ring-native 0.0.0

data/vendor/ring/src/agreement.rs

@@ -0,0 +1,248 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
+// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//! Key agreement: ECDH.
+
+use super::{c, digest, ecc, ffi};
+use super::input::Input;
+use std;
+
+/// A key agreement algorithm.
+pub struct Algorithm {
+    ec_group_fn: unsafe extern fn () -> *const ecc::EC_GROUP,
+    encoded_public_key_len: usize,
+    nid: c::int,
+}
+
+/// An ephemeral key pair for use (only) with `agree_ephemeral`. The
+/// signature of `agree_ephemeral` ensures that an `EphemeralKeyPair` can be
+/// used for at most one key agreement.
+pub struct EphemeralKeyPair {
+    key: *mut EC_KEY,
+    algorithm: &'static Algorithm
+}
+
+impl EphemeralKeyPair {
+    /// Generate a new ephemeral key pair for the given algorithm.
+    ///
+    /// C analog: `EC_KEY_new_by_curve_name` + `EC_KEY_generate_key`.
+    pub fn generate(algorithm: &'static Algorithm)
+                    -> Result<EphemeralKeyPair, ()> {
+        let key = try!(ffi::map_bssl_ptr_result(unsafe {
+            EC_KEY_generate_key_ex((algorithm.ec_group_fn)())
+        }));
+        Ok(EphemeralKeyPair { key: key, algorithm: algorithm })
+    }
+
+    /// The size in bytes of the encoded public key returned from `public_key`.
+    #[inline(always)]
+    pub fn public_point_len(&self) -> usize {
+        self.algorithm.encoded_public_key_len
+    }
+
+    /// Fills `out` with the public point encoded in the standard form for the
+    /// algorithm.
+    ///
+    /// `out.len()` must be equal to the value returned by `public_point_len`.
+    pub fn fill_with_encoded_public_key(&self, out: &mut [u8])
+                                        -> Result<(), ()> {
+        match unsafe {
+            EC_KEY_public_key_to_oct(self.key, out.as_mut_ptr(), out.len())
+        } {
+            n if n == self.public_point_len() => Ok(()),
+            _ => Err(())
+        }
+    }
+}
+
+impl Drop for EphemeralKeyPair {
+    fn drop(&mut self) {
+        unsafe {
+            EC_KEY_free(self.key);
+        }
+    }
+}
+
+/// Performs a key agreement with an ephemeral key pair's private key and the
+/// given public key.
+///
+/// `my_key_pair` is the ephemeral key pair to use. Since `my_key_pair` is
+/// moved, it will not be usable after calling `agree_ephemeral`, thus
+/// guaranteeing that the key is used for only one key agreement.
+/// `peer_algorithm` is the algorithm/curve for the peer's public key point;
+/// `agree_ephemeral` will return `Err(())` if it does not match `my_key_pair's`
+/// algorithm/curve. `peer_encoded_pubic_key` is the peer's public key. It
+/// must be encoded in the standard form for the algorithm; see the algorithm's
+/// documentation for details. `error_value` is the value to return if an error
+/// occurs before `kdf` is called, e.g. when decoding of the peer's public key
+/// fails. After the key agreement is done, `agree_ephemeral` calls `kdf` with
+/// the raw key material from the key agrement operation and then returns what
+/// `kdf` returns.
+///
+/// C analogs: `ECDH_compute_key_ex` (*ring* only), `EC_POINT_oct2point` +
+/// `ECDH_compute_key`.
+//
+// TODO: If the key is authenticated then we don't necessarily need to verify
+// that the peer's public point is on the curve since a malicious
+// authenticated peer could just as easily give us a bad public point that is
+// on the curve. Also, given that our key pair is ephemeral, we're not risking
+// the leakage of a long-term key via invalid point attacks. Accordingly, even
+// though the lower-level C code does check that the peer's point is on the
+// curve, that check seems like overkill, at least for the most typical uses
+// of this function. On the other hand, some users may feel that it is
+// worthwhile to do point validity check even if it seems to be unnecssary.
+// Accordingly, it might be worthwhile to change this interface in the future
+// so that the caller can choose how much validation of the peer's public
+// point is done.
