aboutsummaryrefslogtreecommitdiffstats
path: root/contrib/restricted/aws/s2n/crypto
diff options
context:
space:
mode:
authorrobot-contrib <robot-contrib@yandex-team.com>2022-12-29 11:19:28 +0300
committerrobot-contrib <robot-contrib@yandex-team.com>2022-12-29 11:19:28 +0300
commitfed8d432668e1993b6d0d429398d65aa40f3f5fe (patch)
tree5b837c62d01f3fcdafb6a31ae4914f530053c5b9 /contrib/restricted/aws/s2n/crypto
parentd6e1a495bd3ea25012ef907b23327e085f36be1c (diff)
downloadydb-fed8d432668e1993b6d0d429398d65aa40f3f5fe.tar.gz
Update contrib/restricted/aws/s2n to 1.3.31
Diffstat (limited to 'contrib/restricted/aws/s2n/crypto')
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c46
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_chacha20_poly1305.c20
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_3des.c14
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_aes.c22
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_certificate.c122
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_certificate.h3
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_cipher.c3
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_cipher.h48
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c145
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_crypto.c9
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_crypto.h7
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_dhe.c52
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_dhe.h1
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_drbg.c28
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_drbg.h9
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.c163
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.h36
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_ecdsa.c40
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_ecdsa.h6
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_evp.c1
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_evp.h16
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_evp_signing.c7
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_evp_signing.h1
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_fips.c9
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hash.c261
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hash.h25
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hkdf.c25
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hkdf.h9
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hmac.c2
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_hmac.h2
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_libcrypto.c36
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_locking.c7
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_openssl.h24
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.c3
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.h4
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_pkey.c111
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_pkey.h5
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_rsa.c51
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_rsa.h6
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.c20
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.h14
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.c63
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.h7
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_sequence.c6
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_sequence.h1
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_signature.h7
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_null.c10
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_rc4.c7
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.c24
-rw-r--r--contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.h5
50 files changed, 769 insertions, 774 deletions
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c
index 395c500994..0dde774d89 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_aes_gcm.c
@@ -17,14 +17,12 @@
#include <openssl/evp.h>
#include "crypto/s2n_cipher.h"
-
#include "tls/s2n_crypto.h"
-
-#include "utils/s2n_safety.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-#define S2N_AEAD_AES_GCM_AVAILABLE
+ #define S2N_AEAD_AES_GCM_AVAILABLE
#endif
static uint8_t s2n_aead_cipher_aes128_gcm_available()
@@ -382,11 +380,11 @@ const struct s2n_cipher s2n_aes128_gcm = {
.key_material_size = S2N_TLS_AES_128_GCM_KEY_LEN,
.type = S2N_AEAD,
.io.aead = {
- .record_iv_size = S2N_TLS_GCM_EXPLICIT_IV_LEN,
- .fixed_iv_size = S2N_TLS_GCM_FIXED_IV_LEN,
- .tag_size = S2N_TLS_GCM_TAG_LEN,
- .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
- .encrypt = s2n_aead_cipher_aes_gcm_encrypt},
+ .record_iv_size = S2N_TLS_GCM_EXPLICIT_IV_LEN,
+ .fixed_iv_size = S2N_TLS_GCM_FIXED_IV_LEN,
+ .tag_size = S2N_TLS_GCM_TAG_LEN,
+ .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
+ .encrypt = s2n_aead_cipher_aes_gcm_encrypt },
.is_available = s2n_aead_cipher_aes128_gcm_available,
.init = s2n_aead_cipher_aes_gcm_init,
.set_encryption_key = s2n_aead_cipher_aes128_gcm_set_encryption_key,
@@ -398,11 +396,11 @@ const struct s2n_cipher s2n_aes256_gcm = {
.key_material_size = S2N_TLS_AES_256_GCM_KEY_LEN,
.type = S2N_AEAD,
.io.aead = {
- .record_iv_size = S2N_TLS_GCM_EXPLICIT_IV_LEN,
- .fixed_iv_size = S2N_TLS_GCM_FIXED_IV_LEN,
- .tag_size = S2N_TLS_GCM_TAG_LEN,
- .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
- .encrypt = s2n_aead_cipher_aes_gcm_encrypt},
+ .record_iv_size = S2N_TLS_GCM_EXPLICIT_IV_LEN,
+ .fixed_iv_size = S2N_TLS_GCM_FIXED_IV_LEN,
+ .tag_size = S2N_TLS_GCM_TAG_LEN,
+ .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
+ .encrypt = s2n_aead_cipher_aes_gcm_encrypt },
.is_available = s2n_aead_cipher_aes256_gcm_available,
.init = s2n_aead_cipher_aes_gcm_init,
.set_encryption_key = s2n_aead_cipher_aes256_gcm_set_encryption_key,
@@ -415,11 +413,11 @@ const struct s2n_cipher s2n_tls13_aes128_gcm = {
.key_material_size = S2N_TLS_AES_128_GCM_KEY_LEN,
.type = S2N_AEAD,
.io.aead = {
- .record_iv_size = S2N_TLS13_RECORD_IV_LEN,
- .fixed_iv_size = S2N_TLS13_FIXED_IV_LEN,
- .tag_size = S2N_TLS_GCM_TAG_LEN,
- .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
- .encrypt = s2n_aead_cipher_aes_gcm_encrypt},
+ .record_iv_size = S2N_TLS13_RECORD_IV_LEN,
+ .fixed_iv_size = S2N_TLS13_FIXED_IV_LEN,
+ .tag_size = S2N_TLS_GCM_TAG_LEN,
+ .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
+ .encrypt = s2n_aead_cipher_aes_gcm_encrypt },
.is_available = s2n_aead_cipher_aes128_gcm_available,
.init = s2n_aead_cipher_aes_gcm_init,
.set_encryption_key = s2n_aead_cipher_aes128_gcm_set_encryption_key_tls13,
@@ -431,11 +429,11 @@ const struct s2n_cipher s2n_tls13_aes256_gcm = {
.key_material_size = S2N_TLS_AES_256_GCM_KEY_LEN,
.type = S2N_AEAD,
.io.aead = {
- .record_iv_size = S2N_TLS13_RECORD_IV_LEN,
- .fixed_iv_size = S2N_TLS13_FIXED_IV_LEN,
- .tag_size = S2N_TLS_GCM_TAG_LEN,
- .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
- .encrypt = s2n_aead_cipher_aes_gcm_encrypt},
+ .record_iv_size = S2N_TLS13_RECORD_IV_LEN,
+ .fixed_iv_size = S2N_TLS13_FIXED_IV_LEN,
+ .tag_size = S2N_TLS_GCM_TAG_LEN,
+ .decrypt = s2n_aead_cipher_aes_gcm_decrypt,
+ .encrypt = s2n_aead_cipher_aes_gcm_encrypt },
.is_available = s2n_aead_cipher_aes256_gcm_available,
.init = s2n_aead_cipher_aes_gcm_init,
.set_encryption_key = s2n_aead_cipher_aes256_gcm_set_encryption_key_tls13,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_chacha20_poly1305.c b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_chacha20_poly1305.c
index 0a119baac6..55f12908f1 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_chacha20_poly1305.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_aead_cipher_chacha20_poly1305.c
@@ -17,11 +17,9 @@
#include "crypto/s2n_cipher.h"
#include "crypto/s2n_openssl.h"
-
#include "tls/s2n_crypto.h"
-
-#include "utils/s2n_safety.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
/* We support two different backing implementations of ChaCha20-Poly1305: one
* implementation for OpenSSL (>= 1.1.0, see
@@ -31,9 +29,9 @@
* Note, the order in the if/elif below matters because both BoringSSL and
* AWS-LC define OPENSSL_VERSION_NUMBER. */
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-#define S2N_CHACHA20_POLY1305_AVAILABLE_BSSL_AWSLC
-#elif (S2N_OPENSSL_VERSION_AT_LEAST(1,1,0) && !defined(LIBRESSL_VERSION_NUMBER))
-#define S2N_CHACHA20_POLY1305_AVAILABLE_OSSL
+ #define S2N_CHACHA20_POLY1305_AVAILABLE_BSSL_AWSLC
+#elif (S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0) && !defined(LIBRESSL_VERSION_NUMBER))
+ #define S2N_CHACHA20_POLY1305_AVAILABLE_OSSL
#endif
static uint8_t s2n_aead_chacha20_poly1305_available(void)
@@ -266,11 +264,11 @@ const struct s2n_cipher s2n_chacha20_poly1305 = {
.key_material_size = S2N_TLS_CHACHA20_POLY1305_KEY_LEN,
.type = S2N_AEAD,
.io.aead = {
- .record_iv_size = S2N_TLS_CHACHA20_POLY1305_EXPLICIT_IV_LEN,
- .fixed_iv_size = S2N_TLS_CHACHA20_POLY1305_FIXED_IV_LEN,
- .tag_size = S2N_TLS_CHACHA20_POLY1305_TAG_LEN,
- .decrypt = s2n_aead_chacha20_poly1305_decrypt,
- .encrypt = s2n_aead_chacha20_poly1305_encrypt},
+ .record_iv_size = S2N_TLS_CHACHA20_POLY1305_EXPLICIT_IV_LEN,
+ .fixed_iv_size = S2N_TLS_CHACHA20_POLY1305_FIXED_IV_LEN,
+ .tag_size = S2N_TLS_CHACHA20_POLY1305_TAG_LEN,
+ .decrypt = s2n_aead_chacha20_poly1305_decrypt,
+ .encrypt = s2n_aead_chacha20_poly1305_encrypt },
.is_available = s2n_aead_chacha20_poly1305_available,
.init = s2n_aead_chacha20_poly1305_init,
.set_encryption_key = s2n_aead_chacha20_poly1305_set_encryption_key,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_3des.c b/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_3des.c
index f90d116f01..96914c0a13 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_3des.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_3des.c
@@ -15,13 +15,11 @@
#include <openssl/evp.h>
-#include "error/s2n_errno.h"
-
#include "crypto/s2n_cipher.h"
#include "crypto/s2n_openssl.h"
-
-#include "utils/s2n_safety.h"
+#include "error/s2n_errno.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
static uint8_t s2n_cbc_cipher_3des_available()
{
@@ -94,10 +92,10 @@ const struct s2n_cipher s2n_3des = {
.key_material_size = 24,
.type = S2N_CBC,
.io.cbc = {
- .block_size = 8,
- .record_iv_size = 8,
- .decrypt = s2n_cbc_cipher_3des_decrypt,
- .encrypt = s2n_cbc_cipher_3des_encrypt},
+ .block_size = 8,
+ .record_iv_size = 8,
+ .decrypt = s2n_cbc_cipher_3des_decrypt,
+ .encrypt = s2n_cbc_cipher_3des_encrypt },
.is_available = s2n_cbc_cipher_3des_available,
.init = s2n_cbc_cipher_3des_init,
.set_decryption_key = s2n_cbc_cipher_3des_set_decryption_key,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_aes.c b/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_aes.c
index 489a0e329f..892dea59c6 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_aes.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_cbc_cipher_aes.c
@@ -15,13 +15,11 @@
#include <openssl/aes.h>
-#include "error/s2n_errno.h"
-
#include "crypto/s2n_cipher.h"
#include "crypto/s2n_openssl.h"
-
-#include "utils/s2n_safety.h"
+#include "error/s2n_errno.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
static uint8_t s2n_cbc_cipher_aes128_available()
{
@@ -120,10 +118,10 @@ const struct s2n_cipher s2n_aes128 = {
.key_material_size = 16,
.type = S2N_CBC,
.io.cbc = {
- .block_size = 16,
- .record_iv_size = 16,
- .decrypt = s2n_cbc_cipher_aes_decrypt,
- .encrypt = s2n_cbc_cipher_aes_encrypt},
+ .block_size = 16,
+ .record_iv_size = 16,
+ .decrypt = s2n_cbc_cipher_aes_decrypt,
+ .encrypt = s2n_cbc_cipher_aes_encrypt },
.is_available = s2n_cbc_cipher_aes128_available,
.init = s2n_cbc_cipher_aes_init,
.set_decryption_key = s2n_cbc_cipher_aes128_set_decryption_key,
@@ -135,10 +133,10 @@ const struct s2n_cipher s2n_aes256 = {
.key_material_size = 32,
.type = S2N_CBC,
.io.cbc = {
- .block_size = 16,
- .record_iv_size = 16,
- .decrypt = s2n_cbc_cipher_aes_decrypt,
- .encrypt = s2n_cbc_cipher_aes_encrypt},
+ .block_size = 16,
+ .record_iv_size = 16,
+ .decrypt = s2n_cbc_cipher_aes_decrypt,
+ .encrypt = s2n_cbc_cipher_aes_encrypt },
.is_available = s2n_cbc_cipher_aes256_available,
.init = s2n_cbc_cipher_aes_init,
.set_decryption_key = s2n_cbc_cipher_aes256_set_decryption_key,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_certificate.c b/contrib/restricted/aws/s2n/crypto/s2n_certificate.c
index 9e3f4bc551..baeee2dc64 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_certificate.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_certificate.c
@@ -14,23 +14,23 @@
*/
#ifndef _GNU_SOURCE
-# define _GNU_SOURCE
+ #define _GNU_SOURCE
#endif
-#include "api/s2n.h"
-#include <openssl/x509v3.h>
+#include "crypto/s2n_certificate.h"
+
#include <openssl/pem.h>
+#include <openssl/x509v3.h>
#include <string.h>
#include <strings.h>
-#include "crypto/s2n_certificate.h"
+#include "api/s2n.h"
#include "crypto/s2n_openssl_x509.h"
-#include "utils/s2n_array.h"
-#include "utils/s2n_safety.h"
-#include "utils/s2n_mem.h"
-
#include "tls/extensions/s2n_extension_list.h"
#include "tls/s2n_connection.h"
+#include "utils/s2n_array.h"
+#include "utils/s2n_mem.h"
+#include "utils/s2n_safety.h"
int s2n_cert_set_cert_type(struct s2n_cert *cert, s2n_pkey_type pkey_type)
{
@@ -42,7 +42,7 @@ int s2n_cert_set_cert_type(struct s2n_cert *cert, s2n_pkey_type pkey_type)
int s2n_create_cert_chain_from_stuffer(struct s2n_cert_chain *cert_chain_out, struct s2n_stuffer *chain_in_stuffer)
{
- DEFER_CLEANUP(struct s2n_stuffer cert_out_stuffer = {0}, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer cert_out_stuffer = { 0 }, s2n_stuffer_free);
POSIX_GUARD(s2n_stuffer_growable_alloc(&cert_out_stuffer, 2048));
struct s2n_cert **insert = &cert_chain_out->head;
@@ -56,9 +56,9 @@ int s2n_create_cert_chain_from_stuffer(struct s2n_cert_chain *cert_chain_out, st
}
break;
}
- struct s2n_blob mem = {0};
+ struct s2n_blob mem = { 0 };
POSIX_GUARD(s2n_alloc(&mem, sizeof(struct s2n_cert)));
- new_node = (struct s2n_cert *)(void *)mem.data;
+ new_node = (struct s2n_cert *) (void *) mem.data;
if (s2n_alloc(&new_node->raw, s2n_stuffer_data_available(&cert_out_stuffer)) != S2N_SUCCESS) {
POSIX_GUARD(s2n_free(&mem));
@@ -94,7 +94,7 @@ int s2n_cert_chain_and_key_set_cert_chain_from_stuffer(struct s2n_cert_chain_and
int s2n_cert_chain_and_key_set_cert_chain_bytes(struct s2n_cert_chain_and_key *cert_and_key, uint8_t *cert_chain_pem, uint32_t cert_chain_len)
{
- DEFER_CLEANUP(struct s2n_stuffer chain_in_stuffer = {0}, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer chain_in_stuffer = { 0 }, s2n_stuffer_free);
POSIX_GUARD(s2n_stuffer_init_ro_from_string(&chain_in_stuffer, cert_chain_pem, cert_chain_len));
POSIX_GUARD(s2n_cert_chain_and_key_set_cert_chain_from_stuffer(cert_and_key, &chain_in_stuffer));
@@ -104,7 +104,7 @@ int s2n_cert_chain_and_key_set_cert_chain_bytes(struct s2n_cert_chain_and_key *c
int s2n_cert_chain_and_key_set_cert_chain(struct s2n_cert_chain_and_key *cert_and_key, const char *cert_chain_pem)
{
- DEFER_CLEANUP(struct s2n_stuffer chain_in_stuffer = {0}, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer chain_in_stuffer = { 0 }, s2n_stuffer_free);
/* Turn the chain into a stuffer */
POSIX_GUARD(s2n_stuffer_alloc_ro_from_string(&chain_in_stuffer, cert_chain_pem));
@@ -115,7 +115,7 @@ int s2n_cert_chain_and_key_set_cert_chain(struct s2n_cert_chain_and_key *cert_an
int s2n_cert_chain_and_key_set_private_key_from_stuffer(struct s2n_cert_chain_and_key *cert_and_key, struct s2n_stuffer *key_in_stuffer, struct s2n_stuffer *key_out_stuffer)
{
- struct s2n_blob key_blob = {0};
+ struct s2n_blob key_blob = { 0 };
POSIX_GUARD(s2n_pkey_zero_init(cert_and_key->private_key));
@@ -133,8 +133,8 @@ int s2n_cert_chain_and_key_set_private_key_from_stuffer(struct s2n_cert_chain_an
int s2n_cert_chain_and_key_set_private_key_bytes(struct s2n_cert_chain_and_key *cert_and_key, uint8_t *private_key_pem, uint32_t private_key_len)
{
- DEFER_CLEANUP(struct s2n_stuffer key_in_stuffer = {0}, s2n_stuffer_free);
- DEFER_CLEANUP(struct s2n_stuffer key_out_stuffer = {0}, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer key_in_stuffer = { 0 }, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer key_out_stuffer = { 0 }, s2n_stuffer_free);
/* Put the private key pem in a stuffer */
POSIX_GUARD(s2n_stuffer_init_ro_from_string(&key_in_stuffer, private_key_pem, private_key_len));
@@ -149,8 +149,8 @@ int s2n_cert_chain_and_key_set_private_key(struct s2n_cert_chain_and_key *cert_a
{
POSIX_ENSURE_REF(private_key_pem);
- DEFER_CLEANUP(struct s2n_stuffer key_in_stuffer = {0}, s2n_stuffer_free);
- DEFER_CLEANUP(struct s2n_stuffer key_out_stuffer = {0}, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer key_in_stuffer = { 0 }, s2n_stuffer_free);
+ DEFER_CLEANUP(struct s2n_stuffer key_out_stuffer = { 0 }, s2n_stuffer_free);
/* Put the private key pem in a stuffer */
POSIX_GUARD(s2n_stuffer_alloc_ro_from_string(&key_in_stuffer, private_key_pem));
@@ -205,9 +205,9 @@ struct s2n_cert_chain_and_key *s2n_cert_chain_and_key_new(void)
san_names = s2n_array_new(sizeof(struct s2n_blob));
PTR_ENSURE_REF(san_names);
- struct s2n_cert_chain_and_key *chain_and_key = (struct s2n_cert_chain_and_key *)(void *)chain_and_key_mem.data;
- chain_and_key->cert_chain = (struct s2n_cert_chain *)(void *)cert_chain_mem.data;
- chain_and_key->private_key = (s2n_cert_private_key *)(void *)pkey_mem.data;
+ struct s2n_cert_chain_and_key *chain_and_key = (struct s2n_cert_chain_and_key *) (void *) chain_and_key_mem.data;
+ chain_and_key->cert_chain = (struct s2n_cert_chain *) (void *) cert_chain_mem.data;
+ chain_and_key->private_key = (s2n_cert_private_key *) (void *) pkey_mem.data;
chain_and_key->cn_names = cn_names;
chain_and_key->san_names = san_names;
@@ -243,7 +243,7 @@ int s2n_cert_chain_and_key_load_sans(struct s2n_cert_chain_and_key *chain_and_ke
unsigned char *san_str = san_name->d.dNSName->data;
const size_t san_str_len = san_name->d.dNSName->length;
struct s2n_blob *san_blob = NULL;
- POSIX_GUARD_RESULT(s2n_array_pushback(chain_and_key->san_names, (void **)&san_blob));
+ POSIX_GUARD_RESULT(s2n_array_pushback(chain_and_key->san_names, (void **) &san_blob));
if (!san_blob) {
POSIX_BAIL(S2N_ERR_NULL_SANS);
}
@@ -283,7 +283,7 @@ int s2n_cert_chain_and_key_load_cns(struct s2n_cert_chain_and_key *chain_and_key
}
int lastpos = -1;
- while((lastpos = X509_NAME_get_index_by_NID(subject, NID_commonName, lastpos)) >= 0) {
+ while ((lastpos = X509_NAME_get_index_by_NID(subject, NID_commonName, lastpos)) >= 0) {
X509_NAME_ENTRY *name_entry = X509_NAME_get_entry(subject, lastpos);
if (!name_entry) {
continue;
@@ -308,7 +308,7 @@ int s2n_cert_chain_and_key_load_cns(struct s2n_cert_chain_and_key *chain_and_key
OPENSSL_free(utf8_str);
} else {
struct s2n_blob *cn_name = NULL;
- POSIX_GUARD_RESULT(s2n_array_pushback(chain_and_key->cn_names, (void **)&cn_name));
+ POSIX_GUARD_RESULT(s2n_array_pushback(chain_and_key->cn_names, (void **) &cn_name));
