1 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
2 | * All rights reserved. |
3 | * |
4 | * This package is an SSL implementation written |
5 | * by Eric Young (eay@cryptsoft.com). |
6 | * The implementation was written so as to conform with Netscapes SSL. |
7 | * |
8 | * This library is free for commercial and non-commercial use as long as |
9 | * the following conditions are aheared to. The following conditions |
10 | * apply to all code found in this distribution, be it the RC4, RSA, |
11 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
12 | * included with this distribution is covered by the same copyright terms |
13 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
14 | * |
15 | * Copyright remains Eric Young's, and as such any Copyright notices in |
16 | * the code are not to be removed. |
17 | * If this package is used in a product, Eric Young should be given attribution |
18 | * as the author of the parts of the library used. |
19 | * This can be in the form of a textual message at program startup or |
20 | * in documentation (online or textual) provided with the package. |
21 | * |
22 | * Redistribution and use in source and binary forms, with or without |
23 | * modification, are permitted provided that the following conditions |
24 | * are met: |
25 | * 1. Redistributions of source code must retain the copyright |
26 | * notice, this list of conditions and the following disclaimer. |
27 | * 2. Redistributions in binary form must reproduce the above copyright |
28 | * notice, this list of conditions and the following disclaimer in the |
29 | * documentation and/or other materials provided with the distribution. |
30 | * 3. All advertising materials mentioning features or use of this software |
31 | * must display the following acknowledgement: |
32 | * "This product includes cryptographic software written by |
33 | * Eric Young (eay@cryptsoft.com)" |
34 | * The word 'cryptographic' can be left out if the rouines from the library |
35 | * being used are not cryptographic related :-). |
36 | * 4. If you include any Windows specific code (or a derivative thereof) from |
37 | * the apps directory (application code) you must include an acknowledgement: |
38 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
39 | * |
40 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
41 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
42 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
43 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
44 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
45 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
46 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
47 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
48 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
49 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
50 | * SUCH DAMAGE. |
51 | * |
52 | * The licence and distribution terms for any publically available version or |
53 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
54 | * copied and put under another distribution licence |
55 | * [including the GNU Public Licence.] |
56 | */ |
57 | /* ==================================================================== |
58 | * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. |
59 | * |
60 | * Redistribution and use in source and binary forms, with or without |
61 | * modification, are permitted provided that the following conditions |
62 | * are met: |
63 | * |
64 | * 1. Redistributions of source code must retain the above copyright |
65 | * notice, this list of conditions and the following disclaimer. |
66 | * |
67 | * 2. Redistributions in binary form must reproduce the above copyright |
68 | * notice, this list of conditions and the following disclaimer in |
69 | * the documentation and/or other materials provided with the |
70 | * distribution. |
71 | * |
72 | * 3. All advertising materials mentioning features or use of this |
73 | * software must display the following acknowledgment: |
74 | * "This product includes software developed by the OpenSSL Project |
75 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
76 | * |
77 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
78 | * endorse or promote products derived from this software without |
