSSL_EXPORT void MLKEM1024_generate_key(
 struct MLKEM1024_private_key *out_private_key);
 // MLKEM1024_private_key_from_seed derives a private key from a seed that was
-// generated by |MLKEM1024_generate_key|. It fails and returns 0 if |seed_len|
-// is incorrect, otherwise it writes |*out_private_key| and returns 1.
+// generated by `MLKEM1024_generate_key`. It fails and returns 0 if `seed_len`
+// is incorrect, otherwise it writes `*out_private_key` and returns 1.
 OPENSSL_EXPORT int MLKEM1024_private_key_from_seed( struct MLKEM1024_private_key *out_private_key, const uint8_t *seed, size_t seed_len);
-// MLKEM1024_public_from_private sets |*out_public_key| to the public key that
-// corresponds to |private_key|. (This is faster than parsing the output of
-// |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a
+// MLKEM1024_public_from_private sets `*out_public_key` to the public key that
+// corresponds to `private_key`. (This is faster than parsing the output of
+// `MLKEM1024_generate_key` if, for some reason, you need to encapsulate to a
 // key that was just generated.)
 OPENSSL_EXPORT void MLKEM1024_public_from_private(
 struct MLKEM1024_public_key *out_public_key,
@@ -176,22 +176,22 @@ OPENSSL_EXPORT void MLKEM1024_public_from_private(
 // MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext.
 #define MLKEM1024_CIPHERTEXT_BYTES 1568
-// MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the
-// ciphertext to |out_ciphertext|, and writes the random shared secret to
-// |out_shared_secret|.
+// MLKEM1024_encap encrypts a random shared secret for `public_key`, writes the
+// ciphertext to `out_ciphertext`, and writes the random shared secret to
+// `out_shared_secret`.
 OPENSSL_EXPORT void MLKEM1024_encap( uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES], uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const struct MLKEM1024_public_key *public_key);
-// MLKEM1024_decap decrypts a shared secret from |ciphertext| using
-// |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is
-// incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid
-// (but of the correct length), |out_shared_secret| is filled with a key that
-// will always be the same for the same |ciphertext| and |private_key|, but
-// which appears to be random unless one has access to |private_key|. These
+// MLKEM1024_decap decrypts a shared secret from `ciphertext` using
+// `private_key` and writes it to `out_shared_secret`. If `ciphertext_len` is
+// incorrect it returns 0, otherwise it returns 1. If `ciphertext` is invalid
+// (but of the correct length), `out_shared_secret` is filled with a key that
+// will always be the same for the same `ciphertext` and `private_key`, but
+// which appears to be random unless one has access to `private_key`. These
 // alternatives occur in constant time. Any subsequent symmetric encryption
-// using |out_shared_secret| must use an authenticated encryption scheme in
+// using `out_shared_secret` must use an authenticated encryption scheme in
 // order to discover the decapsulation failure.
 OPENSSL_EXPORT int MLKEM1024_decap(
 uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
@@ -201,16 +201,16 @@ OPENSSL_EXPORT int MLKEM1024_decap(
 // Serialisation of ML-KEM-1024 keys.
-// MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard
+// MLKEM1024_marshal_public_key serializes `public_key` to `out` in the standard
 // format for ML-KEM-1024 public keys. It returns one on success or zero on
 // allocation error.
 OPENSSL_EXPORT int MLKEM1024_marshal_public_key( CBB *out, const struct MLKEM1024_public_key *public_key);
 // MLKEM1024_parse_public_key parses a public key, in the format generated by
-// |MLKEM1024_marshal_public_key|, from |in| and writes the result to
-// |out_public_key|. It returns one on success or zero on parse error or if
-// there are trailing bytes in |in|.
+// `MLKEM1024_marshal_public_key`, from `in` and writes the result to
+// `out_public_key`. It returns one on success or zero on parse error or if
+// there are trailing bytes in `in`.
 OPENSSL_EXPORT int MLKEM1024_parse_public_key( struct MLKEM1024_public_key *out_public_key, CBS *in);
diff --git a/third_party/boringssl/src/include/openssl/obj.h b/third_party/boringssl/src/include/openssl/obj.h
index b3fabca2..ba4f8032 100644
--- a/third_party/boringssl/src/include/openssl/obj.h
+++ b/third_party/boringssl/src/include/openssl/obj.h
@@ -42,46 +42,46 @@ extern "C" {
 // Basic operations.
-// OBJ_dup returns a duplicate copy of |obj| or NULL on allocation failure. The
-// caller must call |ASN1_OBJECT_free| on the result to release it.
+// OBJ_dup returns a duplicate copy of `obj` or NULL on allocation failure. The
+// caller must call `ASN1_OBJECT_free` on the result to release it.
 OPENSSL_EXPORT ASN1_OBJECT *OBJ_dup(const ASN1_OBJECT *obj);
-// OBJ_cmp returns a value less than, equal to or greater than zero if |a| is
-// less than, equal to or greater than |b|, respectively.
+// OBJ_cmp returns a value less than, equal to or greater than zero if `a` is
+// less than, equal to or greater than `b`, respectively.
 OPENSSL_EXPORT int OBJ_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b);
-// OBJ_get0_data returns a pointer to the DER representation of |obj|. This is
+// OBJ_get0_data returns a pointer to the DER representation of `obj`. This is
 // the contents of the DER-encoded identifier, not including the tag and length.
-// If |obj| does not have an associated object identifier (i.e. it is a nid-only
+// If `obj` does not have an associated object identifier (i.e. it is a nid-only
 // value), this value is the empty string.
 OPENSSL_EXPORT const uint8_t *OBJ_get0_data(const ASN1_OBJECT *obj);
-// OBJ_length returns the length of the DER representation of |obj|. This is the
+// OBJ_length returns the length of the DER representation of `obj`. This is the
 // contents of the DER-encoded identifier, not including the tag and length. If
-// |obj| does not have an associated object identifier (i.e. it is a nid-only
+// `obj` does not have an associated object identifier (i.e. it is a nid-only
 // value), this value is the empty string.
 OPENSSL_EXPORT size_t OBJ_length(const ASN1_OBJECT *obj);
 // Looking up nids.
-// OBJ_obj2nid returns the nid corresponding to |obj|, or |NID_undef| if no
+// OBJ_obj2nid returns the nid corresponding to `obj`, or `NID_undef` if no
 // such object is known.
 OPENSSL_EXPORT int OBJ_obj2nid(const ASN1_OBJECT *obj);
-// OBJ_cbs2nid returns the nid corresponding to the DER data in |cbs|, or
-// |NID_undef| if no such object is known.
+// OBJ_cbs2nid returns the nid corresponding to the DER data in `cbs`, or
+// `NID_undef` if no such object is known.
 OPENSSL_EXPORT int OBJ_cbs2nid(const CBS *cbs);
-// OBJ_sn2nid returns the nid corresponding to |short_name|, or |NID_undef| if
+// OBJ_sn2nid returns the nid corresponding to `short_name`, or `NID_undef` if
 // no such short name is known.
 OPENSSL_EXPORT int OBJ_sn2nid(const char *short_name);
-// OBJ_ln2nid returns the nid corresponding to |long_name|, or |NID_undef| if
+// OBJ_ln2nid returns the nid corresponding to `long_name`, or `NID_undef` if
 // no such long name is known.
 OPENSSL_EXPORT int OBJ_ln2nid(const char *long_name);
-// OBJ_txt2nid returns the nid corresponding to |s|, which may be a short name,
+// OBJ_txt2nid returns the nid corresponding to `s`, which may be a short name,
 // long name, or an ASCII string containing a dotted sequence of numbers. It
 // returns the nid or NID_undef if unknown.
 OPENSSL_EXPORT int OBJ_txt2nid(const char *s);
@@ -89,54 +89,54 @@ OPENSSL_EXPORT int OBJ_txt2nid(const char *s);
 // Getting information about nids.
-// OBJ_nid2obj returns the |ASN1_OBJECT| corresponding to |nid|, or NULL if
-// |nid| is unknown.
+// OBJ_nid2obj returns the `ASN1_OBJECT` corresponding to `nid`, or NULL if
+// `nid` is unknown.
 //
 // Although the output is not const, this function returns a static, immutable
-// |ASN1_OBJECT|. It is not necessary to release the object with
-// |ASN1_OBJECT_free|.
+// `ASN1_OBJECT`. It is not necessary to release the object with
+// `ASN1_OBJECT_free`.
 //
-// However, functions like |X509_ALGOR_set0| expect to take ownership of a
-// possibly dynamically-allocated |ASN1_OBJECT|. |ASN1_OBJECT_free| is a no-op
-// for static |ASN1_OBJECT|s, so |OBJ_nid2obj| is compatible with such
+// However, functions like `X509_ALGOR_set0` expect to take ownership of a
+// possibly dynamically-allocated `ASN1_OBJECT`. `ASN1_OBJECT_free` is a no-op
+// for static `ASN1_OBJECT`s, so `OBJ_nid2obj` is compatible with such
 // functions.
 //
 // Callers are encouraged to store the result of this function in a const
-// pointer. However, if using functions like |X509_ALGOR_set0|, callers may use
+// pointer. However, if using functions like `X509_ALGOR_set0`, callers may use
 // a non-const pointer and manage ownership.
 OPENSSL_EXPORT ASN1_OBJECT *OBJ_nid2obj(int nid);
-// OBJ_get_undef returns the object for |NID_undef|. Prefer this function over
-// |OBJ_nid2obj| to avoid pulling in the full OID table.
+// OBJ_get_undef returns the object for `NID_undef`. Prefer this function over
+// `OBJ_nid2obj` to avoid pulling in the full OID table.
 OPENSSL_EXPORT const ASN1_OBJECT *OBJ_get_undef(void);
-// OBJ_nid2sn returns the short name for |nid|, or NULL if |nid| is unknown.
+// OBJ_nid2sn returns the short name for `nid`, or NULL if `nid` is unknown.
 OPENSSL_EXPORT const char *OBJ_nid2sn(int nid);
-// OBJ_nid2ln returns the long name for |nid|, or NULL if |nid| is unknown.
+// OBJ_nid2ln returns the long name for `nid`, or NULL if `nid` is unknown.
 OPENSSL_EXPORT const char *OBJ_nid2ln(int nid);
-// OBJ_nid2cbb writes |nid| as an ASN.1 OBJECT IDENTIFIER to |out|. It returns
+// OBJ_nid2cbb writes `nid` as an ASN.1 OBJECT IDENTIFIER to `out`. It returns
 // one on success or zero otherwise.
 OPENSSL_EXPORT int OBJ_nid2cbb(CBB *out, int nid);
 // Dealing with textual representations of object identifiers.
-// OBJ_txt2obj returns an ASN1_OBJECT for the textual representation in |s|.
-// If |dont_search_names| is zero, then |s| will be matched against the long
-// and short names of a known objects to find a match. Otherwise |s| must
+// OBJ_txt2obj returns an ASN1_OBJECT for the textual representation in `s`.
+// If `dont_search_names` is zero, then `s` will be matched against the long
+// and short names of a known objects to find a match. Otherwise `s` must
 // contain an ASCII string with a dotted sequence of numbers. The resulting
 // object need not be previously known. It returns a freshly allocated
-// |ASN1_OBJECT| or NULL on error.
+// `ASN1_OBJECT` or NULL on error.
 OPENSSL_EXPORT ASN1_OBJECT *OBJ_txt2obj(const char *s, int dont_search_names);
-// OBJ_obj2txt converts |obj| to a textual representation. If
-// |always_return_oid| is zero then |obj| will be matched against known objects
+// OBJ_obj2txt converts `obj` to a textual representation. If
+// `always_return_oid` is zero then `obj` will be matched against known objects
 // and the long (preferably) or short name will be used if found. Otherwise
-// |obj| will be converted into a dotted sequence of integers. If |out| is not
-// NULL, then at most |out_len| bytes of the textual form will be written
-// there. If |out_len| is at least one, then string written to |out| will
+// `obj` will be converted into a dotted sequence of integers. If `out` is not
+// NULL, then at most `out_len` bytes of the textual form will be written
+// there. If `out_len` is at least one, then string written to `out` will
 // always be NUL terminated. It returns the number of characters that could
 // have been written, not including the final NUL, or -1 on error.
 OPENSSL_EXPORT int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj,
@@ -153,7 +153,7 @@ OPENSSL_EXPORT int OBJ_obj2txt(char *out, int out_len, const ASN1_OBJECT *obj,
 // address space add conflicting values, only one registration will take effect.
 // Avoid this function if possible. Instead, callers can process OIDs unknown to
 // BoringSSL by acting on the byte representation directly. See
-// |ASN1_OBJECT_create|, |OBJ_get0_data|, and |OBJ_length|.
+// `ASN1_OBJECT_create`, `OBJ_get0_data`, and `OBJ_length`.
 OPENSSL_EXPORT int OBJ_create(const char *oid, const char *short_name,
 const char *long_name);
@@ -165,20 +165,20 @@ OPENSSL_EXPORT int OBJ_create(const char *oid, const char *short_name,
 // and public-key algorithms and the NIDs that specify their combination.
 //
 // Sometimes the combination NID leaves the digest unspecified (e.g.
-// rsassaPss). In these cases, the digest NID is |NID_undef|.
+// rsassaPss). In these cases, the digest NID is `NID_undef`.
 // OBJ_find_sigid_algs finds the digest and public-key NIDs that correspond to
-// the signing algorithm |sign_nid|. If successful, it sets |*out_digest_nid|
-// and |*out_pkey_nid| and returns one. Otherwise it returns zero. Any of
-// |out_digest_nid| or |out_pkey_nid| can be NULL if the caller doesn't need
+// the signing algorithm `sign_nid`. If successful, it sets `*out_digest_nid`
+// and `*out_pkey_nid` and returns one. Otherwise it returns zero. Any of
+// `out_digest_nid` or `out_pkey_nid` can be NULL if the caller doesn't need
 // that output value.
 OPENSSL_EXPORT int OBJ_find_sigid_algs(int sign_nid, int *out_digest_nid, int *out_pkey_nid);
 // OBJ_find_sigid_by_algs finds the signature NID that corresponds to the
-// combination of |digest_nid| and |pkey_nid|. If success, it sets
-// |*out_sign_nid| and returns one. Otherwise it returns zero. The
-// |out_sign_nid| argument can be NULL if the caller only wishes to learn
+// combination of `digest_nid` and `pkey_nid`. If success, it sets
+// `*out_sign_nid` and returns one. Otherwise it returns zero. The
+// `out_sign_nid` argument can be NULL if the caller only wishes to learn
 // whether the combination is valid.
 OPENSSL_EXPORT int OBJ_find_sigid_by_algs(int *out_sign_nid, int digest_nid, int pkey_nid);
@@ -196,17 +196,17 @@ typedef struct obj_name_st {
 #define OBJ_NAME_TYPE_MD_METH 1
 #define OBJ_NAME_TYPE_CIPHER_METH 2
-// OBJ_NAME_do_all_sorted calls |callback| zero or more times, each time with
-// the name of a different primitive. If |type| is |OBJ_NAME_TYPE_MD_METH| then
-// the primitives will be hash functions, alternatively if |type| is
-// |OBJ_NAME_TYPE_CIPHER_METH| then the primitives will be ciphers or cipher
+// OBJ_NAME_do_all_sorted calls `callback` zero or more times, each time with
+// the name of a different primitive. If `type` is `OBJ_NAME_TYPE_MD_METH` then
+// the primitives will be hash functions, alternatively if `type` is
+// `OBJ_NAME_TYPE_CIPHER_METH` then the primitives will be ciphers or cipher
 // modes.
 //
 // This function is ill-specified and should never be used.
 OPENSSL_EXPORT void OBJ_NAME_do_all_sorted( int type, void (*callback)(const OBJ_NAME *, void *arg), void *arg);
-// OBJ_NAME_do_all calls |OBJ_NAME_do_all_sorted|.
+// OBJ_NAME_do_all calls `OBJ_NAME_do_all_sorted`.
 OPENSSL_EXPORT void OBJ_NAME_do_all(int type, void (*callback)(const OBJ_NAME *, void *arg), void *arg);
diff --git a/third_party/boringssl/src/include/openssl/opensslconf.h b/third_party/boringssl/src/include/openssl/opensslconf.h
index a41e49be..edd792cc 100644
--- a/third_party/boringssl/src/include/openssl/opensslconf.h
+++ b/third_party/boringssl/src/include/openssl/opensslconf.h
@@ -98,8 +98,8 @@
 // https://stackoverflow.com/questions/216510/extern-inline
 //
 // So in C, always use static inline, whereas in C++, use static inline
-// only if |BORINGSSL_ALWAYS_USE_STATIC_INLINE| is defined (which may be useful
-// for some FFI integrations in conjunction with |BORINGSSL_PREFIX|, as static
+// only if `BORINGSSL_ALWAYS_USE_STATIC_INLINE` is defined (which may be useful
+// for some FFI integrations in conjunction with `BORINGSSL_PREFIX`, as static
 // inline functions are local to the compilation unit and need no prefix).
 #if !defined(__cplusplus) && !defined(BORINGSSL_ALWAYS_USE_STATIC_INLINE)
 #define BORINGSSL_ALWAYS_USE_STATIC_INLINE
diff --git a/third_party/boringssl/src/include/openssl/params.h b/third_party/boringssl/src/include/openssl/params.h
index 95e3f4eb..21f22e7a 100644
--- a/third_party/boringssl/src/include/openssl/params.h
+++ b/third_party/boringssl/src/include/openssl/params.h
@@ -32,7 +32,7 @@ struct ossl_param_st {
 size_t return_size;
 };
-// OSSL_PARAM_END is a terminating element in an array of |OSSL_PARAM|s.
+// OSSL_PARAM_END is a terminating element in an array of `OSSL_PARAM`s.
 #define OSSL_PARAM_END {NULL, 0, NULL, 0, 0}
 #if defined(__cplusplus)
diff --git a/third_party/boringssl/src/include/openssl/pem.h b/third_party/boringssl/src/include/openssl/pem.h
index 0e491625..a01d9bfd 100644
--- a/third_party/boringssl/src/include/openssl/pem.h
+++ b/third_party/boringssl/src/include/openssl/pem.h
@@ -25,7 +25,7 @@
 #include
 // For compatibility with open-iscsi, which assumes that it can get
-// |OPENSSL_malloc| from pem.h or err.h
+// `OPENSSL_malloc` from pem.h or err.h
 #include
 #if defined(__cplusplus)
@@ -280,20 +280,20 @@ extern "C" {
 // "userdata": new with OpenSSL 0.9.4
 typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata);
-// PEM_read_bio reads from |bp|, until the next PEM block. If one is found, it
-// returns one and sets |*name|, |*header|, and |*data| to newly-allocated
+// PEM_read_bio reads from `bp`, until the next PEM block. If one is found, it
+// returns one and sets `*name`, `*header`, and `*data` to newly-allocated
 // buffers containing the PEM type, the header block, and the decoded data,
-// respectively. |*name| and |*header| are NUL-terminated C strings, while
-// |*data| has |*len| bytes. The caller must release each of |*name|, |*header|,
-// and |*data| with |OPENSSL_free| when done. If no PEM block is found, this
-// function returns zero and pushes |PEM_R_NO_START_LINE| to the error queue. If
+// respectively. `*name` and `*header` are NUL-terminated C strings, while
+// `*data` has `*len` bytes. The caller must release each of `*name`, `*header`,
+// and `*data` with `OPENSSL_free` when done. If no PEM block is found, this
+// function returns zero and pushes `PEM_R_NO_START_LINE` to the error queue. If
 // one is found, but there is an error decoding it, it returns zero and pushes
 // some other error to the error queue.
 OPENSSL_EXPORT int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, long *len);
-// PEM_write_bio writes a PEM block to |bp|, containing |len| bytes from |data|
-// as data. |name| and |hdr| are NUL-terminated C strings containing the PEM
+// PEM_write_bio writes a PEM block to `bp`, containing `len` bytes from `data`
+// as data. `name` and `hdr` are NUL-terminated C strings containing the PEM
 // type and header block, respectively. This function returns zero on error and
 // the number of bytes written on success.
 OPENSSL_EXPORT int PEM_write_bio(BIO *bp, const char *name, const char *hdr,
@@ -310,35 +310,35 @@ OPENSSL_EXPORT int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name,
 const unsigned char *pass, int pass_len, pem_password_cb *cb, void *u);
-// PEM_X509_INFO_read_bio reads PEM blocks from |bp| and decodes any
+// PEM_X509_INFO_read_bio reads PEM blocks from `bp` and decodes any
 // certificates, CRLs, and private keys found. It returns a
-// |STACK_OF(X509_INFO)| structure containing the results, or NULL on error.
+// `STACK_OF(X509_INFO)` structure containing the results, or NULL on error.
 //
-// If |sk| is NULL, the result on success will be a newly-allocated
-// |STACK_OF(X509_INFO)| structure which should be released with
-// |sk_X509_INFO_pop_free| and |X509_INFO_free| when done.
+// If `sk` is NULL, the result on success will be a newly-allocated
+// `STACK_OF(X509_INFO)` structure which should be released with
+// `sk_X509_INFO_pop_free` and `X509_INFO_free` when done.
 //
-// If |sk| is non-NULL, it appends the results to |sk| instead and returns |sk|
-// on success. In this case, the caller retains ownership of |sk| in both
+// If `sk` is non-NULL, it appends the results to `sk` instead and returns `sk`
+// on success. In this case, the caller retains ownership of `sk` in both
 // success and failure.
 //
-// This function will decrypt any encrypted certificates in |bp|, using |cb|,
+// This function will decrypt any encrypted certificates in `bp`, using `cb`,
 // but it will not decrypt encrypted private keys. Encrypted private keys are
-// instead represented as placeholder |X509_INFO| objects with an empty |x_pkey|
+// instead represented as placeholder `X509_INFO` objects with an empty `x_pkey`
 // field. This allows this function to be used with inputs with unencrypted
 // certificates, but encrypted passwords, without knowing the password. However,
 // it also means that this function cannot be used to decrypt the private key
 // when the password is known.
 //
 // WARNING: If the input contains "TRUSTED CERTIFICATE" PEM blocks, this
-// function parses auxiliary properties as in |d2i_X509_AUX|. Passing untrusted
+// function parses auxiliary properties as in `d2i_X509_AUX`. Passing untrusted
 // input to this function allows an attacker to influence those properties. See
-// |d2i_X509_AUX| for details.
+// `d2i_X509_AUX` for details.
 OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio( BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
-// PEM_X509_INFO_read behaves like |PEM_X509_INFO_read_bio| but reads from a
-// |FILE|.
+// PEM_X509_INFO_read behaves like `PEM_X509_INFO_read_bio` but reads from a
+// `FILE`.
 OPENSSL_EXPORT STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
@@ -355,9 +355,9 @@ OPENSSL_EXPORT int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
 const unsigned char *pass, int pass_len, pem_password_cb *callback, void *u);
-// PEM_def_callback treats |userdata| as a string and copies it into |buf|,
-// assuming its |size| is sufficient. Returns the length of the string, or -1 on
-// error. Error cases the buffer being too small, or |buf| and |userdata| being
+// PEM_def_callback treats `userdata` as a string and copies it into `buf`,
+// assuming its `size` is sufficient. Returns the length of the string, or -1 on
+// error. Error cases the buffer being too small, or `buf` and `userdata` being
 // NULL. Note that this is different from OpenSSL, which prompts for a password.
 OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag,
 void *userdata);
@@ -366,7 +366,7 @@ OPENSSL_EXPORT int PEM_def_callback(char *buf, int size, int rwflag,
 DECLARE_PEM_rw(X509, X509)
 // TODO(crbug.com/boringssl/426): When documenting these, copy the warning
-// about auxiliary properties from |PEM_X509_INFO_read_bio|.
+// about auxiliary properties from `PEM_X509_INFO_read_bio`.
 DECLARE_PEM_rw(X509_AUX, X509)
diff --git a/third_party/boringssl/src/include/openssl/pkcs7.h b/third_party/boringssl/src/include/openssl/pkcs7.h
index ec72683f..85c851ed 100644
--- a/third_party/boringssl/src/include/openssl/pkcs7.h
+++ b/third_party/boringssl/src/include/openssl/pkcs7.h
@@ -34,70 +34,70 @@ DECLARE_STACK_OF(CRYPTO_BUFFER)
 DECLARE_STACK_OF(X509)
 DECLARE_STACK_OF(X509_CRL)
-// PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from |cbs|
-// and appends the included certificates to |out_certs|. It returns one on
-// success and zero on error. |cbs| is advanced passed the structure.
+// PKCS7_get_raw_certificates parses a PKCS#7, SignedData structure from `cbs`
+// and appends the included certificates to `out_certs`. It returns one on
+// success and zero on error. `cbs` is advanced passed the structure.
 //
 // Note that a SignedData structure may contain no certificates, in which case
 // this function succeeds but does not append any certificates. Additionally,
 // certificates in SignedData structures are unordered. Callers should not
-// assume a particular order in |*out_certs| and may need to search for matches
+// assume a particular order in `*out_certs` and may need to search for matches
 // or run path-building algorithms.
 OPENSSL_EXPORT int PKCS7_get_raw_certificates( STACK_OF(CRYPTO_BUFFER) *out_certs, CBS *cbs, CRYPTO_BUFFER_POOL *pool);
-// PKCS7_get_certificates behaves like |PKCS7_get_raw_certificates| but parses
-// them into |X509| objects.
+// PKCS7_get_certificates behaves like `PKCS7_get_raw_certificates` but parses
+// them into `X509` objects.
 OPENSSL_EXPORT int PKCS7_get_certificates(STACK_OF(X509) *out_certs, CBS *cbs);
 // PKCS7_bundle_raw_certificates appends a PKCS#7, SignedData structure
-// containing |certs| to |out|. It returns one on success and zero on error.
+// containing `certs` to `out`. It returns one on success and zero on error.
 // Note that certificates in SignedData structures are unordered. The order in
-// |certs| will not be preserved.
+// `certs` will not be preserved.
 OPENSSL_EXPORT int PKCS7_bundle_raw_certificates( CBB *out, const STACK_OF(CRYPTO_BUFFER) *certs);
-// PKCS7_bundle_certificates behaves like |PKCS7_bundle_raw_certificates| but
-// takes |X509| objects as input.
+// PKCS7_bundle_certificates behaves like `PKCS7_bundle_raw_certificates` but
+// takes `X509` objects as input.
 OPENSSL_EXPORT int PKCS7_bundle_certificates( CBB *out, const STACK_OF(X509) *certs);
-// PKCS7_get_CRLs parses a PKCS#7, SignedData structure from |cbs| and appends
-// the included CRLs to |out_crls|. It returns one on success and zero on error.
-// |cbs| is advanced passed the structure.
+// PKCS7_get_CRLs parses a PKCS#7, SignedData structure from `cbs` and appends
+// the included CRLs to `out_crls`. It returns one on success and zero on error.
+// `cbs` is advanced passed the structure.
 //
 // Note that a SignedData structure may contain no CRLs, in which case this
 // function succeeds but does not append any CRLs. Additionally, CRLs in
 // SignedData structures are unordered. Callers should not assume an order in
-// |*out_crls| and may need to search for matches.
+// `*out_crls` and may need to search for matches.
 OPENSSL_EXPORT int PKCS7_get_CRLs(STACK_OF(X509_CRL) *out_crls, CBS *cbs);
 // PKCS7_bundle_CRLs appends a PKCS#7, SignedData structure containing
-// |crls| to |out|. It returns one on success and zero on error. Note that CRLs
-// in SignedData structures are unordered. The order in |crls| will not be
+// `crls` to `out`. It returns one on success and zero on error. Note that CRLs
+// in SignedData structures are unordered. The order in `crls` will not be
 // preserved.
 OPENSSL_EXPORT int PKCS7_bundle_CRLs(CBB *out, const STACK_OF(X509_CRL) *crls);
 // PKCS7_get_PEM_certificates reads a PEM-encoded, PKCS#7, SignedData structure
-// from |pem_bio| and appends the included certificates to |out_certs|. It
+// from `pem_bio` and appends the included certificates to `out_certs`. It
 // returns one on success and zero on error.
 //
 // Note that a SignedData structure may contain no certificates, in which case
 // this function succeeds but does not append any certificates. Additionally,
 // certificates in SignedData structures are unordered. Callers should not
-// assume a particular order in |*out_certs| and may need to search for matches
+// assume a particular order in `*out_certs` and may need to search for matches
 // or run path-building algorithms.
 OPENSSL_EXPORT int PKCS7_get_PEM_certificates(STACK_OF(X509) *out_certs, BIO *pem_bio);
 // PKCS7_get_PEM_CRLs reads a PEM-encoded, PKCS#7, SignedData structure from
-// |pem_bio| and appends the included CRLs to |out_crls|. It returns one on
+// `pem_bio` and appends the included CRLs to `out_crls`. It returns one on
 // success and zero on error.
 //
 // Note that a SignedData structure may contain no CRLs, in which case this
 // function succeeds but does not append any CRLs. Additionally, CRLs in
 // SignedData structures are unordered. Callers should not assume an order in
-// |*out_crls| and may need to search for matches.
+// `*out_crls` and may need to search for matches.
 OPENSSL_EXPORT int PKCS7_get_PEM_CRLs(STACK_OF(X509_CRL) *out_crls, BIO *pem_bio);
@@ -143,26 +143,26 @@ typedef struct {
 } PKCS7;
 // d2i_PKCS7 parses a BER-encoded, PKCS#7 signed data ContentInfo structure from
-// |len| bytes at |*inp|, as described in |d2i_SAMPLE|.
+// `len` bytes at `*inp`, as described in `d2i_SAMPLE`.
 OPENSSL_EXPORT PKCS7 *d2i_PKCS7(PKCS7 **out, const uint8_t **inp, size_t len);
-// d2i_PKCS7_bio behaves like |d2i_PKCS7| but reads the input from |bio|. If
-// the length of the object is indefinite the full contents of |bio| are read.
+// d2i_PKCS7_bio behaves like `d2i_PKCS7` but reads the input from `bio`. If
+// the length of the object is indefinite the full contents of `bio` are read.
 //
 // If the function fails then some unknown amount of data may have been read
-// from |bio|.
+// from `bio`.
 OPENSSL_EXPORT PKCS7 *d2i_PKCS7_bio(BIO *bio, PKCS7 **out);
-// i2d_PKCS7 marshals |p7| as a DER-encoded PKCS#7 ContentInfo structure, as
-// described in |i2d_SAMPLE|.
+// i2d_PKCS7 marshals `p7` as a DER-encoded PKCS#7 ContentInfo structure, as
+// described in `i2d_SAMPLE`.
 OPENSSL_EXPORT int i2d_PKCS7(const PKCS7 *p7, uint8_t **out);
-// i2d_PKCS7_bio writes |p7| to |bio|. It returns one on success and zero on
+// i2d_PKCS7_bio writes `p7` to `bio`. It returns one on success and zero on
 // error.
 OPENSSL_EXPORT int i2d_PKCS7_bio(BIO *bio, const PKCS7 *p7);
-// PKCS7_free releases memory associated with |p7|.
+// PKCS7_free releases memory associated with `p7`.
 OPENSSL_EXPORT void PKCS7_free(PKCS7 *p7);
 // PKCS7_type_is_data returns zero.
@@ -186,7 +186,7 @@ OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
 // PKCS7_DETACHED indicates that the PKCS#7 file specifies its data externally.
 #define PKCS7_DETACHED 0x40
-// The following flags cause |PKCS7_sign| to fail.
+// The following flags cause `PKCS7_sign` to fail.
 #define PKCS7_TEXT 0x1
 #define PKCS7_NOCERTS 0x2
 #define PKCS7_NOSIGS 0x4
@@ -201,17 +201,17 @@ OPENSSL_EXPORT int PKCS7_type_is_signedAndEnveloped(const PKCS7 *p7);
 // PKCS7_sign can operate in two modes to provide some backwards compatibility:
 //
-// The first mode assembles |certs| into a PKCS#7 signed data ContentInfo with
-// external data and no signatures. It returns a newly-allocated |PKCS7| on
-// success or NULL on error. |sign_cert| and |pkey| must be NULL. |data| is
-// ignored. |flags| must be equal to |PKCS7_DETACHED|. Additionally,
-// certificates in SignedData structures are unordered. The order of |certs|
+// The first mode assembles `certs` into a PKCS#7 signed data ContentInfo with
+// external data and no signatures. It returns a newly-allocated `PKCS7` on
+// success or NULL on error. `sign_cert` and `pkey` must be NULL. `data` is
+// ignored. `flags` must be equal to `PKCS7_DETACHED`. Additionally,
+// certificates in SignedData structures are unordered. The order of `certs`
 // will not be preserved.
 //
-// The second mode generates a detached RSA SHA-256 signature of |data| using
-// |pkey| and produces a PKCS#7 SignedData structure containing it. |certs|
-// must be NULL and |flags| must be exactly |PKCS7_NOATTR | PKCS7_BINARY |
-// PKCS7_NOCERTS | PKCS7_DETACHED|.
+// The second mode generates a detached RSA SHA-256 signature of `data` using
+// `pkey` and produces a PKCS#7 SignedData structure containing it. `certs`
+// must be NULL and `flags` must be exactly
+// `PKCS7_NOATTR | PKCS7_BINARY | PKCS7_NOCERTS | PKCS7_DETACHED`.
 //
 // Note this function only implements a subset of the corresponding OpenSSL
 // function. It is provided for backwards compatibility only.
diff --git a/third_party/boringssl/src/include/openssl/pkcs8.h b/third_party/boringssl/src/include/openssl/pkcs8.h
index a7052089..3abc0c7d 100644
--- a/third_party/boringssl/src/include/openssl/pkcs8.h
+++ b/third_party/boringssl/src/include/openssl/pkcs8.h
@@ -34,18 +34,18 @@ extern "C" { // PKCS8_encrypt serializes and encrypts a PKCS8_PRIV_KEY_INFO with PBES1 or // PBES2 as defined in PKCS #5. Only pbeWithSHAAnd128BitRC4, // pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, defined in PKCS -// #12, and PBES2, are supported. PBES2 is selected by setting |cipher| and -// passing -1 for |pbe_nid|. Otherwise, PBES1 is used and |cipher| is ignored. +// #12, and PBES2, are supported. PBES2 is selected by setting `cipher` and +// passing -1 for `pbe_nid`. Otherwise, PBES1 is used and `cipher` is ignored. // -// |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this +// `pass` is used as the password. If a PBES1 scheme from PKCS #12 is used, this // will be converted to a raw byte string as specified in B.1 of PKCS #12. If -// |pass| is NULL, it will be encoded as the empty byte string rather than two +// `pass` is NULL, it will be encoded as the empty byte string rather than two // zero bytes, the PKCS #12 encoding of the empty string. // -// If |salt| is NULL, a random salt of |salt_len| bytes is generated. If -// |salt_len| is zero, a default salt length is used instead. +// If `salt` is NULL, a random salt of `salt_len` bytes is generated. If +// `salt_len` is zero, a default salt length is used instead. // -// The resulting structure is stored in an |X509_SIG| which must be freed by the +// The resulting structure is stored in an `X509_SIG` which must be freed by the // caller. OPENSSL_EXPORT X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, int pass_len, 
@@ -53,8 +53,8 @@ OPENSSL_EXPORT X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, int iterations, PKCS8_PRIV_KEY_INFO *p8inf); -// PKCS8_marshal_encrypted_private_key behaves like |PKCS8_encrypt| but encrypts -// an |EVP_PKEY| and writes the serialized EncryptedPrivateKeyInfo to |out|. It +// PKCS8_marshal_encrypted_private_key behaves like `PKCS8_encrypt` but encrypts +// an `EVP_PKEY` and writes the serialized EncryptedPrivateKeyInfo to `out`. It // returns one on success and zero on error. OPENSSL_EXPORT int PKCS8_marshal_encrypted_private_key( CBB *out, int pbe_nid, const EVP_CIPHER *cipher, const char *pass, @@ -66,9 +66,9 @@ OPENSSL_EXPORT int PKCS8_marshal_encrypted_private_key( // pbeWithSHAAnd3-KeyTripleDES-CBC and pbeWithSHA1And40BitRC2, and PBES2, // defined in PKCS #12, are supported. // -// |pass| is used as the password. If a PBES1 scheme from PKCS #12 is used, this +// `pass` is used as the password. If a PBES1 scheme from PKCS #12 is used, this // will be converted to a raw byte string as specified in B.1 of PKCS #12. If -// |pass| is NULL, it will be encoded as the empty byte string rather than two +// `pass` is NULL, it will be encoded as the empty byte string rather than two // zero bytes, the PKCS #12 encoding of the empty string. // // The resulting structure must be freed by the caller. 
@@ -76,19 +76,19 @@ OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *pkcs8, const char *pass, int pass_len); -// PKCS8_parse_encrypted_private_key behaves like |PKCS8_decrypt| but it parses -// the EncryptedPrivateKeyInfo structure from |cbs| and advances |cbs|. It -// returns a newly-allocated |EVP_PKEY| on success and zero on error. +// PKCS8_parse_encrypted_private_key behaves like `PKCS8_decrypt` but it parses +// the EncryptedPrivateKeyInfo structure from `cbs` and advances `cbs`. It +// returns a newly-allocated `EVP_PKEY` on success and zero on error. OPENSSL_EXPORT EVP_PKEY *PKCS8_parse_encrypted_private_key(CBS *cbs, const char *pass, size_t pass_len); -// PKCS12_get_key_and_certs parses a PKCS#12 structure from |in|, authenticates -// and decrypts it using |password|, sets |*out_key| to the included private -// key and appends the included certificates to |out_certs|. It returns one on +// PKCS12_get_key_and_certs parses a PKCS#12 structure from `in`, authenticates +// and decrypts it using `password`, sets `*out_key` to the included private +// key and appends the included certificates to `out_certs`. It returns one on // success and zero on error. The caller takes ownership of the outputs. // Any friendlyName attributes (RFC 2985) in the PKCS#12 structure will be -// returned on the |X509| objects as aliases. See also |X509_alias_get0|. +// returned on the `X509` objects as aliases. See also `X509_alias_get0`. OPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key, STACK_OF(X509) *out_certs, CBS *in, const char *password); 
@@ -99,95 +99,95 @@ OPENSSL_EXPORT int PKCS12_get_key_and_certs(EVP_PKEY **out_key, // PKCS12_PBE_add does nothing. It exists for compatibility with OpenSSL. OPENSSL_EXPORT void PKCS12_PBE_add(void); -// d2i_PKCS12 is a dummy function that copies |*ber_bytes| into a -// |PKCS12| structure. The |out_p12| argument should be NULL(✝). On exit, -// |*ber_bytes| will be advanced by |ber_len|. It returns a fresh |PKCS12| +// d2i_PKCS12 is a dummy function that copies `*ber_bytes` into a +// `PKCS12` structure. The `out_p12` argument should be NULL(✝). On exit, +// `*ber_bytes` will be advanced by `ber_len`. It returns a fresh `PKCS12` // structure or NULL on error. // -// Note: unlike other d2i functions, |d2i_PKCS12| will always consume |ber_len| +// Note: unlike other d2i functions, `d2i_PKCS12` will always consume `ber_len` // bytes. // -// (✝) If |out_p12| is not NULL and the function is successful, |*out_p12| will -// be freed if not NULL itself and the result will be written to |*out_p12|. +// (✝) If `out_p12` is not NULL and the function is successful, `*out_p12` will +// be freed if not NULL itself and the result will be written to `*out_p12`. // New code should not depend on this. OPENSSL_EXPORT PKCS12 *d2i_PKCS12(PKCS12 **out_p12, const uint8_t **ber_bytes, size_t ber_len); -// d2i_PKCS12_bio acts like |d2i_PKCS12| but reads from a |BIO|. +// d2i_PKCS12_bio acts like `d2i_PKCS12` but reads from a `BIO`. OPENSSL_EXPORT PKCS12* d2i_PKCS12_bio(BIO *bio, PKCS12 **out_p12); -// d2i_PKCS12_fp acts like |d2i_PKCS12| but reads from a |FILE|. +// d2i_PKCS12_fp acts like `d2i_PKCS12` but reads from a `FILE`. OPENSSL_EXPORT PKCS12* d2i_PKCS12_fp(FILE *fp, PKCS12 **out_p12); -// i2d_PKCS12 is a dummy function which copies the contents of |p12|. If |out| -// is not NULL then the result is written to |*out| and |*out| is advanced just +// i2d_PKCS12 is a dummy function which copies the contents of `p12`. 
If `out` +// is not NULL then the result is written to `*out` and `*out` is advanced just // past the output. It returns the number of bytes in the result, whether // written or not, or a negative value on error. OPENSSL_EXPORT int i2d_PKCS12(const PKCS12 *p12, uint8_t **out); -// i2d_PKCS12_bio writes the contents of |p12| to |bio|. It returns one on +// i2d_PKCS12_bio writes the contents of `p12` to `bio`. It returns one on // success and zero on error. OPENSSL_EXPORT int i2d_PKCS12_bio(BIO *bio, const PKCS12 *p12); -// i2d_PKCS12_fp writes the contents of |p12| to |fp|. It returns one on +// i2d_PKCS12_fp writes the contents of `p12` to `fp`. It returns one on // success and zero on error. OPENSSL_EXPORT int i2d_PKCS12_fp(FILE *fp, const PKCS12 *p12); -// PKCS12_parse calls |PKCS12_get_key_and_certs| on the ASN.1 data stored in -// |p12|. The |out_pkey| and |out_cert| arguments must not be NULL and, on +// PKCS12_parse calls `PKCS12_get_key_and_certs` on the ASN.1 data stored in +// `p12`. The `out_pkey` and `out_cert` arguments must not be NULL and, on // successful exit, the private key and matching certificate will be stored in -// them. The |out_ca_certs| argument may be NULL but, if not, then any extra -// certificates will be appended to |*out_ca_certs|. If |*out_ca_certs| is NULL +// them. The `out_ca_certs` argument may be NULL but, if not, then any extra +// certificates will be appended to `*out_ca_certs`. If `*out_ca_certs` is NULL // then it will be set to a freshly allocated stack containing the extra certs. // -// Note if |p12| does not contain a private key, both |*out_pkey| and -// |*out_cert| will be set to NULL and all certificates will be returned via -// |*out_ca_certs|. Also note this function differs from OpenSSL in that extra +// Note if `p12` does not contain a private key, both `*out_pkey` and +// `*out_cert` will be set to NULL and all certificates will be returned via +// `*out_ca_certs`. 
Also note this function differs from OpenSSL in that extra // certificates are returned in the order they appear in the file. OpenSSL 1.1.1 // returns them in reverse order, but this will be fixed in OpenSSL 3.0. // // It returns one on success and zero on error. // -// Use |PKCS12_get_key_and_certs| instead. +// Use `PKCS12_get_key_and_certs` instead. OPENSSL_EXPORT int PKCS12_parse(const PKCS12 *p12, const char *password, EVP_PKEY **out_pkey, X509 **out_cert, STACK_OF(X509) **out_ca_certs); -// PKCS12_verify_mac returns one if |password| is a valid password for |p12| -// and zero otherwise. Since |PKCS12_parse| doesn't take a length parameter, +// PKCS12_verify_mac returns one if `password` is a valid password for `p12` +// and zero otherwise. Since `PKCS12_parse` doesn't take a length parameter, // it's not actually possible to use a non-NUL-terminated password to actually -// get anything from a |PKCS12|. Thus |password| and |password_len| may be -// |NULL| and zero, respectively, or else |password_len| may be -1, or else -// |password[password_len]| must be zero and no other NUL bytes may appear in -// |password|. If the |password_len| checks fail, zero is returned +// get anything from a `PKCS12`. Thus `password` and `password_len` may be +// `NULL` and zero, respectively, or else `password_len` may be -1, or else +// `password[password_len]` must be zero and no other NUL bytes may appear in +// `password`. If the `password_len` checks fail, zero is returned // immediately. OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password, int password_len); // PKCS12_DEFAULT_ITER is the default number of KDF iterations used when -// creating a |PKCS12| object. +// creating a `PKCS12` object. #define PKCS12_DEFAULT_ITER 2048 -// PKCS12_create returns a newly-allocated |PKCS12| object containing |pkey|, -// |cert|, and |chain|, encrypted with the specified password. 
|name|, if not +// PKCS12_create returns a newly-allocated `PKCS12` object containing `pkey`, +// `cert`, and `chain`, encrypted with the specified password. `name`, if not // NULL, specifies a user-friendly name to encode with the key and -// certificate. The key and certificates are encrypted with |key_nid| and -// |cert_nid|, respectively, using |iterations| iterations in the -// KDF. |mac_iterations| is the number of iterations when deriving the MAC -// key. |key_type| must be zero. |pkey| and |cert| may be NULL to omit them. +// certificate. The key and certificates are encrypted with `key_nid` and +// `cert_nid`, respectively, using `iterations` iterations in the +// KDF. `mac_iterations` is the number of iterations when deriving the MAC +// key. `key_type` must be zero. `pkey` and `cert` may be NULL to omit them. // -// Each of |key_nid|, |cert_nid|, |iterations|, and |mac_iterations| may be zero -// to use defaults, which are |NID_aes_256_cbc|, |NID_aes_256_cbc|, -// |PKCS12_DEFAULT_ITER|, and |PKCS12_DEFAULT_ITER|, respectively. +// Each of `key_nid`, `cert_nid`, `iterations`, and `mac_iterations` may be zero +// to use defaults, which are `NID_aes_256_cbc`, `NID_aes_256_cbc`, +// `PKCS12_DEFAULT_ITER`, and `PKCS12_DEFAULT_ITER`, respectively. // -// |key_nid| and |cert_nid| are then interpreted as follows: +// `key_nid` and `cert_nid` are then interpreted as follows: // // * If the NID is a cipher that is supported with PBES2, e.g. -// |NID_aes_256_cbc|, this function will use it with PBES2 and a default KDF +// `NID_aes_256_cbc`, this function will use it with PBES2 and a default KDF // (currently PBKDF2 with HMAC-SHA256). There is no way to specify the KDF in // this function. // -// * If the NID is a PBES1 suite, e.g. |NID_pbe_WithSHA1And3_Key_TripleDES_CBC|, +// * If the NID is a PBES1 suite, e.g. `NID_pbe_WithSHA1And3_Key_TripleDES_CBC`, // this function will use the specified suite. 
// // * If the NID is -1, this function will disable encryption for the key or @@ -197,11 +197,11 @@ OPENSSL_EXPORT int PKCS12_verify_mac(const PKCS12 *p12, const char *password, // supported and may not open in other implementations. // // WARNING: This differs from other functions in this module, which use a pair -// of NID and |EVP_CIPHER| parameters to pick between PBES1 and PBES2 schemes. +// of NID and `EVP_CIPHER` parameters to pick between PBES1 and PBES2 schemes. // -// If |cert| or |chain| have associated aliases (see |X509_alias_set1|), they +// If `cert` or `chain` have associated aliases (see `X509_alias_set1`), they // will be included in the output as friendlyName attributes (RFC 2985). It is -// an error to specify both an alias on |cert| and a non-NULL |name| +// an error to specify both an alias on `cert` and a non-NULL `name` // parameter. OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name, const EVP_PKEY *pkey, X509 *cert, @@ -209,7 +209,7 @@ OPENSSL_EXPORT PKCS12 *PKCS12_create(const char *password, const char *name, int cert_nid, int iterations, int mac_iterations, int key_type); -// PKCS12_free frees |p12| and its contents. +// PKCS12_free frees `p12` and its contents. OPENSSL_EXPORT void PKCS12_free(PKCS12 *p12); diff --git a/third_party/boringssl/src/include/openssl/poly1305.h b/third_party/boringssl/src/include/openssl/poly1305.h index ac0865f8..d60b7531 100644 --- a/third_party/boringssl/src/include/openssl/poly1305.h +++ b/third_party/boringssl/src/include/openssl/poly1305.h 
@@ -27,20 +27,20 @@ extern "C" { typedef uint8_t poly1305_state[512]; -// CRYPTO_poly1305_init sets up |state| so that it can be used to calculate an -// authentication tag with the one-time key |key|. Note that |key| is a +// CRYPTO_poly1305_init sets up `state` so that it can be used to calculate an +// authentication tag with the one-time key `key`. Note that `key` is a // one-time key and therefore there is no `reset' method because that would // enable several messages to be authenticated with the same key. OPENSSL_EXPORT void CRYPTO_poly1305_init(poly1305_state *state, const uint8_t key[32]); -// CRYPTO_poly1305_update processes |in_len| bytes from |in|. It can be called +// CRYPTO_poly1305_update processes `in_len` bytes from `in`. It can be called // zero or more times after poly1305_init. OPENSSL_EXPORT void CRYPTO_poly1305_update(poly1305_state *state, const uint8_t *in, size_t in_len); // CRYPTO_poly1305_finish completes the poly1305 calculation and writes a 16 -// byte authentication tag to |mac|. +// byte authentication tag to `mac`. OPENSSL_EXPORT void CRYPTO_poly1305_finish(poly1305_state *state, uint8_t mac[16]); diff --git a/third_party/boringssl/src/include/openssl/pool.h b/third_party/boringssl/src/include/openssl/pool.h index 46150478..23f8c442 100644 --- a/third_party/boringssl/src/include/openssl/pool.h +++ b/third_party/boringssl/src/include/openssl/pool.h 
@@ -26,93 +26,93 @@ extern "C" { // Buffers and buffer pools. // -// |CRYPTO_BUFFER|s are simply reference-counted, immutable byte string. A -// single |CRYPTO_BUFFER| can be referenced from multiple parts of an +// `CRYPTO_BUFFER`s are simply reference-counted, immutable byte string. A +// single `CRYPTO_BUFFER` can be referenced from multiple parts of an // application without storing multiple copies of the underlying data in // memory. // -// A |CRYPTO_BUFFER_POOL| can be used to additionally deduplicate -// |CRYPTO_BUFFER|s on construction. It maintains weak references to associated -// |CRYPTO_BUFFER|s and returns an existing |CRYPTO_BUFFER| if matching ones +// A `CRYPTO_BUFFER_POOL` can be used to additionally deduplicate +// `CRYPTO_BUFFER`s on construction. It maintains weak references to associated +// `CRYPTO_BUFFER`s and returns an existing `CRYPTO_BUFFER` if matching ones // already exist. // -// Without a |CRYPTO_BUFFER_POOL|, if two parts of application construct an -// identical |CRYPTO_BUFFER| (e.g. if two TLS connections received the same +// Without a `CRYPTO_BUFFER_POOL`, if two parts of application construct an +// identical `CRYPTO_BUFFER` (e.g. if two TLS connections received the same // certificate), there will be two copies of the buffer in memory. A -// |CRYPTO_BUFFER_POOL| allows two parts of an application that construct -// |CRYPTO_BUFFER|s to deduplicate their contents, at the cost of more thread +// `CRYPTO_BUFFER_POOL` allows two parts of an application that construct +// `CRYPTO_BUFFER`s to deduplicate their contents, at the cost of more thread // contention. DEFINE_STACK_OF(CRYPTO_BUFFER) -// CRYPTO_BUFFER_POOL_new returns a freshly allocated |CRYPTO_BUFFER_POOL| or +// CRYPTO_BUFFER_POOL_new returns a freshly allocated `CRYPTO_BUFFER_POOL` or // NULL on error. 
OPENSSL_EXPORT CRYPTO_BUFFER_POOL *CRYPTO_BUFFER_POOL_new(void); -// CRYPTO_BUFFER_POOL_free decrements the reference count of |pool| and frees it +// CRYPTO_BUFFER_POOL_free decrements the reference count of `pool` and frees it // if the reference count drops to zero. OPENSSL_EXPORT void CRYPTO_BUFFER_POOL_free(CRYPTO_BUFFER_POOL *pool); -// CRYPTO_BUFFER_POOL_up_ref increments the reference count of |pool| and -// returns one. It does not mutate |pool| for thread-safety purposes and may be +// CRYPTO_BUFFER_POOL_up_ref increments the reference count of `pool` and +// returns one. It does not mutate `pool` for thread-safety purposes and may be // used concurrently. OPENSSL_EXPORT int CRYPTO_BUFFER_POOL_up_ref(CRYPTO_BUFFER_POOL *pool); -// CRYPTO_BUFFER_new returns a |CRYPTO_BUFFER| containing a copy of |data|, or -// else NULL on error. If |pool| is not NULL then the returned value may be a -// reference to a previously existing |CRYPTO_BUFFER| that contained the same -// data. Otherwise, the returned, fresh |CRYPTO_BUFFER| will be added to the +// CRYPTO_BUFFER_new returns a `CRYPTO_BUFFER` containing a copy of `data`, or +// else NULL on error. If `pool` is not NULL then the returned value may be a +// reference to a previously existing `CRYPTO_BUFFER` that contained the same +// data. Otherwise, the returned, fresh `CRYPTO_BUFFER` will be added to the // pool. // -// There is no requirement that |pool| outlive the |CRYPTO_BUFFER|, or vice -// versa. If the |CRYPTO_BUFFER| is released first, it will be removed from -// |pool|. If |pool| is released first, the |CRYPTO_BUFFER| remains valid. +// There is no requirement that `pool` outlive the `CRYPTO_BUFFER`, or vice +// versa. If the `CRYPTO_BUFFER` is released first, it will be removed from +// `pool`. If `pool` is released first, the `CRYPTO_BUFFER` remains valid. 
OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new(const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool); -// CRYPTO_BUFFER_alloc creates an unpooled |CRYPTO_BUFFER| of the given size and -// writes the underlying data pointer to |*out_data|. It returns NULL on error. +// CRYPTO_BUFFER_alloc creates an unpooled `CRYPTO_BUFFER` of the given size and +// writes the underlying data pointer to `*out_data`. It returns NULL on error. // -// After calling this function, |len| bytes of contents must be written to -// |out_data| before passing the returned pointer to any other BoringSSL -// functions. Once initialized, the |CRYPTO_BUFFER| should be treated as +// After calling this function, `len` bytes of contents must be written to +// `out_data` before passing the returned pointer to any other BoringSSL +// functions. Once initialized, the `CRYPTO_BUFFER` should be treated as // immutable. OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_alloc(uint8_t **out_data, size_t len); -// CRYPTO_BUFFER_new_from_CBS acts the same as |CRYPTO_BUFFER_new|. +// CRYPTO_BUFFER_new_from_CBS acts the same as `CRYPTO_BUFFER_new`. OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_CBS( const CBS *cbs, CRYPTO_BUFFER_POOL *pool); -// CRYPTO_BUFFER_new_from_static_data_unsafe behaves like |CRYPTO_BUFFER_new| -// but does not copy |data|. |data| must be immutable and last for the lifetime +// CRYPTO_BUFFER_new_from_static_data_unsafe behaves like `CRYPTO_BUFFER_new` +// but does not copy `data`. `data` must be immutable and last for the lifetime // of the address space. OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_new_from_static_data_unsafe( const uint8_t *data, size_t len, CRYPTO_BUFFER_POOL *pool); -// CRYPTO_BUFFER_free decrements the reference count of |buf|. If there are no +// CRYPTO_BUFFER_free decrements the reference count of `buf`. If there are no // other references, or if the only remaining reference is from a pool, then -// |buf| will be freed. +// `buf` will be freed. 
OPENSSL_EXPORT void CRYPTO_BUFFER_free(CRYPTO_BUFFER *buf); -// CRYPTO_BUFFER_up_ref increments the reference count of |buf| and returns +// CRYPTO_BUFFER_up_ref increments the reference count of `buf` and returns // one. OPENSSL_EXPORT int CRYPTO_BUFFER_up_ref(CRYPTO_BUFFER *buf); -// CRYPTO_BUFFER_dup_ref increments the reference count of |buf| and returns -// |buf|. The caller must call |CRYPTO_BUFFER_free| on the result to release the +// CRYPTO_BUFFER_dup_ref increments the reference count of `buf` and returns +// `buf`. The caller must call `CRYPTO_BUFFER_free` on the result to release the // reference. OPENSSL_EXPORT CRYPTO_BUFFER *CRYPTO_BUFFER_dup_ref(const CRYPTO_BUFFER *buf); -// CRYPTO_BUFFER_data returns a pointer to the data contained in |buf|. +// CRYPTO_BUFFER_data returns a pointer to the data contained in `buf`. OPENSSL_EXPORT const uint8_t *CRYPTO_BUFFER_data(const CRYPTO_BUFFER *buf); // CRYPTO_BUFFER_len returns the length, in bytes, of the data contained in -// |buf|. +// `buf`. OPENSSL_EXPORT size_t CRYPTO_BUFFER_len(const CRYPTO_BUFFER *buf); -// CRYPTO_BUFFER_init_CBS initialises |out| to point at the data from |buf|. +// CRYPTO_BUFFER_init_CBS initialises `out` to point at the data from `buf`. OPENSSL_EXPORT void CRYPTO_BUFFER_init_CBS(const CRYPTO_BUFFER *buf, CBS *out); diff --git a/third_party/boringssl/src/include/openssl/posix_time.h b/third_party/boringssl/src/include/openssl/posix_time.h index b9e0a77e..7a6afc6f 100644 --- a/third_party/boringssl/src/include/openssl/posix_time.h +++ b/third_party/boringssl/src/include/openssl/posix_time.h 
@@ -27,18 +27,18 @@ extern "C" { // Time functions. -// OPENSSL_posix_to_tm converts a int64_t POSIX time value in |time|, which must -// be in the range of year 0000 to 9999, to a broken out time value in |tm|. It +// OPENSSL_posix_to_tm converts a int64_t POSIX time value in `time`, which must +// be in the range of year 0000 to 9999, to a broken out time value in `tm`. It // returns one on success and zero on error. OPENSSL_EXPORT int OPENSSL_posix_to_tm(int64_t time, struct tm *out_tm); // OPENSSL_tm_to_posix converts a time value between the years 0 and 9999 in -// |tm| to a POSIX time value in |out|. One is returned on success, zero is -// returned on failure. It is a failure if |tm| contains out of range values. +// `tm` to a POSIX time value in `out`. One is returned on success, zero is +// returned on failure. It is a failure if `tm` contains out of range values. OPENSSL_EXPORT int OPENSSL_tm_to_posix(const struct tm *tm, int64_t *out); -// OPENSSL_timegm converts a time value between the years 0 and 9999 in |tm| to -// a time_t value in |out|. One is returned on success, zero is returned on +// OPENSSL_timegm converts a time value between the years 0 and 9999 in `tm` to +// a time_t value in `out`. One is returned on success, zero is returned on // failure. It is a failure if the converted time can not be represented in a // time_t, or if the tm contains out of range values. OPENSSL_EXPORT int OPENSSL_timegm(const struct tm *tm, time_t *out); diff --git a/third_party/boringssl/src/include/openssl/prefix_symbols.h b/third_party/boringssl/src/include/openssl/prefix_symbols.h index c25242da..5dd00f9c 100644 --- a/third_party/boringssl/src/include/openssl/prefix_symbols.h +++ b/third_party/boringssl/src/include/openssl/prefix_symbols.h 
@@ -274,6 +274,7 @@ #pragma redefine_extname BIO_meth_set_puts BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_meth_set_puts) #pragma redefine_extname BIO_meth_set_read BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_meth_set_read) #pragma redefine_extname BIO_meth_set_write BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_meth_set_write) +#pragma redefine_extname BIO_meth_set_write_ex BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_meth_set_write_ex) #pragma redefine_extname BIO_method_type BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_method_type) #pragma redefine_extname BIO_new BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_new) #pragma redefine_extname BIO_new_bio_pair BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_new_bio_pair) @@ -337,6 +338,7 @@ #pragma redefine_extname BIO_wpending BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_wpending) #pragma redefine_extname BIO_write BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_write) #pragma redefine_extname BIO_write_all BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_write_all) +#pragma redefine_extname BIO_write_ex BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_write_ex) #pragma redefine_extname BIO_write_filename BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BIO_write_filename) #pragma redefine_extname BLAKE2B256 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BLAKE2B256) #pragma redefine_extname BLAKE2B256_Final BORINGSSL_ADD_USER_LABEL_AND_PREFIX(BLAKE2B256_Final) 
@@ -568,6 +570,7 @@ #pragma redefine_extname CBS_get_u24_length_prefixed BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u24_length_prefixed) #pragma redefine_extname CBS_get_u32 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u32) #pragma redefine_extname CBS_get_u32le BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u32le) +#pragma redefine_extname CBS_get_u48 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u48) #pragma redefine_extname CBS_get_u64 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u64) #pragma redefine_extname CBS_get_u64_decimal BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u64_decimal) #pragma redefine_extname CBS_get_u64le BORINGSSL_ADD_USER_LABEL_AND_PREFIX(CBS_get_u64le) @@ -962,6 +965,8 @@ #pragma redefine_extname EVP_CIPHER_CTX_init BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_init) #pragma redefine_extname EVP_CIPHER_CTX_iv_length BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_iv_length) #pragma redefine_extname EVP_CIPHER_CTX_key_length BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_key_length) +#pragma redefine_extname EVP_CIPHER_CTX_max_final BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_max_final) +#pragma redefine_extname EVP_CIPHER_CTX_max_next_update BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_max_next_update) #pragma redefine_extname EVP_CIPHER_CTX_mode BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_mode) #pragma redefine_extname EVP_CIPHER_CTX_new BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_new) #pragma redefine_extname EVP_CIPHER_CTX_nid BORINGSSL_ADD_USER_LABEL_AND_PREFIX(EVP_CIPHER_CTX_nid) 
@@ -1714,7 +1719,6 @@ #pragma redefine_extname RAND_get_rand_method BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_get_rand_method) #pragma redefine_extname RAND_get_system_entropy_for_custom_prng BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_get_system_entropy_for_custom_prng) #pragma redefine_extname RAND_load_file BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_load_file) -#pragma redefine_extname RAND_maybe_reseed BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_maybe_reseed) #pragma redefine_extname RAND_poll BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_poll) #pragma redefine_extname RAND_pseudo_bytes BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_pseudo_bytes) #pragma redefine_extname RAND_reset_for_fuzzing BORINGSSL_ADD_USER_LABEL_AND_PREFIX(RAND_reset_for_fuzzing) @@ -3388,6 +3392,7 @@ #define BIO_meth_set_puts BORINGSSL_ADD_PREFIX(BIO_meth_set_puts) #define BIO_meth_set_read BORINGSSL_ADD_PREFIX(BIO_meth_set_read) #define BIO_meth_set_write BORINGSSL_ADD_PREFIX(BIO_meth_set_write) +#define BIO_meth_set_write_ex BORINGSSL_ADD_PREFIX(BIO_meth_set_write_ex) #define BIO_method_type BORINGSSL_ADD_PREFIX(BIO_method_type) #define BIO_new BORINGSSL_ADD_PREFIX(BIO_new) #define BIO_new_bio_pair BORINGSSL_ADD_PREFIX(BIO_new_bio_pair) @@ -3451,6 +3456,7 @@ #define BIO_wpending BORINGSSL_ADD_PREFIX(BIO_wpending) #define BIO_write BORINGSSL_ADD_PREFIX(BIO_write) #define BIO_write_all BORINGSSL_ADD_PREFIX(BIO_write_all) +#define BIO_write_ex BORINGSSL_ADD_PREFIX(BIO_write_ex) #define BIO_write_filename BORINGSSL_ADD_PREFIX(BIO_write_filename) #define BLAKE2B256 BORINGSSL_ADD_PREFIX(BLAKE2B256) #define BLAKE2B256_Final BORINGSSL_ADD_PREFIX(BLAKE2B256_Final) 
@@ -3682,6 +3688,7 @@ #define CBS_get_u24_length_prefixed BORINGSSL_ADD_PREFIX(CBS_get_u24_length_prefixed) #define CBS_get_u32 BORINGSSL_ADD_PREFIX(CBS_get_u32) #define CBS_get_u32le BORINGSSL_ADD_PREFIX(CBS_get_u32le) +#define CBS_get_u48 BORINGSSL_ADD_PREFIX(CBS_get_u48) #define CBS_get_u64 BORINGSSL_ADD_PREFIX(CBS_get_u64) #define CBS_get_u64_decimal BORINGSSL_ADD_PREFIX(CBS_get_u64_decimal) #define CBS_get_u64le BORINGSSL_ADD_PREFIX(CBS_get_u64le) @@ -4076,6 +4083,8 @@ #define EVP_CIPHER_CTX_init BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_init) #define EVP_CIPHER_CTX_iv_length BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_iv_length) #define EVP_CIPHER_CTX_key_length BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_key_length) +#define EVP_CIPHER_CTX_max_final BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_max_final) +#define EVP_CIPHER_CTX_max_next_update BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_max_next_update) #define EVP_CIPHER_CTX_mode BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_mode) #define EVP_CIPHER_CTX_new BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_new) #define EVP_CIPHER_CTX_nid BORINGSSL_ADD_PREFIX(EVP_CIPHER_CTX_nid) @@ -4828,7 +4837,6 @@ #define RAND_get_rand_method BORINGSSL_ADD_PREFIX(RAND_get_rand_method) #define RAND_get_system_entropy_for_custom_prng BORINGSSL_ADD_PREFIX(RAND_get_system_entropy_for_custom_prng) #define RAND_load_file BORINGSSL_ADD_PREFIX(RAND_load_file) -#define RAND_maybe_reseed BORINGSSL_ADD_PREFIX(RAND_maybe_reseed) #define RAND_poll BORINGSSL_ADD_PREFIX(RAND_poll) #define RAND_pseudo_bytes BORINGSSL_ADD_PREFIX(RAND_pseudo_bytes) #define RAND_reset_for_fuzzing BORINGSSL_ADD_PREFIX(RAND_reset_for_fuzzing) diff --git a/third_party/boringssl/src/include/openssl/prefix_symbols_internal_S.h b/third_party/boringssl/src/include/openssl/prefix_symbols_internal_S.h index 4e5a51b4..170ac1c1 100644 --- a/third_party/boringssl/src/include/openssl/prefix_symbols_internal_S.h +++ b/third_party/boringssl/src/include/openssl/prefix_symbols_internal_S.h 
@@ -231,38 +231,14 @@ #define _chacha20_poly1305_seal BORINGSSL_ADD_USER_LABEL_AND_PREFIX(chacha20_poly1305_seal) #define _chacha20_poly1305_seal_avx2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(chacha20_poly1305_seal_avx2) #define _chacha20_poly1305_seal_sse41 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(chacha20_poly1305_seal_sse41) -#define _ecp_nistz256_div_by_2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_div_by_2) -#define _ecp_nistz256_mul_by_2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_by_2) -#define _ecp_nistz256_mul_by_3 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_by_3) #define _ecp_nistz256_mul_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_mont) -#define _ecp_nistz256_mul_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_mont_adx) -#define _ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_mont_nohw) -#define _ecp_nistz256_neg BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_neg) #define _ecp_nistz256_ord_mul_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_mul_mont) #define _ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_mul_mont_adx) #define _ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_mul_mont_nohw) #define _ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_sqr_mont) #define _ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_sqr_mont_adx) #define _ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_sqr_mont_nohw) -#define _ecp_nistz256_point_add BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add) -#define _ecp_nistz256_point_add_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_adx) -#define _ecp_nistz256_point_add_affine BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_affine) -#define _ecp_nistz256_point_add_affine_adx 
BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_affine_adx) -#define _ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_affine_nohw) -#define _ecp_nistz256_point_add_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_nohw) -#define _ecp_nistz256_point_double BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_double) -#define _ecp_nistz256_point_double_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_double_adx) -#define _ecp_nistz256_point_double_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_double_nohw) -#define _ecp_nistz256_select_w5 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w5) -#define _ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w5_avx2) -#define _ecp_nistz256_select_w5_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w5_nohw) -#define _ecp_nistz256_select_w7 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w7) -#define _ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w7_avx2) -#define _ecp_nistz256_select_w7_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w7_nohw) #define _ecp_nistz256_sqr_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sqr_mont) -#define _ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sqr_mont_adx) -#define _ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sqr_mont_nohw) -#define _ecp_nistz256_sub BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sub) #define _fiat_curve25519_adx_mul BORINGSSL_ADD_USER_LABEL_AND_PREFIX(fiat_curve25519_adx_mul) #define _fiat_curve25519_adx_square BORINGSSL_ADD_USER_LABEL_AND_PREFIX(fiat_curve25519_adx_square) #define _fiat_p256_adx_mul BORINGSSL_ADD_USER_LABEL_AND_PREFIX(fiat_p256_adx_mul) 
@@ -533,38 +509,14 @@ #define chacha20_poly1305_seal BORINGSSL_ADD_USER_LABEL_AND_PREFIX(chacha20_poly1305_seal) #define chacha20_poly1305_seal_avx2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(chacha20_poly1305_seal_avx2) #define chacha20_poly1305_seal_sse41 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(chacha20_poly1305_seal_sse41) -#define ecp_nistz256_div_by_2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_div_by_2) -#define ecp_nistz256_mul_by_2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_by_2) -#define ecp_nistz256_mul_by_3 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_by_3) #define ecp_nistz256_mul_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_mont) -#define ecp_nistz256_mul_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_mont_adx) -#define ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_mul_mont_nohw) -#define ecp_nistz256_neg BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_neg) #define ecp_nistz256_ord_mul_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_mul_mont) #define ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_mul_mont_adx) #define ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_mul_mont_nohw) #define ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_sqr_mont) #define ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_sqr_mont_adx) #define ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_ord_sqr_mont_nohw) -#define ecp_nistz256_point_add BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add) -#define ecp_nistz256_point_add_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_adx) -#define ecp_nistz256_point_add_affine BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_affine) -#define ecp_nistz256_point_add_affine_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_affine_adx) -#define 
ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_affine_nohw) -#define ecp_nistz256_point_add_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_add_nohw) -#define ecp_nistz256_point_double BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_double) -#define ecp_nistz256_point_double_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_double_adx) -#define ecp_nistz256_point_double_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_point_double_nohw) -#define ecp_nistz256_select_w5 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w5) -#define ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w5_avx2) -#define ecp_nistz256_select_w5_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w5_nohw) -#define ecp_nistz256_select_w7 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w7) -#define ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w7_avx2) -#define ecp_nistz256_select_w7_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_select_w7_nohw) #define ecp_nistz256_sqr_mont BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sqr_mont) -#define ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sqr_mont_adx) -#define ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sqr_mont_nohw) -#define ecp_nistz256_sub BORINGSSL_ADD_USER_LABEL_AND_PREFIX(ecp_nistz256_sub) #define fiat_curve25519_adx_mul BORINGSSL_ADD_USER_LABEL_AND_PREFIX(fiat_curve25519_adx_mul) #define fiat_curve25519_adx_square BORINGSSL_ADD_USER_LABEL_AND_PREFIX(fiat_curve25519_adx_square) #define fiat_p256_adx_mul BORINGSSL_ADD_USER_LABEL_AND_PREFIX(fiat_p256_adx_mul) diff --git a/third_party/boringssl/src/include/openssl/prefix_symbols_internal_c.h b/third_party/boringssl/src/include/openssl/prefix_symbols_internal_c.h index 6e840711..ef124523 100644 
--- a/third_party/boringssl/src/include/openssl/prefix_symbols_internal_c.h +++ b/third_party/boringssl/src/include/openssl/prefix_symbols_internal_c.h 
@@ -231,38 +231,14 @@ #define chacha20_poly1305_seal BORINGSSL_ADD_PREFIX(chacha20_poly1305_seal) #define chacha20_poly1305_seal_avx2 BORINGSSL_ADD_PREFIX(chacha20_poly1305_seal_avx2) #define chacha20_poly1305_seal_sse41 BORINGSSL_ADD_PREFIX(chacha20_poly1305_seal_sse41) -#define ecp_nistz256_div_by_2 BORINGSSL_ADD_PREFIX(ecp_nistz256_div_by_2) -#define ecp_nistz256_mul_by_2 BORINGSSL_ADD_PREFIX(ecp_nistz256_mul_by_2) -#define ecp_nistz256_mul_by_3 BORINGSSL_ADD_PREFIX(ecp_nistz256_mul_by_3) #define ecp_nistz256_mul_mont BORINGSSL_ADD_PREFIX(ecp_nistz256_mul_mont) -#define ecp_nistz256_mul_mont_adx BORINGSSL_ADD_PREFIX(ecp_nistz256_mul_mont_adx) -#define ecp_nistz256_mul_mont_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_mul_mont_nohw) -#define ecp_nistz256_neg BORINGSSL_ADD_PREFIX(ecp_nistz256_neg) #define ecp_nistz256_ord_mul_mont BORINGSSL_ADD_PREFIX(ecp_nistz256_ord_mul_mont) #define ecp_nistz256_ord_mul_mont_adx BORINGSSL_ADD_PREFIX(ecp_nistz256_ord_mul_mont_adx) #define ecp_nistz256_ord_mul_mont_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_ord_mul_mont_nohw) #define ecp_nistz256_ord_sqr_mont BORINGSSL_ADD_PREFIX(ecp_nistz256_ord_sqr_mont) #define ecp_nistz256_ord_sqr_mont_adx BORINGSSL_ADD_PREFIX(ecp_nistz256_ord_sqr_mont_adx) #define ecp_nistz256_ord_sqr_mont_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_ord_sqr_mont_nohw) -#define ecp_nistz256_point_add BORINGSSL_ADD_PREFIX(ecp_nistz256_point_add) -#define ecp_nistz256_point_add_adx BORINGSSL_ADD_PREFIX(ecp_nistz256_point_add_adx) -#define ecp_nistz256_point_add_affine BORINGSSL_ADD_PREFIX(ecp_nistz256_point_add_affine) -#define ecp_nistz256_point_add_affine_adx BORINGSSL_ADD_PREFIX(ecp_nistz256_point_add_affine_adx) -#define ecp_nistz256_point_add_affine_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_point_add_affine_nohw) -#define ecp_nistz256_point_add_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_point_add_nohw) -#define ecp_nistz256_point_double BORINGSSL_ADD_PREFIX(ecp_nistz256_point_double) -#define ecp_nistz256_point_double_adx 
BORINGSSL_ADD_PREFIX(ecp_nistz256_point_double_adx) -#define ecp_nistz256_point_double_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_point_double_nohw) -#define ecp_nistz256_select_w5 BORINGSSL_ADD_PREFIX(ecp_nistz256_select_w5) -#define ecp_nistz256_select_w5_avx2 BORINGSSL_ADD_PREFIX(ecp_nistz256_select_w5_avx2) -#define ecp_nistz256_select_w5_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_select_w5_nohw) -#define ecp_nistz256_select_w7 BORINGSSL_ADD_PREFIX(ecp_nistz256_select_w7) -#define ecp_nistz256_select_w7_avx2 BORINGSSL_ADD_PREFIX(ecp_nistz256_select_w7_avx2) -#define ecp_nistz256_select_w7_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_select_w7_nohw) #define ecp_nistz256_sqr_mont BORINGSSL_ADD_PREFIX(ecp_nistz256_sqr_mont) -#define ecp_nistz256_sqr_mont_adx BORINGSSL_ADD_PREFIX(ecp_nistz256_sqr_mont_adx) -#define ecp_nistz256_sqr_mont_nohw BORINGSSL_ADD_PREFIX(ecp_nistz256_sqr_mont_nohw) -#define ecp_nistz256_sub BORINGSSL_ADD_PREFIX(ecp_nistz256_sub) #define fiat_curve25519_adx_mul BORINGSSL_ADD_PREFIX(fiat_curve25519_adx_mul) #define fiat_curve25519_adx_square BORINGSSL_ADD_PREFIX(fiat_curve25519_adx_square) #define fiat_p256_adx_mul BORINGSSL_ADD_PREFIX(fiat_p256_adx_mul) diff --git a/third_party/boringssl/src/include/openssl/rand.h b/third_party/boringssl/src/include/openssl/rand.h index 9d66a895..3bb3855a 100644 --- a/third_party/boringssl/src/include/openssl/rand.h +++ b/third_party/boringssl/src/include/openssl/rand.h @@ -25,8 +25,8 @@ extern "C" { // Random number generation. -// RAND_bytes writes |len| bytes of random data to |buf| and returns one. In the -// event that sufficient random data can not be obtained, |abort| is called. +// RAND_bytes writes `len` bytes of random data to `buf` and returns one. In the +// event that sufficient random data can not be obtained, `abort` is called. OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); 
@@ -34,10 +34,10 @@ OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); #if !defined(OPENSSL_WINDOWS) // RAND_enable_fork_unsafe_buffering indicates that clones of the address space, -// e.g. via |fork|, will never call into BoringSSL. It may be used to disable +// e.g. via `fork`, will never call into BoringSSL. It may be used to disable // BoringSSL's more expensive fork-safety measures. However, calling this -// function and then using BoringSSL across |fork| calls will leak secret keys. -// |fd| must be -1. +// function and then using BoringSSL across `fork` calls will leak secret keys. +// `fd` must be -1. // // WARNING: This function affects BoringSSL for the entire address space. Thus // this function should never be called by library code, only by code with @@ -46,7 +46,7 @@ OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); // Do not use this function unless a performance issue was measured with the // default behavior. BoringSSL can efficiently detect forks on most platforms, // in which case this function is a no-op and is unnecessary. In particular, -// Linux kernel versions 4.14 or later provide |MADV_WIPEONFORK|. Future +// Linux kernel versions 4.14 or later provide `MADV_WIPEONFORK`. Future // versions of BoringSSL will remove this functionality when older kernels are // sufficiently rare. // @@ -55,7 +55,7 @@ OPENSSL_EXPORT int RAND_bytes(uint8_t *buf, size_t len); OPENSSL_EXPORT void RAND_enable_fork_unsafe_buffering(int fd); // RAND_disable_fork_unsafe_buffering restores BoringSSL's default fork-safety -// protections. See also |RAND_enable_fork_unsafe_buffering|. +// protections. See also `RAND_enable_fork_unsafe_buffering`. OPENSSL_EXPORT void RAND_disable_fork_unsafe_buffering(void); #endif 
@@ -65,31 +65,20 @@ OPENSSL_EXPORT void RAND_disable_fork_unsafe_buffering(void); OPENSSL_EXPORT void RAND_reset_for_fuzzing(void); #endif -// RAND_get_system_entropy_for_custom_prng writes |len| bytes of random data -// from a system entropy source to |buf|. The maximum length of entropy which +// RAND_get_system_entropy_for_custom_prng writes `len` bytes of random data +// from a system entropy source to `buf`. The maximum length of entropy which // may be requested is 256 bytes. If more than 256 bytes of data is requested, -// or if sufficient random data can not be obtained, |abort| is called. -// |RAND_bytes| should normally be used instead of this function. This function -// should only be used for seed values or where |malloc| should not be called +// or if sufficient random data can not be obtained, `abort` is called. +// `RAND_bytes` should normally be used instead of this function. This function +// should only be used for seed values or where `malloc` should not be called // from BoringSSL. This function is not FIPS compliant. OPENSSL_EXPORT void RAND_get_system_entropy_for_custom_prng(uint8_t *buf, size_t len); -// RAND_maybe_reseed might reseed the PRNG if it's getting close to the reseed -// limit. If it does so, it may briefly block other threads that are -// concurrently calling `RAND_bytes`, but only for ~microseconds. Applications -// may wish to periodically call this function to avoid hitting a reseed while -// servicing a `RAND_bytes` call, which could happen from anywhere and take -// milliseconds or more in FIPS configurations. _Most_ applications, however, -// should ignore this and it only makes a difference in FIPS builds. -// -// Returns one if a reseed was performed and zero otherwise. -OPENSSL_EXPORT int RAND_maybe_reseed(void); - // Deprecated functions -// RAND_pseudo_bytes is a wrapper around |RAND_bytes|. +// RAND_pseudo_bytes is a wrapper around `RAND_bytes`. 