if (cn_name == NULL) {
POSIX_BAIL(S2N_ERR_NULL_CN_NAME);
}
@@ -354,7 +354,7 @@ int s2n_cert_chain_and_key_load(struct s2n_cert_chain_and_key *chain_and_key)
struct s2n_cert *head = chain_and_key->cert_chain->head;
/* Parse the leaf cert for the public key and certificate type */
- DEFER_CLEANUP(struct s2n_pkey public_key = {0}, s2n_pkey_free);
+ DEFER_CLEANUP(struct s2n_pkey public_key = { 0 }, s2n_pkey_free);
s2n_pkey_type pkey_type = S2N_PKEY_TYPE_UNKNOWN;
POSIX_GUARD(s2n_asn1der_to_public_key_and_type(&public_key, &pkey_type, &head->raw));
POSIX_ENSURE(pkey_type != S2N_PKEY_TYPE_UNKNOWN, S2N_ERR_CERT_TYPE_UNSUPPORTED);
@@ -399,7 +399,7 @@ int s2n_cert_chain_and_key_load_public_pem_bytes(struct s2n_cert_chain_and_key *
}
int s2n_cert_chain_and_key_load_pem_bytes(struct s2n_cert_chain_and_key *chain_and_key, uint8_t *chain_pem,
- uint32_t chain_pem_len, uint8_t *private_key_pem, uint32_t private_key_pem_len)
+ uint32_t chain_pem_len, uint8_t *private_key_pem, uint32_t private_key_pem_len)
{
POSIX_ENSURE_REF(chain_and_key);
@@ -434,16 +434,16 @@ int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_key)
/* update head so it won't point to freed memory */
cert_and_key->cert_chain->head = node->next;
/* Free the node */
- POSIX_GUARD(s2n_free_object((uint8_t **)&node, sizeof(struct s2n_cert)));
+ POSIX_GUARD(s2n_free_object((uint8_t **) &node, sizeof(struct s2n_cert)));
node = cert_and_key->cert_chain->head;
}
- POSIX_GUARD(s2n_free_object((uint8_t **)&cert_and_key->cert_chain, sizeof(struct s2n_cert_chain)));
+ POSIX_GUARD(s2n_free_object((uint8_t **) &cert_and_key->cert_chain, sizeof(struct s2n_cert_chain)));
}
if (cert_and_key->private_key) {
POSIX_GUARD(s2n_pkey_free(cert_and_key->private_key));
- POSIX_GUARD(s2n_free_object((uint8_t **)&cert_and_key->private_key, sizeof(s2n_cert_private_key)));
+ POSIX_GUARD(s2n_free_object((uint8_t **) &cert_and_key->private_key, sizeof(s2n_cert_private_key)));
}
uint32_t len = 0;
@@ -452,7 +452,7 @@ int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_key)
POSIX_GUARD_RESULT(s2n_array_num_elements(cert_and_key->san_names, &len));
for (uint32_t i = 0; i < len; i++) {
struct s2n_blob *san_name = NULL;
- POSIX_GUARD_RESULT(s2n_array_get(cert_and_key->san_names, i, (void **)&san_name));
+ POSIX_GUARD_RESULT(s2n_array_get(cert_and_key->san_names, i, (void **) &san_name));
POSIX_GUARD(s2n_free(san_name));
}
POSIX_GUARD_RESULT(s2n_array_free(cert_and_key->san_names));
@@ -463,7 +463,7 @@ int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_key)
POSIX_GUARD_RESULT(s2n_array_num_elements(cert_and_key->cn_names, &len));
for (uint32_t i = 0; i < len; i++) {
struct s2n_blob *cn_name = NULL;
- POSIX_GUARD_RESULT(s2n_array_get(cert_and_key->cn_names, i, (void **)&cn_name));
+ POSIX_GUARD_RESULT(s2n_array_get(cert_and_key->cn_names, i, (void **) &cn_name));
POSIX_GUARD(s2n_free(cn_name));
}
POSIX_GUARD_RESULT(s2n_array_free(cert_and_key->cn_names));
@@ -473,7 +473,7 @@ int s2n_cert_chain_and_key_free(struct s2n_cert_chain_and_key *cert_and_key)
POSIX_GUARD(s2n_free(&cert_and_key->ocsp_status));
POSIX_GUARD(s2n_free(&cert_and_key->sct_list));
- POSIX_GUARD(s2n_free_object((uint8_t **)&cert_and_key, sizeof(struct s2n_cert_chain_and_key)));
+ POSIX_GUARD(s2n_free_object((uint8_t **) &cert_and_key, sizeof(struct s2n_cert_chain_and_key)));
return 0;
}
@@ -488,7 +488,7 @@ int s2n_cert_chain_free(struct s2n_cert_chain *cert_chain)
/* update head so it won't point to freed memory */
cert_chain->head = node->next;
/* Free the node */
- POSIX_GUARD(s2n_free_object((uint8_t **)&node, sizeof(struct s2n_cert)));
+ POSIX_GUARD(s2n_free_object((uint8_t **) &node, sizeof(struct s2n_cert)));
node = cert_chain->head;
}
}
@@ -506,7 +506,7 @@ int s2n_send_cert_chain(struct s2n_connection *conn, struct s2n_stuffer *out, st
struct s2n_cert *cur_cert = chain->head;
POSIX_ENSURE_REF(cur_cert);
- struct s2n_stuffer_reservation cert_chain_size = {0};
+ struct s2n_stuffer_reservation cert_chain_size = { 0 };
POSIX_GUARD(s2n_stuffer_reserve_uint24(out, &cert_chain_size));
/* Send certs and extensions (in TLS 1.3) */
@@ -554,7 +554,7 @@ static int s2n_does_cert_san_match_hostname(const struct s2n_cert_chain_and_key
POSIX_GUARD_RESULT(s2n_array_num_elements(san_names, &len));
for (uint32_t i = 0; i < len; i++) {
struct s2n_blob *san_name = NULL;
- POSIX_GUARD_RESULT(s2n_array_get(san_names, i, (void **)&san_name));
+ POSIX_GUARD_RESULT(s2n_array_get(san_names, i, (void **) &san_name));
POSIX_ENSURE_REF(san_name);
if ((dns_name->size == san_name->size) && (strncasecmp((const char *) dns_name->data, (const char *) san_name->data, dns_name->size) == 0)) {
return 1;
@@ -574,7 +574,7 @@ static int s2n_does_cert_cn_match_hostname(const struct s2n_cert_chain_and_key *
POSIX_GUARD_RESULT(s2n_array_num_elements(cn_names, &len));
for (uint32_t i = 0; i < len; i++) {
struct s2n_blob *cn_name = NULL;
- POSIX_GUARD_RESULT(s2n_array_get(cn_names, i, (void **)&cn_name));
+ POSIX_GUARD_RESULT(s2n_array_get(cn_names, i, (void **) &cn_name));
POSIX_ENSURE_REF(cn_name);
if ((dns_name->size == cn_name->size) && (strncasecmp((const char *) dns_name->data, (const char *) cn_name->data, dns_name->size) == 0)) {
return 1;
@@ -619,8 +619,8 @@ void *s2n_cert_chain_and_key_get_ctx(struct s2n_cert_chain_and_key *cert_and_key
s2n_pkey_type s2n_cert_chain_and_key_get_pkey_type(struct s2n_cert_chain_and_key *chain_and_key)
{
if (chain_and_key == NULL
- || chain_and_key->cert_chain == NULL
- || chain_and_key->cert_chain->head == NULL) {
+ || chain_and_key->cert_chain == NULL
+ || chain_and_key->cert_chain->head == NULL) {
return S2N_PKEY_TYPE_UNKNOWN;
}
return chain_and_key->cert_chain->head->pkey_type;
@@ -650,7 +650,7 @@ int s2n_cert_chain_get_length(const struct s2n_cert_chain_and_key *chain_and_key
}
int s2n_cert_chain_get_cert(const struct s2n_cert_chain_and_key *chain_and_key, struct s2n_cert **out_cert,
- const uint32_t cert_idx)
+ const uint32_t cert_idx)
{
POSIX_ENSURE_REF(chain_and_key);
POSIX_ENSURE_REF(out_cert);
@@ -662,7 +662,7 @@ int s2n_cert_chain_get_cert(const struct s2n_cert_chain_and_key *chain_and_key,
struct s2n_cert *next_cert = cur_cert->next;
while ((next_cert != NULL) && (counter < cert_idx)) {
- cur_cert = next_cert;
+ cur_cert = next_cert;
next_cert = next_cert->next;
counter++;
}
@@ -686,15 +686,15 @@ int s2n_cert_get_der(const struct s2n_cert *cert, const uint8_t **out_cert_der,
return S2N_SUCCESS;
}
-static int s2n_asn1_obj_free(ASN1_OBJECT ** data)
+static int s2n_asn1_obj_free(ASN1_OBJECT **data)
{
if (*data != NULL) {
- ASN1_OBJECT_free(*data);
+ ASN1_OBJECT_free(*data);
}
return S2N_SUCCESS;
}
-static int s2n_asn1_string_free(ASN1_STRING** data)
+static int s2n_asn1_string_free(ASN1_STRING **data)
{
if (*data != NULL) {
ASN1_STRING_free(*data);
@@ -711,7 +711,7 @@ static int s2n_utf8_string_from_extension_data(const uint8_t *extension_data, ui
* https://www.openssl.org/docs/man1.1.0/man3/d2i_ASN1_UTF8STRING.html.
*/
const uint8_t *asn1_str_data = extension_data;
- asn1_str = d2i_ASN1_UTF8STRING(NULL, (const unsigned char **)(void *)&asn1_str_data, extension_len);
+ asn1_str = d2i_ASN1_UTF8STRING(NULL, (const unsigned char **) (void *) &asn1_str_data, extension_len);
POSIX_ENSURE(asn1_str != NULL, S2N_ERR_INVALID_X509_EXTENSION_TYPE);
/* ASN1_STRING_type() returns the type of `asn1_str`, using standard constants such as V_ASN1_OCTET_STRING.
* Ref: https://www.openssl.org/docs/man1.1.0/man3/ASN1_STRING_type.html.
@@ -725,13 +725,13 @@ static int s2n_utf8_string_from_extension_data(const uint8_t *extension_data, ui
/* ASN1_STRING_data() returns an internal pointer to the data.
* Since this is an internal pointer it should not be freed or modified in any way.
* Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
- */
+ */
unsigned char *internal_data = ASN1_STRING_data(asn1_str);
POSIX_ENSURE_REF(internal_data);
POSIX_CHECKED_MEMCPY(out_data, internal_data, len);
}
*out_len = len;
- return S2N_SUCCESS;
+ return S2N_SUCCESS;
}
int s2n_cert_get_utf8_string_from_extension_data_length(const uint8_t *extension_data, uint32_t extension_len, uint32_t *utf8_str_len)
@@ -758,7 +758,7 @@ int s2n_cert_get_utf8_string_from_extension_data(const uint8_t *extension_data,
}
static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
- uint8_t *ext_value, uint32_t *ext_value_len, bool *critical)
+ uint8_t *ext_value, uint32_t *ext_value_len, bool *critical)
{
POSIX_ENSURE_REF(cert->raw.data);
/* Obtain the openssl x509 cert from the ASN1 DER certificate input.
@@ -768,8 +768,8 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
* https://www.openssl.org/docs/man1.1.0/man3/d2i_X509.html.
*/
uint8_t *der_in = cert->raw.data;
- DEFER_CLEANUP(X509 *x509_cert = d2i_X509(NULL, (const unsigned char **)(void *)&der_in, cert->raw.size),
- X509_free_pointer);
+ DEFER_CLEANUP(X509 *x509_cert = d2i_X509(NULL, (const unsigned char **) (void *) &der_in, cert->raw.size),
+ X509_free_pointer);
POSIX_ENSURE_REF(x509_cert);
/* Retrieve the number of x509 extensions present in the certificate
@@ -784,12 +784,12 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
* If no_name is 1 only the numerical form is acceptable.
* Ref: https://www.openssl.org/docs/man1.1.0/man3/OBJ_txt2obj.html.
*/
- DEFER_CLEANUP(ASN1_OBJECT *asn1_obj_in = OBJ_txt2obj((const char *)oid, 0), s2n_asn1_obj_free);
+ DEFER_CLEANUP(ASN1_OBJECT *asn1_obj_in = OBJ_txt2obj((const char *) oid, 0), s2n_asn1_obj_free);
POSIX_ENSURE_REF(asn1_obj_in);
for (size_t loc = 0; loc < ext_count; loc++) {
ASN1_OCTET_STRING *asn1_str = NULL;
- bool match_found = false;
+ bool match_found = false;
/* Retrieve the x509 extension at location loc.
* X509_get_ext() retrieves extension loc from x.
@@ -822,24 +822,24 @@ static int s2n_parse_x509_extension(struct s2n_cert *cert, const uint8_t *oid,
asn1_str = X509_EXTENSION_get_data(x509_ext);
/* ASN1_STRING_length() returns the length of the content of `asn1_str`.
* Ref: https://www.openssl.org/docs/man1.1.0/man3/ASN1_STRING_length.html.
- */
+ */
int len = ASN1_STRING_length(asn1_str);
if (ext_value != NULL) {
POSIX_ENSURE(*ext_value_len >= len, S2N_ERR_INSUFFICIENT_MEM_SIZE);
/* ASN1_STRING_data() returns an internal pointer to the data.
- * Since this is an internal pointer it should not be freed or modified in any way.
- * Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
- */
+ * Since this is an internal pointer it should not be freed or modified in any way.
+ * Ref: https://www.openssl.org/docs/man1.0.2/man3/ASN1_STRING_data.html.
+ */
unsigned char *internal_data = ASN1_STRING_data(asn1_str);
POSIX_ENSURE_REF(internal_data);
POSIX_CHECKED_MEMCPY(ext_value, internal_data, len);
}
if (critical != NULL) {
- /* Retrieve the x509 extension's critical value.
- * X509_EXTENSION_get_critical() returns the criticality of extension `x509_ext`,
- * it returns 1 for critical and 0 for non-critical.
- * Ref: https://www.openssl.org/docs/man1.1.0/man3/X509_EXTENSION_get_critical.html.
- */
+ /* Retrieve the x509 extension's critical value.
+ * X509_EXTENSION_get_critical() returns the criticality of extension `x509_ext`,
+ * it returns 1 for critical and 0 for non-critical.
+ * Ref: https://www.openssl.org/docs/man1.1.0/man3/X509_EXTENSION_get_critical.html.
+ */
*critical = X509_EXTENSION_get_critical(x509_ext);
}
*ext_value_len = len;
@@ -862,7 +862,7 @@ int s2n_cert_get_x509_extension_value_length(struct s2n_cert *cert, const uint8_
}
int s2n_cert_get_x509_extension_value(struct s2n_cert *cert, const uint8_t *oid,
- uint8_t *ext_value, uint32_t *ext_value_len, bool *critical)
+ uint8_t *ext_value, uint32_t *ext_value_len, bool *critical)
{
POSIX_ENSURE_REF(cert);
POSIX_ENSURE_REF(oid);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_certificate.h b/contrib/restricted/aws/s2n/crypto/s2n_certificate.h
index c0cfad98da..db4be5c2ae 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_certificate.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_certificate.h
@@ -15,9 +15,8 @@
#pragma once
-#include <stdint.h>
-
#include <openssl/x509.h>
+#include <stdint.h>
#include "api/s2n.h"
#include "crypto/s2n_pkey.h"
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_cipher.c b/contrib/restricted/aws/s2n/crypto/s2n_cipher.c
index c01e44d8da..aaada9dfad 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_cipher.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_cipher.c
@@ -15,11 +15,10 @@
#include <openssl/evp.h>
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-#error #include <openssl/mem.h>
+ #error #include <openssl/mem.h>
#endif
#include "crypto/s2n_cipher.h"
-
#include "utils/s2n_safety.h"
int s2n_session_key_alloc(struct s2n_session_key *key)
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_cipher.h b/contrib/restricted/aws/s2n/crypto/s2n_cipher.h
index 460187ee10..ac0baa6fba 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_cipher.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_cipher.h
@@ -15,19 +15,18 @@
#pragma once
-#include <openssl/evp.h>
#include <openssl/aes.h>
-#include <openssl/rc4.h>
#include <openssl/des.h>
-#include <openssl/rsa.h>
#include <openssl/dh.h>
+#include <openssl/evp.h>
+#include <openssl/rc4.h>
+#include <openssl/rsa.h>
#include "crypto/s2n_crypto.h"
-
#include "utils/s2n_blob.h"
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-#define S2N_CIPHER_AEAD_API_AVAILABLE
+ #define S2N_CIPHER_AEAD_API_AVAILABLE
#endif
struct s2n_session_key {
@@ -38,38 +37,43 @@ struct s2n_session_key {
};
struct s2n_stream_cipher {
- int (*decrypt) (struct s2n_session_key * key, struct s2n_blob * in, struct s2n_blob * out);
- int (*encrypt) (struct s2n_session_key * key, struct s2n_blob * in, struct s2n_blob * out);
+ int (*decrypt)(struct s2n_session_key *key, struct s2n_blob *in, struct s2n_blob *out);
+ int (*encrypt)(struct s2n_session_key *key, struct s2n_blob *in, struct s2n_blob *out);
};
struct s2n_cbc_cipher {
uint8_t block_size;
uint8_t record_iv_size;
- int (*decrypt) (struct s2n_session_key * key, struct s2n_blob * iv, struct s2n_blob * in, struct s2n_blob * out);
- int (*encrypt) (struct s2n_session_key * key, struct s2n_blob * iv, struct s2n_blob * in, struct s2n_blob * out);
+ int (*decrypt)(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out);
+ int (*encrypt)(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out);
};
struct s2n_aead_cipher {
uint8_t fixed_iv_size;
uint8_t record_iv_size;
uint8_t tag_size;
- int (*decrypt) (struct s2n_session_key * key, struct s2n_blob * iv, struct s2n_blob * add, struct s2n_blob * in, struct s2n_blob * out);
- int (*encrypt) (struct s2n_session_key * key, struct s2n_blob * iv, struct s2n_blob * add, struct s2n_blob * in, struct s2n_blob * out);
+ int (*decrypt)(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *add, struct s2n_blob *in, struct s2n_blob *out);
+ int (*encrypt)(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *add, struct s2n_blob *in, struct s2n_blob *out);
};
struct s2n_composite_cipher {
uint8_t block_size;
uint8_t record_iv_size;
uint8_t mac_key_size;
- int (*decrypt) (struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out);
- int (*encrypt) (struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out);
- int (*set_mac_write_key) (struct s2n_session_key *key, uint8_t *mac_key, uint32_t mac_size);
- int (*initial_hmac) (struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type, uint16_t protocol_version,
- uint16_t payload_and_eiv_len, int *extra);
+ int (*decrypt)(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out);
+ int (*encrypt)(struct s2n_session_key *key, struct s2n_blob *iv, struct s2n_blob *in, struct s2n_blob *out);
+ int (*set_mac_write_key)(struct s2n_session_key *key, uint8_t *mac_key, uint32_t mac_size);
+ int (*initial_hmac)(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type, uint16_t protocol_version,
+ uint16_t payload_and_eiv_len, int *extra);
};
struct s2n_cipher {
- enum { S2N_STREAM, S2N_CBC, S2N_AEAD, S2N_COMPOSITE } type;
+ enum {
+ S2N_STREAM,
+ S2N_CBC,
+ S2N_AEAD,
+ S2N_COMPOSITE
+ } type;
union {
struct s2n_stream_cipher stream;
struct s2n_aead_cipher aead;
@@ -77,11 +81,11 @@ struct s2n_cipher {
struct s2n_composite_cipher comp;
} io;
uint8_t key_material_size;
- uint8_t (*is_available) (void);
- int (*init) (struct s2n_session_key *key);
- int (*set_decryption_key) (struct s2n_session_key *key, struct s2n_blob *in);
- int (*set_encryption_key) (struct s2n_session_key *key, struct s2n_blob *in);
- int (*destroy_key) (struct s2n_session_key *key);
+ uint8_t (*is_available)(void);
+ int (*init)(struct s2n_session_key *key);
+ int (*set_decryption_key)(struct s2n_session_key *key, struct s2n_blob *in);
+ int (*set_encryption_key)(struct s2n_session_key *key, struct s2n_blob *in);
+ int (*destroy_key)(struct s2n_session_key *key);
};
extern int s2n_session_key_alloc(struct s2n_session_key *key);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c b/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c
index 10bedf3941..57a308d227 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_composite_cipher_aes_sha.c
@@ -20,72 +20,70 @@
#include "crypto/s2n_cipher.h"
#include "crypto/s2n_fips.h"
#include "crypto/s2n_openssl.h"
-
#include "tls/s2n_crypto.h"
-
-#include "utils/s2n_safety.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
/* LibreSSL and BoringSSL support the cipher, but the interface is different from Openssl's. We
* should define a separate s2n_cipher struct for LibreSSL and BoringSSL.
*/
#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
-/* Symbols for AES-SHA1-CBC composite ciphers were added in Openssl 1.0.1
- * These composite ciphers exhibit erratic behavior in LibreSSL releases.
- */
-#if S2N_OPENSSL_VERSION_AT_LEAST(1,0,1)
-#define S2N_AES_SHA1_COMPOSITE_AVAILABLE
-#endif
-#if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
-#undef S2N_AES_SHA1_COMPOSITE_AVAILABLE
-#endif
-/* Symbols for AES-SHA256-CBC composite ciphers were added in Openssl 1.0.2
- * See https://www.openssl.org/news/cl102.txt
- * These composite ciphers exhibit erratic behavior in LibreSSL releases.
- */
-#if S2N_OPENSSL_VERSION_AT_LEAST(1,0,2)
-#define S2N_AES_SHA256_COMPOSITE_AVAILABLE
-#endif
-#if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
-#undef S2N_AES_SHA256_COMPOSITE_AVAILABLE
-#endif
+ /* Symbols for AES-SHA1-CBC composite ciphers were added in Openssl 1.0.1
+ * These composite ciphers exhibit erratic behavior in LibreSSL releases.
+ */
+ #if S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 1)
+ #define S2N_AES_SHA1_COMPOSITE_AVAILABLE
+ #endif
+ #if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
+ #undef S2N_AES_SHA1_COMPOSITE_AVAILABLE
+ #endif
+ /* Symbols for AES-SHA256-CBC composite ciphers were added in Openssl 1.0.2
+ * See https://www.openssl.org/news/cl102.txt
+ * These composite ciphers exhibit erratic behavior in LibreSSL releases.