+pub fn agree_ephemeral<F, R, E>(my_key_pair: EphemeralKeyPair,
+                                peer_alg: &Algorithm,
+                                peer_encoded_public_point: Input,
+                                error_value: E, kdf: F) -> Result<R, E>
+                                where F: FnOnce(&[u8]) -> Result<R, E> {
+    let mut shared_key = [0u8; MAX_COORDINATE_LEN];
+    let mut shared_key_len = 0;
+    let peer_encoded_public_point =
+        peer_encoded_public_point.as_slice_less_safe();
+    match unsafe {
+        ECDH_compute_key_ex(shared_key.as_mut_ptr(), &mut shared_key_len,
+                            shared_key.len(), my_key_pair.key, peer_alg.nid,
+                            peer_encoded_public_point.as_ptr(),
+                            peer_encoded_public_point.len())
+    } {
+        1 => kdf(&shared_key[0..shared_key_len]),
+        _ => Err(error_value)
+    }
+}
+
+// TODO: After ecdsa_test.cc is removed, this function should be removed and
+// the caller should be changed to call `SHA512_5` directly. Also, the
+// alternative implementation of this in crypto/test should be removed at
+// that time.
+#[allow(non_snake_case)]
+#[doc(hidden)]
+#[no_mangle]
+pub extern fn BN_generate_dsa_nonce_digest(
+        out: *mut u8, out_len: c::size_t,
+        part1: *const u8, part1_len: c::size_t,
+        part2: *const u8, part2_len: c::size_t,
+        part3: *const u8, part3_len: c::size_t,
+        part4: *const u8, part4_len: c::size_t,
+        part5: *const u8, part5_len: c::size_t)
+        -> c::int {
+    SHA512_5(out, out_len, part1, part1_len, part2, part2_len, part3,
+             part3_len, part4, part4_len, part5, part5_len);
+    1
+}
+
+/// SHA512_5 calculates the SHA-512 digest of the concatenation of |part1|
+/// through |part5|. Any part<N> may be null if and only if the corresponding
+/// part<N>_len is zero. This ugliness exists in order to allow some of the
+/// C ECC code to calculate SHA-512 digests.
+#[allow(non_snake_case)]
+#[doc(hidden)]
+#[no_mangle]
+pub extern fn SHA512_5(out: *mut u8, out_len: c::size_t,
+                       part1: *const u8, part1_len: c::size_t,
+                       part2: *const u8, part2_len: c::size_t,
+                       part3: *const u8, part3_len: c::size_t,
+                       part4: *const u8, part4_len: c::size_t,
+                       part5: *const u8, part5_len: c::size_t) {
+    fn maybe_update(ctx: &mut digest::Context, part: *const u8,
+                    part_len: c::size_t) {
+        if part_len != 0 {
+            assert!(!part.is_null());
+            ctx.update(unsafe { std::slice::from_raw_parts(part, part_len) });
+        }
+    }
+
+    let mut ctx = digest::Context::new(&digest::SHA512);
+    maybe_update(&mut ctx, part1, part1_len);
+    maybe_update(&mut ctx, part2, part2_len);
+    maybe_update(&mut ctx, part3, part3_len);
+    maybe_update(&mut ctx, part4, part4_len);
+    maybe_update(&mut ctx, part5, part5_len);
+    let digest = ctx.finish();
+    let digest = digest.as_ref();
+    let out = unsafe { std::slice::from_raw_parts_mut(out, out_len) };
+    assert_eq!(out.len(), digest.len());
+    for i in 0..digest.len() {
+        out[i] = digest[i];
+    }
+}
+
+// XXX: Replace with `const fn` when `const fn` is stable:
+// https://github.com/rust-lang/rust/issues/24111
+macro_rules! encoded_public_key_len {
+    ( $bits:expr ) => ( 1 + (2 * (($bits + 7) / 8)) )
+}
+
+/// ECDH using the NIST P-256 (secp256r1) curve.
+///
+/// Public keys are encoding in uncompressed form using the
+/// Octet-String-to-Elliptic-Curve-Point algorithm in [SEC 1: Elliptic Curve
+/// Cryptography, Version 2.0](http://www.secg.org/sec1-v2.pdf).