79 | * prior written permission. For written permission, please contact |
80 | * openssl-core@openssl.org. |
81 | * |
82 | * 5. Products derived from this software may not be called "OpenSSL" |
83 | * nor may "OpenSSL" appear in their names without prior written |
84 | * permission of the OpenSSL Project. |
85 | * |
86 | * 6. Redistributions of any form whatsoever must retain the following |
87 | * acknowledgment: |
88 | * "This product includes software developed by the OpenSSL Project |
89 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
90 | * |
91 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
92 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
93 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
94 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
95 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
96 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
97 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
98 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
99 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
100 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
101 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
102 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
103 | * ==================================================================== |
104 | * |
105 | * This product includes cryptographic software written by Eric Young |
106 | * (eay@cryptsoft.com). This product includes software written by Tim |
107 | * Hudson (tjh@cryptsoft.com). */ |
108 | |
109 | #ifndef OPENSSL_HEADER_CRYPTO_INTERNAL_H |
110 | #define |
111 | |
112 | #include <openssl/ex_data.h> |
113 | #include <openssl/stack.h> |
114 | #include <openssl/thread.h> |
115 | |
116 | #include <assert.h> |
117 | #include <string.h> |
118 | |
119 | #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION) |
120 | #include <valgrind/memcheck.h> |
121 | #endif |
122 | |
123 | #if !defined(__cplusplus) |
124 | #if defined(_MSC_VER) |
125 | #define alignas(x) __declspec(align(x)) |
126 | #define alignof __alignof |
127 | #else |
128 | #include <stdalign.h> |
129 | #endif |
130 | #endif |
131 | |
132 | #if defined(OPENSSL_THREADS) && \ |
133 | (!defined(OPENSSL_WINDOWS) || defined(__MINGW32__)) |
134 | #include <pthread.h> |
135 | #define OPENSSL_PTHREADS |
136 | #endif |
137 | |
138 | #if defined(OPENSSL_THREADS) && !defined(OPENSSL_PTHREADS) && \ |
139 | defined(OPENSSL_WINDOWS) |
140 | #define OPENSSL_WINDOWS_THREADS |
141 | OPENSSL_MSVC_PRAGMA(warning(push, 3)) |
142 | #include <windows.h> |
143 | OPENSSL_MSVC_PRAGMA(warning(pop)) |
144 | #endif |
145 | |
146 | #if defined(__cplusplus) |
147 | extern "C" { |
148 | #endif |
149 | |
150 | |
151 | #if defined(OPENSSL_X86) || defined(OPENSSL_X86_64) || defined(OPENSSL_ARM) || \ |
152 | defined(OPENSSL_AARCH64) || defined(OPENSSL_PPC64LE) |
153 | // OPENSSL_cpuid_setup initializes the platform-specific feature cache. |
154 | void OPENSSL_cpuid_setup(void); |
155 | #endif |
156 | |
157 | #if (defined(OPENSSL_ARM) || defined(OPENSSL_AARCH64)) && \ |
158 | !defined(OPENSSL_STATIC_ARMCAP) |
159 | // OPENSSL_get_armcap_pointer_for_test returns a pointer to |OPENSSL_armcap_P| |
160 | // for unit tests. Any modifications to the value must be made after |
161 | // |CRYPTO_library_init| but before any other function call in BoringSSL. |
162 | OPENSSL_EXPORT uint32_t *OPENSSL_get_armcap_pointer_for_test(void); |
163 | #endif |
164 | |
165 | |
166 | #if (!defined(_MSC_VER) || defined(__clang__)) && defined(OPENSSL_64_BIT) |
167 | #define BORINGSSL_HAS_UINT128 |
168 | typedef __int128_t int128_t; |
169 | typedef __uint128_t uint128_t; |
170 | |
171 | // clang-cl supports __uint128_t but modulus and division don't work. |
172 | // https://crbug.com/787617. |
173 | #if !defined(_MSC_VER) || !defined(__clang__) |
174 | #define BORINGSSL_CAN_DIVIDE_UINT128 |
175 | #endif |
176 | #endif |
177 | |
178 | #define OPENSSL_ARRAY_SIZE(array) (sizeof(array) / sizeof((array)[0])) |
179 | |
180 | // Have a generic fall-through for different versions of C/C++. |
181 | #if defined(__cplusplus) && __cplusplus >= 201703L |
182 | #define OPENSSL_FALLTHROUGH [[fallthrough]] |
183 | #elif defined(__cplusplus) && __cplusplus >= 201103L && defined(__clang__) |