+ */
+ #if S2N_OPENSSL_VERSION_AT_LEAST(1, 0, 2)
+ #define S2N_AES_SHA256_COMPOSITE_AVAILABLE
+ #endif
+ #if defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17)
+ #undef S2N_AES_SHA256_COMPOSITE_AVAILABLE
+ #endif
#endif
/* Silly accessors, but we avoid using version macro guards in multiple places */
static const EVP_CIPHER *s2n_evp_aes_128_cbc_hmac_sha1(void)
{
- #if defined(S2N_AES_SHA1_COMPOSITE_AVAILABLE)
- return EVP_aes_128_cbc_hmac_sha1();
- #else
- return NULL;
- #endif
+#if defined(S2N_AES_SHA1_COMPOSITE_AVAILABLE)
+ return EVP_aes_128_cbc_hmac_sha1();
+#else
+ return NULL;
+#endif
}
static const EVP_CIPHER *s2n_evp_aes_256_cbc_hmac_sha1(void)
{
- #if defined(S2N_AES_SHA1_COMPOSITE_AVAILABLE)
- return EVP_aes_256_cbc_hmac_sha1();
- #else
- return NULL;
- #endif
+#if defined(S2N_AES_SHA1_COMPOSITE_AVAILABLE)
+ return EVP_aes_256_cbc_hmac_sha1();
+#else
+ return NULL;
+#endif
}
static const EVP_CIPHER *s2n_evp_aes_128_cbc_hmac_sha256(void)
{
- #if defined(S2N_AES_SHA256_COMPOSITE_AVAILABLE)
- return EVP_aes_128_cbc_hmac_sha256();
- #else
- return NULL;
- #endif
+#if defined(S2N_AES_SHA256_COMPOSITE_AVAILABLE)
+ return EVP_aes_128_cbc_hmac_sha256();
+#else
+ return NULL;
+#endif
}
static const EVP_CIPHER *s2n_evp_aes_256_cbc_hmac_sha256(void)
{
- #if defined(S2N_AES_SHA256_COMPOSITE_AVAILABLE)
- return EVP_aes_256_cbc_hmac_sha256();
- #else
- return NULL;
- #endif
+#if defined(S2N_AES_SHA256_COMPOSITE_AVAILABLE)
+ return EVP_aes_256_cbc_hmac_sha256();
+#else
+ return NULL;
+#endif
}
static uint8_t s2n_composite_cipher_aes128_sha_available(void)
@@ -128,18 +126,18 @@ static uint8_t s2n_composite_cipher_aes256_sha256_available(void)
}
static int s2n_composite_cipher_aes_sha_initial_hmac(struct s2n_session_key *key, uint8_t *sequence_number, uint8_t content_type,
- uint16_t protocol_version, uint16_t payload_and_eiv_len, int *extra)
+ uint16_t protocol_version, uint16_t payload_and_eiv_len, int *extra)
{
/* BoringSSL and AWS-LC(AWSLC_API_VERSION <= 17) do not support these composite ciphers with the existing EVP API, and they took out the
* constants used below. This method should never be called with BoringSSL or AWS-LC(AWSLC_API_VERSION <= 17) because the isAvaliable checked
* will fail. Instead of defining a possibly dangerous default or hard coding this to 0x16 error out with BoringSSL and AWS-LC(AWSLC_API_VERSION <= 17).
*/
#if defined(OPENSSL_IS_BORINGSSL) || (defined(AWSLC_API_VERSION) && (AWSLC_API_VERSION <= 17))
- POSIX_BAIL(S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API);
+ POSIX_BAIL(S2N_ERR_NO_SUPPORTED_LIBCRYPTO_API);
#else
uint8_t ctrl_buf[S2N_TLS12_AAD_LEN];
struct s2n_blob ctrl_blob = { .data = ctrl_buf, .size = S2N_TLS12_AAD_LEN };
- struct s2n_stuffer ctrl_stuffer = {0};
+ struct s2n_stuffer ctrl_stuffer = { 0 };
POSIX_GUARD(s2n_stuffer_init(&ctrl_stuffer, &ctrl_blob));
POSIX_GUARD(s2n_stuffer_write_bytes(&ctrl_stuffer, sequence_number, S2N_TLS_SEQUENCE_NUM_LEN));
@@ -208,7 +206,6 @@ static int s2n_composite_cipher_aes_sha256_set_mac_write_key(struct s2n_session_
return 0;
}
-
static int s2n_composite_cipher_aes128_sha_set_encryption_key(struct s2n_session_key *key, struct s2n_blob *in)
{
POSIX_ENSURE_EQ(in->size, 16);
@@ -307,13 +304,13 @@ const struct s2n_cipher s2n_aes128_sha = {
.key_material_size = 16,
.type = S2N_COMPOSITE,
.io.comp = {
- .block_size = 16,
- .record_iv_size = 16,
- .mac_key_size = SHA_DIGEST_LENGTH,
- .decrypt = s2n_composite_cipher_aes_sha_decrypt,
- .encrypt = s2n_composite_cipher_aes_sha_encrypt,
- .set_mac_write_key = s2n_composite_cipher_aes_sha_set_mac_write_key,
- .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
+ .block_size = 16,
+ .record_iv_size = 16,
+ .mac_key_size = SHA_DIGEST_LENGTH,
+ .decrypt = s2n_composite_cipher_aes_sha_decrypt,
+ .encrypt = s2n_composite_cipher_aes_sha_encrypt,
+ .set_mac_write_key = s2n_composite_cipher_aes_sha_set_mac_write_key,
+ .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
.is_available = s2n_composite_cipher_aes128_sha_available,
.init = s2n_composite_cipher_aes_sha_init,
.set_encryption_key = s2n_composite_cipher_aes128_sha_set_encryption_key,
@@ -325,13 +322,13 @@ const struct s2n_cipher s2n_aes256_sha = {
.key_material_size = 32,
.type = S2N_COMPOSITE,
.io.comp = {
- .block_size = 16,
- .record_iv_size = 16,
- .mac_key_size = SHA_DIGEST_LENGTH,
- .decrypt = s2n_composite_cipher_aes_sha_decrypt,
- .encrypt = s2n_composite_cipher_aes_sha_encrypt,
- .set_mac_write_key = s2n_composite_cipher_aes_sha_set_mac_write_key,
- .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
+ .block_size = 16,
+ .record_iv_size = 16,
+ .mac_key_size = SHA_DIGEST_LENGTH,
+ .decrypt = s2n_composite_cipher_aes_sha_decrypt,
+ .encrypt = s2n_composite_cipher_aes_sha_encrypt,
+ .set_mac_write_key = s2n_composite_cipher_aes_sha_set_mac_write_key,
+ .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
.is_available = s2n_composite_cipher_aes256_sha_available,
.init = s2n_composite_cipher_aes_sha_init,
.set_encryption_key = s2n_composite_cipher_aes256_sha_set_encryption_key,
@@ -343,13 +340,13 @@ const struct s2n_cipher s2n_aes128_sha256 = {
.key_material_size = 16,
.type = S2N_COMPOSITE,
.io.comp = {
- .block_size = 16,
- .record_iv_size = 16,
- .mac_key_size = SHA256_DIGEST_LENGTH,
- .decrypt = s2n_composite_cipher_aes_sha_decrypt,
- .encrypt = s2n_composite_cipher_aes_sha_encrypt,
- .set_mac_write_key = s2n_composite_cipher_aes_sha256_set_mac_write_key,
- .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
+ .block_size = 16,
+ .record_iv_size = 16,
+ .mac_key_size = SHA256_DIGEST_LENGTH,
+ .decrypt = s2n_composite_cipher_aes_sha_decrypt,
+ .encrypt = s2n_composite_cipher_aes_sha_encrypt,
+ .set_mac_write_key = s2n_composite_cipher_aes_sha256_set_mac_write_key,
+ .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
.is_available = s2n_composite_cipher_aes128_sha256_available,
.init = s2n_composite_cipher_aes_sha_init,
.set_encryption_key = s2n_composite_cipher_aes128_sha256_set_encryption_key,
@@ -361,13 +358,13 @@ const struct s2n_cipher s2n_aes256_sha256 = {
.key_material_size = 32,
.type = S2N_COMPOSITE,
.io.comp = {
- .block_size = 16,
- .record_iv_size = 16,
- .mac_key_size = SHA256_DIGEST_LENGTH,
- .decrypt = s2n_composite_cipher_aes_sha_decrypt,
- .encrypt = s2n_composite_cipher_aes_sha_encrypt,
- .set_mac_write_key = s2n_composite_cipher_aes_sha256_set_mac_write_key,
- .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
+ .block_size = 16,
+ .record_iv_size = 16,
+ .mac_key_size = SHA256_DIGEST_LENGTH,
+ .decrypt = s2n_composite_cipher_aes_sha_decrypt,
+ .encrypt = s2n_composite_cipher_aes_sha_encrypt,
+ .set_mac_write_key = s2n_composite_cipher_aes_sha256_set_mac_write_key,
+ .initial_hmac = s2n_composite_cipher_aes_sha_initial_hmac },
.is_available = s2n_composite_cipher_aes256_sha256_available,
.init = s2n_composite_cipher_aes_sha_init,
.set_encryption_key = s2n_composite_cipher_aes256_sha256_set_encryption_key,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_crypto.c b/contrib/restricted/aws/s2n/crypto/s2n_crypto.c
index d9062f0578..37c3c0f14b 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_crypto.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_crypto.c
@@ -13,17 +13,18 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_crypto.h"
+
#include <stdint.h>
#include "api/s2n.h"
-#include "crypto/s2n_crypto.h"
/* OPENSSL_free is defined within <openssl/crypto.h> for OpenSSL Libcrypto
* and within <openssl/mem.h> for AWS_LC and BoringSSL */
#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-#error #include <openssl/mem.h>
-#else
-#include <openssl/crypto.h>
+ #error #include <openssl/mem.h>
+#else
+ #include <openssl/crypto.h>
#endif
int s2n_crypto_free(uint8_t** data)
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_crypto.h b/contrib/restricted/aws/s2n/crypto/s2n_crypto.h
index 8c5fc04266..3e39f15040 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_crypto.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_crypto.h
@@ -15,12 +15,11 @@
#pragma once
-#include <stdint.h>
-
#include <openssl/aes.h>
-#include <openssl/rc4.h>
#include <openssl/des.h>
-#include <openssl/rsa.h>
#include <openssl/dh.h>
+#include <openssl/rc4.h>
+#include <openssl/rsa.h>
+#include <stdint.h>
int s2n_crypto_free(uint8_t** data);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_dhe.c b/contrib/restricted/aws/s2n/crypto/s2n_dhe.c
index 513b6d09ed..aa5b629c09 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_dhe.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_dhe.c
@@ -40,7 +40,7 @@ static const BIGNUM *s2n_get_Ys_dh_param(struct s2n_dh_params *dh_params)
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
DH_get0_key(dh_params->dh, &Ys, NULL);
#else
- Ys = dh_params->dh->pub_key;
+ Ys = dh_params->dh->pub_key;
#endif
return Ys;
@@ -52,7 +52,7 @@ static const BIGNUM *s2n_get_p_dh_param(struct s2n_dh_params *dh_params)
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
DH_get0_pqg(dh_params->dh, &p, NULL, NULL);
#else
- p = dh_params->dh->p;
+ p = dh_params->dh->p;
#endif
return p;
@@ -64,7 +64,7 @@ static const BIGNUM *s2n_get_g_dh_param(struct s2n_dh_params *dh_params)
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
DH_get0_pqg(dh_params->dh, NULL, NULL, &g);
#else
- g = dh_params->dh->g;
+ g = dh_params->dh->g;
#endif
return g;
@@ -100,14 +100,14 @@ static int s2n_check_pub_key_dh_params(struct s2n_dh_params *dh_params)
}
static int s2n_set_p_g_Ys_dh_params(struct s2n_dh_params *dh_params, struct s2n_blob *p, struct s2n_blob *g,
- struct s2n_blob *Ys)
+ struct s2n_blob *Ys)
{
POSIX_ENSURE(p->size <= INT_MAX, S2N_ERR_INTEGER_OVERFLOW);
POSIX_ENSURE(g->size <= INT_MAX, S2N_ERR_INTEGER_OVERFLOW);
POSIX_ENSURE(Ys->size <= INT_MAX, S2N_ERR_INTEGER_OVERFLOW);
- BIGNUM *bn_p = BN_bin2bn(( const unsigned char * )p->data, p->size, NULL);
- BIGNUM *bn_g = BN_bin2bn(( const unsigned char * )g->data, g->size, NULL);
- BIGNUM *bn_Ys = BN_bin2bn(( const unsigned char * )Ys->data, Ys->size, NULL);
+ BIGNUM *bn_p = BN_bin2bn((const unsigned char *) p->data, p->size, NULL);
+ BIGNUM *bn_g = BN_bin2bn((const unsigned char *) g->data, g->size, NULL);
+ BIGNUM *bn_Ys = BN_bin2bn((const unsigned char *) Ys->data, Ys->size, NULL);
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)
/* Per https://www.openssl.org/docs/man1.1.0/crypto/DH_get0_pqg.html:
@@ -118,8 +118,8 @@ static int s2n_set_p_g_Ys_dh_params(struct s2n_dh_params *dh_params, struct s2n_
/* Same as DH_set0_pqg */
POSIX_GUARD_OSSL(DH_set0_key(dh_params->dh, bn_Ys, NULL), S2N_ERR_DH_PARAMS_CREATE);
#else
- dh_params->dh->p = bn_p;
- dh_params->dh->g = bn_g;
+ dh_params->dh->p = bn_p;
+ dh_params->dh->g = bn_g;
dh_params->dh->pub_key = bn_Ys;
#endif
@@ -140,7 +140,7 @@ int s2n_pkcs3_to_dh_params(struct s2n_dh_params *dh_params, struct s2n_blob *pkc
POSIX_PRECONDITION(s2n_blob_validate(pkcs3));
uint8_t *original_ptr = pkcs3->data;
- dh_params->dh = d2i_DHparams(NULL, ( const unsigned char ** )( void * )&pkcs3->data, pkcs3->size);
+ dh_params->dh = d2i_DHparams(NULL, (const unsigned char **) (void *) &pkcs3->data, pkcs3->size);
POSIX_GUARD(s2n_check_p_g_dh_params(dh_params));
if (pkcs3->data && (pkcs3->data - original_ptr != pkcs3->size)) {
DH_free(dh_params->dh);
@@ -161,7 +161,7 @@ int s2n_pkcs3_to_dh_params(struct s2n_dh_params *dh_params, struct s2n_blob *pkc
}
int s2n_dh_p_g_Ys_to_dh_params(struct s2n_dh_params *server_dh_params, struct s2n_blob *p, struct s2n_blob *g,
- struct s2n_blob *Ys)
+ struct s2n_blob *Ys)
{
POSIX_ENSURE_REF(server_dh_params);
POSIX_PRECONDITION(s2n_blob_validate(p));
@@ -183,12 +183,12 @@ int s2n_dh_params_to_p_g_Ys(struct s2n_dh_params *server_dh_params, struct s2n_s
POSIX_PRECONDITION(s2n_stuffer_validate(out));
POSIX_PRECONDITION(s2n_blob_validate(output));
- const BIGNUM *bn_p = s2n_get_p_dh_param(server_dh_params);
- const BIGNUM *bn_g = s2n_get_g_dh_param(server_dh_params);
+ const BIGNUM *bn_p = s2n_get_p_dh_param(server_dh_params);
+ const BIGNUM *bn_g = s2n_get_g_dh_param(server_dh_params);
const BIGNUM *bn_Ys = s2n_get_Ys_dh_param(server_dh_params);
- uint16_t p_size = BN_num_bytes(bn_p);
- uint16_t g_size = BN_num_bytes(bn_g);
+ uint16_t p_size = BN_num_bytes(bn_p);
+ uint16_t g_size = BN_num_bytes(bn_g);
uint16_t Ys_size = BN_num_bytes(bn_Ys);
uint8_t *p = NULL;
uint8_t *g = NULL;
@@ -218,12 +218,12 @@ int s2n_dh_params_to_p_g_Ys(struct s2n_dh_params *server_dh_params, struct s2n_s
}
int s2n_dh_compute_shared_secret_as_client(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *Yc_out,
- struct s2n_blob *shared_key)
+ struct s2n_blob *shared_key)
{
struct s2n_dh_params client_params = { 0 };
- uint8_t * client_pub_key = NULL;
- uint16_t client_pub_key_size = 0;
- int shared_key_size = 0;
+ uint8_t *client_pub_key = NULL;
+ uint16_t client_pub_key_size = 0;
+ int shared_key_size = 0;
POSIX_GUARD(s2n_dh_params_check(server_dh_params));
POSIX_GUARD(s2n_dh_params_copy(server_dh_params, &client_params));
@@ -232,7 +232,7 @@ int s2n_dh_compute_shared_secret_as_client(struct s2n_dh_params *server_dh_param
const BIGNUM *client_pub_key_bn = s2n_get_Ys_dh_param(&client_params);
POSIX_ENSURE_REF(client_pub_key_bn);
- client_pub_key_size = BN_num_bytes(client_pub_key_bn);
+ client_pub_key_size = BN_num_bytes(client_pub_key_bn);
POSIX_GUARD(s2n_stuffer_write_uint16(Yc_out, client_pub_key_size));
client_pub_key = s2n_stuffer_raw_write(Yc_out, client_pub_key_size);
if (client_pub_key == NULL) {
@@ -249,7 +249,7 @@ int s2n_dh_compute_shared_secret_as_client(struct s2n_dh_params *server_dh_param
/* server_dh_params already validated */
const BIGNUM *server_pub_key_bn = s2n_get_Ys_dh_param(server_dh_params);
- shared_key_size = DH_compute_key(shared_key->data, server_pub_key_bn, client_params.dh);
+ shared_key_size = DH_compute_key(shared_key->data, server_pub_key_bn, client_params.dh);
if (shared_key_size < 0) {
POSIX_GUARD(s2n_free(shared_key));
POSIX_GUARD(s2n_dh_params_free(&client_params));
@@ -264,12 +264,12 @@ int s2n_dh_compute_shared_secret_as_client(struct s2n_dh_params *server_dh_param
}
int s2n_dh_compute_shared_secret_as_server(struct s2n_dh_params *server_dh_params, struct s2n_stuffer *Yc_in,
- struct s2n_blob *shared_key)
+ struct s2n_blob *shared_key)
{
- uint16_t Yc_length = 0;
+ uint16_t Yc_length = 0;
struct s2n_blob Yc = { 0 };
- int shared_key_size = 0;
- BIGNUM * pub_key = NULL;
+ int shared_key_size = 0;
+ BIGNUM *pub_key = NULL;
POSIX_GUARD(s2n_check_all_dh_params(server_dh_params));
@@ -278,7 +278,7 @@ int s2n_dh_compute_shared_secret_as_server(struct s2n_dh_params *server_dh_param
Yc.data = s2n_stuffer_raw_read(Yc_in, Yc.size);
POSIX_ENSURE_REF(Yc.data);
- pub_key = BN_bin2bn(( const unsigned char * )Yc.data, Yc.size, NULL);
+ pub_key = BN_bin2bn((const unsigned char *) Yc.data, Yc.size, NULL);
POSIX_ENSURE_REF(pub_key);
int server_dh_params_size = DH_size(server_dh_params->dh);
POSIX_ENSURE(server_dh_params_size <= INT32_MAX, S2N_ERR_INTEGER_OVERFLOW);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_dhe.h b/contrib/restricted/aws/s2n/crypto/s2n_dhe.h
index f9e004e5e5..c5c940c090 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_dhe.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_dhe.h
@@ -18,7 +18,6 @@
#include <openssl/dh.h>
#include "stuffer/s2n_stuffer.h"
-
#include "utils/s2n_blob.h"
struct s2n_dh_params {
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_drbg.c b/contrib/restricted/aws/s2n/crypto/s2n_drbg.c
index 9f0acd5bf2..536a16da09 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_drbg.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_drbg.c
@@ -13,19 +13,18 @@
* permissions and limitations under the License.
*/
-#include <sys/param.h>
+#include "crypto/s2n_drbg.h"
#include <openssl/evp.h>
+#include <sys/param.h>
-#include "crypto/s2n_drbg.h"
-
-#include "utils/s2n_safety.h"
-#include "utils/s2n_random.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_random.h"
+#include "utils/s2n_safety.h"
static bool ignore_prediction_resistance_for_testing = false;
-#define s2n_drbg_key_size(drgb) EVP_CIPHER_CTX_key_length((drbg)->ctx)
+#define s2n_drbg_key_size(drgb) EVP_CIPHER_CTX_key_length((drbg)->ctx)
#define s2n_drbg_seed_size(drgb) (S2N_DRBG_BLOCK_SIZE + s2n_drbg_key_size(drgb))
/* This function is the same as s2n_increment_sequence_number
@@ -34,12 +33,12 @@ static bool ignore_prediction_resistance_for_testing = false;
S2N_RESULT s2n_increment_drbg_counter(struct s2n_blob *counter)
{
for (uint32_t i = counter->size; i > 0; i--) {
- counter->data[i-1] += 1;
- if (counter->data[i-1]) {
+ counter->data[i - 1] += 1;
+ if (counter->data[i - 1]) {
break;
}
- /* seq[i] wrapped, so let it carry */
+ /* seq[i] wrapped, so let it carry */
}
return S2N_RESULT_OK;
}
@@ -62,7 +61,7 @@ static S2N_RESULT s2n_drbg_bits(struct s2n_drbg *drbg, struct s2n_blob *out)
RESULT_ENSURE_REF(drbg->ctx);
RESULT_ENSURE_REF(out);
- struct s2n_blob value = {0};
+ struct s2n_blob value = { 0 };
RESULT_GUARD_POSIX(s2n_blob_init(&value, drbg->v, sizeof(drbg->v)));
int block_aligned_size = out->size - (out->size % S2N_DRBG_BLOCK_SIZE);
@@ -168,7 +167,7 @@ S2N_RESULT s2n_drbg_instantiate(struct s2n_drbg *drbg, struct s2n_blob *personal
RESULT_EVP_CTX_INIT(drbg->ctx);
- switch(mode) {
+ switch (mode) {
case S2N_AES_128_CTR_NO_DF_PR:
RESULT_GUARD_OSSL(EVP_EncryptInit_ex(drbg->ctx, EVP_aes_128_ecb(), NULL, NULL, NULL), S2N_ERR_DRBG);
break;
@@ -182,7 +181,7 @@ S2N_RESULT s2n_drbg_instantiate(struct s2n_drbg *drbg, struct s2n_blob *personal
RESULT_ENSURE_LTE(s2n_drbg_key_size(drbg), S2N_DRBG_MAX_KEY_SIZE);
RESULT_ENSURE_LTE(s2n_drbg_seed_size(drbg), S2N_DRBG_MAX_SEED_SIZE);
- static const uint8_t zero_key[S2N_DRBG_MAX_KEY_SIZE] = {0};
+ static const uint8_t zero_key[S2N_DRBG_MAX_KEY_SIZE] = { 0 };
/* Start off with zeroed data, per 10.2.1.3.1 item 4 and 5 */
memset(drbg->v, 0, sizeof(drbg->v));
@@ -235,7 +234,7 @@ S2N_RESULT s2n_drbg_wipe(struct s2n_drbg *drbg)
drbg->ctx = NULL;
}
- *drbg = (struct s2n_drbg) {0};
+ *drbg = (struct s2n_drbg){ 0 };
return S2N_RESULT_OK;
}
@@ -248,7 +247,8 @@ S2N_RESULT s2n_drbg_bytes_used(struct s2n_drbg *drbg, uint64_t *bytes_used)
return S2N_RESULT_OK;
}
-S2N_RESULT s2n_ignore_prediction_resistance_for_testing(bool ignore_bool) {
+S2N_RESULT s2n_ignore_prediction_resistance_for_testing(bool ignore_bool)
+{
RESULT_ENSURE(s2n_in_unit_test(), S2N_ERR_NOT_IN_UNIT_TEST);
ignore_prediction_resistance_for_testing = ignore_bool;
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_drbg.h b/contrib/restricted/aws/s2n/crypto/s2n_drbg.h
index f3a5661554..dc4074006d 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_drbg.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_drbg.h
@@ -21,8 +21,8 @@
#include "utils/s2n_blob.h"
#include "utils/s2n_result.h"
-#define S2N_DRBG_BLOCK_SIZE 16
-#define S2N_DRBG_MAX_KEY_SIZE 32
+#define S2N_DRBG_BLOCK_SIZE 16
+#define S2N_DRBG_MAX_KEY_SIZE 32
#define S2N_DRBG_MAX_SEED_SIZE (S2N_DRBG_BLOCK_SIZE + S2N_DRBG_MAX_KEY_SIZE)
/* The maximum size of any one request: from NIST SP800-90A 10.2.1 Table 3 */
@@ -48,7 +48,10 @@ struct s2n_drbg {
* S2N_AES_256_CTR_NO_DF_PR is a deterministic random bit generator using AES 256 in counter mode (AES_128_CTR). It does not
* use a derivation function on the seed but does have prediction resistance.