+///
+/// C analogs: `EC_GROUP_P256` (*ring* only),
+/// `EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)`")
+pub static ECDH_P256: Algorithm = Algorithm {
+    ec_group_fn: ecc::EC_GROUP_P256,
+    encoded_public_key_len: encoded_public_key_len!(256),
+    nid: 415, // NID_X9_62_prime256v1
+};
+
+/// ECDH using the NIST P-384 (secp384r1) curve.
+///
+/// Public keys are encoding in uncompressed form using the
+/// Octet-String-to-Elliptic-Curve-Point algorithm in [SEC 1: Elliptic Curve
+/// Cryptography, Version 2.0](http://www.secg.org/sec1-v2.pdf).
+///
+/// C analogs: `EC_GROUP_P384` (*ring* only),
+/// `EC_GROUP_new_by_curve_name(NID_secp384r1)`")
+pub static ECDH_P384: Algorithm = Algorithm {
+    ec_group_fn: ecc::EC_GROUP_P384,
+    encoded_public_key_len: encoded_public_key_len!(384),
+    nid: 715, // NID_secp384r1
+};
+
+/// ECDH using the NIST P-521 (secp521r1) curve.
+///
+/// Public keys are encoding in uncompressed form using the
+/// Octet-String-to-Elliptic-Curve-Point algorithm in [SEC 1: Elliptic Curve
+/// Cryptography, Version 2.0](http://www.secg.org/sec1-v2.pdf).
+///
+/// C analogs: `EC_GROUP_new_p521` (*ring* only),
+/// `EC_GROUP_new_by_curve_name(NID_secp521r1)`")
+pub static ECDH_P521: Algorithm = Algorithm {
+    ec_group_fn: ecc::EC_GROUP_P521,
+    encoded_public_key_len: encoded_public_key_len!(521),
+    nid: 716, // NID_secp521r1
+};
+
+const MAX_COORDINATE_LEN: usize = (521 + 7) / 8;
+
+#[allow(non_camel_case_types)]
+enum EC_KEY { }
+
+extern {
+    fn EC_KEY_generate_key_ex(group: *const ecc::EC_GROUP) -> *mut EC_KEY;
+    fn EC_KEY_public_key_to_oct(key: *const EC_KEY, out: *mut u8,
+                                out_len: c::size_t) -> c::size_t;
+    fn EC_KEY_free(key: *mut EC_KEY);
+
+    fn ECDH_compute_key_ex(out: *mut u8, out_len: *mut c::size_t,
+                           max_out_len: c::size_t, my_key_pair: *const EC_KEY,
+                           peer_curve_nid: c::int,
+                           peer_pub_point_bytes: *const u8,
+                           peer_pub_point_bytes_len: c::size_t) -> c::int;
+}

data/vendor/ring/src/c.rs

@@ -0,0 +1,129 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//! TODO: Module-level documentation.
+
+#![allow(non_camel_case_types)]
+
+macro_rules! define_type {
+    ( $name:ident, $builtin:ty, $test_c_metrics:ident, $get_c_align_fn:ident,
+      $get_c_size_fn:ident, $doc:expr ) =>
+    {
+        #[doc = $doc]
+        pub type $name = $builtin;
+
+        define_metrics_tests!($name, $test_c_metrics, $get_c_align_fn,
+                              $get_c_size_fn);
+    }
+}
+
+macro_rules! define_metrics_tests {
+    ( $name:ident, $test_c_metrics:ident, $get_c_align_fn:ident,
+      $get_c_size_fn:ident ) =>
+    {
+        #[cfg(test)]
+        extern {
+            // We can't use `size_t` because we need to test that our
+            // definition of `size_t` is correct using this code! We use `u16`
+            // because even 8-bit and 16-bit microcontrollers have no trouble
+            // with it, and because `u16` is always as smaller or smaller than
+            // `usize`.
+            fn $get_c_align_fn() -> u16;
+            fn $get_c_size_fn() -> u16;
+        }
+
+        #[cfg(test)]
+        #[test]
+        fn $test_c_metrics() {
+            use std::mem;
+
+            let c_align = unsafe { $get_c_align_fn() };
+            let c_size = unsafe { $get_c_size_fn() };
+
+            // XXX: Remove these assertions and these uses of `as` when Rust
+            // supports implicit coercion of `u16` to `usize`.