OPENSSL_EXPORT int RAND_pseudo_bytes(uint8_t *buf, size_t len); // RAND_seed reads a single byte of random data to ensure that any file @@ -117,8 +106,8 @@ OPENSSL_EXPORT int RAND_status(void); // RAND_cleanup does nothing. OPENSSL_EXPORT void RAND_cleanup(void); -// rand_meth_st is typedefed to |RAND_METHOD| in base.h. It isn't used; it -// exists only to be the return type of |RAND_SSLeay|. It's +// rand_meth_st is typedefed to `RAND_METHOD` in base.h. It isn't used; it +// exists only to be the return type of `RAND_SSLeay`. It's // external so that variables of this type can be initialized. struct rand_meth_st { void (*seed) (const void *buf, int num); @@ -129,13 +118,13 @@ struct rand_meth_st { int (*status) (void); }; -// RAND_SSLeay returns a pointer to a dummy |RAND_METHOD|. +// RAND_SSLeay returns a pointer to a dummy `RAND_METHOD`. OPENSSL_EXPORT RAND_METHOD *RAND_SSLeay(void); -// RAND_OpenSSL returns a pointer to a dummy |RAND_METHOD|. +// RAND_OpenSSL returns a pointer to a dummy `RAND_METHOD`. OPENSSL_EXPORT RAND_METHOD *RAND_OpenSSL(void); -// RAND_get_rand_method returns |RAND_SSLeay()|. +// RAND_get_rand_method returns `RAND_SSLeay()`. OPENSSL_EXPORT const RAND_METHOD *RAND_get_rand_method(void); // RAND_set_rand_method returns one. diff --git a/third_party/boringssl/src/include/openssl/rc4.h b/third_party/boringssl/src/include/openssl/rc4.h index 520c3a68..b45eaaff 100644 --- a/third_party/boringssl/src/include/openssl/rc4.h +++ b/third_party/boringssl/src/include/openssl/rc4.h 
@@ -30,13 +30,13 @@ struct rc4_key_st { uint32_t data[256]; } /* RC4_KEY */; -// RC4_set_key performs an RC4 key schedule and initialises |rc4key| with |len| -// bytes of key material from |key|. +// RC4_set_key performs an RC4 key schedule and initialises `rc4key` with `len` +// bytes of key material from `key`. OPENSSL_EXPORT void RC4_set_key(RC4_KEY *rc4key, unsigned len, const uint8_t *key); -// RC4 encrypts (or decrypts, it's the same with RC4) |len| bytes from |in| to -// |out|. +// RC4 encrypts (or decrypts, it's the same with RC4) `len` bytes from `in` to +// `out`. OPENSSL_EXPORT void RC4(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out); diff --git a/third_party/boringssl/src/include/openssl/ripemd.h b/third_party/boringssl/src/include/openssl/ripemd.h index d21c72e7..b59a1a65 100644 --- a/third_party/boringssl/src/include/openssl/ripemd.h +++ b/third_party/boringssl/src/include/openssl/ripemd.h 
@@ -38,28 +38,28 @@ struct RIPEMD160state_st { unsigned num; }; -// RIPEMD160_Init initialises |ctx| and returns one. +// RIPEMD160_Init initialises `ctx` and returns one. OPENSSL_EXPORT int RIPEMD160_Init(RIPEMD160_CTX *ctx); -// RIPEMD160_Update adds |len| bytes from |data| to |ctx| and returns one. +// RIPEMD160_Update adds `len` bytes from `data` to `ctx` and returns one. OPENSSL_EXPORT int RIPEMD160_Update(RIPEMD160_CTX *ctx, const void *data, size_t len); -// RIPEMD160_Final adds the final padding to |ctx| and writes the resulting -// digest to |out|, which must have at least |RIPEMD160_DIGEST_LENGTH| bytes of +// RIPEMD160_Final adds the final padding to `ctx` and writes the resulting +// digest to `out`, which must have at least `RIPEMD160_DIGEST_LENGTH` bytes of // space. It returns one. OPENSSL_EXPORT int RIPEMD160_Final(uint8_t out[RIPEMD160_DIGEST_LENGTH], RIPEMD160_CTX *ctx); -// RIPEMD160 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |RIPEMD160_DIGEST_LENGTH| bytes of space in -// |out|. +// RIPEMD160 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `RIPEMD160_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *RIPEMD160(const uint8_t *data, size_t len, uint8_t out[RIPEMD160_DIGEST_LENGTH]); // RIPEMD160_Transform is a low-level function that performs a single, -// RIPEMD160 block transformation using the state from |ctx| and 64 bytes from -// |block|. +// RIPEMD160 block transformation using the state from `ctx` and 64 bytes from +// `block`. OPENSSL_EXPORT void RIPEMD160_Transform(RIPEMD160_CTX *ctx, const uint8_t block[RIPEMD160_CBLOCK]); diff --git a/third_party/boringssl/src/include/openssl/rsa.h b/third_party/boringssl/src/include/openssl/rsa.h index 692d5095..45858eb1 100644 --- a/third_party/boringssl/src/include/openssl/rsa.h +++ b/third_party/boringssl/src/include/openssl/rsa.h 
@@ -30,17 +30,17 @@ extern "C" { // Allocation and destruction. // -// An |RSA| object represents a public or private RSA key. A given object may be +// An `RSA` object represents a public or private RSA key. A given object may be // used concurrently on multiple threads by non-mutating functions, provided no // other thread is concurrently calling a mutating function. Unless otherwise -// documented, functions which take a |const| pointer are non-mutating and -// functions which take a non-|const| pointer are mutating. +// documented, functions which take a `const` pointer are non-mutating and +// functions which take a non-`const` pointer are mutating. -// RSA_new_public_key returns a new |RSA| object containing a public key with +// RSA_new_public_key returns a new `RSA` object containing a public key with // the specified parameters, or NULL on error or invalid input. OPENSSL_EXPORT RSA *RSA_new_public_key(const BIGNUM *n, const BIGNUM *e); -// RSA_new_private_key returns a new |RSA| object containing a private key with +// RSA_new_private_key returns a new `RSA` object containing a private key with // the specified parameters, or NULL on error or invalid input. All parameters // are mandatory and may not be NULL. // 
@@ -50,19 +50,19 @@ OPENSSL_EXPORT RSA *RSA_new_private_key(const BIGNUM *n, const BIGNUM *e, const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1, const BIGNUM *iqmp); -// RSA_new returns a new, empty |RSA| object or NULL on error. Prefer using -// |RSA_new_public_key| or |RSA_new_private_key| to import an RSA key. +// RSA_new returns a new, empty `RSA` object or NULL on error. Prefer using +// `RSA_new_public_key` or `RSA_new_private_key` to import an RSA key. OPENSSL_EXPORT RSA *RSA_new(void); -// RSA_new_method acts the same as |RSA_new| but takes an explicit |ENGINE|. +// RSA_new_method acts the same as `RSA_new` but takes an explicit `ENGINE`. OPENSSL_EXPORT RSA *RSA_new_method(const ENGINE *engine); -// RSA_free decrements the reference count of |rsa| and frees it if the +// RSA_free decrements the reference count of `rsa` and frees it if the // reference count drops to zero. OPENSSL_EXPORT void RSA_free(RSA *rsa); -// RSA_up_ref increments the reference count of |rsa| and returns one. It does -// not mutate |rsa| for thread-safety purposes and may be used concurrently. +// RSA_up_ref increments the reference count of `rsa` and returns one. It does +// not mutate `rsa` for thread-safety purposes and may be used concurrently. OPENSSL_EXPORT int RSA_up_ref(RSA *rsa); 
@@ -80,53 +80,53 @@ OPENSSL_EXPORT int RSA_up_ref(RSA *rsa); // opt-in, or impose a tighter limit on private key operations. #define OPENSSL_RSA_MAX_MODULUS_BITS 16384 -// RSA_bits returns the size of |rsa|, in bits. +// RSA_bits returns the size of `rsa`, in bits. OPENSSL_EXPORT unsigned RSA_bits(const RSA *rsa); -// RSA_get0_n returns |rsa|'s public modulus. +// RSA_get0_n returns `rsa`'s public modulus. OPENSSL_EXPORT const BIGNUM *RSA_get0_n(const RSA *rsa); -// RSA_get0_e returns |rsa|'s public exponent. +// RSA_get0_e returns `rsa`'s public exponent. OPENSSL_EXPORT const BIGNUM *RSA_get0_e(const RSA *rsa); -// RSA_get0_d returns |rsa|'s private exponent. If |rsa| is a public key, this +// RSA_get0_d returns `rsa`'s private exponent. If `rsa` is a public key, this // value will be NULL. OPENSSL_EXPORT const BIGNUM *RSA_get0_d(const RSA *rsa); -// RSA_get0_p returns |rsa|'s first private prime factor. If |rsa| is a public +// RSA_get0_p returns `rsa`'s first private prime factor. If `rsa` is a public // key or lacks its prime factors, this value will be NULL. OPENSSL_EXPORT const BIGNUM *RSA_get0_p(const RSA *rsa); -// RSA_get0_q returns |rsa|'s second private prime factor. If |rsa| is a public +// RSA_get0_q returns `rsa`'s second private prime factor. If `rsa` is a public // key or lacks its prime factors, this value will be NULL. OPENSSL_EXPORT const BIGNUM *RSA_get0_q(const RSA *rsa); -// RSA_get0_dmp1 returns d (mod p-1) for |rsa|. If |rsa| is a public key or +// RSA_get0_dmp1 returns d (mod p-1) for `rsa`. If `rsa` is a public key or // lacks CRT parameters, this value will be NULL. OPENSSL_EXPORT const BIGNUM *RSA_get0_dmp1(const RSA *rsa); -// RSA_get0_dmq1 returns d (mod q-1) for |rsa|. If |rsa| is a public key or +// RSA_get0_dmq1 returns d (mod q-1) for `rsa`. If `rsa` is a public key or // lacks CRT parameters, this value will be NULL. OPENSSL_EXPORT const BIGNUM *RSA_get0_dmq1(const RSA *rsa); -// RSA_get0_iqmp returns q^-1 (mod p). 
If |rsa| is a public key or lacks CRT +// RSA_get0_iqmp returns q^-1 (mod p). If `rsa` is a public key or lacks CRT // parameters, this value will be NULL. OPENSSL_EXPORT const BIGNUM *RSA_get0_iqmp(const RSA *rsa); -// RSA_get0_key sets |*out_n|, |*out_e|, and |*out_d|, if non-NULL, to |rsa|'s -// modulus, public exponent, and private exponent, respectively. If |rsa| is a +// RSA_get0_key sets `*out_n`, `*out_e`, and `*out_d`, if non-NULL, to `rsa`'s +// modulus, public exponent, and private exponent, respectively. If `rsa` is a // public key, the private exponent will be set to NULL. OPENSSL_EXPORT void RSA_get0_key(const RSA *rsa, const BIGNUM **out_n, const BIGNUM **out_e, const BIGNUM **out_d); -// RSA_get0_factors sets |*out_p| and |*out_q|, if non-NULL, to |rsa|'s prime -// factors. If |rsa| is a public key, they will be set to NULL. +// RSA_get0_factors sets `*out_p` and `*out_q`, if non-NULL, to `rsa`'s prime +// factors. If `rsa` is a public key, they will be set to NULL. OPENSSL_EXPORT void RSA_get0_factors(const RSA *rsa, const BIGNUM **out_p, const BIGNUM **out_q); -// RSA_get0_crt_params sets |*out_dmp1|, |*out_dmq1|, and |*out_iqmp|, if -// non-NULL, to |rsa|'s CRT parameters. These are d (mod p-1), d (mod q-1) and -// q^-1 (mod p), respectively. If |rsa| is a public key, each parameter will be +// RSA_get0_crt_params sets `*out_dmp1`, `*out_dmq1`, and `*out_iqmp`, if +// non-NULL, to `rsa`'s CRT parameters. These are d (mod p-1), d (mod q-1) and +// q^-1 (mod p), respectively. If `rsa` is a public key, each parameter will be // set to NULL. OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, const BIGNUM **out_dmq1, 
@@ -135,10 +135,10 @@ OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, // Setting individual properties. // -// These functions allow setting individual properties of an |RSA| object. This -// is typically used with |RSA_new| to construct an RSA key field by field. -// Prefer instead to use |RSA_new_public_key| and |RSA_new_private_key|. These -// functions defer some initialization to the first use of an |RSA| object. This +// These functions allow setting individual properties of an `RSA` object. This +// is typically used with `RSA_new` to construct an RSA key field by field. +// Prefer instead to use `RSA_new_public_key` and `RSA_new_private_key`. These +// functions defer some initialization to the first use of an `RSA` object. This // means invalid inputs may be caught late. // // TODO(crbug.com/boringssl/316): This deferred initialization also causes 
@@ -146,35 +146,35 @@ OPENSSL_EXPORT void RSA_get0_crt_params(const RSA *rsa, const BIGNUM **out_dmp1, // currently have the same issues, but they will initialize eagerly in the // future. -// RSA_set0_key sets |rsa|'s modulus, public exponent, and private exponent to -// |n|, |e|, and |d| respectively, if non-NULL. On success, it takes ownership +// RSA_set0_key sets `rsa`'s modulus, public exponent, and private exponent to +// `n`, `e`, and `d` respectively, if non-NULL. On success, it takes ownership // of each argument and returns one. Otherwise, it returns zero. // -// |d| may be NULL, but |n| and |e| must either be non-NULL or already -// configured on |rsa|. +// `d` may be NULL, but `n` and `e` must either be non-NULL or already +// configured on `rsa`. // -// It is an error to call this function after |rsa| has been used for a -// cryptographic operation. Construct a new |RSA| object instead. +// It is an error to call this function after `rsa` has been used for a +// cryptographic operation. Construct a new `RSA` object instead. OPENSSL_EXPORT int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d); -// RSA_set0_factors sets |rsa|'s prime factors to |p| and |q|, if non-NULL, and +// RSA_set0_factors sets `rsa`'s prime factors to `p` and `q`, if non-NULL, and // takes ownership of them. On success, it takes ownership of each argument and // returns one. Otherwise, it returns zero. // -// Each argument must either be non-NULL or already configured on |rsa|. +// Each argument must either be non-NULL or already configured on `rsa`. // -// It is an error to call this function after |rsa| has been used for a -// cryptographic operation. Construct a new |RSA| object instead. +// It is an error to call this function after `rsa` has been used for a +// cryptographic operation. Construct a new `RSA` object instead. 
OPENSSL_EXPORT int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q); -// RSA_set0_crt_params sets |rsa|'s CRT parameters to |dmp1|, |dmq1|, and -// |iqmp|, if non-NULL, and takes ownership of them. On success, it takes +// RSA_set0_crt_params sets `rsa`'s CRT parameters to `dmp1`, `dmq1`, and +// `iqmp`, if non-NULL, and takes ownership of them. On success, it takes // ownership of its parameters and returns one. Otherwise, it returns zero. // -// Each argument must either be non-NULL or already configured on |rsa|. +// Each argument must either be non-NULL or already configured on `rsa`. // -// It is an error to call this function after |rsa| has been used for a -// cryptographic operation. Construct a new |RSA| object instead. +// It is an error to call this function after `rsa` has been used for a +// cryptographic operation. Construct a new `RSA` object instead. OPENSSL_EXPORT int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); 
@@ -182,19 +182,19 @@ OPENSSL_EXPORT int RSA_set0_crt_params(RSA *rsa, BIGNUM *dmp1, BIGNUM *dmq1, // Key generation. // RSA_generate_key_ex generates a new RSA key where the modulus has size -// |bits| and the public exponent is |e|. If unsure, |RSA_F4| is a good value -// for |e|. If |cb| is not NULL then it is called during the key generation -// process. In addition to the calls documented for |BN_generate_prime_ex|, it +// `bits` and the public exponent is `e`. If unsure, `RSA_F4` is a good value +// for `e`. If `cb` is not NULL then it is called during the key generation +// process. In addition to the calls documented for `BN_generate_prime_ex`, it // is called with event=2 when the n'th prime is rejected as unsuitable and -// with event=3 when a suitable value for |p| is found. +// with event=3 when a suitable value for `p` is found. // // It returns one on success or zero on error. OPENSSL_EXPORT int RSA_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb); -// RSA_generate_key_fips behaves like |RSA_generate_key_ex| but performs +// RSA_generate_key_fips behaves like `RSA_generate_key_ex` but performs // additional checks for FIPS compliance. The public exponent is always 65537 -// and |bits| must be either 2048 or 3072. +// and `bits` must be either 2048 or 3072. OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); 
@@ -221,40 +221,40 @@ OPENSSL_EXPORT int RSA_generate_key_fips(RSA *rsa, int bits, BN_GENCB *cb); #define RSA_PKCS1_OAEP_PADDING 4 // RSA_PKCS1_PSS_PADDING denotes the RSASSA-PSS signature scheme. This value may -// not be passed into |RSA_sign_raw|, only |EVP_PKEY_CTX_set_rsa_padding|. See -// also |RSA_sign_pss_mgf1| and |RSA_verify_pss_mgf1|. +// not be passed into `RSA_sign_raw`, only `EVP_PKEY_CTX_set_rsa_padding`. See +// also `RSA_sign_pss_mgf1` and `RSA_verify_pss_mgf1`. #define RSA_PKCS1_PSS_PADDING 6 -// RSA_encrypt encrypts |in_len| bytes from |in| to the public key from |rsa| -// and writes, at most, |max_out| bytes of encrypted data to |out|. The -// |max_out| argument must be, at least, |RSA_size| in order to ensure success. +// RSA_encrypt encrypts `in_len` bytes from `in` to the public key from `rsa` +// and writes, at most, `max_out` bytes of encrypted data to `out`. The +// `max_out` argument must be, at least, `RSA_size` in order to ensure success. // // It returns 1 on success or zero on error. // -// The |padding| argument must be one of the |RSA_*_PADDING| values. If in -// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. When |padding| is -// |RSA_PKCS1_OAEP_PADDING|, this function has no way to set the OAEP or MGF-1 -// digest, so it is always SHA-1. For other OAEP parameters, wrap |rsa| in an -// |EVP_PKEY| and use |EVP_PKEY_encrypt| with |EVP_PKEY_CTX_set_rsa_padding| and +// The `padding` argument must be one of the `RSA_*_PADDING` values. If in +// doubt, use `RSA_PKCS1_OAEP_PADDING` for new protocols. When `padding` is +// `RSA_PKCS1_OAEP_PADDING`, this function has no way to set the OAEP or MGF-1 +// digest, so it is always SHA-1. For other OAEP parameters, wrap `rsa` in an +// `EVP_PKEY` and use `EVP_PKEY_encrypt` with `EVP_PKEY_CTX_set_rsa_padding` and // related functions. 
OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); -// RSA_decrypt decrypts |in_len| bytes from |in| with the private key from -// |rsa| and writes, at most, |max_out| bytes of plaintext to |out|. The -// |max_out| argument must be, at least, |RSA_size| in order to ensure success. +// RSA_decrypt decrypts `in_len` bytes from `in` with the private key from +// `rsa` and writes, at most, `max_out` bytes of plaintext to `out`. The +// `max_out` argument must be, at least, `RSA_size` in order to ensure success. // // It returns 1 on success or zero on error. // -// The |padding| argument must be one of the |RSA_*_PADDING| values. If in -// doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. When |padding| is -// |RSA_PKCS1_OAEP_PADDING|, this function has no way to set the OAEP or MGF-1 -// digest, so it is always SHA-1. For other OAEP parameters, wrap |rsa| in an -// |EVP_PKEY| and use |EVP_PKEY_decrypt| with |EVP_PKEY_CTX_set_rsa_padding| and +// The `padding` argument must be one of the `RSA_*_PADDING` values. If in +// doubt, use `RSA_PKCS1_OAEP_PADDING` for new protocols. When `padding` is +// `RSA_PKCS1_OAEP_PADDING`, this function has no way to set the OAEP or MGF-1 +// digest, so it is always SHA-1. For other OAEP parameters, wrap `rsa` in an +// `EVP_PKEY` and use `EVP_PKEY_decrypt` with `EVP_PKEY_CTX_set_rsa_padding` and // related functions. // -// WARNING: Passing |RSA_PKCS1_PADDING| into this function is deprecated and +// WARNING: Passing `RSA_PKCS1_PADDING` into this function is deprecated and // insecure. RSAES-PKCS1-v1_5 is vulnerable to a chosen-ciphertext attack. // Decrypting attacker-supplied ciphertext with RSAES-PKCS1-v1_5 may give the // attacker control over your private key. See "Chosen Ciphertext Attacks 
@@ -263,42 +263,42 @@ OPENSSL_EXPORT int RSA_encrypt(RSA *rsa, size_t *out_len, uint8_t *out, // // In some limited cases, such as TLS RSA key exchange, it is possible to // mitigate this flaw with custom, protocol-specific padding logic. This -// should be implemented with |RSA_NO_PADDING|, not |RSA_PKCS1_PADDING|. +// should be implemented with `RSA_NO_PADDING`, not `RSA_PKCS1_PADDING`. OPENSSL_EXPORT int RSA_decrypt(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); -// RSA_public_encrypt encrypts |flen| bytes from |from| to the public key in -// |rsa| and writes the encrypted data to |to|. The |to| buffer must have at -// least |RSA_size| bytes of space. It returns the number of bytes written, or -// -1 on error. The |padding| argument must be one of the |RSA_*_PADDING| -// values. If in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. +// RSA_public_encrypt encrypts `flen` bytes from `from` to the public key in +// `rsa` and writes the encrypted data to `to`. The `to` buffer must have at +// least `RSA_size` bytes of space. It returns the number of bytes written, or +// -1 on error. The `padding` argument must be one of the `RSA_*_PADDING` +// values. If in doubt, use `RSA_PKCS1_OAEP_PADDING` for new protocols. // -// When |padding| is |RSA_PKCS1_OAEP_PADDING|, this function has no way to set +// When `padding` is `RSA_PKCS1_OAEP_PADDING`, this function has no way to set // the OAEP or MGF-1 digest, so it is always SHA-1. For other OAEP parameters, -// wrap |rsa| in an |EVP_PKEY| and use |EVP_PKEY_encrypt| with -// |EVP_PKEY_CTX_set_rsa_padding| and related functions. +// wrap `rsa` in an `EVP_PKEY` and use `EVP_PKEY_encrypt` with +// `EVP_PKEY_CTX_set_rsa_padding` and related functions. // // WARNING: this function is dangerous because it breaks the usual return value -// convention. Use |RSA_encrypt| instead. +// convention. Use `RSA_encrypt` instead. 
OPENSSL_EXPORT int RSA_public_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, int padding); -// RSA_private_decrypt decrypts |flen| bytes from |from| with the public key in -// |rsa| and writes the plaintext to |to|. The |to| buffer must have at least -// |RSA_size| bytes of space. It returns the number of bytes written, or -1 on -// error. The |padding| argument must be one of the |RSA_*_PADDING| values. If -// in doubt, use |RSA_PKCS1_OAEP_PADDING| for new protocols. Passing -// |RSA_PKCS1_PADDING| into this function is deprecated and insecure. See -// |RSA_decrypt|. +// RSA_private_decrypt decrypts `flen` bytes from `from` with the public key in +// `rsa` and writes the plaintext to `to`. The `to` buffer must have at least +// `RSA_size` bytes of space. It returns the number of bytes written, or -1 on +// error. The `padding` argument must be one of the `RSA_*_PADDING` values. If +// in doubt, use `RSA_PKCS1_OAEP_PADDING` for new protocols. Passing +// `RSA_PKCS1_PADDING` into this function is deprecated and insecure. See +// `RSA_decrypt`. // -// When |padding| is |RSA_PKCS1_OAEP_PADDING|, this function has no way to set +// When `padding` is `RSA_PKCS1_OAEP_PADDING`, this function has no way to set // the OAEP or MGF-1 digest, so it is always SHA-1. For other OAEP parameters, -// wrap |rsa| in an |EVP_PKEY| and use |EVP_PKEY_decrypt| with -// |EVP_PKEY_CTX_set_rsa_padding| and related functions. +// wrap `rsa` in an `EVP_PKEY` and use `EVP_PKEY_decrypt` with +// `EVP_PKEY_CTX_set_rsa_padding` and related functions. // // WARNING: this function is dangerous because it breaks the usual return value -// convention. Use |RSA_decrypt| instead. +// convention. Use `RSA_decrypt` instead. OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, int padding); 
@@ -308,19 +308,19 @@ OPENSSL_EXPORT int RSA_private_decrypt(size_t flen, const uint8_t *from, // These functions are considered non-mutating for thread-safety purposes and // may be used concurrently. -// RSA_sign signs |digest_len| bytes of digest from |digest| with |rsa| using -// RSASSA-PKCS1-v1_5. It writes, at most, |RSA_size(rsa)| bytes to |out|. On +// RSA_sign signs `digest_len` bytes of digest from `digest` with `rsa` using +// RSASSA-PKCS1-v1_5. It writes, at most, `RSA_size(rsa)` bytes to `out`. On // successful return, the actual number of bytes written is written to -// |*out_len|. +// `*out_len`. // -// The |hash_nid| argument identifies the hash function used to calculate -// |digest| and is embedded in the resulting signature. For example, it might be -// |NID_sha256|. +// The `hash_nid` argument identifies the hash function used to calculate +// `digest` and is embedded in the resulting signature. For example, it might be +// `NID_sha256`. // // It returns 1 on success and zero on error. // -// WARNING: |digest| must be the result of hashing the data to be signed with -// |hash_nid|. Passing unhashed inputs will not result in a secure signature +// WARNING: `digest` must be the result of hashing the data to be signed with +// `hash_nid`. Passing unhashed inputs will not result in a secure signature // scheme. OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest, size_t digest_len, uint8_t *out, unsigned *out_len, 
@@ -335,139 +335,139 @@ OPENSSL_EXPORT int RSA_sign(int hash_nid, const uint8_t *digest, // with FIPS 186-5. #define RSA_PSS_SALTLEN_AUTO (-2) -// RSA_sign_pss_mgf1 signs |digest_len| bytes from |digest| with the public key -// from |rsa| using RSASSA-PSS with MGF1 as the mask generation function. It -// writes, at most, |max_out| bytes of signature data to |out|. The |max_out| -// argument must be, at least, |RSA_size| in order to ensure success. It returns +// RSA_sign_pss_mgf1 signs `digest_len` bytes from `digest` with the public key +// from `rsa` using RSASSA-PSS with MGF1 as the mask generation function. It +// writes, at most, `max_out` bytes of signature data to `out`. The `max_out` +// argument must be, at least, `RSA_size` in order to ensure success. It returns // 1 on success or zero on error. // -// The |md| and |mgf1_md| arguments identify the hash used to calculate |digest| -// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is +// The `md` and `mgf1_md` arguments identify the hash used to calculate `digest` +// and the MGF1 hash, respectively. If `mgf1_md` is NULL, `md` is // used. // -// |salt_len| specifies the expected salt length in bytes. If |salt_len| is -// |RSA_PSS_SALTLEN_DIGEST|, then the salt length is the same as the hash -// length. If |RSA_PSS_SALTLEN_AUTO|, then the salt length is maximal given the -// size of |rsa|. If unsure, use |RSA_PSS_SALTLEN_DIGEST|. +// `salt_len` specifies the expected salt length in bytes. If `salt_len` is +// `RSA_PSS_SALTLEN_DIGEST`, then the salt length is the same as the hash +// length. If `RSA_PSS_SALTLEN_AUTO`, then the salt length is maximal given the +// size of `rsa`. If unsure, use `RSA_PSS_SALTLEN_DIGEST`. // -// WARNING: |digest| must be the result of hashing the data to be signed with -// |md|. Passing unhashed inputs will not result in a secure signature scheme. +// WARNING: `digest` must be the result of hashing the data to be signed with +// `md`. 
Passing unhashed inputs will not result in a secure signature scheme. OPENSSL_EXPORT int RSA_sign_pss_mgf1(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *digest, size_t digest_len, const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len); // RSA_sign_raw performs the private key portion of computing a signature with -// |rsa|. It writes, at most, |max_out| bytes of signature data to |out|. The -// |max_out| argument must be, at least, |RSA_size| in order to ensure the +// `rsa`. It writes, at most, `max_out` bytes of signature data to `out`. The +// `max_out` argument must be, at least, `RSA_size` in order to ensure the // output fits. It returns 1 on success or zero on error. // -// If |padding| is |RSA_PKCS1_PADDING|, this function wraps |in| with the +// If `padding` is `RSA_PKCS1_PADDING`, this function wraps `in` with the // padding portion of RSASSA-PKCS1-v1_5 and then performs the raw private key // operation. The caller is responsible for hashing the input and wrapping it in // a DigestInfo structure. // -// If |padding| is |RSA_NO_PADDING|, this function only performs the raw private -// key operation, interpreting |in| as a integer modulo n. The caller is +// If `padding` is `RSA_NO_PADDING`, this function only performs the raw private +// key operation, interpreting `in` as a integer modulo n. The caller is // responsible for hashing the input and encoding it for the signature scheme // being implemented. // // WARNING: This function is a building block for a signature scheme, not a -// complete one. |in| must be the result of hashing and encoding the data as +// complete one. `in` must be the result of hashing and encoding the data as // needed for the scheme being implemented. Passing in arbitrary inputs will not // result in a secure signature scheme. 
OPENSSL_EXPORT int RSA_sign_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); -// RSA_verify verifies that |sig_len| bytes from |sig| are a valid, -// RSASSA-PKCS1-v1_5 signature of |digest_len| bytes at |digest| by |rsa|. +// RSA_verify verifies that `sig_len` bytes from `sig` are a valid, +// RSASSA-PKCS1-v1_5 signature of `digest_len` bytes at `digest` by `rsa`. // -// The |hash_nid| argument identifies the hash function used to calculate -// |digest| and is embedded in the resulting signature in order to prevent hash -// confusion attacks. For example, it might be |NID_sha256|. +// The `hash_nid` argument identifies the hash function used to calculate +// `digest` and is embedded in the resulting signature in order to prevent hash +// confusion attacks. For example, it might be `NID_sha256`. // // It returns one if the signature is valid and zero otherwise. // // WARNING: this differs from the original, OpenSSL function which additionally // returned -1 on error. // -// WARNING: |digest| must be the result of hashing the data to be verified with -// |hash_nid|. Passing unhashed input will not result in a secure signature +// WARNING: `digest` must be the result of hashing the data to be verified with +// `hash_nid`. Passing unhashed input will not result in a secure signature // scheme. OPENSSL_EXPORT int RSA_verify(int hash_nid, const uint8_t *digest, size_t digest_len, const uint8_t *sig, size_t sig_len, RSA *rsa); -// RSA_verify_pss_mgf1 verifies that |sig_len| bytes from |sig| are a valid, -// RSASSA-PSS signature of |digest_len| bytes at |digest| by |rsa|. It returns +// RSA_verify_pss_mgf1 verifies that `sig_len` bytes from `sig` are a valid, +// RSASSA-PSS signature of `digest_len` bytes at `digest` by `rsa`. It returns // one if the signature is valid and zero otherwise. MGF1 is used as the mask // generation function. 
// -// The |md| and |mgf1_md| arguments identify the hash used to calculate |digest| -// and the MGF1 hash, respectively. If |mgf1_md| is NULL, |md| is -// used. |salt_len| specifies the expected salt length in bytes. +// The `md` and `mgf1_md` arguments identify the hash used to calculate `digest` +// and the MGF1 hash, respectively. If `mgf1_md` is NULL, `md` is +// used. `salt_len` specifies the expected salt length in bytes. // -// If |salt_len| is |RSA_PSS_SALTLEN_DIGEST|, then the salt length is the same -// as the hash length. If |RSA_PSS_SALTLEN_AUTO|, then the salt length is -// recovered and all values accepted. If unsure, use |RSA_PSS_SALTLEN_DIGEST|. +// If `salt_len` is `RSA_PSS_SALTLEN_DIGEST`, then the salt length is the same +// as the hash length. If `RSA_PSS_SALTLEN_AUTO`, then the salt length is +// recovered and all values accepted. If unsure, use `RSA_PSS_SALTLEN_DIGEST`. // -// WARNING: |digest| must be the result of hashing the data to be verified with -// |md|. Passing unhashed input will not result in a secure signature scheme. +// WARNING: `digest` must be the result of hashing the data to be verified with +// `md`. Passing unhashed input will not result in a secure signature scheme. OPENSSL_EXPORT int RSA_verify_pss_mgf1(RSA *rsa, const uint8_t *digest, size_t digest_len, const EVP_MD *md, const EVP_MD *mgf1_md, int salt_len, const uint8_t *sig, size_t sig_len); -// RSA_verify_raw performs the public key portion of verifying |in_len| bytes of -// signature from |in| using the public key from |rsa|. On success, it returns -// one and writes, at most, |max_out| bytes of output to |out|. The |max_out| -// argument must be, at least, |RSA_size| in order to ensure the output fits. On +// RSA_verify_raw performs the public key portion of verifying `in_len` bytes of +// signature from `in` using the public key from `rsa`. On success, it returns +// one and writes, at most, `max_out` bytes of output to `out`. 
The `max_out` +// argument must be, at least, `RSA_size` in order to ensure the output fits. On // failure or invalid input, it returns zero. // -// If |padding| is |RSA_PKCS1_PADDING|, this function checks the padding portion +// If `padding` is `RSA_PKCS1_PADDING`, this function checks the padding portion // of RSASSA-PKCS1-v1_5 and outputs the remainder of the encoded digest. The // caller is responsible for checking the output is a DigestInfo-wrapped digest // of the message. // -// If |padding| is |RSA_NO_PADDING|, this function only performs the raw public +// If `padding` is `RSA_NO_PADDING`, this function only performs the raw public // key operation. The caller is responsible for checking the output is a valid // result for the signature scheme being implemented. // // WARNING: This function is a building block for a signature scheme, not a -// complete one. Checking for arbitrary strings in |out| will not result in a +// complete one. Checking for arbitrary strings in `out` will not result in a // secure signature scheme. OPENSSL_EXPORT int RSA_verify_raw(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); // RSA_private_encrypt performs the private key portion of computing a signature -// with |rsa|. It takes |flen| bytes from |from| as input and writes the result -// to |to|. The |to| buffer must have at least |RSA_size| bytes of space. It +// with `rsa`. It takes `flen` bytes from `from` as input and writes the result +// to `to`. The `to` buffer must have at least `RSA_size` bytes of space. It // returns the number of bytes written, or -1 on error. // -// For the interpretation of |padding| and the input, see |RSA_sign_raw|. +// For the interpretation of `padding` and the input, see `RSA_sign_raw`. // // WARNING: This function is a building block for a signature scheme, not a -// complete one. See |RSA_sign_raw| for details. +// complete one. See `RSA_sign_raw` for details. 
// // WARNING: This function is dangerous because it breaks the usual return value -// convention. Use |RSA_sign_raw| instead. +// convention. Use `RSA_sign_raw` instead. OPENSSL_EXPORT int RSA_private_encrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, int padding); -// RSA_public_decrypt performs the public key portion of verifying |flen| bytes -// of signature from |from| using the public key from |rsa|. It writes the -// result to |to|, which must have at least |RSA_size| bytes of space. It +// RSA_public_decrypt performs the public key portion of verifying `flen` bytes +// of signature from `from` using the public key from `rsa`. It writes the +// result to `to`, which must have at least `RSA_size` bytes of space. It // returns the number of bytes written, or -1 on error. // -// For the interpretation of |padding| and the result, see |RSA_verify_raw|. +// For the interpretation of `padding` and the result, see `RSA_verify_raw`. // // WARNING: This function is a building block for a signature scheme, not a -// complete one. See |RSA_verify_raw| for details. +// complete one. See `RSA_verify_raw` for details. // // WARNING: This function is dangerous because it breaks the usual return value -// convention. Use |RSA_verify_raw| instead. +// convention. Use `RSA_verify_raw` instead. OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from, uint8_t *to, RSA *rsa, int padding); 
@@ -475,36 +475,36 @@ OPENSSL_EXPORT int RSA_public_decrypt(size_t flen, const uint8_t *from,
 // Utility functions.
 // RSA_size returns the number of bytes in the modulus, which is also the size
-// of a signature or encrypted value using |rsa|.
+// of a signature or encrypted value using `rsa`.
 OPENSSL_EXPORT unsigned RSA_size(const RSA *rsa);
-// RSA_is_opaque returns one if |rsa| is opaque and doesn't expose its key
+// RSA_is_opaque returns one if `rsa` is opaque and doesn't expose its key
 // material. Otherwise it returns zero.
 OPENSSL_EXPORT int RSA_is_opaque(const RSA *rsa);
-// RSAPublicKey_dup allocates a fresh |RSA| and copies the public key from
-// |rsa| into it. It returns the fresh |RSA| object, or NULL on error.
+// RSAPublicKey_dup allocates a fresh `RSA` and copies the public key from
+// `rsa` into it. It returns the fresh `RSA` object, or NULL on error.
 OPENSSL_EXPORT RSA *RSAPublicKey_dup(const RSA *rsa);
-// RSAPrivateKey_dup allocates a fresh |RSA| and copies the private key from
-// |rsa| into it. It returns the fresh |RSA| object, or NULL on error.
+// RSAPrivateKey_dup allocates a fresh `RSA` and copies the private key from
+// `rsa` into it. It returns the fresh `RSA` object, or NULL on error.
 OPENSSL_EXPORT RSA *RSAPrivateKey_dup(const RSA *rsa);
-// RSA_check_key performs basic validity tests on |rsa|. It returns one if
+// RSA_check_key performs basic validity tests on `rsa`. It returns one if
 // they pass and zero otherwise. Opaque keys and public keys always pass. If it
 // returns zero then a more detailed error is available on the error queue.
 OPENSSL_EXPORT int RSA_check_key(const RSA *rsa);
-// RSA_check_fips performs public key validity tests on |key|. It returns one if
+// RSA_check_fips performs public key validity tests on `key`. It returns one if
 // they pass and zero otherwise. Opaque keys always fail. This function does not
-// mutate |rsa| for thread-safety purposes and may be used concurrently.
+// mutate `rsa` for thread-safety purposes and may be used concurrently.
 OPENSSL_EXPORT int RSA_check_fips(RSA *key);
-// RSA_verify_PKCS1_PSS_mgf1 verifies that |EM| is a correct PSS padding of
-// |mHash|, where |mHash| is a digest produced by |Hash|. |EM| must point to
-// exactly |RSA_size(rsa)| bytes of data. The |mgf1Hash| argument specifies the
-// hash function for generating the mask. If NULL, |Hash| is used. The |sLen|
-// argument specifies the expected salt length in bytes. If |sLen| is -1 then
+// RSA_verify_PKCS1_PSS_mgf1 verifies that `EM` is a correct PSS padding of
+// `mHash`, where `mHash` is a digest produced by `Hash`. `EM` must point to
+// exactly `RSA_size(rsa)` bytes of data. The `mgf1Hash` argument specifies the
+// hash function for generating the mask. If NULL, `Hash` is used. The `sLen`
+// argument specifies the expected salt length in bytes. If `sLen` is -1 then
 // the salt length is the same as the hash length. If -2, then the salt length
 // is recovered and all values accepted.
 //
@@ -513,34 +513,34 @@ OPENSSL_EXPORT int RSA_check_fips(RSA *key); // It returns one on success or zero on error. // // This function implements only the low-level padding logic. Use -// |RSA_verify_pss_mgf1| instead. +// `RSA_verify_pss_mgf1` instead. OPENSSL_EXPORT int RSA_verify_PKCS1_PSS_mgf1(const RSA *rsa, const uint8_t *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash, const uint8_t *EM, int sLen); -// RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of |mHash| to |EM|, -// where |mHash| is a digest produced by |Hash|. |RSA_size(rsa)| bytes of -// output will be written to |EM|. The |mgf1Hash| argument specifies the hash -// function for generating the mask. If NULL, |Hash| is used. The |sLen| -// argument specifies the expected salt length in bytes. If |sLen| is -1 then +// RSA_padding_add_PKCS1_PSS_mgf1 writes a PSS padding of `mHash` to `EM`, +// where `mHash` is a digest produced by `Hash`. `RSA_size(rsa)` bytes of +// output will be written to `EM`. The `mgf1Hash` argument specifies the hash +// function for generating the mask. If NULL, `Hash` is used. The `sLen` +// argument specifies the expected salt length in bytes. If `sLen` is -1 then // the salt length is the same as the hash length. If -2, then the salt length -// is maximal given the space in |EM|. +// is maximal given the space in `EM`. // // It returns one on success or zero on error. // // This function implements only the low-level padding logic. Use -// |RSA_sign_pss_mgf1| instead. +// `RSA_sign_pss_mgf1` instead. OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS_mgf1(const RSA *rsa, uint8_t *EM, const uint8_t *mHash, const EVP_MD *Hash, const EVP_MD *mgf1Hash, int sLen); -// RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of |from| to |to| -// with the given parameters and hash functions. If |md| is NULL then SHA-1 is -// used. 
If |mgf1md| is NULL then the value of |md| is used (which means SHA-1 +// RSA_padding_add_PKCS1_OAEP_mgf1 writes an OAEP padding of `from` to `to` +// with the given parameters and hash functions. If `md` is NULL then SHA-1 is +// used. If `mgf1md` is NULL then the value of `md` is used (which means SHA-1 // if that, in turn, is NULL). // // It returns one on success or zero on error. @@ -549,10 +549,10 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP_mgf1( const uint8_t *param, size_t param_len, const EVP_MD *md, const EVP_MD *mgf1md); -// RSA_add_pkcs1_prefix builds a version of |digest| prefixed with the -// DigestInfo header for the given hash function and sets |out_msg| to point to -// it. On successful return, if |*is_alloced| is one, the caller must release -// |*out_msg| with |OPENSSL_free|. +// RSA_add_pkcs1_prefix builds a version of `digest` prefixed with the +// DigestInfo header for the given hash function and sets `out_msg` to point to +// it. On successful return, if `*is_alloced` is one, the caller must release +// `*out_msg` with `OPENSSL_free`. OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, int *is_alloced, int hash_nid, const uint8_t *digest, 
@@ -562,45 +562,45 @@ OPENSSL_EXPORT int RSA_add_pkcs1_prefix(uint8_t **out_msg, size_t *out_msg_len, // ASN.1 functions. // RSA_parse_public_key parses a DER-encoded RSAPublicKey structure (RFC 8017) -// from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on +// from `cbs` and advances `cbs`. It returns a newly-allocated `RSA` or NULL on // error. OPENSSL_EXPORT RSA *RSA_parse_public_key(CBS *cbs); -// RSA_public_key_from_bytes parses |in| as a DER-encoded RSAPublicKey structure -// (RFC 8017). It returns a newly-allocated |RSA| or NULL on error. +// RSA_public_key_from_bytes parses `in` as a DER-encoded RSAPublicKey structure +// (RFC 8017). It returns a newly-allocated `RSA` or NULL on error. OPENSSL_EXPORT RSA *RSA_public_key_from_bytes(const uint8_t *in, size_t in_len); -// RSA_marshal_public_key marshals |rsa| as a DER-encoded RSAPublicKey structure -// (RFC 8017) and appends the result to |cbb|. It returns one on success and +// RSA_marshal_public_key marshals `rsa` as a DER-encoded RSAPublicKey structure +// (RFC 8017) and appends the result to `cbb`. It returns one on success and // zero on failure. OPENSSL_EXPORT int RSA_marshal_public_key(CBB *cbb, const RSA *rsa); -// RSA_public_key_to_bytes marshals |rsa| as a DER-encoded RSAPublicKey -// structure (RFC 8017) and, on success, sets |*out_bytes| to a newly allocated +// RSA_public_key_to_bytes marshals `rsa` as a DER-encoded RSAPublicKey +// structure (RFC 8017) and, on success, sets `*out_bytes` to a newly allocated // buffer containing the result and returns one. Otherwise, it returns zero. The -// result should be freed with |OPENSSL_free|. +// result should be freed with `OPENSSL_free`. OPENSSL_EXPORT int RSA_public_key_to_bytes(uint8_t **out_bytes, size_t *out_len, const RSA *rsa); // RSA_parse_private_key parses a DER-encoded RSAPrivateKey structure (RFC 8017) -// from |cbs| and advances |cbs|. It returns a newly-allocated |RSA| or NULL on +// from `cbs` and advances `cbs`. 
It returns a newly-allocated `RSA` or NULL on // error. OPENSSL_EXPORT RSA *RSA_parse_private_key(CBS *cbs); -// RSA_private_key_from_bytes parses |in| as a DER-encoded RSAPrivateKey -// structure (RFC 8017). It returns a newly-allocated |RSA| or NULL on error. +// RSA_private_key_from_bytes parses `in` as a DER-encoded RSAPrivateKey +// structure (RFC 8017). It returns a newly-allocated `RSA` or NULL on error. OPENSSL_EXPORT RSA *RSA_private_key_from_bytes(const uint8_t *in, size_t in_len); -// RSA_marshal_private_key marshals |rsa| as a DER-encoded RSAPrivateKey -// structure (RFC 8017) and appends the result to |cbb|. It returns one on +// RSA_marshal_private_key marshals `rsa` as a DER-encoded RSAPrivateKey +// structure (RFC 8017) and appends the result to `cbb`. It returns one on // success and zero on failure. OPENSSL_EXPORT int RSA_marshal_private_key(CBB *cbb, const RSA *rsa); -// RSA_private_key_to_bytes marshals |rsa| as a DER-encoded RSAPrivateKey -// structure (RFC 8017) and, on success, sets |*out_bytes| to a newly allocated +// RSA_private_key_to_bytes marshals `rsa` as a DER-encoded RSAPrivateKey +// structure (RFC 8017) and, on success, sets `*out_bytes` to a newly allocated // buffer containing the result and returns one. Otherwise, it returns zero. The -// result should be freed with |OPENSSL_free|. +// result should be freed with `OPENSSL_free`. OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, size_t *out_len, const RSA *rsa); @@ -610,7 +610,7 @@ OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, // These functions allow creating RSA keys with obscure combinations of // parameters. -// RSA_new_private_key_no_crt behaves like |RSA_new_private_key| but constructs +// RSA_new_private_key_no_crt behaves like `RSA_new_private_key` but constructs // an RSA key without CRT coefficients. // // Keys created by this function will be less performant and cannot be 
@@ -618,7 +618,7 @@ OPENSSL_EXPORT int RSA_private_key_to_bytes(uint8_t **out_bytes, OPENSSL_EXPORT RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, const BIGNUM *d); -// RSA_new_private_key_no_e behaves like |RSA_new_private_key| but constructs an +// RSA_new_private_key_no_e behaves like `RSA_new_private_key` but constructs an // RSA key without CRT parameters or public exponent. // // Keys created by this function will be less performant, cannot be serialized, @@ -626,21 +626,21 @@ OPENSSL_EXPORT RSA *RSA_new_private_key_no_crt(const BIGNUM *n, const BIGNUM *e, // attacks. OPENSSL_EXPORT RSA *RSA_new_private_key_no_e(const BIGNUM *n, const BIGNUM *d); -// RSA_new_public_key_large_e behaves like |RSA_new_public_key| but allows any -// |e| up to |n|. +// RSA_new_public_key_large_e behaves like `RSA_new_public_key` but allows any +// `e` up to `n`. // // BoringSSL typically bounds public exponents as a denial-of-service // mitigation. Keys created by this function may perform worse than those -// created by |RSA_new_public_key|. +// created by `RSA_new_public_key`. OPENSSL_EXPORT RSA *RSA_new_public_key_large_e(const BIGNUM *n, const BIGNUM *e); -// RSA_new_private_key_large_e behaves like |RSA_new_private_key| but allows any -// |e| up to |n|. +// RSA_new_private_key_large_e behaves like `RSA_new_private_key` but allows any +// `e` up to `n`. // // BoringSSL typically bounds public exponents as a denial-of-service // mitigation. Keys created by this function may perform worse than those -// created by |RSA_new_private_key|. +// created by `RSA_new_private_key`. OPENSSL_EXPORT RSA *RSA_new_private_key_large_e( const BIGNUM *n, const BIGNUM *e, const BIGNUM *d, const BIGNUM *p, const BIGNUM *q, const BIGNUM *dmp1, const BIGNUM *dmq1, 
@@ -649,7 +649,7 @@ OPENSSL_EXPORT RSA *RSA_new_private_key_large_e( // ex_data functions. // -// See |ex_data.h| for details. +// See `ex_data.h` for details. OPENSSL_EXPORT int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, @@ -674,12 +674,12 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx); // RSA_FLAG_NO_PUBLIC_EXPONENT indicates that private keys without a public // exponent are allowed. This is an internal constant. Use -// |RSA_new_private_key_no_e| to construct such keys. +// `RSA_new_private_key_no_e` to construct such keys. #define RSA_FLAG_NO_PUBLIC_EXPONENT 0x40 // RSA_FLAG_LARGE_PUBLIC_EXPONENT indicates that keys with a large public // exponent are allowed. This is an internal constant. Use -// |RSA_new_public_key_large_e| and |RSA_new_private_key_large_e| to construct +// `RSA_new_public_key_large_e` and `RSA_new_private_key_large_e` to construct // such keys. #define RSA_FLAG_LARGE_PUBLIC_EXPONENT 0x80 @@ -694,11 +694,11 @@ OPENSSL_EXPORT void *RSA_get_ex_data(const RSA *rsa, int idx); #define RSA_METHOD_FLAG_NO_CHECK RSA_FLAG_OPAQUE -// RSA_flags returns the flags for |rsa|. These are a bitwise OR of |RSA_FLAG_*| +// RSA_flags returns the flags for `rsa`. These are a bitwise OR of `RSA_FLAG_*` // constants. OPENSSL_EXPORT int RSA_flags(const RSA *rsa); -// RSA_test_flags returns the subset of flags in |flags| which are set in |rsa|. +// RSA_test_flags returns the subset of flags in `flags` which are set in `rsa`. OPENSSL_EXPORT int RSA_test_flags(const RSA *rsa, int flags); // RSA_blinding_on returns one. 
@@ -707,57 +707,57 @@ OPENSSL_EXPORT int RSA_blinding_on(RSA *rsa, BN_CTX *ctx); // RSA_blinding_off does nothing. OPENSSL_EXPORT void RSA_blinding_off(RSA *rsa); -// RSA_generate_key behaves like |RSA_generate_key_ex|, which is what you -// should use instead. It returns NULL on error, or a newly-allocated |RSA| on -// success. This function is provided for compatibility only. The |callback| -// and |cb_arg| parameters must be NULL. +// RSA_generate_key behaves like `RSA_generate_key_ex`, which is what you +// should use instead. It returns NULL on error, or a newly-allocated `RSA` on +// success. This function is provided for compatibility only. The `callback` +// and `cb_arg` parameters must be NULL. OPENSSL_EXPORT RSA *RSA_generate_key(int bits, uint64_t e, void *callback, void *cb_arg); // d2i_RSAPublicKey parses a DER-encoded RSAPublicKey structure (RFC 8017) from -// |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// `len` bytes at `*inp`, as described in `d2i_SAMPLE`. // -// Use |RSA_parse_public_key| instead. +// Use `RSA_parse_public_key` instead. OPENSSL_EXPORT RSA *d2i_RSAPublicKey(RSA **out, const uint8_t **inp, long len); -// i2d_RSAPublicKey marshals |in| to a DER-encoded RSAPublicKey structure (RFC -// 8017), as described in |i2d_SAMPLE|. +// i2d_RSAPublicKey marshals `in` to a DER-encoded RSAPublicKey structure (RFC +// 8017), as described in `i2d_SAMPLE`. // -// Use |RSA_marshal_public_key| instead. +// Use `RSA_marshal_public_key` instead. OPENSSL_EXPORT int i2d_RSAPublicKey(const RSA *in, uint8_t **outp); // d2i_RSAPrivateKey parses a DER-encoded RSAPrivateKey structure (RFC 8017) -// from |len| bytes at |*inp|, as described in |d2i_SAMPLE|. +// from `len` bytes at `*inp`, as described in `d2i_SAMPLE`. // -// Use |RSA_parse_private_key| instead. +// Use `RSA_parse_private_key` instead. 
OPENSSL_EXPORT RSA *d2i_RSAPrivateKey(RSA **out, const uint8_t **inp, long len); -// i2d_RSAPrivateKey marshals |in| to a DER-encoded RSAPrivateKey structure (RFC -// 8017), as described in |i2d_SAMPLE|. +// i2d_RSAPrivateKey marshals `in` to a DER-encoded RSAPrivateKey structure (RFC +// 8017), as described in `i2d_SAMPLE`. // -// Use |RSA_marshal_private_key| instead. +// Use `RSA_marshal_private_key` instead. OPENSSL_EXPORT int i2d_RSAPrivateKey(const RSA *in, uint8_t **outp); -// RSA_padding_add_PKCS1_PSS acts like |RSA_padding_add_PKCS1_PSS_mgf1| but the -// |mgf1Hash| parameter of the latter is implicitly set to |Hash|. +// RSA_padding_add_PKCS1_PSS acts like `RSA_padding_add_PKCS1_PSS_mgf1` but the +// `mgf1Hash` parameter of the latter is implicitly set to `Hash`. // // This function implements only the low-level padding logic. Use -// |RSA_sign_pss_mgf1| instead. +// `RSA_sign_pss_mgf1` instead. OPENSSL_EXPORT int RSA_padding_add_PKCS1_PSS(const RSA *rsa, uint8_t *EM, const uint8_t *mHash, const EVP_MD *Hash, int sLen); -// RSA_verify_PKCS1_PSS acts like |RSA_verify_PKCS1_PSS_mgf1| but the -// |mgf1Hash| parameter of the latter is implicitly set to |Hash|. +// RSA_verify_PKCS1_PSS acts like `RSA_verify_PKCS1_PSS_mgf1` but the +// `mgf1Hash` parameter of the latter is implicitly set to `Hash`. // // This function implements only the low-level padding logic. Use -// |RSA_verify_pss_mgf1| instead. +// `RSA_verify_pss_mgf1` instead. OPENSSL_EXPORT int RSA_verify_PKCS1_PSS(const RSA *rsa, const uint8_t *mHash, const EVP_MD *Hash, const uint8_t *EM, int sLen); -// RSA_padding_add_PKCS1_OAEP acts like |RSA_padding_add_PKCS1_OAEP_mgf1| but -// the |md| and |mgf1md| parameters of the latter are implicitly set to NULL, +// RSA_padding_add_PKCS1_OAEP acts like `RSA_padding_add_PKCS1_OAEP_mgf1` but +// the `md` and `mgf1md` parameters of the latter are implicitly set to NULL, // which means SHA-1. 
OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, const uint8_t *from, @@ -765,22 +765,22 @@ OPENSSL_EXPORT int RSA_padding_add_PKCS1_OAEP(uint8_t *to, size_t to_len, const uint8_t *param, size_t param_len); -// RSA_print prints a textual representation of |rsa| to |bio|. It returns one +// RSA_print prints a textual representation of `rsa` to `bio`. It returns one // on success or zero otherwise. OPENSSL_EXPORT int RSA_print(BIO *bio, const RSA *rsa, int indent); // RSA_get0_pss_params returns NULL. In OpenSSL, this function retries RSA-PSS -// parameters associated with |RSA| objects, but BoringSSL does not enable the +// parameters associated with `RSA` objects, but BoringSSL does not enable the // id-RSASSA-PSS key encoding by default. // // WARNING: BoringSSL does support id-RSASSA-PSS parameters when callers opt in -// (see |EVP_pkey_rsa_pss_sha256| and others). We currently assume such callers +// (see `EVP_pkey_rsa_pss_sha256` and others). We currently assume such callers // do not need this function. Callers that opt into id-RSASSA-PSS support and // require this functionality should contact the BoringSSL team. OPENSSL_EXPORT const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *rsa); -// RSA_new_method_no_e returns a newly-allocated |RSA| object backed by -// |engine|, with a public modulus of |n| and no known public exponent. +// RSA_new_method_no_e returns a newly-allocated `RSA` object backed by +// `engine`, with a public modulus of `n` and no known public exponent. // // Do not use this function. It exists only to support Conscrypt, whose use // should be replaced with a more sound mechanism. See 
@@ -799,17 +799,17 @@ struct rsa_meth_st { int (*sign)(int type, const uint8_t *m, unsigned int m_length, uint8_t *sigret, unsigned int *siglen, const RSA *rsa); - // These functions mirror the |RSA_*| functions of the same name. + // These functions mirror the `RSA_*` functions of the same name. int (*sign_raw)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); int (*decrypt)(RSA *rsa, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); - // private_transform takes a big-endian integer from |in|, calculates the + // private_transform takes a big-endian integer from `in`, calculates the // d'th power of it, modulo the RSA modulus and writes the result as a - // big-endian integer to |out|. Both |in| and |out| are |len| bytes long and - // |len| is always equal to |RSA_size(rsa)|. If the result of the transform - // can be represented in fewer than |len| bytes, then |out| must be zero + // big-endian integer to `out`. Both `in` and `out` are `len` bytes long and + // `len` is always equal to `RSA_size(rsa)`. If the result of the transform + // can be represented in fewer than `len` bytes, then `out` must be zero // padded on the left. // // It returns one on success and zero otherwise. diff --git a/third_party/boringssl/src/include/openssl/sha.h b/third_party/boringssl/src/include/openssl/sha.h index ba17bfaa..a09889f4 100644 --- a/third_party/boringssl/src/include/openssl/sha.h +++ b/third_party/boringssl/src/include/openssl/sha.h 
@@ -38,26 +38,26 @@ extern "C" { // SHA_DIGEST_LENGTH is the length of a SHA-1 digest. #define SHA_DIGEST_LENGTH 20 -// SHA1_Init initialises |sha| and returns one. +// SHA1_Init initialises `sha` and returns one. OPENSSL_EXPORT int SHA1_Init(SHA_CTX *sha); -// SHA1_Update adds |len| bytes from |data| to |sha| and returns one. +// SHA1_Update adds `len` bytes from `data` to `sha` and returns one. OPENSSL_EXPORT int SHA1_Update(SHA_CTX *sha, const void *data, size_t len); -// SHA1_Final adds the final padding to |sha| and writes the resulting digest to -// |out|, which must have at least |SHA_DIGEST_LENGTH| bytes of space. It +// SHA1_Final adds the final padding to `sha` and writes the resulting digest to +// `out`, which must have at least `SHA_DIGEST_LENGTH` bytes of space. It // returns one. OPENSSL_EXPORT int SHA1_Final(uint8_t out[SHA_DIGEST_LENGTH], SHA_CTX *sha); -// SHA1 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |SHA_DIGEST_LENGTH| bytes of space in -// |out|. +// SHA1 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `SHA_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *SHA1(const uint8_t *data, size_t len, uint8_t out[SHA_DIGEST_LENGTH]); // SHA1_Transform is a low-level function that performs a single, SHA-1 block -// transformation using the state from |sha| and |SHA_CBLOCK| bytes from -// |block|. +// transformation using the state from `sha` and `SHA_CBLOCK` bytes from +// `block`. OPENSSL_EXPORT void SHA1_Transform(SHA_CTX *sha, const uint8_t block[SHA_CBLOCK]); 
@@ -65,7 +65,7 @@ struct sha_state_st { #if defined(__cplusplus) || defined(OPENSSL_WINDOWS) uint32_t h[5]; #else - // wpa_supplicant accesses |h0|..|h4| so we must support those names for + // wpa_supplicant accesses `h0`..`h4` so we must support those names for // compatibility with it until it can be updated. Anonymous unions are only // standard in C11, so disable this workaround in C++. union { @@ -84,14 +84,14 @@ struct sha_state_st { unsigned num; } /* SHA_CTX */; -// CRYPTO_fips_186_2_prf derives |out_len| bytes from |xkey| using the PRF +// CRYPTO_fips_186_2_prf derives `out_len` bytes from `xkey` using the PRF // defined in FIPS 186-2, Appendix 3.1, with change notice 1 applied. The b // parameter is 160 and seed, XKEY, is also 160 bits. The optional XSEED user // input is all zeros. // // The PRF generates a sequence of 320-bit numbers. Each number is encoded as a -// 40-byte string in big-endian and then concatenated to form |out|. If -// |out_len| is not a multiple of 40, the result is truncated. This matches the +// 40-byte string in big-endian and then concatenated to form `out`. If +// `out_len` is not a multiple of 40, the result is truncated. This matches the // construction used in Section 7 of RFC 4186 and Section 7 of RFC 4187. // // This PRF is based on SHA-1, a weak hash function, and should not be used diff --git a/third_party/boringssl/src/include/openssl/sha2.h b/third_party/boringssl/src/include/openssl/sha2.h index 7bb3f21a..349d280b 100644 --- a/third_party/boringssl/src/include/openssl/sha2.h +++ b/third_party/boringssl/src/include/openssl/sha2.h 
@@ -33,21 +33,21 @@ extern "C" { // SHA224_DIGEST_LENGTH is the length of a SHA-224 digest. #define SHA224_DIGEST_LENGTH 28 -// SHA224_Init initialises |sha| and returns 1. +// SHA224_Init initialises `sha` and returns 1. OPENSSL_EXPORT int SHA224_Init(SHA256_CTX *sha); -// SHA224_Update adds |len| bytes from |data| to |sha| and returns 1. +// SHA224_Update adds `len` bytes from `data` to `sha` and returns 1. OPENSSL_EXPORT int SHA224_Update(SHA256_CTX *sha, const void *data, size_t len); -// SHA224_Final adds the final padding to |sha| and writes the resulting digest -// to |out|, which must have at least |SHA224_DIGEST_LENGTH| bytes of space. It +// SHA224_Final adds the final padding to `sha` and writes the resulting digest +// to `out`, which must have at least `SHA224_DIGEST_LENGTH` bytes of space. It // returns 1. OPENSSL_EXPORT int SHA224_Final(uint8_t out[SHA224_DIGEST_LENGTH], SHA256_CTX *sha); -// SHA224 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |SHA224_DIGEST_LENGTH| bytes of space in -// |out|. +// SHA224 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `SHA224_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *SHA224(const uint8_t *data, size_t len, uint8_t out[SHA224_DIGEST_LENGTH]); 
@@ -60,33 +60,33 @@ OPENSSL_EXPORT uint8_t *SHA224(const uint8_t *data, size_t len, // SHA256_DIGEST_LENGTH is the length of a SHA-256 digest. #define SHA256_DIGEST_LENGTH 32 -// SHA256_Init initialises |sha| and returns 1. +// SHA256_Init initialises `sha` and returns 1. OPENSSL_EXPORT int SHA256_Init(SHA256_CTX *sha); -// SHA256_Update adds |len| bytes from |data| to |sha| and returns 1. +// SHA256_Update adds `len` bytes from `data` to `sha` and returns 1. OPENSSL_EXPORT int SHA256_Update(SHA256_CTX *sha, const void *data, size_t len); -// SHA256_Final adds the final padding to |sha| and writes the resulting digest -// to |out|, which must have at least |SHA256_DIGEST_LENGTH| bytes of space. It +// SHA256_Final adds the final padding to `sha` and writes the resulting digest +// to `out`, which must have at least `SHA256_DIGEST_LENGTH` bytes of space. It // returns one on success and zero on programmer error. OPENSSL_EXPORT int SHA256_Final(uint8_t out[SHA256_DIGEST_LENGTH], SHA256_CTX *sha); -// SHA256 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |SHA256_DIGEST_LENGTH| bytes of space in -// |out|. +// SHA256 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `SHA256_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *SHA256(const uint8_t *data, size_t len, uint8_t out[SHA256_DIGEST_LENGTH]); // SHA256_Transform is a low-level function that performs a single, SHA-256 -// block transformation using the state from |sha| and |SHA256_CBLOCK| bytes -// from |block|. +// block transformation using the state from `sha` and `SHA256_CBLOCK` bytes +// from `block`. OPENSSL_EXPORT void SHA256_Transform(SHA256_CTX *sha, const uint8_t block[SHA256_CBLOCK]); -// SHA256_TransformBlocks is a low-level function that takes |num_blocks| * -// |SHA256_CBLOCK| bytes of data and performs SHA-256 transforms on it to update -// |state|. 