184 | #define OPENSSL_FALLTHROUGH [[clang::fallthrough]] |
185 | #elif defined(__cplusplus) && __cplusplus >= 201103L && defined(__GNUC__) && \ |
186 | __GNUC__ >= 7 |
187 | #define OPENSSL_FALLTHROUGH [[gnu::fallthrough]] |
188 | #elif defined(__GNUC__) && __GNUC__ >= 7 // gcc 7 |
189 | #define OPENSSL_FALLTHROUGH __attribute__ ((fallthrough)) |
190 | #else // C++11 on gcc 6, and all other cases |
191 | #define OPENSSL_FALLTHROUGH |
192 | #endif |
193 | |
194 | // buffers_alias returns one if |a| and |b| alias and zero otherwise. |
195 | static inline int buffers_alias(const uint8_t *a, size_t a_len, |
196 | const uint8_t *b, size_t b_len) { |
197 | // Cast |a| and |b| to integers. In C, pointer comparisons between unrelated |
198 | // objects are undefined whereas pointer to integer conversions are merely |
199 | // implementation-defined. We assume the implementation defined it in a sane |
200 | // way. |
201 | uintptr_t a_u = (uintptr_t)a; |
202 | uintptr_t b_u = (uintptr_t)b; |
203 | return a_u + a_len > b_u && b_u + b_len > a_u; |
204 | } |
205 | |
206 | |
207 | // Constant-time utility functions. |
208 | // |
209 | // The following methods return a bitmask of all ones (0xff...f) for true and 0 |
210 | // for false. This is useful for choosing a value based on the result of a |
211 | // conditional in constant time. For example, |
212 | // |
213 | // if (a < b) { |
214 | // c = a; |
215 | // } else { |
216 | // c = b; |
217 | // } |
218 | // |
219 | // can be written as |
220 | // |
221 | // crypto_word_t lt = constant_time_lt_w(a, b); |
222 | // c = constant_time_select_w(lt, a, b); |
223 | |
224 | // crypto_word_t is the type that most constant-time functions use. Ideally we |
225 | // would like it to be |size_t|, but NaCl builds in 64-bit mode with 32-bit |
226 | // pointers, which means that |size_t| can be 32 bits when |BN_ULONG| is 64 |
227 | // bits. Since we want to be able to do constant-time operations on a |
228 | // |BN_ULONG|, |crypto_word_t| is defined as an unsigned value with the native |
229 | // word length. |
230 | #if defined(OPENSSL_64_BIT) |
231 | typedef uint64_t crypto_word_t; |
232 | #elif defined(OPENSSL_32_BIT) |
233 | typedef uint32_t crypto_word_t; |
234 | #else |
235 | #error "Must define either OPENSSL_32_BIT or OPENSSL_64_BIT" |
236 | #endif |
237 | |
238 | #define CONSTTIME_TRUE_W ~((crypto_word_t)0) |
239 | #define CONSTTIME_FALSE_W ((crypto_word_t)0) |
240 | #define CONSTTIME_TRUE_8 ((uint8_t)0xff) |
241 | #define CONSTTIME_FALSE_8 ((uint8_t)0) |
242 | |
243 | // value_barrier_w returns |a|, but prevents GCC and Clang from reasoning about |
244 | // the returned value. This is used to mitigate compilers undoing constant-time |
245 | // code, until we can express our requirements directly in the language. |
246 | // |
247 | // Note the compiler is aware that |value_barrier_w| has no side effects and |
248 | // always has the same output for a given input. This allows it to eliminate |
249 | // dead code, move computations across loops, and vectorize. |
250 | static inline crypto_word_t value_barrier_w(crypto_word_t a) { |
251 | #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) |
252 | __asm__("" : "+r" (a) : /* no inputs */); |
253 | #endif |
254 | return a; |
255 | } |
256 | |
257 | // value_barrier_u32 behaves like |value_barrier_w| but takes a |uint32_t|. |
258 | static inline uint32_t value_barrier_u32(uint32_t a) { |
259 | #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) |
260 | __asm__("" : "+r" (a) : /* no inputs */); |
261 | #endif |
262 | return a; |
263 | } |
264 | |
265 | // value_barrier_u64 behaves like |value_barrier_w| but takes a |uint64_t|. |
266 | static inline uint64_t value_barrier_u64(uint64_t a) { |
267 | #if !defined(OPENSSL_NO_ASM) && (defined(__GNUC__) || defined(__clang__)) |
268 | __asm__("" : "+r" (a) : /* no inputs */); |
269 | #endif |
270 | return a; |
271 | } |
272 | |
273 | // constant_time_msb_w returns the given value with the MSB copied to all the |
274 | // other bits. |
275 | static inline crypto_word_t constant_time_msb_w(crypto_word_t a) { |
276 | return 0u - (a >> (sizeof(a) * 8 - 1)); |
277 | } |
278 | |
279 | // constant_time_lt_w returns 0xff..f if a < b and 0 otherwise. |