+            assert!(mem::size_of_val(&c_align) <= mem::size_of::<usize>());
+            assert!(mem::size_of_val(&c_size) <= mem::size_of::<usize>());
+            assert_eq!((mem::align_of::<$name>(), mem::size_of::<$name>()),
+                        (c_align as usize, c_size as usize));
+        }
+    }
+}
+
+define_type!(int, i32, test_int_metrics, ring_int_align, ring_int_size,
+             "The C `int` type. Equivalent to `libc::int`.");
+
+define_type!(
+  size_t, usize, test_size_t_metrics, ring_size_t_align, ring_size_t_size,
+  "The C `size_t` type from `<stdint.h>`.
+
+  ISO C's `size_t` is defined to be the type of the result of the
+  `sizeof` operator and the type of the size parameter to `malloc`. That
+  is, C's `size_t` is only required to hold the size of the largest object
+  that can be allocated. In particular, it is legal for a C implementation
+  to have a maximum object size smaller than the entire address space. For
+  example, a C implementation may have an maximum object size of 2^32
+  bytes with a 64-bit address space, and typedef `size_t` as `uint32_t` so
+  that `sizeof(size_t) == 4` and `sizeof(void*) == 8`.
+
+  Rust's `usize`, on the other hand, is defined to always be the same size
+  as a pointer. This means that it is possible, in theory, to have a platform
+  where `usize` can represent values that `size_t` cannot represent. However,
+  on the vast majority of systems, `usize` and `size_t` are represented the
+  same way. If it were required to explicitly cast `usize` to `size_t` on
+  common platforms, then many programmers would habitually write expressions
+  such as `my_slice.len() as libc::size_t` expecting this to always work and
+  be safe. But such a cast is *not* safe on the uncommon platforms where
+  `mem::sizeof(libc::size_t) < mem::size_t(usize)`. Consequently, to reduce
+  the chances of programmers becoming habituated to such casts that would be
+  unsafe on unusual platforms, we have adopted the following convention:
+
+  * On common platforms where C's `size_t` is the same size as `usize`,
+    `ring::c::size_t` must be a type alias of `usize`.
+
+  * On uncommon platforms where C's `size_t` is not the same size as `usize`,
+    `ring::c::size_t` must be a type alias for a type other than `usize`.
+
+  * Code that was written without consideration for the uncommon platforms
+    should not do any explicit casting between `size_t` and `usize`. Such
+    code will fail to compile on the uncommon platforms; this is better than
+    executing with unsafe truncations.
+
+  * Code that was written with full consideration of the uncommon platforms
+    should have explicit casts using `num::cast` or other methods that avoid
+    unintended truncation. Such code will then work on all platforms.");
+
+// XXX: MSVC's `alignof` returns strange values for `int8_t`.
+#[cfg(not(windows))]
+define_metrics_tests!(i8, test_i8_metrics, ring_int8_t_align, ring_int8_t_size);
+
+// XXX: MSVC's `alignof` returns strange values for `uint8_t`.
+#[cfg(not(windows))]
+define_metrics_tests!(u8, test_u8_metrics, ring_uint8_t_align,
+                      ring_uint8_t_size);
+
+define_metrics_tests!(i16, test_i16_metrics, ring_int16_t_align,
+                      ring_int16_t_size);
+define_metrics_tests!(u16, test_u16_metrics, ring_uint16_t_align,
+                      ring_uint16_t_size);
+
+define_metrics_tests!(i32, test_i32_metrics, ring_int32_t_align,
+                      ring_int32_t_size);
+define_metrics_tests!(u32, test_u32_metrics, ring_uint32_t_align,
+                      ring_uint32_t_size);
+
+define_metrics_tests!(i64, test_i64_metrics, ring_int64_t_align,
+                      ring_int64_t_size);
+define_metrics_tests!(u64, test_u64_metrics, ring_uint64_t_align,
+                      ring_uint64_t_size);

data/vendor/ring/src/constant_time.rs

@@ -0,0 +1,37 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//! Constant-time operations.