*/
-typedef enum {S2N_AES_128_CTR_NO_DF_PR, S2N_AES_256_CTR_NO_DF_PR} s2n_drbg_mode;
+typedef enum {
+ S2N_AES_128_CTR_NO_DF_PR,
+ S2N_AES_256_CTR_NO_DF_PR
+} s2n_drbg_mode;
/* Per NIST SP 800-90C 6.3
*
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.c b/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.c
index 4d1a72c408..ab369f79d6 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.c
@@ -18,7 +18,7 @@
#include <openssl/ecdh.h>
#include <openssl/evp.h>
#if defined(OPENSSL_IS_AWSLC)
-#error #include <openssl/mem.h>
+ #error #include <openssl/mem.h>
#endif
#include <stdint.h>
@@ -52,31 +52,28 @@ static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_p
/* IANA values can be found here: https://tools.ietf.org/html/rfc8446#appendix-B.3.1.4 */
-const struct s2n_ecc_named_curve s2n_ecc_curve_secp256r1 =
-{
- .iana_id = TLS_EC_CURVE_SECP_256_R1,
- .libcrypto_nid = NID_X9_62_prime256v1,
- .name = "secp256r1",
- .share_size = SECP256R1_SHARE_SIZE,
- .generate_key = s2n_ecc_evp_generate_key_nist_curves,
+const struct s2n_ecc_named_curve s2n_ecc_curve_secp256r1 = {
+ .iana_id = TLS_EC_CURVE_SECP_256_R1,
+ .libcrypto_nid = NID_X9_62_prime256v1,
+ .name = "secp256r1",
+ .share_size = SECP256R1_SHARE_SIZE,
+ .generate_key = s2n_ecc_evp_generate_key_nist_curves,
};
-const struct s2n_ecc_named_curve s2n_ecc_curve_secp384r1 =
-{
- .iana_id = TLS_EC_CURVE_SECP_384_R1,
- .libcrypto_nid = NID_secp384r1,
- .name = "secp384r1",
- .share_size = SECP384R1_SHARE_SIZE,
- .generate_key = s2n_ecc_evp_generate_key_nist_curves,
+const struct s2n_ecc_named_curve s2n_ecc_curve_secp384r1 = {
+ .iana_id = TLS_EC_CURVE_SECP_384_R1,
+ .libcrypto_nid = NID_secp384r1,
+ .name = "secp384r1",
+ .share_size = SECP384R1_SHARE_SIZE,
+ .generate_key = s2n_ecc_evp_generate_key_nist_curves,
};
-const struct s2n_ecc_named_curve s2n_ecc_curve_secp521r1 =
-{
- .iana_id = TLS_EC_CURVE_SECP_521_R1,
- .libcrypto_nid = NID_secp521r1,
- .name = "secp521r1",
- .share_size = SECP521R1_SHARE_SIZE,
- .generate_key = s2n_ecc_evp_generate_key_nist_curves,
+const struct s2n_ecc_named_curve s2n_ecc_curve_secp521r1 = {
+ .iana_id = TLS_EC_CURVE_SECP_521_R1,
+ .libcrypto_nid = NID_secp521r1,
+ .name = "secp521r1",
+ .share_size = SECP521R1_SHARE_SIZE,
+ .generate_key = s2n_ecc_evp_generate_key_nist_curves,
};
#if EVP_APIS_SUPPORTED
@@ -88,14 +85,15 @@ const struct s2n_ecc_named_curve s2n_ecc_curve_x25519 = {
.generate_key = s2n_ecc_evp_generate_key_x25519,
};
#else
-const struct s2n_ecc_named_curve s2n_ecc_curve_x25519 = {0};
+const struct s2n_ecc_named_curve s2n_ecc_curve_x25519 = { 0 };
#endif
/* A fake / unsupported curve for use in triggering retries
* during testing.
*/
const struct s2n_ecc_named_curve s2n_unsupported_curve = {
- .iana_id = 0, .name = "unsupported",
+ .iana_id = 0,
+ .name = "unsupported",
.libcrypto_nid = NID_X9_62_prime256v1,
.share_size = SECP256R1_SHARE_SIZE,
.generate_key = s2n_ecc_evp_generate_key_nist_curves,
@@ -115,17 +113,16 @@ const struct s2n_ecc_named_curve *const s2n_all_supported_curves_list[] = {
const size_t s2n_all_supported_curves_list_len = s2n_array_len(s2n_all_supported_curves_list);
-
int s2n_is_evp_apis_supported()
{
return EVP_APIS_SUPPORTED;
}
#if EVP_APIS_SUPPORTED
-static int s2n_ecc_evp_generate_key_x25519(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey) {
-
+static int s2n_ecc_evp_generate_key_x25519(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey)
+{
DEFER_CLEANUP(EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(named_curve->libcrypto_nid, NULL),
- EVP_PKEY_CTX_free_pointer);
+ EVP_PKEY_CTX_free_pointer);
S2N_ERROR_IF(pctx == NULL, S2N_ERR_ECDHE_GEN_KEY);
POSIX_GUARD_OSSL(EVP_PKEY_keygen_init(pctx), S2N_ERR_ECDHE_GEN_KEY);
@@ -136,8 +133,8 @@ static int s2n_ecc_evp_generate_key_x25519(const struct s2n_ecc_named_curve *nam
}
#endif
-static int s2n_ecc_evp_generate_key_nist_curves(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey) {
-
+static int s2n_ecc_evp_generate_key_nist_curves(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey)
+{
DEFER_CLEANUP(EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL), EVP_PKEY_CTX_free_pointer);
S2N_ERROR_IF(pctx == NULL, S2N_ERR_ECDHE_GEN_KEY);
@@ -158,14 +155,16 @@ static int s2n_ecc_evp_generate_key_nist_curves(const struct s2n_ecc_named_curve
return 0;
}
-static int s2n_ecc_evp_generate_own_key(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey) {
+static int s2n_ecc_evp_generate_own_key(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey)
+{
POSIX_ENSURE_REF(named_curve);
S2N_ERROR_IF(named_curve->generate_key == NULL, S2N_ERR_ECDHE_GEN_KEY);
return named_curve->generate_key(named_curve, evp_pkey);
}
-static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_public, uint16_t iana_id, struct s2n_blob *shared_secret) {
+static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_public, uint16_t iana_id, struct s2n_blob *shared_secret)
+{
POSIX_ENSURE_REF(peer_public);
POSIX_ENSURE_REF(own_key);
@@ -202,37 +201,40 @@ static int s2n_ecc_evp_compute_shared_secret(EVP_PKEY *own_key, EVP_PKEY *peer_p
return 0;
}
-int s2n_ecc_evp_generate_ephemeral_key(struct s2n_ecc_evp_params *ecc_evp_params) {
+int s2n_ecc_evp_generate_ephemeral_key(struct s2n_ecc_evp_params *ecc_evp_params)
+{
POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
S2N_ERROR_IF(ecc_evp_params->evp_pkey != NULL, S2N_ERR_ECDHE_GEN_KEY);
S2N_ERROR_IF(s2n_ecc_evp_generate_own_key(ecc_evp_params->negotiated_curve, &ecc_evp_params->evp_pkey) != 0,
- S2N_ERR_ECDHE_GEN_KEY);
+ S2N_ERR_ECDHE_GEN_KEY);
S2N_ERROR_IF(ecc_evp_params->evp_pkey == NULL, S2N_ERR_ECDHE_GEN_KEY);
return 0;
}
int s2n_ecc_evp_compute_shared_secret_from_params(struct s2n_ecc_evp_params *private_ecc_evp_params,
- struct s2n_ecc_evp_params *public_ecc_evp_params,
- struct s2n_blob *shared_key) {
+ struct s2n_ecc_evp_params *public_ecc_evp_params,
+ struct s2n_blob *shared_key)
+{
POSIX_ENSURE_REF(private_ecc_evp_params->negotiated_curve);
POSIX_ENSURE_REF(private_ecc_evp_params->evp_pkey);
POSIX_ENSURE_REF(public_ecc_evp_params->negotiated_curve);
POSIX_ENSURE_REF(public_ecc_evp_params->evp_pkey);
S2N_ERROR_IF(private_ecc_evp_params->negotiated_curve->iana_id != public_ecc_evp_params->negotiated_curve->iana_id,
- S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
+ S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
POSIX_GUARD(s2n_ecc_evp_compute_shared_secret(private_ecc_evp_params->evp_pkey, public_ecc_evp_params->evp_pkey,
- private_ecc_evp_params->negotiated_curve->iana_id, shared_key));
+ private_ecc_evp_params->negotiated_curve->iana_id, shared_key));
return 0;
}
int s2n_ecc_evp_compute_shared_secret_as_server(struct s2n_ecc_evp_params *ecc_evp_params,
- struct s2n_stuffer *Yc_in, struct s2n_blob *shared_key) {
+ struct s2n_stuffer *Yc_in, struct s2n_blob *shared_key)
+{
POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
POSIX_ENSURE_REF(ecc_evp_params->evp_pkey);
POSIX_ENSURE_REF(Yc_in);
uint8_t client_public_len;
- struct s2n_blob client_public_blob = {0};
+ struct s2n_blob client_public_blob = { 0 };
DEFER_CLEANUP(EVP_PKEY *peer_key = EVP_PKEY_new(), EVP_PKEY_free_pointer);
S2N_ERROR_IF(peer_key == NULL, S2N_ERR_BAD_MESSAGE);
@@ -252,10 +254,10 @@ int s2n_ecc_evp_compute_shared_secret_as_server(struct s2n_ecc_evp_params *ecc_e
POSIX_GUARD_OSSL(EVP_PKEY_paramgen(pctx, &peer_key), S2N_ERR_ECDHE_SERIALIZING);
}
POSIX_GUARD_OSSL(EVP_PKEY_set1_tls_encodedpoint(peer_key, client_public_blob.data, client_public_blob.size),
- S2N_ERR_ECDHE_SERIALIZING);
+ S2N_ERR_ECDHE_SERIALIZING);
#else
DEFER_CLEANUP(EC_KEY *ec_key = EC_KEY_new_by_curve_name(ecc_evp_params->negotiated_curve->libcrypto_nid),
- EC_KEY_free_pointer);
+ EC_KEY_free_pointer);
S2N_ERROR_IF(ec_key == NULL, S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
DEFER_CLEANUP(EC_POINT *point = s2n_ecc_evp_blob_to_point(&client_public_blob, ec_key), EC_POINT_free_pointer);
@@ -267,22 +269,21 @@ int s2n_ecc_evp_compute_shared_secret_as_server(struct s2n_ecc_evp_params *ecc_e
#endif
return s2n_ecc_evp_compute_shared_secret(ecc_evp_params->evp_pkey, peer_key,
- ecc_evp_params->negotiated_curve->iana_id, shared_key);
-
+ ecc_evp_params->negotiated_curve->iana_id, shared_key);
}
int s2n_ecc_evp_compute_shared_secret_as_client(struct s2n_ecc_evp_params *ecc_evp_params,
- struct s2n_stuffer *Yc_out, struct s2n_blob *shared_key) {
-
- DEFER_CLEANUP(struct s2n_ecc_evp_params client_params = {0}, s2n_ecc_evp_params_free);
+ struct s2n_stuffer *Yc_out, struct s2n_blob *shared_key)
+{
+ DEFER_CLEANUP(struct s2n_ecc_evp_params client_params = { 0 }, s2n_ecc_evp_params_free);
POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
client_params.negotiated_curve = ecc_evp_params->negotiated_curve;
POSIX_GUARD(s2n_ecc_evp_generate_own_key(client_params.negotiated_curve, &client_params.evp_pkey));
S2N_ERROR_IF(client_params.evp_pkey == NULL, S2N_ERR_ECDHE_GEN_KEY);
- if (s2n_ecc_evp_compute_shared_secret(client_params.evp_pkey, ecc_evp_params->evp_pkey,
- ecc_evp_params->negotiated_curve->iana_id, shared_key) != S2N_SUCCESS) {
+ if (s2n_ecc_evp_compute_shared_secret(client_params.evp_pkey, ecc_evp_params->evp_pkey, ecc_evp_params->negotiated_curve->iana_id, shared_key)
+ != S2N_SUCCESS) {
POSIX_BAIL(S2N_ERR_ECDHE_SHARED_SECRET);
}
@@ -292,25 +293,27 @@ int s2n_ecc_evp_compute_shared_secret_as_client(struct s2n_ecc_evp_params *ecc_e
POSIX_BAIL(S2N_ERR_ECDHE_SERIALIZING);
}
return 0;
-
}
#if (!EVP_APIS_SUPPORTED)
-static int s2n_ecc_evp_calculate_point_length(const EC_POINT *point, const EC_GROUP *group, uint8_t *length) {
+static int s2n_ecc_evp_calculate_point_length(const EC_POINT *point, const EC_GROUP *group, uint8_t *length)
+{
size_t ret = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL);
S2N_ERROR_IF(ret == 0, S2N_ERR_ECDHE_SERIALIZING);
S2N_ERROR_IF(ret > UINT8_MAX, S2N_ERR_ECDHE_SERIALIZING);
- *length = (uint8_t)ret;
+ *length = (uint8_t) ret;
return 0;
}
-static int s2n_ecc_evp_write_point_data_snug(const EC_POINT *point, const EC_GROUP *group, struct s2n_blob *out) {
+static int s2n_ecc_evp_write_point_data_snug(const EC_POINT *point, const EC_GROUP *group, struct s2n_blob *out)
+{
size_t ret = EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, out->data, out->size, NULL);
S2N_ERROR_IF(ret != out->size, S2N_ERR_ECDHE_SERIALIZING);
return 0;
}
-static EC_POINT *s2n_ecc_evp_blob_to_point(struct s2n_blob *blob, const EC_KEY *ec_key) {
+static EC_POINT *s2n_ecc_evp_blob_to_point(struct s2n_blob *blob, const EC_KEY *ec_key)
+{
const EC_GROUP *group = EC_KEY_get0_group(ec_key);
EC_POINT *point = EC_POINT_new(group);
if (point == NULL) {
@@ -324,7 +327,8 @@ static EC_POINT *s2n_ecc_evp_blob_to_point(struct s2n_blob *blob, const EC_KEY *
}
#endif
-int s2n_ecc_evp_read_params_point(struct s2n_stuffer *in, int point_size, struct s2n_blob *point_blob) {
+int s2n_ecc_evp_read_params_point(struct s2n_stuffer *in, int point_size, struct s2n_blob *point_blob)
+{
POSIX_ENSURE_REF(in);
POSIX_ENSURE_REF(point_blob);
POSIX_ENSURE_GTE(point_size, 0);
@@ -338,7 +342,8 @@ int s2n_ecc_evp_read_params_point(struct s2n_stuffer *in, int point_size, struct
}
int s2n_ecc_evp_read_params(struct s2n_stuffer *in, struct s2n_blob *data_to_verify,
- struct s2n_ecdhe_raw_server_params *raw_server_ecc_params) {
+ struct s2n_ecdhe_raw_server_params *raw_server_ecc_params)
+{
POSIX_ENSURE_REF(in);
uint8_t curve_type;
uint8_t point_length;
@@ -350,7 +355,7 @@ int s2n_ecc_evp_read_params(struct s2n_stuffer *in, struct s2n_blob *data_to_ver
/* Read the curve */
POSIX_GUARD(s2n_stuffer_read_uint8(in, &curve_type));
S2N_ERROR_IF(curve_type != TLS_EC_CURVE_TYPE_NAMED, S2N_ERR_BAD_MESSAGE);
- raw_server_ecc_params->curve_blob.data = s2n_stuffer_raw_read(in, 2);
+ raw_server_ecc_params->curve_blob.data = s2n_stuffer_raw_read(in, 2);
POSIX_ENSURE_REF(raw_server_ecc_params->curve_blob.data);
raw_server_ecc_params->curve_blob.size = 2;
@@ -365,22 +370,22 @@ int s2n_ecc_evp_read_params(struct s2n_stuffer *in, struct s2n_blob *data_to_ver
return 0;
}
-int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, struct s2n_stuffer *out) {
+int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, struct s2n_stuffer *out)
+{
POSIX_ENSURE_REF(ecc_evp_params);
POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
POSIX_ENSURE_REF(ecc_evp_params->evp_pkey);
POSIX_ENSURE_REF(out);
#if EVP_APIS_SUPPORTED
- struct s2n_blob point_blob = {0};
+ struct s2n_blob point_blob = { 0 };
uint8_t *encoded_point = NULL;
size_t size = EVP_PKEY_get1_tls_encodedpoint(ecc_evp_params->evp_pkey, &encoded_point);
if (size != ecc_evp_params->negotiated_curve->share_size) {
OPENSSL_free(encoded_point);
POSIX_BAIL(S2N_ERR_ECDHE_SERIALIZING);
- }
- else {
+ } else {
point_blob.data = s2n_stuffer_raw_write(out, ecc_evp_params->negotiated_curve->share_size);
POSIX_ENSURE_REF(point_blob.data);
POSIX_CHECKED_MEMCPY(point_blob.data, encoded_point, size);
@@ -388,7 +393,7 @@ int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, st
}
#else
uint8_t point_len;
- struct s2n_blob point_blob = {0};
+ struct s2n_blob point_blob = { 0 };
DEFER_CLEANUP(EC_KEY *ec_key = EVP_PKEY_get1_EC_KEY(ecc_evp_params->evp_pkey), EC_KEY_free_pointer);
S2N_ERROR_IF(ec_key == NULL, S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
@@ -408,7 +413,8 @@ int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, st
}
int s2n_ecc_evp_write_params(struct s2n_ecc_evp_params *ecc_evp_params, struct s2n_stuffer *out,
- struct s2n_blob *written) {
+ struct s2n_blob *written)
+{
POSIX_ENSURE_REF(ecc_evp_params);
POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
POSIX_ENSURE_REF(ecc_evp_params->evp_pkey);
@@ -432,7 +438,8 @@ int s2n_ecc_evp_write_params(struct s2n_ecc_evp_params *ecc_evp_params, struct s
return written->size;
}
-int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_evp_params *ecc_evp_params) {
+int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_evp_params *ecc_evp_params)
+{
POSIX_ENSURE_REF(point_blob->data);
POSIX_ENSURE_REF(ecc_evp_params->negotiated_curve);
S2N_ERROR_IF(point_blob->size != ecc_evp_params->negotiated_curve->share_size, S2N_ERR_ECDHE_SERIALIZING);
@@ -444,8 +451,7 @@ int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_e
}
S2N_ERROR_IF(ecc_evp_params->evp_pkey == NULL, S2N_ERR_BAD_MESSAGE);
POSIX_GUARD(EVP_PKEY_set_type(ecc_evp_params->evp_pkey, ecc_evp_params->negotiated_curve->libcrypto_nid));
- }
- else {
+ } else {
DEFER_CLEANUP(EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL), EVP_PKEY_CTX_free_pointer);
S2N_ERROR_IF(pctx == NULL, S2N_ERR_ECDHE_SERIALIZING);
POSIX_GUARD_OSSL(EVP_PKEY_paramgen_init(pctx), S2N_ERR_ECDHE_SERIALIZING);
@@ -453,7 +459,7 @@ int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_e
POSIX_GUARD_OSSL(EVP_PKEY_paramgen(pctx, &ecc_evp_params->evp_pkey), S2N_ERR_ECDHE_SERIALIZING);
}
POSIX_GUARD_OSSL(EVP_PKEY_set1_tls_encodedpoint(ecc_evp_params->evp_pkey, point_blob->data, point_blob->size),
- S2N_ERR_ECDHE_SERIALIZING);
+ S2N_ERR_ECDHE_SERIALIZING);
#else
if (ecc_evp_params->evp_pkey == NULL) {
ecc_evp_params->evp_pkey = EVP_PKEY_new();
@@ -461,7 +467,7 @@ int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_e
S2N_ERROR_IF(ecc_evp_params->evp_pkey == NULL, S2N_ERR_BAD_MESSAGE);
/* Create a key to store the point */
DEFER_CLEANUP(EC_KEY *ec_key = EC_KEY_new_by_curve_name(ecc_evp_params->negotiated_curve->libcrypto_nid),
- EC_KEY_free_pointer);
+ EC_KEY_free_pointer);
S2N_ERROR_IF(ec_key == NULL, S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
/* Parse and store the server public point */
@@ -471,7 +477,7 @@ int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_e
/* Set the point as the public key */
int success = EC_KEY_set_public_key(ec_key, point);
- POSIX_GUARD_OSSL(EVP_PKEY_set1_EC_KEY(ecc_evp_params->evp_pkey,ec_key), S2N_ERR_ECDHE_SERIALIZING);
+ POSIX_GUARD_OSSL(EVP_PKEY_set1_EC_KEY(ecc_evp_params->evp_pkey, ec_key), S2N_ERR_ECDHE_SERIALIZING);
/* EC_KEY_set_public_key returns 1 on success, 0 on failure */
S2N_ERROR_IF(success == 0, S2N_ERR_BAD_MESSAGE);
@@ -480,21 +486,21 @@ int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_e
return 0;
}
-int s2n_ecc_evp_parse_params(struct s2n_connection* conn,
- struct s2n_ecdhe_raw_server_params* raw_server_ecc_params,
- struct s2n_ecc_evp_params* ecc_evp_params) {
- POSIX_ENSURE(
- s2n_ecc_evp_find_supported_curve(conn, &raw_server_ecc_params->curve_blob, &ecc_evp_params->negotiated_curve) == 0,
+int s2n_ecc_evp_parse_params(struct s2n_connection *conn, struct s2n_ecdhe_raw_server_params *raw_server_ecc_params,
+ struct s2n_ecc_evp_params *ecc_evp_params)
+{
+ POSIX_ENSURE(s2n_ecc_evp_find_supported_curve(conn, &raw_server_ecc_params->curve_blob, &ecc_evp_params->negotiated_curve) == 0,
S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
return s2n_ecc_evp_parse_params_point(&raw_server_ecc_params->point_blob, ecc_evp_params);
}
-int s2n_ecc_evp_find_supported_curve(struct s2n_connection* conn, struct s2n_blob *iana_ids, const struct s2n_ecc_named_curve **found) {
- const struct s2n_ecc_preferences* ecc_prefs = NULL;
+int s2n_ecc_evp_find_supported_curve(struct s2n_connection *conn, struct s2n_blob *iana_ids, const struct s2n_ecc_named_curve **found)
+{
+ const struct s2n_ecc_preferences *ecc_prefs = NULL;
POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_prefs));
POSIX_ENSURE_REF(ecc_prefs);
- struct s2n_stuffer iana_ids_in = {0};
+ struct s2n_stuffer iana_ids_in = { 0 };
POSIX_GUARD(s2n_stuffer_init(&iana_ids_in, iana_ids));
POSIX_GUARD(s2n_stuffer_write(&iana_ids_in, iana_ids));