280 | static inline crypto_word_t constant_time_lt_w(crypto_word_t a, |
281 | crypto_word_t b) { |
282 | // Consider the two cases of the problem: |
283 | // msb(a) == msb(b): a < b iff the MSB of a - b is set. |
284 | // msb(a) != msb(b): a < b iff the MSB of b is set. |
285 | // |
286 | // If msb(a) == msb(b) then the following evaluates as: |
287 | // msb(a^((a^b)|((a-b)^a))) == |
288 | // msb(a^((a-b) ^ a)) == (because msb(a^b) == 0) |
289 | // msb(a^a^(a-b)) == (rearranging) |
290 | // msb(a-b) (because ∀x. x^x == 0) |
291 | // |
292 | // Else, if msb(a) != msb(b) then the following evaluates as: |
293 | // msb(a^((a^b)|((a-b)^a))) == |
294 | // msb(a^(𝟙 | ((a-b)^a))) == (because msb(a^b) == 1 and 𝟙 |
295 | // represents a value s.t. msb(𝟙) = 1) |
296 | // msb(a^𝟙) == (because ORing with 1 results in 1) |
297 | // msb(b) |
298 | // |
299 | // |
300 | // Here is an SMT-LIB verification of this formula: |
301 | // |
302 | // (define-fun lt ((a (_ BitVec 32)) (b (_ BitVec 32))) (_ BitVec 32) |
303 | // (bvxor a (bvor (bvxor a b) (bvxor (bvsub a b) a))) |
304 | // ) |
305 | // |
306 | // (declare-fun a () (_ BitVec 32)) |
307 | // (declare-fun b () (_ BitVec 32)) |
308 | // |
309 | // (assert (not (= (= #x00000001 (bvlshr (lt a b) #x0000001f)) (bvult a b)))) |
310 | // (check-sat) |
311 | // (get-model) |
312 | return constant_time_msb_w(a^((a^b)|((a-b)^a))); |
313 | } |
314 | |
315 | // constant_time_lt_8 acts like |constant_time_lt_w| but returns an 8-bit |
316 | // mask. |
317 | static inline uint8_t constant_time_lt_8(crypto_word_t a, crypto_word_t b) { |
318 | return (uint8_t)(constant_time_lt_w(a, b)); |
319 | } |
320 | |
321 | // constant_time_ge_w returns 0xff..f if a >= b and 0 otherwise. |
322 | static inline crypto_word_t constant_time_ge_w(crypto_word_t a, |
323 | crypto_word_t b) { |
324 | return ~constant_time_lt_w(a, b); |
325 | } |
326 | |
327 | // constant_time_ge_8 acts like |constant_time_ge_w| but returns an 8-bit |
328 | // mask. |
329 | static inline uint8_t constant_time_ge_8(crypto_word_t a, crypto_word_t b) { |
330 | return (uint8_t)(constant_time_ge_w(a, b)); |
331 | } |
332 | |
333 | // constant_time_is_zero returns 0xff..f if a == 0 and 0 otherwise. |
334 | static inline crypto_word_t constant_time_is_zero_w(crypto_word_t a) { |
335 | // Here is an SMT-LIB verification of this formula: |
336 | // |
337 | // (define-fun is_zero ((a (_ BitVec 32))) (_ BitVec 32) |
338 | // (bvand (bvnot a) (bvsub a #x00000001)) |
339 | // ) |
340 | // |
341 | // (declare-fun a () (_ BitVec 32)) |
342 | // |
343 | // (assert (not (= (= #x00000001 (bvlshr (is_zero a) #x0000001f)) (= a #x00000000)))) |
344 | // (check-sat) |
345 | // (get-model) |
346 | return constant_time_msb_w(~a & (a - 1)); |
347 | } |
348 | |
349 | // constant_time_is_zero_8 acts like |constant_time_is_zero_w| but returns an |
350 | // 8-bit mask. |
351 | static inline uint8_t constant_time_is_zero_8(crypto_word_t a) { |
352 | return (uint8_t)(constant_time_is_zero_w(a)); |
353 | } |
354 | |
355 | // constant_time_eq_w returns 0xff..f if a == b and 0 otherwise. |
356 | static inline crypto_word_t constant_time_eq_w(crypto_word_t a, |
357 | crypto_word_t b) { |
358 | return constant_time_is_zero_w(a ^ b); |
359 | } |
360 | |
361 | // constant_time_eq_8 acts like |constant_time_eq_w| but returns an 8-bit |
362 | // mask. |
363 | static inline uint8_t constant_time_eq_8(crypto_word_t a, crypto_word_t b) { |
364 | return (uint8_t)(constant_time_eq_w(a, b)); |
365 | } |
366 | |
367 | // constant_time_eq_int acts like |constant_time_eq_w| but works on int |
368 | // values. |
369 | static inline crypto_word_t constant_time_eq_int(int a, int b) { |
370 | return constant_time_eq_w((crypto_word_t)(a), (crypto_word_t)(b)); |
371 | } |
372 | |
373 | // constant_time_eq_int_8 acts like |constant_time_eq_int| but returns an 8-bit |
374 | // mask. |
375 | static inline uint8_t constant_time_eq_int_8(int a, int b) { |
376 | return constant_time_eq_8((crypto_word_t)(a), (crypto_word_t)(b)); |
377 | } |
378 | |
379 | // constant_time_select_w returns (mask & a) | (~mask & b). When |mask| is all |
380 | // 1s or all 0s (as returned by the methods above), the select methods return |