You should not use this function unless you are implementing a +// SHA256_TransformBlocks is a low-level function that takes `num_blocks` * +// `SHA256_CBLOCK` bytes of data and performs SHA-256 transforms on it to update +// `state`. You should not use this function unless you are implementing a // derivative of SHA-256. OPENSSL_EXPORT void SHA256_TransformBlocks(uint32_t state[8], const uint8_t *data, @@ -108,21 +108,21 @@ struct sha256_state_st { // SHA384_DIGEST_LENGTH is the length of a SHA-384 digest. #define SHA384_DIGEST_LENGTH 48 -// SHA384_Init initialises |sha| and returns 1. +// SHA384_Init initialises `sha` and returns 1. OPENSSL_EXPORT int SHA384_Init(SHA512_CTX *sha); -// SHA384_Update adds |len| bytes from |data| to |sha| and returns 1. +// SHA384_Update adds `len` bytes from `data` to `sha` and returns 1. OPENSSL_EXPORT int SHA384_Update(SHA512_CTX *sha, const void *data, size_t len); -// SHA384_Final adds the final padding to |sha| and writes the resulting digest -// to |out|, which must have at least |SHA384_DIGEST_LENGTH| bytes of space. It +// SHA384_Final adds the final padding to `sha` and writes the resulting digest +// to `out`, which must have at least `SHA384_DIGEST_LENGTH` bytes of space. It // returns one on success and zero on programmer error. OPENSSL_EXPORT int SHA384_Final(uint8_t out[SHA384_DIGEST_LENGTH], SHA512_CTX *sha); -// SHA384 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |SHA384_DIGEST_LENGTH| bytes of space in -// |out|. +// SHA384 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `SHA384_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *SHA384(const uint8_t *data, size_t len, uint8_t out[SHA384_DIGEST_LENGTH]); 
@@ -135,27 +135,27 @@ OPENSSL_EXPORT uint8_t *SHA384(const uint8_t *data, size_t len, // SHA512_DIGEST_LENGTH is the length of a SHA-512 digest. #define SHA512_DIGEST_LENGTH 64 -// SHA512_Init initialises |sha| and returns 1. +// SHA512_Init initialises `sha` and returns 1. OPENSSL_EXPORT int SHA512_Init(SHA512_CTX *sha); -// SHA512_Update adds |len| bytes from |data| to |sha| and returns 1. +// SHA512_Update adds `len` bytes from `data` to `sha` and returns 1. OPENSSL_EXPORT int SHA512_Update(SHA512_CTX *sha, const void *data, size_t len); -// SHA512_Final adds the final padding to |sha| and writes the resulting digest -// to |out|, which must have at least |SHA512_DIGEST_LENGTH| bytes of space. It +// SHA512_Final adds the final padding to `sha` and writes the resulting digest +// to `out`, which must have at least `SHA512_DIGEST_LENGTH` bytes of space. It // returns one on success and zero on programmer error. OPENSSL_EXPORT int SHA512_Final(uint8_t out[SHA512_DIGEST_LENGTH], SHA512_CTX *sha); -// SHA512 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |SHA512_DIGEST_LENGTH| bytes of space in -// |out|. +// SHA512 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `SHA512_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *SHA512(const uint8_t *data, size_t len, uint8_t out[SHA512_DIGEST_LENGTH]); // SHA512_Transform is a low-level function that performs a single, SHA-512 -// block transformation using the state from |sha| and |SHA512_CBLOCK| bytes -// from |block|. +// block transformation using the state from `sha` and `SHA512_CBLOCK` bytes +// from `block`. OPENSSL_EXPORT void SHA512_Transform(SHA512_CTX *sha, const uint8_t block[SHA512_CBLOCK]); 
@@ -174,22 +174,22 @@ struct sha512_state_st { #define SHA512_256_DIGEST_LENGTH 32 -// SHA512_256_Init initialises |sha| and returns 1. +// SHA512_256_Init initialises `sha` and returns 1. OPENSSL_EXPORT int SHA512_256_Init(SHA512_CTX *sha); -// SHA512_256_Update adds |len| bytes from |data| to |sha| and returns 1. +// SHA512_256_Update adds `len` bytes from `data` to `sha` and returns 1. OPENSSL_EXPORT int SHA512_256_Update(SHA512_CTX *sha, const void *data, size_t len); -// SHA512_256_Final adds the final padding to |sha| and writes the resulting -// digest to |out|, which must have at least |SHA512_256_DIGEST_LENGTH| bytes of +// SHA512_256_Final adds the final padding to `sha` and writes the resulting +// digest to `out`, which must have at least `SHA512_256_DIGEST_LENGTH` bytes of // space. It returns one on success and zero on programmer error. OPENSSL_EXPORT int SHA512_256_Final(uint8_t out[SHA512_256_DIGEST_LENGTH], SHA512_CTX *sha); -// SHA512_256 writes the digest of |len| bytes from |data| to |out| and returns -// |out|. There must be at least |SHA512_256_DIGEST_LENGTH| bytes of space in -// |out|. +// SHA512_256 writes the digest of `len` bytes from `data` to `out` and returns +// `out`. There must be at least `SHA512_256_DIGEST_LENGTH` bytes of space in +// `out`. OPENSSL_EXPORT uint8_t *SHA512_256(const uint8_t *data, size_t len, uint8_t out[SHA512_256_DIGEST_LENGTH]); diff --git a/third_party/boringssl/src/include/openssl/slhdsa.h b/third_party/boringssl/src/include/openssl/slhdsa.h index c9cda0c9..9a535ba7 100644 --- a/third_party/boringssl/src/include/openssl/slhdsa.h +++ b/third_party/boringssl/src/include/openssl/slhdsa.h 
@@ -50,37 +50,37 @@ extern "C" { #define SLHDSA_SHAKE_256F_SIGNATURE_BYTES 49856 // SLHDSA_SHA2_128S_generate_key generates a SLH-DSA-SHA2-128s key pair and -// writes the result to |out_public_key| and |out_private_key|. +// writes the result to `out_public_key` and `out_private_key`. OPENSSL_EXPORT void SLHDSA_SHA2_128S_generate_key( uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], uint8_t out_private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]); // SLHDSA_SHAKE_256F_generate_key generates a SLH-DSA-SHAKE-256f key pair and -// writes the result to |out_public_key| and |out_private_key|. +// writes the result to `out_public_key` and `out_private_key`. OPENSSL_EXPORT void SLHDSA_SHAKE_256F_generate_key( uint8_t out_public_key[SLHDSA_SHAKE_256F_PUBLIC_KEY_BYTES], uint8_t out_private_key[SLHDSA_SHAKE_256F_PRIVATE_KEY_BYTES]); // SLHDSA_SHA2_128S_public_from_private writes the public key corresponding to -// |private_key| to |out_public_key|. +// `private_key` to `out_public_key`. OPENSSL_EXPORT void SLHDSA_SHA2_128S_public_from_private( uint8_t out_public_key[SLHDSA_SHA2_128S_PUBLIC_KEY_BYTES], const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES]); // SLHDSA_SHAKE_256F_public_from_private writes the public key corresponding to -// |private_key| to |out_public_key|. +// `private_key` to `out_public_key`. OPENSSL_EXPORT void SLHDSA_SHAKE_256F_public_from_private( uint8_t out_public_key[SLHDSA_SHAKE_256F_PUBLIC_KEY_BYTES], const uint8_t private_key[SLHDSA_SHAKE_256F_PRIVATE_KEY_BYTES]); -// SLHDSA_SHA2_128S_sign slowly generates a SLH-DSA-SHA2-128s signature of |msg| -// using |private_key| and writes it to |out_signature|. The |context| argument +// SLHDSA_SHA2_128S_sign slowly generates a SLH-DSA-SHA2-128s signature of `msg` +// using `private_key` and writes it to `out_signature`. The `context` argument // is also signed over and can be used to include implicit contextual -// information that isn't included in |msg|. 
The same value of |context| must be -// presented to |SLHDSA_SHA2_128S_verify| in order for the generated signature -// to be considered valid. |context| and |context_len| may be |NULL| and 0 to +// information that isn't included in `msg`. The same value of `context` must be +// presented to `SLHDSA_SHA2_128S_verify` in order for the generated signature +// to be considered valid. `context` and `context_len` may be `NULL` and 0 to // use an empty context (this is common). It returns 1 on success and 0 if -// |context_len| is larger than 255. +// `context_len` is larger than 255. OPENSSL_EXPORT int SLHDSA_SHA2_128S_sign( uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES], const uint8_t private_key[SLHDSA_SHA2_128S_PRIVATE_KEY_BYTES], 
@@ -88,22 +88,22 @@ OPENSSL_EXPORT int SLHDSA_SHA2_128S_sign( size_t context_len); // SLHDSA_SHAKE_256F_sign slowly generates a SLH-DSA-SHAKE-256f signature of -// |msg| using |private_key| and writes it to |out_signature|. The |context| +// `msg` using `private_key` and writes it to `out_signature`. The `context` // argument is also signed over and can be used to include implicit contextual -// information that isn't included in |msg|. The same value of |context| must be -// presented to |SLHDSA_SHAKE_256F_verify| in order for the generated signature -// to be considered valid. |context| and |context_len| may be |NULL| and 0 to +// information that isn't included in `msg`. The same value of `context` must be +// presented to `SLHDSA_SHAKE_256F_verify` in order for the generated signature +// to be considered valid. `context` and `context_len` may be `NULL` and 0 to // use an empty context (this is common). It returns 1 on success and 0 if -// |context_len| is larger than 255. +// `context_len` is larger than 255. OPENSSL_EXPORT int SLHDSA_SHAKE_256F_sign( uint8_t out_signature[SLHDSA_SHAKE_256F_SIGNATURE_BYTES], const uint8_t private_key[SLHDSA_SHAKE_256F_PRIVATE_KEY_BYTES], const uint8_t *msg, size_t msg_len, const uint8_t *context, size_t context_len); -// SLHDSA_SHA2_128S_verify verifies that |signature| is a valid -// SLH-DSA-SHA2-128s signature of |msg| by |public_key|. The value of |context| -// must equal the value that was passed to |SLHDSA_SHA2_128S_sign| when the +// SLHDSA_SHA2_128S_verify verifies that `signature` is a valid +// SLH-DSA-SHA2-128s signature of `msg` by `public_key`. The value of `context` +// must equal the value that was passed to `SLHDSA_SHA2_128S_sign` when the // signature was generated. It returns 1 if the signature is valid and 0 // otherwise. OPENSSL_EXPORT int SLHDSA_SHA2_128S_verify( 
@@ -112,9 +112,9 @@ OPENSSL_EXPORT int SLHDSA_SHA2_128S_verify( const uint8_t *msg, size_t msg_len, const uint8_t *context, size_t context_len); -// SLHDSA_SHAKE_256F_verify verifies that |signature| is a valid -// SLH-DSA-SHAKE-256f signature of |msg| by |public_key|. The value of |context| -// must equal the value that was passed to |SLHDSA_SHAKE_256F_sign| when the +// SLHDSA_SHAKE_256F_verify verifies that `signature` is a valid +// SLH-DSA-SHAKE-256f signature of `msg` by `public_key`. The value of `context` +// must equal the value that was passed to `SLHDSA_SHAKE_256F_sign` when the // signature was generated. It returns 1 if the signature is valid and 0 // otherwise. OPENSSL_EXPORT int SLHDSA_SHAKE_256F_verify( 
@@ -137,20 +137,20 @@ OPENSSL_EXPORT int SLHDSA_SHAKE_256F_verify( // and there's no other way to prevent ambiguity. // SLHDSA_SHA2_128S_prehash_sign slowly generates a SLH-DSA-SHA2-128s signature -// of the prehashed |hashed_msg| using |private_key| and writes it to -// |out_signature|. The |context| argument is also signed over and can be used +// of the prehashed `hashed_msg` using `private_key` and writes it to +// `out_signature`. The `context` argument is also signed over and can be used // to include implicit contextual information that isn't included in -// |hashed_msg|. The same value of |context| must be presented to -// |SLHDSA_SHA2_128S_prehash_verify| in order for the generated signature to be -// considered valid. |context| and |context_len| may be |NULL| and 0 to use an +// `hashed_msg`. The same value of `context` must be presented to +// `SLHDSA_SHA2_128S_prehash_verify` in order for the generated signature to be +// considered valid. `context` and `context_len` may be `NULL` and 0 to use an // empty context (this is common). // -// The |hash_nid| argument must specify the hash function that was used to -// generate |hashed_msg|. This function only accepts hash functions listed in +// The `hash_nid` argument must specify the hash function that was used to +// generate `hashed_msg`. This function only accepts hash functions listed in // FIPS 205. // -// This function returns 1 on success and 0 if |context_len| is larger than 255, -// if the hash function is not supported, or if |hashed_msg| is the wrong +// This function returns 1 on success and 0 if `context_len` is larger than 255, +// if the hash function is not supported, or if `hashed_msg` is the wrong // length. OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_sign( uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES], 
@@ -158,18 +158,18 @@ OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_sign( const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid, const uint8_t *context, size_t context_len); -// SLHDSA_SHA2_128S_prehash_verify verifies that |signature| is a valid -// SLH-DSA-SHA2-128s signature of the prehashed |hashed_msg| by |public_key|, -// using the hash algorithm identified by |hash_nid|. The value of |context| -// must equal the value that was passed to |SLHDSA_SHA2_128S_prehash_sign| when +// SLHDSA_SHA2_128S_prehash_verify verifies that `signature` is a valid +// SLH-DSA-SHA2-128s signature of the prehashed `hashed_msg` by `public_key`, +// using the hash algorithm identified by `hash_nid`. The value of `context` +// must equal the value that was passed to `SLHDSA_SHA2_128S_prehash_sign` when // the signature was generated. // -// The |hash_nid| argument must specify the hash function that was used to -// generate |hashed_msg|. This function only accepts hash functions that are +// The `hash_nid` argument must specify the hash function that was used to +// generate `hashed_msg`. This function only accepts hash functions that are // listed in FIPS 205. // // This function returns 1 if the signature is valid and 0 if the signature is -// invalid, the hash function is not supported, or if |hashed_msg| is the wrong +// invalid, the hash function is not supported, or if `hashed_msg` is the wrong // length. OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_verify( const uint8_t *signature, size_t signature_len, 
@@ -178,20 +178,20 @@ OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_verify( const uint8_t *context, size_t context_len); // SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign slowly generates a -// SLH-DSA-SHA2-128s signature of the prehashed |hashed_msg| using |private_key| -// and writes it to |out_signature|. The |context| argument is also signed over +// SLH-DSA-SHA2-128s signature of the prehashed `hashed_msg` using `private_key` +// and writes it to `out_signature`. The `context` argument is also signed over // and can be used to include implicit contextual information that isn't -// included in |hashed_msg|. The same value of |context| must be presented to -// |SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify| in order for the -// generated signature to be considered valid. |context| and |context_len| may -// be |NULL| and 0 to use an empty context (this is common). +// included in `hashed_msg`. The same value of `context` must be presented to +// `SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify` in order for the +// generated signature to be considered valid. `context` and `context_len` may +// be `NULL` and 0 to use an empty context (this is common). // -// The |hash_nid| argument must specify the hash function that was used to -// generate |hashed_msg|. This function only accepts non-standard hash functions +// The `hash_nid` argument must specify the hash function that was used to +// generate `hashed_msg`. This function only accepts non-standard hash functions // that are not compliant with FIPS 205. // -// This function returns 1 on success and 0 if |context_len| is larger than 255, -// if the hash function is not supported, or if |hashed_msg| is the wrong +// This function returns 1 on success and 0 if `context_len` is larger than 255, +// if the hash function is not supported, or if `hashed_msg` is the wrong // length. OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign( uint8_t out_signature[SLHDSA_SHA2_128S_SIGNATURE_BYTES], 
@@ -199,18 +199,18 @@ OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_warning_nonstandard_sign( const uint8_t *hashed_msg, size_t hashed_msg_len, int hash_nid, const uint8_t *context, size_t context_len); -// SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify verifies that |signature| -// is a valid SLH-DSA-SHA2-128s signature of the prehashed |hashed_msg| by -// |public_key|, using the hash algorithm identified by |hash_nid|. The value of -// |context| must equal the value that was passed to -// |SLHDSA_SHA2_128S_prehash_sign| when the signature was generated. +// SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify verifies that `signature` +// is a valid SLH-DSA-SHA2-128s signature of the prehashed `hashed_msg` by +// `public_key`, using the hash algorithm identified by `hash_nid`. The value of +// `context` must equal the value that was passed to +// `SLHDSA_SHA2_128S_prehash_sign` when the signature was generated. // -// The |hash_nid| argument must specify the hash function that was used to -// generate |hashed_msg|. This function only accepts non-standard hash functions +// The `hash_nid` argument must specify the hash function that was used to +// generate `hashed_msg`. This function only accepts non-standard hash functions // that are not compliant with FIPS 205. // // This function returns 1 if the signature is valid and 0 if the signature is -// invalid, the hash function is not supported, or if |hashed_msg| is the wrong +// invalid, the hash function is not supported, or if `hashed_msg` is the wrong // length. OPENSSL_EXPORT int SLHDSA_SHA2_128S_prehash_warning_nonstandard_verify( const uint8_t *signature, size_t signature_len, diff --git a/third_party/boringssl/src/include/openssl/span.h b/third_party/boringssl/src/include/openssl/span.h index eb05f135..5f205b6a 100644 --- a/third_party/boringssl/src/include/openssl/span.h +++ b/third_party/boringssl/src/include/openssl/span.h 
@@ -113,12 +113,12 @@ struct AllowRedeclaringConstructor {}; } // namespace internal // A Span is a non-owning reference to a contiguous array of objects of type -// |T|. Conceptually, a Span is a simple a pointer to |T| and a count of +// `T`. Conceptually, a Span is a simple a pointer to `T` and a count of // elements accessible via that pointer. The elements referenced by the Span can -// be mutated if |T| is mutable. +// be mutated if `T` is mutable. // -// A Span can be constructed from container types implementing |data()| and -// |size()| methods. If |T| is constant, construction from a container type is +// A Span can be constructed from container types implementing `data()` and +// `size()` methods. If `T` is constant, construction from a container type is // implicit. This allows writing methods that accept data from some unspecified // container type: // @@ -255,7 +255,7 @@ class Span : public internal::SpanStorage { public: // NOTE: This method may abort() at runtime if pos or len are out of range. - // NOTE: As opposed to std::span, the |dynamic_extent| value of |len| is not + // NOTE: As opposed to std::span, the `dynamic_extent` value of `len` is not // magical here. This gets rid of a lot of runtime checks. constexpr Span subspan(size_t pos, size_t len) const { // absl::Span throws an exception here. Note std::span and Chromium diff --git a/third_party/boringssl/src/include/openssl/stack.h b/third_party/boringssl/src/include/openssl/stack.h index c88f6b37..18824d1d 100644 --- a/third_party/boringssl/src/include/openssl/stack.h +++ b/third_party/boringssl/src/include/openssl/stack.h 
@@ -26,56 +26,56 @@ extern "C" { // used collection object. // // This file defines macros for type-safe use of the stack functions. A stack -// type is named like |STACK_OF(FOO)| and is accessed with functions named -// like |sk_FOO_*|. Note the stack will typically contain /pointers/ to |FOO|. +// type is named like `STACK_OF(FOO)` and is accessed with functions named +// like `sk_FOO_*`. Note the stack will typically contain /pointers/ to `FOO`. // -// The |DECLARE_STACK_OF| macro makes |STACK_OF(FOO)| available, and -// |DEFINE_STACK_OF| makes the corresponding functions available. +// The `DECLARE_STACK_OF` macro makes `STACK_OF(FOO)` available, and +// `DEFINE_STACK_OF` makes the corresponding functions available. // Defining stacks. -// STACK_OF expands to the stack type for |type|. +// STACK_OF expands to the stack type for `type`. #define STACK_OF(type) struct stack_st_##type -// DECLARE_STACK_OF declares the |STACK_OF(type)| type. It does not make the -// corresponding |sk_type_*| functions available. This macro should be used in +// DECLARE_STACK_OF declares the `STACK_OF(type)` type. It does not make the +// corresponding `sk_type_*` functions available. This macro should be used in // files which only need the type. #define DECLARE_STACK_OF(type) STACK_OF(type); -// DEFINE_NAMED_STACK_OF defines |STACK_OF(name)| to be a stack whose elements -// are |type| *. This macro makes the |sk_name_*| functions available. +// DEFINE_NAMED_STACK_OF defines `STACK_OF(name)` to be a stack whose elements +// are `type` *. This macro makes the `sk_name_*` functions available. // -// It is not necessary to use |DECLARE_STACK_OF| in files which use this macro. +// It is not necessary to use `DECLARE_STACK_OF` in files which use this macro. // // Must be used from the global namespace. 
#define DEFINE_NAMED_STACK_OF(name, type) \ BORINGSSL_DEFINE_STACK_OF_IMPL(name, type *, const type *) \ BORINGSSL_DEFINE_STACK_TRAITS(name, type, false) -// DEFINE_STACK_OF defines |STACK_OF(type)| to be a stack whose elements are -// |type| *. This macro makes the |sk_type_*| functions available. +// DEFINE_STACK_OF defines `STACK_OF(type)` to be a stack whose elements are +// `type` *. This macro makes the `sk_type_*` functions available. // -// It is not necessary to use |DECLARE_STACK_OF| in files which use this macro. +// It is not necessary to use `DECLARE_STACK_OF` in files which use this macro. // // Must be used from the global namespace. #define DEFINE_STACK_OF(type) DEFINE_NAMED_STACK_OF(type, type) -// DEFINE_CONST_STACK_OF defines |STACK_OF(type)| to be a stack whose elements -// are const |type| *. This macro makes the |sk_type_*| functions available. +// DEFINE_CONST_STACK_OF defines `STACK_OF(type)` to be a stack whose elements +// are const `type` *. This macro makes the `sk_type_*` functions available. // -// It is not necessary to use |DECLARE_STACK_OF| in files which use this macro. +// It is not necessary to use `DECLARE_STACK_OF` in files which use this macro. // // Must be used from the global namespace. #define DEFINE_CONST_STACK_OF(type) \ BORINGSSL_DEFINE_STACK_OF_IMPL(type, const type *, const type *) \ BORINGSSL_DEFINE_STACK_TRAITS(type, const type, true) -// DEFINE_NAMESPACED_STACK_OF is same as |DEFINE_STACK_OF| but to be used for +// DEFINE_NAMESPACED_STACK_OF is same as `DEFINE_STACK_OF` but to be used for // internal stacks from within the bssl namespace. // -// Such stacks then can only be accessed using |STACK_OF| if in the |bssl| -// namespace or if the |bssl| namespace has been imported with a +// Such stacks then can only be accessed using `STACK_OF` if in the `bssl` +// namespace or if the `bssl` namespace has been imported with a // using-directive. 
#define DEFINE_NAMESPACED_STACK_OF(type) \ BORINGSSL_DEFINE_STACK_OF_IMPL(type, type *, const type *) \ @@ -86,7 +86,7 @@ extern "C" { // Using stacks. // -// After the |DEFINE_STACK_OF| macro is used, the following functions are +// After the `DEFINE_STACK_OF` macro is used, the following functions are // available. #if 0 // Sample @@ -98,11 +98,11 @@ typedef void (*sk_SAMPLE_free_func)(SAMPLE *); // return the copy or NULL on error. typedef SAMPLE *(*sk_SAMPLE_copy_func)(const SAMPLE *); -// sk_SAMPLE_cmp_func is a callback to compare |*a| to |*b|. It should return a -// value < 0, 0, or > 0 if |*a| is less than, equal to, or greater than |*b|, +// sk_SAMPLE_cmp_func is a callback to compare `*a` to `*b`. It should return a +// value < 0, 0, or > 0 if `*a` is less than, equal to, or greater than `*b`, // respectively. Note the extra indirection - the function is given a pointer -// to a pointer to the element. This is the |qsort|/|bsearch| comparison -// function applied to an array of |SAMPLE*|. +// to a pointer to the element. This is the `qsort`/`bsearch` comparison +// function applied to an array of `SAMPLE*`. typedef int (*sk_SAMPLE_cmp_func)(const SAMPLE *const *a, const SAMPLE *const *b); 
@@ -114,113 +114,113 @@ STACK_OF(SAMPLE) *sk_SAMPLE_new(sk_SAMPLE_cmp_func comp); // NULL on allocation failure. STACK_OF(SAMPLE) *sk_SAMPLE_new_null(void); -// sk_SAMPLE_num returns the number of elements in |sk|. It is safe to cast this -// value to |int|. |sk| is guaranteed to have at most |INT_MAX| elements. If -// |sk| is NULL, it is treated as the empty list and this function returns zero. +// sk_SAMPLE_num returns the number of elements in `sk`. It is safe to cast this +// value to `int`. `sk` is guaranteed to have at most `INT_MAX` elements. If +// `sk` is NULL, it is treated as the empty list and this function returns zero. size_t sk_SAMPLE_num(const STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_zero resets |sk| to the empty state but does nothing to free the +// sk_SAMPLE_zero resets `sk` to the empty state but does nothing to free the // individual elements themselves. void sk_SAMPLE_zero(STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_value returns the |i|th pointer in |sk|, or NULL if |i| is out of -// range. If |sk| is NULL, it is treated as an empty list and the function +// sk_SAMPLE_value returns the `i`th pointer in `sk`, or NULL if `i` is out of +// range. If `sk` is NULL, it is treated as an empty list and the function // returns NULL. SAMPLE *sk_SAMPLE_value(const STACK_OF(SAMPLE) *sk, size_t i); -// sk_SAMPLE_set sets the |i|th pointer in |sk| to |p| and returns |p|. If |i| +// sk_SAMPLE_set sets the `i`th pointer in `sk` to `p` and returns `p`. If `i` // is out of range, it returns NULL. SAMPLE *sk_SAMPLE_set(STACK_OF(SAMPLE) *sk, size_t i, SAMPLE *p); -// sk_SAMPLE_free frees |sk|, but does nothing to free the individual elements. -// Use |sk_SAMPLE_pop_free| to also free the elements. +// sk_SAMPLE_free frees `sk`, but does nothing to free the individual elements. +// Use `sk_SAMPLE_pop_free` to also free the elements. 
void sk_SAMPLE_free(STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_pop_free calls |free_func| on each element in |sk| and then +// sk_SAMPLE_pop_free calls `free_func` on each element in `sk` and then // frees the stack itself. void sk_SAMPLE_pop_free(STACK_OF(SAMPLE) *sk, sk_SAMPLE_free_func free_func); -// sk_SAMPLE_insert inserts |p| into the stack at index |where|, moving existing +// sk_SAMPLE_insert inserts `p` into the stack at index `where`, moving existing // elements if needed. It returns the length of the new stack, or zero on // error. size_t sk_SAMPLE_insert(STACK_OF(SAMPLE) *sk, SAMPLE *p, size_t where); -// sk_SAMPLE_delete removes the pointer at index |where|, moving other elements -// down if needed. It returns the removed pointer, or NULL if |where| is out of +// sk_SAMPLE_delete removes the pointer at index `where`, moving other elements +// down if needed. It returns the removed pointer, or NULL if `where` is out of // range. SAMPLE *sk_SAMPLE_delete(STACK_OF(SAMPLE) *sk, size_t where); -// sk_SAMPLE_delete_ptr removes, at most, one instance of |p| from |sk| based on -// pointer equality. If an instance of |p| is found then |p| is returned, +// sk_SAMPLE_delete_ptr removes, at most, one instance of `p` from `sk` based on +// pointer equality. If an instance of `p` is found then `p` is returned, // otherwise it returns NULL. SAMPLE *sk_SAMPLE_delete_ptr(STACK_OF(SAMPLE) *sk, const SAMPLE *p); -// sk_SAMPLE_delete_if_func is the callback function for |sk_SAMPLE_delete_if|. -// It should return one to remove |p| and zero to keep it. +// sk_SAMPLE_delete_if_func is the callback function for `sk_SAMPLE_delete_if`. +// It should return one to remove `p` and zero to keep it. typedef int (*sk_SAMPLE_delete_if_func)(SAMPLE *p, void *data); -// sk_SAMPLE_delete_if calls |func| with each element of |sk| and removes the -// entries where |func| returned one. 
This function does not free or return -// removed pointers so, if |sk| owns its contents, |func| should release the +// sk_SAMPLE_delete_if calls `func` with each element of `sk` and removes the +// entries where `func` returned one. This function does not free or return +// removed pointers so, if `sk` owns its contents, `func` should release the // pointers prior to returning one. void sk_SAMPLE_delete_if(STACK_OF(SAMPLE) *sk, sk_SAMPLE_delete_if_func func, void *data); -// sk_SAMPLE_find find the first value in |sk| equal to |p|. |sk|'s comparison -// function determines equality, or pointer equality if |sk| has no comparison +// sk_SAMPLE_find find the first value in `sk` equal to `p`. `sk`'s comparison +// function determines equality, or pointer equality if `sk` has no comparison // function. // -// If the stack is sorted (see |sk_SAMPLE_sort|), this function uses a binary +// If the stack is sorted (see `sk_SAMPLE_sort`), this function uses a binary // search. Otherwise it performs a linear search. If it finds a matching -// element, it writes the index to |*out_index| (if |out_index| is not NULL) and -// returns one. Otherwise, it returns zero. If |sk| is NULL, it is treated as +// element, it writes the index to `*out_index` (if `out_index` is not NULL) and +// returns one. Otherwise, it returns zero. If `sk` is NULL, it is treated as // the empty list and the function returns zero. // // Note this differs from OpenSSL. The type signature is slightly different, and -// OpenSSL's version will implicitly sort |sk| if it has a comparison function +// OpenSSL's version will implicitly sort `sk` if it has a comparison function // defined. int sk_SAMPLE_find(const STACK_OF(SAMPLE) *sk, size_t *out_index, const SAMPLE *p); -// sk_SAMPLE_shift removes and returns the first element in |sk|, or NULL if -// |sk| is empty. +// sk_SAMPLE_shift removes and returns the first element in `sk`, or NULL if +// `sk` is empty. 
SAMPLE *sk_SAMPLE_shift(STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_push appends |p| to |sk| and returns the length of the new stack, +// sk_SAMPLE_push appends `p` to `sk` and returns the length of the new stack, // or 0 on allocation failure. size_t sk_SAMPLE_push(STACK_OF(SAMPLE) *sk, SAMPLE *p); -// sk_SAMPLE_pop removes and returns the last element of |sk|, or NULL if |sk| +// sk_SAMPLE_pop removes and returns the last element of `sk`, or NULL if `sk` // is empty. SAMPLE *sk_SAMPLE_pop(STACK_OF(SAMPLE) *sk); // sk_SAMPLE_dup performs a shallow copy of a stack and returns the new stack, -// or NULL on error. Use |sk_SAMPLE_deep_copy| to also copy the elements. +// or NULL on error. Use `sk_SAMPLE_deep_copy` to also copy the elements. STACK_OF(SAMPLE) *sk_SAMPLE_dup(const STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_sort sorts the elements of |sk| into ascending order based on the +// sk_SAMPLE_sort sorts the elements of `sk` into ascending order based on the // comparison function. The stack maintains a "sorted" flag and sorting an // already sorted stack is a no-op. void sk_SAMPLE_sort(STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_sort_and_dedup sorts the elements of |sk| based on the comparison -// function and removes duplicates. If |free_func| is not NULL, it is called on +// sk_SAMPLE_sort_and_dedup sorts the elements of `sk` based on the comparison +// function and removes duplicates. If `free_func` is not NULL, it is called on // every removed element. void sk_SAMPLE_sort_and_dedup(STACK_OF(SAMPLE) *sk, sk_SAMPLE_free_func free_func); -// sk_SAMPLE_is_sorted returns one if |sk| is known to be sorted and zero +// sk_SAMPLE_is_sorted returns one if `sk` is known to be sorted and zero // otherwise. int sk_SAMPLE_is_sorted(const STACK_OF(SAMPLE) *sk); -// sk_SAMPLE_set_cmp_func sets the comparison function to be used by |sk| and +// sk_SAMPLE_set_cmp_func sets the comparison function to be used by `sk` and // returns the previous one. 
sk_SAMPLE_cmp_func sk_SAMPLE_set_cmp_func(STACK_OF(SAMPLE) *sk, sk_SAMPLE_cmp_func comp); -// sk_SAMPLE_deep_copy performs a copy of |sk| and of each of the non-NULL -// elements in |sk| by using |copy_func|. If an error occurs, it calls -// |free_func| to free any copies already made and returns NULL. +// sk_SAMPLE_deep_copy performs a copy of `sk` and of each of the non-NULL +// elements in `sk` by using `copy_func`. If an error occurs, it calls +// `free_func` to free any copies already made and returns NULL. STACK_OF(SAMPLE) *sk_SAMPLE_deep_copy(const STACK_OF(SAMPLE) *sk, sk_SAMPLE_copy_func copy_func, sk_SAMPLE_free_func free_func); 
@@ -230,34 +230,34 @@ STACK_OF(SAMPLE) *sk_SAMPLE_deep_copy(const STACK_OF(SAMPLE) *sk, // Private functions. // -// The |sk_*| functions generated above are implemented internally using the +// The `sk_*` functions generated above are implemented internally using the // type-erased functions below. Callers should use the typed wrappers instead. // When using the type-erased functions, callers are responsible for ensuring // the underlying types are correct. Casting pointers to the wrong types will // result in memory errors. // OPENSSL_sk_free_func is a function that frees an element in a stack. Note its -// actual type is void (*)(T *) for some T. Low-level |sk_*| functions will be +// actual type is void (*)(T *) for some T. Low-level `sk_*` functions will be // passed a type-specific wrapper to call it correctly. typedef void (*OPENSSL_sk_free_func)(void *ptr); // OPENSSL_sk_copy_func is a function that copies an element in a stack. Note -// its actual type is T *(*)(const T *) for some T. Low-level |sk_*| functions +// its actual type is T *(*)(const T *) for some T. Low-level `sk_*` functions // will be passed a type-specific wrapper to call it correctly. typedef void *(*OPENSSL_sk_copy_func)(const void *ptr); // OPENSSL_sk_cmp_func is a comparison function that returns a value < 0, 0 or > -// 0 if |*a| is less than, equal to or greater than |*b|, respectively. Note +// 0 if `*a` is less than, equal to or greater than `*b`, respectively. Note // the extra indirection - the function is given a pointer to a pointer to the // element. This differs from the usual qsort/bsearch comparison function. // -// Note its actual type is |int (*)(const T *const *a, const T *const *b)|. -// Low-level |sk_*| functions will be passed a type-specific wrapper to call it +// Note its actual type is `int (*)(const T *const *a, const T *const *b)`. +// Low-level `sk_*` functions will be passed a type-specific wrapper to call it // correctly. 
typedef int (*OPENSSL_sk_cmp_func)(const void *const *a, const void *const *b); // OPENSSL_sk_delete_if_func is the generic version of -// |sk_SAMPLE_delete_if_func|. +// `sk_SAMPLE_delete_if_func`. typedef int (*OPENSSL_sk_delete_if_func)(void *obj, void *data); // The following function types call the above type-erased signatures with the @@ -274,7 +274,7 @@ typedef int (*OPENSSL_sk_call_delete_if_func)(OPENSSL_sk_delete_if_func, void *, typedef struct stack_st OPENSSL_STACK; // The following are raw stack functions. They implement the corresponding typed -// |sk_SAMPLE_*| functions generated by |DEFINE_STACK_OF|. Callers shouldn't be +// `sk_SAMPLE_*` functions generated by `DEFINE_STACK_OF`. Callers shouldn't be // using them. Rather, callers should use the typed functions. OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new(OPENSSL_sk_cmp_func comp); OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_new_null(void); @@ -324,7 +324,7 @@ OPENSSL_EXPORT OPENSSL_STACK *OPENSSL_sk_deep_copy( typedef OPENSSL_STACK _STACK; -// The following functions call the corresponding |OPENSSL_sk_*| function. +// The following functions call the corresponding `OPENSSL_sk_*` function. OPENSSL_EXPORT OPENSSL_DEPRECATED OPENSSL_STACK *sk_new_null(void); OPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_num(const OPENSSL_STACK *sk); OPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_value(const OPENSSL_STACK *sk, 
@@ -333,16 +333,16 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_free(OPENSSL_STACK *sk); OPENSSL_EXPORT OPENSSL_DEPRECATED size_t sk_push(OPENSSL_STACK *sk, void *p); OPENSSL_EXPORT OPENSSL_DEPRECATED void *sk_pop(OPENSSL_STACK *sk); -// sk_pop_free_ex calls |OPENSSL_sk_pop_free_ex|. +// sk_pop_free_ex calls `OPENSSL_sk_pop_free_ex`. // // TODO(b/291994116): Remove this. OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free_ex( OPENSSL_STACK *sk, OPENSSL_sk_call_free_func call_free_func, OPENSSL_sk_free_func free_func); -// sk_pop_free behaves like |OPENSSL_sk_pop_free_ex| but performs an invalid +// sk_pop_free behaves like `OPENSSL_sk_pop_free_ex` but performs an invalid // function pointer cast. It exists because some existing callers called -// |sk_pop_free| directly. +// `sk_pop_free` directly. // // TODO(davidben): Migrate callers to bssl::UniquePtr and remove this. OPENSSL_EXPORT OPENSSL_DEPRECATED void sk_pop_free( @@ -381,9 +381,9 @@ BSSL_NAMESPACE_END /* We disable MSVC C4191 in this macro, which warns when pointers are cast \ * to the wrong type. While the cast itself is valid, it is often a bug \ * because calling it through the cast is UB. However, we never actually \ - * call functions as |OPENSSL_sk_cmp_func|. The type is just a type-erased \ + * call functions as `OPENSSL_sk_cmp_func`. The type is just a type-erased \ * function pointer. (C does not guarantee function pointers fit in \ - * |void*|, and GCC will warn on this.) Thus we just disable the false \ + * `void*`, and GCC will warn on this.) Thus we just disable the false \ * positive warning. */ \ OPENSSL_MSVC_PRAGMA(warning(push)) \ OPENSSL_MSVC_PRAGMA(warning(disable : 4191)) \ 
@@ -419,7 +419,7 @@ BSSL_NAMESPACE_END const void *a, const void *b) { \ constptrtype a_ptr = (constptrtype)a; \ constptrtype b_ptr = (constptrtype)b; \ - /* |cmp_func| expects an extra layer of pointers to match qsort. */ \ + /* `cmp_func` expects an extra layer of pointers to match qsort. */ \ return ((sk_##name##_cmp_func)cmp_func)(&a_ptr, &b_ptr); \ } \ \ @@ -564,7 +564,7 @@ BSSL_NAMESPACE_BEGIN namespace internal { -// Stacks defined with |DEFINE_CONST_STACK_OF| are freed with |sk_free|. +// Stacks defined with `DEFINE_CONST_STACK_OF` are freed with `sk_free`. template struct DeleterImpl::kIsConst>> { static void Free(Stack *sk) { @@ -572,7 +572,7 @@ struct DeleterImpl::kIsConst>> { } }; -// Stacks defined with |DEFINE_STACK_OF| are freed with |sk_pop_free| and the +// Stacks defined with `DEFINE_STACK_OF` are freed with `sk_pop_free` and the // corresponding type's deleter. template struct DeleterImpl::kIsConst>> { @@ -631,7 +631,7 @@ using StackIterator = } // namespace internal -// PushToStack pushes |elem| to |sk|. It returns true on success and false on +// PushToStack pushes `elem` to `sk`. It returns true on success and false on // allocation failure. template inline std::enable_if_t::kIsConst, bool> diff --git a/third_party/boringssl/src/include/openssl/target.h b/third_party/boringssl/src/include/openssl/target.h index 2c03389c..2372a055 100644 --- a/third_party/boringssl/src/include/openssl/target.h +++ b/third_party/boringssl/src/include/openssl/target.h @@ -105,6 +105,11 @@ #define OPENSSL_FUCHSIA #endif +// See go/boringssl-on-pythia. +#if defined(__pythia__) +#define OPENSSL_PYTHIA +#endif + // Trusty is Android's TEE target. See // https://source.android.com/docs/security/features/trusty // @@ -165,6 +170,11 @@ #define OPENSSL_NO_SOCK #endif +#if defined(OPENSSL_PYTHIA) +#define OPENSSL_NO_POSIX_IO +#define OPENSSL_NO_SOCK +#endif + #if defined(__ANDROID_API__) #define OPENSSL_ANDROID #endif 
diff --git a/third_party/boringssl/src/include/openssl/tls_prf.h b/third_party/boringssl/src/include/openssl/tls_prf.h index 4740d02f..83ce9a64 100644 --- a/third_party/boringssl/src/include/openssl/tls_prf.h +++ b/third_party/boringssl/src/include/openssl/tls_prf.h @@ -27,10 +27,10 @@ extern "C" { // The TLS PRF is defined in Section 5 of RFC 5246. -// CRYPTO_tls1_prf calculates |out_len| bytes of the TLS PRF, using |digest|, -// and writes them to |out|. It is defined in Section 5 of RFC 5246, acting on -// |secret_len| bytes of shared |secret|, |label_len| bytes of |label|, -// |seed1_len| bytes of |seed1| and |seed2_len| bytes of |seed2|. It returns one +// CRYPTO_tls1_prf calculates `out_len` bytes of the TLS PRF, using `digest`, +// and writes them to `out`. It is defined in Section 5 of RFC 5246, acting on +// `secret_len` bytes of shared `secret`, `label_len` bytes of `label`, +// `seed1_len` bytes of `seed1` and `seed2_len` bytes of `seed2`. It returns one // on success and zero on error. OPENSSL_EXPORT int CRYPTO_tls1_prf(const EVP_MD *digest, uint8_t *out, size_t out_len, const uint8_t *secret, diff --git a/third_party/boringssl/src/include/openssl/trust_token.h b/third_party/boringssl/src/include/openssl/trust_token.h index e9c46679..cf909aed 100644 --- a/third_party/boringssl/src/include/openssl/trust_token.h +++ b/third_party/boringssl/src/include/openssl/trust_token.h 
@@ -67,25 +67,25 @@ struct trust_token_st { DEFINE_STACK_OF(TRUST_TOKEN) -// TRUST_TOKEN_new creates a newly-allocated |TRUST_TOKEN| with value |data| or +// TRUST_TOKEN_new creates a newly-allocated `TRUST_TOKEN` with value `data` or // NULL on allocation failure. OPENSSL_EXPORT TRUST_TOKEN *TRUST_TOKEN_new(const uint8_t *data, size_t len); -// TRUST_TOKEN_free releases memory associated with |token|. +// TRUST_TOKEN_free releases memory associated with `token`. OPENSSL_EXPORT void TRUST_TOKEN_free(TRUST_TOKEN *token); #define TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE 512 #define TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE 512 -// TRUST_TOKEN_generate_key creates a new Trust Token keypair labeled with |id| +// TRUST_TOKEN_generate_key creates a new Trust Token keypair labeled with `id` // and serializes the private and public keys, writing the private key to -// |out_priv_key| and setting |*out_priv_key_len| to the number of bytes -// written, and writing the public key to |out_pub_key| and setting -// |*out_pub_key_len| to the number of bytes written. +// `out_priv_key` and setting `*out_priv_key_len` to the number of bytes +// written, and writing the public key to `out_pub_key` and setting +// `*out_pub_key_len` to the number of bytes written. // -// At most |max_priv_key_len| and |max_pub_key_len| bytes are written. In order +// At most `max_priv_key_len` and `max_pub_key_len` bytes are written. In order // to ensure success, these should be at least -// |TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE| and |TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE|. +// `TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE` and `TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE`. // // This function returns one on success or zero on error. OPENSSL_EXPORT int TRUST_TOKEN_generate_key( 
@@ -94,15 +94,15 @@ OPENSSL_EXPORT int TRUST_TOKEN_generate_key( size_t *out_pub_key_len, size_t max_pub_key_len, uint32_t id); // TRUST_TOKEN_derive_key_from_secret deterministically derives a new Trust -// Token keypair labeled with |id| from an input |secret| and serializes the -// private and public keys, writing the private key to |out_priv_key| and -// setting |*out_priv_key_len| to the number of bytes written, and writing the -// public key to |out_pub_key| and setting |*out_pub_key_len| to the number of +// Token keypair labeled with `id` from an input `secret` and serializes the +// private and public keys, writing the private key to `out_priv_key` and +// setting `*out_priv_key_len` to the number of bytes written, and writing the +// public key to `out_pub_key` and setting `*out_pub_key_len` to the number of // bytes written. // -// At most |max_priv_key_len| and |max_pub_key_len| bytes are written. In order +// At most `max_priv_key_len` and `max_pub_key_len` bytes are written. In order // to ensure success, these should be at least -// |TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE| and |TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE|. +// `TRUST_TOKEN_MAX_PRIVATE_KEY_SIZE` and `TRUST_TOKEN_MAX_PUBLIC_KEY_SIZE`. // // This function returns one on success or zero on error. OPENSSL_EXPORT int TRUST_TOKEN_derive_key_from_secret( 
@@ -115,34 +115,34 @@ OPENSSL_EXPORT int TRUST_TOKEN_derive_key_from_secret( // Trust Token client implementation. // // These functions implements the client half of the Trust Token protocol. A -// single |TRUST_TOKEN_CLIENT| can perform a single protocol operation. +// single `TRUST_TOKEN_CLIENT` can perform a single protocol operation. -// TRUST_TOKEN_CLIENT_new returns a newly-allocated |TRUST_TOKEN_CLIENT| -// configured to use a max batchsize of |max_batchsize| or NULL on error. -// Issuance requests must be made in batches smaller than |max_batchsize|. This -// function will return an error if |max_batchsize| is too large for Trust +// TRUST_TOKEN_CLIENT_new returns a newly-allocated `TRUST_TOKEN_CLIENT` +// configured to use a max batchsize of `max_batchsize` or NULL on error. +// Issuance requests must be made in batches smaller than `max_batchsize`. This +// function will return an error if `max_batchsize` is too large for Trust // Tokens. OPENSSL_EXPORT TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_new( const TRUST_TOKEN_METHOD *method, size_t max_batchsize); -// TRUST_TOKEN_CLIENT_free releases memory associated with |ctx|. +// TRUST_TOKEN_CLIENT_free releases memory associated with `ctx`. OPENSSL_EXPORT void TRUST_TOKEN_CLIENT_free(TRUST_TOKEN_CLIENT *ctx); -// TRUST_TOKEN_CLIENT_dup_for_testing returns a newly-allocated copy of |ctx|, +// TRUST_TOKEN_CLIENT_dup_for_testing returns a newly-allocated copy of `ctx`, // or NULL on error. This may be useful for testing the library, e.g. to // benchmark an individual operation. // // WARNING: This function should never be used in production. A -// |TRUST_TOKEN_CLIENT| maintains single-use state between -// |TRUST_TOKEN_CLIENT_begin_issuance| and |TRUST_TOKEN_CLIENT_finish_issuance| +// `TRUST_TOKEN_CLIENT` maintains single-use state between +// `TRUST_TOKEN_CLIENT_begin_issuance` and `TRUST_TOKEN_CLIENT_finish_issuance` // operations. Cloning this state will cause tokens to be linkable and no longer // anonymized. 
OPENSSL_EXPORT TRUST_TOKEN_CLIENT *TRUST_TOKEN_CLIENT_dup_for_testing( const TRUST_TOKEN_CLIENT *ctx); -// TRUST_TOKEN_CLIENT_add_key configures the |ctx| to support the public key -// |key|. It sets |*out_key_index| to the index this key has been configured to. -// It returns one on success or zero on error if the |key| can't be parsed or +// TRUST_TOKEN_CLIENT_add_key configures the `ctx` to support the public key +// `key`. It sets `*out_key_index` to the index this key has been configured to. +// It returns one on success or zero on error if the `key` can't be parsed or // too many keys have been configured. OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_add_key(TRUST_TOKEN_CLIENT *ctx, size_t *out_key_index, @@ -154,10 +154,10 @@ OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_add_key(TRUST_TOKEN_CLIENT *ctx, OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_set_srr_key(TRUST_TOKEN_CLIENT *ctx, EVP_PKEY *key); -// TRUST_TOKEN_CLIENT_begin_issuance produces a request for |count| trust tokens -// and serializes the request into a newly-allocated buffer, setting |*out| to -// that buffer and |*out_len| to its length. The caller takes ownership of the -// buffer and must call |OPENSSL_free| when done. It returns one on success and +// TRUST_TOKEN_CLIENT_begin_issuance produces a request for `count` trust tokens +// and serializes the request into a newly-allocated buffer, setting `*out` to +// that buffer and `*out_len` to its length. The caller takes ownership of the +// buffer and must call `OPENSSL_free` when done. It returns one on success and // zero on error. OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_issuance(TRUST_TOKEN_CLIENT *ctx, uint8_t **out, 
@@ -165,20 +165,20 @@ OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_issuance(TRUST_TOKEN_CLIENT *ctx, size_t count); // TRUST_TOKEN_CLIENT_begin_issuance_over_message produces a request for a trust -// token derived from |msg| and serializes the request into a newly-allocated -// buffer, setting |*out| to that buffer and |*out_len| to its length. The -// caller takes ownership of the buffer and must call |OPENSSL_free| when done. +// token derived from `msg` and serializes the request into a newly-allocated +// buffer, setting `*out` to that buffer and `*out_len` to its length. The +// caller takes ownership of the buffer and must call `OPENSSL_free` when done. // It returns one on success and zero on error. OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_issuance_over_message( TRUST_TOKEN_CLIENT *ctx, uint8_t **out, size_t *out_len, size_t count, const uint8_t *msg, size_t msg_len); -// TRUST_TOKEN_CLIENT_finish_issuance consumes |response| from the issuer and +// TRUST_TOKEN_CLIENT_finish_issuance consumes `response` from the issuer and // extracts the tokens, returning a list of tokens and the index of the key used -// to sign the tokens in |*out_key_index|. The caller can use this to determine +// to sign the tokens in `*out_key_index`. The caller can use this to determine // what key was used in an issuance and to drop tokens if a new key commitment // arrives without the specified key present. The caller takes ownership of the -// list and must call |sk_TRUST_TOKEN_pop_free| when done. The list is empty if +// list and must call `sk_TRUST_TOKEN_pop_free` when done. The list is empty if // issuance fails. OPENSSL_EXPORT STACK_OF(TRUST_TOKEN) * TRUST_TOKEN_CLIENT_finish_issuance(TRUST_TOKEN_CLIENT *ctx, 
@@ -188,23 +188,23 @@ OPENSSL_EXPORT STACK_OF(TRUST_TOKEN) * // TRUST_TOKEN_CLIENT_begin_redemption produces a request to redeem a token -// |token| and receive a signature over |data| and serializes the request into -// a newly-allocated buffer, setting |*out| to that buffer and |*out_len| to -// its length. |time| is the number of seconds since the UNIX epoch and used to +// `token` and receive a signature over `data` and serializes the request into +// a newly-allocated buffer, setting `*out` to that buffer and `*out_len` to +// its length. `time` is the number of seconds since the UNIX epoch and used to // verify the validity of the issuer's response in TrustTokenV1 and ignored in // other versions. The caller takes ownership of the buffer and must call -// |OPENSSL_free| when done. It returns one on success or zero on error. +// `OPENSSL_free` when done. It returns one on success or zero on error. OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_begin_redemption( TRUST_TOKEN_CLIENT *ctx, uint8_t **out, size_t *out_len, const TRUST_TOKEN *token, const uint8_t *data, size_t data_len, uint64_t time); -// TRUST_TOKEN_CLIENT_finish_redemption consumes |response| from the issuer. In -// |TRUST_TOKEN_experiment_v1|, it then verifies the SRR and if valid sets -// |*out_rr| and |*out_rr_len| (respectively, |*out_sig| and |*out_sig_len|) +// TRUST_TOKEN_CLIENT_finish_redemption consumes `response` from the issuer. In +// `TRUST_TOKEN_experiment_v1`, it then verifies the SRR and if valid sets +// `*out_rr` and `*out_rr_len` (respectively, `*out_sig` and `*out_sig_len`) // to a newly-allocated buffer containing the SRR (respectively, the SRR -// signature). In other versions, it sets |*out_rr| and |*out_rr_len| -// to a newly-allocated buffer containing |response| and leaves all validation +// signature). In other versions, it sets `*out_rr` and `*out_rr_len` +// to a newly-allocated buffer containing `response` and leaves all validation // to the caller. 
It returns one on success or zero on failure. OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_finish_redemption( TRUST_TOKEN_CLIENT *ctx, uint8_t **out_rr, size_t *out_rr_len, 
@@ -215,26 +215,26 @@ OPENSSL_EXPORT int TRUST_TOKEN_CLIENT_finish_redemption( // Trust Token issuer implementation. // // These functions implement the issuer half of the Trust Token protocol. A -// |TRUST_TOKEN_ISSUER| can be reused across multiple protocol operations. It +// `TRUST_TOKEN_ISSUER` can be reused across multiple protocol operations. It // may be used concurrently on multiple threads by non-mutating functions, // provided no other thread is concurrently calling a mutating function. -// Functions which take a |const| pointer are non-mutating and functions which -// take a non-|const| pointer are mutating. +// Functions which take a `const` pointer are non-mutating and functions which +// take a non-`const` pointer are mutating. -// TRUST_TOKEN_ISSUER_new returns a newly-allocated |TRUST_TOKEN_ISSUER| -// configured to use a max batchsize of |max_batchsize| or NULL on error. -// Issuance requests must be made in batches smaller than |max_batchsize|. This -// function will return an error if |max_batchsize| is too large for Trust +// TRUST_TOKEN_ISSUER_new returns a newly-allocated `TRUST_TOKEN_ISSUER` +// configured to use a max batchsize of `max_batchsize` or NULL on error. +// Issuance requests must be made in batches smaller than `max_batchsize`. This +// function will return an error if `max_batchsize` is too large for Trust // Tokens. OPENSSL_EXPORT TRUST_TOKEN_ISSUER *TRUST_TOKEN_ISSUER_new( const TRUST_TOKEN_METHOD *method, size_t max_batchsize); -// TRUST_TOKEN_ISSUER_free releases memory associated with |ctx|. +// TRUST_TOKEN_ISSUER_free releases memory associated with `ctx`. OPENSSL_EXPORT void TRUST_TOKEN_ISSUER_free(TRUST_TOKEN_ISSUER *ctx); -// TRUST_TOKEN_ISSUER_add_key configures the |ctx| to support the private key -// |key|. It must be a private key returned by |TRUST_TOKEN_generate_key|. It -// returns one on success or zero on error. 
This function may fail if the |key| +// TRUST_TOKEN_ISSUER_add_key configures the `ctx` to support the private key +// `key`. It must be a private key returned by `TRUST_TOKEN_generate_key`. It +// returns one on success or zero on error. This function may fail if the `key` // can't be parsed or too many keys have been configured. OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_add_key(TRUST_TOKEN_ISSUER *ctx, const uint8_t *key, 
@@ -245,31 +245,31 @@ OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_add_key(TRUST_TOKEN_ISSUER *ctx, OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_set_srr_key(TRUST_TOKEN_ISSUER *ctx, EVP_PKEY *key); -// TRUST_TOKEN_ISSUER_issue ingests |request| for token issuance -// and generates up to |max_issuance| valid tokens, producing a list of blinded +// TRUST_TOKEN_ISSUER_issue ingests `request` for token issuance +// and generates up to `max_issuance` valid tokens, producing a list of blinded // tokens and storing the response into a newly-allocated buffer and setting -// |*out| to that buffer, |*out_len| to its length, and |*out_tokens_issued| to +// `*out` to that buffer, `*out_len` to its length, and `*out_tokens_issued` to // the number of tokens issued. The tokens are issued with public metadata of -// |public_metadata| and a private metadata value of |private_metadata|. -// |public_metadata| must be one of the previously configured key IDs. -// |private_metadata| must be 0 or 1. The caller takes ownership of the buffer -// and must call |OPENSSL_free| when done. It returns one on success or zero on +// `public_metadata` and a private metadata value of `private_metadata`. +// `public_metadata` must be one of the previously configured key IDs. +// `private_metadata` must be 0 or 1. The caller takes ownership of the buffer +// and must call `OPENSSL_free` when done. It returns one on success or zero on // error. OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_issue( const TRUST_TOKEN_ISSUER *ctx, uint8_t **out, size_t *out_len, size_t *out_tokens_issued, const uint8_t *request, size_t request_len, uint32_t public_metadata, uint8_t private_metadata, size_t max_issuance); -// TRUST_TOKEN_ISSUER_redeem ingests a |request| for token redemption and -// verifies the token. The public metadata is stored in |*out_public|. The -// private metadata (if any) is stored in |*out_private|. The extracted -// |TRUST_TOKEN| is stored into a newly-allocated buffer and stored in -// |*out_token|. 
The extracted client data is stored into a newly-allocated -// buffer and stored in |*out_client_data|. The caller takes ownership of each -// output buffer and must call |OPENSSL_free| when done. It returns one on +// TRUST_TOKEN_ISSUER_redeem ingests a `request` for token redemption and +// verifies the token. The public metadata is stored in `*out_public`. The +// private metadata (if any) is stored in `*out_private`. The extracted +// `TRUST_TOKEN` is stored into a newly-allocated buffer and stored in +// `*out_token`. The extracted client data is stored into a newly-allocated +// buffer and stored in `*out_client_data`. The caller takes ownership of each +// output buffer and must call `OPENSSL_free` when done. It returns one on // success or zero on error. // -// The caller must keep track of all values of |*out_token| seen globally before +// The caller must keep track of all values of `*out_token` seen globally before // returning a response to the client. If the value has been reused, the caller // must report an error to the client. Returning a response with replayed values // allows an attacker to double-spend tokens. 
@@ -279,20 +279,20 @@ OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_redeem( size_t *out_client_data_len, const uint8_t *request, size_t request_len); // TRUST_TOKEN_ISSUER_redeem_raw is a legacy alias for -// |TRUST_TOKEN_ISSUER_redeem|. +// `TRUST_TOKEN_ISSUER_redeem`. #define TRUST_TOKEN_ISSUER_redeem_raw TRUST_TOKEN_ISSUER_redeem -// TRUST_TOKEN_ISSUER_redeem_over_message ingests a |request| for token +// TRUST_TOKEN_ISSUER_redeem_over_message ingests a `request` for token // redemption and a message and verifies the token and that it is derived from -// the provided |msg|. The public metadata is stored in -// |*out_public|. The private metadata (if any) is stored in |*out_private|. The -// extracted |TRUST_TOKEN| is stored into a newly-allocated buffer and stored in -// |*out_token|. The extracted client data is stored into a newly-allocated -// buffer and stored in |*out_client_data|. The caller takes ownership of each -// output buffer and must call |OPENSSL_free| when done. It returns one on +// the provided `msg`. The public metadata is stored in +// `*out_public`. The private metadata (if any) is stored in `*out_private`. The +// extracted `TRUST_TOKEN` is stored into a newly-allocated buffer and stored in +// `*out_token`. The extracted client data is stored into a newly-allocated +// buffer and stored in `*out_client_data`. The caller takes ownership of each +// output buffer and must call `OPENSSL_free` when done. It returns one on // success or zero on error. // -// The caller must keep track of all values of |*out_token| seen globally before +// The caller must keep track of all values of `*out_token` seen globally before // returning a response to the client. If the value has been reused, the caller // must report an error to the client. Returning a response with replayed values // allows an attacker to double-spend tokens. 
@@ -302,10 +302,10 @@ OPENSSL_EXPORT int TRUST_TOKEN_ISSUER_redeem_over_message( size_t *out_client_data_len, const uint8_t *request, size_t request_len, const uint8_t *msg, size_t msg_len); -// TRUST_TOKEN_decode_private_metadata decodes |encrypted_bit| using the -// private metadata key specified by a |key| buffer of length |key_len| and the -// nonce by a |nonce| buffer of length |nonce_len|. The nonce in -// |TRUST_TOKEN_experiment_v1| is the token-hash field of the SRR. |*out_value| +// TRUST_TOKEN_decode_private_metadata decodes `encrypted_bit` using the +// private metadata key specified by a `key` buffer of length `key_len` and the +// nonce by a `nonce` buffer of length `nonce_len`. The nonce in +// `TRUST_TOKEN_experiment_v1` is the token-hash field of the SRR. `*out_value` // is set to the decrypted value, either zero or one. It returns one on success // and zero on error. OPENSSL_EXPORT int TRUST_TOKEN_decode_private_metadata( diff --git a/third_party/boringssl/src/include/openssl/type_check.h b/third_party/boringssl/src/include/openssl/type_check.h index 185b7656..a95bf131 100644 --- a/third_party/boringssl/src/include/openssl/type_check.h +++ b/third_party/boringssl/src/include/openssl/type_check.h @@ -22,7 +22,7 @@ extern "C" { #endif -// CHECKED_CAST casts |p| from type |from| to type |to|. +// CHECKED_CAST casts `p` from type `from` to type `to`. // // TODO(davidben): Although this macro is not public API and is unused in // BoringSSL, wpa_supplicant uses it to define its own stacks. Remove this once diff --git a/third_party/boringssl/src/include/openssl/x509.h b/third_party/boringssl/src/include/openssl/x509.h index e72d9ca9..d507d1e6 100644 --- a/third_party/boringssl/src/include/openssl/x509.h +++ b/third_party/boringssl/src/include/openssl/x509.h 
@@ -57,11 +57,11 @@ extern "C" { // Certificates. // -// An |X509| object represents an X.509 certificate, defined in RFC 5280. +// An `X509` object represents an X.509 certificate, defined in RFC 5280. // -// Although an |X509| is a mutable object, mutating an |X509| can give incorrect -// results. Callers typically obtain |X509|s by parsing some input with -// |d2i_X509|, etc. Such objects carry information such as the serialized +// Although an `X509` is a mutable object, mutating an `X509` can give incorrect +// results. Callers typically obtain `X509`s by parsing some input with +// `d2i_X509`, etc. Such objects carry information such as the serialized // TBSCertificate and decoded extensions, which will become inconsistent when // mutated. // 
@@ -70,59 +70,59 @@ extern "C" { DEFINE_STACK_OF(X509) -// X509 is an |ASN1_ITEM| whose ASN.1 type is X.509 Certificate (RFC 5280) and C -// type is |X509*|. +// X509 is an `ASN1_ITEM` whose ASN.1 type is X.509 Certificate (RFC 5280) and C +// type is `X509*`. DECLARE_ASN1_ITEM(X509) -// X509_up_ref adds one to the reference count of |x509| and returns one. +// X509_up_ref adds one to the reference count of `x509` and returns one. OPENSSL_EXPORT int X509_up_ref(X509 *x509); -// X509_dup_ref increments the reference count of |x509| and returns |x509|. -// The caller must call |X509_free| on the result to release the reference. +// X509_dup_ref increments the reference count of `x509` and returns `x509`. +// The caller must call `X509_free` on the result to release the reference. // -// WARNING: Although the result is non-const for use with |X509_free|, it is +// WARNING: Although the result is non-const for use with `X509_free`, it is // still shared with other parts of the appplication for the same object. Avoid -// mutating shared |X509|s. +// mutating shared `X509`s. OPENSSL_EXPORT X509 *X509_dup_ref(const X509 *x509); -// X509_chain_up_ref returns a newly-allocated |STACK_OF(X509)| containing a -// shallow copy of |chain|, or NULL on error. That is, the return value has the -// same contents as |chain|, and each |X509|'s reference count is incremented by +// X509_chain_up_ref returns a newly-allocated `STACK_OF(X509)` containing a +// shallow copy of `chain`, or NULL on error. That is, the return value has the +// same contents as `chain`, and each `X509`'s reference count is incremented by // one. OPENSSL_EXPORT STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); -// X509_dup returns a newly-allocated copy of |x509|, or NULL on error. This +// X509_dup returns a newly-allocated copy of `x509`, or NULL on error. This // function works by serializing the structure, so auxiliary properties (see -// |i2d_X509_AUX|) are not preserved. 
Additionally, if |x509| is incomplete, +// `i2d_X509_AUX`) are not preserved. Additionally, if `x509` is incomplete, // this function may fail. OPENSSL_EXPORT X509 *X509_dup(const X509 *x509); -// X509_free decrements |x509|'s reference count and, if zero, releases memory -// associated with |x509|. +// X509_free decrements `x509`'s reference count and, if zero, releases memory +// associated with `x509`. OPENSSL_EXPORT void X509_free(X509 *x509); -// d2i_X509 parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// Certificate (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_X509 parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// Certificate (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509 *d2i_X509(X509 **out, const uint8_t **inp, long len); -// X509_parse_with_algorithms parses an X.509 structure from |buf| and returns a -// fresh X509 or NULL on error. There must not be any trailing data in |buf|. -// The returned structure (if any) increment's |buf|'s reference count and +// X509_parse_with_algorithms parses an X.509 structure from `buf` and returns a +// fresh X509 or NULL on error. There must not be any trailing data in `buf`. +// The returned structure (if any) increment's `buf`'s reference count and // retains a reference to it. // -// Only the |num_algs| algorithms from |algs| will be considered when parsing +// Only the `num_algs` algorithms from `algs` will be considered when parsing // the certificate's public key. If the certificate uses a different algorithm, -// it will still be parsed, but |X509_get0_pubkey| will return NULL. +// it will still be parsed, but `X509_get0_pubkey` will return NULL. OPENSSL_EXPORT X509 *X509_parse_with_algorithms(CRYPTO_BUFFER *buf, const EVP_PKEY_ALG *const *algs, size_t num_algs); -// X509_parse_from_buffer behaves like |X509_parse_with_algorithms| but uses a +// X509_parse_from_buffer behaves like `X509_parse_with_algorithms` but uses a // default algorithm list. 