@@ -514,7 +520,8 @@ int s2n_ecc_evp_find_supported_curve(struct s2n_connection* conn, struct s2n_blo
POSIX_BAIL(S2N_ERR_ECDHE_UNSUPPORTED_CURVE);
}
-int s2n_ecc_evp_params_free(struct s2n_ecc_evp_params *ecc_evp_params) {
+int s2n_ecc_evp_params_free(struct s2n_ecc_evp_params *ecc_evp_params)
+{
if (ecc_evp_params->evp_pkey != NULL) {
EVP_PKEY_free(ecc_evp_params->evp_pkey);
ecc_evp_params->evp_pkey = NULL;
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.h b/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.h
index 1d09e2c89d..cd76417770 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_ecc_evp.h
@@ -18,17 +18,17 @@
#include <openssl/evp.h>
#include "crypto/s2n_hash.h"
-#include "tls/s2n_kex_data.h"
#include "stuffer/s2n_stuffer.h"
+#include "tls/s2n_kex_data.h"
#include "tls/s2n_tls_parameters.h"
#include "utils/s2n_safety.h"
/* Share sizes are described here: https://tools.ietf.org/html/rfc8446#section-4.2.8.2
* and include the extra "legacy_form" byte */
-#define SECP256R1_SHARE_SIZE ((32 * 2 ) + 1)
-#define SECP384R1_SHARE_SIZE ((48 * 2 ) + 1)
-#define SECP521R1_SHARE_SIZE ((66 * 2 ) + 1)
-#define X25519_SHARE_SIZE (32)
+#define SECP256R1_SHARE_SIZE ((32 * 2) + 1)
+#define SECP384R1_SHARE_SIZE ((48 * 2) + 1)
+#define SECP521R1_SHARE_SIZE ((66 * 2) + 1)
+#define X25519_SHARE_SIZE (32)
struct s2n_ecc_named_curve {
/* See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 */
@@ -37,7 +37,7 @@ struct s2n_ecc_named_curve {
int libcrypto_nid;
const char *name;
const uint8_t share_size;
- int (*generate_key) (const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey);
+ int (*generate_key)(const struct s2n_ecc_named_curve *named_curve, EVP_PKEY **evp_pkey);
};
extern const struct s2n_ecc_named_curve s2n_ecc_curve_secp256r1;
@@ -49,10 +49,10 @@ extern const struct s2n_ecc_named_curve s2n_ecc_curve_x25519;
* the future. See https://github.com/google/boringssl/blob/master/crypto/evp/p_x25519_asn1.c#L233
*/
#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
- #define EVP_APIS_SUPPORTED 1
+ #define EVP_APIS_SUPPORTED 1
#define S2N_ECC_EVP_SUPPORTED_CURVES_COUNT 4
#else
- #define EVP_APIS_SUPPORTED 0
+ #define EVP_APIS_SUPPORTED 0
#define S2N_ECC_EVP_SUPPORTED_CURVES_COUNT 3
#endif
@@ -66,22 +66,22 @@ struct s2n_ecc_evp_params {
int s2n_ecc_evp_generate_ephemeral_key(struct s2n_ecc_evp_params *ecc_evp_params);
int s2n_ecc_evp_compute_shared_secret_from_params(struct s2n_ecc_evp_params *private_ecc_evp_params,
- struct s2n_ecc_evp_params *public_ecc_evp_params,
- struct s2n_blob *shared_key);
+ struct s2n_ecc_evp_params *public_ecc_evp_params,
+ struct s2n_blob *shared_key);
int s2n_ecc_evp_write_params_point(struct s2n_ecc_evp_params *ecc_evp_params, struct s2n_stuffer *out);
int s2n_ecc_evp_read_params_point(struct s2n_stuffer *in, int point_size, struct s2n_blob *point_blob);
int s2n_ecc_evp_compute_shared_secret_as_server(struct s2n_ecc_evp_params *server_ecc_evp_params,
- struct s2n_stuffer *Yc_in, struct s2n_blob *shared_key);
-int s2n_ecc_evp_compute_shared_secret_as_client(struct s2n_ecc_evp_params *server_ecc_evp_params,
- struct s2n_stuffer *Yc_out, struct s2n_blob *shared_key);
+ struct s2n_stuffer *Yc_in, struct s2n_blob *shared_key);
+int s2n_ecc_evp_compute_shared_secret_as_client(struct s2n_ecc_evp_params *server_ecc_evp_params,
+ struct s2n_stuffer *Yc_out, struct s2n_blob *shared_key);
int s2n_ecc_evp_parse_params_point(struct s2n_blob *point_blob, struct s2n_ecc_evp_params *ecc_evp_params);
int s2n_ecc_evp_write_params(struct s2n_ecc_evp_params *ecc_evp_params, struct s2n_stuffer *out,
- struct s2n_blob *written);
+ struct s2n_blob *written);
int s2n_ecc_evp_read_params(struct s2n_stuffer *in, struct s2n_blob *data_to_verify,
- struct s2n_ecdhe_raw_server_params *raw_server_ecc_params);
+ struct s2n_ecdhe_raw_server_params *raw_server_ecc_params);
int s2n_ecc_evp_parse_params(struct s2n_connection *conn,
- struct s2n_ecdhe_raw_server_params *raw_server_ecc_params,
- struct s2n_ecc_evp_params* ecc_evp_params);
-int s2n_ecc_evp_find_supported_curve(struct s2n_connection* conn, struct s2n_blob *iana_ids, const struct s2n_ecc_named_curve **found);
+ struct s2n_ecdhe_raw_server_params *raw_server_ecc_params,
+ struct s2n_ecc_evp_params *ecc_evp_params);
+int s2n_ecc_evp_find_supported_curve(struct s2n_connection *conn, struct s2n_blob *iana_ids, const struct s2n_ecc_named_curve **found);
int s2n_ecc_evp_params_free(struct s2n_ecc_evp_params *ecc_evp_params);
int s2n_is_evp_apis_supported();
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.c b/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.c
index d775e5b7b9..e4da43f7f0 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.c
@@ -13,42 +13,41 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_ecdsa.h"
+
#include <openssl/ec.h>
#include <openssl/ecdsa.h>
#include <openssl/x509.h>
+#include "crypto/s2n_ecc_evp.h"
+#include "crypto/s2n_evp_signing.h"
+#include "crypto/s2n_hash.h"
+#include "crypto/s2n_openssl.h"
+#include "crypto/s2n_pkey.h"
#include "error/s2n_errno.h"
#include "stuffer/s2n_stuffer.h"
-
-#include "utils/s2n_safety_macros.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_compiler.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_random.h"
#include "utils/s2n_result.h"
#include "utils/s2n_safety.h"
-
-#include "crypto/s2n_ecdsa.h"
-#include "crypto/s2n_ecc_evp.h"
-#include "crypto/s2n_evp_signing.h"
-#include "crypto/s2n_hash.h"
-#include "crypto/s2n_openssl.h"
-#include "crypto/s2n_pkey.h"
-
+#include "utils/s2n_safety_macros.h"
#define S2N_ECDSA_TYPE 0
-EC_KEY *s2n_unsafe_ecdsa_get_non_const(const struct s2n_ecdsa_key *ecdsa_key) {
+EC_KEY *s2n_unsafe_ecdsa_get_non_const(const struct s2n_ecdsa_key *ecdsa_key)
+{
PTR_ENSURE_REF(ecdsa_key);
/* pragma gcc diagnostic was added in gcc 4.6 */
-#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4,6,0)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wcast-qual"
+#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4, 6, 0)
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wcast-qual"
#endif
EC_KEY *out_ec_key = (EC_KEY *) ecdsa_key->ec_key;
-#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4,6,0)
-#pragma GCC diagnostic pop
+#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4, 6, 0)
+ #pragma GCC diagnostic pop
#endif
return out_ec_key;
@@ -82,7 +81,8 @@ int s2n_ecdsa_sign_digest(const struct s2n_pkey *priv, struct s2n_blob *digest,
/* Safety: ECDSA_sign does not mutate the key */
POSIX_GUARD_OSSL(ECDSA_sign(S2N_ECDSA_TYPE, digest->data, digest->size, signature->data, &signature_size,
- s2n_unsafe_ecdsa_get_non_const(key)), S2N_ERR_SIGN);
+ s2n_unsafe_ecdsa_get_non_const(key)),
+ S2N_ERR_SIGN);
POSIX_ENSURE(signature_size <= signature->size, S2N_ERR_SIZE_MISMATCH);
signature->size = signature_size;
@@ -129,7 +129,8 @@ static int s2n_ecdsa_verify(const struct s2n_pkey *pub, s2n_signature_algorithm
/* Safety: ECDSA_verify does not mutate the key */
/* ECDSA_verify ignores the first parameter */
POSIX_GUARD_OSSL(ECDSA_verify(0, digest_out, digest_length, signature->data, signature->size,
- s2n_unsafe_ecdsa_get_non_const(key)), S2N_ERR_VERIFY_SIGNATURE);
+ s2n_unsafe_ecdsa_get_non_const(key)),
+ S2N_ERR_VERIFY_SIGNATURE);
POSIX_GUARD(s2n_hash_reset(digest));
@@ -202,7 +203,8 @@ int s2n_evp_pkey_to_ecdsa_public_key(s2n_ecdsa_public_key *ecdsa_key, EVP_PKEY *
return 0;
}
-int s2n_ecdsa_pkey_init(struct s2n_pkey *pkey) {
+int s2n_ecdsa_pkey_init(struct s2n_pkey *pkey)
+{
pkey->size = &s2n_ecdsa_der_signature_size;
pkey->sign = &s2n_ecdsa_sign;
pkey->verify = &s2n_ecdsa_verify;
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.h b/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.h
index f6670a7b04..e5fe8efe31 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_ecdsa.h
@@ -17,13 +17,11 @@
#include <openssl/ecdsa.h>
#include <stdint.h>
-#include "api/s2n.h"
-
-#include "stuffer/s2n_stuffer.h"
+#include "api/s2n.h"
#include "crypto/s2n_ecc_evp.h"
#include "crypto/s2n_hash.h"
-
+#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_blob.h"
/* Forward declaration to avoid the circular dependency with s2n_pkey.h */
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_evp.c b/contrib/restricted/aws/s2n/crypto/s2n_evp.c
index 81fecdce5b..8ae88205e7 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_evp.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_evp.c
@@ -14,6 +14,7 @@
*/
#include "crypto/s2n_evp.h"
+
#include "crypto/s2n_fips.h"
#include "error/s2n_errno.h"
#include "utils/s2n_safety.h"
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_evp.h b/contrib/restricted/aws/s2n/crypto/s2n_evp.h
index 6c443efba7..e28c40b861 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_evp.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_evp.h
@@ -35,14 +35,14 @@ struct s2n_evp_hmac_state {
};
/* Define API's that change based on the OpenSSL Major Version. */
-#if S2N_OPENSSL_VERSION_AT_LEAST(1,1,0) && !defined(LIBRESSL_VERSION_NUMBER)
-#define S2N_EVP_MD_CTX_NEW() (EVP_MD_CTX_new())
-#define S2N_EVP_MD_CTX_RESET(md_ctx) (EVP_MD_CTX_reset(md_ctx))
-#define S2N_EVP_MD_CTX_FREE(md_ctx) (EVP_MD_CTX_free(md_ctx))
+#if S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0) && !defined(LIBRESSL_VERSION_NUMBER)
+ #define S2N_EVP_MD_CTX_NEW() (EVP_MD_CTX_new())
+ #define S2N_EVP_MD_CTX_RESET(md_ctx) (EVP_MD_CTX_reset(md_ctx))
+ #define S2N_EVP_MD_CTX_FREE(md_ctx) (EVP_MD_CTX_free(md_ctx))
#else
-#define S2N_EVP_MD_CTX_NEW() (EVP_MD_CTX_create())
-#define S2N_EVP_MD_CTX_RESET(md_ctx) (EVP_MD_CTX_cleanup(md_ctx))
-#define S2N_EVP_MD_CTX_FREE(md_ctx) (EVP_MD_CTX_destroy(md_ctx))
+ #define S2N_EVP_MD_CTX_NEW() (EVP_MD_CTX_create())
+ #define S2N_EVP_MD_CTX_RESET(md_ctx) (EVP_MD_CTX_cleanup(md_ctx))
+ #define S2N_EVP_MD_CTX_FREE(md_ctx) (EVP_MD_CTX_destroy(md_ctx))
#endif
/* On some versions of OpenSSL, "EVP_PKEY_CTX_set_signature_md()" is just a macro that casts digest_alg to "void*",
@@ -50,7 +50,7 @@ struct s2n_evp_hmac_state {
* issue by turning off this compiler check for this one function with a cast through.
*/
#define S2N_EVP_PKEY_CTX_set_signature_md(ctx, md) \
- EVP_PKEY_CTX_set_signature_md(ctx, (EVP_MD*) (uintptr_t) md)
+ EVP_PKEY_CTX_set_signature_md(ctx, (EVP_MD *) (uintptr_t) md)
extern int s2n_digest_allow_md5_for_fips(struct s2n_evp_digest *evp_digest);
extern S2N_RESULT s2n_digest_is_md5_allowed_for_fips(struct s2n_evp_digest *evp_digest, bool *out);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.c b/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.c
index 22aeb1b93b..886c3b1fa3 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.c
@@ -13,13 +13,12 @@
* permissions and limitations under the License.
*/
-#include "error/s2n_errno.h"
+#include "crypto/s2n_evp_signing.h"
#include "crypto/s2n_evp.h"
-#include "crypto/s2n_evp_signing.h"
#include "crypto/s2n_pkey.h"
#include "crypto/s2n_rsa_pss.h"
-
+#include "error/s2n_errno.h"
#include "utils/s2n_safety.h"
DEFINE_POINTER_CLEANUP_FUNC(EVP_PKEY_CTX *, EVP_PKEY_CTX_free);
@@ -77,7 +76,7 @@ S2N_RESULT s2n_evp_signing_set_pkey_overrides(struct s2n_pkey *pkey)
static S2N_RESULT s2n_evp_signing_validate_hash_alg(s2n_signature_algorithm sig_alg, s2n_hash_algorithm hash_alg)
{
- switch(hash_alg) {
+ switch (hash_alg) {
case S2N_HASH_NONE:
case S2N_HASH_MD5:
/* MD5 alone is never supported */
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.h b/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.h
index 872f63b682..720ce1b9f0 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_evp_signing.h
@@ -16,7 +16,6 @@
#pragma once
#include "api/s2n.h"
-
#include "crypto/s2n_hash.h"
#include "crypto/s2n_signature.h"
#include "utils/s2n_blob.h"
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_fips.c b/contrib/restricted/aws/s2n/crypto/s2n_fips.c
index 2eff17a45c..29229dd607 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_fips.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_fips.c
@@ -13,12 +13,12 @@
* permissions and limitations under the License.
*/
-#include <openssl/crypto.h>
-
#include "crypto/s2n_fips.h"
+#include <openssl/crypto.h>
+
#if defined(S2N_INTERN_LIBCRYPTO) && defined(OPENSSL_FIPS)
-#error "Interning with OpenSSL fips-validated libcrypto is not currently supported. See https://github.com/aws/s2n-tls/issues/2741"
+ #error "Interning with OpenSSL fips-validated libcrypto is not currently supported. See https://github.com/aws/s2n-tls/issues/2741"
#endif
static int s2n_fips_mode = 0;
@@ -34,7 +34,8 @@ static int s2n_fips_mode = 0;
* Note: FIPS_mode() does not change the FIPS state of libcrypto. This only returns the current state. Applications
* using s2n must call FIPS_mode_set(1) prior to s2n_init.
* */
-bool s2n_libcrypto_is_fips(void) {
+bool s2n_libcrypto_is_fips(void)
+{
#if defined(OPENSSL_FIPS) || defined(OPENSSL_IS_AWSLC)
if (FIPS_mode() == 1) {
return true;
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hash.c b/contrib/restricted/aws/s2n/crypto/s2n_hash.c
index 96dae1424c..f1401357ac 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hash.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hash.c
@@ -13,13 +13,12 @@
* permissions and limitations under the License.
*/
-#include "error/s2n_errno.h"
-
#include "crypto/s2n_hash.h"
+
+#include "crypto/s2n_fips.h"
#include "crypto/s2n_hmac.h"
#include "crypto/s2n_openssl.h"
-#include "crypto/s2n_fips.h"
-
+#include "error/s2n_errno.h"
#include "utils/s2n_safety.h"
static bool s2n_use_custom_md5_sha1()
@@ -41,7 +40,7 @@ bool s2n_hash_evp_fully_supported()
return s2n_use_evp_impl() && !s2n_use_custom_md5_sha1();
}
-const EVP_MD* s2n_hash_alg_to_evp_md(s2n_hash_algorithm alg)
+const EVP_MD *s2n_hash_alg_to_evp_md(s2n_hash_algorithm alg)
{
switch (alg) {
case S2N_HASH_MD5:
@@ -68,18 +67,20 @@ const EVP_MD* s2n_hash_alg_to_evp_md(s2n_hash_algorithm alg)
int s2n_hash_digest_size(s2n_hash_algorithm alg, uint8_t *out)
{
POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(out, sizeof(*out)), S2N_ERR_PRECONDITION_VIOLATION);
+ /* clang-format off */
switch (alg) {
- case S2N_HASH_NONE: *out = 0; break;
- case S2N_HASH_MD5: *out = MD5_DIGEST_LENGTH; break;
- case S2N_HASH_SHA1: *out = SHA_DIGEST_LENGTH; break;
- case S2N_HASH_SHA224: *out = SHA224_DIGEST_LENGTH; break;
- case S2N_HASH_SHA256: *out = SHA256_DIGEST_LENGTH; break;
- case S2N_HASH_SHA384: *out = SHA384_DIGEST_LENGTH; break;
- case S2N_HASH_SHA512: *out = SHA512_DIGEST_LENGTH; break;
- case S2N_HASH_MD5_SHA1: *out = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH; break;
- default:
- POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
+ case S2N_HASH_NONE: *out = 0; break;
+ case S2N_HASH_MD5: *out = MD5_DIGEST_LENGTH; break;
+ case S2N_HASH_SHA1: *out = SHA_DIGEST_LENGTH; break;
+ case S2N_HASH_SHA224: *out = SHA224_DIGEST_LENGTH; break;
+ case S2N_HASH_SHA256: *out = SHA256_DIGEST_LENGTH; break;
+ case S2N_HASH_SHA384: *out = SHA384_DIGEST_LENGTH; break;
+ case S2N_HASH_SHA512: *out = SHA512_DIGEST_LENGTH; break;
+ case S2N_HASH_MD5_SHA1: *out = MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH; break;
+ default:
+ POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
+ /* clang-format on */
return S2N_SUCCESS;
}
@@ -89,18 +90,20 @@ int s2n_hash_digest_size(s2n_hash_algorithm alg, uint8_t *out)
int s2n_hash_block_size(s2n_hash_algorithm alg, uint64_t *block_size)
{
POSIX_ENSURE(S2N_MEM_IS_WRITABLE_CHECK(block_size, sizeof(*block_size)), S2N_ERR_PRECONDITION_VIOLATION);
- switch(alg) {
- case S2N_HASH_NONE: *block_size = 64; break;
- case S2N_HASH_MD5: *block_size = 64; break;
- case S2N_HASH_SHA1: *block_size = 64; break;
- case S2N_HASH_SHA224: *block_size = 64; break;
- case S2N_HASH_SHA256: *block_size = 64; break;
- case S2N_HASH_SHA384: *block_size = 128; break;
- case S2N_HASH_SHA512: *block_size = 128; break;
- case S2N_HASH_MD5_SHA1: *block_size = 64; break;
- default:
- POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
+ /* clang-format off */
+ switch (alg) {
+ case S2N_HASH_NONE: *block_size = 64; break;
+ case S2N_HASH_MD5: *block_size = 64; break;
+ case S2N_HASH_SHA1: *block_size = 64; break;
+ case S2N_HASH_SHA224: *block_size = 64; break;
+ case S2N_HASH_SHA256: *block_size = 64; break;
+ case S2N_HASH_SHA384: *block_size = 128; break;
+ case S2N_HASH_SHA512: *block_size = 128; break;
+ case S2N_HASH_MD5_SHA1: *block_size = 64; break;
+ default:
+ POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
+ /* clang-format on */
return S2N_SUCCESS;
}
@@ -108,19 +111,19 @@ int s2n_hash_block_size(s2n_hash_algorithm alg, uint64_t *block_size)
bool s2n_hash_is_available(s2n_hash_algorithm alg)
{
switch (alg) {
- case S2N_HASH_MD5:
- case S2N_HASH_MD5_SHA1:
- /* return false if in FIPS mode, as MD5 algs are not available in FIPS mode. */
- return !s2n_is_in_fips_mode();
- case S2N_HASH_NONE:
- case S2N_HASH_SHA1:
- case S2N_HASH_SHA224:
- case S2N_HASH_SHA256:
- case S2N_HASH_SHA384:
- case S2N_HASH_SHA512:
- return true;
- case S2N_HASH_SENTINEL:
- return false;
+ case S2N_HASH_MD5:
+ case S2N_HASH_MD5_SHA1:
+ /* return false if in FIPS mode, as MD5 algs are not available in FIPS mode. */
+ return !s2n_is_in_fips_mode();
+ case S2N_HASH_NONE:
+ case S2N_HASH_SHA1:
+ case S2N_HASH_SHA224:
+ case S2N_HASH_SHA256:
+ case S2N_HASH_SHA384:
+ case S2N_HASH_SHA512:
+ return true;
+ case S2N_HASH_SENTINEL:
+ return false;
}
return false;
}
@@ -137,40 +140,40 @@ static int s2n_low_level_hash_new(struct s2n_hash_state *state)
* being used. For the s2n_low_level_hash implementation, new is a no-op.