381 | // either |a| (if |mask| is nonzero) or |b| (if |mask| is zero). |
382 | static inline crypto_word_t constant_time_select_w(crypto_word_t mask, |
383 | crypto_word_t a, |
384 | crypto_word_t b) { |
385 | // Clang recognizes this pattern as a select. While it usually transforms it |
386 | // to a cmov, it sometimes further transforms it into a branch, which we do |
387 | // not want. |
388 | // |
389 | // Adding barriers to both |mask| and |~mask| breaks the relationship between |
390 | // the two, which makes the compiler stick with bitmasks. |
391 | return (value_barrier_w(mask) & a) | (value_barrier_w(~mask) & b); |
392 | } |
393 | |
394 | // constant_time_select_8 acts like |constant_time_select| but operates on |
395 | // 8-bit values. |
396 | static inline uint8_t constant_time_select_8(uint8_t mask, uint8_t a, |
397 | uint8_t b) { |
398 | return (uint8_t)(constant_time_select_w(mask, a, b)); |
399 | } |
400 | |
401 | // constant_time_select_int acts like |constant_time_select| but operates on |
402 | // ints. |
403 | static inline int constant_time_select_int(crypto_word_t mask, int a, int b) { |
404 | return (int)(constant_time_select_w(mask, (crypto_word_t)(a), |
405 | (crypto_word_t)(b))); |
406 | } |
407 | |
408 | #if defined(BORINGSSL_CONSTANT_TIME_VALIDATION) |
409 | |
410 | // CONSTTIME_SECRET takes a pointer and a number of bytes and marks that region |
411 | // of memory as secret. Secret data is tracked as it flows to registers and |
412 | // other parts of a memory. If secret data is used as a condition for a branch, |
413 | // or as a memory index, it will trigger warnings in valgrind. |
414 | #define CONSTTIME_SECRET(x, y) VALGRIND_MAKE_MEM_UNDEFINED(x, y) |
415 | |
416 | // CONSTTIME_DECLASSIFY takes a pointer and a number of bytes and marks that |
417 | // region of memory as public. Public data is not subject to constant-time |
418 | // rules. |
419 | #define CONSTTIME_DECLASSIFY(x, y) VALGRIND_MAKE_MEM_DEFINED(x, y) |
420 | |
421 | #else |
422 | |
423 | #define CONSTTIME_SECRET(x, y) |
424 | #define CONSTTIME_DECLASSIFY(x, y) |
425 | |
426 | #endif // BORINGSSL_CONSTANT_TIME_VALIDATION |
427 | |
428 | |
429 | // Thread-safe initialisation. |
430 | |
431 | #if !defined(OPENSSL_THREADS) |
432 | typedef uint32_t CRYPTO_once_t; |
433 | #define CRYPTO_ONCE_INIT 0 |
434 | #elif defined(OPENSSL_WINDOWS_THREADS) |
435 | typedef INIT_ONCE CRYPTO_once_t; |
436 | #define CRYPTO_ONCE_INIT INIT_ONCE_STATIC_INIT |
437 | #elif defined(OPENSSL_PTHREADS) |
438 | typedef pthread_once_t CRYPTO_once_t; |
439 | #define CRYPTO_ONCE_INIT PTHREAD_ONCE_INIT |
440 | #else |
441 | #error "Unknown threading library" |
442 | #endif |
443 | |
444 | // CRYPTO_once calls |init| exactly once per process. This is thread-safe: if |
445 | // concurrent threads call |CRYPTO_once| with the same |CRYPTO_once_t| argument |
446 | // then they will block until |init| completes, but |init| will have only been |
447 | // called once. |
448 | // |
449 | // The |once| argument must be a |CRYPTO_once_t| that has been initialised with |
450 | // the value |CRYPTO_ONCE_INIT|. |
451 | OPENSSL_EXPORT void CRYPTO_once(CRYPTO_once_t *once, void (*init)(void)); |
452 | |
453 | |
454 | // Reference counting. |
455 | |
456 | // CRYPTO_REFCOUNT_MAX is the value at which the reference count saturates. |
457 | #define CRYPTO_REFCOUNT_MAX 0xffffffff |
458 | |
459 | // CRYPTO_refcount_inc atomically increments the value at |*count| unless the |
460 | // value would overflow. It's safe for multiple threads to concurrently call |
461 | // this or |CRYPTO_refcount_dec_and_test_zero| on the same |
462 | // |CRYPTO_refcount_t|. |
463 | OPENSSL_EXPORT void CRYPTO_refcount_inc(CRYPTO_refcount_t *count); |
464 | |
465 | // CRYPTO_refcount_dec_and_test_zero tests the value at |*count|: |
466 | // if it's zero, it crashes the address space. |
467 | // if it's the maximum value, it returns zero. |
468 | // otherwise, it atomically decrements it and returns one iff the resulting |
469 | // value is zero. |
470 | // |
471 | // It's safe for multiple threads to concurrently call this or |
472 | // |CRYPTO_refcount_inc| on the same |CRYPTO_refcount_t|. |
473 | OPENSSL_EXPORT int CRYPTO_refcount_dec_and_test_zero(CRYPTO_refcount_t *count); |