OPENSSL_EXPORT X509 *X509_parse_from_buffer(CRYPTO_BUFFER *buf); -// i2d_X509 marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), as -// described in |i2d_SAMPLE|. +// i2d_X509 marshals `x509` as a DER-encoded X.509 Certificate (RFC 5280), as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509(const X509 *x509, uint8_t **outp); // X509_VERSION_* are X.509 version numbers. Note the numerical values of all 
@@ -131,65 +131,65 @@ OPENSSL_EXPORT int i2d_X509(const X509 *x509, uint8_t **outp); #define X509_VERSION_2 1 #define X509_VERSION_3 2 -// X509_get_version returns the numerical value of |x509|'s version, which will -// be one of the |X509_VERSION_*| constants. +// X509_get_version returns the numerical value of `x509`'s version, which will +// be one of the `X509_VERSION_*` constants. OPENSSL_EXPORT long X509_get_version(const X509 *x509); -// X509_get0_serialNumber returns |x509|'s serial number. +// X509_get0_serialNumber returns `x509`'s serial number. OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x509); -// X509_get0_notBefore returns |x509|'s notBefore time. +// X509_get0_notBefore returns `x509`'s notBefore time. OPENSSL_EXPORT const ASN1_TIME *X509_get0_notBefore(const X509 *x509); -// X509_get0_notAfter returns |x509|'s notAfter time. +// X509_get0_notAfter returns `x509`'s notAfter time. OPENSSL_EXPORT const ASN1_TIME *X509_get0_notAfter(const X509 *x509); -// X509_get_issuer_name returns |x509|'s issuer. +// X509_get_issuer_name returns `x509`'s issuer. OPENSSL_EXPORT X509_NAME *X509_get_issuer_name(const X509 *x509); -// X509_get_subject_name returns |x509|'s subject. +// X509_get_subject_name returns `x509`'s subject. OPENSSL_EXPORT X509_NAME *X509_get_subject_name(const X509 *x509); -// X509_get_X509_PUBKEY returns the public key of |x509|. Note this function is +// X509_get_X509_PUBKEY returns the public key of `x509`. Note this function is // not const-correct for legacy reasons. Callers should not modify the returned // object. OPENSSL_EXPORT X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x509); -// X509_get0_pubkey returns |x509|'s public key as an |EVP_PKEY|, or NULL if the -// public key was unsupported or could not be decoded. The |EVP_PKEY| is cached -// in |x509|, so callers must not mutate the result. 
+// X509_get0_pubkey returns `x509`'s public key as an `EVP_PKEY`, or NULL if the +// public key was unsupported or could not be decoded. The `EVP_PKEY` is cached +// in `x509`, so callers must not mutate the result. OPENSSL_EXPORT EVP_PKEY *X509_get0_pubkey(const X509 *x509); -// X509_get_pubkey behaves like |X509_get0_pubkey| but increments the reference -// count on the |EVP_PKEY|. The caller must release the result with -// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |x509|, so callers +// X509_get_pubkey behaves like `X509_get0_pubkey` but increments the reference +// count on the `EVP_PKEY`. The caller must release the result with +// `EVP_PKEY_free` when done. The `EVP_PKEY` is cached in `x509`, so callers // must not mutate the result. OPENSSL_EXPORT EVP_PKEY *X509_get_pubkey(const X509 *x509); -// X509_get0_pubkey_bitstr returns the BIT STRING portion of |x509|'s public +// X509_get0_pubkey_bitstr returns the BIT STRING portion of `x509`'s public // key. Note this does not contain the AlgorithmIdentifier portion. // // WARNING: This function returns a non-const pointer for OpenSSL compatibility, // but the caller must not modify the resulting object. Doing so will break -// internal invariants in |x509|. +// internal invariants in `x509`. OPENSSL_EXPORT ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x509); -// X509_check_private_key returns one if |x509|'s public key matches |pkey| and +// X509_check_private_key returns one if `x509`'s public key matches `pkey` and // zero otherwise. OPENSSL_EXPORT int X509_check_private_key(const X509 *x509, const EVP_PKEY *pkey); -// X509_get0_uids sets |*out_issuer_uid| to a non-owning pointer to the -// issuerUID field of |x509|, or NULL if |x509| has no issuerUID. It similarly -// outputs |x509|'s subjectUID field to |*out_subject_uid|. +// X509_get0_uids sets `*out_issuer_uid` to a non-owning pointer to the +// issuerUID field of `x509`, or NULL if `x509` has no issuerUID. 
It similarly +// outputs `x509`'s subjectUID field to `*out_subject_uid`. // -// Callers may pass NULL to either |out_issuer_uid| or |out_subject_uid| to +// Callers may pass NULL to either `out_issuer_uid` or `out_subject_uid` to // ignore the corresponding field. OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, const ASN1_BIT_STRING **out_issuer_uid, const ASN1_BIT_STRING **out_subject_uid); -// The following bits are returned from |X509_get_extension_flags|. +// The following bits are returned from `X509_get_extension_flags`. // EXFLAG_BCONS indicates the certificate has a basic constraints extension. #define EXFLAG_BCONS 0x1 
@@ -220,21 +220,21 @@ OPENSSL_EXPORT void X509_get0_uids(const X509 *x509, // itself is not checked in computing this bit. #define EXFLAG_SS 0x2000 -// X509_get_extension_flags decodes a set of extensions from |x509| and returns -// a collection of |EXFLAG_*| bits which reflect |x509|. If there was an error -// in computing this bitmask, the result will include the |EXFLAG_INVALID| bit. +// X509_get_extension_flags decodes a set of extensions from `x509` and returns +// a collection of `EXFLAG_*` bits which reflect `x509`. If there was an error +// in computing this bitmask, the result will include the `EXFLAG_INVALID` bit. OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x509); // X509_get_pathlen returns path length constraint from the basic constraints -// extension in |x509|. (See RFC 5280, section 4.2.1.9.) It returns -1 if the -// constraint is not present, or if some extension in |x509| was invalid. +// extension in `x509`. (See RFC 5280, section 4.2.1.9.) It returns -1 if the +// constraint is not present, or if some extension in `x509` was invalid. // -// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for +// TODO(crbug.com/boringssl/381): Decoding an `X509` object will not check for // invalid extensions. To detect the error case, call -// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. +// `X509_get_extension_flags` and check the `EXFLAG_INVALID` bit. OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); -// X509v3_KU_* are key usage bits returned from |X509_get_key_usage|. +// X509v3_KU_* are key usage bits returned from `X509_get_key_usage`. #define X509v3_KU_DIGITAL_SIGNATURE 0x0080 #define X509v3_KU_NON_REPUDIATION 0x0040 #define X509v3_KU_KEY_ENCIPHERMENT 0x0020 
@@ -246,22 +246,22 @@ OPENSSL_EXPORT long X509_get_pathlen(X509 *x509); #define X509v3_KU_DECIPHER_ONLY 0x8000 // X509_get_key_usage returns a bitmask of key usages (see Section 4.2.1.3 of -// RFC 5280) which |x509| is valid for. This function only reports the first 16 +// RFC 5280) which `x509` is valid for. This function only reports the first 16 // bits, in a little-endian byte order, but big-endian bit order. That is, bits // 0 though 7 are reported at 1<<7 through 1<<0, and bits 8 through 15 are // reported at 1<<15 through 1<<8. // // Instead of depending on this bit order, callers should compare against the -// |X509v3_KU_*| constants. +// `X509v3_KU_*` constants. // -// If |x509| has no key usage extension, all key usages are valid and this -// function returns |UINT32_MAX|. If there was an error processing |x509|'s +// If `x509` has no key usage extension, all key usages are valid and this +// function returns `UINT32_MAX`. If there was an error processing `x509`'s // extensions, or if the first 16 bits in the key usage extension were all zero, // this function returns zero. OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509); // XKU_* are extended key usage bits returned from -// |X509_get_extended_key_usage|. +// `X509_get_extended_key_usage`. #define XKU_SSL_SERVER 0x1 #define XKU_SSL_CLIENT 0x2 #define XKU_SMIME 0x4 
@@ -273,285 +273,285 @@ OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x509); #define XKU_ANYEKU 0x100 // X509_get_extended_key_usage returns a bitmask of extended key usages (see -// Section 4.2.1.12 of RFC 5280) which |x509| is valid for. The result will be -// a combination of |XKU_*| constants. If checking an extended key usage not +// Section 4.2.1.12 of RFC 5280) which `x509` is valid for. The result will be +// a combination of `XKU_*` constants. If checking an extended key usage not // defined above, callers should extract the extended key usage extension -// separately, e.g. via |X509_get_ext_d2i|. +// separately, e.g. via `X509_get_ext_d2i`. // -// If |x509| has no extended key usage extension, all extended key usages are -// valid and this function returns |UINT32_MAX|. If there was an error -// processing |x509|'s extensions, or if |x509|'s extended key usage extension +// If `x509` has no extended key usage extension, all extended key usages are +// valid and this function returns `UINT32_MAX`. If there was an error +// processing `x509`'s extensions, or if `x509`'s extended key usage extension // contained no recognized usages, this function returns zero. OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x509); -// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present. +// X509_get0_subject_key_id returns `x509`'s subject key identifier, if present. // (See RFC 5280, section 4.2.1.2.) It returns NULL if the extension is not -// present or if some extension in |x509| was invalid. +// present or if some extension in `x509` was invalid. // -// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for +// TODO(crbug.com/boringssl/381): Decoding an `X509` object will not check for // invalid extensions. To detect the error case, call -// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. +// `X509_get_extension_flags` and check the `EXFLAG_INVALID` bit. 
OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509); -// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key +// X509_get0_authority_key_id returns keyIdentifier of `x509`'s authority key // identifier, if the extension and field are present. (See RFC 5280, // section 4.2.1.1.) It returns NULL if the extension is not present, if it is -// present but lacks a keyIdentifier field, or if some extension in |x509| was +// present but lacks a keyIdentifier field, or if some extension in `x509` was // invalid. // -// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for +// TODO(crbug.com/boringssl/381): Decoding an `X509` object will not check for // invalid extensions. To detect the error case, call -// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. +// `X509_get_extension_flags` and check the `EXFLAG_INVALID` bit. OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509); DEFINE_STACK_OF(GENERAL_NAME) typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES; -// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s +// X509_get0_authority_issuer returns the authorityCertIssuer of `x509`'s // authority key identifier, if the extension and field are present. (See // RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, // if it is present but lacks a authorityCertIssuer field, or if some extension -// in |x509| was invalid. +// in `x509` was invalid. // -// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for +// TODO(crbug.com/boringssl/381): Decoding an `X509` object will not check for // invalid extensions. To detect the error case, call -// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. +// `X509_get_extension_flags` and check the `EXFLAG_INVALID` bit. 
OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509); -// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s +// X509_get0_authority_serial returns the authorityCertSerialNumber of `x509`'s // authority key identifier, if the extension and field are present. (See // RFC 5280, section 4.2.1.1.) It returns NULL if the extension is not present, // if it is present but lacks a authorityCertSerialNumber field, or if some -// extension in |x509| was invalid. +// extension in `x509` was invalid. // -// TODO(crbug.com/boringssl/381): Decoding an |X509| object will not check for +// TODO(crbug.com/boringssl/381): Decoding an `X509` object will not check for // invalid extensions. To detect the error case, call -// |X509_get_extension_flags| and check the |EXFLAG_INVALID| bit. +// `X509_get_extension_flags` and check the `EXFLAG_INVALID` bit. OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509); -// X509_get0_extensions returns |x509|'s extension list, or NULL if |x509| omits +// X509_get0_extensions returns `x509`'s extension list, or NULL if `x509` omits // it. OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_get0_extensions( const X509 *x509); -// X509_get_ext_count returns the number of extensions in |x|. +// X509_get_ext_count returns the number of extensions in `x`. OPENSSL_EXPORT int X509_get_ext_count(const X509 *x); -// X509_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for -// extensions in |x|. +// X509_get_ext_by_NID behaves like `X509v3_get_ext_by_NID` but searches for +// extensions in `x`. OPENSSL_EXPORT int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); -// X509_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for -// extensions in |x|. +// X509_get_ext_by_OBJ behaves like `X509v3_get_ext_by_OBJ` but searches for +// extensions in `x`. 
OPENSSL_EXPORT int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos); -// X509_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but -// searches for extensions in |x|. +// X509_get_ext_by_critical behaves like `X509v3_get_ext_by_critical` but +// searches for extensions in `x`. OPENSSL_EXPORT int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos); -// X509_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| is +// X509_get_ext returns the extension in `x` at index `loc`, or NULL if `loc` is // out of bounds. This function returns a non-const pointer for OpenSSL // compatibility, but callers should not mutate the result. OPENSSL_EXPORT X509_EXTENSION *X509_get_ext(const X509 *x, int loc); -// X509_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the extension in -// |x509|'s extension list. +// X509_get_ext_d2i behaves like `X509V3_get_d2i` but looks for the extension in +// `x509`'s extension list. // // WARNING: This function is difficult to use correctly. See the documentation -// for |X509V3_get_d2i| for details. +// for `X509V3_get_d2i` for details. OPENSSL_EXPORT void *X509_get_ext_d2i(const X509 *x509, int nid, int *out_critical, int *out_idx); -// X509_get0_tbs_sigalg returns the signature algorithm in |x509|'s -// TBSCertificate. For the outer signature algorithm, see |X509_get0_signature|. +// X509_get0_tbs_sigalg returns the signature algorithm in `x509`'s +// TBSCertificate. For the outer signature algorithm, see `X509_get0_signature`. // // Certificates with mismatched signature algorithms will successfully parse, // but they will be rejected when verifying. OPENSSL_EXPORT const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x509); -// X509_get0_signature sets |*out_sig| and |*out_alg| to the signature and -// signature algorithm of |x509|, respectively. 
Either output pointer may be +// X509_get0_signature sets `*out_sig` and `*out_alg` to the signature and +// signature algorithm of `x509`, respectively. Either output pointer may be // NULL to ignore the value. // // This function outputs the outer signature algorithm. For the one in the -// TBSCertificate, see |X509_get0_tbs_sigalg|. Certificates with mismatched +// TBSCertificate, see `X509_get0_tbs_sigalg`. Certificates with mismatched // signature algorithms will successfully parse, but they will be rejected when // verifying. OPENSSL_EXPORT void X509_get0_signature(const ASN1_BIT_STRING **out_sig, const X509_ALGOR **out_alg, const X509 *x509); -// X509_get_signature_nid returns the NID corresponding to |x509|'s signature -// algorithm, or |NID_undef| if the signature algorithm does not correspond to +// X509_get_signature_nid returns the NID corresponding to `x509`'s signature +// algorithm, or `NID_undef` if the signature algorithm does not correspond to // a known NID. OPENSSL_EXPORT int X509_get_signature_nid(const X509 *x509); -// i2d_X509_tbs serializes the TBSCertificate portion of |x509|, as described in -// |i2d_SAMPLE|. +// i2d_X509_tbs serializes the TBSCertificate portion of `x509`, as described in +// `i2d_SAMPLE`. // // This function preserves the original encoding of the TBSCertificate and may -// not reflect modifications made to |x509|. It may be used to manually verify +// not reflect modifications made to `x509`. It may be used to manually verify // the signature of an existing certificate. To generate certificates, use -// |i2d_re_X509_tbs| instead. +// `i2d_re_X509_tbs` instead. OPENSSL_EXPORT int i2d_X509_tbs(const X509 *x509, uint8_t **outp); -// X509_verify checks that |x509| has a valid signature by |pkey|. It returns +// X509_verify checks that `x509` has a valid signature by `pkey`. It returns // one if the signature is valid and zero otherwise. 
Note this function only // checks the signature itself and does not perform a full certificate // validation. OPENSSL_EXPORT int X509_verify(const X509 *x509, EVP_PKEY *pkey); // X509_get1_email returns a newly-allocated list of NUL-terminated strings -// containing all email addresses in |x509|'s subject and all rfc822name names -// in |x509|'s subject alternative names. Email addresses which contain embedded +// containing all email addresses in `x509`'s subject and all rfc822name names +// in `x509`'s subject alternative names. Email addresses which contain embedded // NUL bytes are skipped. The results are returned in an arbitrary order. // // On error, or if there are no such email addresses, it returns NULL. When -// done, the caller must release the result with |X509_email_free|. +// done, the caller must release the result with `X509_email_free`. OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(const X509 *x509); // X509_get1_ocsp returns a newly-allocated list of NUL-terminated strings -// containing all OCSP URIs in |x509|. That is, it collects all URI -// AccessDescriptions with an accessMethod of id-ad-ocsp in |x509|'s authority +// containing all OCSP URIs in `x509`. That is, it collects all URI +// AccessDescriptions with an accessMethod of id-ad-ocsp in `x509`'s authority // information access extension. URIs which contain embedded NUL bytes are // skipped. The results are returned in an arbitrary order. // // On error, or if there are no such URIs, it returns NULL. When done, the -// caller must release the result with |X509_email_free|. +// caller must release the result with `X509_email_free`. OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(const X509 *x509); -// X509_email_free releases memory associated with |sk|, including |sk| itself. -// Each |OPENSSL_STRING| in |sk| must be a NUL-terminated string allocated with -// |OPENSSL_malloc|. If |sk| is NULL, no action is taken. 
+// X509_email_free releases memory associated with `sk`, including `sk` itself. +// Each `OPENSSL_STRING` in `sk` must be a NUL-terminated string allocated with +// `OPENSSL_malloc`. If `sk` is NULL, no action is taken. OPENSSL_EXPORT void X509_email_free(STACK_OF(OPENSSL_STRING) *sk); -// X509_cmp compares |a| and |b| and returns zero if they are equal, a negative -// number if |b| sorts after |a| and a negative number if |a| sorts after |b|. +// X509_cmp compares `a` and `b` and returns zero if they are equal, a negative +// number if `b` sorts after `a` and a negative number if `a` sorts after `b`. // The sort order implemented by this function is arbitrary and does not // reflect properties of the certificate such as expiry. Applications should not // rely on the order itself. // // TODO(https://crbug.com/boringssl/355): This function works by comparing a -// cached hash of the encoded certificate. If |a| or |b| could not be +// cached hash of the encoded certificate. If `a` or `b` could not be // serialized, the current behavior is to compare all unencodable certificates -// as equal. This function should only be used with |X509| objects that were +// as equal. This function should only be used with `X509` objects that were // parsed from bytes and never mutated. OPENSSL_EXPORT int X509_cmp(const X509 *a, const X509 *b); // Issuing certificates. // -// An |X509| object may also represent an incomplete certificate. Callers may -// construct empty |X509| objects, fill in fields individually, and finally sign +// An `X509` object may also represent an incomplete certificate. Callers may +// construct empty `X509` objects, fill in fields individually, and finally sign // the result. The following functions may be used for this purpose. -// X509_new returns a newly-allocated, empty |X509| object, or NULL on error. +// X509_new returns a newly-allocated, empty `X509` object, or NULL on error. 
// This produces an incomplete certificate which may be filled in to issue a new // certificate. OPENSSL_EXPORT X509 *X509_new(void); -// X509_set_version sets |x509|'s version to |version|, which should be one of -// the |X509V_VERSION_*| constants. It returns one on success and zero on error. +// X509_set_version sets `x509`'s version to `version`, which should be one of +// the `X509V_VERSION_*` constants. It returns one on success and zero on error. // -// If unsure, use |X509_VERSION_3|. +// If unsure, use `X509_VERSION_3`. OPENSSL_EXPORT int X509_set_version(X509 *x509, long version); -// X509_set_serialNumber sets |x509|'s serial number to |serial|. It returns one +// X509_set_serialNumber sets `x509`'s serial number to `serial`. It returns one // on success and zero on error. OPENSSL_EXPORT int X509_set_serialNumber(X509 *x509, const ASN1_INTEGER *serial); -// X509_set1_notBefore sets |x509|'s notBefore time to |tm|. It returns one on +// X509_set1_notBefore sets `x509`'s notBefore time to `tm`. It returns one on // success and zero on error. OPENSSL_EXPORT int X509_set1_notBefore(X509 *x509, const ASN1_TIME *tm); -// X509_set1_notAfter sets |x509|'s notAfter time to |tm|. it returns one on +// X509_set1_notAfter sets `x509`'s notAfter time to `tm`. it returns one on // success and zero on error. OPENSSL_EXPORT int X509_set1_notAfter(X509 *x509, const ASN1_TIME *tm); -// X509_getm_notBefore returns a mutable pointer to |x509|'s notBefore time. +// X509_getm_notBefore returns a mutable pointer to `x509`'s notBefore time. OPENSSL_EXPORT ASN1_TIME *X509_getm_notBefore(X509 *x509); -// X509_getm_notAfter returns a mutable pointer to |x509|'s notAfter time. +// X509_getm_notAfter returns a mutable pointer to `x509`'s notAfter time. OPENSSL_EXPORT ASN1_TIME *X509_getm_notAfter(X509 *x); -// X509_set_issuer_name sets |x509|'s issuer to a copy of |name|. It returns one +// X509_set_issuer_name sets `x509`'s issuer to a copy of `name`. 
It returns one // on success and zero on error. OPENSSL_EXPORT int X509_set_issuer_name(X509 *x509, const X509_NAME *name); -// X509_set_subject_name sets |x509|'s subject to a copy of |name|. It returns +// X509_set_subject_name sets `x509`'s subject to a copy of `name`. It returns // one on success and zero on error. OPENSSL_EXPORT int X509_set_subject_name(X509 *x509, const X509_NAME *name); -// X509_set_pubkey sets |x509|'s public key to |pkey|. It returns one on success -// and zero on error. This function does not take ownership of |pkey| and +// X509_set_pubkey sets `x509`'s public key to `pkey`. It returns one on success +// and zero on error. This function does not take ownership of `pkey` and // internally copies and updates reference counts as needed. OPENSSL_EXPORT int X509_set_pubkey(X509 *x509, EVP_PKEY *pkey); -// X509_delete_ext removes the extension in |x| at index |loc| and returns the -// removed extension, or NULL if |loc| was out of bounds. If non-NULL, the -// caller must release the result with |X509_EXTENSION_free|. +// X509_delete_ext removes the extension in `x` at index `loc` and returns the +// removed extension, or NULL if `loc` was out of bounds. If non-NULL, the +// caller must release the result with `X509_EXTENSION_free`. OPENSSL_EXPORT X509_EXTENSION *X509_delete_ext(X509 *x, int loc); -// X509_add_ext adds a copy of |ex| to |x|. It returns one on success and zero -// on failure. The caller retains ownership of |ex| and can release it -// independently of |x|. +// X509_add_ext adds a copy of `ex` to `x`. It returns one on success and zero +// on failure. The caller retains ownership of `ex` and can release it +// independently of `x`. // -// The new extension is inserted at index |loc|, shifting extensions to the -// right. If |loc| is -1 or out of bounds, the new extension is appended to the +// The new extension is inserted at index `loc`, shifting extensions to the +// right. 
If `loc` is -1 or out of bounds, the new extension is appended to the // list. OPENSSL_EXPORT int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc); -// X509_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension to -// |x|'s extension list. +// X509_add1_ext_i2d behaves like `X509V3_add1_i2d` but adds the extension to +// `x`'s extension list. // // WARNING: This function may return zero or -1 on error. The caller must also -// ensure |value|'s type matches |nid|. See the documentation for -// |X509V3_add1_i2d| for details. +// ensure `value`'s type matches `nid`. See the documentation for +// `X509V3_add1_i2d` for details. OPENSSL_EXPORT int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags); -// X509_sign signs |x509| with |pkey| and replaces the signature algorithm and +// X509_sign signs `x509` with `pkey` and replaces the signature algorithm and // signature fields. It returns the length of the signature on success and zero -// on error. This function uses digest algorithm |md|, or |pkey|'s default if -// NULL. Other signing parameters use |pkey|'s defaults. To customize them, use -// |X509_sign_ctx|. +// on error. This function uses digest algorithm `md`, or `pkey`'s default if +// NULL. Other signing parameters use `pkey`'s defaults. To customize them, use +// `X509_sign_ctx`. OPENSSL_EXPORT int X509_sign(X509 *x509, EVP_PKEY *pkey, const EVP_MD *md); -// X509_sign_ctx signs |x509| with |ctx| and replaces the signature algorithm +// X509_sign_ctx signs `x509` with `ctx` and replaces the signature algorithm // and signature fields. It returns the length of the signature on success and -// zero on error. The signature algorithm and parameters come from |ctx|, which -// must have been initialized with |EVP_DigestSignInit|. The caller should -// configure the corresponding |EVP_PKEY_CTX| before calling this function. +// zero on error. 
The signature algorithm and parameters come from `ctx`, which +// must have been initialized with `EVP_DigestSignInit`. The caller should +// configure the corresponding `EVP_PKEY_CTX` before calling this function. // -// On success or failure, this function mutates |ctx| and resets it to the empty +// On success or failure, this function mutates `ctx` and resets it to the empty // state. Caller should not rely on its contents after the function returns. OPENSSL_EXPORT int X509_sign_ctx(X509 *x509, EVP_MD_CTX *ctx); -// i2d_re_X509_tbs serializes the TBSCertificate portion of |x509|, as described -// in |i2d_SAMPLE|. +// i2d_re_X509_tbs serializes the TBSCertificate portion of `x509`, as described +// in `i2d_SAMPLE`. // -// This function re-encodes the TBSCertificate and may not reflect |x509|'s +// This function re-encodes the TBSCertificate and may not reflect `x509`'s // original encoding. It may be used to manually generate a signature for a new -// certificate. To verify certificates, use |i2d_X509_tbs| instead. +// certificate. To verify certificates, use `i2d_X509_tbs` instead. // -// Unlike |i2d_X509_tbs|, this function is not |const| and thus may not be to -// use concurrently with other functions that access |x509|. It mutates |x509| +// Unlike `i2d_X509_tbs`, this function is not `const` and thus may not be to +// use concurrently with other functions that access `x509`. It mutates `x509` // by dropping the cached encoding. This function is intended to be used during -// certificate construction, where |x509| is still single-threaded and being +// certificate construction, where `x509` is still single-threaded and being // mutated. OPENSSL_EXPORT int i2d_re_X509_tbs(X509 *x509, uint8_t **outp); -// X509_set1_signature_algo sets |x509|'s signature algorithm to |algo| and +// X509_set1_signature_algo sets `x509`'s signature algorithm to `algo` and // returns one on success or zero on error. 
It updates both the signature field // of the TBSCertificate structure, and the signatureAlgorithm field of the // Certificate. OPENSSL_EXPORT int X509_set1_signature_algo(X509 *x509, const X509_ALGOR *algo); -// X509_set1_signature_value sets |x509|'s signature to a copy of the |sig_len| -// bytes pointed by |sig|. It returns one on success and zero on error. +// X509_set1_signature_value sets `x509`'s signature to a copy of the `sig_len` +// bytes pointed by `sig`. It returns one on success and zero on error. // // Due to a specification error, X.509 certificates store signatures in ASN.1 // BIT STRINGs, but signature algorithms return byte strings rather than bit 
@@ -564,29 +564,29 @@ OPENSSL_EXPORT int X509_set1_signature_value(X509 *x509, const uint8_t *sig, // Auxiliary certificate properties. // -// |X509| objects optionally maintain auxiliary properties. These are not part +// `X509` objects optionally maintain auxiliary properties. These are not part // of the certificates themselves, and thus are not covered by signatures or // preserved by the standard serialization. They are used as inputs or outputs // to other functions in this library. -// i2d_X509_AUX marshals |x509| as a DER-encoded X.509 Certificate (RFC 5280), +// i2d_X509_AUX marshals `x509` as a DER-encoded X.509 Certificate (RFC 5280), // followed optionally by a separate, OpenSSL-specific structure with auxiliary -// properties. It behaves as described in |i2d_SAMPLE|. +// properties. It behaves as described in `i2d_SAMPLE`. // // Unlike similarly-named functions, this function does not output a single // ASN.1 element. Directly embedding the output in a larger ASN.1 structure will // not behave correctly. OPENSSL_EXPORT int i2d_X509_AUX(const X509 *x509, uint8_t **outp); -// d2i_X509_AUX parses up to |length| bytes from |*inp| as a DER-encoded X.509 +// d2i_X509_AUX parses up to `length` bytes from `*inp` as a DER-encoded X.509 // Certificate (RFC 5280), followed optionally by a separate, OpenSSL-specific -// structure with auxiliary properties. It behaves as described in |d2i_SAMPLE|. +// structure with auxiliary properties. It behaves as described in `d2i_SAMPLE`. // // WARNING: Passing untrusted input to this function allows an attacker to // control auxiliary properties. This can allow unexpected influence over the // application if the certificate is used in a context that reads auxiliary // properties. This includes PKCS#12 serialization, trusted certificates in -// |X509_STORE|, and callers of |X509_alias_get0| or |X509_keyid_get0|. +// `X509_STORE`, and callers of `X509_alias_get0` or `X509_keyid_get0`. 
// // Unlike similarly-named functions, this function does not parse a single // ASN.1 element. Trying to parse data directly embedded in a larger ASN.1 
@@ -594,82 +594,82 @@ OPENSSL_EXPORT int i2d_X509_AUX(const X509 *x509, uint8_t **outp); OPENSSL_EXPORT X509 *d2i_X509_AUX(X509 **x509, const uint8_t **inp, long length); -// X509_alias_set1 sets |x509|'s alias to |len| bytes from |name|. If |name| is +// X509_alias_set1 sets `x509`'s alias to `len` bytes from `name`. If `name` is // NULL, the alias is cleared instead. Aliases are not part of the certificate -// itself and will not be serialized by |i2d_X509|. If |x509| is serialized in +// itself and will not be serialized by `i2d_X509`. If `x509` is serialized in // a PKCS#12 structure, the friendlyName attribute (RFC 2985) will contain this // alias. OPENSSL_EXPORT int X509_alias_set1(X509 *x509, const uint8_t *name, ossl_ssize_t len); -// X509_keyid_set1 sets |x509|'s key ID to |len| bytes from |id|. If |id| is +// X509_keyid_set1 sets `x509`'s key ID to `len` bytes from `id`. If `id` is // NULL, the key ID is cleared instead. Key IDs are not part of the certificate -// itself and will not be serialized by |i2d_X509|. +// itself and will not be serialized by `i2d_X509`. OPENSSL_EXPORT int X509_keyid_set1(X509 *x509, const uint8_t *id, ossl_ssize_t len); -// X509_alias_get0 looks up |x509|'s alias. If found, it sets |*out_len| to the +// X509_alias_get0 looks up `x509`'s alias. If found, it sets `*out_len` to the // alias's length and returns a pointer to a buffer containing the contents. If // not found, it outputs the empty string by returning NULL and setting -// |*out_len| to zero. +// `*out_len` to zero. // -// If |x509| was parsed from a PKCS#12 structure (see -// |PKCS12_get_key_and_certs|), the alias will reflect the friendlyName +// If `x509` was parsed from a PKCS#12 structure (see +// `PKCS12_get_key_and_certs`), the alias will reflect the friendlyName // attribute (RFC 2985). // -// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was +// WARNING: In OpenSSL, this function did not set `*out_len` when the alias was // missing. 
Callers that target both OpenSSL and BoringSSL should set the value // to zero before calling this function. OPENSSL_EXPORT const uint8_t *X509_alias_get0(const X509 *x509, int *out_len); -// X509_keyid_get0 looks up |x509|'s key ID. If found, it sets |*out_len| to the +// X509_keyid_get0 looks up `x509`'s key ID. If found, it sets `*out_len` to the // key ID's length and returns a pointer to a buffer containing the contents. If // not found, it outputs the empty string by returning NULL and setting -// |*out_len| to zero. +// `*out_len` to zero. // -// WARNING: In OpenSSL, this function did not set |*out_len| when the alias was +// WARNING: In OpenSSL, this function did not set `*out_len` when the alias was // missing. Callers that target both OpenSSL and BoringSSL should set the value // to zero before calling this function. OPENSSL_EXPORT const uint8_t *X509_keyid_get0(const X509 *x509, int *out_len); -// X509_add1_trust_object configures |x509| as a valid trust anchor for |obj|. -// It returns one on success and zero on error. |obj| should be a certificate -// usage OID associated with an |X509_TRUST_*| constant. +// X509_add1_trust_object configures `x509` as a valid trust anchor for `obj`. +// It returns one on success and zero on error. `obj` should be a certificate +// usage OID associated with an `X509_TRUST_*` constant. // -// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. -// Note this only takes effect if |x509| was configured as a trusted certificate -// via |X509_STORE|. +// See `X509_VERIFY_PARAM_set_trust` for details on how this value is evaluated. +// Note this only takes effect if `x509` was configured as a trusted certificate +// via `X509_STORE`. OPENSSL_EXPORT int X509_add1_trust_object(X509 *x509, const ASN1_OBJECT *obj); -// X509_add1_reject_object configures |x509| as distrusted for |obj|. It returns -// one on success and zero on error. 
|obj| should be a certificate usage OID -// associated with an |X509_TRUST_*| constant. +// X509_add1_reject_object configures `x509` as distrusted for `obj`. It returns +// one on success and zero on error. `obj` should be a certificate usage OID +// associated with an `X509_TRUST_*` constant. // -// See |X509_VERIFY_PARAM_set_trust| for details on how this value is evaluated. -// Note this only takes effect if |x509| was configured as a trusted certificate -// via |X509_STORE|. +// See `X509_VERIFY_PARAM_set_trust` for details on how this value is evaluated. +// Note this only takes effect if `x509` was configured as a trusted certificate +// via `X509_STORE`. OPENSSL_EXPORT int X509_add1_reject_object(X509 *x509, const ASN1_OBJECT *obj); -// X509_trust_clear clears the list of OIDs for which |x509| is trusted. See -// also |X509_add1_trust_object|. +// X509_trust_clear clears the list of OIDs for which `x509` is trusted. See +// also `X509_add1_trust_object`. OPENSSL_EXPORT void X509_trust_clear(X509 *x509); -// X509_reject_clear clears the list of OIDs for which |x509| is distrusted. See -// also |X509_add1_reject_object|. +// X509_reject_clear clears the list of OIDs for which `x509` is distrusted. See +// also `X509_add1_reject_object`. OPENSSL_EXPORT void X509_reject_clear(X509 *x509); // Certificate revocation lists. // -// An |X509_CRL| object represents an X.509 certificate revocation list (CRL), +// An `X509_CRL` object represents an X.509 certificate revocation list (CRL), // defined in RFC 5280. A CRL is a signed list of certificates, the // revokedCertificates field, which are no longer considered valid. Each entry -// of this list is represented with an |X509_REVOKED| object, documented in the +// of this list is represented with an `X509_REVOKED` object, documented in the // "CRL entries" section below. // -// Although an |X509_CRL| is a mutable object, mutating an |X509_CRL| or its -// |X509_REVOKED|s can give incorrect results. 
Callers typically obtain -// |X509_CRL|s by parsing some input with |d2i_X509_CRL|, etc. Such objects +// Although an `X509_CRL` is a mutable object, mutating an `X509_CRL` or its +// `X509_REVOKED`s can give incorrect results. Callers typically obtain +// `X509_CRL`s by parsing some input with `d2i_X509_CRL`, etc. Such objects // carry information such as the serialized TBSCertList and decoded extensions, // which will become inconsistent when mutated. // 
@@ -679,128 +679,128 @@ OPENSSL_EXPORT void X509_reject_clear(X509 *x509); DEFINE_STACK_OF(X509_CRL) DEFINE_STACK_OF(X509_REVOKED) -// X509_CRL_up_ref adds one to the reference count of |crl| and returns one. +// X509_CRL_up_ref adds one to the reference count of `crl` and returns one. OPENSSL_EXPORT int X509_CRL_up_ref(X509_CRL *crl); -// X509_CRL_dup returns a newly-allocated copy of |crl|, or NULL on error. This -// function works by serializing the structure, so if |crl| is incomplete, it +// X509_CRL_dup returns a newly-allocated copy of `crl`, or NULL on error. This +// function works by serializing the structure, so if `crl` is incomplete, it // may fail. OPENSSL_EXPORT X509_CRL *X509_CRL_dup(const X509_CRL *crl); -// X509_CRL_free decrements |crl|'s reference count and, if zero, releases -// memory associated with |crl|. +// X509_CRL_free decrements `crl`'s reference count and, if zero, releases +// memory associated with `crl`. OPENSSL_EXPORT void X509_CRL_free(X509_CRL *crl); -// d2i_X509_CRL parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// CertificateList (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_X509_CRL parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// CertificateList (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_CRL *d2i_X509_CRL(X509_CRL **out, const uint8_t **inp, long len); -// i2d_X509_CRL marshals |crl| as a X.509 CertificateList (RFC 5280), as -// described in |i2d_SAMPLE|. +// i2d_X509_CRL marshals `crl` as a X.509 CertificateList (RFC 5280), as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_CRL(const X509_CRL *crl, uint8_t **outp); -// X509_CRL_match compares |a| and |b| and returns zero if they are equal, a -// negative number if |b| sorts after |a| and a negative number if |a| sorts -// after |b|. 
The sort order implemented by this function is arbitrary and does +// X509_CRL_match compares `a` and `b` and returns zero if they are equal, a +// negative number if `b` sorts after `a` and a negative number if `a` sorts +// after `b`. The sort order implemented by this function is arbitrary and does // not reflect properties of the CRL such as expiry. Applications should not // rely on the order itself. // // TODO(https://crbug.com/boringssl/355): This function works by comparing a // cached hash of the encoded CRL. This cached hash is computed when the CRL is // parsed, but not when mutating or issuing CRLs. This function should only be -// used with |X509_CRL| objects that were parsed from bytes and never mutated. +// used with `X509_CRL` objects that were parsed from bytes and never mutated. OPENSSL_EXPORT int X509_CRL_match(const X509_CRL *a, const X509_CRL *b); #define X509_CRL_VERSION_1 0 #define X509_CRL_VERSION_2 1 -// X509_CRL_get_version returns the numerical value of |crl|'s version, which -// will be one of the |X509_CRL_VERSION_*| constants. +// X509_CRL_get_version returns the numerical value of `crl`'s version, which +// will be one of the `X509_CRL_VERSION_*` constants. OPENSSL_EXPORT long X509_CRL_get_version(const X509_CRL *crl); -// X509_CRL_get0_lastUpdate returns |crl|'s thisUpdate time. The OpenSSL API +// X509_CRL_get0_lastUpdate returns `crl`'s thisUpdate time. The OpenSSL API // refers to this field as lastUpdate. OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); -// X509_CRL_get0_nextUpdate returns |crl|'s nextUpdate time, or NULL if |crl| +// X509_CRL_get0_nextUpdate returns `crl`'s nextUpdate time, or NULL if `crl` // has none. OPENSSL_EXPORT const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); -// X509_CRL_get_issuer returns |crl|'s issuer name. Note this function is not +// X509_CRL_get_issuer returns `crl`'s issuer name. Note this function is not // const-correct for legacy reasons. 
OPENSSL_EXPORT X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); -// X509_CRL_get0_by_serial finds the entry in |crl| whose serial number is -// |serial|. If found, it sets |*out| to the entry and returns one. If not +// X509_CRL_get0_by_serial finds the entry in `crl` whose serial number is +// `serial`. If found, it sets `*out` to the entry and returns one. If not // found, it returns zero. // -// On success, |*out| continues to be owned by |crl|. It is an error to free or -// otherwise modify |*out|. +// On success, `*out` continues to be owned by `crl`. It is an error to free or +// otherwise modify `*out`. // -// TODO(crbug.com/42290473): Ideally |crl| would be const. It is broadly -// thread-safe, but changes the order of entries in |crl|. It cannot be called -// concurrently with |i2d_X509_CRL|. +// TODO(crbug.com/42290473): Ideally `crl` would be const. It is broadly +// thread-safe, but changes the order of entries in `crl`. It cannot be called +// concurrently with `i2d_X509_CRL`. OPENSSL_EXPORT int X509_CRL_get0_by_serial(X509_CRL *crl, X509_REVOKED **out, const ASN1_INTEGER *serial); -// X509_CRL_get0_by_cert behaves like |X509_CRL_get0_by_serial|, except it looks -// for the entry that matches |x509|. +// X509_CRL_get0_by_cert behaves like `X509_CRL_get0_by_serial`, except it looks +// for the entry that matches `x509`. // -// TODO(crbug.com/42290473): Ideally |crl| would be const. It is broadly -// thread-safe, but changes the order of entries in |crl|. It cannot be called -// concurrently with |i2d_X509_CRL|. +// TODO(crbug.com/42290473): Ideally `crl` would be const. It is broadly +// thread-safe, but changes the order of entries in `crl`. It cannot be called +// concurrently with `i2d_X509_CRL`. OPENSSL_EXPORT int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **out, const X509 *x509); -// X509_CRL_get_REVOKED returns the list of revoked certificates in |crl|, or -// NULL if |crl| omits it. 
+// X509_CRL_get_REVOKED returns the list of revoked certificates in `crl`, or +// NULL if `crl` omits it. // // TODO(davidben): This function was originally a macro, without clear const // semantics. It should take a const input and give const output, but the latter // would break existing callers. For now, we match upstream. OPENSSL_EXPORT STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); -// X509_CRL_get0_extensions returns |crl|'s extension list, or NULL if |crl| +// X509_CRL_get0_extensions returns `crl`'s extension list, or NULL if `crl` // omits it. A CRL can have extensions on individual entries, which is -// |X509_REVOKED_get0_extensions|, or on the overall CRL, which is this +// `X509_REVOKED_get0_extensions`, or on the overall CRL, which is this // function. OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions( const X509_CRL *crl); -// X509_CRL_get_ext_count returns the number of extensions in |x|. +// X509_CRL_get_ext_count returns the number of extensions in `x`. OPENSSL_EXPORT int X509_CRL_get_ext_count(const X509_CRL *x); -// X509_CRL_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches for -// extensions in |x|. +// X509_CRL_get_ext_by_NID behaves like `X509v3_get_ext_by_NID` but searches for +// extensions in `x`. OPENSSL_EXPORT int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos); -// X509_CRL_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches for -// extensions in |x|. +// X509_CRL_get_ext_by_OBJ behaves like `X509v3_get_ext_by_OBJ` but searches for +// extensions in `x`. OPENSSL_EXPORT int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, int lastpos); -// X509_CRL_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| but -// searches for extensions in |x|. +// X509_CRL_get_ext_by_critical behaves like `X509v3_get_ext_by_critical` but +// searches for extensions in `x`. 
OPENSSL_EXPORT int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos); -// X509_CRL_get_ext returns the extension in |x| at index |loc|, or NULL if -// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL +// X509_CRL_get_ext returns the extension in `x` at index `loc`, or NULL if +// `loc` is out of bounds. This function returns a non-const pointer for OpenSSL // compatibility, but callers should not mutate the result. OPENSSL_EXPORT X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); -// X509_CRL_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the -// extension in |crl|'s extension list. +// X509_CRL_get_ext_d2i behaves like `X509V3_get_d2i` but looks for the +// extension in `crl`'s extension list. // // WARNING: This function is difficult to use correctly. See the documentation -// for |X509V3_get_d2i| for details. +// for `X509V3_get_d2i` for details. OPENSSL_EXPORT void *X509_CRL_get_ext_d2i(const X509_CRL *crl, int nid, int *out_critical, int *out_idx); -// X509_CRL_get0_signature sets |*out_sig| and |*out_alg| to the signature and -// signature algorithm of |crl|, respectively. Either output pointer may be NULL +// X509_CRL_get0_signature sets `*out_sig` and `*out_alg` to the signature and +// signature algorithm of `crl`, respectively. Either output pointer may be NULL // to ignore the value. // // This function outputs the outer signature algorithm, not the one in the 
@@ -810,124 +810,124 @@ OPENSSL_EXPORT void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **out_sig, const X509_ALGOR **out_alg); -// X509_CRL_get_signature_nid returns the NID corresponding to |crl|'s signature -// algorithm, or |NID_undef| if the signature algorithm does not correspond to +// X509_CRL_get_signature_nid returns the NID corresponding to `crl`'s signature +// algorithm, or `NID_undef` if the signature algorithm does not correspond to // a known NID. OPENSSL_EXPORT int X509_CRL_get_signature_nid(const X509_CRL *crl); -// i2d_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described in -// |i2d_SAMPLE|. +// i2d_X509_CRL_tbs serializes the TBSCertList portion of `crl`, as described in +// `i2d_SAMPLE`. // // This function preserves the original encoding of the TBSCertList and may not -// reflect modifications made to |crl|. It may be used to manually verify the -// signature of an existing CRL. To generate CRLs, use |i2d_re_X509_CRL_tbs| +// reflect modifications made to `crl`. It may be used to manually verify the +// signature of an existing CRL. To generate CRLs, use `i2d_re_X509_CRL_tbs` // instead. OPENSSL_EXPORT int i2d_X509_CRL_tbs(const X509_CRL *crl, unsigned char **outp); -// X509_CRL_verify checks that |crl| has a valid signature by |pkey|. It returns +// X509_CRL_verify checks that `crl` has a valid signature by `pkey`. It returns // one if the signature is valid and zero otherwise. OPENSSL_EXPORT int X509_CRL_verify(const X509_CRL *crl, EVP_PKEY *pkey); // Issuing certificate revocation lists. // -// An |X509_CRL| object may also represent an incomplete CRL. Callers may -// construct empty |X509_CRL| objects, fill in fields individually, and finally +// An `X509_CRL` object may also represent an incomplete CRL. Callers may +// construct empty `X509_CRL` objects, fill in fields individually, and finally // sign the result. The following functions may be used for this purpose. 
-// X509_CRL_new returns a newly-allocated, empty |X509_CRL| object, or NULL on +// X509_CRL_new returns a newly-allocated, empty `X509_CRL` object, or NULL on // error. This object may be filled in and then signed to construct a CRL. OPENSSL_EXPORT X509_CRL *X509_CRL_new(void); -// X509_CRL_set_version sets |crl|'s version to |version|, which should be one -// of the |X509_CRL_VERSION_*| constants. It returns one on success and zero on +// X509_CRL_set_version sets `crl`'s version to `version`, which should be one +// of the `X509_CRL_VERSION_*` constants. It returns one on success and zero on // error. // -// If unsure, use |X509_CRL_VERSION_2|. Note that, unlike certificates, CRL -// versions are only defined up to v2. Callers should not use |X509_VERSION_3|. +// If unsure, use `X509_CRL_VERSION_2`. Note that, unlike certificates, CRL +// versions are only defined up to v2. Callers should not use `X509_VERSION_3`. OPENSSL_EXPORT int X509_CRL_set_version(X509_CRL *crl, long version); -// X509_CRL_set_issuer_name sets |crl|'s issuer to a copy of |name|. It returns +// X509_CRL_set_issuer_name sets `crl`'s issuer to a copy of `name`. It returns // one on success and zero on error. OPENSSL_EXPORT int X509_CRL_set_issuer_name(X509_CRL *crl, const X509_NAME *name); -// X509_CRL_set1_lastUpdate sets |crl|'s thisUpdate time to |tm|. It returns one +// X509_CRL_set1_lastUpdate sets `crl`'s thisUpdate time to `tm`. It returns one // on success and zero on error. The OpenSSL API refers to this field as // lastUpdate. OPENSSL_EXPORT int X509_CRL_set1_lastUpdate(X509_CRL *crl, const ASN1_TIME *tm); -// X509_CRL_set1_nextUpdate sets |crl|'s nextUpdate time to |tm|. It returns one +// X509_CRL_set1_nextUpdate sets `crl`'s nextUpdate time to `tm`. It returns one // on success and zero on error. OPENSSL_EXPORT int X509_CRL_set1_nextUpdate(X509_CRL *crl, const ASN1_TIME *tm); -// X509_CRL_add0_revoked adds |rev| to |crl|. 
On success, it takes ownership of -// |rev| and returns one. On error, it returns zero. If this function fails, the -// caller retains ownership of |rev| and must release it when done. +// X509_CRL_add0_revoked adds `rev` to `crl`. On success, it takes ownership of +// `rev` and returns one. On error, it returns zero. If this function fails, the +// caller retains ownership of `rev` and must release it when done. OPENSSL_EXPORT int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); -// X509_CRL_sort sorts the entries in |crl| by serial number. It returns one on +// X509_CRL_sort sorts the entries in `crl` by serial number. It returns one on // success and zero on error. OPENSSL_EXPORT int X509_CRL_sort(X509_CRL *crl); -// X509_CRL_delete_ext removes the extension in |x| at index |loc| and returns -// the removed extension, or NULL if |loc| was out of bounds. If non-NULL, the -// caller must release the result with |X509_EXTENSION_free|. +// X509_CRL_delete_ext removes the extension in `x` at index `loc` and returns +// the removed extension, or NULL if `loc` was out of bounds. If non-NULL, the +// caller must release the result with `X509_EXTENSION_free`. OPENSSL_EXPORT X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); -// X509_CRL_add_ext adds a copy of |ex| to |x|. It returns one on success and -// zero on failure. The caller retains ownership of |ex| and can release it -// independently of |x|. +// X509_CRL_add_ext adds a copy of `ex` to `x`. It returns one on success and +// zero on failure. The caller retains ownership of `ex` and can release it +// independently of `x`. // -// The new extension is inserted at index |loc|, shifting extensions to the -// right. If |loc| is -1 or out of bounds, the new extension is appended to the +// The new extension is inserted at index `loc`, shifting extensions to the +// right. If `loc` is -1 or out of bounds, the new extension is appended to the // list. 
OPENSSL_EXPORT int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc); -// X509_CRL_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the extension -// to |x|'s extension list. +// X509_CRL_add1_ext_i2d behaves like `X509V3_add1_i2d` but adds the extension +// to `x`'s extension list. // // WARNING: This function may return zero or -1 on error. The caller must also -// ensure |value|'s type matches |nid|. See the documentation for -// |X509V3_add1_i2d| for details. +// ensure `value`'s type matches `nid`. See the documentation for +// `X509V3_add1_i2d` for details. OPENSSL_EXPORT int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, unsigned long flags); -// X509_CRL_sign signs |crl| with |pkey| and replaces the signature algorithm +// X509_CRL_sign signs `crl` with `pkey` and replaces the signature algorithm // and signature fields. It returns the length of the signature on success and -// zero on error. This function uses digest algorithm |md|, or |pkey|'s default -// if NULL. Other signing parameters use |pkey|'s defaults. To customize them, -// use |X509_CRL_sign_ctx|. +// zero on error. This function uses digest algorithm `md`, or `pkey`'s default +// if NULL. Other signing parameters use `pkey`'s defaults. To customize them, +// use `X509_CRL_sign_ctx`. OPENSSL_EXPORT int X509_CRL_sign(X509_CRL *crl, EVP_PKEY *pkey, const EVP_MD *md); -// X509_CRL_sign_ctx signs |crl| with |ctx| and replaces the signature algorithm +// X509_CRL_sign_ctx signs `crl` with `ctx` and replaces the signature algorithm // and signature fields. It returns the length of the signature on success and -// zero on error. The signature algorithm and parameters come from |ctx|, which -// must have been initialized with |EVP_DigestSignInit|. The caller should -// configure the corresponding |EVP_PKEY_CTX| before calling this function. +// zero on error. 
The signature algorithm and parameters come from `ctx`, which +// must have been initialized with `EVP_DigestSignInit`. The caller should +// configure the corresponding `EVP_PKEY_CTX` before calling this function. // -// On success or failure, this function mutates |ctx| and resets it to the empty +// On success or failure, this function mutates `ctx` and resets it to the empty // state. Caller should not rely on its contents after the function returns. OPENSSL_EXPORT int X509_CRL_sign_ctx(X509_CRL *crl, EVP_MD_CTX *ctx); -// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of |crl|, as described -// in |i2d_SAMPLE|. +// i2d_re_X509_CRL_tbs serializes the TBSCertList portion of `crl`, as described +// in `i2d_SAMPLE`. // -// This function re-encodes the TBSCertList and may not reflect |crl|'s original +// This function re-encodes the TBSCertList and may not reflect `crl`'s original // encoding. It may be used to manually generate a signature for a new CRL. To -// verify CRLs, use |i2d_X509_CRL_tbs| instead. +// verify CRLs, use `i2d_X509_CRL_tbs` instead. OPENSSL_EXPORT int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **outp); -// X509_CRL_set1_signature_algo sets |crl|'s signature algorithm to |algo| and +// X509_CRL_set1_signature_algo sets `crl`'s signature algorithm to `algo` and // returns one on success or zero on error. It updates both the signature field // of the TBSCertList structure, and the signatureAlgorithm field of the CRL. OPENSSL_EXPORT int X509_CRL_set1_signature_algo(X509_CRL *crl, const X509_ALGOR *algo); -// X509_CRL_set1_signature_value sets |crl|'s signature to a copy of the -// |sig_len| bytes pointed by |sig|. It returns one on success and zero on +// X509_CRL_set1_signature_value sets `crl`'s signature to a copy of the +// `sig_len` bytes pointed by `sig`. It returns one on success and zero on // error. // // Due to a specification error, X.509 CRLs store signatures in ASN.1 BIT 
@@ -942,116 +942,116 @@ OPENSSL_EXPORT int X509_CRL_set1_signature_value(X509_CRL *crl, // CRL entries. // -// Each entry of a CRL is represented as an |X509_REVOKED| object, which +// Each entry of a CRL is represented as an `X509_REVOKED` object, which // describes a revoked certificate by serial number. // -// When an |X509_REVOKED| is obtained from an |X509_CRL| object, it is an error -// to mutate the object. Doing so may break |X509_CRL|'s and cause the library +// When an `X509_REVOKED` is obtained from an `X509_CRL` object, it is an error +// to mutate the object. Doing so may break `X509_CRL`'s and cause the library // to behave incorrectly. -// X509_REVOKED_new returns a newly-allocated, empty |X509_REVOKED| object, or +// X509_REVOKED_new returns a newly-allocated, empty `X509_REVOKED` object, or // NULL on allocation error. OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_new(void); -// X509_REVOKED_free releases memory associated with |rev|. +// X509_REVOKED_free releases memory associated with `rev`. OPENSSL_EXPORT void X509_REVOKED_free(X509_REVOKED *rev); -// d2i_X509_REVOKED parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// CRL entry, as described in |d2i_SAMPLE|. +// d2i_X509_REVOKED parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// CRL entry, as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_REVOKED *d2i_X509_REVOKED(X509_REVOKED **out, const uint8_t **inp, long len); -// i2d_X509_REVOKED marshals |alg| as a DER-encoded X.509 CRL entry, as -// described in |i2d_SAMPLE|. +// i2d_X509_REVOKED marshals `alg` as a DER-encoded X.509 CRL entry, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_REVOKED(const X509_REVOKED *alg, uint8_t **outp); -// X509_REVOKED_dup returns a newly-allocated copy of |rev|, or NULL on error. -// This function works by serializing the structure, so if |rev| is incomplete, +// X509_REVOKED_dup returns a newly-allocated copy of `rev`, or NULL on error. 
+// This function works by serializing the structure, so if `rev` is incomplete, // it may fail. OPENSSL_EXPORT X509_REVOKED *X509_REVOKED_dup(const X509_REVOKED *rev); // X509_REVOKED_get0_serialNumber returns the serial number of the certificate -// revoked by |revoked|. +// revoked by `revoked`. OPENSSL_EXPORT const ASN1_INTEGER *X509_REVOKED_get0_serialNumber( const X509_REVOKED *revoked); -// X509_REVOKED_set_serialNumber sets |revoked|'s serial number to |serial|. It +// X509_REVOKED_set_serialNumber sets `revoked`'s serial number to `serial`. It // returns one on success or zero on error. OPENSSL_EXPORT int X509_REVOKED_set_serialNumber(X509_REVOKED *revoked, const ASN1_INTEGER *serial); // X509_REVOKED_get0_revocationDate returns the revocation time of the -// certificate revoked by |revoked|. +// certificate revoked by `revoked`. OPENSSL_EXPORT const ASN1_TIME *X509_REVOKED_get0_revocationDate( const X509_REVOKED *revoked); -// X509_REVOKED_set_revocationDate sets |revoked|'s revocation time to |tm|. It +// X509_REVOKED_set_revocationDate sets `revoked`'s revocation time to `tm`. It // returns one on success or zero on error. OPENSSL_EXPORT int X509_REVOKED_set_revocationDate(X509_REVOKED *revoked, const ASN1_TIME *tm); -// X509_REVOKED_get0_extensions returns |r|'s extensions list, or NULL if |r| +// X509_REVOKED_get0_extensions returns `r`'s extensions list, or NULL if `r` // omits it. A CRL can have extensions on individual entries, which is this -// function, or on the overall CRL, which is |X509_CRL_get0_extensions|. +// function, or on the overall CRL, which is `X509_CRL_get0_extensions`. OPENSSL_EXPORT const STACK_OF(X509_EXTENSION) *X509_REVOKED_get0_extensions( const X509_REVOKED *r); -// X509_REVOKED_get_ext_count returns the number of extensions in |x|. +// X509_REVOKED_get_ext_count returns the number of extensions in `x`. 
OPENSSL_EXPORT int X509_REVOKED_get_ext_count(const X509_REVOKED *x); -// X509_REVOKED_get_ext_by_NID behaves like |X509v3_get_ext_by_NID| but searches -// for extensions in |x|. +// X509_REVOKED_get_ext_by_NID behaves like `X509v3_get_ext_by_NID` but searches +// for extensions in `x`. OPENSSL_EXPORT int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos); -// X509_REVOKED_get_ext_by_OBJ behaves like |X509v3_get_ext_by_OBJ| but searches -// for extensions in |x|. +// X509_REVOKED_get_ext_by_OBJ behaves like `X509v3_get_ext_by_OBJ` but searches +// for extensions in `x`. OPENSSL_EXPORT int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, int lastpos); -// X509_REVOKED_get_ext_by_critical behaves like |X509v3_get_ext_by_critical| -// but searches for extensions in |x|. +// X509_REVOKED_get_ext_by_critical behaves like `X509v3_get_ext_by_critical` +// but searches for extensions in `x`. OPENSSL_EXPORT int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos); -// X509_REVOKED_get_ext returns the extension in |x| at index |loc|, or NULL if -// |loc| is out of bounds. This function returns a non-const pointer for OpenSSL +// X509_REVOKED_get_ext returns the extension in `x` at index `loc`, or NULL if +// `loc` is out of bounds. This function returns a non-const pointer for OpenSSL // compatibility, but callers should not mutate the result. OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc); -// X509_REVOKED_delete_ext removes the extension in |x| at index |loc| and -// returns the removed extension, or NULL if |loc| was out of bounds. If -// non-NULL, the caller must release the result with |X509_EXTENSION_free|. +// X509_REVOKED_delete_ext removes the extension in `x` at index `loc` and +// returns the removed extension, or NULL if `loc` was out of bounds. If +// non-NULL, the caller must release the result with `X509_EXTENSION_free`. 
OPENSSL_EXPORT X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc); -// X509_REVOKED_add_ext adds a copy of |ex| to |x|. It returns one on success -// and zero on failure. The caller retains ownership of |ex| and can release it -// independently of |x|. +// X509_REVOKED_add_ext adds a copy of `ex` to `x`. It returns one on success +// and zero on failure. The caller retains ownership of `ex` and can release it +// independently of `x`. // -// The new extension is inserted at index |loc|, shifting extensions to the -// right. If |loc| is -1 or out of bounds, the new extension is appended to the +// The new extension is inserted at index `loc`, shifting extensions to the +// right. If `loc` is -1 or out of bounds, the new extension is appended to the // list. OPENSSL_EXPORT int X509_REVOKED_add_ext(X509_REVOKED *x, const X509_EXTENSION *ex, int loc); -// X509_REVOKED_get_ext_d2i behaves like |X509V3_get_d2i| but looks for the -// extension in |revoked|'s extension list. +// X509_REVOKED_get_ext_d2i behaves like `X509V3_get_d2i` but looks for the +// extension in `revoked`'s extension list. // // WARNING: This function is difficult to use correctly. See the documentation -// for |X509V3_get_d2i| for details. +// for `X509V3_get_d2i` for details. OPENSSL_EXPORT void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *revoked, int nid, int *out_critical, int *out_idx); -// X509_REVOKED_add1_ext_i2d behaves like |X509V3_add1_i2d| but adds the -// extension to |x|'s extension list. +// X509_REVOKED_add1_ext_i2d behaves like `X509V3_add1_i2d` but adds the +// extension to `x`'s extension list. // // WARNING: This function may return zero or -1 on error. The caller must also -// ensure |value|'s type matches |nid|. See the documentation for -// |X509V3_add1_i2d| for details. +// ensure `value`'s type matches `nid`. See the documentation for +// `X509V3_add1_i2d` for details. 
OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, unsigned long flags); 
@@ -1059,245 +1059,245 @@ OPENSSL_EXPORT int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, // Certificate requests. // -// An |X509_REQ| represents a PKCS #10 certificate request (RFC 2986). These are +// An `X509_REQ` represents a PKCS #10 certificate request (RFC 2986). These are // also referred to as certificate signing requests or CSRs. CSRs are a common // format used to request a certificate from a CA. // -// Although an |X509_REQ| is a mutable object, mutating an |X509_REQ| can give -// incorrect results. Callers typically obtain |X509_REQ|s by parsing some input -// with |d2i_X509_REQ|, etc. Such objects carry information such as the +// Although an `X509_REQ` is a mutable object, mutating an `X509_REQ` can give +// incorrect results. Callers typically obtain `X509_REQ`s by parsing some input +// with `d2i_X509_REQ`, etc. Such objects carry information such as the // serialized CertificationRequestInfo, which will become inconsistent when // mutated. // // Instead, mutation functions should only be used when issuing new CRLs, as // described in a later section. -// X509_REQ_dup returns a newly-allocated copy of |req|, or NULL on error. This -// function works by serializing the structure, so if |req| is incomplete, it +// X509_REQ_dup returns a newly-allocated copy of `req`, or NULL on error. This +// function works by serializing the structure, so if `req` is incomplete, it // may fail. OPENSSL_EXPORT X509_REQ *X509_REQ_dup(const X509_REQ *req); -// X509_REQ_free releases memory associated with |req|. +// X509_REQ_free releases memory associated with `req`. OPENSSL_EXPORT void X509_REQ_free(X509_REQ *req); -// d2i_X509_REQ parses up to |len| bytes from |*inp| as a DER-encoded -// CertificateRequest (RFC 2986), as described in |d2i_SAMPLE|. +// d2i_X509_REQ parses up to `len` bytes from `*inp` as a DER-encoded +// CertificateRequest (RFC 2986), as described in `d2i_SAMPLE`. 
OPENSSL_EXPORT X509_REQ *d2i_X509_REQ(X509_REQ **out, const uint8_t **inp, long len); -// i2d_X509_REQ marshals |req| as a CertificateRequest (RFC 2986), as described -// in |i2d_SAMPLE|. +// i2d_X509_REQ marshals `req` as a CertificateRequest (RFC 2986), as described +// in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_REQ(const X509_REQ *req, uint8_t **outp); -// X509_REQ_VERSION_1 is the version constant for |X509_REQ| objects. No other +// X509_REQ_VERSION_1 is the version constant for `X509_REQ` objects. No other // versions are defined. #define X509_REQ_VERSION_1 0 -// X509_REQ_get_version returns the numerical value of |req|'s version. This -// will always be |X509_REQ_VERSION_1| for valid CSRs. For compatibility, -// |d2i_X509_REQ| also accepts some invalid version numbers, in which case this +// X509_REQ_get_version returns the numerical value of `req`'s version. This +// will always be `X509_REQ_VERSION_1` for valid CSRs. For compatibility, +// `d2i_X509_REQ` also accepts some invalid version numbers, in which case this // function may return other values. OPENSSL_EXPORT long X509_REQ_get_version(const X509_REQ *req); -// X509_REQ_get_subject_name returns |req|'s subject name. Note this function is +// X509_REQ_get_subject_name returns `req`'s subject name. Note this function is // not const-correct for legacy reasons. OPENSSL_EXPORT X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req); -// X509_REQ_get0_pubkey returns |req|'s public key as an |EVP_PKEY|, or NULL if -// the public key was unsupported or could not be decoded. The |EVP_PKEY| is -// cached in |req|, so callers must not mutate the result. +// X509_REQ_get0_pubkey returns `req`'s public key as an `EVP_PKEY`, or NULL if +// the public key was unsupported or could not be decoded. The `EVP_PKEY` is +// cached in `req`, so callers must not mutate the result. 
OPENSSL_EXPORT EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req); -// X509_REQ_get_pubkey behaves like |X509_REQ_get0_pubkey| but increments the -// reference count on the |EVP_PKEY|. The caller must release the result with -// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |req|, so callers must +// X509_REQ_get_pubkey behaves like `X509_REQ_get0_pubkey` but increments the +// reference count on the `EVP_PKEY`. The caller must release the result with +// `EVP_PKEY_free` when done. The `EVP_PKEY` is cached in `req`, so callers must // not mutate the result. OPENSSL_EXPORT EVP_PKEY *X509_REQ_get_pubkey(const X509_REQ *req); -// X509_REQ_check_private_key returns one if |req|'s public key matches |pkey| +// X509_REQ_check_private_key returns one if `req`'s public key matches `pkey` // and zero otherwise. OPENSSL_EXPORT int X509_REQ_check_private_key(const X509_REQ *req, const EVP_PKEY *pkey); -// X509_REQ_get_attr_count returns the number of attributes in |req|. +// X509_REQ_get_attr_count returns the number of attributes in `req`. OPENSSL_EXPORT int X509_REQ_get_attr_count(const X509_REQ *req); -// X509_REQ_get_attr returns the attribute at index |loc| in |req|, or NULL if +// X509_REQ_get_attr returns the attribute at index `loc` in `req`, or NULL if // out of bounds. OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); -// X509_REQ_get_attr_by_NID returns the index of the attribute in |req| of type -// |nid|, or a negative number if not found. If found, callers can use -// |X509_REQ_get_attr| to look up the attribute by index. +// X509_REQ_get_attr_by_NID returns the index of the attribute in `req` of type +// `nid`, or a negative number if not found. If found, callers can use +// `X509_REQ_get_attr` to look up the attribute by index. // -// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers +// If `lastpos` is non-negative, it begins searching at `lastpos` + 1. 
Callers // can thus loop over all matching attributes by first passing -1 and then // passing the previously-returned value until no match is returned. OPENSSL_EXPORT int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos); -// X509_REQ_get_attr_by_OBJ behaves like |X509_REQ_get_attr_by_NID| but looks -// for attributes of type |obj|. +// X509_REQ_get_attr_by_OBJ behaves like `X509_REQ_get_attr_by_NID` but looks +// for attributes of type `obj`. OPENSSL_EXPORT int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, int lastpos); -// X509_REQ_extension_nid returns one if |nid| is a supported CSR attribute type +// X509_REQ_extension_nid returns one if `nid` is a supported CSR attribute type // for carrying extensions and zero otherwise. The supported types are -// |NID_ext_req| (pkcs-9-at-extensionRequest from RFC 2985) and |NID_ms_ext_req| +// `NID_ext_req` (pkcs-9-at-extensionRequest from RFC 2985) and `NID_ms_ext_req` // (a Microsoft szOID_CERT_EXTENSIONS variant). OPENSSL_EXPORT int X509_REQ_extension_nid(int nid); // X509_REQ_get_extensions decodes the most preferred list of requested -// extensions in |req| and returns a newly-allocated |STACK_OF(X509_EXTENSION)| -// containing the result. It returns NULL on error, or if |req| did not request +// extensions in `req` and returns a newly-allocated `STACK_OF(X509_EXTENSION)` +// containing the result. It returns NULL on error, or if `req` did not request // extensions. // // CSRs do not store extensions directly. Instead there are attribute types -// which are defined to hold extensions. See |X509_REQ_extension_nid|. This +// which are defined to hold extensions. See `X509_REQ_extension_nid`. This // function supports both pkcs-9-at-extensionRequest from RFC 2985 and the // Microsoft szOID_CERT_EXTENSIONS variant. If both are present, // pkcs-9-at-extensionRequest is preferred. 
OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions( const X509_REQ *req); -// X509_REQ_get0_signature sets |*out_sig| and |*out_alg| to the signature and -// signature algorithm of |req|, respectively. Either output pointer may be NULL +// X509_REQ_get0_signature sets `*out_sig` and `*out_alg` to the signature and +// signature algorithm of `req`, respectively. Either output pointer may be NULL // to ignore the value. OPENSSL_EXPORT void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **out_sig, const X509_ALGOR **out_alg); -// X509_REQ_get_signature_nid returns the NID corresponding to |req|'s signature -// algorithm, or |NID_undef| if the signature algorithm does not correspond to +// X509_REQ_get_signature_nid returns the NID corresponding to `req`'s signature +// algorithm, or `NID_undef` if the signature algorithm does not correspond to // a known NID. OPENSSL_EXPORT int X509_REQ_get_signature_nid(const X509_REQ *req); -// X509_REQ_verify checks that |req| has a valid signature by |pkey|. It returns +// X509_REQ_verify checks that `req` has a valid signature by `pkey`. It returns // one if the signature is valid and zero otherwise. OPENSSL_EXPORT int X509_REQ_verify(const X509_REQ *req, EVP_PKEY *pkey); // X509_REQ_get1_email returns a newly-allocated list of NUL-terminated strings -// containing all email addresses in |req|'s subject and all rfc822name names -// in |req|'s subject alternative names. The subject alternative names extension -// is extracted from the result of |X509_REQ_get_extensions|. Email addresses +// containing all email addresses in `req`'s subject and all rfc822name names +// in `req`'s subject alternative names. The subject alternative names extension +// is extracted from the result of `X509_REQ_get_extensions`. Email addresses // which contain embedded NUL bytes are skipped. The results are returned in an // arbitrary order. // // On error, or if there are no such email addresses, it returns NULL. 