*/
- *state = (struct s2n_hash_state) { 0 };
+ *state = (struct s2n_hash_state){ 0 };
return S2N_SUCCESS;
}
static int s2n_low_level_hash_init(struct s2n_hash_state *state, s2n_hash_algorithm alg)
{
switch (alg) {
- case S2N_HASH_NONE:
- break;
- case S2N_HASH_MD5:
- POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5), S2N_ERR_HASH_INIT_FAILED);
- break;
- case S2N_HASH_SHA1:
- POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.sha1), S2N_ERR_HASH_INIT_FAILED);
- break;
- case S2N_HASH_SHA224:
- POSIX_GUARD_OSSL(SHA224_Init(&state->digest.low_level.sha224), S2N_ERR_HASH_INIT_FAILED);
- break;
- case S2N_HASH_SHA256:
- POSIX_GUARD_OSSL(SHA256_Init(&state->digest.low_level.sha256), S2N_ERR_HASH_INIT_FAILED);
- break;
- case S2N_HASH_SHA384:
- POSIX_GUARD_OSSL(SHA384_Init(&state->digest.low_level.sha384), S2N_ERR_HASH_INIT_FAILED);
- break;
- case S2N_HASH_SHA512:
- POSIX_GUARD_OSSL(SHA512_Init(&state->digest.low_level.sha512), S2N_ERR_HASH_INIT_FAILED);
- break;
- case S2N_HASH_MD5_SHA1:
- POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_INIT_FAILED);
- POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_INIT_FAILED);
- break;
-
- default:
- POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
+ case S2N_HASH_NONE:
+ break;
+ case S2N_HASH_MD5:
+ POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5), S2N_ERR_HASH_INIT_FAILED);
+ break;
+ case S2N_HASH_SHA1:
+ POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.sha1), S2N_ERR_HASH_INIT_FAILED);
+ break;
+ case S2N_HASH_SHA224:
+ POSIX_GUARD_OSSL(SHA224_Init(&state->digest.low_level.sha224), S2N_ERR_HASH_INIT_FAILED);
+ break;
+ case S2N_HASH_SHA256:
+ POSIX_GUARD_OSSL(SHA256_Init(&state->digest.low_level.sha256), S2N_ERR_HASH_INIT_FAILED);
+ break;
+ case S2N_HASH_SHA384:
+ POSIX_GUARD_OSSL(SHA384_Init(&state->digest.low_level.sha384), S2N_ERR_HASH_INIT_FAILED);
+ break;
+ case S2N_HASH_SHA512:
+ POSIX_GUARD_OSSL(SHA512_Init(&state->digest.low_level.sha512), S2N_ERR_HASH_INIT_FAILED);
+ break;
+ case S2N_HASH_MD5_SHA1:
+ POSIX_GUARD_OSSL(SHA1_Init(&state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_INIT_FAILED);
+ POSIX_GUARD_OSSL(MD5_Init(&state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_INIT_FAILED);
+ break;
+
+ default:
+ POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
state->alg = alg;
@@ -185,32 +188,32 @@ static int s2n_low_level_hash_update(struct s2n_hash_state *state, const void *d
POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
switch (state->alg) {
- case S2N_HASH_NONE:
- break;
- case S2N_HASH_MD5:
- POSIX_GUARD_OSSL(MD5_Update(&state->digest.low_level.md5, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- case S2N_HASH_SHA1:
- POSIX_GUARD_OSSL(SHA1_Update(&state->digest.low_level.sha1, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- case S2N_HASH_SHA224:
- POSIX_GUARD_OSSL(SHA224_Update(&state->digest.low_level.sha224, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- case S2N_HASH_SHA256:
- POSIX_GUARD_OSSL(SHA256_Update(&state->digest.low_level.sha256, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- case S2N_HASH_SHA384:
- POSIX_GUARD_OSSL(SHA384_Update(&state->digest.low_level.sha384, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- case S2N_HASH_SHA512:
- POSIX_GUARD_OSSL(SHA512_Update(&state->digest.low_level.sha512, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- case S2N_HASH_MD5_SHA1:
- POSIX_GUARD_OSSL(SHA1_Update(&state->digest.low_level.md5_sha1.sha1, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- POSIX_GUARD_OSSL(MD5_Update(&state->digest.low_level.md5_sha1.md5, data, size), S2N_ERR_HASH_UPDATE_FAILED);
- break;
- default:
- POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
+ case S2N_HASH_NONE:
+ break;
+ case S2N_HASH_MD5:
+ POSIX_GUARD_OSSL(MD5_Update(&state->digest.low_level.md5, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ case S2N_HASH_SHA1:
+ POSIX_GUARD_OSSL(SHA1_Update(&state->digest.low_level.sha1, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ case S2N_HASH_SHA224:
+ POSIX_GUARD_OSSL(SHA224_Update(&state->digest.low_level.sha224, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ case S2N_HASH_SHA256:
+ POSIX_GUARD_OSSL(SHA256_Update(&state->digest.low_level.sha256, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ case S2N_HASH_SHA384:
+ POSIX_GUARD_OSSL(SHA384_Update(&state->digest.low_level.sha384, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ case S2N_HASH_SHA512:
+ POSIX_GUARD_OSSL(SHA512_Update(&state->digest.low_level.sha512, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ case S2N_HASH_MD5_SHA1:
+ POSIX_GUARD_OSSL(SHA1_Update(&state->digest.low_level.md5_sha1.sha1, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ POSIX_GUARD_OSSL(MD5_Update(&state->digest.low_level.md5_sha1.md5, data, size), S2N_ERR_HASH_UPDATE_FAILED);
+ break;
+ default:
+ POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
POSIX_ENSURE(size <= (UINT64_MAX - state->currently_in_hash), S2N_ERR_INTEGER_OVERFLOW);
@@ -224,39 +227,39 @@ static int s2n_low_level_hash_digest(struct s2n_hash_state *state, void *out, ui
POSIX_ENSURE(state->is_ready_for_input, S2N_ERR_HASH_NOT_READY);
switch (state->alg) {
- case S2N_HASH_NONE:
- break;
- case S2N_HASH_MD5:
- POSIX_ENSURE_EQ(size, MD5_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(MD5_Final(out, &state->digest.low_level.md5), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- case S2N_HASH_SHA1:
- POSIX_ENSURE_EQ(size, SHA_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(SHA1_Final(out, &state->digest.low_level.sha1), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- case S2N_HASH_SHA224:
- POSIX_ENSURE_EQ(size, SHA224_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(SHA224_Final(out, &state->digest.low_level.sha224), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- case S2N_HASH_SHA256:
- POSIX_ENSURE_EQ(size, SHA256_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(SHA256_Final(out, &state->digest.low_level.sha256), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- case S2N_HASH_SHA384:
- POSIX_ENSURE_EQ(size, SHA384_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(SHA384_Final(out, &state->digest.low_level.sha384), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- case S2N_HASH_SHA512:
- POSIX_ENSURE_EQ(size, SHA512_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(SHA512_Final(out, &state->digest.low_level.sha512), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- case S2N_HASH_MD5_SHA1:
- POSIX_ENSURE_EQ(size, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH);
- POSIX_GUARD_OSSL(SHA1_Final(((uint8_t *) out) + MD5_DIGEST_LENGTH, &state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_DIGEST_FAILED);
- POSIX_GUARD_OSSL(MD5_Final(out, &state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_DIGEST_FAILED);
- break;
- default:
- POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
+ case S2N_HASH_NONE:
+ break;
+ case S2N_HASH_MD5:
+ POSIX_ENSURE_EQ(size, MD5_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(MD5_Final(out, &state->digest.low_level.md5), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ case S2N_HASH_SHA1:
+ POSIX_ENSURE_EQ(size, SHA_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(SHA1_Final(out, &state->digest.low_level.sha1), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ case S2N_HASH_SHA224:
+ POSIX_ENSURE_EQ(size, SHA224_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(SHA224_Final(out, &state->digest.low_level.sha224), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ case S2N_HASH_SHA256:
+ POSIX_ENSURE_EQ(size, SHA256_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(SHA256_Final(out, &state->digest.low_level.sha256), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ case S2N_HASH_SHA384:
+ POSIX_ENSURE_EQ(size, SHA384_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(SHA384_Final(out, &state->digest.low_level.sha384), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ case S2N_HASH_SHA512:
+ POSIX_ENSURE_EQ(size, SHA512_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(SHA512_Final(out, &state->digest.low_level.sha512), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ case S2N_HASH_MD5_SHA1:
+ POSIX_ENSURE_EQ(size, MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH);
+ POSIX_GUARD_OSSL(SHA1_Final(((uint8_t *) out) + MD5_DIGEST_LENGTH, &state->digest.low_level.md5_sha1.sha1), S2N_ERR_HASH_DIGEST_FAILED);
+ POSIX_GUARD_OSSL(MD5_Final(out, &state->digest.low_level.md5_sha1.md5), S2N_ERR_HASH_DIGEST_FAILED);
+ break;
+ default:
+ POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
state->currently_in_hash = 0;
@@ -535,8 +538,7 @@ int s2n_hash_init(struct s2n_hash_state *state, s2n_hash_algorithm alg)
bool is_md5_allowed_for_fips = false;
POSIX_GUARD_RESULT(s2n_digest_is_md5_allowed_for_fips(&state->digest.high_level.evp, &is_md5_allowed_for_fips));
- if (s2n_hash_is_available(alg) ||
- ((alg == S2N_HASH_MD5 || alg == S2N_HASH_MD5_SHA1) && is_md5_allowed_for_fips)) {
+ if (s2n_hash_is_available(alg) || ((alg == S2N_HASH_MD5 || alg == S2N_HASH_MD5_SHA1) && is_md5_allowed_for_fips)) {
/* s2n will continue to initialize an "unavailable" hash when s2n is in FIPS mode and
* FIPS is forcing the hash to be made available.
*/
@@ -590,8 +592,7 @@ int s2n_hash_reset(struct s2n_hash_state *state)
int s2n_hash_free(struct s2n_hash_state *state)
{
- if (state == NULL)
- {
+ if (state == NULL) {
return S2N_SUCCESS;
}
/* Ensure that hash_impl is set, as it may have been reset for s2n_hash_state on s2n_connection_wipe.
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hash.h b/contrib/restricted/aws/s2n/crypto/s2n_hash.h
index 6ae9b13386..6746358c8c 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hash.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hash.h
@@ -15,18 +15,17 @@
#pragma once
-#include <stdint.h>
-#include <stdbool.h>
-
#include <openssl/md5.h>
#include <openssl/sha.h>
+#include <stdbool.h>
+#include <stdint.h>
#include "crypto/s2n_evp.h"
#define S2N_MAX_DIGEST_LEN SHA512_DIGEST_LENGTH
typedef enum {
- S2N_HASH_NONE=0,
+ S2N_HASH_NONE = 0,
S2N_HASH_MD5,
S2N_HASH_SHA1,
S2N_HASH_SHA224,
@@ -77,18 +76,18 @@ struct s2n_hash_state {
* either OpenSSL's low-level algorithm-specific API's or OpenSSL's EVP API's.
*/
struct s2n_hash {
- int (*alloc) (struct s2n_hash_state *state);
- int (*allow_md5_for_fips) (struct s2n_hash_state *state);
- int (*init) (struct s2n_hash_state *state, s2n_hash_algorithm alg);
- int (*update) (struct s2n_hash_state *state, const void *data, uint32_t size);
- int (*digest) (struct s2n_hash_state *state, void *out, uint32_t size);
- int (*copy) (struct s2n_hash_state *to, struct s2n_hash_state *from);
- int (*reset) (struct s2n_hash_state *state);
- int (*free) (struct s2n_hash_state *state);
+ int (*alloc)(struct s2n_hash_state *state);
+ int (*allow_md5_for_fips)(struct s2n_hash_state *state);
+ int (*init)(struct s2n_hash_state *state, s2n_hash_algorithm alg);
+ int (*update)(struct s2n_hash_state *state, const void *data, uint32_t size);
+ int (*digest)(struct s2n_hash_state *state, void *out, uint32_t size);
+ int (*copy)(struct s2n_hash_state *to, struct s2n_hash_state *from);
+ int (*reset)(struct s2n_hash_state *state);
+ int (*free)(struct s2n_hash_state *state);
};
bool s2n_hash_evp_fully_supported();
-const EVP_MD* s2n_hash_alg_to_evp_md(s2n_hash_algorithm alg);
+const EVP_MD *s2n_hash_alg_to_evp_md(s2n_hash_algorithm alg);
extern int s2n_hash_digest_size(s2n_hash_algorithm alg, uint8_t *out);
extern int s2n_hash_block_size(s2n_hash_algorithm alg, uint64_t *block_size);
extern bool s2n_hash_is_available(s2n_hash_algorithm alg);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c b/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c
index eda68149d8..e2a26d9050 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hkdf.c
@@ -15,23 +15,20 @@
#include <stdio.h>
+#include "crypto/s2n_hmac.h"
#include "error/s2n_errno.h"
-
#include "stuffer/s2n_stuffer.h"
-
-#include "crypto/s2n_hmac.h"
-
#include "utils/s2n_blob.h"
-#include "utils/s2n_safety.h"
#include "utils/s2n_mem.h"
+#include "utils/s2n_safety.h"
-#define MAX_DIGEST_SIZE 64 /* Current highest is SHA512 */
+#define MAX_DIGEST_SIZE 64 /* Current highest is SHA512 */
#define MAX_HKDF_ROUNDS 255
/* Reference: RFC 5869 */
int s2n_hkdf_extract(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *salt,
- const struct s2n_blob *key, struct s2n_blob *pseudo_rand_key)
+ const struct s2n_blob *key, struct s2n_blob *pseudo_rand_key)
{
uint8_t hmac_size;
POSIX_GUARD(s2n_hmac_digest_size(alg, &hmac_size));
@@ -46,7 +43,7 @@ int s2n_hkdf_extract(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const
}
static int s2n_hkdf_expand(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *pseudo_rand_key,
- const struct s2n_blob *info, struct s2n_blob *output)
+ const struct s2n_blob *info, struct s2n_blob *output)
{
uint8_t prev[MAX_DIGEST_SIZE] = { 0 };
@@ -79,7 +76,7 @@ static int s2n_hkdf_expand(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg,
POSIX_CHECKED_MEMCPY(output->data + done_len, prev, cat_len);
done_len += cat_len;
-
+
POSIX_GUARD(s2n_hmac_reset(hmac));
}
@@ -87,12 +84,12 @@ static int s2n_hkdf_expand(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg,
}
int s2n_hkdf_expand_label(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *secret, const struct s2n_blob *label,
- const struct s2n_blob *context, struct s2n_blob *output)
+ const struct s2n_blob *context, struct s2n_blob *output)
{
/* Per RFC8446: 7.1, a HKDF label is a 2 byte length field, and two 1...255 byte arrays with a one byte length field each. */
uint8_t hkdf_label_buf[2 + 256 + 256];
- struct s2n_blob hkdf_label_blob = {0};
- struct s2n_stuffer hkdf_label = {0};
+ struct s2n_blob hkdf_label_blob = { 0 };
+ struct s2n_stuffer hkdf_label = { 0 };
/* RFC8446 specifies that labels must be 12 characters or less, to avoid
** incurring two hash rounds.
@@ -115,10 +112,10 @@ int s2n_hkdf_expand_label(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, c
}
int s2n_hkdf(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *salt,
- const struct s2n_blob *key, const struct s2n_blob *info, struct s2n_blob *output)
+ const struct s2n_blob *key, const struct s2n_blob *info, struct s2n_blob *output)
{
uint8_t prk_pad[MAX_DIGEST_SIZE];
- struct s2n_blob pseudo_rand_key = {.data = prk_pad,.size = sizeof(prk_pad) };
+ struct s2n_blob pseudo_rand_key = { .data = prk_pad, .size = sizeof(prk_pad) };
POSIX_GUARD(s2n_hkdf_extract(hmac, alg, salt, key, &pseudo_rand_key));
POSIX_GUARD(s2n_hkdf_expand(hmac, alg, &pseudo_rand_key, info, output));
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hkdf.h b/contrib/restricted/aws/s2n/crypto/s2n_hkdf.h
index 9df0e766ba..1d3b98303d 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hkdf.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hkdf.h
@@ -17,15 +17,14 @@
#include <stdint.h>
-#include "utils/s2n_blob.h"
-
#include "crypto/s2n_hmac.h"
+#include "utils/s2n_blob.h"
extern int s2n_hkdf(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *salt,
- const struct s2n_blob *key, const struct s2n_blob *info, struct s2n_blob *output);
+ const struct s2n_blob *key, const struct s2n_blob *info, struct s2n_blob *output);
extern int s2n_hkdf_extract(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *salt,
- const struct s2n_blob *key, struct s2n_blob *pseudo_rand_key);
+ const struct s2n_blob *key, struct s2n_blob *pseudo_rand_key);
extern int s2n_hkdf_expand_label(struct s2n_hmac_state *hmac, s2n_hmac_algorithm alg, const struct s2n_blob *secret, const struct s2n_blob *label,
- const struct s2n_blob *context, struct s2n_blob *output);
+ const struct s2n_blob *context, struct s2n_blob *output);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hmac.c b/contrib/restricted/aws/s2n/crypto/s2n_hmac.c
index 29ded952ce..d2bb4e6684 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hmac.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hmac.c
@@ -12,6 +12,8 @@
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
+/* this file is patched by Sidetrail, clang-format invalidates patches */
+/* clang-format off */
#include <openssl/md5.h>
#include <openssl/sha.h>
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_hmac.h b/contrib/restricted/aws/s2n/crypto/s2n_hmac.h
index 1a3d52a343..08ff779d06 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_hmac.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_hmac.h
@@ -12,6 +12,8 @@
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
+/* this file is patched by sidetrail, clang-format invalidates patches */
+/* clang-format off */
#pragma once
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_libcrypto.c b/contrib/restricted/aws/s2n/crypto/s2n_libcrypto.c
index bf85f2773f..c7efef1454 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_libcrypto.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_libcrypto.c
@@ -13,17 +13,18 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_libcrypto.h"
+
+#include <openssl/crypto.h>
+#include <openssl/opensslv.h>
+
#include "crypto/s2n_crypto.h"
#include "crypto/s2n_fips.h"
#include "crypto/s2n_openssl.h"
-#include "crypto/s2n_libcrypto.h"
#include "utils/s2n_safety.h"
#include "utils/s2n_safety_macros.h"
-
-#include <openssl/crypto.h>
-#include <openssl/opensslv.h>
#if S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)
-#error #include <openssl/provider.h>
+ #error #include <openssl/provider.h>
#endif
#include <string.h>
@@ -43,8 +44,8 @@
* doesn't distribute fips-specific header files.
*/
#define EXPECTED_AWSLC_VERSION_NAME_FIPS_OR_OLD "BoringSSL"
-#define EXPECTED_AWSLC_VERSION_NAME_NON_FIPS "AWS-LC"
-#define EXPECTED_BORINGSSL_VERSION_NAME "BoringSSL"
+#define EXPECTED_AWSLC_VERSION_NAME_NON_FIPS "AWS-LC"
+#define EXPECTED_BORINGSSL_VERSION_NAME "BoringSSL"
/* https://www.openssl.org/docs/man{1.0.2, 1.1.1, 3.0}/man3/OPENSSL_VERSION_NUMBER.html
* OPENSSL_VERSION_NUMBER in hex is: MNNFFPPS major minor fix patch status.
@@ -58,7 +59,7 @@
* symbol OpenSSL_version binded to at link-time. This can be used as
* verification at run-time that s2n linked against the expected libcrypto.