474 | |
475 | |
476 | // Locks. |
477 | // |
478 | // Two types of locks are defined: |CRYPTO_MUTEX|, which can be used in |
479 | // structures as normal, and |struct CRYPTO_STATIC_MUTEX|, which can be used as |
480 | // a global lock. A global lock must be initialised to the value |
481 | // |CRYPTO_STATIC_MUTEX_INIT|. |
482 | // |
483 | // |CRYPTO_MUTEX| can appear in public structures and so is defined in |
484 | // thread.h as a structure large enough to fit the real type. The global lock is |
485 | // a different type so it may be initialized with platform initializer macros. |
486 | |
487 | #if !defined(OPENSSL_THREADS) |
488 | struct CRYPTO_STATIC_MUTEX { |
489 | char padding; // Empty structs have different sizes in C and C++. |
490 | }; |
491 | #define CRYPTO_STATIC_MUTEX_INIT { 0 } |
492 | #elif defined(OPENSSL_WINDOWS_THREADS) |
493 | struct CRYPTO_STATIC_MUTEX { |
494 | SRWLOCK lock; |
495 | }; |
496 | #define CRYPTO_STATIC_MUTEX_INIT { SRWLOCK_INIT } |
497 | #elif defined(OPENSSL_PTHREADS) |
498 | struct CRYPTO_STATIC_MUTEX { |
499 | pthread_rwlock_t lock; |
500 | }; |
501 | #define CRYPTO_STATIC_MUTEX_INIT { PTHREAD_RWLOCK_INITIALIZER } |
502 | #else |
503 | #error "Unknown threading library" |
504 | #endif |
505 | |
506 | // CRYPTO_MUTEX_init initialises |lock|. If |lock| is a static variable, use a |
507 | // |CRYPTO_STATIC_MUTEX|. |
508 | OPENSSL_EXPORT void CRYPTO_MUTEX_init(CRYPTO_MUTEX *lock); |
509 | |
510 | // CRYPTO_MUTEX_lock_read locks |lock| such that other threads may also have a |
511 | // read lock, but none may have a write lock. |
512 | OPENSSL_EXPORT void CRYPTO_MUTEX_lock_read(CRYPTO_MUTEX *lock); |
513 | |
514 | // CRYPTO_MUTEX_lock_write locks |lock| such that no other thread has any type |
515 | // of lock on it. |
516 | OPENSSL_EXPORT void CRYPTO_MUTEX_lock_write(CRYPTO_MUTEX *lock); |
517 | |
518 | // CRYPTO_MUTEX_unlock_read unlocks |lock| for reading. |
519 | OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_read(CRYPTO_MUTEX *lock); |
520 | |
521 | // CRYPTO_MUTEX_unlock_write unlocks |lock| for writing. |
522 | OPENSSL_EXPORT void CRYPTO_MUTEX_unlock_write(CRYPTO_MUTEX *lock); |
523 | |
524 | // CRYPTO_MUTEX_cleanup releases all resources held by |lock|. |
525 | OPENSSL_EXPORT void CRYPTO_MUTEX_cleanup(CRYPTO_MUTEX *lock); |
526 | |
527 | // CRYPTO_STATIC_MUTEX_lock_read locks |lock| such that other threads may also |
528 | // have a read lock, but none may have a write lock. The |lock| variable does |
529 | // not need to be initialised by any function, but must have been statically |
530 | // initialised with |CRYPTO_STATIC_MUTEX_INIT|. |
531 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_read( |
532 | struct CRYPTO_STATIC_MUTEX *lock); |
533 | |
534 | // CRYPTO_STATIC_MUTEX_lock_write locks |lock| such that no other thread has |
535 | // any type of lock on it. The |lock| variable does not need to be initialised |
536 | // by any function, but must have been statically initialised with |
537 | // |CRYPTO_STATIC_MUTEX_INIT|. |
538 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_lock_write( |
539 | struct CRYPTO_STATIC_MUTEX *lock); |
540 | |
541 | // CRYPTO_STATIC_MUTEX_unlock_read unlocks |lock| for reading. |
542 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_read( |
543 | struct CRYPTO_STATIC_MUTEX *lock); |
544 | |
545 | // CRYPTO_STATIC_MUTEX_unlock_write unlocks |lock| for writing. |
546 | OPENSSL_EXPORT void CRYPTO_STATIC_MUTEX_unlock_write( |
547 | struct CRYPTO_STATIC_MUTEX *lock); |
548 | |
549 | #if defined(__cplusplus) |
550 | extern "C++" { |
551 | |
552 | BSSL_NAMESPACE_BEGIN |
553 | |
554 | namespace internal { |
555 | |
556 | // MutexLockBase is a RAII helper for CRYPTO_MUTEX locking. |
557 | template <void (*LockFunc)(CRYPTO_MUTEX *), void (*ReleaseFunc)(CRYPTO_MUTEX *)> |
558 | class MutexLockBase { |
559 | public: |
560 | explicit MutexLockBase(CRYPTO_MUTEX *mu) : mu_(mu) { |
561 | assert(mu_ != nullptr); |
562 | LockFunc(mu_); |
563 | } |
564 | ~MutexLockBase() { ReleaseFunc(mu_); } |
565 | MutexLockBase(const MutexLockBase<LockFunc, ReleaseFunc> &) = delete; |
566 | MutexLockBase &operator=(const MutexLockBase<LockFunc, ReleaseFunc> &) = |
567 | delete; |
568 | |