When -// done, the caller must release the result with |X509_email_free|. +// done, the caller must release the result with `X509_email_free`. OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email( const X509_REQ *req); // Issuing certificate requests. // -// An |X509_REQ| object may also represent an incomplete CSR. Callers may -// construct empty |X509_REQ| objects, fill in fields individually, and finally +// An `X509_REQ` object may also represent an incomplete CSR. Callers may +// construct empty `X509_REQ` objects, fill in fields individually, and finally // sign the result. The following functions may be used for this purpose. -// X509_REQ_new returns a newly-allocated, empty |X509_REQ| object, or NULL on +// X509_REQ_new returns a newly-allocated, empty `X509_REQ` object, or NULL on // error. This object may be filled in and then signed to construct a CSR. OPENSSL_EXPORT X509_REQ *X509_REQ_new(void); -// X509_REQ_set_version sets |req|'s version to |version|, which should be -// |X509_REQ_VERSION_1|. It returns one on success and zero on error. +// X509_REQ_set_version sets `req`'s version to `version`, which should be +// `X509_REQ_VERSION_1`. It returns one on success and zero on error. // -// The only defined CSR version is |X509_REQ_VERSION_1|, so there is no need to +// The only defined CSR version is `X509_REQ_VERSION_1`, so there is no need to // call this function. OPENSSL_EXPORT int X509_REQ_set_version(X509_REQ *req, long version); -// X509_REQ_set_subject_name sets |req|'s subject to a copy of |name|. It +// X509_REQ_set_subject_name sets `req`'s subject to a copy of `name`. It // returns one on success and zero on error. OPENSSL_EXPORT int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); -// X509_REQ_set_pubkey sets |req|'s public key to |pkey|. It returns one on -// success and zero on error. This function does not take ownership of |pkey| +// X509_REQ_set_pubkey sets `req`'s public key to `pkey`. 
It returns one on +// success and zero on error. This function does not take ownership of `pkey` // and internally copies and updates reference counts as needed. OPENSSL_EXPORT int X509_REQ_set_pubkey(X509_REQ *req, EVP_PKEY *pkey); -// X509_REQ_delete_attr removes the attribute at index |loc| in |req|. It -// returns the removed attribute to the caller, or NULL if |loc| was out of +// X509_REQ_delete_attr removes the attribute at index `loc` in `req`. It +// returns the removed attribute to the caller, or NULL if `loc` was out of // bounds. If non-NULL, the caller must release the result with -// |X509_ATTRIBUTE_free| when done. It is also safe, but not necessary, to call -// |X509_ATTRIBUTE_free| if the result is NULL. +// `X509_ATTRIBUTE_free` when done. It is also safe, but not necessary, to call +// `X509_ATTRIBUTE_free` if the result is NULL. OPENSSL_EXPORT X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); -// X509_REQ_add1_attr appends a copy of |attr| to |req|'s list of attributes. It +// X509_REQ_add1_attr appends a copy of `attr` to `req`'s list of attributes. It // returns one on success and zero on error. OPENSSL_EXPORT int X509_REQ_add1_attr(X509_REQ *req, const X509_ATTRIBUTE *attr); -// X509_REQ_add1_attr_by_OBJ appends a new attribute to |req| with type |obj|. +// X509_REQ_add1_attr_by_OBJ appends a new attribute to `req` with type `obj`. // It returns one on success and zero on error. The value is determined by -// |X509_ATTRIBUTE_set1_data|. +// `X509_ATTRIBUTE_set1_data`. // -// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and -// error-prone. See |X509_ATTRIBUTE_set1_data| for details. +// WARNING: The interpretation of `attrtype`, `data`, and `len` is complex and +// error-prone. See `X509_ATTRIBUTE_set1_data` for details. 
OPENSSL_EXPORT int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int attrtype, const unsigned char *data, int len); -// X509_REQ_add1_attr_by_NID behaves like |X509_REQ_add1_attr_by_OBJ| except the -// attribute type is determined by |nid|. +// X509_REQ_add1_attr_by_NID behaves like `X509_REQ_add1_attr_by_OBJ` except the +// attribute type is determined by `nid`. OPENSSL_EXPORT int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int attrtype, const unsigned char *data, int len); -// X509_REQ_add1_attr_by_txt behaves like |X509_REQ_add1_attr_by_OBJ| except the -// attribute type is determined by calling |OBJ_txt2obj| with |attrname|. +// X509_REQ_add1_attr_by_txt behaves like `X509_REQ_add1_attr_by_OBJ` except the +// attribute type is determined by calling `OBJ_txt2obj` with `attrname`. OPENSSL_EXPORT int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int attrtype, const unsigned char *data, int len); -// X509_REQ_add_extensions_nid adds an attribute to |req| of type |nid|, to -// request the certificate extensions in |exts|. It returns one on success and -// zero on error. |nid| should be |NID_ext_req| or |NID_ms_ext_req|. +// X509_REQ_add_extensions_nid adds an attribute to `req` of type `nid`, to +// request the certificate extensions in `exts`. It returns one on success and +// zero on error. `nid` should be `NID_ext_req` or `NID_ms_ext_req`. OPENSSL_EXPORT int X509_REQ_add_extensions_nid( X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts, int nid); -// X509_REQ_add_extensions behaves like |X509_REQ_add_extensions_nid|, using the -// standard |NID_ext_req| for the attribute type. +// X509_REQ_add_extensions behaves like `X509_REQ_add_extensions_nid`, using the +// standard `NID_ext_req` for the attribute type. 
OPENSSL_EXPORT int X509_REQ_add_extensions( X509_REQ *req, const STACK_OF(X509_EXTENSION) *exts); -// X509_REQ_sign signs |req| with |pkey| and replaces the signature algorithm +// X509_REQ_sign signs `req` with `pkey` and replaces the signature algorithm // and signature fields. It returns the length of the signature on success and -// zero on error. This function uses digest algorithm |md|, or |pkey|'s default -// if NULL. Other signing parameters use |pkey|'s defaults. To customize them, -// use |X509_REQ_sign_ctx|. +// zero on error. This function uses digest algorithm `md`, or `pkey`'s default +// if NULL. Other signing parameters use `pkey`'s defaults. To customize them, +// use `X509_REQ_sign_ctx`. OPENSSL_EXPORT int X509_REQ_sign(X509_REQ *req, EVP_PKEY *pkey, const EVP_MD *md); -// X509_REQ_sign_ctx signs |req| with |ctx| and replaces the signature algorithm +// X509_REQ_sign_ctx signs `req` with `ctx` and replaces the signature algorithm // and signature fields. It returns the length of the signature on success and -// zero on error. The signature algorithm and parameters come from |ctx|, which -// must have been initialized with |EVP_DigestSignInit|. The caller should -// configure the corresponding |EVP_PKEY_CTX| before calling this function. +// zero on error. The signature algorithm and parameters come from `ctx`, which +// must have been initialized with `EVP_DigestSignInit`. The caller should +// configure the corresponding `EVP_PKEY_CTX` before calling this function. // -// On success or failure, this function mutates |ctx| and resets it to the empty +// On success or failure, this function mutates `ctx` and resets it to the empty // state. Caller should not rely on its contents after the function returns. OPENSSL_EXPORT int X509_REQ_sign_ctx(X509_REQ *req, EVP_MD_CTX *ctx); // i2d_re_X509_REQ_tbs serializes the CertificationRequestInfo (see RFC 2986) -// portion of |req|, as described in |i2d_SAMPLE|. 
+// portion of `req`, as described in `i2d_SAMPLE`. // // This function re-encodes the CertificationRequestInfo and may not reflect -// |req|'s original encoding. It may be used to manually generate a signature +// `req`'s original encoding. It may be used to manually generate a signature // for a new certificate request. OPENSSL_EXPORT int i2d_re_X509_REQ_tbs(X509_REQ *req, uint8_t **outp); -// X509_REQ_set1_signature_algo sets |req|'s signature algorithm to |algo| and +// X509_REQ_set1_signature_algo sets `req`'s signature algorithm to `algo` and // returns one on success or zero on error. OPENSSL_EXPORT int X509_REQ_set1_signature_algo(X509_REQ *req, const X509_ALGOR *algo); -// X509_REQ_set1_signature_value sets |req|'s signature to a copy of the -// |sig_len| bytes pointed by |sig|. It returns one on success and zero on +// X509_REQ_set1_signature_value sets `req`'s signature to a copy of the +// `sig_len` bytes pointed by `sig`. It returns one on success and zero on // error. // // Due to a specification error, PKCS#10 certificate requests store signatures @@ -1312,7 +1312,7 @@ OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req, // Names. // -// An |X509_NAME| represents an X.509 Name structure (RFC 5280). X.509 names are +// An `X509_NAME` represents an X.509 Name structure (RFC 5280). X.509 names are // a complex, hierarchical structure over a collection of attributes. Each name // is sequence of relative distinguished names (RDNs), decreasing in // specificity. For example, the first RDN may specify the country, while the 
@@ -1322,10 +1322,10 @@ OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req,
 // OBJECT IDENTIFIERs. This determines the ASN.1 type of the value, which is
 // commonly a string but may be other types.
 //
-// The |X509_NAME| representation flattens this two-level structure into a
-// single list of attributes. Each attribute is stored in an |X509_NAME_ENTRY|,
+// The `X509_NAME` representation flattens this two-level structure into a
+// single list of attributes. Each attribute is stored in an `X509_NAME_ENTRY`,
 // with also maintains the index of the RDN it is part of, accessible via
-// |X509_NAME_ENTRY_set|. This can be used to recover the two-level structure.
+// `X509_NAME_ENTRY_set`. This can be used to recover the two-level structure.
 //
 // X.509 names are largely vestigial. Historically, DNS names were parsed out of
 // the subject's common name attribute, but this is deprecated and has since
@@ -1335,30 +1335,30 @@ OPENSSL_EXPORT int X509_REQ_set1_signature_value(X509_REQ *req, DEFINE_STACK_OF(X509_NAME_ENTRY) DEFINE_STACK_OF(X509_NAME) -// X509_NAME is an |ASN1_ITEM| whose ASN.1 type is X.509 Name (RFC 5280) and C -// type is |X509_NAME*|. +// X509_NAME is an `ASN1_ITEM` whose ASN.1 type is X.509 Name (RFC 5280) and C +// type is `X509_NAME*`. DECLARE_ASN1_ITEM(X509_NAME) -// X509_NAME_new returns a new, empty |X509_NAME|, or NULL on error. +// X509_NAME_new returns a new, empty `X509_NAME`, or NULL on error. OPENSSL_EXPORT X509_NAME *X509_NAME_new(void); -// X509_NAME_free releases memory associated with |name|. +// X509_NAME_free releases memory associated with `name`. OPENSSL_EXPORT void X509_NAME_free(X509_NAME *name); -// d2i_X509_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// Name (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_X509_NAME parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// Name (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_NAME *d2i_X509_NAME(X509_NAME **out, const uint8_t **inp, long len); -// i2d_X509_NAME marshals |in| as a DER-encoded X.509 Name (RFC 5280), as -// described in |i2d_SAMPLE|. +// i2d_X509_NAME marshals `in` as a DER-encoded X.509 Name (RFC 5280), as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_NAME(const X509_NAME *in, uint8_t **outp); -// X509_NAME_dup returns a newly-allocated copy of |name|, or NULL on error. +// X509_NAME_dup returns a newly-allocated copy of `name`, or NULL on error. OPENSSL_EXPORT X509_NAME *X509_NAME_dup(const X509_NAME *name); -// X509_NAME_cmp compares |a| and |b|'s canonicalized forms. It returns zero if -// they are equal, one if |a| sorts after |b|, -1 if |b| sorts after |a|, and -2 +// X509_NAME_cmp compares `a` and `b`'s canonicalized forms. It returns zero if +// they are equal, one if `a` sorts after `b`, -1 if `b` sorts after `a`, and -2 // on error. 
// // TODO(https://crbug.com/boringssl/355): The -2 return is very inconvenient to 
@@ -1367,173 +1367,173 @@ OPENSSL_EXPORT X509_NAME *X509_NAME_dup(const X509_NAME *name); // Although even the library itself passes this to a sorting function. OPENSSL_EXPORT int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b); -// X509_NAME_get0_der marshals |name| as a DER-encoded X.509 Name (RFC 5280). On -// success, it returns one and sets |*out_der| and |*out_der_len| to a buffer -// containing the result. Otherwise, it returns zero. |*out_der| is owned by -// |name| and must not be freed by the caller. It is invalidated after |name| is +// X509_NAME_get0_der marshals `name` as a DER-encoded X.509 Name (RFC 5280). On +// success, it returns one and sets `*out_der` and `*out_der_len` to a buffer +// containing the result. Otherwise, it returns zero. `*out_der` is owned by +// `name` and must not be freed by the caller. It is invalidated after `name` is // mutated or freed. OPENSSL_EXPORT int X509_NAME_get0_der(const X509_NAME *name, const uint8_t **out_der, size_t *out_der_len); -// X509_NAME_set makes a copy of |name|. On success, it frees |*xn|, sets |*xn| +// X509_NAME_set makes a copy of `name`. On success, it frees `*xn`, sets `*xn` // to the copy, and returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_NAME_set(X509_NAME **xn, const X509_NAME *name); -// X509_NAME_entry_count returns the number of entries in |name|. +// X509_NAME_entry_count returns the number of entries in `name`. OPENSSL_EXPORT int X509_NAME_entry_count(const X509_NAME *name); // X509_NAME_get_index_by_NID returns the zero-based index of the first -// attribute in |name| with type |nid|, or -1 if there is none. |nid| should be -// one of the |NID_*| constants. If |lastpos| is non-negative, it begins -// searching at |lastpos+1|. To search all attributes, pass in -1, not zero. +// attribute in `name` with type `nid`, or -1 if there is none. `nid` should be +// one of the `NID_*` constants. If `lastpos` is non-negative, it begins +// searching at `lastpos+1`. 
To search all attributes, pass in -1, not zero. // -// Indices from this function refer to |X509_NAME|'s flattened representation. +// Indices from this function refer to `X509_NAME`'s flattened representation. OPENSSL_EXPORT int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos); -// X509_NAME_get_index_by_OBJ behaves like |X509_NAME_get_index_by_NID| but -// looks for attributes with type |obj|. +// X509_NAME_get_index_by_OBJ behaves like `X509_NAME_get_index_by_NID` but +// looks for attributes with type `obj`. OPENSSL_EXPORT int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, int lastpos); -// X509_NAME_get_entry returns the attribute in |name| at index |loc|, or NULL -// if |loc| is out of range. |loc| is interpreted using |X509_NAME|'s flattened +// X509_NAME_get_entry returns the attribute in `name` at index `loc`, or NULL +// if `loc` is out of range. `loc` is interpreted using `X509_NAME`'s flattened // representation. This function returns a non-const pointer for OpenSSL // compatibility, but callers should not mutate the result. Doing so will break // internal invariants in the library. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc); -// X509_NAME_delete_entry removes and returns the attribute in |name| at index -// |loc|, or NULL if |loc| is out of range. |loc| is interpreted using -// |X509_NAME|'s flattened representation. If the attribute is found, the caller -// is responsible for releasing the result with |X509_NAME_ENTRY_free|. +// X509_NAME_delete_entry removes and returns the attribute in `name` at index +// `loc`, or NULL if `loc` is out of range. `loc` is interpreted using +// `X509_NAME`'s flattened representation. If the attribute is found, the caller +// is responsible for releasing the result with `X509_NAME_ENTRY_free`. 
// -// This function will internally update RDN indices (see |X509_NAME_ENTRY_set|) +// This function will internally update RDN indices (see `X509_NAME_ENTRY_set`) // so they continue to be consecutive. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); -// X509_NAME_add_entry adds a copy of |entry| to |name| and returns one on -// success or zero on error. If |loc| is -1, the entry is appended to |name|. -// Otherwise, it is inserted at index |loc|. If |set| is -1, the entry is added +// X509_NAME_add_entry adds a copy of `entry` to `name` and returns one on +// success or zero on error. If `loc` is -1, the entry is appended to `name`. +// Otherwise, it is inserted at index `loc`. If `set` is -1, the entry is added // to the previous entry's RDN. If it is 0, the entry becomes a singleton RDN. // If 1, it is added to next entry's RDN. // -// This function will internally update RDN indices (see |X509_NAME_ENTRY_set|) +// This function will internally update RDN indices (see `X509_NAME_ENTRY_set`) // so they continue to be consecutive. OPENSSL_EXPORT int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *entry, int loc, int set); -// X509_NAME_add_entry_by_OBJ adds a new entry to |name| and returns one on -// success or zero on error. The entry's attribute type is |obj|. The entry's -// attribute value is determined by |type|, |bytes|, and |len|, as in -// |X509_NAME_ENTRY_set_data|. The entry's position is determined by |loc| and -// |set| as in |X509_NAME_add_entry|. +// X509_NAME_add_entry_by_OBJ adds a new entry to `name` and returns one on +// success or zero on error. The entry's attribute type is `obj`. The entry's +// attribute value is determined by `type`, `bytes`, and `len`, as in +// `X509_NAME_ENTRY_set_data`. The entry's position is determined by `loc` and +// `set` as in `X509_NAME_add_entry`. 
OPENSSL_EXPORT int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, const uint8_t *bytes, ossl_ssize_t len, int loc, int set); -// X509_NAME_add_entry_by_NID behaves like |X509_NAME_add_entry_by_OBJ| but sets -// the entry's attribute type to |nid|, which should be one of the |NID_*| +// X509_NAME_add_entry_by_NID behaves like `X509_NAME_add_entry_by_OBJ` but sets +// the entry's attribute type to `nid`, which should be one of the `NID_*` // constants. OPENSSL_EXPORT int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, const uint8_t *bytes, ossl_ssize_t len, int loc, int set); -// X509_NAME_add_entry_by_txt behaves like |X509_NAME_add_entry_by_OBJ| but sets -// the entry's attribute type to |field|, which is passed to |OBJ_txt2obj|. +// X509_NAME_add_entry_by_txt behaves like `X509_NAME_add_entry_by_OBJ` but sets +// the entry's attribute type to `field`, which is passed to `OBJ_txt2obj`. OPENSSL_EXPORT int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const uint8_t *bytes, ossl_ssize_t len, int loc, int set); -// X509_NAME_ENTRY_new returns a new, empty |X509_NAME_ENTRY|, or NULL on error. +// X509_NAME_ENTRY_new returns a new, empty `X509_NAME_ENTRY`, or NULL on error. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_new(void); -// X509_NAME_ENTRY_free releases memory associated with |entry|. +// X509_NAME_ENTRY_free releases memory associated with `entry`. OPENSSL_EXPORT void X509_NAME_ENTRY_free(X509_NAME_ENTRY *entry); -// X509_NAME_ENTRY_dup returns a newly-allocated copy of |entry|, or NULL on +// X509_NAME_ENTRY_dup returns a newly-allocated copy of `entry`, or NULL on // error. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_dup( const X509_NAME_ENTRY *entry); -// X509_NAME_ENTRY_get_object returns |entry|'s attribute type. This function +// X509_NAME_ENTRY_get_object returns `entry`'s attribute type. 
This function // returns a non-const pointer for OpenSSL compatibility, but callers should not // mutate the result. Doing so will break internal invariants in the library. OPENSSL_EXPORT ASN1_OBJECT *X509_NAME_ENTRY_get_object( const X509_NAME_ENTRY *entry); -// X509_NAME_ENTRY_set_object sets |entry|'s attribute type to |obj|. It returns +// X509_NAME_ENTRY_set_object sets `entry`'s attribute type to `obj`. It returns // one on success and zero on error. OPENSSL_EXPORT int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *entry, const ASN1_OBJECT *obj); -// X509_NAME_ENTRY_get_data returns |entry|'s attribute value, represented as an -// |ASN1_STRING|. This value may have any ASN.1 type, so callers must check the +// X509_NAME_ENTRY_get_data returns `entry`'s attribute value, represented as an +// `ASN1_STRING`. This value may have any ASN.1 type, so callers must check the // type before interpreting the contents. This function returns a non-const // pointer for OpenSSL compatibility, but callers should not mutate the result. // Doing so will break internal invariants in the library. // -// See |ASN1_STRING| for how values are represented in this library. Where a -// specific |ASN1_STRING| representation exists, that representation is used. -// Otherwise, the |V_ASN1_OTHER| representation is used. Note that NULL, OBJECT -// IDENTIFIER, and BOOLEAN attribute values are represented as |V_ASN1_OTHER|, +// See `ASN1_STRING` for how values are represented in this library. Where a +// specific `ASN1_STRING` representation exists, that representation is used. +// Otherwise, the `V_ASN1_OTHER` representation is used. Note that NULL, OBJECT +// IDENTIFIER, and BOOLEAN attribute values are represented as `V_ASN1_OTHER`, // because their usual representation in this library is not -// |ASN1_STRING|-compatible. +// `ASN1_STRING`-compatible. 
OPENSSL_EXPORT ASN1_STRING *X509_NAME_ENTRY_get_data( const X509_NAME_ENTRY *entry); -// X509_NAME_ENTRY_set_data sets |entry|'s value to |len| bytes from |bytes|. It -// returns one on success and zero on error. If |len| is -1, |bytes| must be a -// NUL-terminated C string and the length is determined by |strlen|. |bytes| is +// X509_NAME_ENTRY_set_data sets `entry`'s value to `len` bytes from `bytes`. It +// returns one on success and zero on error. If `len` is -1, `bytes` must be a +// NUL-terminated C string and the length is determined by `strlen`. `bytes` is // converted to an ASN.1 type as follows: // -// If |type| is a |MBSTRING_*| constant, the value is an ASN.1 string. The -// string is determined by decoding |bytes| in the encoding specified by |type|, -// and then re-encoding it in a form appropriate for |entry|'s attribute type. -// See |ASN1_STRING_set_by_NID| for details. +// If `type` is a `MBSTRING_*` constant, the value is an ASN.1 string. The +// string is determined by decoding `bytes` in the encoding specified by `type`, +// and then re-encoding it in a form appropriate for `entry`'s attribute type. +// See `ASN1_STRING_set_by_NID` for details. // -// Otherwise, the value is an |ASN1_STRING| with type |type| and value |bytes|. -// See |ASN1_STRING| for how to format ASN.1 types as an |ASN1_STRING|. If -// |type| is |V_ASN1_UNDEF| the previous |ASN1_STRING| type is reused. +// Otherwise, the value is an `ASN1_STRING` with type `type` and value `bytes`. +// See `ASN1_STRING` for how to format ASN.1 types as an `ASN1_STRING`. If +// `type` is `V_ASN1_UNDEF` the previous `ASN1_STRING` type is reused. OPENSSL_EXPORT int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *entry, int type, const uint8_t *bytes, ossl_ssize_t len); // X509_NAME_ENTRY_set returns the zero-based index of the RDN which contains -// |entry|. Consecutive entries with the same index are part of the same RDN. +// `entry`. Consecutive entries with the same index are part of the same RDN. 
OPENSSL_EXPORT int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *entry); -// X509_NAME_ENTRY_create_by_OBJ creates a new |X509_NAME_ENTRY| with attribute -// type |obj|. The attribute value is determined from |type|, |bytes|, and |len| -// as in |X509_NAME_ENTRY_set_data|. It returns the |X509_NAME_ENTRY| on success +// X509_NAME_ENTRY_create_by_OBJ creates a new `X509_NAME_ENTRY` with attribute +// type `obj`. The attribute value is determined from `type`, `bytes`, and `len` +// as in `X509_NAME_ENTRY_set_data`. It returns the `X509_NAME_ENTRY` on success // and NULL on error. // -// If |out| is non-NULL and |*out| is NULL, it additionally sets |*out| to the -// result on success. If both |out| and |*out| are non-NULL, it updates the -// object at |*out| instead of allocating a new one. +// If `out` is non-NULL and `*out` is NULL, it additionally sets `*out` to the +// result on success. If both `out` and `*out` are non-NULL, it updates the +// object at `*out` instead of allocating a new one. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ( X509_NAME_ENTRY **out, const ASN1_OBJECT *obj, int type, const uint8_t *bytes, ossl_ssize_t len); -// X509_NAME_ENTRY_create_by_NID behaves like |X509_NAME_ENTRY_create_by_OBJ| -// except the attribute type is |nid|, which should be one of the |NID_*| +// X509_NAME_ENTRY_create_by_NID behaves like `X509_NAME_ENTRY_create_by_OBJ` +// except the attribute type is `nid`, which should be one of the `NID_*` // constants. OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID( X509_NAME_ENTRY **out, int nid, int type, const uint8_t *bytes, ossl_ssize_t len); -// X509_NAME_ENTRY_create_by_txt behaves like |X509_NAME_ENTRY_create_by_OBJ| -// except the attribute type is |field|, which is passed to |OBJ_txt2obj|. +// X509_NAME_ENTRY_create_by_txt behaves like `X509_NAME_ENTRY_create_by_OBJ` +// except the attribute type is `field`, which is passed to `OBJ_txt2obj`. 
OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( X509_NAME_ENTRY **out, const char *field, int type, const uint8_t *bytes, ossl_ssize_t len); 
@@ -1542,74 +1542,74 @@ OPENSSL_EXPORT X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt( // Public keys. // // X.509 encodes public keys as SubjectPublicKeyInfo (RFC 5280), sometimes -// referred to as SPKI. These are represented in this library by |X509_PUBKEY|. +// referred to as SPKI. These are represented in this library by `X509_PUBKEY`. -// X509_PUBKEY_new returns a newly-allocated, empty |X509_PUBKEY| object, or +// X509_PUBKEY_new returns a newly-allocated, empty `X509_PUBKEY` object, or // NULL on error. OPENSSL_EXPORT X509_PUBKEY *X509_PUBKEY_new(void); -// X509_PUBKEY_free releases memory associated with |key|. +// X509_PUBKEY_free releases memory associated with `key`. OPENSSL_EXPORT void X509_PUBKEY_free(X509_PUBKEY *key); -// d2i_X509_PUBKEY parses up to |len| bytes from |*inp| as a DER-encoded -// SubjectPublicKeyInfo, as described in |d2i_SAMPLE|. +// d2i_X509_PUBKEY parses up to `len` bytes from `*inp` as a DER-encoded +// SubjectPublicKeyInfo, as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_PUBKEY *d2i_X509_PUBKEY(X509_PUBKEY **out, const uint8_t **inp, long len); -// i2d_X509_PUBKEY marshals |key| as a DER-encoded SubjectPublicKeyInfo, as -// described in |i2d_SAMPLE|. +// i2d_X509_PUBKEY marshals `key` as a DER-encoded SubjectPublicKeyInfo, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_PUBKEY(const X509_PUBKEY *key, uint8_t **outp); -// X509_PUBKEY_set serializes |pkey| into a newly-allocated |X509_PUBKEY| -// structure. On success, it frees |*x| if non-NULL, then sets |*x| to the new +// X509_PUBKEY_set serializes `pkey` into a newly-allocated `X509_PUBKEY` +// structure. On success, it frees `*x` if non-NULL, then sets `*x` to the new // object, and returns one. Otherwise, it returns zero. OPENSSL_EXPORT int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey); -// X509_PUBKEY_get0 returns |key| as an |EVP_PKEY|, or NULL if |key| either -// could not be parsed or is an unrecognized algorithm. 
The |EVP_PKEY| is cached -// in |key|, so callers must not mutate the result. +// X509_PUBKEY_get0 returns `key` as an `EVP_PKEY`, or NULL if `key` either +// could not be parsed or is an unrecognized algorithm. The `EVP_PKEY` is cached +// in `key`, so callers must not mutate the result. OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get0(const X509_PUBKEY *key); -// X509_PUBKEY_get behaves like |X509_PUBKEY_get0| but increments the reference -// count on the |EVP_PKEY|. The caller must release the result with -// |EVP_PKEY_free| when done. The |EVP_PKEY| is cached in |key|, so callers must +// X509_PUBKEY_get behaves like `X509_PUBKEY_get0` but increments the reference +// count on the `EVP_PKEY`. The caller must release the result with +// `EVP_PKEY_free` when done. The `EVP_PKEY` is cached in `key`, so callers must // not mutate the result. OPENSSL_EXPORT EVP_PKEY *X509_PUBKEY_get(const X509_PUBKEY *key); -// X509_PUBKEY_set0_param sets |pub| to a key with AlgorithmIdentifier -// determined by |obj|, |param_type|, and |param_value|, and an encoded -// public key of |key|. On success, it gives |pub| ownership of all the other -// parameters and returns one. Otherwise, it returns zero. |key| must have been -// allocated by |OPENSSL_malloc|. |obj| and, if applicable, |param_value| must +// X509_PUBKEY_set0_param sets `pub` to a key with AlgorithmIdentifier +// determined by `obj`, `param_type`, and `param_value`, and an encoded +// public key of `key`. On success, it gives `pub` ownership of all the other +// parameters and returns one. Otherwise, it returns zero. `key` must have been +// allocated by `OPENSSL_malloc`. `obj` and, if applicable, `param_value` must // not be freed after a successful call, and must have been allocated in a -// manner compatible with |ASN1_OBJECT_free| or |ASN1_STRING_free|. +// manner compatible with `ASN1_OBJECT_free` or `ASN1_STRING_free`. // -// |obj|, |param_type|, and |param_value| are interpreted as in -// |X509_ALGOR_set0|. 
See |X509_ALGOR_set0| for details. +// `obj`, `param_type`, and `param_value` are interpreted as in +// `X509_ALGOR_set0`. See `X509_ALGOR_set0` for details. OPENSSL_EXPORT int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *obj, int param_type, void *param_value, uint8_t *key, int key_len); -// X509_PUBKEY_get0_param outputs fields of |pub| and returns one. If |out_obj| -// is not NULL, it sets |*out_obj| to AlgorithmIdentifier's OID. If |out_key| -// is not NULL, it sets |*out_key| and |*out_key_len| to the encoded public key. -// If |out_alg| is not NULL, it sets |*out_alg| to the AlgorithmIdentifier. +// X509_PUBKEY_get0_param outputs fields of `pub` and returns one. If `out_obj` +// is not NULL, it sets `*out_obj` to AlgorithmIdentifier's OID. If `out_key` +// is not NULL, it sets `*out_key` and `*out_key_len` to the encoded public key. +// If `out_alg` is not NULL, it sets `*out_alg` to the AlgorithmIdentifier. // -// All pointers outputted by this function are internal to |pub| and must not be +// All pointers outputted by this function are internal to `pub` and must not be // freed by the caller. Additionally, although some outputs are non-const, // callers must not mutate the resulting objects. // // Note: X.509 SubjectPublicKeyInfo structures store the encoded public key as a -// BIT STRING. |*out_key| and |*out_key_len| will silently pad the key with zero -// bits if |pub| did not contain a whole number of bytes. Use -// |X509_PUBKEY_get0_public_key| to preserve this information. +// BIT STRING. `*out_key` and `*out_key_len` will silently pad the key with zero +// bits if `pub` did not contain a whole number of bytes. Use +// `X509_PUBKEY_get0_public_key` to preserve this information. OPENSSL_EXPORT int X509_PUBKEY_get0_param(ASN1_OBJECT **out_obj, const uint8_t **out_key, int *out_key_len, X509_ALGOR **out_alg, X509_PUBKEY *pub); -// X509_PUBKEY_get0_public_key returns |pub|'s encoded public key. 
+// X509_PUBKEY_get0_public_key returns `pub`'s encoded public key. OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( const X509_PUBKEY *pub); 
@@ -1617,79 +1617,79 @@ OPENSSL_EXPORT const ASN1_BIT_STRING *X509_PUBKEY_get0_public_key( // Extensions. // // X.509 certificates and CRLs may contain a list of extensions (RFC 5280). -// Extensions have a type, specified by an object identifier (|ASN1_OBJECT|) and +// Extensions have a type, specified by an object identifier (`ASN1_OBJECT`) and // a byte string value, which should a DER-encoded structure whose type is // determined by the extension type. This library represents extensions with the -// |X509_EXTENSION| type. +// `X509_EXTENSION` type. -// X509_EXTENSION is an |ASN1_ITEM| whose ASN.1 type is X.509 Extension (RFC -// 5280) and C type is |X509_EXTENSION*|. +// X509_EXTENSION is an `ASN1_ITEM` whose ASN.1 type is X.509 Extension (RFC +// 5280) and C type is `X509_EXTENSION*`. DECLARE_ASN1_ITEM(X509_EXTENSION) -// X509_EXTENSION_new returns a newly-allocated, empty |X509_EXTENSION| object +// X509_EXTENSION_new returns a newly-allocated, empty `X509_EXTENSION` object // or NULL on error. OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_new(void); -// X509_EXTENSION_free releases memory associated with |ex|. +// X509_EXTENSION_free releases memory associated with `ex`. OPENSSL_EXPORT void X509_EXTENSION_free(X509_EXTENSION *ex); -// d2i_X509_EXTENSION parses up to |len| bytes from |*inp| as a DER-encoded -// X.509 Extension (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_X509_EXTENSION parses up to `len` bytes from `*inp` as a DER-encoded +// X.509 Extension (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_EXTENSION *d2i_X509_EXTENSION(X509_EXTENSION **out, const uint8_t **inp, long len); -// i2d_X509_EXTENSION marshals |ex| as a DER-encoded X.509 Extension (RFC -// 5280), as described in |i2d_SAMPLE|. +// i2d_X509_EXTENSION marshals `ex` as a DER-encoded X.509 Extension (RFC +// 5280), as described in `i2d_SAMPLE`. 
OPENSSL_EXPORT int i2d_X509_EXTENSION(const X509_EXTENSION *ex, uint8_t **outp); -// X509_EXTENSION_dup returns a newly-allocated copy of |ex|, or NULL on error. -// This function works by serializing the structure, so if |ex| is incomplete, +// X509_EXTENSION_dup returns a newly-allocated copy of `ex`, or NULL on error. +// This function works by serializing the structure, so if `ex` is incomplete, // it may fail. OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_dup(const X509_EXTENSION *ex); -// X509_EXTENSION_create_by_NID creates a new |X509_EXTENSION| with type |nid|, -// value |data|, and critical bit |crit|. It returns an |X509_EXTENSION| on -// success, and NULL on error. |nid| should be a |NID_*| constant. +// X509_EXTENSION_create_by_NID creates a new `X509_EXTENSION` with type `nid`, +// value `data`, and critical bit `crit`. It returns an `X509_EXTENSION` on +// success, and NULL on error. `nid` should be a `NID_*` constant. // -// If |ex| and |*ex| are both non-NULL, |*ex| is used to hold the result, -// otherwise a new object is allocated. If |ex| is non-NULL and |*ex| is NULL, -// the function sets |*ex| to point to the newly allocated result, in addition +// If `ex` and `*ex` are both non-NULL, `*ex` is used to hold the result, +// otherwise a new object is allocated. If `ex` is non-NULL and `*ex` is NULL, +// the function sets `*ex` to point to the newly allocated result, in addition // to returning the result. OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_NID( X509_EXTENSION **ex, int nid, int crit, const ASN1_OCTET_STRING *data); -// X509_EXTENSION_create_by_OBJ behaves like |X509_EXTENSION_create_by_NID|, but -// the extension type is determined by an |ASN1_OBJECT|. +// X509_EXTENSION_create_by_OBJ behaves like `X509_EXTENSION_create_by_NID`, but +// the extension type is determined by an `ASN1_OBJECT`. 
OPENSSL_EXPORT X509_EXTENSION *X509_EXTENSION_create_by_OBJ( X509_EXTENSION **ex, const ASN1_OBJECT *obj, int crit, const ASN1_OCTET_STRING *data); -// X509_EXTENSION_get_object returns |ex|'s extension type. This function +// X509_EXTENSION_get_object returns `ex`'s extension type. This function // returns a non-const pointer for OpenSSL compatibility, but callers should not // mutate the result. OPENSSL_EXPORT ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex); -// X509_EXTENSION_get_data returns |ne|'s extension value. This function returns +// X509_EXTENSION_get_data returns `ne`'s extension value. This function returns // a non-const pointer for OpenSSL compatibility, but callers should not mutate // the result. OPENSSL_EXPORT ASN1_OCTET_STRING *X509_EXTENSION_get_data( const X509_EXTENSION *ne); -// X509_EXTENSION_get_critical returns one if |ex| is critical and zero +// X509_EXTENSION_get_critical returns one if `ex` is critical and zero // otherwise. OPENSSL_EXPORT int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); -// X509_EXTENSION_set_object sets |ex|'s extension type to |obj|. It returns one +// X509_EXTENSION_set_object sets `ex`'s extension type to `obj`. It returns one // on success and zero on error. OPENSSL_EXPORT int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj); -// X509_EXTENSION_set_critical sets |ex| to critical if |crit| is non-zero and -// to non-critical if |crit| is zero. +// X509_EXTENSION_set_critical sets `ex` to critical if `crit` is non-zero and +// to non-critical if `crit` is zero. OPENSSL_EXPORT int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); -// X509_EXTENSION_set_data set's |ex|'s extension value to a copy of |data|. It +// X509_EXTENSION_set_data set's `ex`'s extension value to a copy of `data`. It // returns one on success and zero on error. OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex, const ASN1_OCTET_STRING *data); 
@@ -1698,70 +1698,70 @@ OPENSSL_EXPORT int X509_EXTENSION_set_data(X509_EXTENSION *ex, // Extension lists. // // The following functions manipulate lists of extensions. Most of them have -// corresponding functions on the containing |X509|, |X509_CRL|, or -// |X509_REVOKED|. +// corresponding functions on the containing `X509`, `X509_CRL`, or +// `X509_REVOKED`. DEFINE_STACK_OF(X509_EXTENSION) typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS; -// d2i_X509_EXTENSIONS parses up to |len| bytes from |*inp| as a DER-encoded -// SEQUENCE OF Extension (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_X509_EXTENSIONS parses up to `len` bytes from `*inp` as a DER-encoded +// SEQUENCE OF Extension (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_EXTENSIONS *d2i_X509_EXTENSIONS(X509_EXTENSIONS **out, const uint8_t **inp, long len); -// i2d_X509_EXTENSIONS marshals |alg| as a DER-encoded SEQUENCE OF Extension -// (RFC 5280), as described in |i2d_SAMPLE|. +// i2d_X509_EXTENSIONS marshals `alg` as a DER-encoded SEQUENCE OF Extension +// (RFC 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_EXTENSIONS(const X509_EXTENSIONS *alg, uint8_t **outp); -// X509v3_get_ext_count returns the number of extensions in |x|. +// X509v3_get_ext_count returns the number of extensions in `x`. OPENSSL_EXPORT int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); -// X509v3_get_ext_by_NID returns the index of the first extension in |x| with -// type |nid|, or a negative number if not found. If found, callers can use -// |X509v3_get_ext| to look up the extension by index. +// X509v3_get_ext_by_NID returns the index of the first extension in `x` with +// type `nid`, or a negative number if not found. If found, callers can use +// `X509v3_get_ext` to look up the extension by index. // -// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers +// If `lastpos` is non-negative, it begins searching at `lastpos` + 1. 
Callers // can thus loop over all matching extensions by first passing -1 and then // passing the previously-returned value until no match is returned. OPENSSL_EXPORT int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos); -// X509v3_get_ext_by_OBJ behaves like |X509v3_get_ext_by_NID| but looks for -// extensions matching |obj|. +// X509v3_get_ext_by_OBJ behaves like `X509v3_get_ext_by_NID` but looks for +// extensions matching `obj`. OPENSSL_EXPORT int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, const ASN1_OBJECT *obj, int lastpos); -// X509v3_get_ext_by_critical returns the index of the first extension in |x| -// whose critical bit matches |crit|, or a negative number if no such extension +// X509v3_get_ext_by_critical returns the index of the first extension in `x` +// whose critical bit matches `crit`, or a negative number if no such extension // was found. // -// If |lastpos| is non-negative, it begins searching at |lastpos| + 1. Callers +// If `lastpos` is non-negative, it begins searching at `lastpos` + 1. Callers // can thus loop over all matching extensions by first passing -1 and then // passing the previously-returned value until no match is returned. OPENSSL_EXPORT int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, int crit, int lastpos); -// X509v3_get_ext returns the extension in |x| at index |loc|, or NULL if |loc| +// X509v3_get_ext returns the extension in `x` at index `loc`, or NULL if `loc` // is out of bounds. This function returns a non-const pointer for OpenSSL // compatibility, but callers should not mutate the result. OPENSSL_EXPORT X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc); -// X509v3_delete_ext removes the extension in |x| at index |loc| and returns the -// removed extension, or NULL if |loc| was out of bounds. If an extension was -// returned, the caller must release it with |X509_EXTENSION_free|. 
+// X509v3_delete_ext removes the extension in `x` at index `loc` and returns the +// removed extension, or NULL if `loc` was out of bounds. If an extension was +// returned, the caller must release it with `X509_EXTENSION_free`. OPENSSL_EXPORT X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc); -// X509v3_add_ext adds a copy of |ex| to the extension list in |*x|. If |*x| is -// NULL, it allocates a new |STACK_OF(X509_EXTENSION)| to hold the copy and sets -// |*x| to the new list. It returns |*x| on success and NULL on error. The -// caller retains ownership of |ex| and can release it independently of |*x|. +// X509v3_add_ext adds a copy of `ex` to the extension list in `*x`. If `*x` is +// NULL, it allocates a new `STACK_OF(X509_EXTENSION)` to hold the copy and sets +// `*x` to the new list. It returns `*x` on success and NULL on error. The +// caller retains ownership of `ex` and can release it independently of `*x`. // -// The new extension is inserted at index |loc|, shifting extensions to the -// right. If |loc| is -1 or out of bounds, the new extension is appended to the +// The new extension is inserted at index `loc`, shifting extensions to the +// right. If `loc` is -1 or out of bounds, the new extension is appended to the // list. OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext( STACK_OF(X509_EXTENSION) **x, const X509_EXTENSION *ex, int loc); 
@@ -1772,111 +1772,111 @@ OPENSSL_EXPORT STACK_OF(X509_EXTENSION) *X509v3_add_ext( // Several functions in the library encode and decode extension values into a // C structure to that extension. The following extensions are supported: // -// - |NID_authority_key_identifier| with type |AUTHORITY_KEYID| -// - |NID_basic_constraints| with type |BASIC_CONSTRAINTS| -// - |NID_certificate_issuer| with type |GENERAL_NAMES| -// - |NID_certificate_policies| with type |CERTIFICATEPOLICIES| -// - |NID_crl_distribution_points| with type |CRL_DIST_POINTS| -// - |NID_crl_number| with type |ASN1_INTEGER| -// - |NID_crl_reason| with type |ASN1_ENUMERATED| -// - |NID_delta_crl| with type |ASN1_INTEGER| -// - |NID_ext_key_usage| with type |EXTENDED_KEY_USAGE| -// - |NID_freshest_crl| with type |ISSUING_DIST_POINT| -// - |NID_id_pkix_OCSP_noCheck| with type |ASN1_NULL| -// - |NID_info_access| with type |AUTHORITY_INFO_ACCESS| -// - |NID_inhibit_any_policy| with type |ASN1_INTEGER| -// - |NID_invalidity_date| with type |ASN1_GENERALIZEDTIME| -// - |NID_issuer_alt_name| with type |GENERAL_NAMES| -// - |NID_issuing_distribution_point| with type |ISSUING_DIST_POINT| -// - |NID_key_usage| with type |ASN1_BIT_STRING| -// - |NID_name_constraints| with type |NAME_CONSTRAINTS| -// - |NID_netscape_base_url| with type |ASN1_IA5STRING| -// - |NID_netscape_ca_policy_url| with type |ASN1_IA5STRING| -// - |NID_netscape_ca_revocation_url| with type |ASN1_IA5STRING| -// - |NID_netscape_cert_type| with type |ASN1_BIT_STRING| -// - |NID_netscape_comment| with type |ASN1_IA5STRING| -// - |NID_netscape_renewal_url| with type |ASN1_IA5STRING| -// - |NID_netscape_revocation_url| with type |ASN1_IA5STRING| -// - |NID_netscape_ssl_server_name| with type |ASN1_IA5STRING| -// - |NID_policy_constraints| with type |POLICY_CONSTRAINTS| -// - |NID_policy_mappings| with type |POLICY_MAPPINGS| -// - |NID_sinfo_access| with type |AUTHORITY_INFO_ACCESS| -// - |NID_subject_alt_name| with type |GENERAL_NAMES| -// - 
|NID_subject_key_identifier| with type |ASN1_OCTET_STRING| +// - `NID_authority_key_identifier` with type `AUTHORITY_KEYID` +// - `NID_basic_constraints` with type `BASIC_CONSTRAINTS` +// - `NID_certificate_issuer` with type `GENERAL_NAMES` +// - `NID_certificate_policies` with type `CERTIFICATEPOLICIES` +// - `NID_crl_distribution_points` with type `CRL_DIST_POINTS` +// - `NID_crl_number` with type `ASN1_INTEGER` +// - `NID_crl_reason` with type `ASN1_ENUMERATED` +// - `NID_delta_crl` with type `ASN1_INTEGER` +// - `NID_ext_key_usage` with type `EXTENDED_KEY_USAGE` +// - `NID_freshest_crl` with type `ISSUING_DIST_POINT` +// - `NID_id_pkix_OCSP_noCheck` with type `ASN1_NULL` +// - `NID_info_access` with type `AUTHORITY_INFO_ACCESS` +// - `NID_inhibit_any_policy` with type `ASN1_INTEGER` +// - `NID_invalidity_date` with type `ASN1_GENERALIZEDTIME` +// - `NID_issuer_alt_name` with type `GENERAL_NAMES` +// - `NID_issuing_distribution_point` with type `ISSUING_DIST_POINT` +// - `NID_key_usage` with type `ASN1_BIT_STRING` +// - `NID_name_constraints` with type `NAME_CONSTRAINTS` +// - `NID_netscape_base_url` with type `ASN1_IA5STRING` +// - `NID_netscape_ca_policy_url` with type `ASN1_IA5STRING` +// - `NID_netscape_ca_revocation_url` with type `ASN1_IA5STRING` +// - `NID_netscape_cert_type` with type `ASN1_BIT_STRING` +// - `NID_netscape_comment` with type `ASN1_IA5STRING` +// - `NID_netscape_renewal_url` with type `ASN1_IA5STRING` +// - `NID_netscape_revocation_url` with type `ASN1_IA5STRING` +// - `NID_netscape_ssl_server_name` with type `ASN1_IA5STRING` +// - `NID_policy_constraints` with type `POLICY_CONSTRAINTS` +// - `NID_policy_mappings` with type `POLICY_MAPPINGS` +// - `NID_sinfo_access` with type `AUTHORITY_INFO_ACCESS` +// - `NID_subject_alt_name` with type `GENERAL_NAMES` +// - `NID_subject_key_identifier` with type `ASN1_OCTET_STRING` // // If an extension does not appear in this list, e.g. 
for a custom extension, -// callers can instead use functions such as |X509_get_ext_by_OBJ|, -// |X509_EXTENSION_get_data|, and |X509_EXTENSION_create_by_OBJ| to inspect or -// create extensions directly. Although the |X509V3_EXT_METHOD| mechanism allows +// callers can instead use functions such as `X509_get_ext_by_OBJ`, +// `X509_EXTENSION_get_data`, and `X509_EXTENSION_create_by_OBJ` to inspect or +// create extensions directly. Although the `X509V3_EXT_METHOD` mechanism allows // registering custom extensions, doing so is deprecated and may result in // threading or memory errors. -// X509V3_EXT_d2i decodes |ext| and returns a pointer to a newly-allocated +// X509V3_EXT_d2i decodes `ext` and returns a pointer to a newly-allocated // structure, with type dependent on the type of the extension. It returns NULL -// if |ext| is an unsupported extension or if there was a syntax error in the +// if `ext` is an unsupported extension or if there was a syntax error in the // extension. The caller should cast the return value to the expected type and // free the structure when done. // // WARNING: Casting the return value to the wrong type is a potentially // exploitable memory error, so callers must not use this function before -// checking |ext| is of a known type. See the list at the top of this section +// checking `ext` is of a known type. See the list at the top of this section // for the correct types. OPENSSL_EXPORT void *X509V3_EXT_d2i(const X509_EXTENSION *ext); -// X509V3_get_d2i finds and decodes the extension in |extensions| of type |nid|. +// X509V3_get_d2i finds and decodes the extension in `extensions` of type `nid`. // If found, it decodes it and returns a newly-allocated structure, with type -// dependent on |nid|. If the extension is not found or on error, it returns -// NULL. The caller may distinguish these cases using the |out_critical| value. +// dependent on `nid`. If the extension is not found or on error, it returns +// NULL. 
The caller may distinguish these cases using the `out_critical` value. // -// If |out_critical| is not NULL, this function sets |*out_critical| to one if +// If `out_critical` is not NULL, this function sets `*out_critical` to one if // the extension is found and critical, zero if it is found and not critical, -1 // if it is not found, and -2 if there is an invalid duplicate extension. Note -// this function may set |*out_critical| to one or zero and still return NULL if +// this function may set `*out_critical` to one or zero and still return NULL if // the extension is found but has a syntax error. // -// If |out_idx| is not NULL, this function looks for the first occurrence of the -// extension after |*out_idx|. It then sets |*out_idx| to the index of the -// extension, or -1 if not found. If |out_idx| is non-NULL, duplicate extensions +// If `out_idx` is not NULL, this function looks for the first occurrence of the +// extension after `*out_idx`. It then sets `*out_idx` to the index of the +// extension, or -1 if not found. If `out_idx` is non-NULL, duplicate extensions // are not treated as an error. Callers, however, should not rely on this // behavior as it may be removed in the future. Duplicate extensions are // forbidden in RFC 5280. // // WARNING: This function is difficult to use correctly. Callers should pass a -// non-NULL |out_critical| and check both the return value and |*out_critical| -// to handle errors. If the return value is NULL and |*out_critical| is not -1, +// non-NULL `out_critical` and check both the return value and `*out_critical` +// to handle errors. If the return value is NULL and `*out_critical` is not -1, // there was an error. Otherwise, the function succeeded and but may return NULL -// for a missing extension. Callers should pass NULL to |out_idx| so that +// for a missing extension. Callers should pass NULL to `out_idx` so that // duplicate extensions are handled correctly. 
// // Additionally, casting the return value to the wrong type is a potentially -// exploitable memory error, so callers must ensure the cast and |nid| match. +// exploitable memory error, so callers must ensure the cast and `nid` match. // See the list at the top of this section for the correct types. OPENSSL_EXPORT void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *extensions, int nid, int *out_critical, int *out_idx); -// X509V3_EXT_free casts |ext_data| into the type that corresponds to |nid| and +// X509V3_EXT_free casts `ext_data` into the type that corresponds to `nid` and // releases memory associated with it. It returns one on success and zero if -// |nid| is not a known extension. +// `nid` is not a known extension. // -// WARNING: Casting |ext_data| to the wrong type is a potentially exploitable -// memory error, so callers must ensure |ext_data|'s type matches |nid|. See the +// WARNING: Casting `ext_data` to the wrong type is a potentially exploitable +// memory error, so callers must ensure `ext_data`'s type matches `nid`. See the // list at the top of this section for the correct types. // // TODO(davidben): OpenSSL upstream no longer exposes this function. Remove it? OPENSSL_EXPORT int X509V3_EXT_free(int nid, void *ext_data); -// X509V3_EXT_i2d casts |ext_struc| into the type that corresponds to -// |ext_nid|, serializes it, and returns a newly-allocated |X509_EXTENSION| -// object containing the serialization, or NULL on error. The |X509_EXTENSION| -// has OID |ext_nid| and is critical if |crit| is one. +// X509V3_EXT_i2d casts `ext_struc` into the type that corresponds to +// `ext_nid`, serializes it, and returns a newly-allocated `X509_EXTENSION` +// object containing the serialization, or NULL on error. The `X509_EXTENSION` +// has OID `ext_nid` and is critical if `crit` is one. // -// WARNING: Casting |ext_struc| to the wrong type is a potentially exploitable -// memory error, so callers must ensure |ext_struct|'s type matches |ext_nid|. 
+// WARNING: Casting `ext_struc` to the wrong type is a potentially exploitable +// memory error, so callers must ensure `ext_struct`'s type matches `ext_nid`. // See the list at the top of this section for the correct types. OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); -// The following constants control the behavior of |X509V3_add1_i2d| and related +// The following constants control the behavior of `X509V3_add1_i2d` and related // functions. // X509V3_ADD_OP_MASK can be ANDed with the flags to determine how duplicate @@ -1905,7 +1905,7 @@ OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, // X509V3_ADD_DELETE causes the function to remove the matching extension. No // new extension is added. If there is no matching extension, the function -// fails. The |value| parameter is ignored in this mode. +// fails. The `value` parameter is ignored in this mode. #define X509V3_ADD_DELETE 5L // X509V3_ADD_SILENT may be ORed into one of the values above to indicate the 
@@ -1914,18 +1914,18 @@ OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, // continue to return -1 and add to the error queue on other errors. #define X509V3_ADD_SILENT 0x10 -// X509V3_add1_i2d casts |value| to the type that corresponds to |nid|, -// serializes it, and appends it to the extension list in |*x|. If |*x| is NULL, -// it will set |*x| to a newly-allocated |STACK_OF(X509_EXTENSION)| as needed. -// The |crit| parameter determines whether the new extension is critical. -// |flags| may be some combination of the |X509V3_ADD_*| constants to control +// X509V3_add1_i2d casts `value` to the type that corresponds to `nid`, +// serializes it, and appends it to the extension list in `*x`. If `*x` is NULL, +// it will set `*x` to a newly-allocated `STACK_OF(X509_EXTENSION)` as needed. +// The `crit` parameter determines whether the new extension is critical. +// `flags` may be some combination of the `X509V3_ADD_*` constants to control // the function's behavior on duplicate extension. // // This function returns one on success, zero if the operation failed due to a // missing or duplicate extension, and -1 on other errors. // -// WARNING: Casting |value| to the wrong type is a potentially exploitable -// memory error, so callers must ensure |value|'s type matches |nid|. See the +// WARNING: Casting `value` to the wrong type is a potentially exploitable +// memory error, so callers must ensure `value`'s type matches `nid`. See the // list at the top of this section for the correct types. OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags); 
@@ -1937,32 +1937,32 @@ OPENSSL_EXPORT int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, // whether a certificate is a CA certificate and, if so, optionally constrains // the maximum depth of the certificate chain. -// A BASIC_CONSTRAINTS_st, aka |BASIC_CONSTRAINTS| represents an +// A BASIC_CONSTRAINTS_st, aka `BASIC_CONSTRAINTS` represents an // BasicConstraints structure (RFC 5280). struct BASIC_CONSTRAINTS_st { ASN1_BOOLEAN ca; ASN1_INTEGER *pathlen; } /* BASIC_CONSTRAINTS */; -// BASIC_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is BasicConstraints (RFC -// 5280) and C type is |BASIC_CONSTRAINTS*|. +// BASIC_CONSTRAINTS is an `ASN1_ITEM` whose ASN.1 type is BasicConstraints (RFC +// 5280) and C type is `BASIC_CONSTRAINTS*`. DECLARE_ASN1_ITEM(BASIC_CONSTRAINTS) -// BASIC_CONSTRAINTS_new returns a newly-allocated, empty |BASIC_CONSTRAINTS| +// BASIC_CONSTRAINTS_new returns a newly-allocated, empty `BASIC_CONSTRAINTS` // object, or NULL on error. OPENSSL_EXPORT BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void); -// BASIC_CONSTRAINTS_free releases memory associated with |bcons|. +// BASIC_CONSTRAINTS_free releases memory associated with `bcons`. OPENSSL_EXPORT void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *bcons); -// d2i_BASIC_CONSTRAINTS parses up to |len| bytes from |*inp| as a DER-encoded -// BasicConstraints (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_BASIC_CONSTRAINTS parses up to `len` bytes from `*inp` as a DER-encoded +// BasicConstraints (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **out, const uint8_t **inp, long len); -// i2d_BASIC_CONSTRAINTS marshals |bcons| as a DER-encoded BasicConstraints (RFC -// 5280), as described in |i2d_SAMPLE|. +// i2d_BASIC_CONSTRAINTS marshals `bcons` as a DER-encoded BasicConstraints (RFC +// 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_BASIC_CONSTRAINTS(const BASIC_CONSTRAINTS *bcons, uint8_t **outp); 
@@ -1975,39 +1975,39 @@ OPENSSL_EXPORT int i2d_BASIC_CONSTRAINTS(const BASIC_CONSTRAINTS *bcons, typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE; -// EXTENDED_KEY_USAGE is an |ASN1_ITEM| whose ASN.1 type is ExtKeyUsageSyntax -// (RFC 5280) and C type is |STACK_OF(ASN1_OBJECT)*|, or |EXTENDED_KEY_USAGE*|. +// EXTENDED_KEY_USAGE is an `ASN1_ITEM` whose ASN.1 type is ExtKeyUsageSyntax +// (RFC 5280) and C type is `STACK_OF(ASN1_OBJECT)*`, or `EXTENDED_KEY_USAGE*`. DECLARE_ASN1_ITEM(EXTENDED_KEY_USAGE) -// EXTENDED_KEY_USAGE_new returns a newly-allocated, empty |EXTENDED_KEY_USAGE| +// EXTENDED_KEY_USAGE_new returns a newly-allocated, empty `EXTENDED_KEY_USAGE` // object, or NULL on error. OPENSSL_EXPORT EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void); -// EXTENDED_KEY_USAGE_free releases memory associated with |eku|. +// EXTENDED_KEY_USAGE_free releases memory associated with `eku`. OPENSSL_EXPORT void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *eku); -// d2i_EXTENDED_KEY_USAGE parses up to |len| bytes from |*inp| as a DER-encoded -// ExtKeyUsageSyntax (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_EXTENDED_KEY_USAGE parses up to `len` bytes from `*inp` as a DER-encoded +// ExtKeyUsageSyntax (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE( EXTENDED_KEY_USAGE **out, const uint8_t **inp, long len); -// i2d_EXTENDED_KEY_USAGE marshals |eku| as a DER-encoded ExtKeyUsageSyntax (RFC -// 5280), as described in |i2d_SAMPLE|. +// i2d_EXTENDED_KEY_USAGE marshals `eku` as a DER-encoded ExtKeyUsageSyntax (RFC +// 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_EXTENDED_KEY_USAGE(const EXTENDED_KEY_USAGE *eku, uint8_t **outp); // General names. // -// A |GENERAL_NAME| represents an X.509 GeneralName structure, defined in RFC -// 5280, Section 4.2.1.6. General names are distinct from names (|X509_NAME|). A +// A `GENERAL_NAME` represents an X.509 GeneralName structure, defined in RFC +// 5280, Section 4.2.1.6. 
General names are distinct from names (`X509_NAME`). A // general name is a CHOICE type which may contain one of several name types, // most commonly a DNS name or an IP address. General names most commonly appear // in the subject alternative name (SAN) extension, though they are also used in // other extensions. // // Many extensions contain a SEQUENCE OF GeneralName, or GeneralNames, so -// |STACK_OF(GENERAL_NAME)| is defined and aliased to |GENERAL_NAMES|. +// `STACK_OF(GENERAL_NAME)` is defined and aliased to `GENERAL_NAMES`. typedef struct otherName_st { ASN1_OBJECT *type_id; @@ -2019,7 +2019,7 @@ typedef struct EDIPartyName_st { ASN1_STRING *partyName; } EDIPARTYNAME; -// GEN_* are constants for the |type| field of |GENERAL_NAME|, defined below. +// GEN_* are constants for the `type` field of `GENERAL_NAME`, defined below. #define GEN_OTHERNAME 0 #define GEN_EMAIL 1 #define GEN_DNS 2 @@ -2030,13 +2030,13 @@ typedef struct EDIPartyName_st { #define GEN_IPADD 7 #define GEN_RID 8 -// A GENERAL_NAME_st, aka |GENERAL_NAME|, represents an X.509 GeneralName. The -// |type| field determines which member of |d| is active. A |GENERAL_NAME| may -// also be empty, in which case |type| is -1 and |d| is NULL. Empty -// |GENERAL_NAME|s are invalid and will never be returned from the parser, but -// may be created temporarily, e.g. by |GENERAL_NAME_new|. +// A GENERAL_NAME_st, aka `GENERAL_NAME`, represents an X.509 GeneralName. The +// `type` field determines which member of `d` is active. A `GENERAL_NAME` may +// also be empty, in which case `type` is -1 and `d` is NULL. Empty +// `GENERAL_NAME`s are invalid and will never be returned from the parser, but +// may be created temporarily, e.g. by `GENERAL_NAME_new`. // -// WARNING: |type| and |d| must be kept consistent. An inconsistency will result +// WARNING: `type` and `d` must be kept consistent. An inconsistency will result // in a potentially exploitable memory error. struct GENERAL_NAME_st { int type; 
@@ -2060,75 +2060,75 @@ struct GENERAL_NAME_st { } d; } /* GENERAL_NAME */; -// GENERAL_NAME_new returns a new, empty |GENERAL_NAME|, or NULL on error. +// GENERAL_NAME_new returns a new, empty `GENERAL_NAME`, or NULL on error. OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_new(void); -// GENERAL_NAME_free releases memory associated with |gen|. +// GENERAL_NAME_free releases memory associated with `gen`. OPENSSL_EXPORT void GENERAL_NAME_free(GENERAL_NAME *gen); -// d2i_GENERAL_NAME parses up to |len| bytes from |*inp| as a DER-encoded X.509 -// GeneralName (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_GENERAL_NAME parses up to `len` bytes from `*inp` as a DER-encoded X.509 +// GeneralName (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **out, const uint8_t **inp, long len); -// i2d_GENERAL_NAME marshals |in| as a DER-encoded X.509 GeneralName (RFC 5280), -// as described in |i2d_SAMPLE|. +// i2d_GENERAL_NAME marshals `in` as a DER-encoded X.509 GeneralName (RFC 5280), +// as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_GENERAL_NAME(const GENERAL_NAME *in, uint8_t **outp); -// GENERAL_NAME_dup returns a newly-allocated copy of |gen|, or NULL on error. -// This function works by serializing the structure, so it will fail if |gen| is +// GENERAL_NAME_dup returns a newly-allocated copy of `gen`, or NULL on error. +// This function works by serializing the structure, so it will fail if `gen` is // empty. OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(const GENERAL_NAME *gen); -// GENERAL_NAMES_new returns a new, empty |GENERAL_NAMES|, or NULL on error. +// GENERAL_NAMES_new returns a new, empty `GENERAL_NAMES`, or NULL on error. OPENSSL_EXPORT GENERAL_NAMES *GENERAL_NAMES_new(void); -// GENERAL_NAMES_free releases memory associated with |gens|. +// GENERAL_NAMES_free releases memory associated with `gens`. 
OPENSSL_EXPORT void GENERAL_NAMES_free(GENERAL_NAMES *gens); -// d2i_GENERAL_NAMES parses up to |len| bytes from |*inp| as a DER-encoded -// SEQUENCE OF GeneralName, as described in |d2i_SAMPLE|. +// d2i_GENERAL_NAMES parses up to `len` bytes from `*inp` as a DER-encoded +// SEQUENCE OF GeneralName, as described in `d2i_SAMPLE`. OPENSSL_EXPORT GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **out, const uint8_t **inp, long len); -// i2d_GENERAL_NAMES marshals |in| as a DER-encoded SEQUENCE OF GeneralName, as -// described in |i2d_SAMPLE|. +// i2d_GENERAL_NAMES marshals `in` as a DER-encoded SEQUENCE OF GeneralName, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_GENERAL_NAMES(const GENERAL_NAMES *in, uint8_t **outp); -// OTHERNAME_new returns a new, empty |OTHERNAME|, or NULL on error. +// OTHERNAME_new returns a new, empty `OTHERNAME`, or NULL on error. OPENSSL_EXPORT OTHERNAME *OTHERNAME_new(void); -// OTHERNAME_free releases memory associated with |name|. +// OTHERNAME_free releases memory associated with `name`. OPENSSL_EXPORT void OTHERNAME_free(OTHERNAME *name); -// EDIPARTYNAME_new returns a new, empty |EDIPARTYNAME|, or NULL on error. +// EDIPARTYNAME_new returns a new, empty `EDIPARTYNAME`, or NULL on error. // EDIPartyName is rarely used in practice, so callers are unlikely to need this // function. OPENSSL_EXPORT EDIPARTYNAME *EDIPARTYNAME_new(void); -// EDIPARTYNAME_free releases memory associated with |name|. EDIPartyName is +// EDIPARTYNAME_free releases memory associated with `name`. EDIPartyName is // rarely used in practice, so callers are unlikely to need this function. OPENSSL_EXPORT void EDIPARTYNAME_free(EDIPARTYNAME *name); -// GENERAL_NAME_set0_value set |gen|'s type and value to |type| and |value|. -// |type| must be a |GEN_*| constant and |value| must be an object of the -// corresponding type. |gen| takes ownership of |value|, so |value| must have +// GENERAL_NAME_set0_value set `gen`'s type and value to `type` and `value`. 
+// `type` must be a `GEN_*` constant and `value` must be an object of the +// corresponding type. `gen` takes ownership of `value`, so `value` must have // been an allocated object. // -// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|) -// before calling this function. If |gen| already contained a value, the +// WARNING: `gen` must be empty (typically as returned from `GENERAL_NAME_new`) +// before calling this function. If `gen` already contained a value, the // previous contents will be leaked. OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *gen, int type, void *value); -// GENERAL_NAME_get0_value returns the in-memory representation of |gen|'s -// contents and, |out_type| is not NULL, sets |*out_type| to the type of |gen|, -// which will be a |GEN_*| constant. If |gen| is incomplete, the return value +// GENERAL_NAME_get0_value returns the in-memory representation of `gen`'s +// contents and, `out_type` is not NULL, sets `*out_type` to the type of `gen`, +// which will be a `GEN_*` constant. If `gen` is incomplete, the return value // will be NULL and the type will be -1. // // WARNING: Casting the result of this function to the wrong type is a -// potentially exploitable memory error. Callers must check |gen|'s type, either -// via |*out_type| or checking |gen->type| directly, before inspecting the +// potentially exploitable memory error. Callers must check `gen`'s type, either +// via `*out_type` or checking `gen->type` directly, before inspecting the // result. // // WARNING: This function is not const-correct. The return value should be 
@@ -2136,27 +2136,27 @@ OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *gen, int type, OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *gen, int *out_type); -// GENERAL_NAME_set0_othername sets |gen| to be an OtherName with type |oid| and -// value |value|. On success, it returns one and takes ownership of |oid| and -// |value|, which must be created in a way compatible with |ASN1_OBJECT_free| -// and |ASN1_TYPE_free|, respectively. On allocation failure, it returns zero. -// In the failure case, the caller retains ownership of |oid| and |value| and +// GENERAL_NAME_set0_othername sets `gen` to be an OtherName with type `oid` and +// value `value`. On success, it returns one and takes ownership of `oid` and +// `value`, which must be created in a way compatible with `ASN1_OBJECT_free` +// and `ASN1_TYPE_free`, respectively. On allocation failure, it returns zero. +// In the failure case, the caller retains ownership of `oid` and `value` and // must release them when done. // -// WARNING: |gen| must be empty (typically as returned from |GENERAL_NAME_new|) -// before calling this function. If |gen| already contained a value, the +// WARNING: `gen` must be empty (typically as returned from `GENERAL_NAME_new`) +// before calling this function. If `gen` already contained a value, the // previously contents will be leaked. OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, ASN1_TYPE *value); -// GENERAL_NAME_get0_otherName, if |gen| is an OtherName, sets |*out_oid| and -// |*out_value| to the OtherName's type-id and value, respectively, and returns -// one. If |gen| is not an OtherName, it returns zero and leaves |*out_oid| and -// |*out_value| unmodified. Either of |out_oid| or |out_value| may be NULL to +// GENERAL_NAME_get0_otherName, if `gen` is an OtherName, sets `*out_oid` and +// `*out_value` to the OtherName's type-id and value, respectively, and returns +// one. 