*/
-static const char * s2n_libcrypto_get_version_name(void)
+static const char *s2n_libcrypto_get_version_name(void)
{
return SSLeay_version(SSLEAY_VERSION);
}
@@ -68,7 +69,7 @@ static S2N_RESULT s2n_libcrypto_validate_expected_version_name(const char *expec
RESULT_ENSURE_REF(expected_version_name);
RESULT_ENSURE_REF(s2n_libcrypto_get_version_name());
RESULT_ENSURE_EQ(strlen(expected_version_name), strlen(s2n_libcrypto_get_version_name()));
- RESULT_ENSURE(s2n_constant_time_equals((const uint8_t *) expected_version_name, (const uint8_t *) s2n_libcrypto_get_version_name(), (const uint32_t) strlen(expected_version_name)), S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH);
+ RESULT_ENSURE(s2n_constant_time_equals((const uint8_t *) expected_version_name, (const uint8_t *) s2n_libcrypto_get_version_name(), (const uint32_t) strlen(expected_version_name)), S2N_ERR_LIBCRYPTO_VERSION_NAME_MISMATCH);
return S2N_RESULT_OK;
}
@@ -109,7 +110,7 @@ static S2N_RESULT s2n_libcrypto_validate_expected_version_number(void)
*/
#if defined(OPENSSL_IS_AWSLC) && defined(OPENSSL_IS_BORINGSSL)
-#error "Both OPENSSL_IS_AWSLC and OPENSSL_IS_BORINGSSL are defined at the same time!"
+ #error "Both OPENSSL_IS_AWSLC and OPENSSL_IS_BORINGSSL are defined at the same time!"
#endif
bool s2n_libcrypto_is_awslc()
@@ -121,7 +122,8 @@ bool s2n_libcrypto_is_awslc()
#endif
}
-static uint64_t s2n_libcrypto_awslc_api_version(void) {
+static uint64_t s2n_libcrypto_awslc_api_version(void)
+{
#if defined(OPENSSL_IS_AWSLC)
return AWSLC_API_VERSION;
#else
@@ -154,17 +156,20 @@ S2N_RESULT s2n_libcrypto_init(void)
}
#if S2N_OPENSSL_VERSION_AT_LEAST(3, 0, 0)
-int s2n_libcrypto_cleanup_cb(OSSL_PROVIDER *provider, void *cbdata) {
+int s2n_libcrypto_cleanup_cb(OSSL_PROVIDER *provider, void *cbdata)
+{
return OSSL_PROVIDER_unload(provider);
}
-S2N_RESULT s2n_libcrypto_cleanup(void) {
+S2N_RESULT s2n_libcrypto_cleanup(void)
+{
RESULT_GUARD_OSSL(OSSL_PROVIDER_do_all(NULL, *s2n_libcrypto_cleanup_cb, NULL), S2N_ERR_ATEXIT);
return S2N_RESULT_OK;
}
#else
-S2N_RESULT s2n_libcrypto_cleanup(void) {
+S2N_RESULT s2n_libcrypto_cleanup(void)
+{
return S2N_RESULT_OK;
}
#endif
@@ -193,8 +198,7 @@ S2N_RESULT s2n_libcrypto_validate_runtime(void)
expected_awslc_version_name = EXPECTED_AWSLC_VERSION_NAME_NON_FIPS;
}
RESULT_GUARD(s2n_libcrypto_validate_expected_version_name(expected_awslc_version_name));
- }
- else if (s2n_libcrypto_is_boringssl()) {
+ } else if (s2n_libcrypto_is_boringssl()) {
RESULT_GUARD(s2n_libcrypto_validate_expected_version_name(EXPECTED_BORINGSSL_VERSION_NAME));
}
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_locking.c b/contrib/restricted/aws/s2n/crypto/s2n_locking.c
index 84f4b263ae..7f4b3ff15b 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_locking.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_locking.c
@@ -13,10 +13,11 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_locking.h"
+
#include <openssl/crypto.h>
#include <pthread.h>
-#include "crypto/s2n_locking.h"
#include "crypto/s2n_openssl.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_safety.h"
@@ -35,7 +36,7 @@
* https://www.openssl.org/docs/man1.0.2/man3/threads.html
*/
-#define S2N_MUTEXES(mem) ((pthread_mutex_t *) (void*) (mem).data)
+#define S2N_MUTEXES(mem) ((pthread_mutex_t *) (void *) (mem).data)
/* While the locking-related APIs "exist" in later versions of
* Openssl, they tend to be placeholders or hardcoded values like:
@@ -91,7 +92,7 @@ S2N_RESULT s2n_locking_cleanup(void)
pthread_mutex_t *mutexes = S2N_MUTEXES(mutexes_mem);
if (mutexes) {
- while(mutexes_count > 0) {
+ while (mutexes_count > 0) {
RESULT_ENSURE_EQ(pthread_mutex_destroy(&(mutexes[mutexes_count - 1])), 0);
mutexes_count--;
}
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_openssl.h b/contrib/restricted/aws/s2n/crypto/s2n_openssl.h
index d0d2b2d2b2..39ff57f6aa 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_openssl.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_openssl.h
@@ -24,12 +24,12 @@
* https://github.com/aws/aws-sdk-cpp/pull/507/commits/2c99f1fe0c4b4683280caeb161538d4724d6a179
*/
#if defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER == 0x20000000L)
-#undef OPENSSL_VERSION_NUMBER
-#if LIBRESSL_VERSION_NUMBER < 0x3050000fL
-#define OPENSSL_VERSION_NUMBER 0x1000107fL
-#else
-#define OPENSSL_VERSION_NUMBER 0x1010000fL
-#endif
+ #undef OPENSSL_VERSION_NUMBER
+ #if LIBRESSL_VERSION_NUMBER < 0x3050000fL
+ #define OPENSSL_VERSION_NUMBER 0x1000107fL
+ #else
+ #define OPENSSL_VERSION_NUMBER 0x1010000fL
+ #endif
#endif
/* Per https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)
@@ -43,17 +43,17 @@
(OPENSSL_VERSION_NUMBER >= ((major << 28) + (minor << 20) + (fix << 12)))
#if (S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 0)) && (!defined(OPENSSL_IS_BORINGSSL)) && (!defined(OPENSSL_IS_AWSLC)) && (!defined(LIBRESSL_VERSION_NUMBER))
-#define s2n_evp_ctx_init(ctx) POSIX_GUARD_OSSL(EVP_CIPHER_CTX_init(ctx), S2N_ERR_DRBG)
-#define RESULT_EVP_CTX_INIT(ctx) RESULT_GUARD_OSSL(EVP_CIPHER_CTX_init(ctx), S2N_ERR_DRBG)
+ #define s2n_evp_ctx_init(ctx) POSIX_GUARD_OSSL(EVP_CIPHER_CTX_init(ctx), S2N_ERR_DRBG)
+ #define RESULT_EVP_CTX_INIT(ctx) RESULT_GUARD_OSSL(EVP_CIPHER_CTX_init(ctx), S2N_ERR_DRBG)
#else
-#define s2n_evp_ctx_init(ctx) EVP_CIPHER_CTX_init(ctx)
-#define RESULT_EVP_CTX_INIT(ctx) EVP_CIPHER_CTX_init(ctx)
+ #define s2n_evp_ctx_init(ctx) EVP_CIPHER_CTX_init(ctx)
+ #define RESULT_EVP_CTX_INIT(ctx) EVP_CIPHER_CTX_init(ctx)
#endif
#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_FIPS) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_AWSLC) && !defined(OPENSSL_NO_ENGINE)
-#define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 1
+ #define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 1
#else
-#define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 0
+ #define S2N_LIBCRYPTO_SUPPORTS_CUSTOM_RAND 0
#endif
bool s2n_libcrypto_is_awslc();
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.c b/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.c
index a61805cee7..f0909fd897 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.c
@@ -13,9 +13,10 @@
* permissions and limitations under the License.
*/
-#include "api/s2n.h"
#include "crypto/s2n_openssl_x509.h"
+#include "api/s2n.h"
+
int s2n_openssl_x509_stack_pop_free(STACK_OF(X509) **cert_chain)
{
if (*cert_chain != NULL) {
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.h b/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.h
index b27a7f5a92..1eb2069054 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_openssl_x509.h
@@ -15,11 +15,11 @@
#pragma once
-#include <stdint.h>
#include <openssl/x509.h>
+#include <stdint.h>
#include "utils/s2n_safety.h"
-DEFINE_POINTER_CLEANUP_FUNC(X509*, X509_free);
+DEFINE_POINTER_CLEANUP_FUNC(X509 *, X509_free);
int s2n_openssl_x509_stack_pop_free(STACK_OF(X509) **cert_chain);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_pkey.c b/contrib/restricted/aws/s2n/crypto/s2n_pkey.c
index 377eb2585e..ab0c6615f9 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_pkey.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_pkey.c
@@ -13,20 +13,20 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_pkey.h"
+
#include <openssl/evp.h>
+
#include "crypto/s2n_openssl_evp.h"
#include "crypto/s2n_openssl_x509.h"
-
-#include "error/s2n_errno.h"
#include "crypto/s2n_rsa_pss.h"
-#include "crypto/s2n_pkey.h"
-
+#include "error/s2n_errno.h"
#include "utils/s2n_result.h"
#include "utils/s2n_safety.h"
#define S2N_MAX_ALLOWED_CERT_TRAILING_BYTES 3
-int s2n_pkey_zero_init(struct s2n_pkey *pkey)
+int s2n_pkey_zero_init(struct s2n_pkey *pkey)
{
pkey->pkey = NULL;
pkey->size = NULL;
@@ -42,7 +42,7 @@ int s2n_pkey_zero_init(struct s2n_pkey *pkey)
int s2n_pkey_setup_for_type(struct s2n_pkey *pkey, s2n_pkey_type pkey_type)
{
- switch(pkey_type) {
+ switch (pkey_type) {
case S2N_PKEY_TYPE_RSA:
return s2n_rsa_pkey_init(pkey);
case S2N_PKEY_TYPE_ECDSA:
@@ -79,7 +79,7 @@ int s2n_pkey_sign(const struct s2n_pkey *pkey, s2n_signature_algorithm sig_alg,
struct s2n_hash_state *digest, struct s2n_blob *signature)
{
POSIX_ENSURE_REF(pkey->sign);
-
+
return pkey->sign(pkey, sig_alg, digest, signature);
}
@@ -134,10 +134,10 @@ int s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1d
uint8_t *key_to_parse = asn1der->data;
/* Detect key type */
- DEFER_CLEANUP(EVP_PKEY *evp_private_key = d2i_AutoPrivateKey(NULL, (const unsigned char **)(void *)&key_to_parse, asn1der->size),
+ DEFER_CLEANUP(EVP_PKEY *evp_private_key = d2i_AutoPrivateKey(NULL, (const unsigned char **) (void *) &key_to_parse, asn1der->size),
EVP_PKEY_free_pointer);
S2N_ERROR_IF(evp_private_key == NULL, S2N_ERR_DECODE_PRIVATE_KEY);
-
+
/* If key parsing is successful, d2i_AutoPrivateKey increments *key_to_parse to the byte following the parsed data */
uint32_t parsed_len = key_to_parse - asn1der->data;
if (parsed_len != asn1der->size) {
@@ -146,34 +146,34 @@ int s2n_asn1der_to_private_key(struct s2n_pkey *priv_key, struct s2n_blob *asn1d
/* Initialize s2n_pkey according to key type */
int type = EVP_PKEY_base_id(evp_private_key);
-
+
int ret;
switch (type) {
- case EVP_PKEY_RSA:
- ret = s2n_rsa_pkey_init(priv_key);
- if (ret != 0) {
+ case EVP_PKEY_RSA:
+ ret = s2n_rsa_pkey_init(priv_key);
+ if (ret != 0) {
+ break;
+ }
+ ret = s2n_evp_pkey_to_rsa_private_key(&priv_key->key.rsa_key, evp_private_key);
break;
- }
- ret = s2n_evp_pkey_to_rsa_private_key(&priv_key->key.rsa_key, evp_private_key);
- break;
- case EVP_PKEY_RSA_PSS:
- ret = s2n_rsa_pss_pkey_init(priv_key);
- if (ret != 0) {
+ case EVP_PKEY_RSA_PSS:
+ ret = s2n_rsa_pss_pkey_init(priv_key);
+ if (ret != 0) {
+ break;
+ }
+ ret = s2n_evp_pkey_to_rsa_pss_private_key(&priv_key->key.rsa_key, evp_private_key);
break;
- }
- ret = s2n_evp_pkey_to_rsa_pss_private_key(&priv_key->key.rsa_key, evp_private_key);
- break;
- case EVP_PKEY_EC:
- ret = s2n_ecdsa_pkey_init(priv_key);
- if (ret != 0) {
+ case EVP_PKEY_EC:
+ ret = s2n_ecdsa_pkey_init(priv_key);
+ if (ret != 0) {
+ break;
+ }
+ ret = s2n_evp_pkey_to_ecdsa_private_key(&priv_key->key.ecdsa_key, evp_private_key);
break;
- }
- ret = s2n_evp_pkey_to_ecdsa_private_key(&priv_key->key.ecdsa_key, evp_private_key);
- break;
- default:
- POSIX_BAIL(S2N_ERR_DECODE_PRIVATE_KEY);
+ default:
+ POSIX_BAIL(S2N_ERR_DECODE_PRIVATE_KEY);
}
-
+
priv_key->pkey = evp_private_key;
/* Reset to avoid DEFER_CLEANUP freeing our key */
evp_private_key = NULL;
@@ -186,7 +186,7 @@ int s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *
uint8_t *cert_to_parse = asn1der->data;
DEFER_CLEANUP(X509 *cert = NULL, X509_free_pointer);
- cert = d2i_X509(NULL, (const unsigned char **)(void *)&cert_to_parse, asn1der->size);
+ cert = d2i_X509(NULL, (const unsigned char **) (void *) &cert_to_parse, asn1der->size);
S2N_ERROR_IF(cert == NULL, S2N_ERR_DECODE_CERTIFICATE);
/* If cert parsing is successful, d2i_X509 increments *cert_to_parse to the byte following the parsed data */
@@ -205,32 +205,32 @@ int s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *
int ret;
switch (type) {
- case EVP_PKEY_RSA:
- ret = s2n_rsa_pkey_init(pub_key);
- if (ret != 0) {
+ case EVP_PKEY_RSA:
+ ret = s2n_rsa_pkey_init(pub_key);
+ if (ret != 0) {
+ break;
+ }
+ ret = s2n_evp_pkey_to_rsa_public_key(&pub_key->key.rsa_key, evp_public_key);
+ *pkey_type_out = S2N_PKEY_TYPE_RSA;
break;
- }
- ret = s2n_evp_pkey_to_rsa_public_key(&pub_key->key.rsa_key, evp_public_key);
- *pkey_type_out = S2N_PKEY_TYPE_RSA;
- break;
- case EVP_PKEY_RSA_PSS:
- ret = s2n_rsa_pss_pkey_init(pub_key);
- if (ret != 0) {
+ case EVP_PKEY_RSA_PSS:
+ ret = s2n_rsa_pss_pkey_init(pub_key);
+ if (ret != 0) {
+ break;
+ }
+ ret = s2n_evp_pkey_to_rsa_pss_public_key(&pub_key->key.rsa_key, evp_public_key);
+ *pkey_type_out = S2N_PKEY_TYPE_RSA_PSS;
break;
- }
- ret = s2n_evp_pkey_to_rsa_pss_public_key(&pub_key->key.rsa_key, evp_public_key);
- *pkey_type_out = S2N_PKEY_TYPE_RSA_PSS;
- break;
- case EVP_PKEY_EC:
- ret = s2n_ecdsa_pkey_init(pub_key);
- if (ret != 0) {
+ case EVP_PKEY_EC:
+ ret = s2n_ecdsa_pkey_init(pub_key);
+ if (ret != 0) {
+ break;
+ }
+ ret = s2n_evp_pkey_to_ecdsa_public_key(&pub_key->key.ecdsa_key, evp_public_key);
+ *pkey_type_out = S2N_PKEY_TYPE_ECDSA;
break;
- }
- ret = s2n_evp_pkey_to_ecdsa_public_key(&pub_key->key.ecdsa_key, evp_public_key);
- *pkey_type_out = S2N_PKEY_TYPE_ECDSA;
- break;
- default:
- POSIX_BAIL(S2N_ERR_DECODE_CERTIFICATE);
+ default:
+ POSIX_BAIL(S2N_ERR_DECODE_CERTIFICATE);
}
pub_key->pkey = evp_public_key;
@@ -239,4 +239,3 @@ int s2n_asn1der_to_public_key_and_type(struct s2n_pkey *pub_key, s2n_pkey_type *
return ret;
}
-
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_pkey.h b/contrib/restricted/aws/s2n/crypto/s2n_pkey.h
index 0edc9f662e..137a68e0d6 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_pkey.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_pkey.h
@@ -17,11 +17,10 @@
#include <openssl/evp.h>
-#include "crypto/s2n_signature.h"
#include "crypto/s2n_ecdsa.h"
#include "crypto/s2n_hash.h"
#include "crypto/s2n_rsa.h"
-
+#include "crypto/s2n_signature.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_result.h"
@@ -51,7 +50,7 @@ struct s2n_pkey {
struct s2n_hash_state *digest, struct s2n_blob *signature);
int (*encrypt)(const struct s2n_pkey *key, struct s2n_blob *in, struct s2n_blob *out);
int (*decrypt)(const struct s2n_pkey *key, struct s2n_blob *in, struct s2n_blob *out);
- int (*match)(const struct s2n_pkey *pub_key, const struct s2n_pkey *priv_key);
+ int (*match)(const struct s2n_pkey *pub_key, const struct s2n_pkey *priv_key);
int (*free)(struct s2n_pkey *key);
int (*check_key)(const struct s2n_pkey *key);
};
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_rsa.c b/contrib/restricted/aws/s2n/crypto/s2n_rsa.c
index ff6b5340b7..7e70e27d94 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_rsa.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_rsa.c
@@ -13,37 +13,37 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_rsa.h"
+
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <stdint.h>
-#include "error/s2n_errno.h"
-#include "stuffer/s2n_stuffer.h"
-
#include "crypto/s2n_drbg.h"
#include "crypto/s2n_evp_signing.h"
#include "crypto/s2n_hash.h"
#include "crypto/s2n_pkey.h"
-#include "crypto/s2n_rsa.h"
#include "crypto/s2n_rsa_signing.h"
-
+#include "error/s2n_errno.h"
+#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_compiler.h"
#include "utils/s2n_random.h"
#include "utils/s2n_result.h"
#include "utils/s2n_safety.h"
-RSA *s2n_unsafe_rsa_get_non_const(const struct s2n_rsa_key *rsa_key) {
+RSA *s2n_unsafe_rsa_get_non_const(const struct s2n_rsa_key *rsa_key)
+{
PTR_ENSURE_REF(rsa_key);
/* pragma gcc diagnostic was added in gcc 4.6 */
-#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4,6,0)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wcast-qual"
+#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4, 6, 0)
+ #pragma GCC diagnostic push
+ #pragma GCC diagnostic ignored "-Wcast-qual"
#endif
RSA *out_rsa_key = (RSA *) rsa_key->rsa;
-#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4,6,0)
-#pragma GCC diagnostic pop
+#if defined(__clang__) || S2N_GCC_VERSION_AT_LEAST(4, 6, 0)
+ #pragma GCC diagnostic pop
#endif
return out_rsa_key;
@@ -81,7 +81,7 @@ static S2N_RESULT s2n_rsa_encrypted_size(const struct s2n_pkey *pkey, uint32_t *
}
static int s2n_rsa_sign(const struct s2n_pkey *priv, s2n_signature_algorithm sig_alg, struct s2n_hash_state *digest,
- struct s2n_blob *signature)
+ struct s2n_blob *signature)
{
switch (sig_alg) {
case S2N_SIGNATURE_RSA:
@@ -96,7 +96,7 @@ static int s2n_rsa_sign(const struct s2n_pkey *priv, s2n_signature_algorithm sig
}
static int s2n_rsa_verify(const struct s2n_pkey *pub, s2n_signature_algorithm sig_alg, struct s2n_hash_state *digest,
- struct s2n_blob *signature)
+ struct s2n_blob *signature)
{
switch (sig_alg) {
case S2N_SIGNATURE_RSA:
@@ -119,7 +119,7 @@ static int s2n_rsa_encrypt(const struct s2n_pkey *pub, struct s2n_blob *in, stru
const s2n_rsa_public_key *pub_key = &pub->key.rsa_key;
/* Safety: RSA_public_encrypt does not mutate the key */
- int r = RSA_public_encrypt(in->size, ( unsigned char * )in->data, ( unsigned char * )out->data,
+ int r = RSA_public_encrypt(in->size, (unsigned char *) in->data, (unsigned char *) out->data,
s2n_unsafe_rsa_get_non_const(pub_key), RSA_PKCS1_PADDING);
S2N_ERROR_IF(r != out->size, S2N_ERR_SIZE_MISMATCH);
@@ -128,8 +128,8 @@ static int s2n_rsa_encrypt(const struct s2n_pkey *pub, struct s2n_blob *in, stru
static int s2n_rsa_decrypt(const struct s2n_pkey *priv, struct s2n_blob *in, struct s2n_blob *out)
{
- unsigned char intermediate[ 4096 ];
- uint32_t expected_size = 0;
+ unsigned char intermediate[4096];
+ uint32_t expected_size = 0;
POSIX_GUARD_RESULT(s2n_rsa_encrypted_size(priv, &expected_size));
@@ -141,7 +141,7 @@ static int s2n_rsa_decrypt(const struct s2n_pkey *priv, struct s2n_blob *in, str
const s2n_rsa_private_key *priv_key = &priv->key.rsa_key;
/* Safety: RSA_private_decrypt does not mutate the key */
- int r = RSA_private_decrypt(in->size, ( unsigned char * )in->data, intermediate,
+ int r = RSA_private_decrypt(in->size, (unsigned char *) in->data, intermediate,
s2n_unsafe_rsa_get_non_const(priv_key), RSA_NO_PADDING);
S2N_ERROR_IF(r != expected_size, S2N_ERR_SIZE_MISMATCH);
@@ -152,7 +152,7 @@ static int s2n_rsa_decrypt(const struct s2n_pkey *priv, struct s2n_blob *in, str
static int s2n_rsa_keys_match(const struct s2n_pkey *pub, const struct s2n_pkey *priv)
{
- uint8_t plain_inpad[ 36 ] = { 1 }, plain_outpad[ 36 ] = { 0 }, encpad[ 8192 ];
+ uint8_t plain_inpad[36] = { 1 }, plain_outpad[36] = { 0 }, encpad[8192];
struct s2n_blob plain_in = { 0 }, plain_out = { 0 }, enc = { 0 };
plain_in.data = plain_inpad;
@@ -214,15 +214,14 @@ int s2n_evp_pkey_to_rsa_private_key(s2n_rsa_private_key *rsa_key, EVP_PKEY *evp_