569 | private: |
570 | CRYPTO_MUTEX *const mu_; |
571 | }; |
572 | |
573 | } // namespace internal |
574 | |
575 | using MutexWriteLock = |
576 | internal::MutexLockBase<CRYPTO_MUTEX_lock_write, CRYPTO_MUTEX_unlock_write>; |
577 | using MutexReadLock = |
578 | internal::MutexLockBase<CRYPTO_MUTEX_lock_read, CRYPTO_MUTEX_unlock_read>; |
579 | |
580 | BSSL_NAMESPACE_END |
581 | |
582 | } // extern "C++" |
583 | #endif // defined(__cplusplus) |
584 | |
585 | |
586 | // Thread local storage. |
587 | |
588 | // thread_local_data_t enumerates the types of thread-local data that can be |
589 | // stored. |
590 | typedef enum { |
591 | OPENSSL_THREAD_LOCAL_ERR = 0, |
592 | OPENSSL_THREAD_LOCAL_RAND, |
593 | OPENSSL_THREAD_LOCAL_TEST, |
594 | NUM_OPENSSL_THREAD_LOCALS, |
595 | } thread_local_data_t; |
596 | |
597 | // thread_local_destructor_t is the type of a destructor function that will be |
598 | // called when a thread exits and its thread-local storage needs to be freed. |
599 | typedef void (*thread_local_destructor_t)(void *); |
600 | |
601 | // CRYPTO_get_thread_local gets the pointer value that is stored for the |
602 | // current thread for the given index, or NULL if none has been set. |
603 | OPENSSL_EXPORT void *CRYPTO_get_thread_local(thread_local_data_t value); |
604 | |
605 | // CRYPTO_set_thread_local sets a pointer value for the current thread at the |
606 | // given index. This function should only be called once per thread for a given |
607 | // |index|: rather than update the pointer value itself, update the data that |
608 | // is pointed to. |
609 | // |
610 | // The destructor function will be called when a thread exits to free this |
611 | // thread-local data. All calls to |CRYPTO_set_thread_local| with the same |
612 | // |index| should have the same |destructor| argument. The destructor may be |
613 | // called with a NULL argument if a thread that never set a thread-local |
614 | // pointer for |index|, exits. The destructor may be called concurrently with |
615 | // different arguments. |
616 | // |
617 | // This function returns one on success or zero on error. If it returns zero |
618 | // then |destructor| has been called with |value| already. |
619 | OPENSSL_EXPORT int CRYPTO_set_thread_local( |
620 | thread_local_data_t index, void *value, |
621 | thread_local_destructor_t destructor); |
622 | |
623 | |
624 | // ex_data |
625 | |
626 | typedef struct crypto_ex_data_func_st CRYPTO_EX_DATA_FUNCS; |
627 | |
628 | DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS) |
629 | |
630 | // CRYPTO_EX_DATA_CLASS tracks the ex_indices registered for a type which |
631 | // supports ex_data. It should defined as a static global within the module |
632 | // which defines that type. |
633 | typedef struct { |
634 | struct CRYPTO_STATIC_MUTEX lock; |
635 | STACK_OF(CRYPTO_EX_DATA_FUNCS) *meth; |
636 | // num_reserved is one if the ex_data index zero is reserved for legacy |
637 | // |TYPE_get_app_data| functions. |
638 | uint8_t num_reserved; |
639 | } CRYPTO_EX_DATA_CLASS; |
640 | |
641 | #define CRYPTO_EX_DATA_CLASS_INIT {CRYPTO_STATIC_MUTEX_INIT, NULL, 0} |
642 | #define CRYPTO_EX_DATA_CLASS_INIT_WITH_APP_DATA \ |
643 | {CRYPTO_STATIC_MUTEX_INIT, NULL, 1} |
644 | |
645 | // CRYPTO_get_ex_new_index allocates a new index for |ex_data_class| and writes |
646 | // it to |*out_index|. Each class of object should provide a wrapper function |
647 | // that uses the correct |CRYPTO_EX_DATA_CLASS|. It returns one on success and |
648 | // zero otherwise. |
649 | OPENSSL_EXPORT int CRYPTO_get_ex_new_index(CRYPTO_EX_DATA_CLASS *ex_data_class, |
650 | int *out_index, long argl, |
651 | void *argp, |
652 | CRYPTO_EX_free *free_func); |
653 | |
654 | // CRYPTO_set_ex_data sets an extra data pointer on a given object. Each class |
655 | // of object should provide a wrapper function. |
656 | OPENSSL_EXPORT int CRYPTO_set_ex_data(CRYPTO_EX_DATA *ad, int index, void *val); |
657 | |
658 | // CRYPTO_get_ex_data returns an extra data pointer for a given object, or NULL |
659 | // if no such index exists. Each class of object should provide a wrapper |
660 | // function. |
661 | OPENSSL_EXPORT void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int index); |
662 | |