If `gen` is not an OtherName, it returns zero and leaves `*out_oid` and +// `*out_value` unmodified. Either of `out_oid` or `out_value` may be NULL to // ignore the value. // -// WARNING: This function is not const-correct. |out_oid| and |out_value| are +// WARNING: This function is not const-correct. `out_oid` and `out_value` are // not const, but callers should not mutate the resulting objects. OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, ASN1_OBJECT **out_oid, @@ -2167,10 +2167,10 @@ OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, // // The authority key identifier extension (RFC 5280, section 4.2.1.1) allows a // certificate to more precisely identify its issuer. This is helpful when -// multiple certificates share a name. Only the keyIdentifier (|keyid| in -// |AUTHORITY_KEYID|) field is used in practice. +// multiple certificates share a name. Only the keyIdentifier (`keyid` in +// `AUTHORITY_KEYID`) field is used in practice. -// A AUTHORITY_KEYID_st, aka |AUTHORITY_KEYID|, represents an +// A AUTHORITY_KEYID_st, aka `AUTHORITY_KEYID`, represents an // AuthorityKeyIdentifier structure (RFC 5280). struct AUTHORITY_KEYID_st { ASN1_OCTET_STRING *keyid; 
@@ -2178,25 +2178,25 @@ struct AUTHORITY_KEYID_st { ASN1_INTEGER *serial; } /* AUTHORITY_KEYID */; -// AUTHORITY_KEYID is an |ASN1_ITEM| whose ASN.1 type is AuthorityKeyIdentifier -// (RFC 5280) and C type is |AUTHORITY_KEYID*|. +// AUTHORITY_KEYID is an `ASN1_ITEM` whose ASN.1 type is AuthorityKeyIdentifier +// (RFC 5280) and C type is `AUTHORITY_KEYID*`. DECLARE_ASN1_ITEM(AUTHORITY_KEYID) -// AUTHORITY_KEYID_new returns a newly-allocated, empty |AUTHORITY_KEYID| +// AUTHORITY_KEYID_new returns a newly-allocated, empty `AUTHORITY_KEYID` // object, or NULL on error. OPENSSL_EXPORT AUTHORITY_KEYID *AUTHORITY_KEYID_new(void); -// AUTHORITY_KEYID_free releases memory associated with |akid|. +// AUTHORITY_KEYID_free releases memory associated with `akid`. OPENSSL_EXPORT void AUTHORITY_KEYID_free(AUTHORITY_KEYID *akid); -// d2i_AUTHORITY_KEYID parses up to |len| bytes from |*inp| as a DER-encoded -// AuthorityKeyIdentifier (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_AUTHORITY_KEYID parses up to `len` bytes from `*inp` as a DER-encoded +// AuthorityKeyIdentifier (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **out, const uint8_t **inp, long len); -// i2d_AUTHORITY_KEYID marshals |akid| as a DER-encoded AuthorityKeyIdentifier -// (RFC 5280), as described in |i2d_SAMPLE|. +// i2d_AUTHORITY_KEYID marshals `akid` as a DER-encoded AuthorityKeyIdentifier +// (RFC 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_AUTHORITY_KEYID(const AUTHORITY_KEYID *akid, uint8_t **outp); 
@@ -2217,29 +2217,29 @@ typedef struct GENERAL_SUBTREE_st { DEFINE_STACK_OF(GENERAL_SUBTREE) -// GENERAL_SUBTREE_new returns a newly-allocated, empty |GENERAL_SUBTREE| +// GENERAL_SUBTREE_new returns a newly-allocated, empty `GENERAL_SUBTREE` // object, or NULL on error. OPENSSL_EXPORT GENERAL_SUBTREE *GENERAL_SUBTREE_new(void); -// GENERAL_SUBTREE_free releases memory associated with |subtree|. +// GENERAL_SUBTREE_free releases memory associated with `subtree`. OPENSSL_EXPORT void GENERAL_SUBTREE_free(GENERAL_SUBTREE *subtree); -// A NAME_CONSTRAINTS_st, aka |NAME_CONSTRAINTS|, represents a NameConstraints +// A NAME_CONSTRAINTS_st, aka `NAME_CONSTRAINTS`, represents a NameConstraints // structure (RFC 5280). struct NAME_CONSTRAINTS_st { STACK_OF(GENERAL_SUBTREE) *permittedSubtrees; STACK_OF(GENERAL_SUBTREE) *excludedSubtrees; } /* NAME_CONSTRAINTS */; -// NAME_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is NameConstraints (RFC -// 5280) and C type is |NAME_CONSTRAINTS*|. +// NAME_CONSTRAINTS is an `ASN1_ITEM` whose ASN.1 type is NameConstraints (RFC +// 5280) and C type is `NAME_CONSTRAINTS*`. DECLARE_ASN1_ITEM(NAME_CONSTRAINTS) -// NAME_CONSTRAINTS_new returns a newly-allocated, empty |NAME_CONSTRAINTS| +// NAME_CONSTRAINTS_new returns a newly-allocated, empty `NAME_CONSTRAINTS` // object, or NULL on error. OPENSSL_EXPORT NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void); -// NAME_CONSTRAINTS_free releases memory associated with |ncons|. +// NAME_CONSTRAINTS_free releases memory associated with `ncons`. OPENSSL_EXPORT void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *ncons); 
@@ -2259,35 +2259,35 @@ typedef struct ACCESS_DESCRIPTION_st { DEFINE_STACK_OF(ACCESS_DESCRIPTION) -// ACCESS_DESCRIPTION_new returns a newly-allocated, empty |ACCESS_DESCRIPTION| +// ACCESS_DESCRIPTION_new returns a newly-allocated, empty `ACCESS_DESCRIPTION` // object, or NULL on error. OPENSSL_EXPORT ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void); -// ACCESS_DESCRIPTION_free releases memory associated with |desc|. +// ACCESS_DESCRIPTION_free releases memory associated with `desc`. OPENSSL_EXPORT void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *desc); typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS; -// AUTHORITY_INFO_ACCESS is an |ASN1_ITEM| whose ASN.1 type is +// AUTHORITY_INFO_ACCESS is an `ASN1_ITEM` whose ASN.1 type is // AuthorityInfoAccessSyntax (RFC 5280) and C type is -// |STACK_OF(ACCESS_DESCRIPTION)*|, or |AUTHORITY_INFO_ACCESS*|. +// `STACK_OF(ACCESS_DESCRIPTION)*`, or `AUTHORITY_INFO_ACCESS*`. DECLARE_ASN1_ITEM(AUTHORITY_INFO_ACCESS) // AUTHORITY_INFO_ACCESS_new returns a newly-allocated, empty -// |AUTHORITY_INFO_ACCESS| object, or NULL on error. +// `AUTHORITY_INFO_ACCESS` object, or NULL on error. OPENSSL_EXPORT AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void); -// AUTHORITY_INFO_ACCESS_free releases memory associated with |aia|. +// AUTHORITY_INFO_ACCESS_free releases memory associated with `aia`. OPENSSL_EXPORT void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *aia); -// d2i_AUTHORITY_INFO_ACCESS parses up to |len| bytes from |*inp| as a +// d2i_AUTHORITY_INFO_ACCESS parses up to `len` bytes from `*inp` as a // DER-encoded AuthorityInfoAccessSyntax (RFC 5280), as described in -// |d2i_SAMPLE|. +// `d2i_SAMPLE`. OPENSSL_EXPORT AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS( AUTHORITY_INFO_ACCESS **out, const uint8_t **inp, long len); -// i2d_AUTHORITY_INFO_ACCESS marshals |aia| as a DER-encoded -// AuthorityInfoAccessSyntax (RFC 5280), as described in |i2d_SAMPLE|. 
+// i2d_AUTHORITY_INFO_ACCESS marshals `aia` as a DER-encoded +// AuthorityInfoAccessSyntax (RFC 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_AUTHORITY_INFO_ACCESS(const AUTHORITY_INFO_ACCESS *aia, uint8_t **outp); @@ -2299,11 +2299,11 @@ OPENSSL_EXPORT int i2d_AUTHORITY_INFO_ACCESS(const AUTHORITY_INFO_ACCESS *aia, // point CRL extension (RFC 5280, section 5.2.5) matches against this extension. // A DIST_POINT_NAME represents a DistributionPointName structure (RFC 5280). -// The |name| field contains the CHOICE value and is determined by |type|. If -// |type| is zero, |name| must be a |fullname|. If |type| is one, |name| must be -// a |relativename|. +// The `name` field contains the CHOICE value and is determined by `type`. If +// `type` is zero, `name` must be a `fullname`. If `type` is one, `name` must be +// a `relativename`. // -// WARNING: |type| and |name| must be kept consistent. An inconsistency will +// WARNING: `type` and `name` must be kept consistent. An inconsistency will // result in a potentially exploitable memory error. typedef struct DIST_POINT_NAME_st { int type; @@ -2315,14 +2315,14 @@ typedef struct DIST_POINT_NAME_st { X509_NAME *dpname; } DIST_POINT_NAME; -// DIST_POINT_NAME_new returns a newly-allocated, empty |DIST_POINT_NAME| +// DIST_POINT_NAME_new returns a newly-allocated, empty `DIST_POINT_NAME` // object, or NULL on error. OPENSSL_EXPORT DIST_POINT_NAME *DIST_POINT_NAME_new(void); -// DIST_POINT_NAME_free releases memory associated with |name|. +// DIST_POINT_NAME_free releases memory associated with `name`. OPENSSL_EXPORT void DIST_POINT_NAME_free(DIST_POINT_NAME *name); -// A DIST_POINT_st, aka |DIST_POINT|, represents a DistributionPoint structure +// A DIST_POINT_st, aka `DIST_POINT`, represents a DistributionPoint structure // (RFC 5280). struct DIST_POINT_st { DIST_POINT_NAME *distpoint; 
@@ -2332,38 +2332,38 @@ struct DIST_POINT_st { DEFINE_STACK_OF(DIST_POINT) -// DIST_POINT_new returns a newly-allocated, empty |DIST_POINT| object, or NULL +// DIST_POINT_new returns a newly-allocated, empty `DIST_POINT` object, or NULL // on error. OPENSSL_EXPORT DIST_POINT *DIST_POINT_new(void); -// DIST_POINT_free releases memory associated with |dp|. +// DIST_POINT_free releases memory associated with `dp`. OPENSSL_EXPORT void DIST_POINT_free(DIST_POINT *dp); typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; -// CRL_DIST_POINTS is an |ASN1_ITEM| whose ASN.1 type is CRLDistributionPoints -// (RFC 5280) and C type is |CRL_DIST_POINTS*|. +// CRL_DIST_POINTS is an `ASN1_ITEM` whose ASN.1 type is CRLDistributionPoints +// (RFC 5280) and C type is `CRL_DIST_POINTS*`. DECLARE_ASN1_ITEM(CRL_DIST_POINTS) -// CRL_DIST_POINTS_new returns a newly-allocated, empty |CRL_DIST_POINTS| +// CRL_DIST_POINTS_new returns a newly-allocated, empty `CRL_DIST_POINTS` // object, or NULL on error. OPENSSL_EXPORT CRL_DIST_POINTS *CRL_DIST_POINTS_new(void); -// CRL_DIST_POINTS_free releases memory associated with |crldp|. +// CRL_DIST_POINTS_free releases memory associated with `crldp`. OPENSSL_EXPORT void CRL_DIST_POINTS_free(CRL_DIST_POINTS *crldp); -// d2i_CRL_DIST_POINTS parses up to |len| bytes from |*inp| as a DER-encoded -// CRLDistributionPoints (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_CRL_DIST_POINTS parses up to `len` bytes from `*inp` as a DER-encoded +// CRLDistributionPoints (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **out, const uint8_t **inp, long len); -// i2d_CRL_DIST_POINTS marshals |crldp| as a DER-encoded CRLDistributionPoints -// (RFC 5280), as described in |i2d_SAMPLE|. +// i2d_CRL_DIST_POINTS marshals `crldp` as a DER-encoded CRLDistributionPoints +// (RFC 5280), as described in `i2d_SAMPLE`. 
OPENSSL_EXPORT int i2d_CRL_DIST_POINTS(const CRL_DIST_POINTS *crldp, uint8_t **outp); -// A ISSUING_DIST_POINT_st, aka |ISSUING_DIST_POINT|, represents a +// A ISSUING_DIST_POINT_st, aka `ISSUING_DIST_POINT`, represents a // IssuingDistributionPoint structure (RFC 5280). struct ISSUING_DIST_POINT_st { DIST_POINT_NAME *distpoint; @@ -2374,24 +2374,24 @@ struct ISSUING_DIST_POINT_st { ASN1_BOOLEAN onlyattr; } /* ISSUING_DIST_POINT */; -// ISSUING_DIST_POINT is an |ASN1_ITEM| whose ASN.1 type is -// IssuingDistributionPoint (RFC 5280) and C type is |ISSUING_DIST_POINT*|. +// ISSUING_DIST_POINT is an `ASN1_ITEM` whose ASN.1 type is +// IssuingDistributionPoint (RFC 5280) and C type is `ISSUING_DIST_POINT*`. DECLARE_ASN1_ITEM(ISSUING_DIST_POINT) -// ISSUING_DIST_POINT_new returns a newly-allocated, empty |ISSUING_DIST_POINT| +// ISSUING_DIST_POINT_new returns a newly-allocated, empty `ISSUING_DIST_POINT` // object, or NULL on error. OPENSSL_EXPORT ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void); -// ISSUING_DIST_POINT_free releases memory associated with |idp|. +// ISSUING_DIST_POINT_free releases memory associated with `idp`. OPENSSL_EXPORT void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *idp); -// d2i_ISSUING_DIST_POINT parses up to |len| bytes from |*inp| as a DER-encoded -// IssuingDistributionPoint (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_ISSUING_DIST_POINT parses up to `len` bytes from `*inp` as a DER-encoded +// IssuingDistributionPoint (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT( ISSUING_DIST_POINT **out, const uint8_t **inp, long len); -// i2d_ISSUING_DIST_POINT marshals |idp| as a DER-encoded -// IssuingDistributionPoint (RFC 5280), as described in |i2d_SAMPLE|. +// i2d_ISSUING_DIST_POINT marshals `idp` as a DER-encoded +// IssuingDistributionPoint (RFC 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_ISSUING_DIST_POINT(const ISSUING_DIST_POINT *idp, uint8_t **outp); 
@@ -2412,11 +2412,11 @@ typedef struct NOTICEREF_st { STACK_OF(ASN1_INTEGER) *noticenos; } NOTICEREF; -// NOTICEREF_new returns a newly-allocated, empty |NOTICEREF| object, or NULL +// NOTICEREF_new returns a newly-allocated, empty `NOTICEREF` object, or NULL // on error. OPENSSL_EXPORT NOTICEREF *NOTICEREF_new(void); -// NOTICEREF_free releases memory associated with |ref|. +// NOTICEREF_free releases memory associated with `ref`. OPENSSL_EXPORT void NOTICEREF_free(NOTICEREF *ref); // A USERNOTICE represents a UserNotice structure (RFC 5280). @@ -2425,20 +2425,20 @@ typedef struct USERNOTICE_st { ASN1_STRING *exptext; } USERNOTICE; -// USERNOTICE_new returns a newly-allocated, empty |USERNOTICE| object, or NULL +// USERNOTICE_new returns a newly-allocated, empty `USERNOTICE` object, or NULL // on error. OPENSSL_EXPORT USERNOTICE *USERNOTICE_new(void); -// USERNOTICE_free releases memory associated with |notice|. +// USERNOTICE_free releases memory associated with `notice`. OPENSSL_EXPORT void USERNOTICE_free(USERNOTICE *notice); -// A POLICYQUALINFO represents a PolicyQualifierInfo structure (RFC 5280). |d| +// A POLICYQUALINFO represents a PolicyQualifierInfo structure (RFC 5280). `d` // contains the qualifier field of the PolicyQualifierInfo. Its type is -// determined by |pqualid|. If |pqualid| is |NID_id_qt_cps|, |d| must be -// |cpsuri|. If |pqualid| is |NID_id_qt_unotice|, |d| must be |usernotice|. -// Otherwise, |d| must be |other|. +// determined by `pqualid`. If `pqualid` is `NID_id_qt_cps`, `d` must be +// `cpsuri`. If `pqualid` is `NID_id_qt_unotice`, `d` must be `usernotice`. +// Otherwise, `d` must be `other`. // -// WARNING: |pqualid| and |d| must be kept consistent. An inconsistency will +// WARNING: `pqualid` and `d` must be kept consistent. An inconsistency will // result in a potentially exploitable memory error. typedef struct POLICYQUALINFO_st { ASN1_OBJECT *pqualid; 
@@ -2451,11 +2451,11 @@ typedef struct POLICYQUALINFO_st {
 
 DEFINE_STACK_OF(POLICYQUALINFO)
 
-// POLICYQUALINFO_new returns a newly-allocated, empty |POLICYQUALINFO| object,
+// POLICYQUALINFO_new returns a newly-allocated, empty `POLICYQUALINFO` object,
 // or NULL on error.
 OPENSSL_EXPORT POLICYQUALINFO *POLICYQUALINFO_new(void);
 
-// POLICYQUALINFO_free releases memory associated with |info|.
+// POLICYQUALINFO_free releases memory associated with `info`.
 OPENSSL_EXPORT void POLICYQUALINFO_free(POLICYQUALINFO *info);
 
 // A POLICYINFO represents a PolicyInformation structure (RFC 5280).
@@ -2466,33 +2466,33 @@ typedef struct POLICYINFO_st { DEFINE_STACK_OF(POLICYINFO) -// POLICYINFO_new returns a newly-allocated, empty |POLICYINFO| object, or NULL +// POLICYINFO_new returns a newly-allocated, empty `POLICYINFO` object, or NULL // on error. OPENSSL_EXPORT POLICYINFO *POLICYINFO_new(void); -// POLICYINFO_free releases memory associated with |info|. +// POLICYINFO_free releases memory associated with `info`. OPENSSL_EXPORT void POLICYINFO_free(POLICYINFO *info); typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES; -// CERTIFICATEPOLICIES is an |ASN1_ITEM| whose ASN.1 type is CertificatePolicies -// (RFC 5280) and C type is |STACK_OF(POLICYINFO)*|, or |CERTIFICATEPOLICIES*|. +// CERTIFICATEPOLICIES is an `ASN1_ITEM` whose ASN.1 type is CertificatePolicies +// (RFC 5280) and C type is `STACK_OF(POLICYINFO)*`, or `CERTIFICATEPOLICIES*`. DECLARE_ASN1_ITEM(CERTIFICATEPOLICIES) // CERTIFICATEPOLICIES_new returns a newly-allocated, empty -// |CERTIFICATEPOLICIES| object, or NULL on error. +// `CERTIFICATEPOLICIES` object, or NULL on error. OPENSSL_EXPORT CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void); -// CERTIFICATEPOLICIES_free releases memory associated with |policies|. +// CERTIFICATEPOLICIES_free releases memory associated with `policies`. OPENSSL_EXPORT void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *policies); -// d2i_CERTIFICATEPOLICIES parses up to |len| bytes from |*inp| as a DER-encoded -// CertificatePolicies (RFC 5280), as described in |d2i_SAMPLE|. +// d2i_CERTIFICATEPOLICIES parses up to `len` bytes from `*inp` as a DER-encoded +// CertificatePolicies (RFC 5280), as described in `d2i_SAMPLE`. OPENSSL_EXPORT CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES( CERTIFICATEPOLICIES **out, const uint8_t **inp, long len); -// i2d_CERTIFICATEPOLICIES marshals |policies| as a DER-encoded -// CertificatePolicies (RFC 5280), as described in |i2d_SAMPLE|. 
+// i2d_CERTIFICATEPOLICIES marshals `policies` as a DER-encoded +// CertificatePolicies (RFC 5280), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_CERTIFICATEPOLICIES(const CERTIFICATEPOLICIES *policies, uint8_t **outp); @@ -2505,17 +2505,17 @@ typedef struct POLICY_MAPPING_st { DEFINE_STACK_OF(POLICY_MAPPING) -// POLICY_MAPPING_new returns a newly-allocated, empty |POLICY_MAPPING| object, +// POLICY_MAPPING_new returns a newly-allocated, empty `POLICY_MAPPING` object, // or NULL on error. OPENSSL_EXPORT POLICY_MAPPING *POLICY_MAPPING_new(void); -// POLICY_MAPPING_free releases memory associated with |mapping|. +// POLICY_MAPPING_free releases memory associated with `mapping`. OPENSSL_EXPORT void POLICY_MAPPING_free(POLICY_MAPPING *mapping); typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS; -// POLICY_MAPPINGS is an |ASN1_ITEM| whose ASN.1 type is PolicyMappings (RFC -// 5280) and C type is |STACK_OF(POLICY_MAPPING)*|, or |POLICY_MAPPINGS*|. +// POLICY_MAPPINGS is an `ASN1_ITEM` whose ASN.1 type is PolicyMappings (RFC +// 5280) and C type is `STACK_OF(POLICY_MAPPING)*`, or `POLICY_MAPPINGS*`. DECLARE_ASN1_ITEM(POLICY_MAPPINGS) // A POLICY_CONSTRAINTS represents a PolicyConstraints structure (RFC 5280). 
@@ -2524,96 +2524,96 @@ typedef struct POLICY_CONSTRAINTS_st { ASN1_INTEGER *inhibitPolicyMapping; } POLICY_CONSTRAINTS; -// POLICY_CONSTRAINTS is an |ASN1_ITEM| whose ASN.1 type is PolicyConstraints -// (RFC 5280) and C type is |POLICY_CONSTRAINTS*|. +// POLICY_CONSTRAINTS is an `ASN1_ITEM` whose ASN.1 type is PolicyConstraints +// (RFC 5280) and C type is `POLICY_CONSTRAINTS*`. DECLARE_ASN1_ITEM(POLICY_CONSTRAINTS) -// POLICY_CONSTRAINTS_new returns a newly-allocated, empty |POLICY_CONSTRAINTS| +// POLICY_CONSTRAINTS_new returns a newly-allocated, empty `POLICY_CONSTRAINTS` // object, or NULL on error. OPENSSL_EXPORT POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void); -// POLICY_CONSTRAINTS_free releases memory associated with |pcons|. +// POLICY_CONSTRAINTS_free releases memory associated with `pcons`. OPENSSL_EXPORT void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *pcons); // Algorithm identifiers. // -// An |X509_ALGOR| represents an AlgorithmIdentifier structure, used in X.509 +// An `X509_ALGOR` represents an AlgorithmIdentifier structure, used in X.509 // to represent signature algorithms and public key algorithms. DEFINE_STACK_OF(X509_ALGOR) -// X509_ALGOR is an |ASN1_ITEM| whose ASN.1 type is AlgorithmIdentifier and C -// type is |X509_ALGOR*|. +// X509_ALGOR is an `ASN1_ITEM` whose ASN.1 type is AlgorithmIdentifier and C +// type is `X509_ALGOR*`. DECLARE_ASN1_ITEM(X509_ALGOR) -// X509_ALGOR_new returns a newly-allocated, empty |X509_ALGOR| object, or NULL +// X509_ALGOR_new returns a newly-allocated, empty `X509_ALGOR` object, or NULL // on error. OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_new(void); -// X509_ALGOR_dup returns a newly-allocated copy of |alg|, or NULL on error. -// This function works by serializing the structure, so if |alg| is incomplete, +// X509_ALGOR_dup returns a newly-allocated copy of `alg`, or NULL on error. +// This function works by serializing the structure, so if `alg` is incomplete, // it may fail. 
OPENSSL_EXPORT X509_ALGOR *X509_ALGOR_dup(const X509_ALGOR *alg); -// X509_ALGOR_copy sets |dst| to a copy of the contents of |src|. It returns one +// X509_ALGOR_copy sets `dst` to a copy of the contents of `src`. It returns one // on success and zero on error. OPENSSL_EXPORT int X509_ALGOR_copy(X509_ALGOR *dst, const X509_ALGOR *src); -// X509_ALGOR_free releases memory associated with |alg|. +// X509_ALGOR_free releases memory associated with `alg`. OPENSSL_EXPORT void X509_ALGOR_free(X509_ALGOR *alg); -// d2i_X509_ALGOR parses up to |len| bytes from |*inp| as a DER-encoded -// AlgorithmIdentifier, as described in |d2i_SAMPLE|. +// d2i_X509_ALGOR parses up to `len` bytes from `*inp` as a DER-encoded +// AlgorithmIdentifier, as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_ALGOR *d2i_X509_ALGOR(X509_ALGOR **out, const uint8_t **inp, long len); -// i2d_X509_ALGOR marshals |alg| as a DER-encoded AlgorithmIdentifier, as -// described in |i2d_SAMPLE|. +// i2d_X509_ALGOR marshals `alg` as a DER-encoded AlgorithmIdentifier, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_X509_ALGOR(const X509_ALGOR *alg, uint8_t **outp); -// X509_ALGOR_set0 sets |alg| to an AlgorithmIdentifier with algorithm |obj| and -// parameter determined by |param_type| and |param_value|. It returns one on -// success and zero on error. This function takes ownership of |obj| and -// |param_value| on success. +// X509_ALGOR_set0 sets `alg` to an AlgorithmIdentifier with algorithm `obj` and +// parameter determined by `param_type` and `param_value`. It returns one on +// success and zero on error. This function takes ownership of `obj` and +// `param_value` on success. // -// If |param_type| is |V_ASN1_UNDEF|, the parameter is omitted. If |param_type| -// is zero, the parameter is left unchanged. Otherwise, |param_type| and -// |param_value| are interpreted as in |ASN1_TYPE_set|. +// If `param_type` is `V_ASN1_UNDEF`, the parameter is omitted. 
If `param_type` +// is zero, the parameter is left unchanged. Otherwise, `param_type` and +// `param_value` are interpreted as in `ASN1_TYPE_set`. // -// Note omitting the parameter (|V_ASN1_UNDEF|) and encoding an explicit NULL -// value (|V_ASN1_NULL|) are different. Some algorithms require one and some the +// Note omitting the parameter (`V_ASN1_UNDEF`) and encoding an explicit NULL +// value (`V_ASN1_NULL`) are different. Some algorithms require one and some the // other. Consult the relevant specification before calling this function. The -// correct parameter for an RSASSA-PKCS1-v1_5 signature is |V_ASN1_NULL|. The -// correct one for an ECDSA or Ed25519 signature is |V_ASN1_UNDEF|. +// correct parameter for an RSASSA-PKCS1-v1_5 signature is `V_ASN1_NULL`. The +// correct one for an ECDSA or Ed25519 signature is `V_ASN1_UNDEF`. OPENSSL_EXPORT int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *obj, int param_type, void *param_value); -// X509_ALGOR_get0 sets |*out_obj| to the |alg|'s algorithm. If |alg|'s -// parameter is omitted, it sets |*out_param_type| and |*out_param_value| to -// |V_ASN1_UNDEF| and NULL. Otherwise, it sets |*out_param_type| and -// |*out_param_value| to the parameter, using the same representation as -// |ASN1_TYPE_set0|. See |ASN1_TYPE_set0| and |ASN1_TYPE| for details. +// X509_ALGOR_get0 sets `*out_obj` to the `alg`'s algorithm. If `alg`'s +// parameter is omitted, it sets `*out_param_type` and `*out_param_value` to +// `V_ASN1_UNDEF` and NULL. Otherwise, it sets `*out_param_type` and +// `*out_param_value` to the parameter, using the same representation as +// `ASN1_TYPE_set0`. See `ASN1_TYPE_set0` and `ASN1_TYPE` for details. // // Callers that require the parameter in serialized form should, after checking -// for |V_ASN1_UNDEF|, use |ASN1_TYPE_set1| and |d2i_ASN1_TYPE|, rather than -// inspecting |*out_param_value|. +// for `V_ASN1_UNDEF`, use `ASN1_TYPE_set1` and `d2i_ASN1_TYPE`, rather than +// inspecting `*out_param_value`. 
// -// Each of |out_obj|, |out_param_type|, and |out_param_value| may be NULL to -// ignore the output. If |out_param_type| is NULL, |out_param_value| is ignored. +// Each of `out_obj`, `out_param_type`, and `out_param_value` may be NULL to +// ignore the output. If `out_param_type` is NULL, `out_param_value` is ignored. // -// WARNING: If |*out_param_type| is set to |V_ASN1_UNDEF|, OpenSSL and older -// revisions of BoringSSL leave |*out_param_value| unset rather than setting it +// WARNING: If `*out_param_type` is set to `V_ASN1_UNDEF`, OpenSSL and older +// revisions of BoringSSL leave `*out_param_value` unset rather than setting it // to NULL. Callers that support both OpenSSL and BoringSSL should not assume -// |*out_param_value| is uniformly initialized. +// `*out_param_value` is uniformly initialized. OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj, int *out_param_type, const void **out_param_value, const X509_ALGOR *alg); -// X509_ALGOR_set_md sets |alg| to the hash function |md|. Note this +// X509_ALGOR_set_md sets `alg` to the hash function `md`. Note this // AlgorithmIdentifier represents the hash function itself, not a signature -// algorithm that uses |md|. It returns one on success and zero on error. +// algorithm that uses `md`. It returns one on success and zero on error. // // Due to historical specification mistakes (see Section 2.1 of RFC 4055), the // parameters field is sometimes omitted and sometimes a NULL value. When used 
@@ -2626,7 +2626,7 @@ OPENSSL_EXPORT void X509_ALGOR_get0(const ASN1_OBJECT **out_obj,
 // constructing PSS and move on.
 OPENSSL_EXPORT int X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
 
-// X509_ALGOR_cmp returns zero if |a| and |b| are equal, and some non-zero value
+// X509_ALGOR_cmp returns zero if `a` and `b` are equal, and some non-zero value
 // otherwise. Note this function can only be used for equality checks, not an
 // ordering.
 OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
@@ -2636,51 +2636,51 @@ OPENSSL_EXPORT int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); // // Unlike certificates and CRLs, CSRs use a separate Attribute structure (RFC // 2985, RFC 2986) for extensibility. This is represented by the library as -// |X509_ATTRIBUTE|. +// `X509_ATTRIBUTE`. DEFINE_STACK_OF(X509_ATTRIBUTE) -// X509_ATTRIBUTE_new returns a newly-allocated, empty |X509_ATTRIBUTE| object, -// or NULL on error. |X509_ATTRIBUTE_set1_*| may be used to finish initializing +// X509_ATTRIBUTE_new returns a newly-allocated, empty `X509_ATTRIBUTE` object, +// or NULL on error. `X509_ATTRIBUTE_set1_*` may be used to finish initializing // it. OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_new(void); -// X509_ATTRIBUTE_dup returns a newly-allocated copy of |attr|, or NULL on -// error. This function works by serializing the structure, so if |attr| is +// X509_ATTRIBUTE_dup returns a newly-allocated copy of `attr`, or NULL on +// error. This function works by serializing the structure, so if `attr` is // incomplete, it may fail. OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_dup(const X509_ATTRIBUTE *attr); -// X509_ATTRIBUTE_free releases memory associated with |attr|. +// X509_ATTRIBUTE_free releases memory associated with `attr`. OPENSSL_EXPORT void X509_ATTRIBUTE_free(X509_ATTRIBUTE *attr); -// d2i_X509_ATTRIBUTE parses up to |len| bytes from |*inp| as a DER-encoded -// Attribute (RFC 2986), as described in |d2i_SAMPLE|. +// d2i_X509_ATTRIBUTE parses up to `len` bytes from `*inp` as a DER-encoded +// Attribute (RFC 2986), as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_ATTRIBUTE *d2i_X509_ATTRIBUTE(X509_ATTRIBUTE **out, const uint8_t **inp, long len); -// i2d_X509_ATTRIBUTE marshals |alg| as a DER-encoded Attribute (RFC 2986), as -// described in |i2d_SAMPLE|. +// i2d_X509_ATTRIBUTE marshals `alg` as a DER-encoded Attribute (RFC 2986), as +// described in `i2d_SAMPLE`. 
OPENSSL_EXPORT int i2d_X509_ATTRIBUTE(const X509_ATTRIBUTE *alg, uint8_t **outp); -// X509_ATTRIBUTE_create returns a newly-allocated |X509_ATTRIBUTE|, or NULL on -// error. The attribute has type |nid| and contains a single value determined by -// |attrtype| and |value|, which are interpreted as in |ASN1_TYPE_set|. Note -// this function takes ownership of |value|. +// X509_ATTRIBUTE_create returns a newly-allocated `X509_ATTRIBUTE`, or NULL on +// error. The attribute has type `nid` and contains a single value determined by +// `attrtype` and `value`, which are interpreted as in `ASN1_TYPE_set`. Note +// this function takes ownership of `value`. OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, void *value); -// X509_ATTRIBUTE_create_by_NID returns a newly-allocated |X509_ATTRIBUTE| of -// type |nid|, or NULL on error. The value is determined as in -// |X509_ATTRIBUTE_set1_data|. +// X509_ATTRIBUTE_create_by_NID returns a newly-allocated `X509_ATTRIBUTE` of +// type `nid`, or NULL on error. The value is determined as in +// `X509_ATTRIBUTE_set1_data`. // -// If |attr| is non-NULL, the resulting |X509_ATTRIBUTE| is also written to -// |*attr|. If |*attr| was non-NULL when the function was called, |*attr| is +// If `attr` is non-NULL, the resulting `X509_ATTRIBUTE` is also written to +// `*attr`. If `*attr` was non-NULL when the function was called, `*attr` is // reused instead of creating a new object. // -// WARNING: The interpretation of |attrtype|, |data|, and |len| is complex and -// error-prone. See |X509_ATTRIBUTE_set1_data| for details. +// WARNING: The interpretation of `attrtype`, `data`, and `len` is complex and +// error-prone. See `X509_ATTRIBUTE_set1_data` for details. // // WARNING: The object reuse form is deprecated and may be removed in the // future. It also currently incorrectly appends to the reused object's value 
@@ -2688,201 +2688,201 @@ OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create(int nid, int attrtype, OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID( X509_ATTRIBUTE **attr, int nid, int attrtype, const void *data, int len); -// X509_ATTRIBUTE_create_by_OBJ behaves like |X509_ATTRIBUTE_create_by_NID| -// except the attribute's type is determined by |obj|. +// X509_ATTRIBUTE_create_by_OBJ behaves like `X509_ATTRIBUTE_create_by_NID` +// except the attribute's type is determined by `obj`. OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ( X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, int attrtype, const void *data, int len); -// X509_ATTRIBUTE_create_by_txt behaves like |X509_ATTRIBUTE_create_by_NID| -// except the attribute's type is determined by calling |OBJ_txt2obj| with -// |attrname|. +// X509_ATTRIBUTE_create_by_txt behaves like `X509_ATTRIBUTE_create_by_NID` +// except the attribute's type is determined by calling `OBJ_txt2obj` with +// `attrname`. OPENSSL_EXPORT X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt( X509_ATTRIBUTE **attr, const char *attrname, int type, const unsigned char *bytes, int len); -// X509_ATTRIBUTE_set1_object sets |attr|'s type to |obj|. It returns one on +// X509_ATTRIBUTE_set1_object sets `attr`'s type to `obj`. It returns one on // success and zero on error. OPENSSL_EXPORT int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj); -// X509_ATTRIBUTE_set1_data appends a value to |attr|'s value set and returns +// X509_ATTRIBUTE_set1_data appends a value to `attr`'s value set and returns // one on success or zero on error. The value is determined as follows: // -// If |attrtype| is zero, this function returns one and does nothing. This form -// may be used when calling |X509_ATTRIBUTE_create_by_*| to create an attribute +// If `attrtype` is zero, this function returns one and does nothing. 
This form +// may be used when calling `X509_ATTRIBUTE_create_by_*` to create an attribute // with an empty value set. Such attributes are invalid, but OpenSSL supports // creating them. // -// Otherwise, if |attrtype| is a |MBSTRING_*| constant, the value is an ASN.1 -// string. The string is determined by decoding |len| bytes from |data| in the -// encoding specified by |attrtype|, and then re-encoding it in a form -// appropriate for |attr|'s type. If |len| is -1, |strlen(data)| is used -// instead. See |ASN1_STRING_set_by_NID| for details. +// Otherwise, if `attrtype` is a `MBSTRING_*` constant, the value is an ASN.1 +// string. The string is determined by decoding `len` bytes from `data` in the +// encoding specified by `attrtype`, and then re-encoding it in a form +// appropriate for `attr`'s type. If `len` is -1, `strlen(data)` is used +// instead. See `ASN1_STRING_set_by_NID` for details. // -// Otherwise, if |len| is not -1, the value is an ASN.1 string. |attrtype| is an -// |ASN1_STRING| type value and the |len| bytes from |data| are copied as the -// type-specific representation of |ASN1_STRING|. See |ASN1_STRING| for details. +// Otherwise, if `len` is not -1, the value is an ASN.1 string. `attrtype` is an +// `ASN1_STRING` type value and the `len` bytes from `data` are copied as the +// type-specific representation of `ASN1_STRING`. See `ASN1_STRING` for details. // -// Otherwise, if |len| is -1, the value is constructed by passing |attrtype| and -// |data| to |ASN1_TYPE_set1|. That is, |attrtype| is an |ASN1_TYPE| type value, -// and |data| is cast to the corresponding pointer type. +// Otherwise, if `len` is -1, the value is constructed by passing `attrtype` and +// `data` to `ASN1_TYPE_set1`. That is, `attrtype` is an `ASN1_TYPE` type value, +// and `data` is cast to the corresponding pointer type. 
// -// WARNING: Despite the name, this function appends to |attr|'s value set, +// WARNING: Despite the name, this function appends to `attr`'s value set, // rather than overwriting it. To overwrite the value set, create a new -// |X509_ATTRIBUTE| with |X509_ATTRIBUTE_new|. +// `X509_ATTRIBUTE` with `X509_ATTRIBUTE_new`. // -// WARNING: If using the |MBSTRING_*| form, pass a length rather than relying on -// |strlen|. In particular, |strlen| will not behave correctly if the input is -// |MBSTRING_BMP| or |MBSTRING_UNIV|. +// WARNING: If using the `MBSTRING_*` form, pass a length rather than relying on +// `strlen`. In particular, `strlen` will not behave correctly if the input is +// `MBSTRING_BMP` or `MBSTRING_UNIV`. // -// WARNING: This function currently misinterprets |V_ASN1_OTHER| as an -// |MBSTRING_*| constant. This matches OpenSSL but means it is impossible to +// WARNING: This function currently misinterprets `V_ASN1_OTHER` as an +// `MBSTRING_*` constant. This matches OpenSSL but means it is impossible to // construct a value with a non-universal tag. OPENSSL_EXPORT int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len); -// X509_ATTRIBUTE_get0_data returns the |idx|th value of |attr| in a -// type-specific representation to |attrtype|, or NULL if out of bounds or the -// type does not match. |attrtype| is one of the type values in |ASN1_TYPE|. On -// match, the return value uses the same representation as |ASN1_TYPE_set0|. See -// |ASN1_TYPE| for details. +// X509_ATTRIBUTE_get0_data returns the `idx`th value of `attr` in a +// type-specific representation to `attrtype`, or NULL if out of bounds or the +// type does not match. `attrtype` is one of the type values in `ASN1_TYPE`. On +// match, the return value uses the same representation as `ASN1_TYPE_set0`. See +// `ASN1_TYPE` for details. 
OPENSSL_EXPORT void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int attrtype, void *unused); -// X509_ATTRIBUTE_count returns the number of values in |attr|. +// X509_ATTRIBUTE_count returns the number of values in `attr`. OPENSSL_EXPORT int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); -// X509_ATTRIBUTE_get0_object returns the type of |attr|. +// X509_ATTRIBUTE_get0_object returns the type of `attr`. OPENSSL_EXPORT ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); -// X509_ATTRIBUTE_get0_type returns the |idx|th value in |attr|, or NULL if out -// of bounds. Note this function returns one of |attr|'s values, not the type. +// X509_ATTRIBUTE_get0_type returns the `idx`th value in `attr`, or NULL if out +// of bounds. Note this function returns one of `attr`'s values, not the type. OPENSSL_EXPORT ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx); // Certificate stores. // -// An |X509_STORE| contains trusted certificates, CRLs, and verification +// An `X509_STORE` contains trusted certificates, CRLs, and verification // parameters that are shared between multiple certificate verifications. // -// Certificates in an |X509_STORE| are referred to as "trusted certificates", +// Certificates in an `X509_STORE` are referred to as "trusted certificates", // but an individual certificate verification may not necessarily treat every -// trusted certificate as a trust anchor. See |X509_VERIFY_PARAM_set_trust| for +// trusted certificate as a trust anchor. See `X509_VERIFY_PARAM_set_trust` for // details. // // WARNING: Although a trusted certificate which fails the -// |X509_VERIFY_PARAM_set_trust| check is functionally an untrusted +// `X509_VERIFY_PARAM_set_trust` check is functionally an untrusted // intermediate certificate, callers should not rely on this to configure -// untrusted intermediates in an |X509_STORE|. The trust check is complex, so +// untrusted intermediates in an `X509_STORE`. 
The trust check is complex, so // this risks inadvertently treating it as a trust anchor. Instead, configure -// untrusted intermediates with the |chain| parameter of |X509_STORE_CTX_init|. +// untrusted intermediates with the `chain` parameter of `X509_STORE_CTX_init`. // -// Certificates in |X509_STORE| may be specified in several ways: -// - Added by |X509_STORE_add_cert|. -// - Returned by an |X509_LOOKUP| added by |X509_STORE_add_lookup|. +// Certificates in `X509_STORE` may be specified in several ways: +// - Added by `X509_STORE_add_cert`. +// - Returned by an `X509_LOOKUP` added by `X509_STORE_add_lookup`. // -// |X509_STORE|s are reference-counted and may be shared by certificate +// `X509_STORE`s are reference-counted and may be shared by certificate // verifications running concurrently on multiple threads. However, an -// |X509_STORE|'s verification parameters may not be modified concurrently with +// `X509_STORE`'s verification parameters may not be modified concurrently with // certificate verification or other operations. Unless otherwise documented, // functions which take const pointer may be used concurrently, while // functions which take a non-const pointer may not. Callers that wish to modify -// verification parameters in a shared |X509_STORE| should instead modify -// |X509_STORE_CTX|s individually. +// verification parameters in a shared `X509_STORE` should instead modify +// `X509_STORE_CTX`s individually. // -// Objects in an |X509_STORE| are represented as an |X509_OBJECT|. Some +// Objects in an `X509_STORE` are represented as an `X509_OBJECT`. Some // functions in this library return values with this type. -// X509_STORE_new returns a newly-allocated |X509_STORE|, or NULL on error. +// X509_STORE_new returns a newly-allocated `X509_STORE`, or NULL on error. OPENSSL_EXPORT X509_STORE *X509_STORE_new(void); -// X509_STORE_up_ref adds one to the reference count of |store| and returns one. 
-// Although |store| is not const, this function's use of |store| is thread-safe. +// X509_STORE_up_ref adds one to the reference count of `store` and returns one. +// Although `store` is not const, this function's use of `store` is thread-safe. OPENSSL_EXPORT int X509_STORE_up_ref(X509_STORE *store); -// X509_STORE_free releases memory associated with |store|. +// X509_STORE_free releases memory associated with `store`. OPENSSL_EXPORT void X509_STORE_free(X509_STORE *store); -// X509_STORE_add_cert adds |x509| to |store| as a trusted certificate. It +// X509_STORE_add_cert adds `x509` to `store` as a trusted certificate. It // returns one on success and zero on error. This function internally increments -// |x509|'s reference count, so the caller retains ownership of |x509|. +// `x509`'s reference count, so the caller retains ownership of `x509`. // // Certificates configured by this function are still subject to the checks -// described in |X509_VERIFY_PARAM_set_trust|. +// described in `X509_VERIFY_PARAM_set_trust`. // -// Although |store| is not const, this function's use of |store| is thread-safe. -// However, if this function is called concurrently with |X509_verify_cert|, it -// is a race condition whether |x509| is available for issuer lookups. +// Although `store` is not const, this function's use of `store` is thread-safe. +// However, if this function is called concurrently with `X509_verify_cert`, it +// is a race condition whether `x509` is available for issuer lookups. // Moreover, the result may differ for each issuer lookup performed by a single -// |X509_verify_cert| call. +// `X509_verify_cert` call. OPENSSL_EXPORT int X509_STORE_add_cert(X509_STORE *store, X509 *x509); -// X509_STORE_add_crl adds |crl| to |store|. It returns one on success and zero -// on error. This function internally increments |crl|'s reference count, so the -// caller retains ownership of |crl|. 
CRLs added in this way are candidates for -// CRL lookup when |X509_V_FLAG_CRL_CHECK| is set. +// X509_STORE_add_crl adds `crl` to `store`. It returns one on success and zero +// on error. This function internally increments `crl`'s reference count, so the +// caller retains ownership of `crl`. CRLs added in this way are candidates for +// CRL lookup when `X509_V_FLAG_CRL_CHECK` is set. // -// Although |store| is not const, this function's use of |store| is thread-safe. -// However, if this function is called concurrently with |X509_verify_cert|, it -// is a race condition whether |crl| is available for CRL checks. Moreover, the +// Although `store` is not const, this function's use of `store` is thread-safe. +// However, if this function is called concurrently with `X509_verify_cert`, it +// is a race condition whether `crl` is available for CRL checks. Moreover, the // result may differ for each CRL check performed by a single -// |X509_verify_cert| call. +// `X509_verify_cert` call. // -// Note there are no supported APIs to remove CRLs from |store| once inserted. +// Note there are no supported APIs to remove CRLs from `store` once inserted. // To vary the set of CRLs over time, callers should either create a new -// |X509_STORE| or configure CRLs on a per-verification basis with -// |X509_STORE_CTX_set0_crls|. +// `X509_STORE` or configure CRLs on a per-verification basis with +// `X509_STORE_CTX_set0_crls`. OPENSSL_EXPORT int X509_STORE_add_crl(X509_STORE *store, X509_CRL *crl); -// X509_STORE_get0_param returns |store|'s verification parameters. This object +// X509_STORE_get0_param returns `store`'s verification parameters. This object // is mutable and may be modified by the caller. For an individual certificate -// verification operation, |X509_STORE_CTX_init| initializes the -// |X509_STORE_CTX|'s parameters with these parameters. +// verification operation, `X509_STORE_CTX_init` initializes the +// `X509_STORE_CTX`'s parameters with these parameters. 
// -// WARNING: |X509_STORE_CTX_init| applies some default parameters (as in -// |X509_VERIFY_PARAM_inherit|) after copying |store|'s parameters. This means -// it is impossible to leave some parameters unset at |store|. They must be -// explicitly unset after creating the |X509_STORE_CTX|. +// WARNING: `X509_STORE_CTX_init` applies some default parameters (as in +// `X509_VERIFY_PARAM_inherit`) after copying `store`'s parameters. This means +// it is impossible to leave some parameters unset at `store`. They must be +// explicitly unset after creating the `X509_STORE_CTX`. // // As of writing these late defaults are a depth limit (see -// |X509_VERIFY_PARAM_set_depth|) and the |X509_V_FLAG_TRUSTED_FIRST| flag. This -// warning does not apply if the parameters were set in |store|. +// `X509_VERIFY_PARAM_set_depth`) and the `X509_V_FLAG_TRUSTED_FIRST` flag. This +// warning does not apply if the parameters were set in `store`. // // TODO(crbug.com/boringssl/441): This behavior is very surprising. Can we -// remove this notion of late defaults? The unsettable value at |X509_STORE| is +// remove this notion of late defaults? The unsettable value at `X509_STORE` is // -1, which rejects everything but explicitly-trusted self-signed certificates. -// |X509_V_FLAG_TRUSTED_FIRST| is mostly a workaround for poor path-building. +// `X509_V_FLAG_TRUSTED_FIRST` is mostly a workaround for poor path-building. OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store); -// X509_STORE_set1_param copies verification parameters from |param| as in -// |X509_VERIFY_PARAM_set1|. It returns one on success and zero on error. +// X509_STORE_set1_param copies verification parameters from `param` as in +// `X509_VERIFY_PARAM_set1`. It returns one on success and zero on error. OPENSSL_EXPORT int X509_STORE_set1_param(X509_STORE *store, const X509_VERIFY_PARAM *param); -// X509_STORE_set_flags enables all values in |flags| in |store|'s verification -// flags. 
|flags| should be a combination of |X509_V_FLAG_*| constants. +// X509_STORE_set_flags enables all values in `flags` in `store`'s verification +// flags. `flags` should be a combination of `X509_V_FLAG_*` constants. // // WARNING: These flags will be combined with default flags when copied to an -// |X509_STORE_CTX|. This means it is impossible to unset those defaults from -// the |X509_STORE|. See discussion in |X509_STORE_get0_param|. +// `X509_STORE_CTX`. This means it is impossible to unset those defaults from +// the `X509_STORE`. See discussion in `X509_STORE_get0_param`. OPENSSL_EXPORT int X509_STORE_set_flags(X509_STORE *store, unsigned long flags); -// X509_STORE_set_depth configures |store| to, by default, limit certificate -// chains to |depth| intermediate certificates. This count excludes both the +// X509_STORE_set_depth configures `store` to, by default, limit certificate +// chains to `depth` intermediate certificates. This count excludes both the // target certificate and the trust anchor (root certificate). OPENSSL_EXPORT int X509_STORE_set_depth(X509_STORE *store, int depth); -// X509_STORE_set_purpose configures the purpose check for |store|. See -// |X509_VERIFY_PARAM_set_purpose| for details. +// X509_STORE_set_purpose configures the purpose check for `store`. See +// `X509_VERIFY_PARAM_set_purpose` for details. OPENSSL_EXPORT int X509_STORE_set_purpose(X509_STORE *store, int purpose); -// X509_STORE_set_trust configures the trust check for |store|. See -// |X509_VERIFY_PARAM_set_trust| for details. +// X509_STORE_set_trust configures the trust check for `store`. See +// `X509_VERIFY_PARAM_set_trust` for details. OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust); -// The following constants indicate the type of an |X509_OBJECT|. +// The following constants indicate the type of an `X509_OBJECT`. #define X509_LU_NONE 0 #define X509_LU_X509 1 #define X509_LU_CRL 2 
@@ -2890,28 +2890,28 @@ OPENSSL_EXPORT int X509_STORE_set_trust(X509_STORE *store, int trust); DEFINE_STACK_OF(X509_OBJECT) -// X509_OBJECT_new returns a newly-allocated, empty |X509_OBJECT| or NULL on +// X509_OBJECT_new returns a newly-allocated, empty `X509_OBJECT` or NULL on // error. OPENSSL_EXPORT X509_OBJECT *X509_OBJECT_new(void); -// X509_OBJECT_free releases memory associated with |obj|. +// X509_OBJECT_free releases memory associated with `obj`. OPENSSL_EXPORT void X509_OBJECT_free(X509_OBJECT *obj); -// X509_OBJECT_get_type returns the type of |obj|, which will be one of the -// |X509_LU_*| constants. +// X509_OBJECT_get_type returns the type of `obj`, which will be one of the +// `X509_LU_*` constants. OPENSSL_EXPORT int X509_OBJECT_get_type(const X509_OBJECT *obj); -// X509_OBJECT_get0_X509 returns |obj| as a certificate, or NULL if |obj| is not +// X509_OBJECT_get0_X509 returns `obj` as a certificate, or NULL if `obj` is not // a certificate. OPENSSL_EXPORT X509 *X509_OBJECT_get0_X509(const X509_OBJECT *obj); // X509_STORE_get1_objects returns a newly-allocated stack containing the -// contents of |store|, or NULL on error. The caller must release the result -// with |sk_X509_OBJECT_pop_free| and |X509_OBJECT_free| when done. +// contents of `store`, or NULL on error. The caller must release the result +// with `sk_X509_OBJECT_pop_free` and `X509_OBJECT_free` when done. // // The result will include all certificates and CRLs added via -// |X509_STORE_add_cert| and |X509_STORE_add_crl|, as well as any cached objects -// added by |X509_LOOKUP_add_dir|. The last of these may change over time, as +// `X509_STORE_add_cert` and `X509_STORE_add_crl`, as well as any cached objects +// added by `X509_LOOKUP_add_dir`. The last of these may change over time, as // different objects are loaded from the filesystem. Callers should not depend // on this caching behavior. The objects are returned in no particular order. 
OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get1_objects( 
@@ -2920,41 +2920,41 @@ OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get1_objects( // Certificate verification. // -// An |X509_STORE_CTX| object represents a single certificate verification +// An `X509_STORE_CTX` object represents a single certificate verification // operation. To verify a certificate chain, callers construct an -// |X509_STORE_CTX|, initialize it with |X509_STORE_CTX_init|, configure extra -// parameters with |X509_STORE_CTX_get0_param|, and call |X509_verify_cert|. +// `X509_STORE_CTX`, initialize it with `X509_STORE_CTX_init`, configure extra +// parameters with `X509_STORE_CTX_get0_param`, and call `X509_verify_cert`. -// X509_STORE_CTX_new returns a newly-allocated, empty |X509_STORE_CTX|, or NULL +// X509_STORE_CTX_new returns a newly-allocated, empty `X509_STORE_CTX`, or NULL // on error. OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_new(void); -// X509_STORE_CTX_free releases memory associated with |ctx|. +// X509_STORE_CTX_free releases memory associated with `ctx`. OPENSSL_EXPORT void X509_STORE_CTX_free(X509_STORE_CTX *ctx); -// X509_STORE_CTX_init initializes |ctx| to verify |x509|, using trusted -// certificates and parameters in |store|. It returns one on success and zero on -// error. |chain| is a list of untrusted intermediate certificates to use in +// X509_STORE_CTX_init initializes `ctx` to verify `x509`, using trusted +// certificates and parameters in `store`. It returns one on success and zero on +// error. `chain` is a list of untrusted intermediate certificates to use in // verification. // -// |ctx| stores pointers to |store|, |x509|, and |chain|. Each of these objects -// must outlive |ctx| and may not be mutated for the duration of the certificate +// `ctx` stores pointers to `store`, `x509`, and `chain`. Each of these objects +// must outlive `ctx` and may not be mutated for the duration of the certificate // verification. 
OPENSSL_EXPORT int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, STACK_OF(X509) *chain); -// X509_verify_cert performs certificate verification with |ctx|, which must -// have been initialized with |X509_STORE_CTX_init|. It returns one on success -// and zero on error. On success, |X509_STORE_CTX_get0_chain| or -// |X509_STORE_CTX_get1_chain| may be used to return the verified certificate -// chain. On error, |X509_STORE_CTX_get_error| may be used to return additional +// X509_verify_cert performs certificate verification with `ctx`, which must +// have been initialized with `X509_STORE_CTX_init`. It returns one on success +// and zero on error. On success, `X509_STORE_CTX_get0_chain` or +// `X509_STORE_CTX_get1_chain` may be used to return the verified certificate +// chain. On error, `X509_STORE_CTX_get_error` may be used to return additional // error information. // // WARNING: Most failure conditions from this function do not use the error -// queue. Use |X509_STORE_CTX_get_error| to determine the cause of the error. +// queue. Use `X509_STORE_CTX_get_error` to determine the cause of the error. OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); -// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call, +// X509_STORE_CTX_get0_chain, after a successful `X509_verify_cert` call, // returns the verified certificate chain. The chain begins with the leaf and // ends with trust anchor. // 
@@ -2965,14 +2965,14 @@ OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx); OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_chain( const X509_STORE_CTX *ctx); -// X509_STORE_CTX_get1_chain behaves like |X509_STORE_CTX_get0_chain| but -// returns a newly-allocated |STACK_OF(X509)| containing the completed chain, +// X509_STORE_CTX_get1_chain behaves like `X509_STORE_CTX_get0_chain` but +// returns a newly-allocated `STACK_OF(X509)` containing the completed chain, // with each certificate's reference count incremented. Callers must free the -// result with |sk_X509_pop_free| and |X509_free| when done. +// result with `sk_X509_pop_free` and `X509_free` when done. OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain( const X509_STORE_CTX *ctx); -// The following values are possible outputs of |X509_STORE_CTX_get_error|. +// The following values are possible outputs of `X509_STORE_CTX_get_error`. #define X509_V_OK 0 #define X509_V_ERR_UNSPECIFIED 1 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 
@@ -3035,85 +3035,85 @@ OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_chain( #define X509_V_ERR_STORE_LOOKUP 66 #define X509_V_ERR_NAME_CONSTRAINTS_WITHOUT_SANS 67 -// X509_STORE_CTX_get_error, after |X509_verify_cert| returns, returns -// |X509_V_OK| if verification succeeded or an |X509_V_ERR_*| describing why -// verification failed. This will be consistent with |X509_verify_cert|'s return +// X509_STORE_CTX_get_error, after `X509_verify_cert` returns, returns +// `X509_V_OK` if verification succeeded or an `X509_V_ERR_*` describing why +// verification failed. This will be consistent with `X509_verify_cert`'s return // value, unless the caller used the deprecated verification callback (see -// |X509_STORE_CTX_set_verify_cb|) in a way that breaks |ctx|'s invariants. +// `X509_STORE_CTX_set_verify_cb`) in a way that breaks `ctx`'s invariants. // -// If called during the deprecated verification callback when |ok| is zero, it +// If called during the deprecated verification callback when `ok` is zero, it // returns the current error under consideration. OPENSSL_EXPORT int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx); -// X509_STORE_CTX_set_error sets |ctx|'s error to |err|, which should be -// |X509_V_OK| or an |X509_V_ERR_*| constant. It is not expected to be called in -// typical |X509_STORE_CTX| usage, but may be used in callback APIs where -// applications synthesize |X509_STORE_CTX| error conditions. See also -// |X509_STORE_CTX_set_verify_cb| and |SSL_CTX_set_cert_verify_callback|. +// X509_STORE_CTX_set_error sets `ctx`'s error to `err`, which should be +// `X509_V_OK` or an `X509_V_ERR_*` constant. It is not expected to be called in +// typical `X509_STORE_CTX` usage, but may be used in callback APIs where +// applications synthesize `X509_STORE_CTX` error conditions. See also +// `X509_STORE_CTX_set_verify_cb` and `SSL_CTX_set_cert_verify_callback`. 
OPENSSL_EXPORT void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err); -// X509_verify_cert_error_string returns |err| as a human-readable string, where -// |err| should be one of the |X509_V_*| values. If |err| is unknown, it returns +// X509_verify_cert_error_string returns `err` as a human-readable string, where +// `err` should be one of the `X509_V_*` values. If `err` is unknown, it returns // a default description. OPENSSL_EXPORT const char *X509_verify_cert_error_string(long err); // X509_STORE_CTX_get_error_depth returns the depth at which the error returned -// by |X509_STORE_CTX_get_error| occurred. This is zero-indexed integer into the +// by `X509_STORE_CTX_get_error` occurred. This is zero-indexed integer into the // certificate chain. Zero indicates the target certificate, one its issuer, and // so on. OPENSSL_EXPORT int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx); // X509_STORE_CTX_get_current_cert returns the certificate which caused the -// error returned by |X509_STORE_CTX_get_error|. +// error returned by `X509_STORE_CTX_get_error`. OPENSSL_EXPORT X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); // X509_STORE_CTX_get0_current_crl returns the CRL which caused the error -// returned by |X509_STORE_CTX_get_error|. +// returned by `X509_STORE_CTX_get_error`. OPENSSL_EXPORT X509_CRL *X509_STORE_CTX_get0_current_crl( const X509_STORE_CTX *ctx); -// X509_STORE_CTX_get0_store returns the |X509_STORE| that |ctx| uses. +// X509_STORE_CTX_get0_store returns the `X509_STORE` that `ctx` uses. OPENSSL_EXPORT X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx); -// X509_STORE_CTX_get0_cert returns the leaf certificate that |ctx| is +// X509_STORE_CTX_get0_cert returns the leaf certificate that `ctx` is // verifying. OPENSSL_EXPORT X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); // X509_STORE_CTX_get0_untrusted returns the stack of untrusted intermediates -// used by |ctx| for certificate verification. 
+// used by `ctx` for certificate verification. OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get0_untrusted( const X509_STORE_CTX *ctx); -// X509_STORE_CTX_set0_trusted_stack configures |ctx| to trust the certificates -// in |sk|. |sk| must remain valid for the duration of |ctx|. Calling this -// function causes |ctx| to ignore any certificates configured in the -// |X509_STORE|. Certificates in |sk| are still subject to the check described -// in |X509_VERIFY_PARAM_set_trust|. +// X509_STORE_CTX_set0_trusted_stack configures `ctx` to trust the certificates +// in `sk`. `sk` must remain valid for the duration of `ctx`. Calling this +// function causes `ctx` to ignore any certificates configured in the +// `X509_STORE`. Certificates in `sk` are still subject to the check described +// in `X509_VERIFY_PARAM_set_trust`. // -// WARNING: This function differs from most |set0| functions in that it does not +// WARNING: This function differs from most `set0` functions in that it does not // take ownership of its input. The caller is required to ensure the lifetimes // are consistent. OPENSSL_EXPORT void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); -// X509_STORE_CTX_set0_crls configures |ctx| to consider the CRLs in |sk| as -// candidates for CRL lookup. |sk| must remain valid for the duration of |ctx|. -// These CRLs are considered in addition to CRLs found in |X509_STORE|. +// X509_STORE_CTX_set0_crls configures `ctx` to consider the CRLs in `sk` as +// candidates for CRL lookup. `sk` must remain valid for the duration of `ctx`. +// These CRLs are considered in addition to CRLs found in `X509_STORE`. // -// WARNING: This function differs from most |set0| functions in that it does not +// WARNING: This function differs from most `set0` functions in that it does not // take ownership of its input. The caller is required to ensure the lifetimes // are consistent. 
OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk); -// X509_STORE_CTX_set_default looks up the set of parameters named |name| and -// applies those default verification parameters for |ctx|. As in -// |X509_VERIFY_PARAM_inherit|, only unset parameters are changed. This function +// X509_STORE_CTX_set_default looks up the set of parameters named `name` and +// applies those default verification parameters for `ctx`. As in +// `X509_VERIFY_PARAM_inherit`, only unset parameters are changed. This function // returns one on success and zero on error. // -// The supported values of |name| are: +// The supported values of `name` are: // - "default" is an internal value which configures some late defaults. See the -// discussion in |X509_STORE_get0_param|. +// discussion in `X509_STORE_get0_param`. // - "pkcs7" configures default trust and purpose checks for PKCS#7 signatures. // - "smime_sign" configures trust and purpose checks for S/MIME signatures. // - "ssl_client" configures trust and purpose checks for TLS clients. 
@@ -3123,124 +3123,124 @@ OPENSSL_EXPORT void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, OPENSSL_EXPORT int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name); -// X509_STORE_CTX_get0_param returns |ctx|'s verification parameters. This +// X509_STORE_CTX_get0_param returns `ctx`'s verification parameters. This // object is mutable and may be modified by the caller. OPENSSL_EXPORT X509_VERIFY_PARAM *X509_STORE_CTX_get0_param( X509_STORE_CTX *ctx); -// X509_STORE_CTX_set0_param returns |ctx|'s verification parameters to |param| -// and takes ownership of |param|. After this function returns, the caller -// should not free |param|. +// X509_STORE_CTX_set0_param returns `ctx`'s verification parameters to `param` +// and takes ownership of `param`. After this function returns, the caller +// should not free `param`. // // WARNING: This function discards any values which were previously applied in -// |ctx|, including the "default" parameters applied late in -// |X509_STORE_CTX_init|. These late defaults are not applied to parameters -// created standalone by |X509_VERIFY_PARAM_new|. +// `ctx`, including the "default" parameters applied late in +// `X509_STORE_CTX_init`. These late defaults are not applied to parameters +// created standalone by `X509_VERIFY_PARAM_new`. // // TODO(crbug.com/boringssl/441): This behavior is very surprising. Should we -// re-apply the late defaults in |param|, or somehow avoid this notion of late +// re-apply the late defaults in `param`, or somehow avoid this notion of late // defaults altogether? OPENSSL_EXPORT void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param); -// X509_STORE_CTX_set_flags enables all values in |flags| in |ctx|'s -// verification flags. |flags| should be a combination of |X509_V_FLAG_*| +// X509_STORE_CTX_set_flags enables all values in `flags` in `ctx`'s +// verification flags. `flags` should be a combination of `X509_V_FLAG_*` // constants. 
OPENSSL_EXPORT void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags); -// X509_STORE_CTX_set_time configures certificate verification to use |t| -// instead of the current time. |flags| is ignored and should be zero. +// X509_STORE_CTX_set_time configures certificate verification to use `t` +// instead of the current time. `flags` is ignored and should be zero. OPENSSL_EXPORT void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t); -// X509_STORE_CTX_set_time_posix configures certificate verification to use |t| -// instead of the current time. |t| is interpreted as a POSIX timestamp in -// seconds. |flags| is ignored and should be zero. +// X509_STORE_CTX_set_time_posix configures certificate verification to use `t` +// instead of the current time. `t` is interpreted as a POSIX timestamp in +// seconds. `flags` is ignored and should be zero. OPENSSL_EXPORT void X509_STORE_CTX_set_time_posix(X509_STORE_CTX *ctx, unsigned long flags, int64_t t); -// X509_STORE_CTX_set_depth configures |ctx| to, by default, limit certificate -// chains to |depth| intermediate certificates. This count excludes both the +// X509_STORE_CTX_set_depth configures `ctx` to, by default, limit certificate +// chains to `depth` intermediate certificates. This count excludes both the // target certificate and the trust anchor (root certificate). OPENSSL_EXPORT void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); -// X509_STORE_CTX_set_purpose simultaneously configures |ctx|'s purpose and -// trust checks, if unset. It returns one on success and zero if |purpose| is -// not a valid purpose value. |purpose| should be an |X509_PURPOSE_*| constant. -// If so, it configures |ctx| with a purpose check of |purpose| and a trust -// check of |purpose|'s corresponding trust value. 
If either the purpose or -// trust check had already been specified for |ctx|, that corresponding +// X509_STORE_CTX_set_purpose simultaneously configures `ctx`'s purpose and +// trust checks, if unset. It returns one on success and zero if `purpose` is +// not a valid purpose value. `purpose` should be an `X509_PURPOSE_*` constant. +// If so, it configures `ctx` with a purpose check of `purpose` and a trust +// check of `purpose`'s corresponding trust value. If either the purpose or +// trust check had already been specified for `ctx`, that corresponding // modification is silently dropped. // -// See |X509_VERIFY_PARAM_set_purpose| and |X509_VERIFY_PARAM_set_trust| for +// See `X509_VERIFY_PARAM_set_purpose` and `X509_VERIFY_PARAM_set_trust` for // details on the purpose and trust checks, respectively. // -// If |purpose| is |X509_PURPOSE_ANY|, this function returns an error because it -// has no corresponding |X509_TRUST_*| value. It is not possible to set -// |X509_PURPOSE_ANY| with this function, only |X509_VERIFY_PARAM_set_purpose|. +// If `purpose` is `X509_PURPOSE_ANY`, this function returns an error because it +// has no corresponding `X509_TRUST_*` value. It is not possible to set +// `X509_PURPOSE_ANY` with this function, only `X509_VERIFY_PARAM_set_purpose`. // // WARNING: Unlike similarly named functions in this header, this function -// silently does not behave the same as |X509_VERIFY_PARAM_set_purpose|. Callers -// may use |X509_VERIFY_PARAM_set_purpose| with |X509_STORE_CTX_get0_param| to +// silently does not behave the same as `X509_VERIFY_PARAM_set_purpose`. Callers +// may use `X509_VERIFY_PARAM_set_purpose` with `X509_STORE_CTX_get0_param` to // avoid this difference. OPENSSL_EXPORT int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose); -// X509_STORE_CTX_set_trust configures |ctx|'s trust check, if unset. It returns -// one on success and zero if |trust| is not a valid trust value. |trust| should -// be an |X509_TRUST_*| constant. 
If so, it configures |ctx| with a trust check -// of |trust|. If the trust check had already been specified for |ctx|, it +// X509_STORE_CTX_set_trust configures `ctx`'s trust check, if unset. It returns +// one on success and zero if `trust` is not a valid trust value. `trust` should +// be an `X509_TRUST_*` constant. If so, it configures `ctx` with a trust check +// of `trust`. If the trust check had already been specified for `ctx`, it // silently does nothing. // -// See |X509_VERIFY_PARAM_set_trust| for details on the purpose and trust check. +// See `X509_VERIFY_PARAM_set_trust` for details on the purpose and trust check. // // WARNING: Unlike similarly named functions in this header, this function -// does not behave the same as |X509_VERIFY_PARAM_set_trust|. Callers may use -// |X509_VERIFY_PARAM_set_trust| with |X509_STORE_CTX_get0_param| to avoid this +// does not behave the same as `X509_VERIFY_PARAM_set_trust`. Callers may use +// `X509_VERIFY_PARAM_set_trust` with `X509_STORE_CTX_get0_param` to avoid this // difference. OPENSSL_EXPORT int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust); // Verification parameters. // -// An |X509_VERIFY_PARAM| contains a set of parameters for certificate +// An `X509_VERIFY_PARAM` contains a set of parameters for certificate // verification. -// X509_VERIFY_PARAM_new returns a newly-allocated |X509_VERIFY_PARAM|, or NULL +// X509_VERIFY_PARAM_new returns a newly-allocated `X509_VERIFY_PARAM`, or NULL // on error. OPENSSL_EXPORT X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void); -// X509_VERIFY_PARAM_free releases memory associated with |param|. +// X509_VERIFY_PARAM_free releases memory associated with `param`. OPENSSL_EXPORT void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param); -// X509_VERIFY_PARAM_inherit applies |from| as the default values for |to|. That -// is, for each parameter that is unset in |to|, it copies the value in |from|. 
+// X509_VERIFY_PARAM_inherit applies `from` as the default values for `to`. That +// is, for each parameter that is unset in `to`, it copies the value in `from`. // This function returns one on success and zero on error. OPENSSL_EXPORT int X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from); -// X509_VERIFY_PARAM_set1 copies parameters from |from| to |to|. If a parameter -// is unset in |from|, the existing value in |to| is preserved. This function +// X509_VERIFY_PARAM_set1 copies parameters from `from` to `to`. If a parameter +// is unset in `from`, the existing value in `to` is preserved. This function // returns one on success and zero on error. OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from); -// X509_V_FLAG_* are flags for |X509_VERIFY_PARAM_set_flags| and -// |X509_VERIFY_PARAM_clear_flags|. +// X509_V_FLAG_* are flags for `X509_VERIFY_PARAM_set_flags` and +// `X509_VERIFY_PARAM_clear_flags`. // X509_V_FLAG_CB_ISSUER_CHECK causes the deprecated verify callback (see -// |X509_STORE_CTX_set_verify_cb|) to be called for errors while matching +// `X509_STORE_CTX_set_verify_cb`) to be called for errors while matching // subject and issuer certificates. #define X509_V_FLAG_CB_ISSUER_CHECK 0x1 // X509_V_FLAG_USE_CHECK_TIME is an internal flag used to track whether -// |X509_STORE_CTX_set_time| has been used. If cleared, the system time is +// `X509_STORE_CTX_set_time` has been used. If cleared, the system time is // restored. #define X509_V_FLAG_USE_CHECK_TIME 0x2 // X509_V_FLAG_CRL_CHECK enables CRL lookup and checking for the leaf. #define X509_V_FLAG_CRL_CHECK 0x4 // X509_V_FLAG_CRL_CHECK_ALL enables CRL lookup and checking for the entire -// certificate chain. |X509_V_FLAG_CRL_CHECK| must be set for this flag to take +// certificate chain. `X509_V_FLAG_CRL_CHECK` must be set for this flag to take // effect. 