int s2n_rsa_pkey_init(struct s2n_pkey *pkey)
{
- pkey->size = &s2n_rsa_encrypted_size;
- pkey->sign = &s2n_rsa_sign;
- pkey->verify = &s2n_rsa_verify;
- pkey->encrypt = &s2n_rsa_encrypt;
- pkey->decrypt = &s2n_rsa_decrypt;
- pkey->match = &s2n_rsa_keys_match;
- pkey->free = &s2n_rsa_key_free;
+ pkey->size = &s2n_rsa_encrypted_size;
+ pkey->sign = &s2n_rsa_sign;
+ pkey->verify = &s2n_rsa_verify;
+ pkey->encrypt = &s2n_rsa_encrypt;
+ pkey->decrypt = &s2n_rsa_decrypt;
+ pkey->match = &s2n_rsa_keys_match;
+ pkey->free = &s2n_rsa_key_free;
pkey->check_key = &s2n_rsa_check_key_exists;
POSIX_GUARD_RESULT(s2n_evp_signing_set_pkey_overrides(pkey));
return 0;
}
-
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_rsa.h b/contrib/restricted/aws/s2n/crypto/s2n_rsa.h
index 52724530a1..d928ad03f5 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_rsa.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_rsa.h
@@ -15,13 +15,11 @@
#pragma once
-#include <stdint.h>
-#include "api/s2n.h"
-
#include <openssl/rsa.h>
+#include <stdint.h>
+#include "api/s2n.h"
#include "crypto/s2n_hash.h"
-
#include "utils/s2n_blob.h"
/* Forward declaration to avoid the circular dependency with s2n_pkey.h */
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.c b/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.c
index 70be214cf6..82f1a57a58 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.c
@@ -13,25 +13,23 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_rsa_pss.h"
+
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <stdint.h>
-#include "error/s2n_errno.h"
-#include "stuffer/s2n_stuffer.h"
-
#include "crypto/s2n_evp_signing.h"
#include "crypto/s2n_hash.h"
#include "crypto/s2n_openssl.h"
+#include "crypto/s2n_pkey.h"
#include "crypto/s2n_rsa.h"
-#include "crypto/s2n_rsa_pss.h"
#include "crypto/s2n_rsa_signing.h"
-#include "crypto/s2n_pkey.h"
-
+#include "error/s2n_errno.h"
+#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_random.h"
#include "utils/s2n_safety.h"
-#include "utils/s2n_blob.h"
/* Checks whether PSS Certs is supported */
int s2n_is_rsa_pss_certs_supported()
@@ -98,8 +96,8 @@ static int s2n_rsa_pss_validate_sign_verify_match(const struct s2n_pkey *pub, co
POSIX_GUARD_RESULT(s2n_get_private_random_data(&random_data));
/* Sign/Verify API's only accept Hashes, so hash our Random Data */
- DEFER_CLEANUP(struct s2n_hash_state sign_hash = {0}, s2n_hash_free);
- DEFER_CLEANUP(struct s2n_hash_state verify_hash = {0}, s2n_hash_free);
+ DEFER_CLEANUP(struct s2n_hash_state sign_hash = { 0 }, s2n_hash_free);
+ DEFER_CLEANUP(struct s2n_hash_state verify_hash = { 0 }, s2n_hash_free);
POSIX_GUARD(s2n_hash_new(&sign_hash));
POSIX_GUARD(s2n_hash_new(&verify_hash));
POSIX_GUARD(s2n_hash_init(&sign_hash, S2N_HASH_SHA256));
@@ -159,7 +157,6 @@ static int s2n_rsa_validate_params_match(const struct s2n_pkey *pub, const struc
return 0;
}
-
static int s2n_rsa_pss_keys_match(const struct s2n_pkey *pub, const struct s2n_pkey *priv)
{
POSIX_ENSURE_REF(pub);
@@ -190,7 +187,8 @@ static int s2n_rsa_pss_key_free(struct s2n_pkey *pkey)
return S2N_SUCCESS;
}
-int s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey) {
+int s2n_evp_pkey_to_rsa_pss_public_key(struct s2n_rsa_key *rsa_key, EVP_PKEY *pkey)
+{
const RSA *pub_rsa_key = EVP_PKEY_get1_RSA(pkey);
POSIX_ENSURE_REF(pub_rsa_key);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.h b/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.h
index 82431986f3..c76a8bf1b6 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_rsa_pss.h
@@ -15,19 +15,19 @@
#pragma once
-#include <stdint.h>
-#include "api/s2n.h"
#include <openssl/bn.h>
+#include <stdint.h>
+#include "api/s2n.h"
#include "crypto/s2n_openssl.h"
#include "crypto/s2n_rsa.h"
#include "crypto/s2n_rsa_signing.h"
-#define RSA_PSS_SIGN_VERIFY_RANDOM_BLOB_SIZE 32
-#define RSA_PSS_SIGN_VERIFY_SIGNATURE_SIZE 256
+#define RSA_PSS_SIGN_VERIFY_RANDOM_BLOB_SIZE 32
+#define RSA_PSS_SIGN_VERIFY_SIGNATURE_SIZE 256
#ifndef EVP_PKEY_RSA_PSS
-#define EVP_PKEY_RSA_PSS EVP_PKEY_NONE
+ #define EVP_PKEY_RSA_PSS EVP_PKEY_NONE
#endif
/* OpenSSL 1.1.1d 10 Sep 2019 is broken, so disable on that version. For further info see: crypto/evp/p_lib.c:469
@@ -35,9 +35,9 @@
* This feature requires this Openssl commit for Openssl 1.1.x versions: openssl/openssl@4088b92
*/
#if RSA_PSS_SIGNING_SUPPORTED && OPENSSL_VERSION_NUMBER > 0x1010104fL
-#define RSA_PSS_CERTS_SUPPORTED 1
+ #define RSA_PSS_CERTS_SUPPORTED 1
#else
-#define RSA_PSS_CERTS_SUPPORTED 0
+ #define RSA_PSS_CERTS_SUPPORTED 0
#endif
int s2n_is_rsa_pss_certs_supported();
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.c b/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.c
index fc74fa24d3..d4d3e51f19 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.c
@@ -13,43 +13,41 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_rsa_signing.h"
+
#include <openssl/evp.h>
#include <openssl/rsa.h>
-#include "error/s2n_errno.h"
-
-#include "stuffer/s2n_stuffer.h"
-
#include "crypto/s2n_hash.h"
-#include "crypto/s2n_rsa_pss.h"
-#include "crypto/s2n_rsa_signing.h"
#include "crypto/s2n_pkey.h"
-
+#include "crypto/s2n_rsa_pss.h"
+#include "error/s2n_errno.h"
+#include "stuffer/s2n_stuffer.h"
#include "utils/s2n_blob.h"
#include "utils/s2n_safety.h"
static int s2n_hash_alg_to_NID[] = {
[S2N_HASH_MD5_SHA1] = NID_md5_sha1,
- [S2N_HASH_SHA1] = NID_sha1,
- [S2N_HASH_SHA224] = NID_sha224,
- [S2N_HASH_SHA256] = NID_sha256,
- [S2N_HASH_SHA384] = NID_sha384,
- [S2N_HASH_SHA512] = NID_sha512
+ [S2N_HASH_SHA1] = NID_sha1,
+ [S2N_HASH_SHA224] = NID_sha224,
+ [S2N_HASH_SHA256] = NID_sha256,
+ [S2N_HASH_SHA384] = NID_sha384,
+ [S2N_HASH_SHA512] = NID_sha512
};
int s2n_hash_NID_type(s2n_hash_algorithm alg, int *out)
{
- switch(alg) {
- case S2N_HASH_MD5_SHA1:
- case S2N_HASH_SHA1:
- case S2N_HASH_SHA224:
- case S2N_HASH_SHA256:
- case S2N_HASH_SHA384:
- case S2N_HASH_SHA512:
- *out = s2n_hash_alg_to_NID[alg];
- break;
- default:
- POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
+ switch (alg) {
+ case S2N_HASH_MD5_SHA1:
+ case S2N_HASH_SHA1:
+ case S2N_HASH_SHA224:
+ case S2N_HASH_SHA256:
+ case S2N_HASH_SHA384:
+ case S2N_HASH_SHA512:
+ *out = s2n_hash_alg_to_NID[alg];
+ break;
+ default:
+ POSIX_BAIL(S2N_ERR_HASH_INVALID_ALGORITHM);
}
return 0;
}
@@ -70,7 +68,8 @@ int s2n_rsa_pkcs1v15_sign_digest(const struct s2n_pkey *priv, s2n_hash_algorithm
/* Safety: RSA_sign does not mutate the key */
POSIX_GUARD_OSSL(RSA_sign(NID_type, digest->data, digest->size, signature->data, &signature_size,
- s2n_unsafe_rsa_get_non_const(rsa_key)), S2N_ERR_SIGN);
+ s2n_unsafe_rsa_get_non_const(rsa_key)),
+ S2N_ERR_SIGN);
POSIX_ENSURE(signature_size <= signature->size, S2N_ERR_SIZE_MISMATCH);
signature->size = signature_size;
@@ -110,7 +109,8 @@ int s2n_rsa_pkcs1v15_verify(const struct s2n_pkey *pub, struct s2n_hash_state *d
/* Safety: RSA_verify does not mutate the key */
POSIX_GUARD_OSSL(RSA_verify(digest_NID_type, digest_out, digest_length, signature->data, signature->size,
- s2n_unsafe_rsa_get_non_const(rsa_key)), S2N_ERR_VERIFY_SIGNATURE);
+ s2n_unsafe_rsa_get_non_const(rsa_key)),
+ S2N_ERR_VERIFY_SIGNATURE);
return 0;
}
@@ -123,10 +123,10 @@ int s2n_is_rsa_pss_signing_supported()
#if RSA_PSS_SIGNING_SUPPORTED
-static int s2n_evp_pkey_ctx_set_rsa_signature_digest(EVP_PKEY_CTX *ctx, const EVP_MD* digest_alg)
+static int s2n_evp_pkey_ctx_set_rsa_signature_digest(EVP_PKEY_CTX *ctx, const EVP_MD *digest_alg)
{
POSIX_GUARD_OSSL(S2N_EVP_PKEY_CTX_set_signature_md(ctx, digest_alg), S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
- POSIX_GUARD_OSSL(EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, (EVP_MD*) (uintptr_t) digest_alg), S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
+ POSIX_GUARD_OSSL(EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, (EVP_MD *) (uintptr_t) digest_alg), S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
return 0;
}
@@ -142,11 +142,11 @@ int s2n_rsa_pss_sign_digest(const struct s2n_pkey *priv, s2n_hash_algorithm hash
POSIX_ENSURE_REF(digest_in);
POSIX_ENSURE_REF(signature_out);
- const EVP_MD* digest_alg = s2n_hash_alg_to_evp_md(hash_alg);
+ const EVP_MD *digest_alg = s2n_hash_alg_to_evp_md(hash_alg);
POSIX_ENSURE_REF(digest_alg);
/* For more info see: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_sign.html */
- DEFER_CLEANUP(EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(priv->pkey, NULL), s2n_evp_pkey_ctx_free);
+ DEFER_CLEANUP(EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new(priv->pkey, NULL), s2n_evp_pkey_ctx_free);
POSIX_ENSURE_REF(ctx);
size_t signature_len = signature_out->size;
@@ -190,7 +190,7 @@ int s2n_rsa_pss_verify(const struct s2n_pkey *pub, struct s2n_hash_state *digest
uint8_t digest_data[S2N_MAX_DIGEST_LEN];
POSIX_GUARD(s2n_hash_digest_size(digest->alg, &digest_length));
POSIX_GUARD(s2n_hash_digest(digest, digest_data, digest_length));
- const EVP_MD* digest_alg = s2n_hash_alg_to_evp_md(digest->alg);
+ const EVP_MD *digest_alg = s2n_hash_alg_to_evp_md(digest->alg);
POSIX_ENSURE_REF(digest_alg);
/* For more info see: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_verify.html */
@@ -203,7 +203,8 @@ int s2n_rsa_pss_verify(const struct s2n_pkey *pub, struct s2n_hash_state *digest
POSIX_GUARD_OSSL(EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, RSA_PSS_SALTLEN_DIGEST), S2N_ERR_VERIFY_SIGNATURE);
POSIX_GUARD_OSSL(EVP_PKEY_verify(ctx, signature_in->data, signature_in->size,
- digest_data, digest_length), S2N_ERR_VERIFY_SIGNATURE);
+ digest_data, digest_length),
+ S2N_ERR_VERIFY_SIGNATURE);
return S2N_SUCCESS;
}
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.h b/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.h
index bf14928426..a1d859d22e 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_rsa_signing.h
@@ -16,16 +16,15 @@
#pragma once
#include "api/s2n.h"
-
-#include "utils/s2n_blob.h"
#include "crypto/s2n_openssl.h"
#include "crypto/s2n_rsa.h"
+#include "utils/s2n_blob.h"
/* Check for libcrypto 1.1 for RSA PSS Signing and EV_Key usage */
#if (S2N_OPENSSL_VERSION_AT_LEAST(1, 1, 1) || defined(OPENSSL_IS_AWSLC)) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
-#define RSA_PSS_SIGNING_SUPPORTED 1
+ #define RSA_PSS_SIGNING_SUPPORTED 1
#else
-#define RSA_PSS_SIGNING_SUPPORTED 0
+ #define RSA_PSS_SIGNING_SUPPORTED 0
#endif
int s2n_rsa_pkcs1v15_sign(const struct s2n_pkey *priv, struct s2n_hash_state *digest, struct s2n_blob *signature);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_sequence.c b/contrib/restricted/aws/s2n/crypto/s2n_sequence.c
index 611d7ac5b4..d7a8d95362 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_sequence.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_sequence.c
@@ -15,10 +15,8 @@
#include "crypto/s2n_sequence.h"
-#include "tls/s2n_crypto.h"
-
#include "error/s2n_errno.h"
-
+#include "tls/s2n_crypto.h"
#include "utils/s2n_blob.h"
#define SEQUENCE_NUMBER_POWER 8
@@ -52,7 +50,7 @@ int s2n_sequence_number_to_uint64(struct s2n_blob *sequence_number, uint64_t *ou
*output = 0;
for (uint32_t i = sequence_number->size; i > 0; i--) {
- *output += ((uint64_t) sequence_number->data[i-1]) << shift;
+ *output += ((uint64_t) sequence_number->data[i - 1]) << shift;
shift += SEQUENCE_NUMBER_POWER;
}
return S2N_SUCCESS;
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_sequence.h b/contrib/restricted/aws/s2n/crypto/s2n_sequence.h
index 6fd824458a..1ac58f38c3 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_sequence.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_sequence.h
@@ -16,7 +16,6 @@
#pragma once
#include "crypto/s2n_sequence.h"
-
#include "utils/s2n_blob.h"
extern int s2n_increment_sequence_number(struct s2n_blob *sequence_number);
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_signature.h b/contrib/restricted/aws/s2n/crypto/s2n_signature.h
index b097e93afb..b6d64fbd39 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_signature.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_signature.h
@@ -16,7 +16,12 @@
#include "tls/s2n_tls_parameters.h"
-#define sig_alg_check(a, b) do { if ( (a) != (b) ) { POSIX_BAIL(S2N_ERR_INVALID_SIGNATURE_ALGORITHM); } } while(0)
+#define sig_alg_check(a, b) \
+ do { \
+ if ((a) != (b)) { \
+ POSIX_BAIL(S2N_ERR_INVALID_SIGNATURE_ALGORITHM); \
+ } \
+ } while (0)
typedef enum {
S2N_SIGNATURE_ANONYMOUS = S2N_TLS_SIGNATURE_ANONYMOUS,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_null.c b/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_null.c
index 48b6f0dbf5..6550ed07cb 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_null.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_null.c
@@ -13,12 +13,10 @@
* permissions and limitations under the License.
*/
-#include "error/s2n_errno.h"
-
#include "crypto/s2n_cipher.h"
-
-#include "utils/s2n_safety.h"
+#include "error/s2n_errno.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
static uint8_t s2n_stream_cipher_null_available()
{
@@ -54,8 +52,8 @@ const struct s2n_cipher s2n_null_cipher = {
.type = S2N_STREAM,
.key_material_size = 0,
.io.stream = {
- .decrypt = s2n_stream_cipher_null_endecrypt,
- .encrypt = s2n_stream_cipher_null_endecrypt},
+ .decrypt = s2n_stream_cipher_null_endecrypt,
+ .encrypt = s2n_stream_cipher_null_endecrypt },
.is_available = s2n_stream_cipher_null_available,
.init = s2n_stream_cipher_null_init,
.set_encryption_key = s2n_stream_cipher_null_get_key,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_rc4.c b/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_rc4.c
index ccbfbceee5..569a11a2f9 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_rc4.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_stream_cipher_rc4.c
@@ -18,9 +18,8 @@
#include "crypto/s2n_cipher.h"
#include "crypto/s2n_fips.h"
#include "crypto/s2n_openssl.h"
-
-#include "utils/s2n_safety.h"
#include "utils/s2n_blob.h"
+#include "utils/s2n_safety.h"
static uint8_t s2n_stream_cipher_rc4_available()
{
@@ -129,8 +128,8 @@ const struct s2n_cipher s2n_rc4 = {
.type = S2N_STREAM,
.key_material_size = 16,
.io.stream = {
- .decrypt = s2n_stream_cipher_rc4_decrypt,
- .encrypt = s2n_stream_cipher_rc4_encrypt},
+ .decrypt = s2n_stream_cipher_rc4_decrypt,
+ .encrypt = s2n_stream_cipher_rc4_encrypt },
.is_available = s2n_stream_cipher_rc4_available,
.init = s2n_stream_cipher_rc4_init,
.set_decryption_key = s2n_stream_cipher_rc4_set_decryption_key,
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.c b/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.c
index 83d5e64951..3b5c284080 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.c
+++ b/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.c
@@ -13,18 +13,15 @@
* permissions and limitations under the License.
*/
+#include "crypto/s2n_tls13_keys.h"
+
#include <stdio.h>
+#include "crypto/s2n_hkdf.h"
+#include "crypto/s2n_hmac.h"
#include "error/s2n_errno.h"
-
#include "stuffer/s2n_stuffer.h"
-
-#include "crypto/s2n_hmac.h"
-#include "crypto/s2n_hkdf.h"
-#include "crypto/s2n_tls13_keys.h"
-
#include "utils/s2n_blob.h"
-#include "utils/s2n_safety.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_safety.h"
@@ -114,7 +111,8 @@ int s2n_tls13_keys_init(struct s2n_tls13_keys *keys, s2n_hmac_algorithm alg)
/*
* Frees any allocation
*/
-int s2n_tls13_keys_free(struct s2n_tls13_keys *keys) {
+int s2n_tls13_keys_free(struct s2n_tls13_keys *keys)
+{
POSIX_ENSURE_REF(keys);
POSIX_GUARD(s2n_hmac_free(&keys->hmac));
@@ -133,9 +131,9 @@ int s2n_tls13_derive_traffic_keys(struct s2n_tls13_keys *keys, struct s2n_blob *
POSIX_ENSURE_REF(iv);
POSIX_GUARD(s2n_hkdf_expand_label(&keys->hmac, keys->hmac_algorithm, secret,
- &s2n_tls13_label_traffic_secret_key, &zero_length_blob, key));
+ &s2n_tls13_label_traffic_secret_key, &zero_length_blob, key));
POSIX_GUARD(s2n_hkdf_expand_label(&keys->hmac, keys->hmac_algorithm, secret,
- &s2n_tls13_label_traffic_secret_iv, &zero_length_blob, iv));
+ &s2n_tls13_label_traffic_secret_iv, &zero_length_blob, iv));
return 0;
}
@@ -173,12 +171,12 @@ int s2n_tls13_update_application_traffic_secret(struct s2n_tls13_keys *keys, str
POSIX_ENSURE_REF(new_secret);
POSIX_GUARD(s2n_hkdf_expand_label(&keys->hmac, keys->hmac_algorithm, old_secret,
- &s2n_tls13_label_application_traffic_secret_update, &zero_length_blob, new_secret));
+ &s2n_tls13_label_application_traffic_secret_update, &zero_length_blob, new_secret));
return 0;
}
-S2N_RESULT s2n_tls13_derive_session_ticket_secret(struct s2n_tls13_keys *keys, struct s2n_blob *resumption_secret,
+S2N_RESULT s2n_tls13_derive_session_ticket_secret(struct s2n_tls13_keys *keys, struct s2n_blob *resumption_secret,
struct s2n_blob *ticket_nonce, struct s2n_blob *secret_blob)
{
RESULT_ENSURE_REF(keys);
@@ -188,7 +186,7 @@ S2N_RESULT s2n_tls13_derive_session_ticket_secret(struct s2n_tls13_keys *keys, s
/* Derive session ticket secret from master session resumption secret */
RESULT_GUARD_POSIX(s2n_hkdf_expand_label(&keys->hmac, keys->hmac_algorithm, resumption_secret,
- &s2n_tls13_label_session_ticket_secret, ticket_nonce, secret_blob));
+ &s2n_tls13_label_session_ticket_secret, ticket_nonce, secret_blob));
return S2N_RESULT_OK;
}
diff --git a/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.h b/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.h
index 48ef1bf01a..5bd7455dc2 100644
--- a/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.h
+++ b/contrib/restricted/aws/s2n/crypto/s2n_tls13_keys.h
@@ -17,13 +17,12 @@
#include <stdint.h>
-#include "crypto/s2n_hmac.h"
#include "crypto/s2n_hkdf.h"
+#include "crypto/s2n_hmac.h"
#include "stuffer/s2n_stuffer.h"
-#include "tls/s2n_tls_parameters.h"
#include "tls/s2n_psk.h"
+#include "tls/s2n_tls_parameters.h"
#include "utils/s2n_blob.h"
-#include "utils/s2n_safety.h"
#include "utils/s2n_mem.h"
#include "utils/s2n_safety.h"
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-30 02:45:58 +0000