663 | // CRYPTO_new_ex_data initialises a newly allocated |CRYPTO_EX_DATA|. |
664 | OPENSSL_EXPORT void CRYPTO_new_ex_data(CRYPTO_EX_DATA *ad); |
665 | |
666 | // CRYPTO_free_ex_data frees |ad|, which is embedded inside |obj|, which is an |
667 | // object of the given class. |
668 | OPENSSL_EXPORT void CRYPTO_free_ex_data(CRYPTO_EX_DATA_CLASS *ex_data_class, |
669 | void *obj, CRYPTO_EX_DATA *ad); |
670 | |
671 | |
672 | // Endianness conversions. |
673 | |
674 | #if defined(__GNUC__) && __GNUC__ >= 2 |
675 | static inline uint32_t CRYPTO_bswap4(uint32_t x) { |
676 | return __builtin_bswap32(x); |
677 | } |
678 | |
679 | static inline uint64_t CRYPTO_bswap8(uint64_t x) { |
680 | return __builtin_bswap64(x); |
681 | } |
682 | #elif defined(_MSC_VER) |
683 | OPENSSL_MSVC_PRAGMA(warning(push, 3)) |
684 | #include <stdlib.h> |
685 | OPENSSL_MSVC_PRAGMA(warning(pop)) |
686 | #pragma intrinsic(_byteswap_uint64, _byteswap_ulong) |
687 | static inline uint32_t CRYPTO_bswap4(uint32_t x) { |
688 | return _byteswap_ulong(x); |
689 | } |
690 | |
691 | static inline uint64_t CRYPTO_bswap8(uint64_t x) { |
692 | return _byteswap_uint64(x); |
693 | } |
694 | #else |
695 | static inline uint32_t CRYPTO_bswap4(uint32_t x) { |
696 | x = (x >> 16) | (x << 16); |
697 | x = ((x & 0xff00ff00) >> 8) | ((x & 0x00ff00ff) << 8); |
698 | return x; |
699 | } |
700 | |
701 | static inline uint64_t CRYPTO_bswap8(uint64_t x) { |
702 | return CRYPTO_bswap4(x >> 32) | (((uint64_t)CRYPTO_bswap4(x)) << 32); |
703 | } |
704 | #endif |
705 | |
706 | |
707 | // Language bug workarounds. |
708 | // |
709 | // Most C standard library functions are undefined if passed NULL, even when the |
710 | // corresponding length is zero. This gives them (and, in turn, all functions |
711 | // which call them) surprising behavior on empty arrays. Some compilers will |
712 | // miscompile code due to this rule. See also |
713 | // https://www.imperialviolet.org/2016/06/26/nonnull.html |
714 | // |
715 | // These wrapper functions behave the same as the corresponding C standard |
716 | // functions, but behave as expected when passed NULL if the length is zero. |
717 | // |
718 | // Note |OPENSSL_memcmp| is a different function from |CRYPTO_memcmp|. |
719 | |
720 | // C++ defines |memchr| as a const-correct overload. |
721 | #if defined(__cplusplus) |
722 | extern "C++" { |
723 | |
724 | static inline const void *OPENSSL_memchr(const void *s, int c, size_t n) { |
725 | if (n == 0) { |
726 | return NULL; |
727 | } |
728 | |
729 | return memchr(s, c, n); |
730 | } |
731 | |
732 | static inline void *OPENSSL_memchr(void *s, int c, size_t n) { |
733 | if (n == 0) { |
734 | return NULL; |
735 | } |
736 | |
737 | return memchr(s, c, n); |
738 | } |
739 | |
740 | } // extern "C++" |
741 | #else // __cplusplus |
742 | |
743 | static inline void *OPENSSL_memchr(const void *s, int c, size_t n) { |
744 | if (n == 0) { |
745 | return NULL; |
746 | } |
747 | |
748 | return memchr(s, c, n); |
749 | } |
750 | |
751 | #endif // __cplusplus |
752 | |
753 | static inline int OPENSSL_memcmp(const void *s1, const void *s2, size_t n) { |
754 | if (n == 0) { |
755 | return 0; |
756 | } |
757 | |
758 | return memcmp(s1, s2, n); |
759 | } |
760 | |
761 | static inline void *OPENSSL_memcpy(void *dst, const void *src, size_t n) { |
762 | if (n == 0) { |
763 | return dst; |
764 | } |
765 | |
766 | return memcpy(dst, src, n); |
767 | } |
768 | |
769 | static inline void *OPENSSL_memmove(void *dst, const void *src, size_t n) { |
770 | if (n == 0) { |
771 | return dst; |
772 | } |
773 | |
774 | return memmove(dst, src, n); |
775 | } |
776 | |
777 | static inline void *OPENSSL_memset(void *dst, int c, size_t n) { |
778 | if (n == 0) { |
779 | return dst; |
780 | } |
781 | |
782 | return memset(dst, c, n); |
783 | } |
784 | |
785 | #if defined(BORINGSSL_FIPS) |
786 | // BORINGSSL_FIPS_abort is called when a FIPS power-on or continuous test |
787 | // fails. It prevents any further cryptographic operations by the current |
788 | // process. |
789 | void BORINGSSL_FIPS_abort(void) __attribute__((noreturn)); |
790 | #endif |
791 | |
792 | #if defined(__cplusplus) |
793 | } // extern C |
794 | #endif |
795 | |
796 | #endif // OPENSSL_HEADER_CRYPTO_INTERNAL_H |
797 | |