+
+use super::c;
+
+/// Returns `Ok(())` if `a == b` and `Err(())` otherwise. The comparison of
+/// `a` and `b` is done in constant time with respect to the contents of each,
+/// but NOT in constant time with respect to the lengths of `a` and `b`.
+pub fn verify_slices_are_equal(a: &[u8], b: &[u8]) -> Result<(), ()> {
+    if a.len() != b.len() {
+        return Err(());
+    }
+    let result = unsafe {
+        CRYPTO_memcmp(a.as_ptr(), b.as_ptr(), a.len())
+    };
+    match result {
+        0 => Ok(()),
+        _ => Err(())
+    }
+}
+
+extern {
+    fn CRYPTO_memcmp(a: *const u8, b: *const u8, len: c::size_t) -> c::int;
+}

data/vendor/ring/src/der.rs

@@ -0,0 +1,96 @@
+// Copyright 2015 Brian Smith.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+//! Building blocks for parsing DER-encoded ASN.1 structures.
+//!
+//! This module contains the foundational parts of an ASN.1 DER parser.
+
+use super::input::*;
+
+pub const CONSTRUCTED : u8 = 1 << 5;
+pub const CONTEXT_SPECIFIC : u8 = 2 << 6;
+
+#[derive(Clone, Copy, PartialEq)]
+#[repr(u8)]
+pub enum Tag {
+    Boolean = 0x01,
+    Integer = 0x02,
+    BitString = 0x03,
+    OctetString = 0x04,
+    Null = 0x05,
+    OID = 0x06,
+    Sequence = CONSTRUCTED | 0x10, // 0x30
+    UTCTime = 0x17,
+    GeneralizedTime = 0x18,
+
+    ContextSpecificConstructed0 = CONTEXT_SPECIFIC | CONSTRUCTED | 0,
+    ContextSpecificConstructed1 = CONTEXT_SPECIFIC | CONSTRUCTED | 1,
+    ContextSpecificConstructed3 = CONTEXT_SPECIFIC | CONSTRUCTED | 3,
+}
+
+pub fn expect_tag_and_get_value<'a>(input: &mut Reader<'a>, tag: Tag)
+                                    -> Result<Input<'a>, ()> {
+    let (actual_tag, inner) = try!(read_tag_and_get_value(input));
+    if (tag as usize) != (actual_tag as usize) {
+        return Err(());
+    }
+    Ok(inner)
+}
+
+pub fn read_tag_and_get_value<'a>(input: &mut Reader<'a>)
+                                  -> Result<(u8, Input<'a>), ()> {
+    let tag = try!(input.read_byte());
+    if (tag & 0x1F) == 0x1F {
+        return Err(()) // High tag number form is not allowed.
+    }
+
+    // If the high order bit of the first byte is set to zero then the length
+    // is encoded in the seven remaining bits of that byte. Otherwise, those
+    // seven bits represent the number of bytes used to encode the length.
+    let length = match try!(input.read_byte()) {
+        n if (n & 0x80) == 0 => n as usize,
+        0x81 => {
+            let second_byte = try!(input.read_byte());
+            if second_byte < 128 {
+                return Err(()) // Not the canonical encoding.
+            }
+            second_byte as usize
+        },
+        0x82 => {
+            let second_byte = try!(input.read_byte()) as usize;
+            let third_byte = try!(input.read_byte()) as usize;
+            let combined = (second_byte << 8) | third_byte;
+            if combined < 256 {
+                return Err(()); // Not the canonical encoding.
+            }
+            combined
+        },
+        _ => {
+            return Err(()); // We don't support longer lengths.
+        }
+    };
+
+    let inner = try!(input.skip_and_get_input(length));
+    Ok((tag, inner))
+}
+
+// TODO: investigate taking decoder as a reference to reduce generated code
+// size.
+pub fn nested<'a, F, R, E: Copy>(input: &mut Reader<'a>, tag: Tag, error: E,
+                                 decoder: F) -> Result<R, E>
+                                 where F : FnOnce(&mut Reader<'a>)
+                                 -> Result<R, E> {
+    let inner = try!(expect_tag_and_get_value(input, tag).map_err(|_| error));
+    read_all(inner, error, decoder)
+}