#define X509_V_FLAG_CRL_CHECK_ALL 0x8 // X509_V_FLAG_IGNORE_CRITICAL ignores unhandled critical extensions. Do not use @@ -3281,7 +3281,7 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, // enabled by default. #define X509_V_FLAG_TRUSTED_FIRST 0x8000 // X509_V_FLAG_PARTIAL_CHAIN treats all trusted certificates as trust anchors, -// independent of the |X509_VERIFY_PARAM_set_trust| setting. +// independent of the `X509_VERIFY_PARAM_set_trust` setting. #define X509_V_FLAG_PARTIAL_CHAIN 0x80000 // X509_V_FLAG_NO_ALT_CHAINS disables building alternative chains if the initial // one was rejected. 
@@ -3290,76 +3290,76 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, // verification. #define X509_V_FLAG_NO_CHECK_TIME 0x200000 -// X509_VERIFY_PARAM_set_flags enables all values in |flags| in |param|'s -// verification flags and returns one. |flags| should be a combination of -// |X509_V_FLAG_*| constants. +// X509_VERIFY_PARAM_set_flags enables all values in `flags` in `param`'s +// verification flags and returns one. `flags` should be a combination of +// `X509_V_FLAG_*` constants. OPENSSL_EXPORT int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags); -// X509_VERIFY_PARAM_clear_flags disables all values in |flags| in |param|'s -// verification flags and returns one. |flags| should be a combination of -// |X509_V_FLAG_*| constants. +// X509_VERIFY_PARAM_clear_flags disables all values in `flags` in `param`'s +// verification flags and returns one. `flags` should be a combination of +// `X509_V_FLAG_*` constants. OPENSSL_EXPORT int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags); -// X509_VERIFY_PARAM_get_flags returns |param|'s verification flags. +// X509_VERIFY_PARAM_get_flags returns `param`'s verification flags. OPENSSL_EXPORT unsigned long X509_VERIFY_PARAM_get_flags( const X509_VERIFY_PARAM *param); -// X509_VERIFY_PARAM_set_depth configures |param| to limit certificate chains to -// |depth| intermediate certificates. This count excludes both the target +// X509_VERIFY_PARAM_set_depth configures `param` to limit certificate chains to +// `depth` intermediate certificates. This count excludes both the target // certificate and the trust anchor (root certificate). OPENSSL_EXPORT void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); -// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in |param|. -// See |X509_VERIFY_PARAM_set_depth|. +// X509_VERIFY_PARAM_get_depth returns the maximum depth configured in `param`. +// See `X509_VERIFY_PARAM_set_depth`. 
OPENSSL_EXPORT int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param); -// X509_VERIFY_PARAM_set_time configures certificate verification to use |t| +// X509_VERIFY_PARAM_set_time configures certificate verification to use `t` // instead of the current time. OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); // X509_VERIFY_PARAM_set_time_posix configures certificate verification to use -// |t| instead of the current time. |t| is interpreted as a POSIX timestamp in +// `t` instead of the current time. `t` is interpreted as a POSIX timestamp in // seconds. OPENSSL_EXPORT void X509_VERIFY_PARAM_set_time_posix(X509_VERIFY_PARAM *param, int64_t t); -// X509_VERIFY_PARAM_add0_policy adds |policy| to the user-initial-policy-set +// X509_VERIFY_PARAM_add0_policy adds `policy` to the user-initial-policy-set // (see Section 6.1.1 of RFC 5280). On success, it takes ownership of -// |policy| and returns one. Otherwise, it returns zero and the caller retains -// owneship of |policy|. +// `policy` and returns one. Otherwise, it returns zero and the caller retains +// owneship of `policy`. OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy); // X509_VERIFY_PARAM_set1_policies sets the user-initial-policy-set (see -// Section 6.1.1 of RFC 5280) to a copy of |policies|. It returns one on success +// Section 6.1.1 of RFC 5280) to a copy of `policies`. It returns one on success // and zero on error. OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies( X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies); -// X509_VERIFY_PARAM_set1_host configures |param| to check for the DNS name -// specified by |name|. It returns one on success and zero on error. +// X509_VERIFY_PARAM_set1_host configures `param` to check for the DNS name +// specified by `name`. It returns one on success and zero on error. 
// // By default, both subject alternative names and the subject's common name // attribute are checked. The latter has long been deprecated, so callers should -// call |X509_VERIFY_PARAM_set_hostflags| with -// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. +// call `X509_VERIFY_PARAM_set_hostflags` with +// `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` to use the standard behavior. // https://crbug.com/boringssl/464 tracks fixing the default. OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t name_len); -// X509_VERIFY_PARAM_add1_host adds |name| to the list of names checked by -// |param|. If any configured DNS name matches the certificate, verification +// X509_VERIFY_PARAM_add1_host adds `name` to the list of names checked by +// `param`. If any configured DNS name matches the certificate, verification // succeeds. It returns one on success and zero on error. // // By default, both subject alternative names and the subject's common name // attribute are checked. The latter has long been deprecated, so callers should -// call |X509_VERIFY_PARAM_set_hostflags| with -// |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| to use the standard behavior. +// call `X509_VERIFY_PARAM_set_hostflags` with +// `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` to use the standard behavior. // https://crbug.com/boringssl/464 tracks fixing the default. OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, 
@@ -3372,30 +3372,30 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, // enabled when subjectAltNames is missing. #define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 -// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on |param| to -// |flags|. |flags| should be a combination of |X509_CHECK_FLAG_*| constants. +// X509_VERIFY_PARAM_set_hostflags sets the name-checking flags on `param` to +// `flags`. `flags` should be a combination of `X509_CHECK_FLAG_*` constants. OPENSSL_EXPORT void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags); -// X509_VERIFY_PARAM_set1_email configures |param| to check for the email -// address specified by |email|. It returns one on success and zero on error. +// X509_VERIFY_PARAM_set1_email configures `param` to check for the email +// address specified by `email`. It returns one on success and zero on error. // // By default, both subject alternative names and the subject's email address -// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be +// attribute are checked. The `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag may be // used to change this behavior. OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t email_len); -// X509_VERIFY_PARAM_set1_ip configures |param| to check for the IP address -// specified by |ip|. It returns one on success and zero on error. The IP -// address is specified in its binary representation. |ip_len| must be 4 for an +// X509_VERIFY_PARAM_set1_ip configures `param` to check for the IP address +// specified by `ip`. It returns one on success and zero on error. The IP +// address is specified in its binary representation. `ip_len` must be 4 for an // IPv4 address and 16 for an IPv6 address. 
OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const uint8_t *ip, size_t ip_len); -// X509_VERIFY_PARAM_set1_ip_asc decodes |ipasc| as the ASCII representation of -// an IPv4 or IPv6 address, and configures |param| to check for it. It returns +// X509_VERIFY_PARAM_set1_ip_asc decodes `ipasc` as the ASCII representation of +// an IPv4 or IPv6 address, and configures `param` to check for it. It returns // one on success and zero on error. OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc); @@ -3411,7 +3411,7 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, // usage specific to the negotiated TLS parameters. #define X509_PURPOSE_SSL_SERVER 2 // X509_PURPOSE_NS_SSL_SERVER is a legacy mode. It behaves like -// |X509_PURPOSE_SSL_SERVER|, but only accepts the keyEncipherment key usage, +// `X509_PURPOSE_SSL_SERVER`, but only accepts the keyEncipherment key usage, // used by SSL 2.0 and RSA key exchange. Do not use this. #define X509_PURPOSE_NS_SSL_SERVER 3 // X509_PURPOSE_SMIME_SIGN validates S/MIME signing certificates. It checks for @@ -3439,9 +3439,9 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, // asserted. #define X509_PURPOSE_TIMESTAMP_SIGN 9 -// X509_VERIFY_PARAM_set_purpose configures |param| to validate certificates for -// a specified purpose. It returns one on success and zero if |purpose| is not a -// valid purpose type. |purpose| should be one of the |X509_PURPOSE_*| values. +// X509_VERIFY_PARAM_set_purpose configures `param` to validate certificates for +// a specified purpose. It returns one on success and zero if `purpose` is not a +// valid purpose type. `purpose` should be one of the `X509_PURPOSE_*` values. // // This option controls checking the extended key usage (EKU) and key usage // extensions. These extensions specify how a certificate's public key may be 
@@ -3455,13 +3455,13 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, // not accept anyExtendedKeyUsage. // // Many purpose values have a corresponding trust value, which is not configured -// by this function. See |X509_VERIFY_PARAM_set_trust| for details. Callers +// by this function. See `X509_VERIFY_PARAM_set_trust` for details. Callers // that wish to configure both should either call both functions, or use -// |X509_STORE_CTX_set_purpose|. +// `X509_STORE_CTX_set_purpose`. // // It is currently not possible to configure custom EKU OIDs or key usage bits. // Contact the BoringSSL maintainers if your application needs to do so. OpenSSL -// had an |X509_PURPOSE_add| API, but it was not thread-safe and relied on +// had an `X509_PURPOSE_add` API, but it was not thread-safe and relied on // global mutable state, so we removed it. // // TODO(davidben): This function additionally configures checking the legacy 
@@ -3472,52 +3472,52 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, // X509_TRUST_COMPAT evaluates trust using only the self-signed fallback. Trust // and distrust OIDs are ignored. #define X509_TRUST_COMPAT 1 -// X509_TRUST_SSL_CLIENT evaluates trust with the |NID_client_auth| OID, for +// X509_TRUST_SSL_CLIENT evaluates trust with the `NID_client_auth` OID, for // validating TLS client certificates. #define X509_TRUST_SSL_CLIENT 2 -// X509_TRUST_SSL_SERVER evaluates trust with the |NID_server_auth| OID, for +// X509_TRUST_SSL_SERVER evaluates trust with the `NID_server_auth` OID, for // validating TLS server certificates. #define X509_TRUST_SSL_SERVER 3 -// X509_TRUST_EMAIL evaluates trust with the |NID_email_protect| OID, for +// X509_TRUST_EMAIL evaluates trust with the `NID_email_protect` OID, for // validating S/MIME email certificates. #define X509_TRUST_EMAIL 4 -// X509_TRUST_OBJECT_SIGN evaluates trust with the |NID_code_sign| OID, for +// X509_TRUST_OBJECT_SIGN evaluates trust with the `NID_code_sign` OID, for // validating code signing certificates. #define X509_TRUST_OBJECT_SIGN 5 -// X509_TRUST_TSA evaluates trust with the |NID_time_stamp| OID, for validating +// X509_TRUST_TSA evaluates trust with the `NID_time_stamp` OID, for validating // Time Stamping Authority (RFC 3161) certificates. #define X509_TRUST_TSA 8 -// X509_VERIFY_PARAM_set_trust configures which certificates from |X509_STORE| -// are trust anchors. It returns one on success and zero if |trust| is not a -// valid trust value. |trust| should be one of the |X509_TRUST_*| constants. +// X509_VERIFY_PARAM_set_trust configures which certificates from `X509_STORE` +// are trust anchors. It returns one on success and zero if `trust` is not a +// valid trust value. `trust` should be one of the `X509_TRUST_*` constants. // This function allows applications to vary trust anchors when the same set of // trusted certificates is used in multiple contexts. 
// // Two properties determine whether a certificate is a trust anchor: // // - Whether it is trusted or distrusted for some OID, via auxiliary information -// configured by |X509_add1_trust_object| or |X509_add1_reject_object|. +// configured by `X509_add1_trust_object` or `X509_add1_reject_object`. // -// - Whether it is "self-signed". That is, whether |X509_get_extension_flags| -// includes |EXFLAG_SS|. The signature itself is not checked. +// - Whether it is "self-signed". That is, whether `X509_get_extension_flags` +// includes `EXFLAG_SS`. The signature itself is not checked. // -// When this function is called, |trust| determines the OID to check in the +// When this function is called, `trust` determines the OID to check in the // first case. If the certificate is not explicitly trusted or distrusted for // any OID, it is trusted if self-signed instead. // -// If unset, the default behavior is to check for the |NID_anyExtendedKeyUsage| +// If unset, the default behavior is to check for the `NID_anyExtendedKeyUsage` // OID. If the certificate is not explicitly trusted or distrusted for this OID, // it is trusted if self-signed instead. Note this slightly differs from the // above. // -// If the |X509_V_FLAG_PARTIAL_CHAIN| is set, every certificate from -// |X509_STORE| is a trust anchor, unless it was explicitly distrusted for the +// If the `X509_V_FLAG_PARTIAL_CHAIN` is set, every certificate from +// `X509_STORE` is a trust anchor, unless it was explicitly distrusted for the // OID. // // It is currently not possible to configure custom trust OIDs. Contact the // BoringSSL maintainers if your application needs to do so. OpenSSL had an -// |X509_TRUST_add| API, but it was not thread-safe and relied on global mutable +// `X509_TRUST_add` API, but it was not thread-safe and relied on global mutable // state, so we removed it. OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); 
@@ -3525,160 +3525,160 @@ OPENSSL_EXPORT int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, // Filesystem-based certificate stores. // -// An |X509_STORE| may be configured to get its contents from the filesystem. -// This is done by adding |X509_LOOKUP| structures to the |X509_STORE| with -// |X509_STORE_add_lookup| and then configuring the |X509_LOOKUP| with paths. +// An `X509_STORE` may be configured to get its contents from the filesystem. +// This is done by adding `X509_LOOKUP` structures to the `X509_STORE` with +// `X509_STORE_add_lookup` and then configuring the `X509_LOOKUP` with paths. // -// Most cases can use |X509_STORE_load_locations|, which configures the same +// Most cases can use `X509_STORE_load_locations`, which configures the same // thing but is simpler to use. -// X509_STORE_load_locations configures |store| to load data from filepaths -// |file| and |dir|. It returns one on success and zero on error. Either of -// |file| or |dir| may be NULL, but at least one must be non-NULL. +// X509_STORE_load_locations configures `store` to load data from filepaths +// `file` and `dir`. It returns one on success and zero on error. Either of +// `file` or `dir` may be NULL, but at least one must be non-NULL. // -// If |file| is non-NULL, it loads CRLs and trusted certificates in PEM format -// from the file at |file|, and them to |store|, as in |X509_load_cert_crl_file| -// with |X509_FILETYPE_PEM|. +// If `file` is non-NULL, it loads CRLs and trusted certificates in PEM format +// from the file at `file`, and them to `store`, as in `X509_load_cert_crl_file` +// with `X509_FILETYPE_PEM`. // -// If |dir| is non-NULL, it configures |store| to load CRLs and trusted -// certificates from the directory at |dir| in PEM format, as in -// |X509_LOOKUP_add_dir| with |X509_FILETYPE_PEM|. 
+// If `dir` is non-NULL, it configures `store` to load CRLs and trusted +// certificates from the directory at `dir` in PEM format, as in +// `X509_LOOKUP_add_dir` with `X509_FILETYPE_PEM`. OPENSSL_EXPORT int X509_STORE_load_locations(X509_STORE *store, const char *file, const char *dir); -// X509_STORE_add_lookup returns an |X509_LOOKUP| associated with |store| with -// type |method|, or NULL on error. The result is owned by |store|, so callers -// are not expected to free it. This may be used with |X509_LOOKUP_add_dir| or -// |X509_LOOKUP_load_file|, depending on |method|, to configure |store|. +// X509_STORE_add_lookup returns an `X509_LOOKUP` associated with `store` with +// type `method`, or NULL on error. The result is owned by `store`, so callers +// are not expected to free it. This may be used with `X509_LOOKUP_add_dir` or +// `X509_LOOKUP_load_file`, depending on `method`, to configure `store`. // -// A single |X509_LOOKUP| may be configured with multiple paths, and an -// |X509_STORE| only contains one |X509_LOOKUP| of each type, so there is no +// A single `X509_LOOKUP` may be configured with multiple paths, and an +// `X509_STORE` only contains one `X509_LOOKUP` of each type, so there is no // need to call this function multiple times for a single type. Calling it -// multiple times will return the previous |X509_LOOKUP| of that type. +// multiple times will return the previous `X509_LOOKUP` of that type. OPENSSL_EXPORT X509_LOOKUP *X509_STORE_add_lookup( X509_STORE *store, const X509_LOOKUP_METHOD *method); -// X509_LOOKUP_hash_dir creates |X509_LOOKUP|s that may be used with -// |X509_LOOKUP_add_dir|. +// X509_LOOKUP_hash_dir creates `X509_LOOKUP`s that may be used with +// `X509_LOOKUP_add_dir`. OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void); -// X509_LOOKUP_file creates |X509_LOOKUP|s that may be used with -// |X509_LOOKUP_load_file|. 
+// X509_LOOKUP_file creates `X509_LOOKUP`s that may be used with +// `X509_LOOKUP_load_file`. // -// Although this is modeled as an |X509_LOOKUP|, this function is redundant. It +// Although this is modeled as an `X509_LOOKUP`, this function is redundant. It // has the same effect as loading a certificate or CRL from the filesystem, in -// the caller's desired format, and then adding it with |X509_STORE_add_cert| -// and |X509_STORE_add_crl|. +// the caller's desired format, and then adding it with `X509_STORE_add_cert` +// and `X509_STORE_add_crl`. OPENSSL_EXPORT const X509_LOOKUP_METHOD *X509_LOOKUP_file(void); // The following constants are used to specify the format of files in an -// |X509_LOOKUP|. +// `X509_LOOKUP`. #define X509_FILETYPE_PEM 1 #define X509_FILETYPE_ASN1 2 #define X509_FILETYPE_DEFAULT 3 -// X509_LOOKUP_load_file calls |X509_load_cert_crl_file|. |lookup| must have -// been constructed with |X509_LOOKUP_file|. +// X509_LOOKUP_load_file calls `X509_load_cert_crl_file`. `lookup` must have +// been constructed with `X509_LOOKUP_file`. // -// If |type| is |X509_FILETYPE_DEFAULT|, it ignores |file| and instead uses some -// default system path with |X509_FILETYPE_PEM|. See also -// |X509_STORE_set_default_paths|. +// If `type` is `X509_FILETYPE_DEFAULT`, it ignores `file` and instead uses some +// default system path with `X509_FILETYPE_PEM`. See also +// `X509_STORE_set_default_paths`. OPENSSL_EXPORT int X509_LOOKUP_load_file(X509_LOOKUP *lookup, const char *file, int type); -// X509_LOOKUP_add_dir configures |lookup| to load CRLs and trusted certificates -// from the directories in |path|. It returns one on success and zero on error. -// |lookup| must have been constructed with |X509_LOOKUP_hash_dir|. +// X509_LOOKUP_add_dir configures `lookup` to load CRLs and trusted certificates +// from the directories in `path`. It returns one on success and zero on error. +// `lookup` must have been constructed with `X509_LOOKUP_hash_dir`. 
// -// WARNING: |path| is interpreted as a colon-separated (semicolon-separated on +// WARNING: `path` is interpreted as a colon-separated (semicolon-separated on // Windows) list of paths. It is not possible to configure a path containing the // separator character. https://crbug.com/boringssl/691 tracks removing this // behavior. // -// |type| should be one of the |X509_FILETYPE_*| constants and determines the -// format of the files. If |type| is |X509_FILETYPE_DEFAULT|, |path| is ignored -// and some default system path is used with |X509_FILETYPE_PEM|. See also -// |X509_STORE_set_default_paths|. +// `type` should be one of the `X509_FILETYPE_*` constants and determines the +// format of the files. If `type` is `X509_FILETYPE_DEFAULT`, `path` is ignored +// and some default system path is used with `X509_FILETYPE_PEM`. See also +// `X509_STORE_set_default_paths`. // // Trusted certificates should be named HASH.N and CRLs should be -// named HASH.rN. HASH is |X509_NAME_hash| of the certificate subject and CRL +// named HASH.rN. HASH is `X509_NAME_hash` of the certificate subject and CRL // issuer, respectively, in hexadecimal. N is in decimal and counts hash // collisions consecutively, starting from zero. For example, "002c0b4f.0" and // "002c0b4f.r0". // -// WARNING: Objects from |path| are loaded on demand, but cached in memory on -// the |X509_STORE|. If a CA is removed from the directory, existing -// |X509_STORE|s will continue to trust it. Cache entries are not evicted for -// the lifetime of the |X509_STORE|. +// WARNING: Objects from `path` are loaded on demand, but cached in memory on +// the `X509_STORE`. If a CA is removed from the directory, existing +// `X509_STORE`s will continue to trust it. Cache entries are not evicted for +// the lifetime of the `X509_STORE`. // // WARNING: This mechanism is also not well-suited for CRL updates. -// |X509_STORE|s rely on this cache and never load the same CRL file twice. 
CRL +// `X509_STORE`s rely on this cache and never load the same CRL file twice. CRL // updates must use a new file, with an incremented suffix, to be reflected in -// existing |X509_STORE|s. However, this means each CRL update will use +// existing `X509_STORE`s. However, this means each CRL update will use // additional storage and memory. Instead, configure inputs that vary per -// verification, such as CRLs, on each |X509_STORE_CTX| separately, using -// functions like |X509_STORE_CTX_set0_crl|. +// verification, such as CRLs, on each `X509_STORE_CTX` separately, using +// functions like `X509_STORE_CTX_set0_crl`. OPENSSL_EXPORT int X509_LOOKUP_add_dir(X509_LOOKUP *lookup, const char *path, int type); -// X509_L_* are commands for |X509_LOOKUP_ctrl|. +// X509_L_* are commands for `X509_LOOKUP_ctrl`. #define X509_L_FILE_LOAD 1 #define X509_L_ADD_DIR 2 -// X509_LOOKUP_ctrl implements commands on |lookup|. |cmd| specifies the +// X509_LOOKUP_ctrl implements commands on `lookup`. `cmd` specifies the // command. The other arguments specify the operation in a command-specific way. -// Use |X509_LOOKUP_load_file| or |X509_LOOKUP_add_dir| instead. +// Use `X509_LOOKUP_load_file` or `X509_LOOKUP_add_dir` instead. OPENSSL_EXPORT int X509_LOOKUP_ctrl(X509_LOOKUP *lookup, int cmd, const char *argc, long argl, char **ret); -// X509_load_cert_file loads trusted certificates from |file| and adds them to -// |lookup|'s |X509_STORE|. It returns one on success and zero on error. +// X509_load_cert_file loads trusted certificates from `file` and adds them to +// `lookup`'s `X509_STORE`. It returns one on success and zero on error. // -// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate. -// If |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded -// certificates. |type| may not be |X509_FILETYPE_DEFAULT|. +// If `type` is `X509_FILETYPE_ASN1`, it loads a single DER-encoded certificate. 
+// If `type` is `X509_FILETYPE_PEM`, it loads a sequence of PEM-encoded +// certificates. `type` may not be `X509_FILETYPE_DEFAULT`. OPENSSL_EXPORT int X509_load_cert_file(X509_LOOKUP *lookup, const char *file, int type); -// X509_load_crl_file loads CRLs from |file| and add them it to |lookup|'s -// |X509_STORE|. It returns one on success and zero on error. +// X509_load_crl_file loads CRLs from `file` and add them it to `lookup`'s +// `X509_STORE`. It returns one on success and zero on error. // -// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded CRL. If -// |type| is |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded CRLs. -// |type| may not be |X509_FILETYPE_DEFAULT|. +// If `type` is `X509_FILETYPE_ASN1`, it loads a single DER-encoded CRL. If +// `type` is `X509_FILETYPE_PEM`, it loads a sequence of PEM-encoded CRLs. +// `type` may not be `X509_FILETYPE_DEFAULT`. OPENSSL_EXPORT int X509_load_crl_file(X509_LOOKUP *lookup, const char *file, int type); -// X509_load_cert_crl_file loads CRLs and trusted certificates from |file| and -// adds them to |lookup|'s |X509_STORE|. It returns one on success and zero on +// X509_load_cert_crl_file loads CRLs and trusted certificates from `file` and +// adds them to `lookup`'s `X509_STORE`. It returns one on success and zero on // error. // -// If |type| is |X509_FILETYPE_ASN1|, it loads a single DER-encoded certificate. -// This function cannot be used to load a DER-encoded CRL. If |type| is -// |X509_FILETYPE_PEM|, it loads a sequence of PEM-encoded certificates and -// CRLs. |type| may not be |X509_FILETYPE_DEFAULT|. +// If `type` is `X509_FILETYPE_ASN1`, it loads a single DER-encoded certificate. +// This function cannot be used to load a DER-encoded CRL. If `type` is +// `X509_FILETYPE_PEM`, it loads a sequence of PEM-encoded certificates and +// CRLs. `type` may not be `X509_FILETYPE_DEFAULT`. 
OPENSSL_EXPORT int X509_load_cert_crl_file(X509_LOOKUP *lookup, const char *file, int type); -// X509_NAME_hash returns a hash of |name|, or zero on error. This is the new -// hash used by |X509_LOOKUP_add_dir|. +// X509_NAME_hash returns a hash of `name`, or zero on error. This is the new +// hash used by `X509_LOOKUP_add_dir`. // -// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// This hash is specific to the `X509_LOOKUP_add_dir` filesystem format and is // not suitable for general-purpose X.509 name processing. It is very short, so // there will be hash collisions. It also depends on an OpenSSL-specific // canonicalization process. OPENSSL_EXPORT uint32_t X509_NAME_hash(const X509_NAME *name); -// X509_NAME_hash_old returns a hash of |name|, or zero on error. This is the -// legacy hash used by |X509_LOOKUP_add_dir|, which is still supported for +// X509_NAME_hash_old returns a hash of `name`, or zero on error. This is the +// legacy hash used by `X509_LOOKUP_add_dir`, which is still supported for // compatibility. // -// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// This hash is specific to the `X509_LOOKUP_add_dir` filesystem format and is // not suitable for general-purpose X.509 name processing. It is very short, so // there will be hash collisions. OPENSSL_EXPORT uint32_t X509_NAME_hash_old(const X509_NAME *name); -// X509_STORE_set_default_paths configures |store| to read from some "default" +// X509_STORE_set_default_paths configures `store` to read from some "default" // filesystem paths. It returns one on success and zero on error. The filesystem // paths are determined by a combination of hardcoded paths and the SSL_CERT_DIR // and SSL_CERT_FILE environment variables. 
@@ -3714,14 +3714,14 @@ OPENSSL_EXPORT const char *X509_get_default_cert_file_env(void); // // The SignedPublicKeyAndChallenge (SPKAC) is a legacy structure to request // certificates, primarily in the legacy HTML tag. An SPKAC structure -// is represented by a |NETSCAPE_SPKI| structure. +// is represented by a `NETSCAPE_SPKI` structure. // // The structure is described in // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/keygen -// A Netscape_spki_st, or |NETSCAPE_SPKI|, represents a +// A Netscape_spki_st, or `NETSCAPE_SPKI`, represents a // SignedPublicKeyAndChallenge structure. Although this structure contains a -// |spkac| field of type |NETSCAPE_SPKAC|, these are misnamed. The SPKAC is the +// `spkac` field of type `NETSCAPE_SPKAC`, these are misnamed. The SPKAC is the // entire structure, not the signed portion. struct Netscape_spki_st { NETSCAPE_SPKAC *spkac; 
@@ -3729,81 +3729,81 @@ struct Netscape_spki_st { ASN1_BIT_STRING *signature; } /* NETSCAPE_SPKI */; -// NETSCAPE_SPKI_new returns a newly-allocated, empty |NETSCAPE_SPKI| object, or +// NETSCAPE_SPKI_new returns a newly-allocated, empty `NETSCAPE_SPKI` object, or // NULL on error. OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_new(void); -// NETSCAPE_SPKI_free releases memory associated with |spki|. +// NETSCAPE_SPKI_free releases memory associated with `spki`. OPENSSL_EXPORT void NETSCAPE_SPKI_free(NETSCAPE_SPKI *spki); -// d2i_NETSCAPE_SPKI parses up to |len| bytes from |*inp| as a DER-encoded -// SignedPublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. +// d2i_NETSCAPE_SPKI parses up to `len` bytes from `*inp` as a DER-encoded +// SignedPublicKeyAndChallenge structure, as described in `d2i_SAMPLE`. OPENSSL_EXPORT NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **out, const uint8_t **inp, long len); -// i2d_NETSCAPE_SPKI marshals |spki| as a DER-encoded -// SignedPublicKeyAndChallenge structure, as described in |i2d_SAMPLE|. +// i2d_NETSCAPE_SPKI marshals `spki` as a DER-encoded +// SignedPublicKeyAndChallenge structure, as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_NETSCAPE_SPKI(const NETSCAPE_SPKI *spki, uint8_t **outp); -// NETSCAPE_SPKI_verify checks that |spki| has a valid signature by |pkey|. It +// NETSCAPE_SPKI_verify checks that `spki` has a valid signature by `pkey`. It // returns one if the signature is valid and zero otherwise. OPENSSL_EXPORT int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); -// NETSCAPE_SPKI_b64_decode decodes |len| bytes from |str| as a base64-encoded +// NETSCAPE_SPKI_b64_decode decodes `len` bytes from `str` as a base64-encoded // SignedPublicKeyAndChallenge structure. It returns a newly-allocated -// |NETSCAPE_SPKI| structure with the result, or NULL on error. 
If |len| is 0 or -// negative, the length is calculated with |strlen| and |str| must be a +// `NETSCAPE_SPKI` structure with the result, or NULL on error. If `len` is 0 or +// negative, the length is calculated with `strlen` and `str` must be a // NUL-terminated C string. OPENSSL_EXPORT NETSCAPE_SPKI *NETSCAPE_SPKI_b64_decode(const char *str, ossl_ssize_t len); -// NETSCAPE_SPKI_b64_encode encodes |spki| as a base64-encoded +// NETSCAPE_SPKI_b64_encode encodes `spki` as a base64-encoded // SignedPublicKeyAndChallenge structure. It returns a newly-allocated // NUL-terminated C string with the result, or NULL on error. The caller must -// release the memory with |OPENSSL_free| when done. +// release the memory with `OPENSSL_free` when done. OPENSSL_EXPORT char *NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki); -// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in |spki| as an -// |EVP_PKEY|, or NULL on error. The caller takes ownership of the resulting -// pointer and must call |EVP_PKEY_free| when done. +// NETSCAPE_SPKI_get_pubkey decodes and returns the public key in `spki` as an +// `EVP_PKEY`, or NULL on error. The caller takes ownership of the resulting +// pointer and must call `EVP_PKEY_free` when done. OPENSSL_EXPORT EVP_PKEY *NETSCAPE_SPKI_get_pubkey(const NETSCAPE_SPKI *spki); -// NETSCAPE_SPKI_set_pubkey sets |spki|'s public key to |pkey|. It returns one -// on success or zero on error. This function does not take ownership of |pkey|, -// so the caller may continue to manage its lifetime independently of |spki|. +// NETSCAPE_SPKI_set_pubkey sets `spki`'s public key to `pkey`. It returns one +// on success or zero on error. This function does not take ownership of `pkey`, +// so the caller may continue to manage its lifetime independently of `spki`. 
OPENSSL_EXPORT int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *spki, EVP_PKEY *pkey); -// NETSCAPE_SPKI_sign signs |spki| with |pkey| and replaces the signature +// NETSCAPE_SPKI_sign signs `spki` with `pkey` and replaces the signature // algorithm and signature fields. It returns the length of the signature on -// success and zero on error. This function uses digest algorithm |md|, or -// |pkey|'s default if NULL. Other signing parameters use |pkey|'s defaults. +// success and zero on error. This function uses digest algorithm `md`, or +// `pkey`'s default if NULL. Other signing parameters use `pkey`'s defaults. OPENSSL_EXPORT int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *spki, EVP_PKEY *pkey, const EVP_MD *md); -// A Netscape_spkac_st, or |NETSCAPE_SPKAC|, represents a PublicKeyAndChallenge +// A Netscape_spkac_st, or `NETSCAPE_SPKAC`, represents a PublicKeyAndChallenge // structure. This type is misnamed. The full SPKAC includes the signature, -// which is represented with the |NETSCAPE_SPKI| type. +// which is represented with the `NETSCAPE_SPKI` type. struct Netscape_spkac_st { X509_PUBKEY *pubkey; ASN1_IA5STRING *challenge; } /* NETSCAPE_SPKAC */; -// NETSCAPE_SPKAC_new returns a newly-allocated, empty |NETSCAPE_SPKAC| object, +// NETSCAPE_SPKAC_new returns a newly-allocated, empty `NETSCAPE_SPKAC` object, // or NULL on error. OPENSSL_EXPORT NETSCAPE_SPKAC *NETSCAPE_SPKAC_new(void); -// NETSCAPE_SPKAC_free releases memory associated with |spkac|. +// NETSCAPE_SPKAC_free releases memory associated with `spkac`. OPENSSL_EXPORT void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *spkac); -// d2i_NETSCAPE_SPKAC parses up to |len| bytes from |*inp| as a DER-encoded -// PublicKeyAndChallenge structure, as described in |d2i_SAMPLE|. +// d2i_NETSCAPE_SPKAC parses up to `len` bytes from `*inp` as a DER-encoded +// PublicKeyAndChallenge structure, as described in `d2i_SAMPLE`. 
OPENSSL_EXPORT NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **out, const uint8_t **inp, long len); -// i2d_NETSCAPE_SPKAC marshals |spkac| as a DER-encoded PublicKeyAndChallenge -// structure, as described in |i2d_SAMPLE|. +// i2d_NETSCAPE_SPKAC marshals `spkac` as a DER-encoded PublicKeyAndChallenge +// structure, as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, uint8_t **outp); 
@@ -3816,43 +3816,43 @@ OPENSSL_EXPORT int i2d_NETSCAPE_SPKAC(const NETSCAPE_SPKAC *spkac, // discouraged. The parameters structure is very complex, and it takes more // bytes to merely encode parameters than an entire P-256 ECDSA signature. -// An rsa_pss_params_st, aka |RSA_PSS_PARAMS|, represents a parsed +// An rsa_pss_params_st, aka `RSA_PSS_PARAMS`, represents a parsed // RSASSA-PSS-params structure, as defined in (RFC 4055). struct rsa_pss_params_st { X509_ALGOR *hashAlgorithm; X509_ALGOR *maskGenAlgorithm; ASN1_INTEGER *saltLength; ASN1_INTEGER *trailerField; - // OpenSSL caches the MGF hash on |RSA_PSS_PARAMS| in some cases. None of the + // OpenSSL caches the MGF hash on `RSA_PSS_PARAMS` in some cases. None of the // cases apply to BoringSSL, so this is always NULL, but Node expects the // field to be present. X509_ALGOR *maskHash; } /* RSA_PSS_PARAMS */; -// RSA_PSS_PARAMS is an |ASN1_ITEM| whose ASN.1 type is RSASSA-PSS-params (RFC -// 4055) and C type is |RSA_PSS_PARAMS*|. +// RSA_PSS_PARAMS is an `ASN1_ITEM` whose ASN.1 type is RSASSA-PSS-params (RFC +// 4055) and C type is `RSA_PSS_PARAMS*`. DECLARE_ASN1_ITEM(RSA_PSS_PARAMS) -// RSA_PSS_PARAMS_new returns a new, empty |RSA_PSS_PARAMS|, or NULL on error. +// RSA_PSS_PARAMS_new returns a new, empty `RSA_PSS_PARAMS`, or NULL on error. OPENSSL_EXPORT RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void); -// RSA_PSS_PARAMS_free releases memory associated with |params|. +// RSA_PSS_PARAMS_free releases memory associated with `params`. OPENSSL_EXPORT void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *params); -// d2i_RSA_PSS_PARAMS parses up to |len| bytes from |*inp| as a DER-encoded -// RSASSA-PSS-params (RFC 4055), as described in |d2i_SAMPLE|. +// d2i_RSA_PSS_PARAMS parses up to `len` bytes from `*inp` as a DER-encoded +// RSASSA-PSS-params (RFC 4055), as described in `d2i_SAMPLE`. 
OPENSSL_EXPORT RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **out, const uint8_t **inp, long len); -// i2d_RSA_PSS_PARAMS marshals |in| as a DER-encoded RSASSA-PSS-params (RFC -// 4055), as described in |i2d_SAMPLE|. +// i2d_RSA_PSS_PARAMS marshals `in` as a DER-encoded RSASSA-PSS-params (RFC +// 4055), as described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_RSA_PSS_PARAMS(const RSA_PSS_PARAMS *in, uint8_t **outp); // PKCS#8 private keys. // -// The |PKCS8_PRIV_KEY_INFO| type represents a PKCS#8 PrivateKeyInfo (RFC 5208) +// The `PKCS8_PRIV_KEY_INFO` type represents a PKCS#8 PrivateKeyInfo (RFC 5208) // structure. This is analogous to SubjectPublicKeyInfo and uses the same // AlgorithmIdentifiers, but carries private keys and is not part of X.509 // itself. 
@@ -3860,68 +3860,68 @@ OPENSSL_EXPORT int i2d_RSA_PSS_PARAMS(const RSA_PSS_PARAMS *in, uint8_t **outp); // TODO(davidben): Do these functions really belong in this header? // PKCS8_PRIV_KEY_INFO_new returns a newly-allocated, empty -// |PKCS8_PRIV_KEY_INFO| object, or NULL on error. +// `PKCS8_PRIV_KEY_INFO` object, or NULL on error. OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *PKCS8_PRIV_KEY_INFO_new(void); -// PKCS8_PRIV_KEY_INFO_free releases memory associated with |key|. +// PKCS8_PRIV_KEY_INFO_free releases memory associated with `key`. OPENSSL_EXPORT void PKCS8_PRIV_KEY_INFO_free(PKCS8_PRIV_KEY_INFO *key); -// d2i_PKCS8_PRIV_KEY_INFO parses up to |len| bytes from |*inp| as a DER-encoded -// PrivateKeyInfo, as described in |d2i_SAMPLE|. +// d2i_PKCS8_PRIV_KEY_INFO parses up to `len` bytes from `*inp` as a DER-encoded +// PrivateKeyInfo, as described in `d2i_SAMPLE`. OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO( PKCS8_PRIV_KEY_INFO **out, const uint8_t **inp, long len); -// i2d_PKCS8_PRIV_KEY_INFO marshals |key| as a DER-encoded PrivateKeyInfo, as -// described in |i2d_SAMPLE|. +// i2d_PKCS8_PRIV_KEY_INFO marshals `key` as a DER-encoded PrivateKeyInfo, as +// described in `i2d_SAMPLE`. OPENSSL_EXPORT int i2d_PKCS8_PRIV_KEY_INFO(const PKCS8_PRIV_KEY_INFO *key, uint8_t **outp); -// EVP_PKCS82PKEY returns |p8| as a newly-allocated |EVP_PKEY|, or NULL if the +// EVP_PKCS82PKEY returns `p8` as a newly-allocated `EVP_PKEY`, or NULL if the // key was unsupported or could not be decoded. The caller must release the -// result with |EVP_PKEY_free| when done. +// result with `EVP_PKEY_free` when done. // -// Use |EVP_parse_private_key| instead. +// Use `EVP_parse_private_key` instead. OPENSSL_EXPORT EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8); -// EVP_PKEY2PKCS8 encodes |pkey| as a PKCS#8 PrivateKeyInfo (RFC 5208), -// represented as a newly-allocated |PKCS8_PRIV_KEY_INFO|, or NULL on error. 
The -// caller must release the result with |PKCS8_PRIV_KEY_INFO_free| when done. +// EVP_PKEY2PKCS8 encodes `pkey` as a PKCS#8 PrivateKeyInfo (RFC 5208), +// represented as a newly-allocated `PKCS8_PRIV_KEY_INFO`, or NULL on error. The +// caller must release the result with `PKCS8_PRIV_KEY_INFO_free` when done. // -// Use |EVP_marshal_private_key| instead. +// Use `EVP_marshal_private_key` instead. OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(const EVP_PKEY *pkey); // Algorithm and octet string pairs. // -// The |X509_SIG| type represents an ASN.1 SEQUENCE type of an -// AlgorithmIdentifier and an OCTET STRING. Although named |X509_SIG|, there is +// The `X509_SIG` type represents an ASN.1 SEQUENCE type of an +// AlgorithmIdentifier and an OCTET STRING. Although named `X509_SIG`, there is // no type in X.509 which matches this format. The two common types which do are // DigestInfo (RFC 2315 and RFC 8017), and EncryptedPrivateKeyInfo (RFC 5208). -// X509_SIG_new returns a newly-allocated, empty |X509_SIG| object, or NULL on +// X509_SIG_new returns a newly-allocated, empty `X509_SIG` object, or NULL on // error. OPENSSL_EXPORT X509_SIG *X509_SIG_new(void); -// X509_SIG_free releases memory associated with |key|. +// X509_SIG_free releases memory associated with `key`. OPENSSL_EXPORT void X509_SIG_free(X509_SIG *key); -// d2i_X509_SIG parses up to |len| bytes from |*inp| as a DER-encoded algorithm -// and octet string pair, as described in |d2i_SAMPLE|. +// d2i_X509_SIG parses up to `len` bytes from `*inp` as a DER-encoded algorithm +// and octet string pair, as described in `d2i_SAMPLE`. OPENSSL_EXPORT X509_SIG *d2i_X509_SIG(X509_SIG **out, const uint8_t **inp, long len); -// i2d_X509_SIG marshals |sig| as a DER-encoded algorithm -// and octet string pair, as described in |i2d_SAMPLE|. +// i2d_X509_SIG marshals `sig` as a DER-encoded algorithm +// and octet string pair, as described in `i2d_SAMPLE`. 
OPENSSL_EXPORT int i2d_X509_SIG(const X509_SIG *sig, uint8_t **outp); -// X509_SIG_get0 sets |*out_alg| and |*out_digest| to non-owning pointers to -// |sig|'s algorithm and digest fields, respectively. Either |out_alg| and -// |out_digest| may be NULL to skip those fields. +// X509_SIG_get0 sets `*out_alg` and `*out_digest` to non-owning pointers to +// `sig`'s algorithm and digest fields, respectively. Either `out_alg` and +// `out_digest` may be NULL to skip those fields. OPENSSL_EXPORT void X509_SIG_get0(const X509_SIG *sig, const X509_ALGOR **out_alg, const ASN1_OCTET_STRING **out_digest); -// X509_SIG_getm behaves like |X509_SIG_get0| but returns mutable pointers. +// X509_SIG_getm behaves like `X509_SIG_get0` but returns mutable pointers. OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, ASN1_OCTET_STRING **out_digest); @@ -3933,8 +3933,8 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, // and not parsed programmatically. In many cases, the outputs are ambiguous, so // attempting to parse them can lead to string injection vulnerabilities. -// The following flags control |X509_print_ex| and |X509_REQ_print_ex|. These -// flags co-exist with |X509V3_EXT_*|, so avoid collisions when adding new ones. +// The following flags control `X509_print_ex` and `X509_REQ_print_ex`. These +// flags co-exist with `X509V3_EXT_*`, so avoid collisions when adding new ones. // X509_FLAG_COMPAT disables all flags. It additionally causes names to be // printed with a 16-byte indent. 
@@ -3947,18 +3947,18 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, #define X509_FLAG_NO_VERSION (1L << 1) // X509_FLAG_NO_SERIAL skips printing the serial number. It is ignored in -// |X509_REQ_print_fp|. +// `X509_REQ_print_fp`. #define X509_FLAG_NO_SERIAL (1L << 2) // X509_FLAG_NO_SIGNAME skips printing the signature algorithm in the -// TBSCertificate. It is ignored in |X509_REQ_print_fp|. +// TBSCertificate. It is ignored in `X509_REQ_print_fp`. #define X509_FLAG_NO_SIGNAME (1L << 3) // X509_FLAG_NO_ISSUER skips printing the issuer. #define X509_FLAG_NO_ISSUER (1L << 4) // X509_FLAG_NO_VALIDITY skips printing the notBefore and notAfter times. It is -// ignored in |X509_REQ_print_fp|. +// ignored in `X509_REQ_print_fp`. #define X509_FLAG_NO_VALIDITY (1L << 5) // X509_FLAG_NO_SUBJECT skips printing the subject. @@ -3968,15 +3968,15 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, #define X509_FLAG_NO_PUBKEY (1L << 7) // X509_FLAG_NO_EXTENSIONS skips printing the extension list. It is ignored in -// |X509_REQ_print_fp|. CSRs instead have attributes, which is controlled by -// |X509_FLAG_NO_ATTRIBUTES|. +// `X509_REQ_print_fp`. CSRs instead have attributes, which is controlled by +// `X509_FLAG_NO_ATTRIBUTES`. #define X509_FLAG_NO_EXTENSIONS (1L << 8) // X509_FLAG_NO_SIGDUMP skips printing the signature and outer signature // algorithm. #define X509_FLAG_NO_SIGDUMP (1L << 9) -// X509_FLAG_NO_AUX skips printing auxiliary properties. (See |d2i_X509_AUX| and +// X509_FLAG_NO_AUX skips printing auxiliary properties. (See `d2i_X509_AUX` and // related functions.) #define X509_FLAG_NO_AUX (1L << 10) 
@@ -3985,12 +3985,12 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, #define X509_FLAG_NO_ATTRIBUTES (1L << 11) // X509_FLAG_NO_IDS skips printing the issuerUniqueID and subjectUniqueID in a -// certificate. It is ignored in |X509_REQ_print_fp|. +// certificate. It is ignored in `X509_REQ_print_fp`. #define X509_FLAG_NO_IDS (1L << 12) -// The following flags control |X509_print_ex|, |X509_REQ_print_ex|, -// |X509V3_EXT_print|, and |X509V3_extensions_print|. These flags coexist with -// |X509_FLAG_*|, so avoid collisions when adding new ones. +// The following flags control `X509_print_ex`, `X509_REQ_print_ex`, +// `X509V3_EXT_print`, and `X509V3_extensions_print`. These flags coexist with +// `X509_FLAG_*`, so avoid collisions when adding new ones. // X509V3_EXT_UNKNOWN_MASK is a mask that determines how unknown extensions are // processed. 
@@ -4005,59 +4005,59 @@ OPENSSL_EXPORT void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **out_alg, #define X509V3_EXT_ERROR_UNKNOWN (1L << 16) // X509V3_EXT_PARSE_UNKNOWN is deprecated and behaves like -// |X509V3_EXT_DUMP_UNKNOWN|. +// `X509V3_EXT_DUMP_UNKNOWN`. #define X509V3_EXT_PARSE_UNKNOWN (2L << 16) // X509V3_EXT_DUMP_UNKNOWN causes unknown extensions to be displayed as a // hexdump. #define X509V3_EXT_DUMP_UNKNOWN (3L << 16) -// X509_print_ex writes a human-readable representation of |x| to |bp|. It -// returns one on success and zero on error. |nmflags| is the flags parameter -// for |X509_NAME_print_ex| when printing the subject and issuer. |cflag| should -// be some combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants. +// X509_print_ex writes a human-readable representation of `x` to `bp`. It +// returns one on success and zero on error. `nmflags` is the flags parameter +// for `X509_NAME_print_ex` when printing the subject and issuer. `cflag` should +// be some combination of the `X509_FLAG_*` and `X509V3_EXT_*` constants. OPENSSL_EXPORT int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflag, unsigned long cflag); -// X509_print_ex_fp behaves like |X509_print_ex| but writes to |fp|. +// X509_print_ex_fp behaves like `X509_print_ex` but writes to `fp`. OPENSSL_EXPORT int X509_print_ex_fp(FILE *fp, const X509 *x, unsigned long nmflag, unsigned long cflag); -// X509_print calls |X509_print_ex| with |XN_FLAG_COMPAT| and |X509_FLAG_COMPAT| +// X509_print calls `X509_print_ex` with `XN_FLAG_COMPAT` and `X509_FLAG_COMPAT` // flags. OPENSSL_EXPORT int X509_print(BIO *bp, const X509 *x); -// X509_print_fp behaves like |X509_print| but writes to |fp|. +// X509_print_fp behaves like `X509_print` but writes to `fp`. OPENSSL_EXPORT int X509_print_fp(FILE *fp, const X509 *x); -// X509_CRL_print writes a human-readable representation of |x| to |bp|. It +// X509_CRL_print writes a human-readable representation of `x` to `bp`. 
It // returns one on success and zero on error. OPENSSL_EXPORT int X509_CRL_print(BIO *bp, const X509_CRL *x); -// X509_CRL_print_fp behaves like |X509_CRL_print| but writes to |fp|. +// X509_CRL_print_fp behaves like `X509_CRL_print` but writes to `fp`. OPENSSL_EXPORT int X509_CRL_print_fp(FILE *fp, const X509_CRL *x); -// X509_REQ_print_ex writes a human-readable representation of |x| to |bp|. It -// returns one on success and zero on error. |nmflags| is the flags parameter -// for |X509_NAME_print_ex|, when printing the subject. |cflag| should be some -// combination of the |X509_FLAG_*| and |X509V3_EXT_*| constants. +// X509_REQ_print_ex writes a human-readable representation of `x` to `bp`. It +// returns one on success and zero on error. `nmflags` is the flags parameter +// for `X509_NAME_print_ex`, when printing the subject. `cflag` should be some +// combination of the `X509_FLAG_*` and `X509V3_EXT_*` constants. OPENSSL_EXPORT int X509_REQ_print_ex(BIO *bp, const X509_REQ *x, unsigned long nmflag, unsigned long cflag); -// X509_REQ_print calls |X509_REQ_print_ex| with |XN_FLAG_COMPAT| and -// |X509_FLAG_COMPAT| flags. +// X509_REQ_print calls `X509_REQ_print_ex` with `XN_FLAG_COMPAT` and +// `X509_FLAG_COMPAT` flags. OPENSSL_EXPORT int X509_REQ_print(BIO *bp, const X509_REQ *req); -// X509_REQ_print_fp behaves like |X509_REQ_print| but writes to |fp|. +// X509_REQ_print_fp behaves like `X509_REQ_print` but writes to `fp`. OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, const X509_REQ *req); -// The following flags are control |X509_NAME_print_ex|. They must not collide -// with |ASN1_STRFLGS_*|. +// The following flags are control `X509_NAME_print_ex`. They must not collide +// with `ASN1_STRFLGS_*`. // // TODO(davidben): This is far, far too many options and most of them are // useless. Trim this down. 
-// XN_FLAG_COMPAT prints with |X509_NAME_print|'s format and return value +// XN_FLAG_COMPAT prints with `X509_NAME_print`'s format and return value // convention. #define XN_FLAG_COMPAT 0ul @@ -4068,7 +4068,7 @@ OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, const X509_REQ *req); // with "+", as in RFC 2253. #define XN_FLAG_SEP_COMMA_PLUS (1ul << 16) -// XN_FLAG_SEP_CPLUS_SPC behaves like |XN_FLAG_SEP_COMMA_PLUS| but adds spaces +// XN_FLAG_SEP_CPLUS_SPC behaves like `XN_FLAG_SEP_COMMA_PLUS` but adds spaces // between the separators. #define XN_FLAG_SEP_CPLUS_SPC (2ul << 16) 
@@ -4106,62 +4106,62 @@ OPENSSL_EXPORT int X509_REQ_print_fp(FILE *fp, const X509_REQ *req); (ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | \ XN_FLAG_SPC_EQ | XN_FLAG_FN_SN) -// X509_NAME_print_ex writes a human-readable representation of |nm| to |out|. -// Each line of output is indented by |indent| spaces. It returns the number of -// bytes written on success, and -1 on error. If |out| is NULL, it returns the -// number of bytes it would have written but does not write anything. |flags| -// should be some combination of |XN_FLAG_*| and |ASN1_STRFLGS_*| values and -// determines the output. If unsure, use |XN_FLAG_RFC2253|. +// X509_NAME_print_ex writes a human-readable representation of `nm` to `out`. +// Each line of output is indented by `indent` spaces. It returns the number of +// bytes written on success, and -1 on error. If `out` is NULL, it returns the +// number of bytes it would have written but does not write anything. `flags` +// should be some combination of `XN_FLAG_*` and `ASN1_STRFLGS_*` values and +// determines the output. If unsure, use `XN_FLAG_RFC2253`. // -// If |flags| is |XN_FLAG_COMPAT|, or zero, this function calls -// |X509_NAME_print| instead. In that case, it returns one on success, rather +// If `flags` is `XN_FLAG_COMPAT`, or zero, this function calls +// `X509_NAME_print` instead. In that case, it returns one on success, rather // than the output length. OPENSSL_EXPORT int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, unsigned long flags); -// X509_NAME_print prints a human-readable representation of |name| to |bp|. It -// returns one on success and zero on error. |obase| is ignored. +// X509_NAME_print prints a human-readable representation of `name` to `bp`. It +// returns one on success and zero on error. `obase` is ignored. // // This function outputs a legacy format that does not correctly handle string -// encodings and other cases. 
Prefer |X509_NAME_print_ex| if printing a name for +// encodings and other cases. Prefer `X509_NAME_print_ex` if printing a name for // debugging purposes. OPENSSL_EXPORT int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); -// X509_NAME_oneline writes a human-readable representation to |name| to a +// X509_NAME_oneline writes a human-readable representation to `name` to a // buffer as a NUL-terminated C string. // -// If |buf| is NULL, returns a newly-allocated buffer containing the result on -// success, or NULL on error. The buffer must be released with |OPENSSL_free| +// If `buf` is NULL, returns a newly-allocated buffer containing the result on +// success, or NULL on error. The buffer must be released with `OPENSSL_free` // when done. // -// If |buf| is non-NULL, at most |size| bytes of output are written to |buf| -// instead. |size| includes the trailing NUL. The function then returns |buf| on -// success or NULL on error. If the output does not fit in |size| bytes, the +// If `buf` is non-NULL, at most `size` bytes of output are written to `buf` +// instead. `size` includes the trailing NUL. The function then returns `buf` on +// success or NULL on error. If the output does not fit in `size` bytes, the // output is silently truncated at an attribute boundary. // // This function outputs a legacy format that does not correctly handle string -// encodings and other cases. Prefer |X509_NAME_print_ex| if printing a name for +// encodings and other cases. Prefer `X509_NAME_print_ex` if printing a name for // debugging purposes. OPENSSL_EXPORT char *X509_NAME_oneline(const X509_NAME *name, char *buf, int size); -// X509_NAME_print_ex_fp behaves like |X509_NAME_print_ex| but writes to |fp|. +// X509_NAME_print_ex_fp behaves like `X509_NAME_print_ex` but writes to `fp`. 
OPENSSL_EXPORT int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, unsigned long flags); -// X509_signature_dump writes a human-readable representation of |sig| to |bio|, -// indented with |indent| spaces. It returns one on success and zero on error. +// X509_signature_dump writes a human-readable representation of `sig` to `bio`, +// indented with `indent` spaces. It returns one on success and zero on error. OPENSSL_EXPORT int X509_signature_dump(BIO *bio, const ASN1_STRING *sig, int indent); -// X509_signature_print writes a human-readable representation of |alg| and -// |sig| to |bio|. It returns one on success and zero on error. +// X509_signature_print writes a human-readable representation of `alg` and +// `sig` to `bio`. It returns one on success and zero on error. OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, const ASN1_STRING *sig); -// X509V3_EXT_print prints a human-readable representation of |ext| to out. It -// returns one on success and zero on error. The output is indented by |indent| -// spaces. |flag| is one of the |X509V3_EXT_*| constants and controls printing +// X509V3_EXT_print prints a human-readable representation of `ext` to out. It +// returns one on success and zero on error. The output is indented by `indent` +// spaces. `flag` is one of the `X509V3_EXT_*` constants and controls printing // of unknown extensions and syntax errors. // // WARNING: Although some applications programmatically parse the output of this 
@@ -4172,21 +4172,21 @@ OPENSSL_EXPORT int X509_signature_print(BIO *bio, const X509_ALGOR *alg, OPENSSL_EXPORT int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag, int indent); -// X509V3_EXT_print_fp behaves like |X509V3_EXT_print| but writes to a |FILE| -// instead of a |BIO|. +// X509V3_EXT_print_fp behaves like `X509V3_EXT_print` but writes to a `FILE` +// instead of a `BIO`. OPENSSL_EXPORT int X509V3_EXT_print_fp(FILE *out, const X509_EXTENSION *ext, int flag, int indent); -// X509V3_extensions_print prints |title|, followed by a human-readable -// representation of |exts| to |out|. It returns one on success and zero on -// error. The output is indented by |indent| spaces. |flag| is one of the -// |X509V3_EXT_*| constants and controls printing of unknown extensions and +// X509V3_extensions_print prints `title`, followed by a human-readable +// representation of `exts` to `out`. It returns one on success and zero on +// error. The output is indented by `indent` spaces. `flag` is one of the +// `X509V3_EXT_*` constants and controls printing of unknown extensions and // syntax errors. OPENSSL_EXPORT int X509V3_extensions_print(BIO *out, const char *title, const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); -// GENERAL_NAME_print prints a human-readable representation of |gen| to |out|. +// GENERAL_NAME_print prints a human-readable representation of `gen` to `out`. // It returns one on success and zero on error. // // TODO(davidben): Actually, it just returns one and doesn't check for I/O or 
@@ -4196,10 +4196,10 @@ OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); // Convenience functions. -// X509_pubkey_digest hashes the contents of the BIT STRING in |x509|'s -// subjectPublicKeyInfo field with |md| and writes the result to |out|. -// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. If -// |out_len| is not NULL, |*out_len| is set to the number of bytes written. This +// X509_pubkey_digest hashes the contents of the BIT STRING in `x509`'s +// subjectPublicKeyInfo field with `md` and writes the result to `out`. +// `EVP_MD_CTX_size` bytes are written, which is at most `EVP_MAX_MD_SIZE`. If +// `out_len` is not NULL, `*out_len` is set to the number of bytes written. This // function returns one on success and zero on error. // // This hash omits the BIT STRING tag, length, and number of unused bits. It 
@@ -4209,42 +4209,42 @@ OPENSSL_EXPORT int GENERAL_NAME_print(BIO *out, const GENERAL_NAME *gen); OPENSSL_EXPORT int X509_pubkey_digest(const X509 *x509, const EVP_MD *md, uint8_t *out, unsigned *out_len); -// X509_digest hashes |x509|'s DER encoding with |md| and writes the result to -// |out|. |EVP_MD_CTX_size| bytes are written, which is at most -// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// X509_digest hashes `x509`'s DER encoding with `md` and writes the result to +// `out`. `EVP_MD_CTX_size` bytes are written, which is at most +// `EVP_MAX_MD_SIZE`. If `out_len` is not NULL, `*out_len` is set to the number // of bytes written. This function returns one on success and zero on error. // Note this digest covers the entire certificate, not just the signed portion. OPENSSL_EXPORT int X509_digest(const X509 *x509, const EVP_MD *md, uint8_t *out, unsigned *out_len); -// X509_CRL_digest hashes |crl|'s DER encoding with |md| and writes the result -// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most -// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// X509_CRL_digest hashes `crl`'s DER encoding with `md` and writes the result +// to `out`. `EVP_MD_CTX_size` bytes are written, which is at most +// `EVP_MAX_MD_SIZE`. If `out_len` is not NULL, `*out_len` is set to the number // of bytes written. This function returns one on success and zero on error. // Note this digest covers the entire CRL, not just the signed portion. OPENSSL_EXPORT int X509_CRL_digest(const X509_CRL *crl, const EVP_MD *md, uint8_t *out, unsigned *out_len); -// X509_REQ_digest hashes |req|'s DER encoding with |md| and writes the result -// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most -// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// X509_REQ_digest hashes `req`'s DER encoding with `md` and writes the result +// to `out`. 
`EVP_MD_CTX_size` bytes are written, which is at most +// `EVP_MAX_MD_SIZE`. If `out_len` is not NULL, `*out_len` is set to the number // of bytes written. This function returns one on success and zero on error. // Note this digest covers the entire certificate request, not just the signed // portion. OPENSSL_EXPORT int X509_REQ_digest(const X509_REQ *req, const EVP_MD *md, uint8_t *out, unsigned *out_len); -// X509_NAME_digest hashes |name|'s DER encoding with |md| and writes the result -// to |out|. |EVP_MD_CTX_size| bytes are written, which is at most -// |EVP_MAX_MD_SIZE|. If |out_len| is not NULL, |*out_len| is set to the number +// X509_NAME_digest hashes `name`'s DER encoding with `md` and writes the result +// to `out`. `EVP_MD_CTX_size` bytes are written, which is at most +// `EVP_MAX_MD_SIZE`. If `out_len` is not NULL, `*out_len` is set to the number // of bytes written. This function returns one on success and zero on error. OPENSSL_EXPORT int X509_NAME_digest(const X509_NAME *name, const EVP_MD *md, uint8_t *out, unsigned *out_len); -// The following functions behave like the corresponding unsuffixed |d2i_*| -// functions, but read the result from |bp| instead. Callers using these -// functions with memory |BIO|s to parse structures already in memory should use -// |d2i_*| instead. +// The following functions behave like the corresponding unsuffixed `d2i_*` +// functions, but read the result from `bp` instead. Callers using these +// functions with memory `BIO`s to parse structures already in memory should use +// `d2i_*` instead. OPENSSL_EXPORT X509 *d2i_X509_bio(BIO *bp, X509 **x509); OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl); OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req); 
@@ -4261,14 +4261,14 @@ OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio( OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_bio(BIO *bp, EVP_PKEY **a); OPENSSL_EXPORT DH *d2i_DHparams_bio(BIO *bp, DH **dh); -// d2i_PrivateKey_bio behaves like |d2i_AutoPrivateKey|, but reads from |bp| +// d2i_PrivateKey_bio behaves like `d2i_AutoPrivateKey`, but reads from `bp` // instead. OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a); -// The following functions behave like the corresponding unsuffixed |i2d_*| -// functions, but write the result to |bp|. They return one on success and zero -// on error. Callers using them with memory |BIO|s to encode structures to -// memory should use |i2d_*| directly instead. +// The following functions behave like the corresponding unsuffixed `i2d_*` +// functions, but write the result to `bp`. They return one on success and zero +// on error. Callers using them with memory `BIO`s to encode structures to +// memory should use `i2d_*` directly instead. OPENSSL_EXPORT int i2d_X509_bio(BIO *bp, const X509 *x509); OPENSSL_EXPORT int i2d_X509_CRL_bio(BIO *bp, const X509_CRL *crl); OPENSSL_EXPORT int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req); 
@@ -4286,13 +4286,13 @@ OPENSSL_EXPORT int i2d_PrivateKey_bio(BIO *bp, const EVP_PKEY *pkey); OPENSSL_EXPORT int i2d_PUBKEY_bio(BIO *bp, const EVP_PKEY *pkey); OPENSSL_EXPORT int i2d_DHparams_bio(BIO *bp, const DH *dh); -// i2d_PKCS8PrivateKeyInfo_bio encodes |key| as a PKCS#8 PrivateKeyInfo -// structure (see |EVP_marshal_private_key|) and writes the result to |bp|. It +// i2d_PKCS8PrivateKeyInfo_bio encodes `key` as a PKCS#8 PrivateKeyInfo +// structure (see `EVP_marshal_private_key`) and writes the result to `bp`. It // returns one on success and zero on error. OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, const EVP_PKEY *key); -// The following functions behave like the corresponding |d2i_*_bio| functions, -// but read from |fp| instead. +// The following functions behave like the corresponding `d2i_*_bio` functions, +// but read from `fp` instead. OPENSSL_EXPORT X509 *d2i_X509_fp(FILE *fp, X509 **x509); OPENSSL_EXPORT X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl); OPENSSL_EXPORT X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req); @@ -4309,8 +4309,8 @@ OPENSSL_EXPORT PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp( OPENSSL_EXPORT EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a); OPENSSL_EXPORT EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a); -// The following functions behave like the corresponding |i2d_*_bio| functions, -// but write to |fp| instead. +// The following functions behave like the corresponding `i2d_*_bio` functions, +// but write to `fp` instead. OPENSSL_EXPORT int i2d_X509_fp(FILE *fp, const X509 *x509); OPENSSL_EXPORT int i2d_X509_CRL_fp(FILE *fp, const X509_CRL *crl); OPENSSL_EXPORT int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req); 
@@ -4328,96 +4328,96 @@ OPENSSL_EXPORT int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, const EVP_PKEY *key); OPENSSL_EXPORT int i2d_PrivateKey_fp(FILE *fp, const EVP_PKEY *pkey); OPENSSL_EXPORT int i2d_PUBKEY_fp(FILE *fp, const EVP_PKEY *pkey); -// X509_find_by_issuer_and_serial returns the first |X509| in |sk| whose issuer -// and serial are |name| and |serial|, respectively. If no match is found, it +// X509_find_by_issuer_and_serial returns the first `X509` in `sk` whose issuer +// and serial are `name` and `serial`, respectively. If no match is found, it // returns NULL. OPENSSL_EXPORT X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name, const ASN1_INTEGER *serial); -// X509_find_by_subject returns the first |X509| in |sk| whose subject is -// |name|. If no match is found, it returns NULL. +// X509_find_by_subject returns the first `X509` in `sk` whose subject is +// `name`. If no match is found, it returns NULL. OPENSSL_EXPORT X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name); -// X509_cmp_time compares |s| against |*t|. On success, it returns a negative -// number if |s| <= |*t| and a positive number if |s| > |*t|. On error, it -// returns zero. If |t| is NULL, it uses the current time instead of |*t|. +// X509_cmp_time compares `s` against `*t`. On success, it returns a negative +// number if `s` <= `*t` and a positive number if `s` > `*t`. On error, it +// returns zero. If `t` is NULL, it uses the current time instead of `*t`. // // WARNING: Unlike most comparison functions, this function returns zero on // error, not equality. OPENSSL_EXPORT int X509_cmp_time(const ASN1_TIME *s, const time_t *t); -// X509_cmp_time_posix compares |s| against |t|. On success, it returns a -// negative number if |s| <= |t| and a positive number if |s| > |t|. On error, +// X509_cmp_time_posix compares `s` against `t`. On success, it returns a +// negative number if `s` <= `t` and a positive number if `s` > `t`. 
On error, // it returns zero. // // WARNING: Unlike most comparison functions, this function returns zero on // error, not equality. OPENSSL_EXPORT int X509_cmp_time_posix(const ASN1_TIME *s, int64_t t); -// X509_cmp_current_time behaves like |X509_cmp_time| but compares |s| against +// X509_cmp_current_time behaves like `X509_cmp_time` but compares `s` against // the current time. OPENSSL_EXPORT int X509_cmp_current_time(const ASN1_TIME *s); -// X509_time_adj calls |X509_time_adj_ex| with |offset_day| equal to zero. +// X509_time_adj calls `X509_time_adj_ex` with `offset_day` equal to zero. OPENSSL_EXPORT ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, const time_t *t); -// X509_time_adj_ex behaves like |ASN1_TIME_adj|, but adds an offset to |*t|. If -// |t| is NULL, it uses the current time instead of |*t|. +// X509_time_adj_ex behaves like `ASN1_TIME_adj`, but adds an offset to `*t`. If +// `t` is NULL, it uses the current time instead of `*t`. OPENSSL_EXPORT ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, const time_t *t); -// X509_gmtime_adj behaves like |X509_time_adj_ex| but adds |offset_sec| to the +// X509_gmtime_adj behaves like `X509_time_adj_ex` but adds `offset_sec` to the // current time. OPENSSL_EXPORT ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long offset_sec); -// X509_issuer_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s +// X509_issuer_name_cmp behaves like `X509_NAME_cmp`, but compares `a` and `b`'s // issuer names. OPENSSL_EXPORT int X509_issuer_name_cmp(const X509 *a, const X509 *b); -// X509_subject_name_cmp behaves like |X509_NAME_cmp|, but compares |a| and -// |b|'s subject names. +// X509_subject_name_cmp behaves like `X509_NAME_cmp`, but compares `a` and +// `b`'s subject names. 
OPENSSL_EXPORT int X509_subject_name_cmp(const X509 *a, const X509 *b); -// X509_CRL_cmp behaves like |X509_NAME_cmp|, but compares |a| and |b|'s +// X509_CRL_cmp behaves like `X509_NAME_cmp`, but compares `a` and `b`'s // issuer names. // // WARNING: This function is misnamed. It does not compare other parts of the -// CRL, only the issuer fields using |X509_NAME_cmp|. +// CRL, only the issuer fields using `X509_NAME_cmp`. OPENSSL_EXPORT int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b); -// X509_issuer_name_hash returns the hash of |x509|'s issuer name with -// |X509_NAME_hash|. +// X509_issuer_name_hash returns the hash of `x509`'s issuer name with +// `X509_NAME_hash`. // -// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// This hash is specific to the `X509_LOOKUP_add_dir` filesystem format and is // not suitable for general-purpose X.509 name processing. It is very short, so // there will be hash collisions. It also depends on an OpenSSL-specific // canonicalization process. OPENSSL_EXPORT uint32_t X509_issuer_name_hash(const X509 *x509); -// X509_subject_name_hash returns the hash of |x509|'s subject name with -// |X509_NAME_hash|. +// X509_subject_name_hash returns the hash of `x509`'s subject name with +// `X509_NAME_hash`. // -// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// This hash is specific to the `X509_LOOKUP_add_dir` filesystem format and is // not suitable for general-purpose X.509 name processing. It is very short, so // there will be hash collisions. It also depends on an OpenSSL-specific // canonicalization process. OPENSSL_EXPORT uint32_t X509_subject_name_hash(const X509 *x509); -// X509_issuer_name_hash_old returns the hash of |x509|'s issuer name with -// |X509_NAME_hash_old|. +// X509_issuer_name_hash_old returns the hash of `x509`'s issuer name with +// `X509_NAME_hash_old`. 
// -// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// This hash is specific to the `X509_LOOKUP_add_dir` filesystem format and is // not suitable for general-purpose X.509 name processing. It is very short, so // there will be hash collisions. OPENSSL_EXPORT uint32_t X509_issuer_name_hash_old(const X509 *x509); -// X509_subject_name_hash_old returns the hash of |x509|'s usjbect name with -// |X509_NAME_hash_old|. +// X509_subject_name_hash_old returns the hash of `x509`'s usjbect name with +// `X509_NAME_hash_old`. // -// This hash is specific to the |X509_LOOKUP_add_dir| filesystem format and is +// This hash is specific to the `X509_LOOKUP_add_dir` filesystem format and is // not suitable for general-purpose X.509 name processing. It is very short, so // there will be hash collisions. OPENSSL_EXPORT uint32_t X509_subject_name_hash_old(const X509 *x509); @@ -4425,7 +4425,7 @@ OPENSSL_EXPORT uint32_t X509_subject_name_hash_old(const X509 *x509); // ex_data functions. // -// See |ex_data.h| for details. +// See `ex_data.h` for details. OPENSSL_EXPORT int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_unused *unused, 
@@ -4449,70 +4449,70 @@ OPENSSL_EXPORT void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx); // Hashing and signing ASN.1 structures. -// ASN1_digest serializes |data| with |i2d| and then hashes the result with -// |type|. On success, it returns one, writes the digest to |md|, and sets -// |*len| to the digest length if non-NULL. On error, it returns zero. +// ASN1_digest serializes `data` with `i2d` and then hashes the result with +// `type`. On success, it returns one, writes the digest to `md`, and sets +// `*len` to the digest length if non-NULL. On error, it returns zero. // -// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The +// `EVP_MD_CTX_size` bytes are written, which is at most `EVP_MAX_MD_SIZE`. The // buffer must have sufficient space for this output. OPENSSL_EXPORT int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data, unsigned char *md, unsigned int *len); -// ASN1_item_digest serializes |data| with |it| and then hashes the result with -// |type|. On success, it returns one, writes the digest to |md|, and sets -// |*len| to the digest length if non-NULL. On error, it returns zero. +// ASN1_item_digest serializes `data` with `it` and then hashes the result with +// `type`. On success, it returns one, writes the digest to `md`, and sets +// `*len` to the digest length if non-NULL. On error, it returns zero. // -// |EVP_MD_CTX_size| bytes are written, which is at most |EVP_MAX_MD_SIZE|. The +// `EVP_MD_CTX_size` bytes are written, which is at most `EVP_MAX_MD_SIZE`. The // buffer must have sufficient space for this output. // -// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// WARNING: `data` must be a pointer with the same type as `it`'s corresponding // C type. Using the wrong type is a potentially exploitable memory error. 
OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *data, unsigned char *md, unsigned int *len); -// ASN1_item_verify serializes |data| with |it| and then verifies |signature| is -// a valid signature for the result with |algor1| and |pkey|. It returns one on +// ASN1_item_verify serializes `data` with `it` and then verifies `signature` is +// a valid signature for the result with `algor1` and `pkey`. It returns one on // success and zero on error. The signature and algorithm are interpreted as in // X.509. // -// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// WARNING: `data` must be a pointer with the same type as `it`'s corresponding // C type. Using the wrong type is a potentially exploitable memory error. OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *algor1, const ASN1_BIT_STRING *signature, void *data, EVP_PKEY *pkey); -// ASN1_item_sign serializes |data| with |it| and then signs the result with -// the private key |pkey|. It returns the length of the signature on success and -// zero on error. On success, it writes the signature to |signature| and the -// signature algorithm to each of |algor1| and |algor2|. Either of |algor1| or -// |algor2| may be NULL to ignore them. This function uses digest algorithm -// |md|, or |pkey|'s default if NULL. Other signing parameters use |pkey|'s -// defaults. To customize them, use |ASN1_item_sign_ctx|. +// ASN1_item_sign serializes `data` with `it` and then signs the result with +// the private key `pkey`. It returns the length of the signature on success and +// zero on error. On success, it writes the signature to `signature` and the +// signature algorithm to each of `algor1` and `algor2`. Either of `algor1` or +// `algor2` may be NULL to ignore them. This function uses digest algorithm +// `md`, or `pkey`'s default if NULL. Other signing parameters use `pkey`'s +// defaults. To customize them, use `ASN1_item_sign_ctx`. 
// -// |algor1| and |algor2| may point into part of |asn| and will be updated before -// |asn| is serialized. +// `algor1` and `algor2` may point into part of `asn` and will be updated before +// `asn` is serialized. // -// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// WARNING: `data` must be a pointer with the same type as `it`'s corresponding // C type. Using the wrong type is a potentially exploitable memory error. OPENSSL_EXPORT int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *data, EVP_PKEY *pkey, const EVP_MD *type); -// ASN1_item_sign_ctx behaves like |ASN1_item_sign| except the signature is -// signed with |ctx|, |ctx|, which must have been initialized with -// |EVP_DigestSignInit|. The caller should configure the corresponding -// |EVP_PKEY_CTX| with any additional parameters before calling this function. +// ASN1_item_sign_ctx behaves like `ASN1_item_sign` except the signature is +// signed with `ctx`, `ctx`, which must have been initialized with +// `EVP_DigestSignInit`. The caller should configure the corresponding +// `EVP_PKEY_CTX` with any additional parameters before calling this function. // -// On success or failure, this function mutates |ctx| and resets it to the empty +// On success or failure, this function mutates `ctx` and resets it to the empty // state. Caller should not rely on its contents after the function returns. // -// |algor1| and |algor2| may point into part of |asn| and will be updated before -// |asn| is serialized. +// `algor1` and `algor2` may point into part of `asn` and will be updated before +// `asn` is serialized. // -// WARNING: |data| must be a pointer with the same type as |it|'s corresponding +// WARNING: `data` must be a pointer with the same type as `it`'s corresponding // C type. Using the wrong type is a potentially exploitable memory error. 
OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, 
@@ -4525,55 +4525,55 @@ OPENSSL_EXPORT int ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, // The following functions expose portions of certificate validation. They are // exported for compatibility with existing callers, or to support some obscure // use cases. Most callers, however, will not need these functions and should -// instead use |X509_STORE_CTX| APIs. +// instead use `X509_STORE_CTX` APIs. -// X509_supported_extension returns one if |ex| is a critical X.509 certificate -// extension, supported by |X509_verify_cert|, and zero otherwise. +// X509_supported_extension returns one if `ex` is a critical X.509 certificate +// extension, supported by `X509_verify_cert`, and zero otherwise. // // Note this function only reports certificate extensions (as opposed to CRL or // CRL extensions), and only extensions that are expected to be marked critical. -// Additionally, |X509_verify_cert| checks for unsupported critical extensions +// Additionally, `X509_verify_cert` checks for unsupported critical extensions // internally, so most callers will not need to call this function separately. OPENSSL_EXPORT int X509_supported_extension(const X509_EXTENSION *ex); -// X509_check_ca returns one if |x509| may be considered a CA certificate, +// X509_check_ca returns one if `x509` may be considered a CA certificate, // according to basic constraints and key usage extensions. Otherwise, it -// returns zero. If |x509| is an X509v1 certificate, and thus has no extensions, +// returns zero. If `x509` is an X509v1 certificate, and thus has no extensions, // it is considered eligible. // -// This function returning one does not indicate that |x509| is trusted, only +// This function returning one does not indicate that `x509` is trusted, only // that it is eligible to be a CA. 
OPENSSL_EXPORT int X509_check_ca(const X509 *x509); -// X509_check_issued checks if |issuer| and |subject|'s name, authority key -// identifier, and key usage fields allow |issuer| to have issued |subject|. It -// returns |X509_V_OK| on success and an |X509_V_ERR_*| value otherwise. +// X509_check_issued checks if `issuer` and `subject`'s name, authority key +// identifier, and key usage fields allow `issuer` to have issued `subject`. It +// returns `X509_V_OK` on success and an `X509_V_ERR_*` value otherwise. // -// This function does not check the signature on |subject|. Rather, it is +// This function does not check the signature on `subject`. Rather, it is // intended to prune the set of possible issuer certificates during // path-building. OPENSSL_EXPORT int X509_check_issued(const X509 *issuer, const X509 *subject); -// NAME_CONSTRAINTS_check checks if |x509| satisfies name constraints in |nc|. -// It returns |X509_V_OK| on success and some |X509_V_ERR_*| constant on error. +// NAME_CONSTRAINTS_check checks if `x509` satisfies name constraints in `nc`. +// It returns `X509_V_OK` on success and some `X509_V_ERR_*` constant on error. OPENSSL_EXPORT int NAME_CONSTRAINTS_check(const X509 *x509, const NAME_CONSTRAINTS *nc); -// X509_check_host checks if |x509| matches the DNS name |chk|. It returns one -// on match, zero on mismatch, or a negative number on error. |flags| should be -// some combination of |X509_CHECK_FLAG_*| and modifies the behavior. On match, -// if |out_peername| is non-NULL, it additionally sets |*out_peername| to a +// X509_check_host checks if `x509` matches the DNS name `chk`. It returns one +// on match, zero on mismatch, or a negative number on error. `flags` should be +// some combination of `X509_CHECK_FLAG_*` and modifies the behavior. On match, +// if `out_peername` is non-NULL, it additionally sets `*out_peername` to a // newly-allocated, NUL-terminated string containing the DNS name or wildcard in -// the certificate which matched. 
The caller must then free |*out_peername| with -// |OPENSSL_free| when done. +// the certificate which matched. The caller must then free `*out_peername` with +// `OPENSSL_free` when done. // // By default, both subject alternative names and the subject's common name // attribute are checked. The latter has long been deprecated, so callers should -// include |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| in |flags| to use the standard +// include `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` in `flags` to use the standard // behavior. https://crbug.com/boringssl/464 tracks fixing the default. // -// This function does not check if |x509| is a trusted certificate, only if, -// were it trusted, it would match |chk|. +// This function does not check if `x509` is a trusted certificate, only if, +// were it trusted, it would match `chk`. // // WARNING: This function differs from the usual calling convention and may // return either 0 or a negative number on error. 
@@ -4583,16 +4583,16 @@ OPENSSL_EXPORT int X509_check_host(const X509 *x509, const char *chk, size_t chklen, unsigned int flags, char **out_peername); -// X509_check_email checks if |x509| matches the email address |chk|. It returns -// one on match, zero on mismatch, or a negative number on error. |flags| should -// be some combination of |X509_CHECK_FLAG_*| and modifies the behavior. +// X509_check_email checks if `x509` matches the email address `chk`. It returns +// one on match, zero on mismatch, or a negative number on error. `flags` should +// be some combination of `X509_CHECK_FLAG_*` and modifies the behavior. // // By default, both subject alternative names and the subject's email address -// attribute are checked. The |X509_CHECK_FLAG_NEVER_CHECK_SUBJECT| flag may be +// attribute are checked. The `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` flag may be // used to change this behavior. // -// This function does not check if |x509| is a trusted certificate, only if, -// were it trusted, it would match |chk|. +// This function does not check if `x509` is a trusted certificate, only if, +// were it trusted, it would match `chk`. // // WARNING: This function differs from the usual calling convention and may // return either 0 or a negative number on error. 
@@ -4601,14 +4601,14 @@ OPENSSL_EXPORT int X509_check_host(const X509 *x509, const char *chk, OPENSSL_EXPORT int X509_check_email(const X509 *x509, const char *chk, size_t chklen, unsigned int flags); -// X509_check_ip checks if |x509| matches the IP address |chk|. The IP address +// X509_check_ip checks if `x509` matches the IP address `chk`. The IP address // is represented in byte form and should be 4 bytes for an IPv4 address and 16 // bytes for an IPv6 address. It returns one on match, zero on mismatch, or a -// negative number on error. |flags| should be some combination of -// |X509_CHECK_FLAG_*| and modifies the behavior. +// negative number on error. `flags` should be some combination of +// `X509_CHECK_FLAG_*` and modifies the behavior. // -// This function does not check if |x509| is a trusted certificate, only if, -// were it trusted, it would match |chk|. +// This function does not check if `x509` is a trusted certificate, only if, +// were it trusted, it would match `chk`. // // WARNING: This function differs from the usual calling convention and may // return either 0 or a negative number on error. @@ -4617,8 +4617,8 @@ OPENSSL_EXPORT int X509_check_email(const X509 *x509, const char *chk, OPENSSL_EXPORT int X509_check_ip(const X509 *x509, const uint8_t *chk, size_t chklen, unsigned int flags); -// X509_check_ip_asc behaves like |X509_check_ip| except the IP address is -// specified in textual form in |ipasc|. +// X509_check_ip_asc behaves like `X509_check_ip` except the IP address is +// specified in textual form in `ipasc`. // // WARNING: This function differs from the usual calling convention and may // return either 0 or a negative number on error. 
@@ -4627,70 +4627,70 @@ OPENSSL_EXPORT int X509_check_ip(const X509 *x509, const uint8_t *chk, OPENSSL_EXPORT int X509_check_ip_asc(const X509 *x509, const char *ipasc, unsigned int flags); -// X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for |x509| out -// of |ctx|'s |X509_STORE|, based on the criteria in |X509_check_issued|. If one -// was found, it returns one and sets |*out_issuer| to the issuer. The caller -// must release |*out_issuer| with |X509_free| when done. If none was found, it -// returns zero and leaves |*out_issuer| unchanged. +// X509_STORE_CTX_get1_issuer looks up a candidate trusted issuer for `x509` out +// of `ctx`'s `X509_STORE`, based on the criteria in `X509_check_issued`. If one +// was found, it returns one and sets `*out_issuer` to the issuer. The caller +// must release `*out_issuer` with `X509_free` when done. If none was found, it +// returns zero and leaves `*out_issuer` unchanged. // // This function only searches for trusted issuers. It does not consider -// untrusted intermediates passed in to |X509_STORE_CTX_init|. +// untrusted intermediates passed in to `X509_STORE_CTX_init`. OPENSSL_EXPORT int X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx, const X509 *x509); -// X509_check_purpose performs checks if |x509|'s basic constraints, key usage, -// and extended key usage extensions for the specified purpose. |purpose| should -// be one of |X509_PURPOSE_*| constants. See |X509_VERIFY_PARAM_set_purpose| for -// details. It returns one if |x509|'s extensions are consistent with |purpose| -// and zero otherwise. If |ca| is non-zero, |x509| is checked as a CA +// X509_check_purpose performs checks if `x509`'s basic constraints, key usage, +// and extended key usage extensions for the specified purpose. `purpose` should +// be one of `X509_PURPOSE_*` constants. See `X509_VERIFY_PARAM_set_purpose` for +// details. It returns one if `x509`'s extensions are consistent with `purpose` +// and zero otherwise. 
If `ca` is non-zero, `x509` is checked as a CA // certificate. Otherwise, it is checked as an end-entity certificate. // -// If |purpose| is -1, this function performs no purpose checks, but it parses -// some extensions in |x509| and may return zero on syntax error. Historically, +// If `purpose` is -1, this function performs no purpose checks, but it parses +// some extensions in `x509` and may return zero on syntax error. Historically, // callers primarily used this function to trigger this parsing, but this is no -// longer necessary. Functions acting on |X509| will internally parse as needed. +// longer necessary. Functions acting on `X509` will internally parse as needed. OPENSSL_EXPORT int X509_check_purpose(X509 *x509, int purpose, int ca); #define X509_TRUST_TRUSTED 1 #define X509_TRUST_REJECTED 2 #define X509_TRUST_UNTRUSTED 3 -// X509_check_trust checks if |x509| is a valid trust anchor for trust type -// |id|. See |X509_VERIFY_PARAM_set_trust| for details. It returns -// |X509_TRUST_TRUSTED| if |x509| is a trust anchor, |X509_TRUST_REJECTED| if it -// was distrusted, and |X509_TRUST_UNTRUSTED| otherwise. |id| should be one of -// the |X509_TRUST_*| constants, or zero to indicate the default behavior. -// |flags| should be zero and is ignored. +// X509_check_trust checks if `x509` is a valid trust anchor for trust type +// `id`. See `X509_VERIFY_PARAM_set_trust` for details. It returns +// `X509_TRUST_TRUSTED` if `x509` is a trust anchor, `X509_TRUST_REJECTED` if it +// was distrusted, and `X509_TRUST_UNTRUSTED` otherwise. `id` should be one of +// the `X509_TRUST_*` constants, or zero to indicate the default behavior. +// `flags` should be zero and is ignored. OPENSSL_EXPORT int X509_check_trust(X509 *x509, int id, int flags); // X509_STORE_CTX_get1_certs returns a newly-allocated stack containing all -// trusted certificates in |ctx|'s |X509_STORE| whose subject matches |name|, or -// NULL on error. 
The caller must release the result with |sk_X509_pop_free| and -// |X509_free| when done. +// trusted certificates in `ctx`'s `X509_STORE` whose subject matches `name`, or +// NULL on error. The caller must release the result with `sk_X509_pop_free` and +// `X509_free` when done. OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, const X509_NAME *name); // X509_STORE_CTX_get1_crls returns a newly-allocated stack containing all -// CRLs in |ctx|'s |X509_STORE| whose subject matches |name|, or NULL on error. -// The caller must release the result with |sk_X509_CRL_pop_free| and -// |X509_CRL_free| when done. +// CRLs in `ctx`'s `X509_STORE` whose subject matches `name`, or NULL on error. +// The caller must release the result with `sk_X509_CRL_pop_free` and +// `X509_CRL_free` when done. OPENSSL_EXPORT STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls( X509_STORE_CTX *ctx, const X509_NAME *name); -// X509_STORE_CTX_get_by_subject looks up an object of type |type| in |ctx|'s -// |X509_STORE| that matches |name|. |type| should be one of the |X509_LU_*| +// X509_STORE_CTX_get_by_subject looks up an object of type `type` in `ctx`'s +// `X509_STORE` that matches `name`. `type` should be one of the `X509_LU_*` // constants to indicate the type of object. If a match was found, it stores the -// result in |ret| and returns one. Otherwise, it returns zero. If multiple +// result in `ret` and returns one. Otherwise, it returns zero. If multiple // objects match, this function outputs an arbitrary one. // -// WARNING: |ret| must be in the empty state, as returned by |X509_OBJECT_new|. -// Otherwise, the object currently in |ret| will be leaked when overwritten. +// WARNING: `ret` must be in the empty state, as returned by `X509_OBJECT_new`. +// Otherwise, the object currently in `ret` will be leaked when overwritten. // https://crbug.com/boringssl/685 tracks fixing this. // // WARNING: Multiple trusted certificates or CRLs may share a name. 
In this // case, this function returns an arbitrary match. Use -// |X509_STORE_CTX_get1_certs| or |X509_STORE_CTX_get1_crls| instead. +// `X509_STORE_CTX_get1_certs` or `X509_STORE_CTX_get1_crls` instead. OPENSSL_EXPORT int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *ctx, int type, const X509_NAME *name, X509_OBJECT *ret); @@ -4698,7 +4698,7 @@ OPENSSL_EXPORT int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *ctx, int type, // X.509 information. // -// |X509_INFO| is the return type for |PEM_X509_INFO_read_bio|, defined in +// `X509_INFO` is the return type for `PEM_X509_INFO_read_bio`, defined in // . It is used to store a certificate, CRL, or private key. This // type is defined in this header for OpenSSL compatibility. 
@@ -4718,25 +4718,25 @@ struct X509_info_st { DEFINE_STACK_OF(X509_INFO) -// X509_INFO_free releases memory associated with |info|. +// X509_INFO_free releases memory associated with `info`. OPENSSL_EXPORT void X509_INFO_free(X509_INFO *info); // Deprecated custom extension registration. // // The following functions allow callers to register custom extensions for use -// with |X509V3_EXT_d2i| and related functions. This mechanism is deprecated and -// will be removed in the future. As discussed in |X509V3_EXT_add|, it is not +// with `X509V3_EXT_d2i` and related functions. This mechanism is deprecated and +// will be removed in the future. As discussed in `X509V3_EXT_add`, it is not // possible to safely register a custom extension without risking race // conditions and memory errors when linked with other users of BoringSSL. // // Moreover, it is not necessary to register a custom extension to process // extensions unknown to BoringSSL. Registration does not impact certificate // verification. Caller should instead use functions such as -// |ASN1_OBJECT_create|, |X509_get_ext_by_OBJ|, |X509_EXTENSION_get_data|, and -// |X509_EXTENSION_create_by_OBJ| to inspect or create extensions directly. +// `ASN1_OBJECT_create`, `X509_get_ext_by_OBJ`, `X509_EXTENSION_get_data`, and +// `X509_EXTENSION_create_by_OBJ` to inspect or create extensions directly. -// The following function pointer types are used in |X509V3_EXT_METHOD|. +// The following function pointer types are used in `X509V3_EXT_METHOD`. typedef void *(*X509V3_EXT_NEW)(void); typedef void (*X509V3_EXT_FREE)(void *ext); typedef void *(*X509V3_EXT_D2I)(void *ext, const uint8_t **inp, long len); 
@@ -4755,20 +4755,20 @@ typedef int (*X509V3_EXT_I2R)(const X509V3_EXT_METHOD *method, void *ext, typedef void *(*X509V3_EXT_R2I)(const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); -// A v3_ext_method, aka |X509V3_EXT_METHOD|, is a deprecated type which defines +// A v3_ext_method, aka `X509V3_EXT_METHOD`, is a deprecated type which defines // a custom extension. struct v3_ext_method { // ext_nid is the NID of the extension. int ext_nid; - // ext_flags is a combination of |X509V3_EXT_*| constants. + // ext_flags is a combination of `X509V3_EXT_*` constants. int ext_flags; // it determines how values of this extension are allocated, released, parsed, // and marshalled. This must be non-NULL. ASN1_ITEM_EXP *it; - // The following functions are ignored in favor of |it|. They are retained in + // The following functions are ignored in favor of `it`. They are retained in // the struct only for source compatibility with existing struct definitions. X509V3_EXT_NEW ext_new; X509V3_EXT_FREE ext_free; 
@@ -4791,31 +4791,31 @@ struct v3_ext_method { void *usr_data; // Any extension specific data } /* X509V3_EXT_METHOD */; -// X509V3_EXT_MULTILINE causes the result of an |X509V3_EXT_METHOD|'s |i2v| +// X509V3_EXT_MULTILINE causes the result of an `X509V3_EXT_METHOD`'s `i2v` // function to be printed on separate lines, rather than separated by commas. #define X509V3_EXT_MULTILINE 0x4 -// X509V3_EXT_get returns the |X509V3_EXT_METHOD| corresponding to |ext|'s +// X509V3_EXT_get returns the `X509V3_EXT_METHOD` corresponding to `ext`'s // extension type, or NULL if none was registered. OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get( const X509_EXTENSION *ext); -// X509V3_EXT_get_nid returns the |X509V3_EXT_METHOD| corresponding to |nid|, or +// X509V3_EXT_get_nid returns the `X509V3_EXT_METHOD` corresponding to `nid`, or // NULL if none was registered. OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); -// X509V3_EXT_add registers |ext| as a custom extension for the extension type -// |ext->ext_nid|. |ext| must be valid for the remainder of the address space's +// X509V3_EXT_add registers `ext` as a custom extension for the extension type +// `ext->ext_nid`. `ext` must be valid for the remainder of the address space's // lifetime. It returns one on success and zero on error. // // WARNING: This function modifies global state. If other code in the same -// address space also registers an extension with type |ext->ext_nid|, the two +// address space also registers an extension with type `ext->ext_nid`, the two // registrations will conflict. Which registration takes effect is undefined. If // the two registrations use incompatible in-memory representations, code // expecting the other registration will then cast a type to the wrong type, // resulting in a potentially exploitable memory error. 
This conflict can also -// occur if BoringSSL later adds support for |ext->ext_nid|, with a different -// in-memory representation than the one expected by |ext|. +// occur if BoringSSL later adds support for `ext->ext_nid`, with a different +// in-memory representation than the one expected by `ext`. // // This function, additionally, is not thread-safe and cannot be called // concurrently with any other BoringSSL function. @@ -4823,15 +4823,15 @@ OPENSSL_EXPORT const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); // As a result, it is impossible to safely use this function. Registering a // custom extension has no impact on certificate verification so, instead, // callers should simply handle the custom extension with the byte-based -// |X509_EXTENSION| APIs directly. Registering |ext| with the library has little +// `X509_EXTENSION` APIs directly. Registering `ext` with the library has little // practical value. OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add(X509V3_EXT_METHOD *ext); -// X509V3_EXT_add_alias registers a custom extension with NID |nid_to|. The -// corresponding ASN.1 type is copied from |nid_from|. It returns one on success +// X509V3_EXT_add_alias registers a custom extension with NID `nid_to`. The +// corresponding ASN.1 type is copied from `nid_from`. It returns one on success // and zero on error. // -// WARNING: Do not use this function. See |X509V3_EXT_add|. +// WARNING: Do not use this function. See `X509V3_EXT_add`. OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, int nid_from); 
@@ -4855,10 +4855,10 @@ OPENSSL_EXPORT OPENSSL_DEPRECATED int X509V3_EXT_add_alias(int nid_to, // review than most of the library and may have bugs including memory leaks or // crashes. -// v3_ext_ctx, aka |X509V3_CTX|, contains additional context information for +// v3_ext_ctx, aka `X509V3_CTX`, contains additional context information for // constructing extensions. Some string formats reference additional values in -// these objects. It must be initialized with |X509V3_set_ctx| or -// |X509V3_set_ctx_test| before use. +// these objects. It must be initialized with `X509V3_set_ctx` or +// `X509V3_set_ctx_test` before use. struct v3_ext_ctx { int flags; const X509 *issuer_cert; @@ -4870,17 +4870,17 @@ struct v3_ext_ctx { #define X509V3_CTX_TEST 0x1 -// X509V3_set_ctx initializes |ctx| with the specified objects. Some string +// X509V3_set_ctx initializes `ctx` with the specified objects. Some string // formats will reference fields in these objects. Each object may be NULL to -// omit it, in which case those formats cannot be used. |flags| should be zero, -// unless called via |X509V3_set_ctx_test|. +// omit it, in which case those formats cannot be used. `flags` should be zero, +// unless called via `X509V3_set_ctx_test`. // -// |issuer|, |subject|, |req|, and |crl|, if non-NULL, must outlive |ctx|. +// `issuer`, `subject`, `req`, and `crl`, if non-NULL, must outlive `ctx`. OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, const X509 *subject, const X509_REQ *req, const X509_CRL *crl, int flags); -// X509V3_set_ctx_test calls |X509V3_set_ctx| without any reference objects and +// X509V3_set_ctx_test calls `X509V3_set_ctx` without any reference objects and // mocks out some features that use them. The resulting extensions may be // incomplete and should be discarded. This can be used to partially validate // syntax. 
@@ -4889,145 +4889,145 @@ OPENSSL_EXPORT void X509V3_set_ctx(X509V3_CTX *ctx, const X509 *issuer, #define X509V3_set_ctx_test(ctx) \ X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, X509V3_CTX_TEST) -// X509V3_set_nconf sets |ctx| to use |conf| as the config database. |ctx| must -// have previously been initialized by |X509V3_set_ctx| or -// |X509V3_set_ctx_test|. Some string formats will reference sections in |conf|. -// |conf| may be NULL, in which case these formats cannot be used. If non-NULL, -// |conf| must outlive |ctx|. +// X509V3_set_nconf sets `ctx` to use `conf` as the config database. `ctx` must +// have previously been initialized by `X509V3_set_ctx` or +// `X509V3_set_ctx_test`. Some string formats will reference sections in `conf`. +// `conf` may be NULL, in which case these formats cannot be used. If non-NULL, +// `conf` must outlive `ctx`. OPENSSL_EXPORT void X509V3_set_nconf(X509V3_CTX *ctx, const CONF *conf); -// X509V3_set_ctx_nodb calls |X509V3_set_nconf| with no config database. +// X509V3_set_ctx_nodb calls `X509V3_set_nconf` with no config database. #define X509V3_set_ctx_nodb(ctx) X509V3_set_nconf(ctx, NULL) -// X509V3_EXT_nconf constructs an extension of type specified by |name|, and -// value specified by |value|. It returns a newly-allocated |X509_EXTENSION| -// object on success, or NULL on error. |conf| and |ctx| specify additional -// information referenced by some formats. Either |conf| or |ctx| may be NULL, +// X509V3_EXT_nconf constructs an extension of type specified by `name`, and +// value specified by `value`. It returns a newly-allocated `X509_EXTENSION` +// object on success, or NULL on error. `conf` and `ctx` specify additional +// information referenced by some formats. Either `conf` or `ctx` may be NULL, // in which case features which use it will be disabled. // -// If non-NULL, |ctx| must be initialized with |X509V3_set_ctx| or -// |X509V3_set_ctx_test|. 
+// If non-NULL, `ctx` must be initialized with `X509V3_set_ctx` or +// `X509V3_set_ctx_test`. // -// Both |conf| and |ctx| provide a |CONF| object. When |ctx| is non-NULL, most -// features use the |ctx| copy, configured with |X509V3_set_ctx|, but some use -// |conf|. Callers should ensure the two match to avoid surprisingly behavior. +// Both `conf` and `ctx` provide a `CONF` object. When `ctx` is non-NULL, most +// features use the `ctx` copy, configured with `X509V3_set_ctx`, but some use +// `conf`. Callers should ensure the two match to avoid surprisingly behavior. OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf(const CONF *conf, const X509V3_CTX *ctx, const char *name, const char *value); -// X509V3_EXT_nconf_nid behaves like |X509V3_EXT_nconf|, except the extension +// X509V3_EXT_nconf_nid behaves like `X509V3_EXT_nconf`, except the extension // type is specified as a NID. OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_nconf_nid(const CONF *conf, const X509V3_CTX *ctx, int ext_nid, const char *value); -// X509V3_EXT_conf_nid calls |X509V3_EXT_nconf_nid|. |conf| must be NULL. +// X509V3_EXT_conf_nid calls `X509V3_EXT_nconf_nid`. `conf` must be NULL. OPENSSL_EXPORT X509_EXTENSION *X509V3_EXT_conf_nid(CRYPTO_MUST_BE_NULL *conf, const X509V3_CTX *ctx, int ext_nid, const char *value); -// X509V3_EXT_add_nconf_sk looks up the section named |section| in |conf|. For -// each |CONF_VALUE| in the section, it constructs an extension as in -// |X509V3_EXT_nconf|, taking |name| and |value| from the |CONF_VALUE|. Each new -// extension is appended to |*sk|. If |*sk| is non-NULL, and at least one -// extension is added, it sets |*sk| to a newly-allocated -// |STACK_OF(X509_EXTENSION)|. It returns one on success and zero on error. +// X509V3_EXT_add_nconf_sk looks up the section named `section` in `conf`. For +// each `CONF_VALUE` in the section, it constructs an extension as in +// `X509V3_EXT_nconf`, taking `name` and `value` from the `CONF_VALUE`. 
Each new +// extension is appended to `*sk`. If `*sk` is non-NULL, and at least one +// extension is added, it sets `*sk` to a newly-allocated +// `STACK_OF(X509_EXTENSION)`. It returns one on success and zero on error. OPENSSL_EXPORT int X509V3_EXT_add_nconf_sk(const CONF *conf, const X509V3_CTX *ctx, const char *section, STACK_OF(X509_EXTENSION) **sk); -// X509V3_EXT_add_nconf adds extensions to |cert| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. +// X509V3_EXT_add_nconf adds extensions to `cert` as in +// `X509V3_EXT_add_nconf_sk`. It returns one on success and zero on error. OPENSSL_EXPORT int X509V3_EXT_add_nconf(const CONF *conf, const X509V3_CTX *ctx, const char *section, X509 *cert); -// X509V3_EXT_REQ_add_nconf adds extensions to |req| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. +// X509V3_EXT_REQ_add_nconf adds extensions to `req` as in +// `X509V3_EXT_add_nconf_sk`. It returns one on success and zero on error. OPENSSL_EXPORT int X509V3_EXT_REQ_add_nconf(const CONF *conf, const X509V3_CTX *ctx, const char *section, X509_REQ *req); -// X509V3_EXT_CRL_add_nconf adds extensions to |crl| as in -// |X509V3_EXT_add_nconf_sk|. It returns one on success and zero on error. +// X509V3_EXT_CRL_add_nconf adds extensions to `crl` as in +// `X509V3_EXT_add_nconf_sk`. It returns one on success and zero on error. OPENSSL_EXPORT int X509V3_EXT_CRL_add_nconf(const CONF *conf, const X509V3_CTX *ctx, const char *section, X509_CRL *crl); -// i2s_ASN1_OCTET_STRING returns a human-readable representation of |oct| as a -// newly-allocated, NUL-terminated string, or NULL on error. |method| is -// ignored. The caller must release the result with |OPENSSL_free| when done. +// i2s_ASN1_OCTET_STRING returns a human-readable representation of `oct` as a +// newly-allocated, NUL-terminated string, or NULL on error. `method` is +// ignored. The caller must release the result with `OPENSSL_free` when done. 
OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(const X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct); -// s2i_ASN1_OCTET_STRING decodes |str| as a hexadecimal byte string, with +// s2i_ASN1_OCTET_STRING decodes `str` as a hexadecimal byte string, with // optional colon separators between bytes. It returns a newly-allocated -// |ASN1_OCTET_STRING| with the result on success, or NULL on error. |method| -// and |ctx| are ignored. +// `ASN1_OCTET_STRING` with the result on success, or NULL on error. `method` +// and `ctx` are ignored. OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING( const X509V3_EXT_METHOD *method, const X509V3_CTX *ctx, const char *str); -// i2s_ASN1_INTEGER returns a human-readable representation of |aint| as a -// newly-allocated, NUL-terminated string, or NULL on error. |method| is -// ignored. The caller must release the result with |OPENSSL_free| when done. +// i2s_ASN1_INTEGER returns a human-readable representation of `aint` as a +// newly-allocated, NUL-terminated string, or NULL on error. `method` is +// ignored. The caller must release the result with `OPENSSL_free` when done. OPENSSL_EXPORT char *i2s_ASN1_INTEGER(const X509V3_EXT_METHOD *method, const ASN1_INTEGER *aint); -// s2i_ASN1_INTEGER decodes |value| as the ASCII representation of an integer, -// and returns a newly-allocated |ASN1_INTEGER| containing the result, or NULL -// on error. |method| is ignored. If |value| begins with "0x" or "0X", the input +// s2i_ASN1_INTEGER decodes `value` as the ASCII representation of an integer, +// and returns a newly-allocated `ASN1_INTEGER` containing the result, or NULL +// on error. `method` is ignored. If `value` begins with "0x" or "0X", the input // is decoded in hexadecimal, otherwise decimal. 
OPENSSL_EXPORT ASN1_INTEGER *s2i_ASN1_INTEGER(const X509V3_EXT_METHOD *method, const char *value); -// i2s_ASN1_ENUMERATED returns a human-readable representation of |aint| as a -// newly-allocated, NUL-terminated string, or NULL on error. |method| is -// ignored. The caller must release the result with |OPENSSL_free| when done. +// i2s_ASN1_ENUMERATED returns a human-readable representation of `aint` as a +// newly-allocated, NUL-terminated string, or NULL on error. `method` is +// ignored. The caller must release the result with `OPENSSL_free` when done. OPENSSL_EXPORT char *i2s_ASN1_ENUMERATED(const X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *aint); -// X509V3_conf_free releases memory associated with |CONF_VALUE|. +// X509V3_conf_free releases memory associated with `CONF_VALUE`. OPENSSL_EXPORT void X509V3_conf_free(CONF_VALUE *val); -// i2v_GENERAL_NAME serializes |gen| as a |CONF_VALUE|. If |ret| is non-NULL, it -// appends the value to |ret| and returns |ret| on success or NULL on error. If -// it returns NULL, the caller is still responsible for freeing |ret|. If |ret| -// is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| containing the -// result. |method| is ignored. When done, the caller should release the result -// with |sk_CONF_VALUE_pop_free| and |X509V3_conf_free|. +// i2v_GENERAL_NAME serializes `gen` as a `CONF_VALUE`. If `ret` is non-NULL, it +// appends the value to `ret` and returns `ret` on success or NULL on error. If +// it returns NULL, the caller is still responsible for freeing `ret`. If `ret` +// is NULL, it returns a newly-allocated `STACK_OF(CONF_VALUE)` containing the +// result. `method` is ignored. When done, the caller should release the result +// with `sk_CONF_VALUE_pop_free` and `X509V3_conf_free`. // // Do not use this function. This is an internal implementation detail of the // human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. +// look at `gen` directly. 
OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME( const X509V3_EXT_METHOD *method, const GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret); -// i2v_GENERAL_NAMES serializes |gen| as a list of |CONF_VALUE|s. If |ret| is -// non-NULL, it appends the values to |ret| and returns |ret| on success or NULL +// i2v_GENERAL_NAMES serializes `gen` as a list of `CONF_VALUE`s. If `ret` is +// non-NULL, it appends the values to `ret` and returns `ret` on success or NULL // on error. If it returns NULL, the caller is still responsible for freeing -// |ret|. If |ret| is NULL, it returns a newly-allocated |STACK_OF(CONF_VALUE)| -// containing the results. |method| is ignored. +// `ret`. If `ret` is NULL, it returns a newly-allocated `STACK_OF(CONF_VALUE)` +// containing the results. `method` is ignored. // // Do not use this function. This is an internal implementation detail of the // human-readable print functions. If extracting a SAN list from a certificate, -// look at |gen| directly. +// look at `gen` directly. OPENSSL_EXPORT STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES( const X509V3_EXT_METHOD *method, const GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist); -// a2i_IPADDRESS decodes |ipasc| as the textual representation of an IPv4 or -// IPv6 address. On success, it returns a newly-allocated |ASN1_OCTET_STRING| +// a2i_IPADDRESS decodes `ipasc` as the textual representation of an IPv4 or +// IPv6 address. On success, it returns a newly-allocated `ASN1_OCTET_STRING` // containing the decoded IP address. IPv4 addresses are represented as 4-byte // strings and IPv6 addresses as 16-byte strings. On failure, it returns NULL. OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc); -// a2i_IPADDRESS_NC decodes |ipasc| as the textual representation of an IPv4 or +// a2i_IPADDRESS_NC decodes `ipasc` as the textual representation of an IPv4 or // IPv6 address range. 
On success, it returns a newly-allocated -// |ASN1_OCTET_STRING| containing the decoded IP address, followed by the +// `ASN1_OCTET_STRING` containing the decoded IP address, followed by the // decoded mask. IPv4 ranges are represented as 8-byte strings and IPv6 ranges // as 32-byte strings. On failure, it returns NULL. // 
@@ -5039,76 +5039,76 @@ OPENSSL_EXPORT ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc); // Deprecated functions. -// X509_get_notBefore returns |x509|'s notBefore time. Note this function is not -// const-correct for legacy reasons. Use |X509_get0_notBefore| or -// |X509_getm_notBefore| instead. +// X509_get_notBefore returns `x509`'s notBefore time. Note this function is not +// const-correct for legacy reasons. Use `X509_get0_notBefore` or +// `X509_getm_notBefore` instead. OPENSSL_EXPORT ASN1_TIME *X509_get_notBefore(const X509 *x509); -// X509_get_notAfter returns |x509|'s notAfter time. Note this function is not -// const-correct for legacy reasons. Use |X509_get0_notAfter| or -// |X509_getm_notAfter| instead. +// X509_get_notAfter returns `x509`'s notAfter time. Note this function is not +// const-correct for legacy reasons. Use `X509_get0_notAfter` or +// `X509_getm_notAfter` instead. OPENSSL_EXPORT ASN1_TIME *X509_get_notAfter(const X509 *x509); -// X509_set_notBefore calls |X509_set1_notBefore|. Use |X509_set1_notBefore| +// X509_set_notBefore calls `X509_set1_notBefore`. Use `X509_set1_notBefore` // instead. OPENSSL_EXPORT int X509_set_notBefore(X509 *x509, const ASN1_TIME *tm); -// X509_set_notAfter calls |X509_set1_notAfter|. Use |X509_set1_notAfter| +// X509_set_notAfter calls `X509_set1_notAfter`. Use `X509_set1_notAfter` // instead. OPENSSL_EXPORT int X509_set_notAfter(X509 *x509, const ASN1_TIME *tm); -// X509_CRL_get_lastUpdate returns a mutable pointer to |crl|'s thisUpdate time. +// X509_CRL_get_lastUpdate returns a mutable pointer to `crl`'s thisUpdate time. // The OpenSSL API refers to this field as lastUpdate. // -// Use |X509_CRL_get0_lastUpdate| or |X509_CRL_set1_lastUpdate| instead. +// Use `X509_CRL_get0_lastUpdate` or `X509_CRL_set1_lastUpdate` instead. OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); -// X509_CRL_get_nextUpdate returns a mutable pointer to |crl|'s nextUpdate time, -// or NULL if |crl| has none. 
Use |X509_CRL_get0_nextUpdate| or -// |X509_CRL_set1_nextUpdate| instead. +// X509_CRL_get_nextUpdate returns a mutable pointer to `crl`'s nextUpdate time, +// or NULL if `crl` has none. Use `X509_CRL_get0_nextUpdate` or +// `X509_CRL_set1_nextUpdate` instead. OPENSSL_EXPORT ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); -// X509_extract_key is a legacy alias to |X509_get_pubkey|. Use -// |X509_get_pubkey| instead. +// X509_extract_key is a legacy alias to `X509_get_pubkey`. Use +// `X509_get_pubkey` instead. #define X509_extract_key(x) X509_get_pubkey(x) -// X509_REQ_extract_key is a legacy alias for |X509_REQ_get_pubkey|. +// X509_REQ_extract_key is a legacy alias for `X509_REQ_get_pubkey`. #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) -// X509_name_cmp is a legacy alias for |X509_NAME_cmp|. +// X509_name_cmp is a legacy alias for `X509_NAME_cmp`. #define X509_name_cmp(a, b) X509_NAME_cmp((a), (b)) -// The following symbols are deprecated aliases to |X509_CRL_set1_*|. +// The following symbols are deprecated aliases to `X509_CRL_set1_*`. #define X509_CRL_set_lastUpdate X509_CRL_set1_lastUpdate #define X509_CRL_set_nextUpdate X509_CRL_set1_nextUpdate -// X509_get_serialNumber returns a mutable pointer to |x509|'s serial number. -// Prefer |X509_get0_serialNumber|. +// X509_get_serialNumber returns a mutable pointer to `x509`'s serial number. +// Prefer `X509_get0_serialNumber`. OPENSSL_EXPORT ASN1_INTEGER *X509_get_serialNumber(X509 *x509); -// X509_NAME_get_text_by_OBJ finds the first attribute with type |obj| in -// |name|. If found, it writes the value's UTF-8 representation to |buf|. +// X509_NAME_get_text_by_OBJ finds the first attribute with type `obj` in +// `name`. If found, it writes the value's UTF-8 representation to `buf`. // followed by a NUL byte, and returns the number of bytes in the output, // excluding the NUL byte. This is unlike OpenSSL which returns the raw -// ASN1_STRING data. 
The UTF-8 encoding of the |ASN1_STRING| may not contain a 0 +// ASN1_STRING data. The UTF-8 encoding of the `ASN1_STRING` may not contain a 0 // codepoint. // -// This function writes at most |len| bytes, including the NUL byte. If |buf| +// This function writes at most `len` bytes, including the NUL byte. If `buf` // is NULL, it writes nothing and returns the number of bytes in the // output, excluding the NUL byte that would be required for the full UTF-8 // output. // // This function may return -1 if an error occurs for any reason, including the -// value not being a recognized string type, |len| being of insufficient size to +// value not being a recognized string type, `len` being of insufficient size to // hold the full UTF-8 encoding and NUL byte, memory allocation failures, an -// object with type |obj| not existing in |name|, or if the UTF-8 encoding of +// object with type `obj` not existing in `name`, or if the UTF-8 encoding of // the string contains a zero byte. OPENSSL_EXPORT int X509_NAME_get_text_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, char *buf, int len); -// X509_NAME_get_text_by_NID behaves like |X509_NAME_get_text_by_OBJ| except it -// finds an attribute of type |nid|, which should be one of the |NID_*| +// X509_NAME_get_text_by_NID behaves like `X509_NAME_get_text_by_OBJ` except it +// finds an attribute of type `nid`, which should be one of the `NID_*` // constants. OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, char *buf, int len); 
@@ -5117,56 +5117,56 @@ OPENSSL_EXPORT int X509_NAME_get_text_by_NID(const X509_NAME *name, int nid, OPENSSL_EXPORT X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx( const X509_STORE_CTX *ctx); -// X509_OBJECT_free_contents sets |obj| to the empty object, freeing any values +// X509_OBJECT_free_contents sets `obj` to the empty object, freeing any values // that were previously there. // // TODO(davidben): Unexport this function after rust-openssl is fixed to no // longer call it. OPENSSL_EXPORT void X509_OBJECT_free_contents(X509_OBJECT *obj); -// X509_LOOKUP_free releases memory associated with |ctx|. This function should +// X509_LOOKUP_free releases memory associated with `ctx`. This function should // never be used outside the library. No function in the public API hands -// ownership of an |X509_LOOKUP| to the caller. +// ownership of an `X509_LOOKUP` to the caller. // // TODO(davidben): Unexport this function after rust-openssl is fixed to no // longer call it. OPENSSL_EXPORT void X509_LOOKUP_free(X509_LOOKUP *ctx); -// X509_STORE_CTX_cleanup resets |ctx| to the empty state. +// X509_STORE_CTX_cleanup resets `ctx` to the empty state. // -// This function is a remnant of when |X509_STORE_CTX| was stack-allocated and -// should not be used. If releasing |ctx|, call |X509_STORE_CTX_free|. If -// reusing |ctx| for a new verification, release the old one and create a new +// This function is a remnant of when `X509_STORE_CTX` was stack-allocated and +// should not be used. If releasing `ctx`, call `X509_STORE_CTX_free`. If +// reusing `ctx` for a new verification, release the old one and create a new // one. OPENSSL_EXPORT void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx); // X509V3_add_standard_extensions returns one. OPENSSL_EXPORT int X509V3_add_standard_extensions(void); -// The following symbols are legacy aliases for |X509_STORE_CTX| functions. +// The following symbols are legacy aliases for `X509_STORE_CTX` functions. 
#define X509_STORE_get_by_subject X509_STORE_CTX_get_by_subject #define X509_STORE_get1_certs X509_STORE_CTX_get1_certs #define X509_STORE_get1_crls X509_STORE_CTX_get1_crls -// X509_STORE_CTX_get_chain is a legacy alias for |X509_STORE_CTX_get0_chain|. +// X509_STORE_CTX_get_chain is a legacy alias for `X509_STORE_CTX_get0_chain`. OPENSSL_EXPORT STACK_OF(X509) *X509_STORE_CTX_get_chain( const X509_STORE_CTX *ctx); // X509_STORE_CTX_trusted_stack is a deprecated alias for -// |X509_STORE_CTX_set0_trusted_stack|. +// `X509_STORE_CTX_set0_trusted_stack`. OPENSSL_EXPORT void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); -// X509_STORE_CTX_set_verify_cb configures a callback function for |ctx| that is -// called multiple times during |X509_verify_cert|. The callback returns zero to -// fail verification and one to proceed. Typically, it will return |ok|, which -// preserves the default behavior. Returning one when |ok| is zero will proceed -// past some error. The callback may inspect |ctx| and the error queue to +// X509_STORE_CTX_set_verify_cb configures a callback function for `ctx` that is +// called multiple times during `X509_verify_cert`. The callback returns zero to +// fail verification and one to proceed. Typically, it will return `ok`, which +// preserves the default behavior. Returning one when `ok` is zero will proceed +// past some error. The callback may inspect `ctx` and the error queue to // attempt to determine the current stage of certificate verification, but this // is often unreliable. When synthesizing an error, callbacks should use -// |X509_STORE_CTX_set_error| to set a corresponding error. +// `X509_STORE_CTX_set_error` to set a corresponding error. // // WARNING: Do not use this function. It is extremely fragile and unpredictable. // This callback exposes implementation details of certificate verification, 
@@ -5174,36 +5174,36 @@ typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *); // can introduce vulnerabilities if making incorrect assumptions about when the // callback is called. Some errors, when suppressed, may implicitly suppress // other errors due to internal implementation details. Additionally, overriding -// |ok| may leave |ctx| in an inconsistent state and break invariants. +// `ok` may leave `ctx` in an inconsistent state and break invariants. // // Instead, customize certificate verification by configuring options on the -// |X509_STORE_CTX| before verification, or applying additional checks after -// |X509_verify_cert| completes successfully. +// `X509_STORE_CTX` before verification, or applying additional checks after +// `X509_verify_cert` completes successfully. OPENSSL_EXPORT void X509_STORE_CTX_set_verify_cb( X509_STORE_CTX *ctx, int (*verify_cb)(int ok, X509_STORE_CTX *ctx)); -// X509_STORE_set_verify_cb acts like |X509_STORE_CTX_set_verify_cb| but sets -// the verify callback for any |X509_STORE_CTX| created from this |X509_STORE| +// X509_STORE_set_verify_cb acts like `X509_STORE_CTX_set_verify_cb` but sets +// the verify callback for any `X509_STORE_CTX` created from this `X509_STORE` // -// Do not use this function. See |X509_STORE_CTX_set_verify_cb| for details. +// Do not use this function. See `X509_STORE_CTX_set_verify_cb` for details. OPENSSL_EXPORT void X509_STORE_set_verify_cb( X509_STORE *store, X509_STORE_CTX_verify_cb verify_cb); // X509_STORE_set_verify_cb_func is a deprecated alias for -// |X509_STORE_set_verify_cb|. +// `X509_STORE_set_verify_cb`. #define X509_STORE_set_verify_cb_func(store, func) \ X509_STORE_set_verify_cb((store), (func)) -// X509_STORE_CTX_set_chain configures |ctx| to use |sk| for untrusted +// X509_STORE_CTX_set_chain configures `ctx` to use `sk` for untrusted // intermediate certificates to use in verification. This function is redundant -// with the |chain| parameter of |X509_STORE_CTX_init|. 
Use the parameter +// with the `chain` parameter of `X509_STORE_CTX_init`. Use the parameter // instead. // // WARNING: Despite the similar name, this function is unrelated to -// |X509_STORE_CTX_get0_chain|. +// `X509_STORE_CTX_get0_chain`. // -// WARNING: This function saves a pointer to |sk| without copying or -// incrementing reference counts. |sk| must outlive |ctx| and may not be mutated +// WARNING: This function saves a pointer to `sk` without copying or +// incrementing reference counts. `sk` must outlive `ctx` and may not be mutated // for the duration of the certificate verification. OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk); 
@@ -5219,43 +5219,43 @@ OPENSSL_EXPORT void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, // always enabled. #define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0 -// X509_STORE_get0_objects returns a non-owning pointer of |store|'s internal +// X509_STORE_get0_objects returns a non-owning pointer of `store`'s internal // object list. Although this function is not const, callers must not modify // the result of this function. // -// WARNING: This function is not thread-safe. If |store| is shared across +// WARNING: This function is not thread-safe. If `store` is shared across // multiple threads, callers cannot safely inspect the result of this function, // because another thread may have concurrently added to it. In particular, -// |X509_LOOKUP_add_dir| treats this list as a cache and may add to it in the +// `X509_LOOKUP_add_dir` treats this list as a cache and may add to it in the // course of certificate verification. This API additionally prevents fixing -// some quadratic worst-case behavior in |X509_STORE| and may be removed in the -// future. Use |X509_STORE_get1_objects| instead. +// some quadratic worst-case behavior in `X509_STORE` and may be removed in the +// future. Use `X509_STORE_get1_objects` instead. OPENSSL_EXPORT STACK_OF(X509_OBJECT) *X509_STORE_get0_objects( X509_STORE *store); -// X509_PURPOSE_get_by_sname returns the |X509_PURPOSE_*| constant corresponding -// a short name |sname|, or -1 if |sname| was not recognized. +// X509_PURPOSE_get_by_sname returns the `X509_PURPOSE_*` constant corresponding +// a short name `sname`, or -1 if `sname` was not recognized. // -// Use |X509_PURPOSE_*| constants directly instead. The short names used by this +// Use `X509_PURPOSE_*` constants directly instead. The short names used by this // function look like "sslserver" or "smimeencrypt", so they do not make // especially good APIs. 
// // This function differs from OpenSSL, which returns an "index" to be passed to -// |X509_PURPOSE_get0|, followed by |X509_PURPOSE_get_id|, to finally obtain an -// |X509_PURPOSE_*| value suitable for use with |X509_VERIFY_PARAM_set_purpose|. +// `X509_PURPOSE_get0`, followed by `X509_PURPOSE_get_id`, to finally obtain an +// `X509_PURPOSE_*` value suitable for use with `X509_VERIFY_PARAM_set_purpose`. OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(const char *sname); -// X509_PURPOSE_get0 returns the |X509_PURPOSE| object corresponding to |id|, -// which should be one of the |X509_PURPOSE_*| constants, or NULL if none +// X509_PURPOSE_get0 returns the `X509_PURPOSE` object corresponding to `id`, +// which should be one of the `X509_PURPOSE_*` constants, or NULL if none // exists. // // This function differs from OpenSSL, which takes an "index", returned from -// |X509_PURPOSE_get_by_sname|. In BoringSSL, indices and |X509_PURPOSE_*| IDs +// `X509_PURPOSE_get_by_sname`. In BoringSSL, indices and `X509_PURPOSE_*` IDs // are the same. OPENSSL_EXPORT const X509_PURPOSE *X509_PURPOSE_get0(int id); -// X509_PURPOSE_get_id returns |purpose|'s ID. This will be one of the -// |X509_PURPOSE_*| constants. +// X509_PURPOSE_get_id returns `purpose`'s ID. This will be one of the +// `X509_PURPOSE_*` constants. OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *purpose); // The following constants are values for the legacy Netscape certificate type @@ -5306,6 +5306,7 @@ BORINGSSL_MAKE_DELETER(NETSCAPE_SPKI, NETSCAPE_SPKI_free) BORINGSSL_MAKE_DELETER(POLICY_CONSTRAINTS, POLICY_CONSTRAINTS_free) BORINGSSL_MAKE_DELETER(POLICY_MAPPING, POLICY_MAPPING_free) BORINGSSL_MAKE_DELETER(POLICYINFO, POLICYINFO_free) +BORINGSSL_MAKE_DELETER(POLICYQUALINFO, POLICYQUALINFO_free) BORINGSSL_MAKE_DELETER(RSA_PSS_PARAMS, RSA_PSS_PARAMS_free) BORINGSSL_MAKE_DELETER(X509, X509_free) BORINGSSL_MAKE_UP_REF(X509, X509_up_ref) 
diff --git a/third_party/boringssl/src/include/openssl/x509v3.h b/third_party/boringssl/src/include/openssl/x509v3.h index 3e8a7beb..838e855c 100644 --- a/third_party/boringssl/src/include/openssl/x509v3.h +++ b/third_party/boringssl/src/include/openssl/x509v3.h @@ -46,7 +46,7 @@ // Deprecated constants. -// The following constants are legacy aliases for |X509v3_KU_*|. They are +// The following constants are legacy aliases for `X509v3_KU_*`. They are // defined here instead of in because NSS's public headers use // the same symbols. Some callers have inadvertently relied on the conflicts // only being defined in this header. diff --git a/third_party/boringssl/src/include/openssl/xwing.h b/third_party/boringssl/src/include/openssl/xwing.h index a270637a..59f884ba 100644 --- a/third_party/boringssl/src/include/openssl/xwing.h +++ b/third_party/boringssl/src/include/openssl/xwing.h 
@@ -54,29 +54,29 @@ struct XWING_private_key { // XWING_generate_key generates a random public/private key pair, writes the -// encoded public key to |out_encoded_public_key| and the private key to -// |out_private_key|. Returns one on success and zero on error. +// encoded public key to `out_encoded_public_key` and the private key to +// `out_private_key`. Returns one on success and zero on error. OPENSSL_EXPORT int XWING_generate_key( uint8_t out_encoded_public_key[XWING_PUBLIC_KEY_BYTES], struct XWING_private_key *out_private_key); -// XWING_public_from_private sets |out_encoded_public_key| to the public key -// that corresponds to |private_key|. Returns one on success and zero on error. +// XWING_public_from_private sets `out_encoded_public_key` to the public key +// that corresponds to `private_key`. Returns one on success and zero on error. OPENSSL_EXPORT int XWING_public_from_private( uint8_t out_encoded_public_key[XWING_PUBLIC_KEY_BYTES], const struct XWING_private_key *private_key); -// XWING_encap encapsulates a random shared secret for |encoded_public_key|, -// writes the ciphertext to |out_ciphertext|, and writes the random shared -// secret to |out_shared_secret|. Returns one on success and zero on error. +// XWING_encap encapsulates a random shared secret for `encoded_public_key`, +// writes the ciphertext to `out_ciphertext`, and writes the random shared +// secret to `out_shared_secret`. Returns one on success and zero on error. OPENSSL_EXPORT int XWING_encap( uint8_t out_ciphertext[XWING_CIPHERTEXT_BYTES], uint8_t out_shared_secret[XWING_SHARED_SECRET_BYTES], const uint8_t encoded_public_key[XWING_PUBLIC_KEY_BYTES]); // XWING_encap_external_entropy encapsulates the shared secret for the given -// |eseed| entropy using |encoded_public_key|, writes the ciphertext to -// |out_ciphertext|, and writes the random shared secret to |out_shared_secret|. 
+// `eseed` entropy using `encoded_public_key`, writes the ciphertext to +// `out_ciphertext`, and writes the random shared secret to `out_shared_secret`. // Returns one on success and zero on error. OPENSSL_EXPORT int XWING_encap_external_entropy( uint8_t out_ciphertext[XWING_CIPHERTEXT_BYTES], @@ -84,8 +84,8 @@ OPENSSL_EXPORT int XWING_encap_external_entropy( const uint8_t encoded_public_key[XWING_PUBLIC_KEY_BYTES], const uint8_t eseed[64]); -// XWING_decap decapsulates a shared secret from |ciphertext| using -// |private_key| and writes it to |out_shared_secret|. Returns one on success +// XWING_decap decapsulates a shared secret from `ciphertext` using +// `private_key` and writes it to `out_shared_secret`. Returns one on success // and zero on error. OPENSSL_EXPORT int XWING_decap( uint8_t out_shared_secret[XWING_SHARED_SECRET_BYTES], @@ -94,16 +94,16 @@ OPENSSL_EXPORT int XWING_decap( // Serialisation of keys. -// XWING_marshal_private_key serializes |private_key| to |out| in the standard +// XWING_marshal_private_key serializes `private_key` to `out` in the standard // format for X-Wing private keys. It returns one on success or zero on // allocation error. OPENSSL_EXPORT int XWING_marshal_private_key( CBB *out, const struct XWING_private_key *private_key); // XWING_parse_private_key parses a private key in the standard format for -// X-Wing private keys from |in| and writes the result to |out_public_key|. It +// X-Wing private keys from `in` and writes the result to `out_public_key`. It // returns one on success or zero on parse error or if there are trailing bytes -// in |in|. +// in `in`. OPENSSL_EXPORT int XWING_parse_private_key( struct XWING_private_key *out_private_key, CBS *in); diff --git a/third_party/boringssl/src/third_party/fiat/bedrock_unverified_platform.c.inc b/third_party/boringssl/src/third_party/fiat/bedrock_unverified_platform.c.inc index d2b03c1f..cb9490a1 100644 
--- a/third_party/boringssl/src/third_party/fiat/bedrock_unverified_platform.c.inc
+++ b/third_party/boringssl/src/third_party/fiat/bedrock_unverified_platform.c.inc
@@ -118,6 +118,16 @@ static inline br_word_t br_cmov(br_word_t c, br_word_t vnz, br_word_t vz) {
 : [vz] "r"(vz), [c] "r"(c)
 : "cc");
 return vnz;
+#elif !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) && \
+ defined(__aarch64__)
+ br_word_t ret;
+ __asm__(
+ "cmp %[c], #0\n"
+ "csel %[ret], %[vz], %[vnz], EQ"
+ : [ret] "=r"(ret)
+ : [vz] "r"(vz), [vnz] "r"(vnz), [c] "r"(c)
+ : "cc");
+ return ret;
 #else
 br_word_t m = br_broadcast_nonzero(c);
 return (m & vnz) | (~m & vz);
diff --git a/third_party/boringssl/src/third_party/fiat/p256_64.h b/third_party/boringssl/src/third_party/fiat/p256_64.h
index 8cad1695..ee07a458 100644
--- a/third_party/boringssl/src/third_party/fiat/p256_64.h
+++ b/third_party/boringssl/src/third_party/fiat/p256_64.h
@@ -1,15 +1,3 @@ -#include -#include "bedrock_unverified_platform.c.inc" -#include "p256_field_64.br.c.inc" -#include "../../crypto/internal.h" - -#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) -extern "C" { -void fiat_p256_adx_mul(uint64_t*, const uint64_t*, const uint64_t*); -void fiat_p256_adx_sqr(uint64_t*, const uint64_t*); -} -#endif - /* Autogenerated: 'src/ExtractionOCaml/word_by_word_montgomery' --inline --static --use-value-barrier p256 64 '2^256 - 2^224 + 2^192 + 2^96 - 1' mul square add sub opp from_montgomery to_montgomery nonzero selectznz to_bytes from_bytes one msat divstep divstep_precomp */ /* curve description: p256 */ /* machine_wordsize = 64 (from "64") */
@@ -177,14 +165,6 @@ static FIAT_P256_FIAT_INLINE void fiat_p256_cmovznz_u64(uint64_t* out1, fiat_p25 * */ static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1, const fiat_p256_montgomery_domain_field_element arg2) { - // NOTE: edited by hand, see third_party/fiat/README.md -#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) - if (bssl::CRYPTO_is_BMI1_capable() && bssl::CRYPTO_is_BMI2_capable() && - bssl::CRYPTO_is_ADX_capable()) { - fiat_p256_adx_mul(out1, arg1, arg2); - return; - } -#endif uint64_t x1; uint64_t x2; uint64_t x3; @@ -492,14 +472,6 @@ static FIAT_P256_FIAT_INLINE void fiat_p256_mul(fiat_p256_montgomery_domain_fiel * */ static FIAT_P256_FIAT_INLINE void fiat_p256_square(fiat_p256_montgomery_domain_field_element out1, const fiat_p256_montgomery_domain_field_element arg1) { - // NOTE: edited by hand, see third_party/fiat/README.md -#if !defined(OPENSSL_NO_ASM) && defined(__GNUC__) && defined(__x86_64__) - if (bssl::CRYPTO_is_BMI1_capable() && bssl::CRYPTO_is_BMI2_capable() && - bssl::CRYPTO_is_ADX_capable()) { - fiat_p256_adx_sqr(out1, arg1); - return; - } -#endif uint64_t x1; uint64_t x2; uint64_t x3; diff --git a/third_party/boringssl/src/third_party/fiat/p256_64_msvc.h b/third_party/boringssl/src/third_party/fiat/p256_64_msvc.h index aff43d35..abed672b 100644 --- a/third_party/boringssl/src/third_party/fiat/p256_64_msvc.h +++ b/third_party/boringssl/src/third_party/fiat/p256_64_msvc.h @@ -17,8 +17,6 @@ /* twos_complement_eval z = let x1 := z[0] + (z[1] << 64) + (z[2] << 128) + (z[3] << 192) in */ /* if x1 & (2^256-1) < 2^255 then x1 & (2^256-1) else (x1 & (2^256-1)) - 2^256 */ -#include "bedrock_unverified_platform.c.inc" -#include "p256_field_64.br.c.inc" #include #include #if defined(_M_X64) 
diff --git a/third_party/boringssl/src/third_party/fiat/p256_field.c.inc b/third_party/boringssl/src/third_party/fiat/p256_field.c.inc
deleted file mode 100644
index bbd25de8..00000000
--- a/third_party/boringssl/src/third_party/fiat/p256_field.c.inc
+++ /dev/null
@@ -1,26 +0,0 @@
-#include
-#include "bedrock_unverified_platform.c.inc"
-
-#if defined(BORINGSSL_HAS_UINT128)
-#include "p256_64.h"
-#elif defined(OPENSSL_64_BIT)
-#include "p256_64_msvc.h"
-#else
-#include "p256_field_32.br.c.inc"
-#include "p256_32.h"
-// the 32-bit Bedrock-generated field halving calls Fiat-C code for add, sub
-static inline void p256_coord_add(br_word_t out, br_word_t x, br_word_t y) {
- fiat_p256_add((uint32_t*)out, (const uint32_t*)x, (const uint32_t*)y);
-}
-static inline void p256_coord_sub(br_word_t out, br_word_t x, br_word_t y) {
- fiat_p256_sub((uint32_t*)out, (const uint32_t*)x, (const uint32_t*)y);
-}
-#endif
-
-// the Bedrock-generated point operations call Fiat-C or Fiat-x86 mul, sqr
-static inline void p256_coord_mul(br_word_t out, br_word_t x, br_word_t y) {
- fiat_p256_mul((br_word_t*)out, (const br_word_t*)x, (const br_word_t*)y);
-}
-static inline void p256_coord_sqr(br_word_t out, br_word_t x) {
- fiat_p256_square((br_word_t*)out, (const br_word_t*)x);
-}
diff --git a/third_party/boringssl/src/third_party/fiat/p256_point.br.c.inc b/third_party/boringssl/src/third_party/fiat/p256_point.br.c.inc
index 117547bd..49280348 100644
--- a/third_party/boringssl/src/third_party/fiat/p256_point.br.c.inc
+++ b/third_party/boringssl/src/third_party/fiat/p256_point.br.c.inc
@@ -110,3 +110,57 @@ static inline void p256_point_add_vartime_if_doubling(br_word_t p_out, br_word_t } br_memcpy(p_out, p_sel, (br_word_t)96); } + +static inline br_word_t p256_point_add_affine_nz_nz_neq(br_word_t p_out, br_word_t p_P, br_word_t p_Q) { + br_word_t z1z1, Hsqr, ok, different_x, different_y, u2, Hcub, r, h, s2; + uint8_t _br_stackalloc_z1z1[32] = {0}; z1z1 = (br_word_t)&_br_stackalloc_z1z1; + uint8_t _br_stackalloc_u2[32] = {0}; u2 = (br_word_t)&_br_stackalloc_u2; + uint8_t _br_stackalloc_h[32] = {0}; h = (br_word_t)&_br_stackalloc_h; + uint8_t _br_stackalloc_s2[32] = {0}; s2 = (br_word_t)&_br_stackalloc_s2; + uint8_t _br_stackalloc_r[32] = {0}; r = (br_word_t)&_br_stackalloc_r; + uint8_t _br_stackalloc_Hsqr[32] = {0}; Hsqr = (br_word_t)&_br_stackalloc_Hsqr; + uint8_t _br_stackalloc_Hcub[32] = {0}; Hcub = (br_word_t)&_br_stackalloc_Hcub; + p256_coord_sqr(z1z1, (p_P+32)+32); + p256_coord_mul(u2, p_Q, z1z1); + p256_coord_sub(h, u2, p_P); + p256_coord_mul(s2, (p_P+32)+32, z1z1); + p256_coord_mul((p_out+32)+32, h, (p_P+32)+32); + p256_coord_mul(s2, s2, p_Q+32); + p256_coord_sub(r, s2, p_P+32); + p256_coord_sqr(Hsqr, h); + p256_coord_sqr(p_out, r); + p256_coord_mul(Hcub, Hsqr, h); + p256_coord_mul(u2, p_P, Hsqr); + different_x = p256_coord_nonzero(Hcub); + different_y = p256_coord_nonzero(p_out); + ok = br_value_barrier(different_x|different_y); + p256_coord_sub(p_out, p_out, Hcub); + p256_coord_sub(p_out, p_out, u2); + p256_coord_sub(p_out, p_out, u2); + p256_coord_sub(h, u2, p_out); + p256_coord_mul(s2, Hcub, p_P+32); + p256_coord_mul(h, h, r); + p256_coord_sub(p_out+32, h, s2); + return ok; +} + +static inline void p256_point_add_affinenz_conditional_vartime_if_doubling(br_word_t p_out, br_word_t p_P, br_word_t p_Q, br_word_t c) { + br_word_t nzQ, p_tmp, zeroP, zeroQ, ok, p_buf; + zeroP = p256_point_iszero(p_P); + nzQ = br_broadcast_nonzero(c); + zeroQ = ~nzQ; + uint8_t _br_stackalloc_p_tmp[96] = {0}; p_tmp = (br_word_t)&_br_stackalloc_p_tmp; + ok = 
p256_point_add_affine_nz_nz_neq(p_tmp, p_P, p_Q); + ok = br_declassify((zeroP|zeroQ)|ok); + uint8_t _br_stackalloc_p_buf[96] = {0}; p_buf = (br_word_t)&_br_stackalloc_p_buf; + br_memset(p_buf, (br_word_t)0, (br_word_t)3*32); + br_memcxor(p_buf, p_tmp, (br_word_t)3*32, (~zeroP)&(~zeroQ)); + br_memcxor(p_buf, p_P, (br_word_t)3*32, (~zeroP)&zeroQ); + br_memcxor(p_buf, p_Q, (br_word_t)3*32, zeroP&(~zeroQ)); + if (ok) { + /*skip*/ + } else { + p256_point_double(p_buf, p_P); + } + br_memcpy(p_out, p_buf, (br_word_t)96); +}
diff --git a/tool/REVISION b/tool/REVISION
index 574301ba..d0b38d54 100644
--- a/tool/REVISION
+++ b/tool/REVISION
@@ -1 +1 @@
-5ee9407bc28dd9086507f02851886a185088f3a0
+825a42ab64264250e13bc4b94155d10ed9d92298